Karl.Fail

Tag: docker

  • Damn Vulnerable Web Application (DVWA): The Classic Playground for Web App Security

    Welcome to DVWA: Learn Web Security the Hands-On Way

    Damn Vulnerable Web Application (DVWA) is a legendary tool in the cybersecurity world, purposefully crafted to be insecure. Built using PHP and MariaDB, DVWA is designed for learning, practicing, and testing web security techniques in a safe and controlled environment.

    Whether you’re a budding ethical hacker, a seasoned pentester, or a developer trying to build more secure applications, DVWA offers a rich environment filled with real-world vulnerabilities. It’s perfect for hands-on practice with web security challenges.

    Use Cases for DVWA

    DVWA is ideal for:

    • Practicing common web vulnerabilities like XSS, SQLi, CSRF, and file inclusion
    • Testing and developing security tools in a controlled environment
    • Teaching web security concepts to students in labs or classrooms
    • Running Capture The Flag (CTF) competitions

    The app includes both documented and hidden vulnerabilities, encouraging exploration and deep learning.

    Installation and Setup

    You can install DVWA in various ways based on your environment and comfort level:

    1. Manual Installation

    Clone the repository and set up the application using Apache, PHP, and MariaDB. You’ll need:

    • Apache2
    • PHP (v7.3+ recommended)
    • MariaDB server and client
    • PHP modules like mysqli and gd

    On Debian-based systems, install dependencies using:

    apt update
apt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php

    2. Docker

    If you prefer containerization, DVWA has an official Docker image. After installing Docker and Docker Compose, simply run:

    git clone https://github.com/digininja/DVWA.git
cd DVWA
docker compose up -d

    DVWA will be available at http://localhost:4280.

    3. Windows + XAMPP

    Download and install XAMPP, then place the DVWA files in the htdocs directory. Detailed video guides are available for walkthroughs.

    Core Features

    • Multiple Security Levels: Adjust difficulty from low to high for scalable training
    • Wide Vulnerability Coverage: Practice XSS, SQLi, RFI, LFI, CSRF, command injection, and more
    • API Lab: Practice attacks on a dedicated RESTful API
    • Authentication Bypass Configs: Optional settings for disabling login, useful for automation
    • SQLite3 Support: Offers additional flexibility for SQL injection labs

    Security Considerations

    Important: DVWA is intentionally insecure. Never deploy it on a public-facing server. Use it within isolated virtual machines or containers with NAT networking. Misuse could lead to system compromise.

    By default, login credentials are:

    • Username: admin
    • Password: password

    Troubleshooting and Tips

    DVWA provides an extensive troubleshooting guide, including help with database configuration, permission issues, blank pages, and PHP errors. Enable PHP error display for debugging, and consult the video tutorials linked in the repo for additional guidance.

    Final Thoughts

    DVWA remains a cornerstone for anyone serious about understanding web application security. With its flexible deployment options, layered security levels, and support for both beginner and advanced users, it’s an essential tool in the learning arsenal of any cybersecurity enthusiast or professional.

    Set it up, start hacking, and level up your web security skills!

  • Sn1per: The Ultimate Pentesting & Attack Surface Management Toolkit

    Discover Sn1per: Your All-in-One Pentest and Recon Tool

    In the world of cybersecurity, time is critical. Sn1per, developed by @1N3, is a powerful and comprehensive automated pentesting framework designed to streamline attack surface management, reconnaissance, and vulnerability assessment in one cohesive platform. Whether you’re an ethical hacker, a red teamer, or a security analyst, Sn1per helps you uncover hidden risks and misconfigurations quickly and efficiently.

    Why Sn1per Matters

    Sn1per shines in automating and orchestrating powerful open-source and commercial tools to scan, identify, and prioritize vulnerabilities across your infrastructure. It supports external and internal scans and is structured to mirror real-world attacker behaviors.

    Real-World Use Cases

    • Attack surface discovery and mapping
    • Automated vulnerability scanning across networks and web apps
    • Red teaming and penetration testing engagements
    • Security posture assessments
    • Continuous monitoring of external assets

    Installation Made Easy

    Sn1per is versatile and can be deployed in several ways:

    Linux Installation (Kali, Ubuntu, Debian, Parrot):

    git clone https://github.com/1N3/Sn1per
cd Sn1per
bash install.sh

    AWS AMI (EC2 Instance):

    Available via the AWS Marketplace for easy cloud deployment.

    Docker Installation:

    Run via Docker Compose or directly with:

    sudo docker compose up
sudo docker run --privileged -it sn1per-kali-linux /bin/bash

    Core Features

    Sn1per includes a wide range of scanning and reporting modes:

    • NORMAL: Full port scan and reconnaissance
    • STEALTH: Low-noise scanning to evade detection
    • NUKE: Complete auditing with brute-force, OSINT, recon, and workspace management
    • DISCOVER: Subnet enumeration and scanning
    • WEBSCAN: HTTP/S application scanning via Burp Suite and Arachni
    • MASSVULNSCAN: Vulnerability scanning across multiple targets using OpenVAS
    • Scheduled Scans: Automate regular assessments (daily, weekly, monthly)

    Sample Command Usage

    sniper -t target.com -o -re         # Normal scan with OSINT and recon
sniper -f targets.txt -m nuke      # Nuke mode on multiple targets
sniper -t target.com -m stealth    # Stealth mode

    Integrations

    Sn1per integrates seamlessly with major tools and platforms:

    • Burp Suite Professional
    • OWASP ZAP
    • Metasploit
    • OpenVAS and Nessus
    • Slack (alerts)
    • Shodan, Censys, Hunter.io APIs

    Security and Operational Considerations

    Sn1per is a powerful tool intended for authorized use only. Misuse can result in legal or ethical violations. Always ensure you’re operating in an approved environment, such as a lab or during a sanctioned assessment.

    Dependencies vary by installation method and mode. Shell, Python, and external scanners may require additional configuration for full functionality.

    Sn1per Enterprise

    For enterprise users, Sn1per offers a commercial edition with advanced reporting, dashboards, and management features. Perfect for large-scale infrastructure monitoring and compliance assessments.

    Conclusion

    Sn1per is not just another recon script-it’s a powerful and extensible platform for conducting advanced penetration tests, vulnerability scans, and continuous security monitoring. Whether you’re targeting a single host or a massive enterprise network, Sn1per provides the automation and insight needed to stay ahead of threats.

    Get started with Sn1per on GitHub and level up your security assessments today.

  • Airgeddon: The Swiss Army Knife for Wireless Network Auditing

    Unleashing the Power of Airgeddon

    If you’re passionate about cybersecurity and wireless networks, Airgeddon is a must-have tool in your arsenal. Designed for Linux users, Airgeddon is a powerful, multi-use bash script that streamlines wireless network auditing, enabling ethical hackers and security professionals to conduct advanced Wi-Fi attacks and security assessments.

    What Is Airgeddon?

    Airgeddon is a feature-rich script that consolidates various Wi-Fi attack tools into a single, cohesive interface. Whether you’re testing WPA/WPA2 PSK networks, launching Evil Twin attacks, or capturing handshakes for cracking, Airgeddon simplifies it all with an intuitive menu-driven approach. It supports multiple attack vectors and is frequently updated by its active community.

    Real-World Use Cases

    • Penetration Testing: Simulate real-world Wi-Fi attacks to test your network’s defenses.
    • Training & Learning: Ideal for students and aspiring ethical hackers to understand Wi-Fi vulnerabilities.
    • Security Audits: Quickly evaluate the security of client environments or personal networks.

    Installation and Setup

    Airgeddon runs on Linux and requires Bash 4.2+. While it’s not available as a standard package, setting it up is straightforward:

    1. Clone the repository:
      git clone https://github.com/v1s1t0r1sh3r3/airgeddon
    2. Navigate to the directory:
      cd airgeddon
    3. Run the script:
      bash airgeddon.sh

    For detailed setup instructions including Docker usage and OS-specific notes (Linux, macOS, Windows), consult the official wiki.

    Core Features and Capabilities

    • Handshake Capturing: Capture WPA/WPA2 handshakes for offline cracking.
    • Evil Twin Attacks: Create rogue access points to lure users and capture credentials.
    • PMKID Attacks: Exploit vulnerabilities in routers to retrieve PMKID hashes without client interaction.
    • WPS Attacks: Test for vulnerable WPS-enabled routers using Reaver or Bully.
    • DoS Attacks: Perform deauthentication attacks to test network resilience.

    Airgeddon also integrates with popular tools like Aircrack-ng, Hashcat, BeEF, Bettercap, and more.

    Docker Support

    If you prefer containerization, Airgeddon provides Docker support for Linux, macOS, and Windows, making it easier to deploy without cluttering your system.

    Security Considerations

    Airgeddon is a dual-use tool, meaning it can be used for both ethical and malicious purposes. Always ensure you have proper authorization before performing any network audit. The tool also requires root privileges and can change network interfaces, so proceed with caution and understand the risks.

    Dependencies

    The script checks for and guides you to install any missing dependencies. These may include:

    • Aircrack-ng
    • iwconfig/ifconfig
    • macchanger
    • xterm
    • hashcat (optional but recommended)

    For the full list of essential and optional tools, visit the wiki.

    Beginner-Friendly Yet Technically Robust

    Airgeddon is designed with both newbies and seasoned professionals in mind. The guided menus and detailed documentation lower the learning curve, while the wide range of features keeps even the most experienced users engaged.

    Final Thoughts

    Airgeddon is an indispensable toolkit for wireless auditing. With its modular design, frequent updates, and strong community backing, it empowers security enthusiasts to better understand and defend against Wi-Fi threats. Download it today and start conquering the wireless frontier-ethically!

    Explore Airgeddon on GitHub