Dr. Mine – Tool To Aid Automatic Detection Of In-Browser Cryptojacking

Dr. Mine is a Node.js script written to aid automatic detection of in-browser cryptojacking. The most accurate way to detect things that happen in a browser is via the browser itself, so Dr. Mine uses Puppeteer to drive a headless browser and catches any requests to online cryptominers. When a request to a known miner is detected, it flags the corresponding URL and the cryptominer in use. However the mining code is written or obfuscated, Dr. Mine will catch it, as long as the miner's host is in the list. The list of online cryptominers is fetched from CoinBlockerLists. Results are also saved to a file for later use.

Note that detection is blocklist-based: a mining script served from a host that is not on the list, or one that proxies its traffic through the site's own origin, will not be flagged.

Features
- Can also process a single URL passed directly via the command line
- All links found on the first (requested) page are also processed, if same-origin
- All configurable options are stored in config.js, allowing easier modification
- To reduce extra bandwidth and processing, all requests to resources like fonts, images, media and stylesheets are aborted

Pre-requisites & Installation
The following three commands should set everything up and running on Arch distros:
pacman -S nodejs npm
git clone https://github.com/1lastBr3ath/drmine.git && cd drmine
npm i --save puppeteer

Please make sure your version of Node is 7.6.0 or greater. For installation assistance or instructions for specific distros, please refer to the respective documents:
https://nodejs.org/en/download/package-manager/
https://docs.npmjs.com/getting-started/installing-node
https://github.com/GoogleChrome/puppeteer#installation

Usage
Dr. Mine accepts either a URL or a file which is expected to contain valid URLs. Usage is as simple as:
node drmine.js list.txt

A sample list.txt looks like:
http://cm2.pw
http://cm2.pw/xmr/
https://example.com/

An example of passing a URL directly via the command line:
node drmine.js http://cm2.pw/xmr/

Download Dr. Mine
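The detection step described above, re-created as an added Python example. This is not Dr. Mine's own code (Dr. Mine is a Node.js/Puppeteer script); it reproduces the two rules the page describes, aborting heavy resource types and flagging requests whose host is on the miner list, over a constructed request log of the kind a Puppeteer request handler would see. The miner list is a constructed stand-in for CoinBlockerLists and assumes a one-host-per-line format with '#' comments.

```python
"""Blocklist-based cryptominer detection over observed browser requests (added example)."""
from urllib.parse import urlsplit

# Constructed stand-in for the CoinBlockerLists file (assumption: one host per line,
# '#' starts a comment). These are not the real list contents.
SAMPLE_LIST = """\
# constructed sample list
coinhive.com
cnhv.co
crypto-loot.com
"""

# Resource types Dr. Mine aborts to save bandwidth and processing.
ABORT_TYPES = {"font", "image", "media", "stylesheet"}

# Constructed request log: (resource_type, url) pairs as a Puppeteer request handler sees them.
SAMPLE_REQUESTS = [
    ("document", "https://example.com/"),
    ("stylesheet", "https://example.com/style.css"),
    ("image", "https://cdn.coinhive.com/logo.png"),       # aborted before any matching
    ("script", "https://example.com/js/app.min.js"),       # obfuscated loader, same origin
    ("script", "https://coinhive.com/lib/coinhive.min.js"),
    ("websocket", "wss://ws001.coinhive.com/proxy"),       # the actual mining channel
    ("xhr", "https://api.example.com/track"),
]


def load_list(text):
    """Parse the host list into a set of lowercase domains."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            hosts.add(line)
    return hosts


def matching_miner(url, miners):
    """Return the listed domain that the URL's host is, or is a subdomain of; else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in miners:
            return candidate
    return None


def same_origin(base_url, link):
    """Scheme, host and port must all match (used to decide which found links to follow)."""
    b, l = urlsplit(base_url), urlsplit(link)
    return (b.scheme, b.hostname, b.port) == (l.scheme, l.hostname, l.port)


def scan(page_url, requests, miners):
    """Apply the two rules: skip aborted resource types, flag requests to listed miner hosts."""
    hits = []
    for rtype, url in requests:
        if rtype in ABORT_TYPES:
            continue
        miner = matching_miner(url, miners)
        if miner:
            hits.append({"page": page_url, "request": url, "miner": miner})
    return hits


if __name__ == "__main__":
    for hit in scan("https://example.com/", SAMPLE_REQUESTS, load_list(SAMPLE_LIST)):
        print("[!] %s -> %s (%s)" % (hit["page"], hit["request"], hit["miner"]))
```

The suffix match is what makes obfuscation irrelevant: the loader script can be minified or renamed at will, but the WebSocket to the mining proxy still has to name a host, and that host is what gets matched.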

Link: http://feedproxy.google.com/~r/PentestTools/~3/PI7H4mRFqgY/dr-mine-tool-to-aid-automatic-detection.html

Gobuster – Directory/File & DNS Busting Tool Written In Go

Gobuster is a tool used to brute-force:
- URIs (directories and files) in web sites.
- DNS subdomains (with wildcard support).

Oh dear God.. WHY!?
Because I wanted:
- ... something that didn't have a fat Java GUI (console FTW).
- ... to build something that just worked on the command line.
- ... something that did not do recursive brute force.
- ... something that allowed me to brute force folders and multiple extensions at once.
- ... something that compiled to native on multiple platforms.
- ... something that was faster than an interpreted script (such as Python).
- ... something that didn't require a runtime.
- ... use something that was good with concurrency (hence Go).
- ... to build something in Go that wasn't totally useless.

Common command line options
-fw - Force processing of a domain with wildcard results.
-m - which mode to use, either dir or dns (default: dir).
-q - disables banner/underline output.
-t <threads> - number of threads to run (default: 10).
-u <url/domain> - full URL (including scheme), or base domain name.
-v - verbose output (show all results).
-w <wordlist> - path to the wordlist used for brute forcing.

Command line options for dns mode
-cn - show CNAME records (cannot be used with the '-i' option).
-i - show all IP addresses for the result.

Command line options for dir mode
-a <user agent string> - specify a user agent string to send in the request header.
-c <http cookies> - use this to specify any cookies that you might need (simulating auth).
-e - specify extended mode that renders the full URL.
-f - append / for directory brute forces.
-k - Skip verification of SSL certificates.
-l - show the length of the response.
-n - "no status" mode, disables the output of the result's status code.
-o <file> - specify a file name to write the output to.
-p <proxy url> - specify a proxy to use for all requests (scheme must match the URL scheme).
-r - follow redirects.
-s <status codes> - comma-separated set of the list of status codes to be deemed a "positive" (default: 200,204,301,302,307).
-x <extensions> - list of extensions to check for, if any.
-P <password> - HTTP Authorization password (Basic Auth only, prompted if missing).
-U <username> - HTTP Authorization username (Basic Auth only).

Building
Since this tool is written in Go you need to install the Go language/compiler/etc. Full details of installation and set up can be found on the Go language website. Once installed you have two options.

Compiling
gobuster now has external dependencies, and so they need to be pulled in first:
gobuster $ go get && go build
This will create a gobuster binary for you. If you want to install it in the $GOPATH/bin folder you can run:
gobuster $ go install

Running as a script
gobuster $ go run main.go <parameters>

Wordlists via STDIN
Wordlists can be piped into gobuster via stdin:
hashcat -a 3 --stdout ?l | gobuster -u https://mysite.com
Note: If the -w option is specified at the same time as piping from STDIN, an error will be shown and the program will terminate.

Examples

dir mode
Command line might look like this:
$ gobuster -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

Default options look like this:
$ gobuster -u http://buffered.io/ -w words.txt

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : words.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/index (Status: 200)
/posts (Status: 301)
/contact (Status: 301)
=====================================================

Default options with status codes disabled look like this:
$ gobuster -u http://buffered.io/ -w words.txt -n

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : words.txt
[+] Status codes : 200,204,301,302,307
[+] No status    : true
=====================================================
/index
/posts
/contact
=====================================================

Verbose output looks like this:
$ gobuster -u http://buffered.io/ -w words.txt -v

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : words.txt
[+] Status codes : 200,204,301,302,307
[+] Verbose      : true
=====================================================
Found : /index (Status: 200)
Missed: /derp (Status: 404)
Found : /posts (Status: 301)
Found : /contact (Status: 301)
=====================================================

Example showing content length:
$ gobuster -u http://buffered.io/ -w words.txt -l

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : /tmp/words
[+] Status codes : 301,302,307,200,204
[+] Show length  : true
=====================================================
/contact (Status: 301)
/posts (Status: 301)
/index (Status: 200) [Size: 61481]
=====================================================

Quiet output, with status disabled and expanded mode looks like this ("grep mode"):
$ gobuster -u http://buffered.io/ -w words.txt -q -n -e
http://buffered.io/posts
http://buffered.io/contact
http://buffered.io/index

dns mode
Command line might look like this:
$ gobuster -m dns -u mysite.com -t 50 -w common-names.txt

Normal sample run goes like this:
$ gobuster -m dns -w subdomains.txt -u google.com

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : google.com
[+] Threads      : 10
[+] Wordlist     : subdomains.txt
=====================================================
Found: m.google.com
Found: admin.google.com
Found: mobile.google.com
Found: www.google.com
Found: search.google.com
Found: chrome.google.com
Found: ns1.google.com
Found: store.google.com
Found: wap.google.com
Found: support.google.com
Found: directory.google.com
Found: translate.google.com
Found: news.google.com
Found: music.google.com
Found: mail.google.com
Found: blog.google.com
Found: cse.google.com
Found: local.google.com
=====================================================

Show IP sample run goes like this:
$ gobuster -m dns -w subdomains.txt -u google.com -i

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : google.com
[+] Threads      : 10
[+] Wordlist     : subdomains.txt
[+] Verbose      : true
=====================================================
Found: chrome.google.com [2404:6800:4006:801::200e,]
Found: m.google.com [, 2404:6800:4006:801::200b]
Found: www.google.com [,,,,, 2404:6800:4006:801::2004]
Found: search.google.com [2404:6800:4006:801::200e,]
Found: admin.google.com [, 2404:6800:4006:801::200e]
Found: store.google.com [, 2404:6800:4006:801::200e]
Found: mobile.google.com [, 2404:6800:4006:801::200b]
Found: ns1.google.com []
Found: directory.google.com [, 2404:6800:4006:801::200e]
Found: translate.google.com [, 2404:6800:4006:801::200e]
Found: cse.google.com [, 2404:6800:4006:801::200e]
Found: local.google.com [2404:6800:4006:801::200e,]
Found: music.google.com [2404:6800:4006:801::200e,]
Found: wap.google.com [, 2404:6800:4006:801::200e]
Found: blog.google.com [, 2404:6800:4006:801::2009]
Found: support.google.com [, 2404:6800:4006:801::200e]
Found: news.google.com [, 2404:6800:4006:801::200e]
Found: mail.google.com [, 2404:6800:4006:801::2005]
=====================================================

Base domain validation warning when the base domain fails to resolve. This is a warning rather than a failure in case the user fat-fingers while typing the domain.
$ gobuster -m dns -w subdomains.txt -u yp.to -i

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : yp.to
[+] Threads      : 10
[+] Wordlist     : /tmp/test.txt
=====================================================
[-] Unable to validate base domain: yp.to
Found: cr.yp.to [,]
=====================================================

Wildcard DNS is also detected properly:
$ gobuster -w subdomainsbig.txt -u doesntexist.com -m dns

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : doesntexist.com
[+] Threads      : 10
[+] Wordlist     : subdomainsbig.txt
=====================================================
[-] Wildcard DNS found. IP address(es):
[-] To force processing of Wildcard DNS, specify the '-fw' switch.
=====================================================

If the user wants to force processing of a domain that has wildcard entries, use -fw:
$ gobuster -w subdomainsbig.txt -u doesntexist.com -m dns -fw

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : doesntexist.com
[+] Threads      : 10
[+] Wordlist     : subdomainsbig.txt
=====================================================
[-] Wildcard DNS found. IP address(es):
Found: email.doesntexist.com
^C
[!] Keyboard interrupt detected, terminating.
=====================================================

Download Gobuster
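The dir-mode and dns-mode behaviour described above, re-created as an added Python example. This is not gobuster's code (gobuster is written in Go); it reproduces the semantics of the documented flags: wordlist plus extensions (-x), optional trailing slash (-f), a thread pool (-t), a "positive" status-code set (-s), response length (-l), no redirect following unless asked (-r), and the dns-mode wildcard check that resolves a random label before the wordlist (-fw forces processing). The target site is a constructed in-process HTTP server, and the dns resolver is injected as a function so everything runs offline; the constructed site contents and the resolver are assumptions. It goes one step beyond gobuster's -fw: when wildcard processing is forced, names whose only answer is the wildcard answer are dropped instead of reported.

```python
"""Directory brute force with gobuster dir-mode semantics, plus the dns-mode wildcard check.

Added example, not gobuster's code. Runs against an in-process server serving a constructed site.
"""
import http.client
import http.server
import socketserver
import threading
import uuid
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit

# Constructed site: path -> (status, body); anything else is a 404.
SITE = {
    "/index": (200, b"<html>home</html>"),
    "/posts": (301, b""),
    "/contact": (301, b""),
    "/admin.php": (200, b"login"),
}


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = SITE.get(self.path, (404, b"not found"))
        self.send_response(status)
        if status in (301, 302, 307):
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the server quiet
        pass


def start_server():
    """Bind the constructed site to a free localhost port; returns (server, base_url)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def probe(base, path):
    """One GET; redirects are not followed (gobuster only does so with -r). Returns (status, length)."""
    u = urlsplit(base)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    try:
        conn.request("GET", path, headers={"User-Agent": "dirbust-example"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def expand(words, extensions=(), append_slash=False):
    """Candidate paths: each word (-f adds a slash) and each word + extension (-x)."""
    for w in words:
        w = w.strip()
        if not w or w.startswith("#"):
            continue
        yield "/" + w + ("/" if append_slash else "")
        for ext in extensions:
            yield "/" + w + (ext if ext.startswith(".") else "." + ext)


def bust(base, words, extensions=(), positive=(200, 204, 301, 302, 307),
         threads=10, append_slash=False):
    """Return {path: (status, length)} for every path whose status is in the positive set (-s)."""
    base = base.rstrip("/")
    paths = list(expand(words, extensions, append_slash))
    with ThreadPoolExecutor(max_workers=threads) as ex:
        results = ex.map(lambda p: probe(base, p), paths)
        return {p: r for p, r in zip(paths, results) if r[0] in positive}


def dns_bust(domain, words, resolve, force_wildcard=False):
    """dns mode: resolve a random label first; if it answers, the zone is a wildcard.

    resolve(name) -> list of address strings, [] on NXDOMAIN (injected so this runs offline).
    With force_wildcard, names that only return the wildcard answer are dropped.
    """
    wildcard = resolve("%s.%s" % (uuid.uuid4().hex, domain))
    found = {}
    if wildcard and not force_wildcard:
        return {"wildcard": wildcard, "found": found}
    for w in words:
        name = "%s.%s" % (w.strip(), domain)
        ips = resolve(name)
        if ips and set(ips) != set(wildcard):
            found[name] = ips
    return {"wildcard": wildcard, "found": found}


if __name__ == "__main__":
    srv, base = start_server()
    try:
        words = ["index", "posts", "contact", "derp", "admin"]
        for path, (status, size) in sorted(bust(base, words, extensions=[".php"]).items()):
            print("%s (Status: %d) [Size: %d]" % (path, status, size))
    finally:
        srv.shutdown()
        srv.server_close()
```

Not following redirects by default matters: a 301 on /posts is itself the finding (a directory exists), and following it would turn every hit into whatever the redirect target returns, hiding the distinction gobuster's output makes between /posts (301) and /index (200).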

Link: http://feedproxy.google.com/~r/PentestTools/~3/buQ2qHF-Row/gobuster-directoryfile-dns-busting-tool.html

Lynis 2.6.2 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it can perform more extensive security scans than network vulnerability scanners.

Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system and run "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initializing the program up to the report.

Steps
1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic scanning
Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. When, during the Apache scan, it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing so, it collects the discovered certificates so they can be scanned later as well.

In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis plugins
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note: see the warning above about existing configurations.
Changes:
- Bugfix for Arch Linux (binary detection)
- Textual changes for several tests
- Update of tests database

Download Lynis 2.6.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/vGkfwda54AA/lynis-262-security-auditing-tool-for.html

ReelPhish – A Real-Time Two-Factor Phishing Tool

ReelPhish simplifies the real-time phishing technique. The primary component of the phishing tool is designed to be run on the attacker's system. It consists of a Python script that listens for data from the attacker's phishing site and drives a locally installed web browser using the Selenium framework. The tool is able to control the attacker's web browser by navigating to specified web pages, interacting with HTML objects, and scraping content.

The secondary component of ReelPhish resides on the phishing site itself. Code embedded in the phishing site sends data, such as the captured username and password, to the phishing tool running on the attacker's machine. Once the phishing tool receives information, it uses Selenium to launch a browser and authenticate to the legitimate website. All communication between the phishing web server and the attacker's system is performed over an encrypted SSH tunnel.

Victims are tracked via session tokens, which are included in all communications between the phishing site and ReelPhish. This token allows the phishing tool to maintain state for authentication workflows that involve multiple pages with unique challenges. Because the phishing tool is state-aware, it is able to send information from the victim to the legitimate web authentication portal and vice versa.

This tool has been released along with a FireEye blog post, which can be found at: https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time-two-factor-phishing-tool.html

Installation Steps
The latest release of Python 2.7.x is required.

Install Selenium, a required dependency to run the browser drivers:
pip install -r requirements.txt

Download browser drivers for all web browsers you plan to use. Binaries should be placed in the root directory of the project with the following naming scheme.

Internet Explorer: www.seleniumhq.org/download/
Download the Internet Explorer Driver Server for 32-bit Windows IE. Unzip the file and rename the binary to: IEDriver.exe.
In order for the Internet Explorer Driver to work, be sure Protected Mode is disabled. On IE11 (64-bit Windows), you must create the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BFCACHE". In this key, create a DWORD value named iexplore.exe and set the value to 0.
Further information on Internet Explorer requirements can be found at www.github.com/SeleniumHQ/selenium/wiki/InternetExplorerDriver

Firefox: www.github.com/mozilla/geckodriver/releases/
Download the latest release of the Firefox GeckoDriver for Windows 32-bit. Unzip the file and rename the binary to: FFDriver.exe.
On Linux systems, download the Linux version of Firefox GeckoDriver and rename the binary to: FFDriver.bin. Linux support is experimental.
GeckoDriver has special requirements: copy FFDriver.exe to geckodriver.exe and place it in your PATH. Additionally, add firefox.exe to your PATH.

Chrome: https://chromedriver.storage.googleapis.com/index.html?path=2.35/
Download the latest release of the Google Chrome Driver for Windows 32-bit. Unzip the file and rename the binary to: ChromeDriver.exe.
On Linux systems, download the Linux version of the Chrome Web Driver and rename the binary to: ChromeDriver.bin. Linux support is experimental.

Running ReelPhish
ReelPhish consists of two components: the phishing site handling code and this script. The phishing site can be designed as desired. Sample PHP code is provided in /examplesitecode. The sample code takes a username and password from an HTTP POST request and transmits them to the phishing script.

The phishing script listens on a local port and awaits a packet of credentials. Once credentials are received, the phishing script opens a new web browser instance and navigates to the desired URL (the actual site where the user's credentials will be entered). The credentials are then submitted by the web browser.

The recommended way of handling communication between the phishing site and this script is a reverse SSH tunnel. This is why the example PHP phishing site code submits credentials to localhost:2135.

ReelPhish Arguments
You must specify the browser you will be using with the --browser parameter. Supported browsers are Internet Explorer ("--browser IE"), Firefox ("--browser FF") and Chrome ("--browser Chrome"). Windows and Linux are both supported. Chrome requires the fewest setup steps. See the installation instructions above for further details.

You must specify the URL. The script will navigate to this URL and submit credentials on your behalf.

Other optional parameters are available:
- Set the logging parameter to debug (--logging debug) for verbose event logging
- Set the submit parameter (--submit) to customize the element that is "clicked" by the browser
- Set the override parameter (--override) to ignore missing form elements
- Set the numpages parameter (--numpages) to increase the number of authentication pages (see the next section)

Multi Page Authentication Support
ReelPhish supports multiple authentication pages. For example, in some cases a two-factor authentication code may be requested on a second page. To use this feature, set --numpages to the number of authentication pages, and make sure the session ID is properly tracked on your phishing site: the session ID is used to track users as they proceed through each step of authentication.

In some cases you may need to scrape specific content (such as a challenge code) off a particular authentication page. Example commented-out code is provided in ReelPhish.py to perform a scraping operation.

Download ReelPhish

Link: http://feedproxy.google.com/~r/PentestTools/~3/pqO4QKRqGRw/reelphish-real-time-two-factor-phishing.html

DNSspider – Very Fast, Async Multithreaded Subdomain Scanner

A very fast multithreaded brute-forcer of subdomains that leverages a wordlist and/or character permutation.

CHANGELOG:

v0.9
- use async multithreading via the concurrent.futures module
- attack while mutating -> don't generate the whole list when using -t 1
- log only the subdomains to the logfile when '-r' was chosen
- minor code clean-ups / refactoring
- switch to tabstop=2 / shiftwidth=2

v0.8
- upgraded to python3

v0.7
- upgraded built-in wordlist (more than 2k)
- remove annoying timeout warnings
- remove color output when logging to file

v0.6
- upgraded default wordlist
- replaced optionparser with argparse
- add version output option
- fixed typo

v0.5
- fixed extracted ip addresses from rrset answers
- renamed file (removed version string)
- removed trailing whitespaces
- removed color output
- changed banner

v0.4
- fixed a bug for returned list
- added postfix option
- upgraded wordlist[]
- colorised output
- changed error messages

v0.3
- added verbose/quiet mode, default is quiet now
- fixed try/catch for domainnames
- fixed some tab width (i normally use <= 80 chars per line)

v0.2
- append DNS and IP output to found list
- added diffound list for subdomains resolved to different addresses
- get right ip address from current used iface to avoid socket problems
- fixed socket exception syntax and output
- added usage note for fixed port and multithreaded socket exception

v0.1
- initial release

Download DNSspider

Link: http://feedproxy.google.com/~r/PentestTools/~3/LtSqRCzJviE/dnsspider-very-fast-async-mulithreaded.html

LuLu – macOS Firewall That Aims To Block Unauthorized (Outgoing) Network Traffic

LuLu is a free, open-source macOS firewall that aims to block unauthorized (outgoing) network traffic unless explicitly approved by the user. Full details and usage instructions can be found here.

It's also important to understand LuLu's limitations! Some of these will be addressed as the software matures, while others are design decisions (mostly with the goal of keeping things simple).

Network Monitoring
By design, LuLu only monitors for outgoing network connections. Apple's built-in firewall does a great job blocking unauthorized incoming connections.

Rules
Currently, LuLu only supports rules at the 'process level', meaning a process (or application) is either allowed to connect to the network or not. As is the case with other firewalls, this also means that if a legitimate (allowed) process is abused by malicious code to perform network actions, this will be allowed.

Single User
For now, LuLu can only be installed for a single user. Future versions will likely allow it to be installed by multiple users on the same system.

Self-Defense
Skilled attackers and security professionals know that any security tool can be trivially bypassed if specifically targeted, even if the tool employs advanced self-defense mechanisms. Such self-defense mechanisms are often complex to implement and, in the end, almost always futile. As such, by design LuLu (currently) implements few self-defense mechanisms. For example, an attacker could enumerate all running processes to find the LuLu component responsible for displaying alerts and terminate it (via a SIGKILL).

Limited Features
As LuLu is currently in alpha, certain features have not (yet) been implemented. For example, alert windows shown by LuLu currently only contain the IP address of the remote endpoint, not the URL. Stay tuned for updates that address these short-comings!

To Build
LuLu should build cleanly in Xcode (though you will have to remove the code-signing constraints, or replace them with your own Apple developer/kernel code-signing certificate).

To Install
For now, LuLu must be installed via the command line. Build LuLu or download the pre-built binaries/components from the Releases page, then execute the configuration script (configure.sh) with the -install flag, as root:

//install
$ sudo configure.sh -install

Download LuLu

Link: http://feedproxy.google.com/~r/PentestTools/~3/qvAhgGpSYkc/lulu-macos-firewall-that-aims-to-block.html

BLEAH – A BLE Scanner For “Smart” Devices Hacking

A BLE scanner for "smart" devices hacking, based on the bluepy library. It is dead easy to use, because such devices should be dead easy to hack. Explanatory post and screenshots can be found here.

How to Install
Install bluepy from source:
git clone https://github.com/IanHarvey/bluepy.git
cd bluepy
python setup.py build
sudo python setup.py install

Then install bleah:
git clone https://github.com/evilsocket/bleah.git
cd bleah
python setup.py build
sudo python setup.py install

Usage
From the -h help menu:

usage: bleah [-h] [-i HCI] [-t TIMEOUT] [-s SENSITIVITY] [-b MAC] [-f] [-e] [-u UUID] [-d DATA] [-r DATAFILE]

optional arguments:
  -h, --help            show this help message and exit
  -i HCI, --hci HCI     HCI device index.
  -t TIMEOUT, --timeout TIMEOUT
                        Scan delay, 0 for continuous scanning.
  -s SENSITIVITY, --sensitivity SENSITIVITY
                        dBm threshold.
  -b MAC, --mac MAC     Filter by device address.
  -f, --force           Try to connect even if the device doesn't allow to.
  -e, --enumerate       Connect to available devices and perform services enumeration.
  -u UUID, --uuid UUID  Write data to this characteristic UUID (requires --mac and --data).
  -d DATA, --data DATA  Data to be written.
  -r DATAFILE, --datafile DATAFILE
                        Read data to be written from this file.

Examples
The examples run as root because scanning and connecting need raw access to the HCI device.

Keep scanning for BTLE devices:
sudo bleah -t0

Connect to a specific device and enumerate all the things:
sudo bleah -b "aa:bb:cc:dd:ee:ff" -e

Write the bytes "hello world" to a specific characteristic of the device:
sudo bleah -b "aa:bb:cc:dd:ee:ff" -u "c7d25540-31dd-11e2-81c1-0800200c9a66" -d "hello world"

Download BLEAH

Link: http://feedproxy.google.com/~r/PentestTools/~3/Mhqq4sdlgxk/bleah-ble-scanner-for-smart-devices.html

DVWA – Damn Vulnerable Web Application

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid both students and teachers in learning about web application security in a controlled classroom environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, through a simple, straightforward interface. Please note that there are both documented and undocumented vulnerabilities in this software. This is intentional. You are encouraged to try and discover as many issues as possible.

WARNING!
Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html folder or any Internet-facing server, as it will be compromised. It is recommended to use a virtual machine (such as VirtualBox or VMware) set to NAT networking mode. Inside the guest machine, you can download and install XAMPP for the web server and database.

Download and install as a Docker container
dockerhub page
docker run --rm -it -p 80:80 vulnerables/web-dvwa

Please ensure you are using aufs due to previous MySQL issues. Run docker info to check your storage driver. If it isn't aufs, please change it. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here.

Download
DVWA is available either as a package that will run on your own web server or as a Live CD:
- DVWA v1.9 Source (Stable) - [1.3 MB] Download ZIP - Released 2015-10-05
- DVWA v1.0.7 LiveCD - [480 MB] Download ISO - Released 2010-09-08
- DVWA Development Source (Latest) Download ZIP // git clone https://github.com/ethicalhack3r/DVWA

Installation
Please make sure your config/config.inc.php file exists. Only having a config.inc.php.dist will not be sufficient: you'll have to edit it to suit your environment and rename it to config.inc.php. Windows may hide the trailing extension.

Windows + XAMPP
The easiest way to install DVWA is to download and install XAMPP if you do not already have a web server set up. XAMPP is a very easy to install Apache distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, an FTP server and phpMyAdmin. XAMPP can be downloaded from: https://www.apachefriends.org/en/xampp.html

Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser at the DVWA setup page (setup.php) in that folder.

Packages
If you are using a Debian-based Linux distribution, you will need to install the following packages (or their equivalent):
apt-get -y install apache2 mysql-server php php-mysqli php-gd

Database Setup
To set up the database, simply click on the Setup DVWA button in the main menu, then click on the Create / Reset Database button. This will create / reset the database for you with some data in it.

If you receive an error while trying to create your database, make sure your database credentials are correct within ./config/config.inc.php. This differs from config.inc.php.dist, which is an example file.

The variables are set to the following by default:
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_database' ] = 'dvwa';

Note, if you are using MariaDB rather than MySQL (MariaDB is the default in Kali), then you can't use the database root user; you must create a new database user. To do this, connect to the database as the root user, then use the following commands:

mysql> create database dvwa;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on dvwa.* to dvwa@localhost identified by 'xxx';
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Then set db_user to dvwa and db_password to the password you chose in config/config.inc.php.

Other Configuration
Depending on your operating system as well as your version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.

Folder permissions:
- ./hackable/uploads/ - Needs to be writable by the web service (for File Upload).
- ./external/phpids/0.6/lib/IDS/tmp/phpids_log.txt - Needs to be writable by the web service (if you wish to use PHPIDS).

PHP configuration:
- allow_url_include = on - Allows for Remote File Inclusions (RFI) [allow_url_include]
- allow_url_fopen = on - Allows for Remote File Inclusions (RFI) [allow_url_fopen]
- safe_mode = off - (If PHP < 5.4) Allows for SQL Injection (SQLi) [safe_mode]
- magic_quotes_gpc = off - (If PHP < 5.4) Allows for SQL Injection (SQLi) [magic_quotes_gpc]
- display_errors = off - (Optional) Hides PHP warning messages to make it less verbose [display_errors]

File: config/config.inc.php:
- $_DVWA[ 'recaptcha_public_key' ] & $_DVWA[ 'recaptcha_private_key' ] - These values need to be generated from: https://www.google.com/recaptcha/admin/create

Default Credentials
Default username = admin
Default password = password
...can easily be brute forced ;)

Login URL: login.php under the DVWA web root.

For the latest troubleshooting information please visit: https://github.com/ethicalhack3r/DVWA/issues

+Q. SQL Injection won't work on PHP v5.2.6.
-A. If you are using PHP v5.2.6 or above you will need to do the following in order for SQL injection and other vulnerabilities to work.
In .htaccess, replace (please note it may say mod_php7):
<IfModule mod_php5.c>
    php_flag magic_quotes_gpc off
    #php_flag allow_url_fopen on
    #php_flag allow_url_include on
</IfModule>
With:
<IfModule mod_php5.c>
    magic_quotes_gpc = Off
    allow_url_fopen = On
    allow_url_include = On
</IfModule>
Caveat: the second block is php.ini syntax, which Apache does not accept in .htaccess (only php_flag/php_value directives are valid there, and an invalid directive yields a 500 error). Moreover, since PHP 5.3 allow_url_fopen and allow_url_include are PHP_INI_SYSTEM settings, so they can only be changed in php.ini (or with php_admin_flag in the server configuration), not per directory. In practice: keep magic_quotes_gpc in .htaccess via php_flag, and set the allow_url_* directives in php.ini, then restart the web server.

+Q. Command Injection won't work.
-A. Apache may not have high enough privileges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator. Only do this inside the isolated VM described in the warning above; never run a deliberately vulnerable application with elevated privileges on a shared or reachable host.

Links
Homepage: http://www.dvwa.co.uk/
Project Home: https://github.com/ethicalhack3r/DVWA

Created by the DVWA team

Download DVWA
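The PHP configuration requirements from the "Other Configuration" section and the .htaccess FAQ above, turned into a check. This is an added Python example, not DVWA project code: it parses a php.ini, compares it with what DVWA asks for (taking the PHP version into account, since safe_mode and magic_quotes_gpc no longer exist from 5.4 on), and then says for each needed change whether it can go in .htaccess as a php_flag line or must go in php.ini. The php.ini excerpt is constructed; the built-in defaults and the PHP_INI_SYSTEM/PERDIR/ALL changeability modes are taken from the PHP manual (values as of PHP 5.3 and later) and are the example's assumptions.

```python
"""Check a php.ini against the settings DVWA's README asks for, and say where each fix can go.

Added example, not DVWA project code. Assumes php.ini syntax (';' comments, [sections],
last assignment wins) and the PHP_INI_* changeability modes listed in the PHP manual.
"""

# Built-in PHP defaults used when a directive is absent (PHP manual).
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0",
            "safe_mode": "0", "magic_quotes_gpc": "1", "display_errors": "1"}

# Where a directive may be changed (PHP >= 5.3): PERDIR/ALL can go in .htaccess via php_flag;
# SYSTEM only in php.ini (or php_admin_flag in the server configuration).
INI_MODE = {"allow_url_fopen": "SYSTEM", "allow_url_include": "SYSTEM",
            "safe_mode": "SYSTEM", "magic_quotes_gpc": "PERDIR", "display_errors": "ALL"}

_BOOL = {"on": True, "1": True, "true": True, "yes": True,
         "off": False, "0": False, "false": False, "no": False, "": False}

# Constructed php.ini excerpt for the demo; not a real server's file.
SAMPLE_INI = """
[PHP]
; constructed sample
allow_url_fopen = On
allow_url_include = Off
display_errors = On
magic_quotes_gpc = On
"""


def parse_ini(text):
    """Return {directive: raw value}; later assignments override earlier ones, as in PHP."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip().lower()] = val.strip().strip('"')
    return values


def as_bool(value):
    """PHP-style truthiness for ini values; None for anything unrecognised."""
    return _BOOL.get(str(value).strip().lower())


def required_settings(php_version):
    """DVWA's required values; safe_mode and magic_quotes_gpc only exist before PHP 5.4."""
    major, minor = (int(x) for x in php_version.split(".")[:2])
    required = {"allow_url_include": True, "allow_url_fopen": True}
    if (major, minor) < (5, 4):
        required.update({"safe_mode": False, "magic_quotes_gpc": False})
    return required


def check(ini_text, php_version):
    """Return (problems, hints): problems maps directive -> {'want', 'have'}."""
    values = parse_ini(ini_text)
    problems = {}
    for name, want in required_settings(php_version).items():
        have = values.get(name, DEFAULTS[name])
        if as_bool(have) != want:
            problems[name] = {"want": "On" if want else "Off", "have": have}
    hints = {}
    if as_bool(values.get("display_errors", DEFAULTS["display_errors"])):
        hints["display_errors"] = "On; set Off to hide PHP warnings (optional)"
    return problems, hints


def fix_plan(problems):
    """Split fixes into lines valid in .htaccess and lines that must go in php.ini."""
    htaccess, php_ini = [], []
    for name, p in sorted(problems.items()):
        if INI_MODE.get(name) in ("PERDIR", "ALL"):
            htaccess.append("php_flag %s %s" % (name, p["want"].lower()))
        else:
            php_ini.append("%s = %s" % (name, p["want"]))
    return htaccess, php_ini


if __name__ == "__main__":
    for version in ("7.2", "5.3"):
        problems, hints = check(SAMPLE_INI, version)
        htaccess, php_ini = fix_plan(problems)
        print("PHP %s: problems=%s hints=%s" % (version, problems, hints))
        print("  .htaccess:", htaccess)
        print("  php.ini  :", php_ini)
```

Run it against the php.ini of the VM that hosts DVWA (php --ini prints its path) before reporting that RFI or SQLi "does not work"; the usual cause is one of these directives, and the plan tells you which file to edit.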

Link: http://feedproxy.google.com/~r/PentestTools/~3/pVGS5bUemKY/dvwa-damn-vulnerable-web-application.html