DVWA installation

In this post I will do an installation on DVWA in Kali Linux using the step from the slides given in binusmaya.

The first step is to change directory in the terminal into /var/www/html and then download the file through the link by using the command wget https://github.com/ethicalhack3r/DVWA/archive/master.zip after finished with the download then unzip the file using unzip master.zip command after that confirming that the file really exist at the file location by using ls command.

Above is the process I do from changing the directory and downloading the DVWA file.

Below is the process of unziping the master.zip

because i lost the screen capture of this process i redo the process and recapture but the terminal indicate that i have a same file and asking to replace it or not.

Below is to check if the file exist at the folder location.

It can be seen in the directory of var/www/html that the master.zip really did exist.

The next step is to move the content from directory DVWA-Master to web root directory by using “mv DVWA-Master/* /var/www/html” command then changing the owner directory of var/www/html by using “chown -R www-data:www-data /var/www/html” as shown below.

After that the tutorial shows the directory with details using ls -la command.

After that starting the service of apache2 and mysql by using “service apache2 start; service mysql start” as seen below

After that following the instruction next step is to secure mysql installation by using “mysql secure installation” command then you will be asked whether you want to change password or not. In the tutorial the user change the password so i also did the same.

After changing the password I got some question from the system like “Remove anonymous users?”, “Disallow root login remotely?”, “Remove test database and access to it?”, “Reload privilege tables now?” and the answer to all that is yes. It is done to prevent others from accessing the mysql of the system.

After following the next step it is quite strange that I didn’t find any error that are mentioned in the slides but I still follow the following command after the supposed to be error step to config the not available error. The command for the config is “cp config/config.inc.php.dist config/config.inc.php”.

As seen above there are no error in going to the ip of kali.

Since I didn’t find the error I’m stuck at the recaptcha step so i jumped to the setting up the database by using mysql -u root -p command after that command the system will ask for the password. but in my case the system didn’t ask the password so it directly goes into the database configuration as seen below.

after that following the command given in the slide “create database cbn_workshop;” to create the database after that granting all privilege with a password of W3llD0n3CS by using “grant all privileges on cbn_workshop.* to dvwa_user@localhost identified by ‘W3llD0n3CS’ ” command as seen below. Other than that the tutorial have another command to flush all other privilege other than dvwa_user.

 

but after asking help from Mr Charles he said that the website need to have /index.php on the behind of the ip.

As seen above it brings me to the DVWA login site.

I don’t know the username and password until the class with Mr Kalpin that he told us that the username is admin and the password is password. After logging in the site brings me to the database setup page.

Enumeration and Port Scanning

Enumeration Introduction

  • Enumeration extracts information about:
    • Resources or shares on the network
    • User names or groups assigned on the network
    • Last time user logged on
    • User’s password
  • Port scanning and footprinting is used to determine OS being used
  • Intrusive process
  • NBT (NetBIOS over TCP/IP) is a tool for enumerating Microsoft OSs

using wpscan to do enumeration on jo1.pentest.id

from the wpscan — url http://jo1.pentest.id –enumerate u -r command I got the username of the admin of the site.

After that following the Hint given in the jo1.pentest.id I got the list of possible password for the admin of the site

after that i tried to brute force the system using the available possible password using wpscan –url jo1.pentest.id –wordlist password.txt –username adminjo –threads 50 -r

From the command one of the possible password match with the admin password so the wpscan gives back the result of the matched password.

 

Week 4 of Ethical Hacking

On the 4rd week I learn about dnstrails.com a website that holds the record of DNS from all website and also you might get info about the website real ip behind cloudflare.

Below is the DNS record of x company

Below is the historical data of x company from dnstrails.com

Below is the the whois data of x company from dnstrails.com

Week 3 of Ethical Hacking

On the 3rd week I learn about information gathering and utilizing search engine using kali linux terminal.

Below is the result of dig pentest.id

Below is the result of host pentest.id

Below is the result of whois pentest.id

Introduction of Ethical Hacking and Penetration Testing

On the first week the class discussed about all of the definition in ethical hacking such as:

  • Ethical Hackers: Employed by a company to do penetration testing on the company’s system.
  • Penetration test: a legal attempt to get access into a company’s network to find its weakest link. Tester only report findings.
  • Security test: similar with penetration testing in term of attempting to get access but with more details such as analyzing company’s security policy and procedures. Tester not only report finding but also offers solution to secure or protect the network.
  • Hackers: getting access into computer system or network without authorization. Because there is no authorization this breaks the law and can get the person in action go to prison.
  • Crackers: breaking into systems to steal or destroy data.
  • Ethical Hacker: doing hacking activity with the owner’s permission.
  • Script Kiddies/Packet Monkeys: inexperienced hackers that copy codes and techniques from knowledgeable hackers.
  • Script: set of instruction that runs in sequence.
  • Tiger box: Collection of OSs and hacking tools. It helps penetration testers and security testers conduct vulnerabilities assessments and attack.

Programming language that are used by experienced penetration testers:

  • Practical Extraction and Report Language (Perl)
  • C
  • Python

Other than that the class also discussed about Penetration-Testing Methodologies such as:

  • White box model:
    • The tester is told about everything in the network from the topology to the technology
    • Tester is authorized to interview IT personnel and company employees
    • By knowing all the information on the network it makes tester job easier
  • Black box model:
    • Company staff doesn’t know about the test
    • Tester is not given any information regarding the network
    • Test to know if the security personnel are able to detect an attack
  • Gray box model:
    • Hybrid of the white and black box models
    • The company gives tester partial information regarding the network

After that the class discussed about Penetration-Testing Process that consist of:

  • Defining the scope of the test:
    • Extend of the testing
    • What will be tested
    • From where it will be tested
    • By whom it will be tested
  • Performing the penetration-test:
    • Detail process (The 10 Hacking Cycle)
  • Reporting and delivering results

Then the class discussed about common techniques in penetration testing which consist of:

  • Passive Research:
    • Gathering information about system configuration of the institution
  • Open Source Monitoring:
    • To ensure confidentiality and integrity
  • Network mapping and OS fingerprinting
  • Spoofing
  • Network Sniffing
  • Trojan attacks:
    • Malicious code
  • A brute-force attack:
    • Password cracking
  • Vulnerability scanning
  • Scenario analysis
    • Final phase of testing

The Blue Team and Red Team

  • Red Team:
    • Performing penetration testing without the knowledge and consent of IT staff of the organization
    • May conducted with or without warning
    • Goal: To detect network and system vulnerabilities (revealing system defense capability )
  • Blue Team:
    • The “internal” team that defend the system, they commonly have knowledge of internal system
    • They are the opposing site of the red team

If they perform penetration testing they do the least expensive and most commonly used way of testing. The goal is to think how to surprise attacks might occur.

 

Final Project Report For MHCI Class

This is the report for my group final project for Multimedia and Human Computer Interaction class.

Because we are working in a group I and my teammate decided to split things up.

Because I’m better at designing layout I got the designing part. Although i didn’t make the asset of the game, I did some searching for the asset and find the asset at Qraken Games. After taking the asset i arranged the asset to be as it is. I also did some of the assets for the start menu as displayed below.

This is the start screen after running the game.

This is the guide on how to play the games.

This is the Credits Screen.

This is the display of the quiz screen.

This is the display of Game Over screen.

This is another variation of display of the quiz screen.

 

These are some of the events that I do.

Final Project Proposal

This is a proposal made for the final project of Multimedia and Human Computer Interaction class.

My team consist of me and my teammate named Hanssen.

The Project that we are asked to do is to make a simple game for kindergarten kids.

After some discussion with my teammate. My team decided to make a quiz based game for kindergarten kids.

The quiz will be like a multiple choice question based on animals and the answers will be the icon of the animal.

About Me

Hi there readers, my name is Benny Victor.

I’m a Computer Science student at Binus University batch 2020.

The purpose of me making this blog is mainly for University assignment requirement. So, basically what i posted here will all be related to my  University assignment.