The DVWA - Manual SQL Injection and Password Cracking module provides you with the instructions and lab environment to develop your hands-on skills in the following topics:
- DVWA Usage
- Performing an SQL Injection Attack
- Password Cracking with John
Lab time: It will take approximately 1 hour to complete this lab.
The following exam objectives are covered in this lab:
- CS0-001 3.4 Given a scenario, analyze common symptoms to select the best course of action to support incident response
- CS0-001 4.2 Given a scenario, use data to recommend remediation of security issues related to identity and access management
- CS0-001 4.3 Given a scenario, review security architecture and make recommendations to implement compensating controls
- CS0-001 4.4 Given a scenario, use application security best practices while participating in the Software Development Life Cycle (SDLC)
Exercise 1 - DVWA Usage
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that has been deliberately engineered to be vulnerable to a wide variety of attack vectors, so that security professionals can test their skills and tools in a legal environment. It is a very useful tool for learning and applying security-testing techniques to applications within an SDLC.
In this exercise we will:
- Activate DVWA
- Connect to DVWA
Exercise 2 - Performing an SQL Injection Attack
SQL injection is used to inject code into an application's database queries, which then return data that typically should not be displayed. For example, the technique can be used to find personal information that is hidden from normal view, exposing details such as usernames and passwords.
In this exercise, we will cover:
- DVWA SQL Injection
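To make the mechanism concrete, the following added example (not part of the original lab material or DVWA's own code) builds a constructed in-memory SQLite users table and contrasts a query that concatenates the `user_id` parameter into the SQL text with a parameterized version of the same lookup. The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a users table (not DVWA's real data).
SAMPLE_USERS = [
    (1, "alice", "Alice"),
    (2, "bob", "Bob"),
    (3, "carol", "Carol"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Untrusted input is spliced into the SQL text, so a quote in the input
    closes the string literal and the remainder is parsed as SQL."""
    query = f"SELECT user, first_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized form: the value travels separately from the SQL text and
    can only ever be compared as a value, never parsed as SQL."""
    query = "SELECT user, first_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def demo():
    """Run both lookups with a normal id and with a tautology-style input."""
    conn = make_db()
    tautology = "' OR '1'='1"  # closes the literal, then always-true condition
    return {
        "normal_vuln": lookup_vulnerable(conn, "1"),
        "normal_safe": lookup_safe(conn, "1"),
        "tautology_vuln": lookup_vulnerable(conn, tautology),  # leaks every row
        "tautology_safe": lookup_safe(conn, tautology),        # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns all three rows for the tautology input, while the parameterized lookup returns none, which is the fix the SDLC objective above is asking for.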
Exercise 3 - Password Cracking with John
John the Ripper detects the type of a password hash and then cracks it, either by brute force or by using a password hash list supplied to it. It is used against DES, MD5, Blowfish, Kerberos AFS and Windows LM hashes. It performs dictionary attacks by hashing each entry in the wordlist and comparing the results against the password hash list.
In this exercise, you will perform the following tasks:
- Making the Password Hash File
- Using a Wordlist
- Password Cracking and Validation