Setting up Lab Environment for AWS Pen-Testing
Hi Folks,
This is Fourth Blog from AWS Pen-Testing Series of Blogs. In my Previous Blogs I have shown “Creating and Connecting to AWS Linux and Windows Instances” So if you are not aware of that kindly navigate to following URL’s.
In this Blog, I will focus on Setting up Lab Environment for AWS Pen-Testing. I will explain following things in this Blog,
- Installing Buggy apps(SQL Injection Demo Project) for Pen-testing on Windows Instance.
- Installing Buggy apps(DVWA) for Pen-testing on Linux Instance.
I am using following Instances on AWS, which I have already covered “How to create and connect with them in earlier Blogs”.
- Kali Linux (Ubuntu) Instance.
- Windows Server 2012 R2 Base.
So without wasting more time in theoretical explanation, Let’s start.
- Installing Buggy apps (SQL INJECTION Demo Project) on AWS Windows Instance:
Step 1: As shown below, I have connected to windows server 2012 R2 Base.
Step 2: Navigate to https://www.apachefriends.org/download.html to download XAMPP for Windows. XAMPP is package which comes with inbuilt My-SQL and Apache and many more useful packages.
Step 3: Click on Save button to save installer file.
Step 4: Now, go through simple installation Setup to install XAMPP.
Step 5: Navigate to C:\xampp → htdocs folder and delete all existing folders and files and create new folder _bak as shown below.
Step 6: Download SQL Injection Demo which is Buggy App from below link.
Once downloaded copy the content of zip file into C:\xampp → htdocs folder. our htdocs folder will look like,
Step 7: Start Apache and MySQL server from XAMPP Control Panel by running Control Panel.exe file.
Step 8: Once completed, the next step is to create a database for the application and import the data into it. To achieve this, you need to access the phpMyAdmin interface, which is accessible at http://127.0.0.1/phpmyadmin. Once here, select the New option.
Step 9: Create new database sqli as shown below:
Step 10: Click on import button and browse to database.sql file from htdocs folder to import existing database tables and click on GO button.
Step 11: Now, if we browse to http://127.0.0.1 in our browser, we will be able to access the vulnerable website running SQL Injection Demo:
As Shown above, We are successfully able to deploy vulnerable website on AWS windows instance and connect to it. Now we will see how to deploy buggy apps on AWS Linux instance.
2. Installing Buggy apps (DVWA) on AWS Linux Instance:
This time we will try to deploy some other buggy apps on Linux instance like Damn Vulnerable Buggy App (DVWA) rather than SQL INJECTION DEMO PROJECT.
I have already shown in my previous blogs creating and connecting to Linux Instances on AWS. So lets connect to our AWS instance and install following dependent modules.
- Apache Web Server (Useful in Linux to Host Websites)
- My-SQL (Database to Store Data for hosted website).
- PHP (Technology Module)
- PHPMyAdmin (Technology Module)
Prior to that we need to Modify Security Group On our AWS Linux instance and add inbound rule which enabled PORT 80 because by default apache web server runs on PORT 80. Let’s see how to add custom rules to Security Groups.
Step 1: Select your ubuntu linux instance from list of instances on AWS. Click on Security Group.
Step 2: Click on Edit inbound rule.
Step 3: Click on Add rule.
Step 4: Add HTTP PORT 80 to the inbound rule and click on Save.
Notice you will get success message if rules added successfully.
Now next thing is connect to the ubuntu instance and install our dependent modules along with apache web server.
- Installing Apache Web Server on ubuntu instance:
Command: apt install apache2
Testing Apache Web Server Running or not:
Now to validate that Apache is running on our Ubuntu server, we access the IP of the instance in a browser so that we will get default web page of apache web server.
2. Installing and configuring MySQL database:
Command: apt install mysql-server
It will prompt to set password for MySQL root user. you can set by entering credentials twice.
You can set new username and password on MySQL database using below commands:
Commands:
i) mysql -u root -p
ii) GRANT ALL PRIVILEGES ON *.* TO ‘spitfire’@’%’ IDENTIFIED BY ‘Admin@123’ WITH GRANT OPTION;
iii) flush privileges;
iv) exit
3. Installing PHP Module:
Command: apt install php
4. Installing PHPMyAdmin:
Command: apt install phpmyadmin
Now we have successfully installed all the dependency module. Lets setup DVWA Lab for Pen-testing.
To host website or webpages locally, we basically navigate to directory /var/www/html so that web pages will be accessible on localhost from this directory while running apache web server and MySQL server. run the following commands to setup DVWA.
Commands:
i) cd /var/www/html (Root directory for localhost website)
ii) git clone https://github.com/ethicalhack3r/DVWA (Downloading Website Resources)
OR
git clone https://github.com/digininja/DVWA
iii) cd /dvwa/config
iv) mv config.inc.php.dist config.inc.php
v)vim config.php
click i for INSERT MODE.
vi)Add below credentials to the file and click ESC then :wq on keyboard to SAVE Changes and Close config.php File.
Now after all the installation don’t forget to reboot your Linux ubuntu AWS instance or else changes will not be done. Once rebooted navigate to your AWS linux instance URL from web browser.
In your case URL may be different because Public IPV4 DNS address is differ for every instance on AWS. in my case it is
http://ec2-65-2-125-40.ap-south-1.compute.amazonaws.com/DVWA/setup.php
Click on Create/Reset Database button and it will redirect to login.php page as shown below:
I hope this blog will be helpful for pen-testers. Please provide your valuable feedback and suggestions.
In my next blog, I will explain following things,
- Installing Vulnerable Services on Linux Instance.
- Establishing connection between EC2 Instances (Linux and Windows).
Thanks Readers!
