Mutillidae Database Errors in Metasploitable 2

I really enjoy using Mutillidae, it is one of my favorite teaching tools. I usually run it on a Windows box, but when I went to use it in the Metasploitable 2 VM I was getting a lot of database errors. Scanning through the support sites and comments I finally found that their is a configuration file issue and wanted to re-post the fix here.

You need to change the database name from “metasploit” to “owasp10” in the “config.inc” file.

In Metasploitable VM navigate to /var/www/Mutillidae

  • Type, “sudo nano config.inc”

Change the database name from ‘metasploit’ to ‘owasp10’ :

metasploitable database error

metasploitable mutillidae error

  • Restart Apache by typing, “sudo /etc/init.d/apache2 reload”
  • Lastly open Mutillidae in a browser
  • Click, “Reset DB”

You should now be all set to use Mutillidae!

Book Review: “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide”

You may have layers of security, popularly known as “Defense in Depth”, but are your security features setup properly? Are their configuration errors that a vulnerability scan will not find?

What information is being broadcast by your computers, company, or employees, that don’t show up in a software scan?

Many companies think that if they just run a vulnerability scan and it passes that they are good, but is this an accurate test of your network security?

Even if you have a secured environment how could you test this using the actual techniques that a hacker would use to see if your security is up to the challenge?

Enter “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide” the latest book by Lee Allen and Packt Publishing.

From preparing the scope of a pentest, to learning the tools of pentesting, to installing and running a full mock pentest on a virtual lab, this book truly is the ultimate security guide!

Here is a quick overview of the main topics:

Reconnaissance

Learn about DNS data siphoning techniques, Shodan, and the Google Hacking Data Base. The chapter also covers numerous tools that can help with recovering network, computer, and user information. And sometimes even user documents.

Enumeration

This section includes a very good tutorial on Nmap scanning including using decoys and zombie hosts in your scans, and a look at gathering pertinent information from SNMP.

Exploitation

Exploitation covers installing Kioptrics (a purposefully vulnerable Linux install) and running attacks against it from the Backtrack system. In this chapter the user learns how to retrieve service information from the target system. Then searching the Exploit-DB database (online and in Backtrack) to find exploits against it, and once an exploit is found, compiling and using it in Backtrack.

This chapter then covers transferring data to and from the system and cracking passwords, and finally exploiting the machine with the Metasploit Framework.

Web App Exploitation

Covers creating a virtual lab by installing Kioptrics level 3, pfSense (firewall), HAProxy (load Balancer) and Irongeek’s Mutillidae (contains the OWASP top 10). The author covers detecting Load Balancers and WAP firewall and scanning with the Web Application Attack and Audit Framework (w3af). You also learn how to use WebScarab to record and analyze your pentest and are introduced to Mantra, the pentester’s Plug-In toolkit.

Client Side attacks

Client side attacks are covered including Buffer Overflows, fuzzing, using David Kennedy’s (ReL1K) Fast Track and the Social Engineering Toolkit.

Post Exploitation

This chapter explains data and service enumeration on the target system. This includes which files to try to recover, which logs to analyze, what processes and networking details to view on both Linux and Windows systems. And finally using the exploited machine to scan or gain access to other hosts via pivoting.

Conclusion

The book also covers bypassing firewalls, avoiding detection, data collection tools and reporting.

Okay, after you have learned all of this excellent information, what are you going to do with it? Why not put it to the test with the last two chapters where you build a full testing lab and then run through a mock penetration test using the lab and all the skills that you have learned from the book.

This book is packed full of excellent training and tutorials. The author masterfully walks you through each section with step by step instructions, including screenshots.  It is easy to read and follow, for novice and expert alike. If you are new to pentesting or want to learn more about it, then this is the book for you.

I highly recommend this book.

Practice you Penetration Testing Skills with Metasploitable 2

Good news, a new version of Metasploitable is available. Metasploitable is a Linux virtual machine that is left purposefully vulnerable so you can practice your mad cyber skills.

The latest version, Metasploitable 2, has a ton of open services for you to discover and try to exploit. Version 2 has several built in backdoors (intentional and unintentional) already present, weak passwords to crack and multiple vulnerable web services including DVWA (Damn Vulnerable Web App) and Irongeek’s vulnerable web application Mutillidae.

Mutillidae is really cool and a great learning tool as it has all the vulnerabilities from the OWASP Top Ten with a few extra thrown in for good measure. Irongeek’s website has a ton of tutorials on using Multillidae.

We had some fun a few months ago with gaining root on the first version of Metasploitable, hopefully in a week or two we will take a closer look at Metasploitable 2. In the mean time, download it and check it out!