What is Damn Vulnerable Linux

( Damn Vulnerable Linux: [DVL])

  1. What is Damn Vulnerable Linux?
    • Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks.
  • DVL isn’t built to run on your desktop — it’s a learning tool for security students. DVL is a live CD available as a 150MB ISO.
  • It’s based on the popular mini-Linux distribution Damn Small Linux (DSL), not only for its minimal size, but also for the fact that DSL uses a 2.4 kernel, which makes it easier to offer vulnerable elements that might not work under the 2.6 kernel.
  • It contains older, easily breakable versions of Apache, MySQL, PHP, and FTP and SSH daemons, as well as several tools available to help you compile, debug, and break applications running on these services, including GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm, LIDa, and more.
  • DVL was initiated by Thorsten Schneider of the International Institute for Training, Assessment, and Certification (IITAC) and Secure Software Engineering (S²e) in cooperation with Kryshaam from the French Reverse Engineering Team. "The main idea behind DVL," says Schneider, "was to build up a training system that I could use for my university lectures." His goal was to design a Linux system that was as vulnerable as possible, to teach topics such as reverse code engineering, buffer overflows, shellcode development, Web exploitation, and SQL injection.
  • SQL injection is a common web application attack that focuses on the database backend.
  • WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons.
1. Prerequisite
  1. Log in to your DVL VM with username root and password toor, unless you changed it to something else.
    • For those of you that are not part of this class, this is a Damn Vulnerable Linux distribution.

  • Type : startx
2. Start WebGoat
    1. Start up WebGoat’s Web Server.
      • Damn Vulnerable Linux —> Training Material —> Web Exploitation —> WebGoat —> Start WebGoat Port 80

    2. You will see that a shell started for WebGoat.
      • Notice that you will use the following information in step 3.
        • Link: http://127.0.0.1/WebGoat/attack
        • Username: guest
        • Password: guest

    3. Bring up a FireFox Browser on your DVL machine.

    4. Paste in the below WebGoat address
      • Note
        • Link: http://127.0.0.1/WebGoat/attack
        • Username: guest
        • Password: guest

    5. Start WebGoat (See Below)

    1. Click on Injection Flaws (See Below)

  • Click on String SQL Injection (See Below)

  • Click on Restart this Lesson (See Below)

  • Enter "Smith" into the textbox and click on Go!
    • Note: This is how the query is meant to work as designed.
      • SELECT * FROM user_data WHERE last_name = ?
        • user_data is a database table name.
        • last_name is a column in the table called user_data.

  • Click on Restart this Lesson (See Below)

  • Now let’s start a popular injection technique.
    • In the text box enter the following string: %' or '0'='0
      • Click Go!
    • How does this work?
      • The "?" in the statement SELECT * FROM user_data WHERE last_name = ? is the text that gets entered into the text box.
      • So, if you enter Smith, the statement that gets executed will look like
        • SELECT * FROM user_data WHERE last_name = 'Smith'
      • In our case we are entering the string [ %' or '0'='0 ], which results in the statement
        • SELECT * FROM user_data WHERE last_name = '%' or '0'='0'
        • Which means: show me everything that is either equal to a wild card or is not equal to a wild card.
    • ' or 0=0 --, " or 0=0 --, or 0=0 --, ' or 0=0 #, " or 0=0 #, or 0=0 #, ' or 'x'='x, " or "x"="x, ') or ('x'='x, ' or 1=1--, " or 1=1--, or 1=1--, ' or a=a--, " or "a"="a, ') or ('a'='a, ") or ("a"="a, hi" or "a"="a, hi" or 1=1 --, hi' or 1=1 --, hi' or 'a'='a, hi') or ('a'='a and hi") or ("a"="a
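
The lesson's query rebuilt with Python's sqlite3 module, as an added example that is not part of the original lab or of WebGoat's code: the same two inputs go through a concatenated statement and through a bound ? placeholder. Only the names user_data and last_name come from the lesson; the rows and the userid and first_name columns are constructed for the illustration.

```python
import sqlite3

# Constructed sample rows; only the table name user_data and the column
# last_name come from the lesson. The other columns are assumptions.
ROWS = [(101, "Joe", "Snow"), (102, "John", "Smith"), (103, "Jane", "Plane")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT)"
    )
    db.executemany("INSERT INTO user_data VALUES (?, ?, ?)", ROWS)
    return db


def build_concatenated(last_name):
    # Vulnerable pattern: the input is pasted between the quotes, so a quote
    # inside the input ends the string literal and the rest is parsed as SQL.
    return "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"


def lookup_concatenated(db, last_name):
    return db.execute(build_concatenated(last_name)).fetchall()


def lookup_parameterized(db, last_name):
    # Hardened pattern: the statement text is fixed and the input is bound to
    # the ? placeholder as a value, so it is only ever compared as a string.
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return db.execute(sql, (last_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for text in ("Smith", "%' or '0'='0"):
        print("input        :", text)
        print("statement    :", build_concatenated(text))
        print("concatenated :", lookup_concatenated(db, text))
        print("parameterized:", lookup_parameterized(db, text))
```

With the bound placeholder the second input matches no row, because no last_name is literally equal to that string; the concatenated statement returns the whole table.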
  • Section: Proof of Lab
    1. Click on Restart this Lesson (See Below)

      1. You need to have virtualization software that allows you to create operating system images using either an ISO or installation CD. For this "how to", I will be using VMware Workstation. However, you can also use other popular tools, such as VirtualBox.

    2. Click Save

    3. Save to C:\VMware ISO’s\DVL\
      • In my case, I save it to an external hard drive, hence Hard Drive 2 (E:)
      3. Create VMware Image
      1. Click on New Virtual Machine.

    4. Bring up a FireFox Browser on your DVL machine.

    5. Select Install disc image file (iso)
      • Select the Browse Button

    6. Navigate to where you saved the DVL iso.
      • In my case, the iso was saved to E:\VMware ISO’s\DVL\
      • Select DVL iso and click open

    7. Select Next

    8. Select the Linux OS, and Other Linux 2.6.x kernel

    9. Naming and Saving Location
      • Virtual machine name: DVL
      • Location: In my case, I save it to my external hard drive at E:\VMware

    10. Specify Disk Capacity

    11. Click on the Customize Hardware.

    12. Select Memory
      • Increase the memory from 256 MB to 512 MB.
      • Click OK.

    13. Click Finish

    14. Press Enter when you see "boot: "
    3. Login to DVL
    1. Credentials (See Below)
      • Login: root
      • Password: toor
    3. Partition the disk
    1. Determine what disk to format
      • Command : fdisk -l
      • Note : In my case, the disk is named /dev/sda

  • Select disk to be partitioned
    • Command : fdisk /dev/sda
    • Input : m

  • View the partition table
    • Select "p"

    • Note: There are 1044 cylinders

  • Add a new partition
    • Select "n"
    • Select "p"
    • Select "1"
    • Select the maximum number of cylinders, 1044.

  • View newly created partition
    • Select "p"
    • Note: Previously when "p" was selected there was not a partition listed.

  • Exit out of fdisk
    • Select "q"
4. Format the partition
    1. Format the partition on /dev/sda
      • Command : mkfs.ext3 /dev/sda
      • Proceed : y

  • Change Language to English (See Below)
    • Right Click on DE and click on Configure

    • Highlight Germany, Click on Remove.
    • Highlight Italy, Click on Remove.
    • Only U.S. English should be left.
    • Click Apply
    • Click OK

  • Start the backlash installer

  • Configure installer as seen below
    • Note: If the installer completes in a few seconds, then the installer actually failed. The installer should take 5 to 10 minutes to complete. You should see messages like copying /opt with the status bar inching slowly forward.

  • Click the close button when you see a status message of "All done! click Close button" and a status bar of 100% complete

  • Start up a terminal

  • Install the boot loader
    • Command : lilo -v

  • Command : poweroff

  • Edit virtual machine settings
    • VMware Workstation —> File —> Open

    • Navigate to where you created the DVL.vmx image
