
Kali with Damn Vulnerable Web App in Docker

If you have landed here I hope you are looking at starting your training with Damn Vulnerable Web App. I am excited for you as you have so much to learn. I hope it means that you are considering a career in Cyber Security, and that this post will save you a few hours of frustration, and get you to the fun bits quicker.

You are going to need access to tools and access to targets so you can explore legally and for free. This post is about getting you to setup two things which will simply provide you with first the tools and then the targets easily:

  1. Kali Linux – the go-to distribution of choice for penetration testers at all stages of their careers. A Debian base with repositories that contain all of the most common “hacking” tools.
  2. Docker – I risk offending people with my simplistic definition here. I think of this as a lightweight virtual machine. Really it is a “container” which can include an entire ecosystem. We can use this to quickly pull down vulnerable targets to play with, which will run inside our Kali. This will provide the targets.

In this post I will cover setting things up by providing links to the appropriate guides. By the end you will have access to Damn Vulnerable Web App (DVWA) which you can start targeting immediately!

Preamble

The simplest way to interact with Kali Linux for most readers will be to use virtualisation.

  1. Install VMware Player or VirtualBox. I prefer VMware Player and so the rest of this guide assumes you are using this. Sorry folks.
  2. Download the Kali ISO and build a virtual machine.
  3. Boot and log into Kali with the credentials you created.

If all is going well you have a new OS with a fresh desktop environment.

Setup VMWare Tools

Before you go too far you are going to want to setup “VMWare Tools”. This will allow you to copy/paste between your host and guest machine as well as smooth out lots of bumps.

Fortunately there is an easy to follow and official guide here:

http://docs.kali.org/general-use/install-vmware-tools-kali-guest

By the end of this you should have a more useful virtual machine.

Setup Docker (the Lazy way)

To me Docker is not that easy to set up. As Kali is Debian based you may assume that it is simply “apt-get install docker”. This is not the case, and a major reason for me writing this post is to make sure you can get Docker into Kali as easily as possible.

The following script was made by some genius called “apolloclark” on GitHub:

Save this script to a file on your desktop called “getdocker.sh”. Then execute it in a terminal by first running “chmod +x getdocker.sh” and then “./getdocker.sh”. This will install Docker for you.

I am not going to explain how to actually use Docker in general. So you probably want to eventually get round to reading this:

https://docs.docker.com/engine/getstarted/

You can skip reading tutorials for Docker right now if you just want to focus on DVWA as soon as possible.

Getting DVWA and Running it

Various people have made Docker images which contain DVWA. At the time of writing the top hit on Google was made by another rockstar called “infoslack”. Open the following URL to see the details:

https://github.com/infoslack/docker-dvwa

The following commands are all you would need to execute:

docker pull infoslack/dvwa
docker run -d -p 80:80 infoslack/dvwa

At this point you can access DVWA on localhost port 80.
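The two commands above publish DVWA on every interface the VM has (“-p 80:80” means 0.0.0.0:80), which matters because the app is deliberately vulnerable: on a bridged adapter it would be reachable by anyone on the same network. The script below is an added example, not part of the original post or the infoslack/dvwa project. It builds the same run command bound to the loopback address only, polls http://localhost/ until DVWA answers (the “check that you are ready” step), and audits the output of “docker ps” for any container published on a non-loopback address. It assumes docker and curl are on PATH and that the file is saved as dvwa-check.sh (an assumed name).

```shell
#!/bin/sh
# Added example, not from the original post or the infoslack/dvwa project.
# Starts DVWA published on the loopback interface only, polls until it
# answers, and audits "docker ps" output for containers published on all
# interfaces. Assumes: docker and curl on PATH; image name as in the post.

# Build the run command. Binding to 127.0.0.1 keeps the deliberately
# vulnerable app reachable only from inside the Kali VM; the post's
# "-p 80:80" form publishes on every interface the VM has.
dvwa_run_cmd() {
    printf 'docker run -d --name dvwa -p 127.0.0.1:%s:80 infoslack/dvwa\n' "${1:-80}"
}

# Poll the given URL until it answers (default 30 attempts, 1s apart).
# Returns 0 once DVWA serves a page, 1 if it never does.
wait_for_dvwa() {
    url="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        curl -fsS -o /dev/null "$url" && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Check one line of "docker ps --format '{{.Names}} {{.Ports}}'", e.g.
#   dvwa 0.0.0.0:80->80/tcp, :::80->80/tcp
# Prints a warning for every published port whose host address is not
# loopback. Returns 0 if all bindings are loopback-only, 1 otherwise.
check_port_bindings() {
    line="$1"
    name="${line%% *}"
    ports="${line#* }"
    rc=0
    old_ifs="$IFS"; IFS=','
    for entry in $ports; do
        entry="${entry# }"
        case "$entry" in
            *'->'*)
                host="${entry%%->*}"   # e.g. 0.0.0.0:80, 127.0.0.1:80, :::80
                addr="${host%:*}"      # drop the host port
                case "$addr" in
                    127.0.0.1|localhost|::1) ;;
                    *) echo "WARN: $name publishes $entry on a non-loopback address" >&2
                       rc=1 ;;
                esac
                ;;
        esac
    done
    IFS="$old_ifs"
    return "$rc"
}

# Usage: sh dvwa-check.sh audit      (file name is an assumption)
if [ "${1:-}" = "audit" ]; then
    docker ps --format '{{.Names}} {{.Ports}}' | while IFS= read -r line; do
        check_port_bindings "$line"
    done
fi
```

To start the container the safer way, run the command that dvwa_run_cmd prints (for example `sh dvwa-check.sh audit` afterwards will report nothing if the only published port is 127.0.0.1:80). The “:::80->80/tcp” entry that Docker adds by default is the IPv6 equivalent of 0.0.0.0 and is flagged as well; the 127.0.0.1 form of -p avoids both.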

Check that you are ready

Open this URL in the browser within Kali:

http://localhost/

As you have not configured your server yet, it will ask you to set up your database:

[Screenshot: DVWA database setup page]

Set up your DVWA now and get hacking

If you click on the “Create / Reset Database” button then you will complete the setup. This will take you to a login page. Enter “admin” and “password” to log in.

This will present you with the full interface, which includes a long list of options down the left. By default your DVWA install will be set to the “Impossible” level of difficulty. You should be unable to exploit any of the vulnerabilities because the code is not designed to be vulnerable at this level.

Click on “DVWA Security”, then change the drop-down from “Impossible” to “Low” and click “Submit”.

At this point you can click on links on the left to load specific vulnerable exercises.

Play safe.