Welcome back, my aspiring hackers!
In this series on Linux for aspiring hackers, I'm trying to provide you with the basic skills needed to be capable in Linux as a hacker. One area that's critical that we haven't covered yet is building and managing an Apache web server.
Apache is found on over 60% of the globe's web servers, so any self-respecting Linux admin should be familiar with it. As a hacker aspiring to hack websites, it's critical to understand the inner workings of Apache, websites, and the backend databases of these sites.
In addition, by setting up your own web server, you could serve up malware to anyone who visits your site. If you're thinking of building a botnet, this is one of the best ways of doing that (I'll do a tutorial on building a botnet in the near future).
Getting Apache on Your System
If you have BackTrack running on your system, Apache is already installed. Many other Linux distros have it installed by default as well. If you don't have Apache installed, you can download and install the LAMP stack.
LAMP is an acronym for Linux, Apache, MySQL, PERL, and PHP. These are the most widely used tools for developing websites in the Linux world, and they're very popular in the Microsoft world too, only it's generally referred to as WAMP, where the W simply stands for Windows.
Simply download this LAMP stack and install it on your system, and then I will take you through the care and feeding of your LAMP stack to serve up webpages. In addition, we'll download and install a website that we can use for web and database hacking in future tutorials.
Step 1: Start Your Apache Daemon
The first step, of course, is to start our Apache daemon. In BackTrack, go to BackTrack -> Services -> HTTPD and click on apache start.
Step 2: Open the Default Website
Now that Apache is running, it should be able to serve up its default webpage. Let's type http://localhost/ in your favorite web browser.
Step 3: Open the Index.html File
Apache's default webpage is /var/www/index.html. We can edit that file and get Apache to serve up whatever webpage we want, so let's create our own.
Use any text editor you please, including vi, gedit, Kate, KWrite, emacs, etc. For demonstration purposes here, I'll open the /var/www/index.html with KWrite.
Note here that the default webpage has exactly the text that was displayed when we opened our browser to localhost, but in HTML format. All we need to do is edit this file to have our web server display the information we want.
Step 4: Add Some HTML
Now that we have the web server running and the index file open, we can add whatever text we'd like the web server to serve up. We will create some simple HTML blocks.
Let's serve up this page:
<html>
<body>
<h1> Null Byte is the Best! </h1>
<p> If you are new to hacking, wonderhowto.com's Null Byte</p>
<p>world is the best place to learn hacking!</p>
</body>
</html>
Now, save this file and close KWrite.
Step 5: Let's See What Happens
Now that we have saved our /var/www/index.html file, we can check to see what Apache will serve up. Navigate your browser once again to http://localhost.
Apache has served up our webpage just as we created it!
Step 6: Download & Install DVWA
Now that we have our web server up and running, we want to download and install a website designed especially for hacking, known as the Damn Vulnerable Web Application or DVWA. Let's download it from here, then unzip it. To unzip it, type:
- unzip DVWA-1.0.8.zip -d /var/www
Next, we need to change permissions to give us (root) execute permissions.
- chmod 755 DVWA-1.0.8
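Whether the chmod above took effect depends on the directory it was run from, so the result is worth checking rather than assuming. The shell functions below are an added example, not part of the original tutorial: they confirm a directory's mode and list anything under it that is world-writable. The script name and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Usage (script name and path are assumptions):
#   sh check_webroot.sh /var/www/DVWA-1.0.8 755

# Succeed only if DIR exists and its permission bits are exactly MODE (octal).
# The symbolic mode from "ls -ld" is printed either way.
check_dir_mode() {
    dir=$1
    want=$2
    if [ ! -d "$dir" ]; then
        # Typical cause: a relative path used from the wrong directory.
        echo "missing: $dir"
        return 2
    fi
    shown=$(ls -ld "$dir" | cut -c1-10)
    # "-perm MODE" without a leading dash is an exact match on the mode bits.
    if [ -n "$(find "$dir" -prune -perm "$want")" ]; then
        echo "ok: $dir $shown"
    else
        echo "mismatch: $dir $shown (expected octal $want)"
        return 1
    fi
}

# List everything under DIR that any local user may write to. Symlinks are
# skipped because their own mode bits are not used for access checks.
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Number of world-writable entries under DIR.
world_writable_count() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Run the checks only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    check_dir_mode "$1" "${2:-755}"
    [ -d "$1" ] && world_writable "$1"
fi
```

A "missing" result usually means a relative path was used from the wrong working directory; any path printed by world_writable can be modified by every local account on the machine.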
In my next Linux tutorial, we will set up PHP, MySQL, and configure our Damn Vulnerable Web Application so that we can practice website and database hacking, so keep coming back!
63 Comments
Thanks for the DVWA.
Waiting for the next ... can't wait anymore ... please publish as soon as possible ... :)
Pranab:
Please be patient. There are more coming.
What subjects would you like covered in future articles?
OTW
Till now I am able to share pictures and text through the virtual host. I am using the no ip service, but every time I disconnect and reconnect my ppp0 device (3G modem) I get a new IP and I need to manually reset everything to make my small website run. Is it possible that I can have a constant (static) IP using the same ppp0 interface? And please publish part 12, waiting for that :) Thanks
Pranab:
Sorry it took so long to respond. You are behind a DHCP service, so every time you disconnect, it will issue you a new IP. To get a static IP, contact your ISP.
OTW
Search dynamic DNS on Google. I think you might have come across the solution for your problem but still wanted to help.
Any idea when the next one's coming, OTW?
Good work by the way, enjoying every bit!
Chris:
I should have a new one out this week on LKM. What would you like to see covered in future Linux tutorials?
OTW
You're covering everything I want to know at the moment, thanks. Just keep up the good work and I'll be kept happy!!
Cheers
At the end of this excellent tut you stated, 'In my next Linux tutorial, we will set up PHP, MySQL, and configure our Damn Vulnerable Web Application so that we can practice website and database hacking', but the next tut in this series (Part 12) is about LKM? Is there a continuation of this tut, as it's sort of left hanging? Thanks.
Graymatter:
First, I want to welcome you to Null Byte!
Second, you are right, I kind of left you hanging. I'll finish up with PHP, MySQL, and DVWA in 2014. I promise!
OTW
In Step 6, I was having issues with
'chmod 755 DVWA-1.0.8'
Until I typed in
'chmod 755 /var/www/DVWA-1.0.8'
Which it seems to have accepted,
Has this granted me execute permissions? - I thought it had.
It should've. If not, chmod 777. Hahaha.
BTW, the issue with chmod 755 dvwa... is because of the directory.
I was wondering if it would be worth mentioning that the last step could be checked by typing
'ls -l'
in the directory, like you (OTW) taught us in an earlier lesson (6?).
Because for me, the step did not appear to work, so I fixed it from there, using that earlier lesson.
Thank you,
Nemesis1512
Once again, it is an issue of which directory you are in when you execute the command.
I'm glad you could use another tutorial to resolve the issue.
Just keep in mind, if you are executing the command in the same directory as the object (file) resides, you do not need the path to the object (file).
Yes, indeed, sorry, it is just that this occurred before your response, hence why it has been brought up again.
Moreover, seeing as I could use one of your earlier tutorials, this suggests that your tutorials are comprehensive and are published in a very useful order.
Thank you very much for your understanding and further explanation,
Nemesis1512.
Bump! on that botnet tut idea!! I'm craving one that actually makes sense. I have found a great video, I believe from Defcon 20, on making a HUGE botnet quickly through proxy/VPN.
I am not able to edit the file index.html. And I am not even able to change the permissions using chmod.
"chmod: changing permissions of 'index.html': Operation not permitted" is the error I get when I try changing any permissions for that file.
And I am also not able to extract this zip file due to some permissions problem.
Are you using BackTrack?
Are you logged in as "root"?
Ubuntu.
How to log in as root?
Did you install Apache?
Yes. I am able to do it now. I tried prefixing all the commands with 'sudo' and it worked for all.
This is now my home page. Hope it pleases you to know.
I'm fairly new to Linux and I need a tut on how to hack a webserver; this is the objective.
Okay, see if you can put a file in my home folder on my web server. Good luck! (Hint: use the console login.)
And BTW, I know how to log in to the console, but what do I do next? Please help, OTW! And I have Kali Linux because BackTrack is obsolete.
Is there a question in there?
Yes, there is: how to hack a webserver
and put a file onto it while knowing the console login or ssh and the IP. I know all that info, but what do I do next?
Let me see if I understand. You know the console login and want to upload a file to the webserver? Why not use ftp or tftp?
Like, I can use FileZilla or something like that?
Sure, if you have access to console. You can create an ftp account and upload whatever file you want.
You really don't need FileZilla though. You can simply use ftp at the command prompt in Windows or Linux.
Oh OK, thanks OTW, you're the best!
Would it be possible to host this web server, send someone a link to it, and when they went to the page it would open a meterpreter session with them?
If so, how would I do it?
Deliveryman:
Have you checked out my Metasploit posts using a URL? It does exactly what you are asking without having to build the website.
OTW
Okay, I'll look, thanks.
That seems to only work with IE8 though. If I wanted it to work with any browser, would I have to build the site?
There are different exploits for different browsers. IE8, though, is still the most widely used browser.
But how can you determine what browser a PC is running?
The new p0f 3.0 will tell you.
I've been doing some googling and I haven't found anything on how to detect browser types with p0f 3.0. How would you do it?
p0f is passive. All you do is enable it on your interface and it will tell you the OS, the interface and browser, if one is used.
Oh okay. Thanks, and keep up the good work.
Thanks for that DeliveryMan!
OTW, SELinux: I want to know how to use it and how to add policies. I read the manual but have no idea.
Hi guys.
I'm running Ubuntu in VMWare Player.
When I try running Apache, it gives me "Could not open configuration file /etc/apache2/apache2.conf: No such file or directory"
Any pointers or suggestions on how to make Apache work?
Thanks,
Nathan
Nathan:
Every distribution of Linux places the files in different locations. Try using the locate command to find the apache2.conf.
OTW
Okay, I'll try that. I was using find to search for it, that may have been my problem.
Hello,
I want to be the best hacker. Which programming languages should I learn to get my task?
Haroon:
I would recommend that you learn C and Java and then learn to script in BASH, Perl and Python.
OTW
How do I install the DVWA after I gave myself execute permission?
Hello OTW!
Thanks a lot for your tutorials! You are helping me more than you can imagine!
Have Kali Linux 2.0 up and running w/dual boot. Don't see the GUI screen from Application - System Services and hence Apache2 start/stop or restart. Anyway, used the CLI to start apache2 and leafpad /var/www/index.html based on the wording above. But no changes in Iceweasel on http://localhost or 127.0.0.1. Thanks for your reply in advance.
MPLEAFS,
On Kali 2 entering 'service apache2 start' into the terminal should start the apache server and display /var/www/html/index.html when pointing the browser to localhost or 127.0.0.1.
Had almost the same problem, only that https://localhost/ showed the edited site, but 127.0.0.1 did not.
A simple restart resolved the issue, but I'm still curious as to why that happened.
Any ideas?
If I'm logged in as "root", do I still need permission or what?
I am new to Linux and need some basic learning.
Yes, even root needs permissions to use or execute a file.
On Ubuntu, I can't edit my apache2 index.html file in gedit, located in /var/www/html/index.html, because it gives a message saying, "could not create a backup file while saving /var/www/html/index.html". I have -rwxrwxrwx permissions, which I found out by typing ls -l in the terminal. Do you have any advice so I can make a customised page like you? Sorry for the inconvenience.
-DogJones
Never mind. Please excuse my stupid question, as I just sorted it out. So sorry!!!
Hi, can you assist with a lab? The objective is to access the LAN from outside. The only details I have are the website and 3 other servers. FTP port closed, only 80 is open. I have Kali Linux. Not sure how to approach this with the limited info given for this lab.
Hi OTW - great introductory series, thanks for writing it! I'm wondering what happened to the follow-up to this article re: configuring DVWA though. Is it around somewhere else?
Hi there, I know it's 3 years old but I have a problem (I am new to Kali Linux and Linux generally). I installed LAMP with the link above, but when I type localhost and try to connect in my browser, a Bitnami page shows up and not the "It works!" page. Please help, what did I do wrong?
Hi, your result is fine and accurate for the instructions we have followed for LAMP. If you would like to create a page for apache, navigate to bitnamiDirectory/apache2/htdocs. You can then put your html file there as filename.html. To navigate there, go to the Bitnami LAMP Stack client and open the Manage Servers tab. Click on Apache Web Server and restart the server. You can now navigate to your html page by going to localhost:8080/filename.html. Hope this helps!
"I'll do a tutorial on building a botnet in the near future" - where can I read about it?
Hello,
At the end of this tutorial you said that the next upcoming tutorial will be focused on "In my next Linux tutorial, we will set up PHP, MySQL, and configure our Damn Vulnerable Web Application so that we can practice website and database hacking"
But the following tutorial, #12, is all about LKMs. Where can I find the follow-up tutorial in this series?
Just trying to add some useful info...
For Kali Linux 2020 version:
-> to start/stop/restart apache/mysql from terminal:
sudo service apache2/mysql start/stop/restart
Felt a lack of information about DVWA!
I hope there is a tutorial about this.
Ty,
gogogo!