Hacking websites training in Windows

Many web applications have been created that specifically contain vulnerabilities to train hacker skills.

Some of them are distributed installed and configured specifically for this purpose intended Linux distributions, some can be installed by yourself in any Linux distribution (for an example see the article “How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux”.

And in this article I will explain how to install and configure vulnerable web applications in Windows. Installation instructions will be given for:

• OWASP Mutillidae II
• Damn Vulnerable Web Application (DVWA)
• bWAPP

You can install only one of them or all at once – they are independent of each other.

This manual will be useful to those who are more accustomed to working in Windows. In addition, some of the vulnerabilities have their own specifics: for example, the OS command injection on Linux and on Windows is exploited in different ways.

All of these vulnerable web applications run on a web server (actually, like any other web applications). Therefore, we need a web server. You can install it in any way, I have the instruction ‘How to install web server on Windows 10 (Apache 2.4, PHP 7, MySQL 8.0 and phpMyAdmin)’ and my web server is installed in accordance with it. If your web server is installed in another way, then you may need to slightly edit the paths in the file system, but, in general, the installation principle is the same everywhere.

After installing the web server, also see the article “How to protect the Apache web server from hacking in Windows” - otherwise, while you learn to hack, you will be hacked.

In the c:\Server\data\htdocs\ folder create the directory pentest.

In the c:\Server\data\htdocs\pentest\ folder create the .htaccess file, open it with a text editor, and copy there:

Require local

This setting ensures that no one from outside can access these vulnerable environments. Otherwise, a hacker can hack the entire computer through these vulnerable web applications because in Windows the web server has permissions to all folders and files.

If you need a web server to be accessible on the local network (for example, you will attack web applications from another computer with Kali Linux), then instead of the above line, insert in the .htaccess file:

Require ip 127
Require ip 192.168
Require ip ::1

This setting allows access for IP in 127.0.0.0/8 and 192.168.0.0/16 ranges, as well as IPv6 addresses ::1/128 (0:0:0:0:0:0:0:1) (analogous to localhost).

In any case, access to vulnerable environments should be as limited as possible to outsiders.

How to install OWASP Mutillidae II in Windows

Moving on to installing and configuring OWASP Mutillidae II.

Download the OWASP Mutillidae II: https://github.com/webpwnized/mutillidae/archive/master.zip (this is the official site, always the latest version).

Unzip the downloaded archive into the folder c:\Server\data\htdocs\pentest\ and rename it from mutillidae-master to mutillidae.

Open the c:\Server\data\htdocs\pentest\mutillidae\.htaccess file, delete the lines from it:

Order Deny,Allow
Deny from all
 
## This allows access from localhost
Allow from 127.
Allow from localhost
 
## This is to allow access from other machines on Virtual Box host-only networks.
Allow from 192.168.0.0/16

and add the lines instead:

Require ip 127
Require ip 192.168
Require ip ::1

Save and close the file.

Open the c:\Server\data\htdocs\pentest\mutillidae\includes\database-config.inc file and in the line

define('DB_PASSWORD', 'mutillidae');

instead of mutillidae, set your password from MySQL (empty by default).

Save and close the file.

Now in your web browser, open http://localhost/pentest/mutillidae

On the page, find 3. Try to setup/reset the DB to see if that helps in it go to http://localhost/pentest/mutillidae/set-up-database.php

Now reopen http://localhost/pentest/mutillidae:

Everything is ready – now you can begin to train to hack websites.

How to install Damn Vulnerable Web Application (DVWA) in Windows

Now install and configure the Damn Vulnerable Web Application (DVWA).

Download the latest version of Damn Vulnerable Web Application (DVWA) from the official website at the link: https://github.com/ethicalhack3r/DVWA/archive/master.zip

Unzip the downloaded archive to c:\Server\data\htdocs\pentest\ and rename it from DVWA-master to DVWA.

In the c:\Server\data\htdocs\pentest\DVWA\config\ folder find the config.inc.php.dist file and copy it to the same folder, but with the name config.inc.php (or just rename it).

Open the c:\Server\data\htdocs\pentest\DVWA\config\config.inc.php file and find the line

$_DVWA[ 'db_password' ] = 'p@ssw0rd';

and replace p@ssw0rd with your actual password. By default, the password is blank.

Open the c:\Server\bin\PHP\php.ini file and find the line there:

allow_url_include = Off

replace this line with:

allow_url_include = On

Restart the web server for the changes to take effect:

c:\Server\bin\Apache24\bin\httpd.exe -k restart

Open http://localhost/pentest/DVWA/ and click the Create / Reset Database button there:

Log in to http://localhost/pentest/DVWA/login.php:

By the way, username: admin, password: password.

And everything is ready:

Do not forget to change the level of complexity, as the default is set to impossible, for this, go to the DVWA Security tab: http://localhost/pentest/DVWA/security.php​

How to install bWAPP in Windows

Finally install and configure bWAPP in Windows

Download the latest version of bWAPP: https://sourceforge.net/projects/bwapp/files/latest/download

In the c:\Server\data\htdocs\pentest\ folder create a directory bWAPP. Extract the contents of the bWAPP_latest.zip archive to the c:\Server\data\htdocs\pentest\bWAPP\ directory.

Open the c:\Server\data\htdocs\pentest\bWAPP\bWAPP\admin\settings.php file and find the line in it:

$db_password = "bug";

In this line, change the bug to the password of your MySQL (empty by default). Save and close this file.

Follow http://localhost/pentest/bWAPP/bWAPP/install.php  the link.

Find Click here to install there bWAPP and the http://localhost/pentest/bWAPP/bWAPP/install.php?install=yes link – click on it.

Everything is ready, go to http://localhost/pentest/bWAPP/bWAPP/

Username: bee, password: bug

Note: unfortunately, due to the fact that bWAPP has not been updated for a long time, some of its pages are not compatible with new versions of PHP. For example, pages for practicing SQL injections will generate an error due to the use of the mysql_connect() function. In principle, there are no special problems in fixing – just move to mysqli_connect(). To do this, edit the c:\Server\data\htdocs\pentest\bWAPP\bWAPP\connect.php file (you can simply copy the contents of c:\Server\data\htdocs\pentest\bWAPP\bWAPP\connect_i.php into it, and also all files of the type c:\Server\data\htdocs\pentest\bWAPP\bWAPP\sqli_*.php.

If you wish, you can do it yourself – a bonus exercise. Or simply use the other vulnerable environments discussed above to practice using SQL injection.

Conclusion

If you have installed a web server specifically for training in vulnerable web applications and you are afraid that the server may impair the security of your computer, then you can disable the web server after practicing penetration testing.

To disable the web server and remove its services from startup, run:

c:\Server\bin\Apache24\bin\httpd.exe -k stop
c:\Server\bin\Apache24\bin\httpd.exe -k uninstall
net stop mysql
c:\Server\bin\mysql-8.0\bin\mysqld --remove

In this case, the server will be completely disabled, as if it is not on the computer at all, but the sites and databases will remain.

The next time you go back to practice and you will need a web server, start all the services you need:

c:\Server\bin\Apache24\bin\httpd.exe -k install
c:\Server\bin\Apache24\bin\httpd.exe -k start
C:\Server\bin\mysql-8.0\bin\mysqld --install
net start mysql

After the work is finished, stop the web server services again, as shown above.

Troubleshooting

Error (Mutillidae):

By default, Mutillidae only allows access from localhost (127.*.*.*). Edit the .htaccess file to change this behavior (not recommended on a public network).

Solution:

This message states that by default Mutillidae only allows access from 127.*.*.*. It also suggests changing the .htaccess file if you want to change this behavior, which is not recommended in public networks.

This error may occur even if you actually open Mutillidae on the local computer. The fact is that the authors have forgotten about IPv6, and in Windows, when accessing localhost, the local IPv6 address is used, which is not provided in the original .htaccess. Therefore, to remedy the situation without weakening the protection, open the .htaccess file, find and delete the lines there

Order Deny,Allow
Deny from all
 
## This allows access from localhost
Allow from 127.
Allow from localhost
 
## This is to allow access from other machines on Virtual Box host-only networks.
Allow from 192.168.0.0/16

and add the lines instead:

Require ip 127
Require ip 192.168
Require ip ::1

Error (DVWA):

DVWA System error - config file not found. Copy config/config.inc.php.dist to config/config.inc.php and configure to your environment.

Solution:

You need to copy or rename the config/config.inc.php.dist file in config/config.inc.php, and also enter the username and password of your MySQL server there.

Error (bWAPP):

Warning: mysqli::__construct(): (HY000/1045): Access denied for user 'root'@'localhost' (using password: YES) in C:\Server\data\htdocs\pentest\bWAPP\bWAPP\connect_i.php on line 23
Connection failed: Access denied for user 'root'@'localhost' (using password: YES)

And also:

Fatal error: Uncaught Error: Call to undefined function mysql_connect() in C:\Server\data\htdocs\pentest\bWAPP\bWAPP\connect.php:23 Stack trace: #0 C:\Server\data\htdocs\pentest\bWAPP\bWAPP\sqli_3.php(23): include() #1 {main} thrown in C:\Server\data\htdocs\pentest\bWAPP\bWAPP\connect.php on line 23
Fatal error: Uncaught Error: Call to undefined function mysql_query() in C:\Server\data\htdocs\pentest\bWAPP\bWAPP\sqli_3.php:144 Stack trace: #0 {main} thrown in C:\Server\data\htdocs\pentest\bWAPP\bWAPP\sqli_3.php on line 144

The error is caused by the mysql_connect() function, which is not defined (unknown).

This extension, mysql_connect, has been deprecated since PHP 5.5.0, and has been removed in recent PHP versions. Use MySQLi or PDO_MySQL instead. Alternatives for this feature:

• mysqli_connect()
• PDO::__construct()

If you encounter this error, contact the author to correct it, or edit the source code by yourself to switch from mysql_connect() to mysqli_connect().