Set up a Vulnerable Web Server (DVWA) on Kali Linux localhost

Why do we need a vulnerable web server?


Attacking a website or server on the internet without legal permission is a crime. Practice makes perfect, but where do we practise our hacking skills?

A simple answer is on our localhost. Localhost is a locally hosted web server: it runs on our own PC and is not exposed to the internet.


There is a famous quote: "There is no place like 127.0.0.1". 127.0.0.1 is our home server, the local server. It is an excellent place to learn and practise our skills, and nothing beats localhost for that.

How to set it up?


Setting up a vulnerable server is very easy. Now we set up DVWA on our Kali Linux machine.

DVWA stands for Damn Vulnerable Web Application, and yes, it is very vulnerable on purpose. Security researchers, penetration testers and ethical hackers use this web application to test their skills and run their tools in a legal environment.

setup DVWA in Kali Linux

DVWA is designed for practising some of the most common web vulnerabilities. It is written in PHP and uses MySQL. Let's start without wasting time.

In a Linux environment, localhost files are stored in the /var/www/html directory, so we open a terminal and change to that directory using the following command:

cd /var/www/html
Here we clone DVWA from its GitHub repository. To clone it we run the following command:

git clone https://github.com/ethicalhack3r/DVWA
cloning DVWA from GitHub

After the cloning completes, we rename DVWA to dvwa (this is not necessary, but it saves typing later).

mv DVWA dvwa
Then we change the permissions on the dvwa directory using the following command:

chmod -R 777 dvwa/
changing permission of dvwa

Now we have to set up this web application so that it runs properly. For that we go into the dvwa/config directory.

cd dvwa/config
Using the ls command we can see the list of files.

ls

configure the DVWA


In the above screenshot we can see the config.inc.php.dist file. This file contains the default configuration. We need to make a copy of it with a .php extension; we copy rather than rename so that if anything goes wrong later we still have the default values. So we copy the file to config.inc.php using the following command:

cp config.inc.php.dist config.inc.php
Then we check for the copied file using the ls command:

ls
config.inc.php.dist

Then we use the nano editor to make changes to our newly created PHP file.

nano config.inc.php
The screenshot follows:

editing config.inc.php

In this part we change the password p@ssw0rd to pass and the user from root to user. Watch the following screenshot:

changes in config.inc.php file

Then we press CTRL+X, press Y to confirm the changes, and press Enter to save and exit.

Next is configuring the database.

Here we have opened a new terminal window and closed the previous one. First we start MySQL using the following command:

service mysql start
If there are no errors, the service has started.

Now let's log in to MySQL using the following command:

mysql -u root -p
Here in our Kali Linux root is our superuser name; if we use a different user, we need to change that.

In the password field we press Enter without typing a password, because we haven't set one. MySQL will now open as in the following screenshot:

mysql in Kali Linux

Now, to set up a database, we start by creating a new user with the following command:

create user 'user'@'127.0.0.1' identified by 'pass';
With this command we create a user called 'user' that connects from 127.0.0.1 (localhost) with the password 'pass'. Remember that this username and password must be exactly the same as the username and password we entered in the DVWA configuration file.

creating new user in database

In the screenshot we can see the query is OK. That means the user has been created.

Then we grant this user all privileges on the database. For that we type the following command:

grant all privileges on dvwa.* to 'user'@'127.0.0.1' identified by 'pass';
grant user privileges over database

We have finished the database work; now we configure the server. For this we need to configure our apache2 server. Let's change our directory to /etc/php/7.3/apache2.

Here we are using PHP version 7.3; with another version the path will be different.

cd /etc/php/7.3/apache2
Here we configure the php.ini file using leafpad or any good text editor. We have used the mousepad editor.

mousepad php.ini
We need to change the allow_url_fopen and allow_url_include values and set both of them to 'On'. When configuring it for the first time, we may find that one or both of these settings are 'Off'. We have turned both to 'On', as in the following screenshot:

server configuration

Then we save and close the file.

Then we start the apache2 server using the following command:

service apache2 start
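The two hand edits above (config.inc.php credentials and the php.ini allow_url_* directives) and the MySQL user that must match them can be scripted so they come from one source. The block below is an added example, not code from the original post or from the DVWA project; it assumes the stock `$_DVWA[ 'key' ] = 'value';` line format of config.inc.php.dist and the `directive = value` format of php.ini, and it builds its own constructed sample files instead of touching the real paths.

```shell
# Added example (not from the original post): helpers that apply the two hand edits
# made above (db_user/db_password in config.inc.php, allow_url_* in php.ini), read
# them back, and print CREATE USER/GRANT statements from the same values so the DB
# user cannot drift from the app config. Assumes values contain none of ' | &.
# Sample files below are constructed; real paths are
# /var/www/html/dvwa/config/config.inc.php and /etc/php/7.3/apache2/php.ini.
# Rewrite FILE in place with a sed expression (no reliance on GNU 'sed -i').
_sed_inplace() { sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"; }
# Set / read the $_DVWA[ 'KEY' ] = '...'; entry of config.inc.php.
dvwa_set() {  # dvwa_set FILE KEY VALUE
    _sed_inplace "s|^\([$]_DVWA\[ *'$2' *] *= *\)'[^']*';|\1'$3';|" "$1"
}
dvwa_get() {  # dvwa_get FILE KEY  -> prints the bare value
    sed -n "s|^[$]_DVWA\[ *'$2' *] *= *'\([^']*\)';.*|\1|p" "$1"
}
# Set a php.ini directive to On whether it is currently Off, On or ';'-commented.
# allow_url_include=On is what exposes DVWA's file inclusion lab: a lab-only setting.
ini_set_on() {  # ini_set_on FILE DIRECTIVE
    if grep -q "^;*[[:space:]]*$2[[:space:]]*=" "$1"; then
        _sed_inplace "s|^;*[[:space:]]*$2[[:space:]]*=.*|$2 = On|" "$1"
    else
        printf '%s = On\n' "$2" >> "$1"
    fi
}
# Print a directive's effective value; empty when absent or commented out.
ini_get() {  # ini_get FILE DIRECTIVE
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*|\1|p" "$1"
}
# Emit the MySQL statements matching config.inc.php. GRANT ... IDENTIFIED BY (used
# in the post) was removed in MySQL 8, so the password is set on CREATE USER instead.
dvwa_sql_for() {  # dvwa_sql_for FILE
    u=$(dvwa_get "$1" db_user) p=$(dvwa_get "$1" db_password)
    h=$(dvwa_get "$1" db_server) d=$(dvwa_get "$1" db_database)
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$u" "$h" "$p"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s';\n" "$d" "$u" "$h"
}
# Constructed sample files mirroring the defaults shown in the post's screenshots.
make_samples() {  # make_samples DIR
    printf '%s\n' '<?php' "\$_DVWA[ 'db_server' ]   = '127.0.0.1';" \
        "\$_DVWA[ 'db_database' ] = 'dvwa';" "\$_DVWA[ 'db_user' ]     = 'root';" \
        "\$_DVWA[ 'db_password' ] = 'p@ssw0rd';" > "$1/config.inc.php"
    printf '%s\n' '[PHP]' 'allow_url_fopen = Off' ';allow_url_include = Off' > "$1/php.ini"
}
# Stand-alone run on the constructed samples: apply the post's edits, then show the result.
dir=$(mktemp -d); make_samples "$dir"
dvwa_set "$dir/config.inc.php" db_user user; dvwa_set "$dir/config.inc.php" db_password pass
ini_set_on "$dir/php.ini" allow_url_fopen; ini_set_on "$dir/php.ini" allow_url_include
dvwa_sql_for "$dir/config.inc.php"; grep allow_url "$dir/php.ini"
```

Pointing the same helpers at the real paths (as root) replaces the nano and mousepad steps, and piping the printed SQL into mysql replaces the two hand-typed queries.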

Let's open the browser and navigate to 127.0.0.1/dvwa/. On the first visit it opens setup.php, as shown in the screenshot.

DVWA setup screen

Here we scroll down and click on "Create/Reset Database".

creating database on DVWA
It will then create and configure the database, and we are redirected to the DVWA login page.

DVWA default login


The default login is
  • Username:- admin
  • Password:- password
After logging in we are on the Damn Vulnerable Web Application main page. Here we find some general information and warnings.
DVWA Main page

On the left side we can see the many vulnerable pages available for practice.

DVWA has different security levels; to change them we navigate to DVWA Security. The levels are low, medium, high and impossible. We can choose the difficulty we need.

DVWA security Level

Now we can run penetration testing tools and techniques in our localhost.

This is how we can set up DVWA, Damn Vulnerable Web Application, on our Kali Linux system. It is very helpful for beginners and advanced users alike because of its multiple security levels.

Tell us which kind of vulnerability you would try first. For any problem feel free to comment below, and follow us on Blogger, Twitter and Medium for more updates and Kali Linux tutorials.
Kali Linux

Comments

19 comments
  • antu, April 3, 2020 at 12:45 PM

    it worked...thanks...

    • Anonymous, July 6, 2021 at 9:03 AM

      This trick is right and very good too, thank you so much sir

      • Kali Linux, July 6, 2021 at 5:51 PM

        Thanks for your valuable comment. You might find this article easier and faster to use.

      • Unknown, April 15, 2020 at 11:27 AM

        thanks

        • Unknown, April 19, 2020 at 1:02 AM

          It's really helpful.

          • Moss1980, May 11, 2020 at 3:18 AM

            Hi,
            I'm trying to do this on AWS Ubuntu. Is MySQL a prerequisite or does the installer install mysql?

            I'm hitting an error at service mysql start:

            Failed to start mysql.service: Interactive authentication required.
            See system logs and 'systemctl status mysql.service' for details.
            $ systemctl status mysql.service
            Unit mysql.service could not be found.

            Thanks

            • Kali Linux, May 12, 2020 at 7:57 AM

              Most probably mysql doesn't run with user root, which is what you need to use systemctl. Therefore you should execute your command using sudo.

            • Moss1980, May 13, 2020 at 12:09 PM

              Unfortunately that didn't work. Do I need to install and configure mysql first?

              $ sudo find . -name mysql
              ./snap/core/9066/etc/apparmor.d/abstractions/mysql
              ./snap/core/9066/usr/share/bash-completion/completions/mysql
              ./snap/core18/1705/etc/apparmor.d/abstractions/mysql
              ./snap/core18/1705/usr/share/bash-completion/completions/mysql
              ./snap/core18/1754/etc/apparmor.d/abstractions/mysql
              ./snap/core18/1754/usr/share/bash-completion/completions/mysql
              ./usr/share/bash-completion/completions/mysql
              ./etc/apparmor.d/abstractions/mysql

              $ sudo service --status-all
              $ sudo service mysql start
              Failed to start mysql.service: Unit mysql.service not found.

              • Kali Linux, May 13, 2020 at 12:52 PM

                I think this is because you are using the client software and not the server.
                Uninstall and reinstall again.

                Uninstalling:

                sudo apt-get purge mysql-server
                sudo apt-get autoremove
                sudo apt-get autoclean

                Re-Installing:

                sudo apt-get update
                sudo apt-get install mysql-server

                Backup entire folder before doing this:

                sudo rm /etc/apt/apt.conf.d/50unattended-upgrades*
                sudo apt-get update
                sudo apt-get upgrade

              • Moss1980, May 16, 2020 at 2:33 AM

                Thanks for this, finally got it working!

                I started again with the Kali Linux distro on AWS and that worked. For GUI access, I used this
                https://www.hack4charity.org/2017/09/13/securely-accessing-kali-linux-with-gui-on-amazon-ec2-from-window-host/

                • Unknown, July 7, 2020 at 7:06 PM

                  That worked, thanks.
                  Of all the articles I have gone through, this one is really legit.

                  • Anonymous, September 3, 2020 at 7:58 AM

                    It worked perfectly! Thank you so much

                    • Unknown, October 13, 2020 at 10:35 PM

                      Bro, it worked.
                      After closing the virtual machine,
                      if I want to work on DVWA again,
                      do I have to repeat the same procedure?

                    • TUTOR, April 30, 2021 at 1:54 PM

                      I have this error, sir:

                      elcot@boss:/var/www/html/DVWA/config$ mysql -u elcot -p
                      Enter password:
                      ERROR 1698 (28000): Access denied for user 'elcot'@'localhost'

                      Please help me.

                    • spydr, June 7, 2021 at 3:06 PM

                      It was explained in a very good manner.
                      Worked perfectly.

                      • Kali Linux, June 7, 2021 at 6:06 PM

                        Your compliment boosts our motivation to do something more awesome. Thanks a lot. There is another easy way to set up dvwa and other pentest labs on our system. You can check out this article.

                        • Unknown, July 24, 2021 at 4:46 PM

                        Thank you so much.
