This method or attack is the most severe and common form of attack according to the OWASP Top 10 list. It is also perhaps the most interesting attack I’ve ever done from my limited experience. A quick definition from OWASP follows:
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
1. Probing
So the DVWA command injection page looks like this:
(Note: the links in the More Information section are REALLY helpful).
So quickly testing with a valid IP address:
And with an invalid address:
I also tried inputing nothing and pressing submit:
So this shows that the application simply passes our input as an argument to the console command ping, i.e. it executes “ping [input]” and we see the output of our command in red. If it doesn't work, then nothing happens.
2. Chaining Commands
We can execute more commands after our input by chaining them. Different operating systems use different characters to chain. In Linux, we can use ‘;’ to make commands run sequentially or ‘&’ to make a command run in the background. In Windows, we can simply use ‘&’. If ‘;’ doesn't work, then we can conclude that the OS is Windows and vice versa.
3. Command Injection Attack
Basically, if the app doesn't have any delimiter or character bans (to block ';', '&' or '|'), then we can simply trick the app into executing any further commands we want.
So a basic attack string would be
127.0.0.1 & hostname
Now it turns out you can run basically anything, depending on the OS. A bunch of other commands I tried were cd, dir, mkdir, del, echo, more, ipconfig, find, and whoami.
This was the output after making a directory called ‘hello’:
It was also interesting to see that localhost and ::1 were valid ping addresses. But I am no computer expert so I have no idea why these are valid.
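To show the defender's side of what the probing above finds, here is an added example (my code, not the post's and not DVWA's own PHP): the vulnerable pattern, in which the submitted address is spliced into a shell command string, next to a hardened form that only accepts an IP address literal and passes argv straight to the kernel with no shell in between. It also explains the last observation: ::1 is the IPv6 loopback address, so it passes a strict address check, while localhost is a hostname that the resolver maps to 127.0.0.1 and is rejected by a check that allows only address literals. The ping flags assume Linux iputils ping; the helper names are mine.

```python
import ipaddress
import subprocess

# Characters a POSIX shell or cmd.exe treats as command separators or
# substitutions; ';', '&' and '|' are the ones the post probes for.
SHELL_METACHARS = set(";&|`$()<>\n\r")


def build_vulnerable_command(user_input: str) -> str:
    """The 'low' DVWA pattern: user input spliced into a shell command string.
    Returned rather than executed, so the chaining is visible without running it."""
    return "ping -c 1 " + user_input


def is_ip_literal(value: str) -> bool:
    """Allow-list check: only an IPv4 or IPv6 address literal is accepted.
    '127.0.0.1' and '::1' (IPv6 loopback) pass; 'localhost' is a hostname,
    not an address, so it is rejected along with anything carrying extra text."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def build_safe_argv(user_input: str) -> list:
    """Hardened form: validate first, then build an argv list for execve().
    Flags assume Linux iputils ping ('-c' count, '-4'/'-6' address family)."""
    if not is_ip_literal(user_input):
        raise ValueError("expected an IPv4 or IPv6 address literal")
    addr = ipaddress.ip_address(user_input.strip())
    family_flag = "-6" if addr.version == 6 else "-4"
    return ["ping", "-c", "1", family_flag, str(addr)]


def safe_ping(user_input: str) -> str:
    """Run ping with shell=False: each argv element reaches the kernel as-is,
    so no shell ever re-parses the address looking for separators."""
    argv = build_safe_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.stdout


def contains_shell_metachar(value: str) -> bool:
    """Detection heuristic for a WAF rule or log review: flag submitted values
    that carry shell metacharacters. A deny-list catches probes like the post's
    '127.0.0.1 & hostname', but the allow-list in is_ip_literal() is the real fix."""
    return any(ch in SHELL_METACHARS for ch in value)


if __name__ == "__main__":
    probe = "127.0.0.1 & hostname"  # the probe string from the post
    print("vulnerable string:", build_vulnerable_command(probe))
    print("metachar detected:", contains_shell_metachar(probe))
    for candidate in ("127.0.0.1", "::1", "localhost", probe):
        verdict = "accepted" if is_ip_literal(candidate) else "rejected"
        print(candidate, "->", verdict)
```

The design choice worth noting is that the fix is not the metacharacter deny-list but the combination of an allow-list (parse the value as an address, or refuse it) and no shell at all; the deny-list only has a role as a detection signal in logs or a WAF, where a value containing ‘;’, ‘&’ or ‘|’ in a field that should hold an address is a clear sign of probing.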
DVWA Tutorial #2 - Brute Force Attack & Kali on Windows
So the first attack I wanted to try was the brute force method. I’m sure everyone knows what a brute force attack is. For those that don’t here is a quick definition from Wikipedia:
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Brute Force
The DVWA Brute Force page looks like this:
Our goal for today is to try out a brute force method using Hydra on Kali Linux.
Now in my last blog, I failed to realise that you needed Kali Linux to do most of the attacks I planned to do. Thankfully, there is a thing called Windows Subsystem for Linux (WSL) in Windows 10, so all I had to do was run a few simple commands found here, and then Kali was installed.
The next step was to install Hydra for Kali Linux. This was done by running
sudo apt-get install hydra-gtk
in the Kali Linux terminal, after which Hydra should be installed.
Typing hydra -h then resulted in this:
Now to use Hydra, we need a couple of things, namely
Target server. In my case, it is localhost
URL path. This is the Relative path to the vulnerable form.
Username. -l [username] We know this to be admin, although we can try
Password dictionary. -P [wordlist_file]. This will be our list of passwords (called a wordlist) that Hydra will try. Apparently Kali has wordlists stored in /usr/share/wordlists/. But for me this was not the case; instead I found some here. A good wordlist to use is rockyou.txt.
Cookies. This is how the web application authenticates a valid session. We can find which cookies are used by opening your browser's web console (F12 in Chrome) and entering document.cookie:
Failure message. This lets Hydra know when a login attempt has failed. We can check by putting a wrong username and password into the DVWA form, which gets us “Username and/or password incorrect”.
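The defender's view of the same exercise, as an added example that is mine and not part of the post: a small detector that runs over web-server access log lines and alerts when one client sends many login requests in a short window, which is exactly the footprint a wordlist run against the form leaves behind. The form path /login.php, the window and threshold, and the log lines are all constructed for the example (the lines are in Apache combined-log format but are not real traffic). As the post notes, the form answers a wrong guess with a normal page carrying the failure message rather than an error status, so status codes do not separate hits from misses; the usable signal is the volume of POSTs to the form from a single source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined-log prefix: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/login.php"        # hypothetical form path, not DVWA's real one
WINDOW = timedelta(seconds=60)   # sliding window per client
THRESHOLD = 5                    # login POSTs inside the window that trigger an alert

# Constructed sample lines: 10.0.0.5 hammers the form, 10.0.0.9 logs in once.
# A 200 on every guess is what a form that answers with a failure message looks like.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Mar/2019:21:00:00 +1100] "GET /login.php HTTP/1.1" 200 1523
10.0.0.5 - - [10/Mar/2019:21:00:01 +1100] "POST /login.php HTTP/1.1" 200 1523
10.0.0.5 - - [10/Mar/2019:21:00:01 +1100] "POST /login.php HTTP/1.1" 200 1523
10.0.0.5 - - [10/Mar/2019:21:00:02 +1100] "POST /login.php HTTP/1.1" 200 1523
10.0.0.9 - - [10/Mar/2019:21:00:02 +1100] "POST /login.php HTTP/1.1" 302 -
10.0.0.5 - - [10/Mar/2019:21:00:02 +1100] "POST /login.php HTTP/1.1" 200 1523
10.0.0.5 - - [10/Mar/2019:21:00:03 +1100] "POST /index.php HTTP/1.1" 200 4096
10.0.0.5 - - [10/Mar/2019:21:00:03 +1100] "POST /login.php HTTP/1.1" 200 1523
10.0.0.5 - - [10/Mar/2019:21:00:04 +1100] "POST /login.php HTTP/1.1" 200 1523
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line.
    The query string is dropped so that per-path counting ignores form parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_bruteforce(lines, login_path=LOGIN_PATH, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window counter per client IP over POSTs to the login form.
    Emits one (ip, timestamp, count) alert per client, at the request that first
    reaches the threshold, so a long run does not flood the alert queue."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire requests older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for ip, ts, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip}: {count} login POSTs within {WINDOW.seconds}s")
```

In practice the same counter is what an account-lockout or rate-limit rule in the application keys on; the log-side version is useful because it works even when the application itself, like the DVWA low level, keeps no count of failed attempts.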
The Damn Vulnerable Web Application (DVWA) - Tutorial #1 - Intro + Installation
So I'm finally starting on my Something Awesome Project, with only 26 hours before I have to submit something yay :D. Shoutout to my tutor, Adam Smallhorn, whose advice gave me a clearer goal than before and guided me to this whole DVWA idea. Now onto the meaty stuff:
What is DVWA?
I think there is no better explanation for DVWA than the description on their website:
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
The DVWA is an ideal environment to legally test a whole wide range of attacks due to its numerous vulnerabilities. Additionally, you can change the security level to low, medium, high, or impossible, with each level offering a different level of difficulty.
Now since I am a simple student with almost zero practical experience in the field of security, I will be attempting the lowest/easiest difficulty. I will also try to post tutorial-like blogs for other students in the same boat as me, who might be trying these things for fun. I think the aim for these next couple of blogs will just be to see how far I can get working through this DVWA.
Installation
The following section will cover the installation of DVWA on a Windows 10 PC using the XAMPP web server.
1. Download DVWA from their website http://www.dvwa.co.uk/
3. Install XAMPP by running xampp-windows-xx-xx -installer.exe
4. Run the XAMPP Control Panel and start the Apache and MySQL servers. You can check that your server is running by typing \localhost into your web browser's URL bar.
5. (Optional) Delete everything inside the C:\xampp\htdocs folder. You don't need those files for DVWA.
6. Extract or Copy the files from the DVWA.zip file into the C:\xampp\htdocs folder.
7. Go back to your browser and refresh \localhost. You should now see something like this:
8. Now go to C:\xampp\htdocs\DVWA-master\config and change the filename to “config.inc.php”
9. Your webpage should now look like this:
However, when you try to create a database at the bottom of the setup page, you will be faced with an error. Now you have to go back to your config.inc.php file and open it with a text editor like Notepad:
10. Find the password line and simply delete it so the line reads:
$_DVWA[ 'db_password' ] = '';
11. You should now be able to create a database. Simply log in with
Username: admin
Password: password
12. Voila! You’re in!
Optional: Change the Security Level
Do this by navigating to the DVWA Security Page, change the drop down box to ‘Low’ and press submit.
Hacking 101 - Creating a Hacking Lab (CISA, CEH, CISSP)
Set up a Safe and Controlled Environment For You to Practice Ethical Hacking - Kali Linux, DVWA, WebGoat
What you'll learn
The students will be able to utilize "virtualization" to install all the hacking tools in Kali Linux, and then set up two different vulnerable applications on which they can try to use the Kali Linux tools.
Requirements
This is made for beginners that are looking to set up a controlled hacking environment at home
No previous knowledge is necessary - just the want to learn ethical hacking
Tools: A PC with at least 40 gigs of hard drive space and a reasonably powerful processor
Description
This course is designed to help you create a safe and controlled environment on your local machine to practice ethical hacking methods. The course will cover the following:
- Discussion on "virtualization" and demo of a virtualized environment installation process
- Discussion on Kali Linux (your hacking tools) and a demo of the installation process. We will also be talking, post installation, about the types of tools you can find on this application and how you will utilize some of them.
- Discussion on Damn Vulnerable Web Application (DVWA) and a demo of the installation process. We will also be talking, post installation, about some of the vulnerabilities you can expect to find in this environment and some of the Kali Linux tools you will be using to exploit those vulnerabilities
- Discussion on WebGoat and a demo of the installation process. We will also be talking, post installation, about some of the vulnerabilities you can expect to find in this environment and some of the Kali Linux tools you will be using to exploit those vulnerabilities
- Discussion of other, third party open vulnerable websites which you can look into after you've started building your skill-set within your controlled hacking lab
- BONUS - there is a short bonus at the end where you can win free courses from me as I develop them in the future. There will be two give-aways - one to each of the individuals that get the answer right. So get in on this quick. I will also be sharing the slide deck I used to create this presentation so you have something tangible to walk away with as well.
Who this course is for:
Anyone looking to learn ethical hacking
Anyone who wants to learn how to create a controlled environment for their ethical hacking learning exercises
Created by Arif Gani
Last updated 2/2018
English
https://www.udemy.com/hacking-101-creating-a-hacking-lab/
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.