Whitelist

Installing XAMPP and DVWA at Linux Ubuntu 17.10.1

INSTALLING XAMPP AND DVWA AT LINUX UBUNTU 17.10.1

- The goal of this exercise is to install the XAMPP web server plaftorm and DVWA web vulnerable application at the Ubuntu 17.10.1 Linux distro.

1 - XAMPP

- XAMPP is a free and open source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MySQL/MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages.

- XAMPP stands for Cross-Platform (X), Apache (A), MySQL/MariaDB (M), PHP (P) and Perl (P).

- The version 5.6.34 using MySQL can be downloaded from here:

https://sourceforge.net/projects/xampp/files/XAMPP%20Linux/5.6.34/

- Giving executable permissions to the XAMPP installer:

- Running the installation:

- Going to /opt/lampp, where XAMPP has been installed:

- Starting Apache, MySQL and FTP services at XAMPP:

2 - DAMN VULNERABLE WEB APP (DVWA)

- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is "damn vulnerable".

- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

http://www.dvwa.co.uk/

https://github.com/ethicalhack3r/DVWA

- Downloading the application:

- Extracting to the folder webtest:

- Renaming DVWA-master to dvwa, for greater ease of use:

- Now, the whole folder dvwa must be copied to the /opt/lamp/htdocs directory, where web site related content is stored by XAMPP:

- Setting up the DVWA Database:

- However, there is an error because not using the correct credential, so config.inc.php file must be edited:

- Creating a new config.inc.php:

- Editing config.inc.php:

- The line regarding db_password must be altered:

- Also, for future exercises let's establish the security level to "low":

- Resetting the database the installation is now successful:

- Finally, the DVWA login page is available:

- Entering the credentials admin:password:

Extracting and decrypting an HTTP capture with Tcpxtract / FCrackKZIP

EXTRACTING AND DECRYPTING AN HTTP CAPTURE WITH TCPXTRACT / FCRACKZIP

- Layout for this exercise:

1 - Tcpxtract / FCrackZip

- tcpxtract is a tool for extracting files from network traffic based on file signatures.

- Extracting files based on file type headers and footers (sometimes called "carving") is an age old data recovery technique.

- tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network.

- To download and install tcpxtract:

http://www.toolwar.com/2014/01/tcpxtract-network-traffic-extracting.html

- FCrackZip is a zip password cracking tool.

- To download and install FCrackZip:

http://www.toolwar.com/2013/10/fcrackzip-tools.html

2 - Transferring a password protected file from Ubuntu to Kali Linux

- Protecting with a password a zipped file, composed of a text and a picture, and storing at the Ubuntu Apacher server:

- Now, let's enable Wireshark at Kali so that the transfer can be captured:

- Now, opening a browser at Kali, let's download the file instrument.zip from Ubuntu:

- The file transfer is successful:

- Wireshark has captured the transfer beetween both devices and created a .pcap file:

- Saving capture.pcap for further treatment:

3 - Extracting a Wireshark capture with tcpxtract

- Extracting capture.pcap with tcpxtract and outputting to the folder data:

- Checking the content of the .html files, some of them are encrypted:

4 - Decrypting with fcrackzip and unzipping

- Taking the file 00000010.zip to be decrypted:

- The encryption password is found:

- Finally, we are able to unzip the transferred file (composed by a text and an image) using the decrypted password:

Setting a Self-Signed SSL Certificate

SETTING TLS/SSL SELF-SIGNED CERTIFICATE

- Layout for this exercise:

0 - INTRODUCTION

- The goal of this exercise is to illustrate how to implement a self-signed TLS/SSL certificate for an Apache Server in Ubuntu 1.04.

- TLS (Transport Layer Security) and SSL (Secure Socket Layer) are cryptographic protocols used by web protocol HTTPS (HTTP Secure). Both provide two main security services:

i) protection by encrypting the communication between client and server, so that traffic can be sent safely without being intercepted by third parties, out of the client and server.

ii) authentication of the server against the client (also, it is optional to enforce mutual authentication between client and server), so that the identity of the website is verified.

- For more information about HTTPS, TLS and SSL:

https://es.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure

- The usual way of setting HTTPS on a website is to acquire a certificate from a trusted Certificate Authority (CA). However, for the purpose of experimenting on future exercises, it is very interesting to practice the installation of a self-signed certificate, where the Authority is the server itself:

https://en.wikipedia.org/wiki/Certificate_authority
https://en.wikipedia.org/wiki/Self-signed_certificate

- TLS/SSL uses Public Key cryptography, or asymmetric cryptography, what combines a pair of different keys:

a) public key, available widely for anybody.
b) private key, stored at the server and known only by the owner.

https://en.wikipedia.org/wiki/Public-key_cryptography

- A digital certificate is an electronic document used to prove the ownership of a public key. A certificate provides information about the public key, the identity of the owner, the authority or issuer who backs the validity of the certification, expiration date, etc ...

https://en.wikipedia.org/wiki/Public_key_certificate

1 - CREATING THE CERTIFICATE

- The first step to install a self-signed certificate for an Apache server is to create it using the command openssl:

- Parameters and options used in the command:

req -x509 = X.509 is the standard format for public key certificates, forcing to be self-signed instead of being requested to a Certificate Authority

-nodes = no using a passphrase

-days 365 = one year before expiration

-newkey rsa:2048 = RSA is the algorithm to be used, and 2048 bits is the key length

-keyout /etc/ssl/private/apache-selfsigned.key = location of the private key

-out /etc/ssl/certs/apache-selfsigned.crt = location of the certificate

- The server prompts with some questions about names, domains, email address of the administrator, etc ...:

- As mentioned before the private key (apache-selfsigned.ky) is kept secret on the server, and it is used to encrypt content sent by the server to the clients.

- The certificate (apache-selfsigned.crt) is publicly shared with users or clients that request content to the web server, and it is used to decrypt content sent by the server:

2 - SERVER CONFIGURATION

- Modifying some files at the Apache server, starting with ssl-params.conf:

- Also, modifying the default SSL Virtual Host File default-ssl.conf:

- Finally, modifying (this is optional) the unencrypted Virtual Host file 000-default.conf to automatically redirect HTTP requests to HTTPS:

3 - ENABLING SSL AT THE SERVER

- Enabling the SSL module:

- Enabling the SSL Virtual Host:

- Enabling ssl-params.conf:

- Testing that the syntax is correct after all the modifications at the Apache server files:

- Restarting the server:

4 - TESTING THE SERVER:

- Now, when the client Kali tries to access the website www.whitelist.com/secure, provided by the server Ubuntu, HTTPS must be used instead of HTTP (although HTTP would be automatically redirected to HTTPS according to that specific configuration at the previous chapter).

- Because the certificate is unknown for the browser, the user is warned about the insecurity of the connection:

- However, for experimentation at this exercise, the client/browser accepts the connection by clicking the Add Exception tab, and later confirming by clicking Confirm Security Exception: