Set up a vulnerable web server, DVWA, on Kali Linux localhost

Why do we need a vulnerable web server?


Attacking a website or server on the internet without permission is a crime. Practice makes perfect, but where do we practice our hacking skills?

The simple answer is on our localhost: a web server running on our own PC, reachable only from that machine and not exposed to the internet.


There is a famous saying, "There is no place like 127.0.0.1". 127.0.0.1 is the loopback address, our own machine. It is the best place to learn and practice, because nothing we break there belongs to anyone else.

How to set it up


Setting up a vulnerable server is easy. Here we set up DVWA on our Kali Linux machine.

DVWA stands for Damn Vulnerable Web Application, and it is deliberately very vulnerable. Security researchers, penetration testers and ethical hackers use it to test their skills and run their tools in a legal environment.

setup DVWA in Kali Linux

DVWA is designed for practising the most common web vulnerabilities. It is written in PHP and backed by MySQL (MariaDB on Kali). Let's start.

On Debian-based systems such as Kali, Apache serves files from /var/www/html, so we open a terminal and change into that directory:

cd /var/www/html
Here we clone DVWA from its GitHub repository:

git clone https://github.com/ethicalhack3r/DVWA
cloning DVWA from GitHub

After the clone completes, we rename DVWA to dvwa (not required, but it saves typing capitals in every URL).

mv DVWA dvwa
Then we make the directory writable by the web server. The quick way, used here, is to make everything world-writable:

chmod -R 777 dvwa/
changing permission of dvwa

That is far more than DVWA needs: its setup page only requires that the config directory and hackable/uploads are writable by the Apache user (www-data on Kali). Giving those two paths to www-data with chown does the same job without making every file on the site writable by any local account.

Now we configure the application. Its settings live in the config directory:

cd dvwa/config
ls lists the files there:

ls

configure the DVWA


In the screenshot we can see config.inc.php.dist, which holds the default configuration. DVWA reads config.inc.php, so we copy the template to that name rather than renaming it; the untouched .dist file keeps the defaults in case anything goes wrong later:

cp config.inc.php.dist config.inc.php
ls now shows both the template and the copy:

ls
config.inc.php  config.inc.php.dist

Then we edit the new file with nano:

nano config.inc.php
It looks like this:

editing config.inc.php

We change two values in the $_DVWA array: db_user from root to user, and db_password from p@ssw0rd to pass. db_server stays 127.0.0.1. See the screenshot:

changes in config.inc.php file

Then we press Ctrl+X, Y to confirm, and Enter to save and exit.

Next we configure the database.

In a fresh terminal we first start the database service (MariaDB on Kali, which still answers to the mysql service name):

service mysql start
If there are no errors, the service is running.

Now we log in to the database shell:

mysql -u root -p
root here is the database superuser, not necessarily our Linux login. On current Kali, MariaDB's root account authenticates through the unix socket, so run this from a root shell (or with sudo); running it as an ordinary user fails with ERROR 1698 (28000): Access denied.

At the password prompt we just press Enter, since no password is set, and the mysql shell opens as in the screenshot:

mysql in Kali Linux

To set up the database we start by creating a new user:

create user 'user'@'127.0.0.1' identified by 'pass';
This creates a user named user, allowed to connect from 127.0.0.1 (localhost over TCP), with the password pass. The username, password and host must match db_user, db_password and db_server in config.inc.php; if the config said localhost instead of 127.0.0.1, PHP would connect over the unix socket and the 'user'@'127.0.0.1' account would not match.

creating new user in database

The screenshot shows Query OK, so the user has been created.

Then we grant this user all privileges on the dvwa database (DVWA's setup page creates it later):

grant all privileges on dvwa.* to 'user'@'127.0.0.1' identified by 'pass';
grant user privileges over database

The identified by clause is redundant here, because create user already set the password; MariaDB accepts it, but MySQL 8 rejects it, so leave it off there.

That's the database done; now we configure PHP for the Apache server. The settings live under /etc/php/<version>/apache2. Here the version is 7.3, so check which version is installed under /etc/php/ and adjust the path if yours differs:

cd /etc/php/7.3/apache2
Here we edit php.ini with any text editor; we used mousepad:

mousepad php.ini
We need to set allow_url_fopen and allow_url_include to On. On a fresh install allow_url_include is Off and allow_url_fopen may be too; DVWA's file inclusion module needs both for the remote file inclusion exercise. These settings make PHP unsafe, which is exactly what we want on a lab box, but never carry them over to a server anyone else can reach. Both set to On, as in the screenshot:

server configuration

Then we save and close the file.

Then we start apache2 (or restart it if it was already running, so the php.ini change is picked up). Kali does not enable services at boot, so after a reboot we start mysql and apache2 again; the files and the database persist:

service apache2 start
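The whole procedure above as one repeatable script, added here as an example; it is not from the original post or from the DVWA project. It assumes the Debian/Kali layout (/var/www/html, the www-data Apache user, php.ini under /etc/php/<version>/apache2) and defaults to the credentials used above (user/pass). It departs from the hand-typed steps in two deliberate places: it hands the two writable paths to www-data instead of chmod -R 777, and its GRANT omits the redundant IDENTIFIED BY. Only the section guarded by DVWA_APPLY=1 touches the system; the functions above it just rewrite the two config files and print the SQL, so they can be tried on copies first.

```shell
#!/bin/sh
# Added example (not from the original post or the DVWA project): the setup
# above as a repeatable script. Assumes Debian/Kali paths (/var/www/html,
# www-data, /etc/php/<ver>/apache2/php.ini); credentials default to the
# post's user/pass. Only the DVWA_APPLY=1 section touches the system.
set -eu

DVWA_USER="${DVWA_USER:-user}"
DVWA_PASS="${DVWA_PASS:-pass}"

# Reject values that would break the sed replacement or the SQL string literal.
safe_value() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d "'/&\\\\")" = "$1" ]
}

# Write config.inc.php from the .dist template, changing only db_user and
# db_password (the two lines the post edits by hand in nano).
render_dvwa_config() {   # $1 = config.inc.php.dist, $2 = output file
    safe_value "$DVWA_USER" && safe_value "$DVWA_PASS" || return 1
    sed -e "s/^\([$]_DVWA\[ *'db_user' *\] *= *\)'[^']*'/\1'$DVWA_USER'/" \
        -e "s/^\([$]_DVWA\[ *'db_password' *\] *= *\)'[^']*'/\1'$DVWA_PASS'/" \
        "$1" > "$2"
}

# Set a php.ini directive, uncommenting it if it is commented out and
# appending it if it is missing. allow_url_fopen/allow_url_include = On are
# needed by DVWA's remote file inclusion exercise and are unsafe anywhere else.
set_php_ini() {   # $1 = php.ini, $2 = directive, $3 = value
    if grep -q "^;\{0,1\} *$2 *=" "$1"; then
        sed -i "s/^;\{0,1\} *$2 *=.*/$2 = $3/" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# SQL for the account DVWA connects with. The password goes on CREATE USER;
# the GRANT does not repeat IDENTIFIED BY (MariaDB tolerates that, MySQL 8
# rejects it). Host 127.0.0.1 must match db_server in config.inc.php.
dvwa_db_sql() {
    safe_value "$DVWA_USER" && safe_value "$DVWA_PASS" || return 1
    printf "CREATE USER IF NOT EXISTS '%s'@'127.0.0.1' IDENTIFIED BY '%s';\n" "$DVWA_USER" "$DVWA_PASS"
    printf "GRANT ALL PRIVILEGES ON dvwa.* TO '%s'@'127.0.0.1';\n" "$DVWA_USER"
    printf 'FLUSH PRIVILEGES;\n'
}

if [ "${DVWA_APPLY:-0}" = 1 ]; then   # run as root: DVWA_APPLY=1 sh dvwa-setup.sh
    WEBROOT=/var/www/html
    [ -d "$WEBROOT/dvwa" ] || git clone https://github.com/ethicalhack3r/DVWA "$WEBROOT/dvwa"
    render_dvwa_config "$WEBROOT/dvwa/config/config.inc.php.dist" "$WEBROOT/dvwa/config/config.inc.php"
    # Write access only where setup.php checks for it, owned by the Apache
    # user, instead of chmod -R 777 over the whole tree.
    chown -R www-data:www-data "$WEBROOT/dvwa/config" "$WEBROOT/dvwa/hackable/uploads"
    service mariadb start 2>/dev/null || service mysql start
    dvwa_db_sql | mysql -u root          # MariaDB root on Kali: unix socket auth, no -p
    PHPINI=$(ls /etc/php/*/apache2/php.ini 2>/dev/null | tail -n 1)   # newest installed version
    [ -f "$PHPINI" ] || { echo "no apache2 php.ini under /etc/php" >&2; exit 1; }
    set_php_ini "$PHPINI" allow_url_fopen On
    set_php_ini "$PHPINI" allow_url_include On
    service apache2 restart
    echo "open http://127.0.0.1/dvwa/setup.php and click Create / Reset Database"
fi
```

safe_value is there because both the sed replacement and the SQL string are built by interpolation; a password containing a quote, slash, ampersand or backslash would silently corrupt one or the other, so the script refuses it instead. If setup.php still reports a folder it cannot write to, add that path to the chown line rather than falling back to 777.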

Open a browser and navigate to http://127.0.0.1/dvwa/. On the first visit DVWA redirects to setup.php, shown in the screenshot.

DVWA setup screen

Scroll down and click "Create / Reset Database". The setup page also lists any folder it still needs writable and any PHP setting it wants changed, so check that list before clicking.

creating database on DVWA
DVWA creates the tables and redirects us to the login page.

DVWA default login


The default login is
  • Username:- admin
  • Password:- password
After logging in we land on the DVWA main page, which shows general information and warnings.
DVWA Main page

The menu on the left lists the vulnerable modules we can practise against.

DVWA has four security levels, low, medium, high and impossible, selected on the DVWA Security page. The chosen level is stored in the security cookie; each level hardens the same modules a little more, and impossible is the reference secure implementation to compare the vulnerable code against.

DVWA security Level

Now we can run penetration testing tools and techniques against our own localhost.
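Most tools need a logged-in session before they can reach the modules, so the first thing to script is the login. The following is an added example, not code from the original post or from the DVWA project: it logs in from the shell, sets the security level, and leaves the session cookie in a jar that other tools can reuse. It assumes the URL below, the default admin/password account, and DVWA's form field names as found in its login and security pages (username, password, Login and the hidden anti-CSRF user_token; security and seclev_submit).

```shell
#!/bin/sh
# Added example (not from the original post or the DVWA project): log in to
# the DVWA set up above from the shell and pick a security level, so
# command-line tools can reuse the session cookie. Assumes the URL below, the
# default admin/password account, and DVWA's form field names (username,
# password, Login, the hidden anti-CSRF user_token; security, seclev_submit).
set -eu

DVWA_URL="${DVWA_URL:-http://127.0.0.1/dvwa}"
JAR="${JAR:-/tmp/dvwa.cookies}"

# Print the hidden user_token from HTML on stdin; DVWA rejects POSTs without it.
extract_user_token() {
    sed -n "s/.*name=['\"]user_token['\"][^>]*value=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Read the security level DVWA stored in the cookie jar (Netscape format:
# field 6 = cookie name, field 7 = value).
session_security_level() {   # $1 = cookie jar
    awk '$6 == "security" { print $7 }' "$1"
}

dvwa_login() {   # $1 = username, $2 = password; the session ends up in $JAR
    rm -f "$JAR"
    token=$(curl -s -c "$JAR" "$DVWA_URL/login.php" | extract_user_token)
    [ -n "$token" ] || { echo "no user_token on login page" >&2; return 1; }
    # Both outcomes are a 302: success redirects to index.php, failure back to login.php.
    location=$(curl -s -b "$JAR" -c "$JAR" -o /dev/null -w '%{redirect_url}' \
        --data-urlencode "username=$1" --data-urlencode "password=$2" \
        --data-urlencode "Login=Login" --data-urlencode "user_token=$token" \
        "$DVWA_URL/login.php")
    case "$location" in
        *index.php) return 0 ;;
        *) echo "login failed (redirected to: $location)" >&2; return 1 ;;
    esac
}

set_security_level() {   # $1 = low | medium | high | impossible
    token=$(curl -s -b "$JAR" -c "$JAR" "$DVWA_URL/security.php" | extract_user_token)
    curl -s -b "$JAR" -c "$JAR" -o /dev/null \
        --data-urlencode "security=$1" --data-urlencode "seclev_submit=Submit" \
        --data-urlencode "user_token=$token" "$DVWA_URL/security.php"
    [ "$(session_security_level "$JAR")" = "$1" ]
}

if [ "${DVWA_RUN:-0}" = 1 ]; then   # DVWA_RUN=1 sh dvwa-login.sh
    dvwa_login admin password
    set_security_level low
    echo "session saved in $JAR; reuse it with curl -b $JAR or sqlmap --load-cookies=$JAR"
fi
```

The token extraction is the part worth getting right: DVWA issues a fresh user_token per page load and checks it on every POST, so a scanner that replays a captured login form without refetching the token is simply redirected back to login.php and never reaches the vulnerable pages.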

That is how we set up DVWA, Damn Vulnerable Web Application, on Kali Linux. Its graded security levels make it useful for beginners and advanced users alike.

Tell us which vulnerability you will try first. For any problem, comment below, and follow us on Blogger, Twitter and Medium for more updates and Kali Linux tutorials.
Kali Linux

Comments

16 comments
  • antu, April 3, 2020 at 12:45 PM

    It worked... thanks...

  • Unknown, April 15, 2020 at 11:27 AM

    Thanks.

  • Unknown, April 19, 2020 at 1:02 AM

    It's really helpful.

  • Moss1980, May 11, 2020 at 3:18 AM

    Hi,
    I'm trying to do this on AWS Ubuntu. Is MySQL a prerequisite or does the installer install mysql?

    I'm hitting an error at service mysql start:

    Failed to start mysql.service: Interactive authentication required.
    See system logs and 'systemctl status mysql.service' for details.
    $ systemctl status mysql.service
    Unit mysql.service could not be found.

    Thanks

    • Kali Linux, May 12, 2020 at 7:57 AM

      Most probably mysql doesn't run with user root, which is what you need to use systemctl. Therefore you should execute your command using sudo.

    • Moss1980, May 13, 2020 at 12:09 PM

      Unfortunately that didn't work. Do I need to install and configure mysql first?

      $ sudo find . -name mysql
      ./snap/core/9066/etc/apparmor.d/abstractions/mysql
      ./snap/core/9066/usr/share/bash-completion/completions/mysql
      ./snap/core18/1705/etc/apparmor.d/abstractions/mysql
      ./snap/core18/1705/usr/share/bash-completion/completions/mysql
      ./snap/core18/1754/etc/apparmor.d/abstractions/mysql
      ./snap/core18/1754/usr/share/bash-completion/completions/mysql
      ./usr/share/bash-completion/completions/mysql
      ./etc/apparmor.d/abstractions/mysql

      $ sudo service --status-all
      [ + ] acpid
      [ + ] apparmor
      [ + ] apport
      [ + ] atd
      [ - ] console-setup.sh
      [ + ] cron
      [ - ] cryptdisks
      [ - ] cryptdisks-early
      [ + ] dbus
      [ + ] grub-common
      [ - ] hibagent
      [ - ] hwclock.sh
      [ - ] irqbalance
      [ - ] iscsid
      [ - ] keyboard-setup.sh
      [ + ] kmod
      [ - ] lvm2
      [ - ] lvm2-lvmpolld
      [ + ] multipath-tools
      [ - ] open-iscsi
      [ - ] open-vm-tools
      [ - ] plymouth
      [ - ] plymouth-log
      [ + ] procps
      [ - ] rsync
      [ + ] rsyslog
      [ - ] screen-cleanup
      [ + ] ssh
      [ + ] udev
      [ + ] ufw
      [ + ] unattended-upgrades
      [ - ] uuidd
      $ sudo service mysql start
      Failed to start mysql.service: Unit mysql.service not found.

    • Kali Linux, May 13, 2020 at 12:52 PM

      I think this is because you are using the client software and not the server.
      Uninstall and reinstall again.

      Uninstalling:

      sudo apt-get purge mysql-server
      sudo apt-get autoremove
      sudo apt-get autoclean

      Re-installing:

      sudo apt-get update
      sudo apt-get install mysql-server

      Back up the entire folder before doing this:

      sudo rm /etc/apt/apt.conf.d/50unattended-upgrades*
      sudo apt-get update
      sudo apt-get upgrade

    • Moss1980, May 16, 2020 at 2:33 AM

      Thanks for this, finally got it working!

      I started again with the Kali Linux distro on AWS and that worked. For GUI access, I used this:
      https://www.hack4charity.org/2017/09/13/securely-accessing-kali-linux-with-gui-on-amazon-ec2-from-window-host/

  • Unknown, July 7, 2020 at 7:06 PM

    That worked, thanks.
    Of all the articles I have gone through, this one is really legit.

  • Anonymous, September 3, 2020 at 7:58 AM

    It worked perfectly!! Thank you so much.

  • Unknown, October 13, 2020 at 10:35 PM

    Bro, it worked.
    After closing the virtual machine, if I want to work on DVWA again, do I have to repeat the same procedure?

  • TUTOR, April 30, 2021 at 1:54 PM

    I have this error, sir:

    elcot@boss:/var/www/html/DVWA/config$ mysql -u elcot -p
    Enter password:
    ERROR 1698 (28000): Access denied for user 'elcot'@'localhost'

    Please help me.

  • spydr, June 7, 2021 at 3:06 PM

    It was explained in a very good manner.
    Worked perfectly.

    • Kali Linux, June 7, 2021 at 6:06 PM

      Your compliment boosts our motivation to do something more awesome. Thanks a lot. There is another easy way to set up DVWA and other pentest labs on our system. You can check this article of ours.