How To Create a Virtual Lab For Web Penetration Testing

MODULE 15:- Website Hacking

  1. How To Create a Virtual Lab For Web Penetration Testing
  2. How to use httrack website copier command line
  3. How to use httrack website copier graphically
  4. Free Website Vulnerability Scanner – W3af in Kali Linux
  5. How to use Arachni scanner for Web Application vulnerability in Kali Linux
  6. Inject SQL Injection Script by using Firebug | SQLi Part1
  7. Mutillidae Part 2: Command Injection Database Interrogation

How to install Mutillidae on Fedora 20

What is Mutillidae?

OWASP Mutillidae project is a free, open source, deliberately vulnerable web-application giving a focus to web-security lover.

With many vulns and clues to help the client; this is a simple to-utilize web hacking environment intended for labs, security devotee, classrooms, CTF, and weakness appraisal apparatus targets. Mutillidae has been utilized within graduate security courses, corporate web sec instructional classes, and as a “survey the assessor” focus for defenselessness evaluation programming.

Pre-Requisite

Installed Fedora on VirtualBox
How to install Fedoar on VirtualBpX Click Here

Downloaded Latest version of mutillidae
http://sourceforge.net/projects/mutillidae/

Step 1: Configure Fedora 20 Virtual Machine Settings

  1. Open VirtualBox
    Start your Host Computer, Go to
    Start à All Program à Oracle VM VirtualBox à Oracle VM VirtualBox
    OR
    Click the Start Button
    Type “VirtualBox” in the search Box
    Click On Oracle VM VirtualBox
  2. Edit Fedora Virtual Machine Settings

    Select Fedora Virtual Machine
    Click on the Setting button, exist left top corner of VirtualBox
    Edit Network Adapter: Highlight Network in left menu option, Then configure network Attached to: NAT
    Configure VirtualBox before start installation of Fedora

Step 2: Configure Fedora for Mutillidae

  1. Hilight Fedora Virtual Machine then click on “Start” icon on the top left corner of VirtualBox
  2. Login to Fedora

    Username: Victim Fedora
    Password: <Whatever you Set>
    Open terminal and switch to “root” root by using following command
    $su
    <password what ever you set for “root” user>
    Mutillidae Login

  3. Open Console Terminal and Check the connectivity with internet by using following command:
    #ping www.google.com

Step 3: Disable SELinux

  1. Open the SELinux configuration file with any text editor software in Linux
    #gedit /etc/selinux/config 2> /dev/null &Mutillidae disabled
    gedit: is a text editor for the GNOME Desktop.
    /etc/selinux/config, is the file name.
    2> /dev/null, sends standard error messages to a black hole (/dev/null)
    The “&” is used to run gedit in the background
  2. Delete enforcing.

    Take cursor down to SELINUX=enforcing inside the /etc/selinux/config file
    Delete the enforcing word.
    Replace “enforcing” with the word “disabled”
    Click the save file
    Mutillidae enforcing

  3. Next two commands are required to disabled SELinux properly
    #setenforce 0
    #sestatus
    Mutillidaesetenforce
  4. Disable the Firewall

    #service iptables stop
    #chkconfig iptables off (
    is used to disable firewall permanently)

Step 4: Install Required packages

  1. Install Apache httpd Server
    Apache is a Web server used to make computer work as Web Server It can installed in Fedora by using following commands
    #yum install httpd.i686
    “y”
    (It will ask later for use confirmation)
    yum install httpd
  2. Start Apache Server
    Apache listening Daemon can be started by using following command:
    #service httpd start
    Check the status Apache is running or not
    #ps –eaf | grep httpd
    #chkconfig –level 2345 httpd on
    These command is used to start up script of httpd for given run levels 2, 3, 4, and 5.
    start service httpd
  3. Install mysql and mysql-server
    #yum install mysql.i686

Is this okay [y/N]: y and hit enter to proceed
#yum install mysql-server
install mysql
 Is this okay [y/N]: y and hit enter to proceed
#service mysqld start

service mysqld start
Service mysqld can be made to run at every startup then, it is created a startup script for run level 2, 3, 4, and 5. Setup the password for mysql “root” user password to “toor” by using given commands
#mysqladmin –uroot password toor
set root database password
Login to mysql
#mysql –uroot –p (Enter)
Enter the password: toor
>show databases;
>quit
login with mysql
Allow Remote Access to MySQL
Remote access is not part of Mutillidae installation. Remote Access can be allowed by using following commad.
#echo “use mysql; GRANT ALL PRIVILEGES ON * .* TO ‘root’@’%’ IDENTIFIED BY ‘toor’ WITH GRAN OPTION;” | mysql –uroot -ptoor
remot access allow

  1. Install PHP
    Install PHP:
    #yum install php.i686
    Is this okay [y/N]: y and hit enter to proceed
    install php on fedora
    install php-mysql:
    #yum install php-mysql
    Is this okay [y/N]: y and hit enter to proceed
    install php-mysql in fedora
    Install php-pear
    #yum install php-pear php-pear-DB
    Is this okay [y/N]: y and hit enter to proceed
    Install php-pear in Fedora
    Install php-mbstring
    #yum install php-mbstring
    Is this okay [y/N]: y and hit enter to proceed
    Install php-mbstring in Fedora
    Open & Edit php.ini
    #gedit /etc/php.ini 2> /dev/null &
    gedit is a text editor for Linux platform “/etc/php.ini” is php configuration file. The “&” is used to open gedit in the background
    Search à Find..
    Search for: ; extension
    Click to find button
    In the next line of ‘; extension_dir = “./”’ add the following code
    extension=mysql.so
    Save and close the file.Restart Apache :
    #service httpd restart
    Install wget :
    #yum install wget
    Is this okay [y/N]: y
  2. Install Mutillidae
    Download the Unzip file of Mutillidae project for Web penetration testing
    Copy in /var/www/html
    unzip LATEST-mutillidae-<latest Version>
    unzip mutillidae for web server
    Open & Edit MySQLHandler.php
    #
    cd mutillidae/classes/
    #ls –lrta
    # gedit MySQLHandler.php 2> /dev/null &
    The MySQLHandler.php is the file of mutillidae database configuration file. Arrow down at the line “$mMySQLDatabasePassword = “” and set the password as “toor”. Save and close the file
    go to mysqlhandler use for edit
    Change the ownership:
    Go inside the location /var/www/html
    #chown apache:mysql mutillidae
    #chmod 770 mutillidae
    #ls –ld mutillidae
    change the ownership of mutillidae
    Start the Firefox
    And enter http://loacalhost/mutillidae in Address bar.
    mutillidae setup
    Click on setup/reset the Database
    Setting up the database
    Click Ok button
  3. Welcome to Mutillidae ………
    mutillidae final

Vijay Kumar

Ethical Hacking & Penetration Testing Trainer, For more detail view My Profile

Latest posts by Vijay Kumar (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *