Damn Vulnerable Web Application (DVWA)
DVWA is a web application written in PHP and MySQL that implements a number of common web application vulnerabilities. For more information visit http://www.dvwa.co.uk/ and https://github.com/digininja/DVWA.
Installation - vagrant up
Using the Vagrantfile in the penetration testing lab directory of the git repo at https://github.com/kushfj/pentesting, spin up a DVWA VM in VirtualBox.
The virtual machine has two virtual network adapters. The first adapter is connected to the default NAT network; the NAT network is required during the initial setup to download and install updates and packages. The second adapter is connected to the default intnet internal network, which is used for the penetration testing. Note: you must disable or disconnect the NAT interface as soon as the machine is ready.
The Kali or Parrot pentest VM should be connected to intnet. This blog post uses Parrot OS, which has its eth0 interface connected to the intnet internal network. The intnet internal network must have a DHCP server running; you can configure this using VBoxManage, e.g.
VBoxManage dhcpserver add --netname intnet --ip 172.16.254.254 --netmask 255.255.255.0 --lowerip 172.16.254.100 --upperip 172.16.254.199 --enable
In this case we have a DHCP server at 172.16.254.254 configured to issue IP addresses in the range 172.16.254.100 - 172.16.254.199.
Virtual Machine
Once the vagrant command has completed, the DVWA VirtualBox VM should be up and running. Running sudo netdiscover -i eth1 -r 172.16.254.0/24, we find the DVWA virtual machine at 172.16.254.107:
Currently scanning: Finished!   |   Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
_____________________________________________________________________________
  IP              At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
172.16.254.107  08:00:27:34:1b:c6      1      60  PCS Systemtechnik GmbH
172.16.254.254  08:00:27:00:00:b9      1      60  PCS Systemtechnik GmbH
Initial Configuration
- Using a web browser, navigate to http://172.16.254.107
- Click on the Login button; no need to enter credentials yet
- Once on setup.php, click on the Create/Reset Database button
- Once the database is reset you will be returned to the login.php page
Walkthrough
The walkthrough below is a summary of the notes collated during the exercise. The exercise is documented for each security level.
- Log into the application using the default credentials of admin as the username and password as the password, then click on the Login button
- The security level may be set to low, medium, high or impossible. The default security level is impossible.
Walkthrough - Low
Vulnerability: Brute Force
- Enter a random password and use admin as the username
- We get the logon failure message "Username and/or password incorrect."
- We can also see the URL query string which was submitted: http://172.16.254.107/vulnerabilities/brute/?username=admin&password=totallynotapassword&Login=Login#
- THC Hydra is a popular brute force tool and can be used; refer to https://github.com/vanhauser-thc/thc-hydra
- I tried
hydra -l admin -P /usr/share/wordlists/rockyou.txt 172.16.254.107 http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect."
and it comes back with 16 successful logins, and although password is one of the 16 passwords found, the other passwords are incorrect. 16 passwords were returned because by default Hydra runs 16 tasks in an attempt to brute force passwords. When restricting to a single task using the -t 1 command line option/switch, I get the password as 123456, which is not correct. I thought perhaps the issue was with the expected error message, so instead of just "incorrect." I tried the full error message "Username and/or password incorrect.", but still did not get the correct result. I attempted to introduce a delay between connections using -W 3, but there was no change in results:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 172.16.254.107 http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect." -W 2 -t 1 -f
hydra -l admin -P /usr/share/wordlists/rockyou.txt 172.16.254.107 http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect." -t 1 -W 3
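As an added defensive counterpart to the exercise above (this script is not part of the original walkthrough or of DVWA), the following Python detector flags a source that hits the brute-force login endpoint at the rate Hydra's 16 parallel tasks produce. It assumes Apache combined-format access logs and that, as the query string above shows, the low-level login sends credentials via GET so each attempt is logged; the threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format is assumed; DVWA's low-level login sends the
# credentials in the GET query string, so every attempt lands in access.log.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BRUTE_PATH = "/vulnerabilities/brute/"

def parse_line(line):
    """Extract source IP, timestamp and request path; None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "path": m["path"]}

def find_bruteforce_sources(lines, threshold=10, window_s=60):
    """Sliding-window detector: return {ip: timestamp of the request that tripped it}
    for sources making >= threshold login attempts within any window_s seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of attempts still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(BRUTE_PATH):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged

def constructed_sample_log():
    """Constructed sample (not a real capture): 16 guesses in two seconds from one
    host, the size of Hydra's default task batch, plus ordinary traffic from another."""
    fmt = '{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 4211 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="172.16.254.120", sec=i // 8,
                        path=f"{BRUTE_PATH}?username=admin&password=guess{i}&Login=Login")
             for i in range(16)]
    lines.append(fmt.format(ip="172.16.254.130", sec=5, path="/index.php"))
    lines.append(fmt.format(ip="172.16.254.130", sec=9,
                            path=f"{BRUTE_PATH}?username=admin&password=password&Login=Login"))
    return lines

if __name__ == "__main__":
    for ip, ts in find_bruteforce_sources(constructed_sample_log()).items():
        print(f"possible brute force from {ip}, threshold crossed at {ts.isoformat()}")
```

Running it against a real DVWA access.log only needs the file's lines passed to find_bruteforce_sources; the single legitimate login from the second host stays below the threshold and is not reported.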