You’ve decided to wear a hat, now what?

Now it’s time to start getting our game up. Remember I said we’d be getting back to the “what” of hacking? Well, that time has arrived. As I recall, we came to an agreement that the word hacker itself implies a state of being. So I’m sure we’re on the same page when I say it’s going to take more than just choosing a hat and downloading a penetration testing distribution. If you sincerely read through some of the articles and docs in the links I shared... and you’re still here reading this post, then I’m fairly confident that you have what it takes to stick this decision out to fruition. Give yourself a pat on the back. You’re doing just fine.

With all of these neat little powerful tools at your fingertips, you’re probably itching for something to hack, aren’t you? You may have even already started querying the search engine with “how to” + “Kali Linux” questions. If so, your head is probably spinning with the amount of information returned on the possibilities: the articles, the videos, and so on. It’s all out there for the curious mind to indulge itself. The thing is, the art of hacking is very rarely performed in such a reckless and impulsive manner. In fact, there’s an actual methodology that a penetration test follows (which we’ll get into later on). But for now, to keep you from trying out something you came across in the search results on a “live” system and, best case scenario, ending your pen test career before you’ve even learned how to get root, I’m going to introduce you to a way you can try out as many tricks of the trade as suits your fancy. Risk free and, well, “free free”. As in, free! Doesn’t cost a cent. But you get my point.

I’m going to walk you through installing Damn Vulnerable Web Application (DVWA). You can read a description and a lot more about what it is right on the homepage of the site.

1. Once you have it downloaded, open up a terminal, go to where you saved your download and run the unzip command. Your set up should look fairly similar to the screenshot.

(screenshot: unzipDVWA)

(This next screenshot will probably be more similar to what you’re seeing in your shell (terminal), assuming you didn’t move the download from its default location. In the beginning I moved the download to the Desktop because I wanted you to practice a few minor skills in Linux. But I thought what the heck and restarted the process with the system defaults. All designed to screw you up, I admit. Kidding. Laugh.)

2. Next, you’ll want to move and rename the app to something short and sweet like dvwa. 🙂

(screenshot: moveandnameDVWA)

3. Then, you’re going to start the Apache web server and the MySQL database and check the status of each.

(screenshot: serviceApachestartStatus)

(screenshot: ServiceMysqlStartStatus)

You can also verify that the Apache service is running by going to your web browser, typing 127.0.0.1 in the address bar and pressing enter. Success? Yes, no... maybe so, dunno?

4. Now go back to the address bar of your web browser and type in localhost/dvwa. If all went well you should be greeted with the front page of the application, something along the lines of this.

(screenshot: localhost)

Here you’ll want to take note of the second line and what it says about receiving an error message.

5. You’ll need to go into that config file and edit the DB password value only. It’s the line right below the DB user line. This will normally need to match the password you set up for your MySQL database. If all else fails, there’s a default password in place for troubleshooting that will get you right in without a problem, and you should be good from there. (That’s a hint and a lesson in itself, by the way. One which... yes... we’ll cover.)

(screenshot: changepassworddvwa)

6. Last but not least, once you’ve successfully logged into the application, go to the Security tab and change the difficulty level. Since you’re just starting out, you’ll want this set to low.

(screenshot: changeseclevel)
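Step 5 done from the shell, as an added example that is not part of the original post: a helper that changes only the DB password line in a DVWA-style config file and reads it back, so you can confirm the shipped default is actually gone. It assumes DVWA's config/config.inc.php layout with the $_DVWA[ 'db_password' ] = '...'; line (the post names neither the file nor the key) and works on a constructed config fragment in a scratch file, not your real install.

```shell
#!/bin/sh
# Added example, not from the original post: a helper for step 5.
# It rewrites only the db_password line of a DVWA-style config and reads it
# back, so you can check the shipped default was really replaced.
# Assumption: the file uses DVWA's  $_DVWA[ 'db_password' ] = '...';  line
# (the post names neither the file nor the key; config/config.inc.php is assumed).

set -eu

# set_dvwa_db_password CONFIG_FILE NEW_PASSWORD
# Only the line containing 'db_password' is touched; db_user etc. stay as-is.
# Passwords containing a single quote are not handled (PHP would need escaping too).
set_dvwa_db_password() {
    cfg=$1
    newpw=$2
    # Escape the characters sed treats specially in a replacement: & / \
    esc=$(printf '%s' "$newpw" | sed 's/[&/\\]/\\&/g')
    sed "/'db_password'/s/= *'[^']*';/= '${esc}';/" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# get_dvwa_db_password CONFIG_FILE -> prints the current password value
get_dvwa_db_password() {
    sed -n "/'db_password'/s/.*= *'\([^']*\)';.*/\1/p" "$1"
}

# is_default_db_password CONFIG_FILE -> succeeds if DVWA's shipped default is still set
is_default_db_password() {
    [ "$(get_dvwa_db_password "$1")" = 'p@ssw0rd' ]
}

# Demo on a constructed config fragment in a scratch file, not a real install
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = 'localhost';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
EOF
    if is_default_db_password "$tmp"; then echo "default DB password still set, changing it"; fi
    set_dvwa_db_password "$tmp" 'correct horse&battery/staple'
    echo "db_password is now: $(get_dvwa_db_password "$tmp")"
    rm -f "$tmp"
}

demo
```

To apply it to your own install, call set_dvwa_db_password with the path of your config file and the password you gave MySQL instead of running demo.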

And there you have it. As the web site puts it:

The main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers understand the process of securing web applications and aid teachers/students to teach/learn web application security in a class room environment

Nice, eh? When I told you all of this was free, I guess I left out the part about the work you’d have to put in. The main thing is not to panic and to take it slow. Rome wasn’t built in a day and neither will your hacking skills be. Patience is a virtue. If you get stuck on any part or have questions, feel free to give me a shout out. I promise to get back in touch with you and we’ll give it a whirl together. Enjoy.
