Author: Blogger

I am the one who publishes all the blogs for ENCIPHERS :-)
06 Oct 2017

Pentesting a WordPress website using WPScan

Ever thought of quickly testing a WordPress website for known vulnerabilities and outdated plugins or themes? Well, here is a blog post on one such fantastic tool:

$ wpscan

What is WordPress and why is it famous?

WordPress is an online, open-source website creation tool. It makes website creation super easy and is very user-friendly. Nowadays people tend to use WordPress instead of learning to code in HTML, CSS and JavaScript to create a website, because even a non-technical person can learn how to use WordPress and build a website in a couple of hours. That’s why it is so popular, and why most personal blogs and many startup websites run on WordPress.

Pro Tip: If you are a bug bounty hunter or a penetration tester, finding a vulnerable WordPress installation within scope may give you numerous easily exploitable vulnerabilities and large cash rewards.

But how am I supposed to know if a website is created on WordPress?

Don’t worry, you don’t have to get very technical for that. There are several tools already available for it. The tool I personally use is:

Just install any of these add-ons in your favorite browser, and when you visit a website it will show all the technologies used on that site. For websites built on WordPress, it shows a W icon. In this way you will be able to find out which part of the website is on WordPress.

Note that in many cases the whole website might be built on a different framework, while a part of it, such as the blog section, is on WordPress. So keep an eye on the add-on.

Why is it important to test vulnerabilities in a WordPress website? Won’t the people who manage WordPress take care of that?

Yes, WordPress will make sure that no one is able to use your site in a way it isn’t meant to be used. WordPress security engineers maintain their own database of vulnerabilities and patch them in the next release. So you just have to make sure that you keep your WordPress version updated and don’t use any old plugins or themes.

So where do I need to start then?

Suppose that while browsing the target you found out that the domain runs on the WordPress platform. The first thing you can do is try appending wp-admin to the URL.

For example, let’s consider that the domain blog.examplewebsite.com is on the WordPress platform (as shown by the add-on). Now you just have to visit blog.examplewebsite.com/wp-admin/ to get the form below.

This is the page users use to log in to their accounts. So how do we crack the username and password? We all know that cracking the password is every hacker’s dream.

This is where a tool like WPScan comes into play. WPScan has several options for finding the vulnerabilities in a WordPress website and also for brute-forcing a user login.

How to download and install Wpscan?

Using WPScan is pretty easy. Just go to this page and download WPScan in whichever way suits you best. If you have downloaded the zip or tar file, just extract it and you are good to go. WPScan comes pre-installed in Kali Linux, so there is no need to do any of this there; just jump to the next section.

Important commands

For all the commands below to work, you need to change into the folder where you extracted the WPScan zip file using the terminal.

Command 1: Update WPScan’s databases.

ruby wpscan.rb --update

This is the first command to run when you are using WPScan for the first time. It updates the full WPScan database, which contains the list of known vulnerabilities and exploits for WordPress websites.

Command 2: Enumerate all the usernames

ruby wpscan.rb --url www.example.com --enumerate u

Let’s break the command step by step.

Since wpscan.rb is a Ruby file, we need to use ruby to run it. Then we pass the --url option with the target’s URL. For the last part, --enumerate is the argument, and we give it ‘u’ as the option to enumerate all the available usernames.

If the site owner isn’t using any plugin to stop attackers from enumerating usernames, this command will list all the usernames registered on the WordPress site.

Command 3: Password brute-force attack

ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Knowing only the usernames won’t do us any good. We need to know the password before we can consider this a critical vulnerability.

Here we are using two new arguments. The first is --wordlist, and with it you need to give the full path to where you downloaded the wordlist file. If the wordlist is in the WPScan folder, you just need to write the name of the wordlist. The --threads argument is the number of threads to use for multi-threading. The higher the number, the faster WPScan runs, but this also depends on your machine, so it’s best to keep it between 20 and 50.

It has been said that “Humans are the weakest link in any company’s security”. We as humans tend to use passwords which are easy to remember. Many times admins use passwords like their date of birth, letmein, password or 123456789, which can be cracked with a little social engineering and in many cases by a brute-force attack. This command uses a dictionary-based attack, and if such passwords are in use they will be very easy to crack.

A good place to download password lists is here. It’s very useful; don’t forget to $ git clone it.

Command 4: Enumerating vulnerable plugins

ruby wpscan.rb --url www.example.com --enumerate vp

This command is used specifically to find the vulnerable plugins in the WordPress website; the vp option denotes vulnerable plugins. WPScan will also give you a reference where you can read about each vulnerability. The vulnerabilities are flagged with different colors: a Red flag means the vulnerability is the most critical, whereas Green means it’s the least.

Command 5: Enumerating vulnerable themes

ruby wpscan.rb --url www.example.com --enumerate vt

This command checks for vulnerable themes within the website; vt denotes vulnerable themes. Here too, look for vulnerabilities with the Red flag, because they are the most critical and, if exploited, could be lethal for a company.

Important points

  • First of all, don’t try to use this on any WordPress site you come across. Many sites permanently block your IP after a certain number of incorrect logins, or after detecting a WPScan run, so you won’t be able to access them; and don’t forget it would be illegal.
  • Don’t expect to get results every time. Brute-forcing the username and password will be useless if the admin uses a password that follows a strong password policy (a mix of lowercase and uppercase letters, numbers and special characters).
  • Check each and every reported vulnerability and try to exploit it. Even one vulnerability can lead to the compromise of the whole system.
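As an added example (not part of the original post), here is the defender’s side of Command 3 and of the first point above: a small Python detector that reads web-server access-log lines and flags any client that exceeds a threshold of failed logins against wp-login.php inside a sliding window, which is the same logic a login-protection plugin applies before blocking an IP. The log lines, the threshold and the status-code assumption are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
THRESHOLD = 5                  # failed logins allowed per window before alerting
WINDOW = timedelta(minutes=1)  # sliding window length

def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time the threshold was first exceeded} for suspicious clients."""
    recent = defaultdict(deque)   # ip -> timestamps of failed logins still in window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        # Assumption (stock WordPress): a failed login re-renders the form with
        # HTTP 200 while a successful login redirects with 302, so 200 = failure.
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # evict attempts that fell out of the window
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

# Constructed sample: 203.0.113.7 fails six logins in ten seconds (the footprint
# of a wordlist run); 198.51.100.5 browses and then logs in once successfully.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2017:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3421' % s
    for s in range(0, 12, 2)
] + [
    '198.51.100.5 - - [06/Oct/2017:10:00:03 +0000] "GET /blog/ HTTP/1.1" 200 8812',
    '198.51.100.5 - - [06/Oct/2017:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Calling detect_bruteforce(SAMPLE_LOG) returns an alert for 203.0.113.7 only, timestamped at the sixth failed attempt; the legitimate visitor never appears.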

There are many more commands and arguments available for WPScan. To see the complete list, check out the WPScan official page.

In case of any queries while downloading or using wpscan or anything, feel free to ask them in the comment section and we will be more than happy to help you out.

Till then, keep learning and Happy hacking..:)

06 Oct 2017

5 Nmap scans to help you in penetration testing

Hi, everyone. In this post we are going to discuss the 5 Nmap scans every penetration tester should add to their arsenal.

So what is Nmap and why is it widely used?

In simple terms, Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network. It is widely used during the penetration testing process because a lot of information can be gathered by running the correct Nmap scan against your target.
Information like

  • Which operating system the target is using
  • Which ports are open or closed
  • Identifying different hosts on the network
  • Which version of software the target is running

can be found out from an Nmap scan, which is very useful in the information gathering process.

Installing Nmap

To use Nmap, you need to download and install it on your system. Nmap is available for all flavors of operating system, and it comes pre-installed with Kali Linux. We would like this post to stay on the specific topic of Nmap commands, so it is better if you search for how to install Nmap on your respective operating system; there are many YouTube video tutorials on that. In case of any problems, please comment and we will be glad to help.

Basic Syntax for Nmap:

nmap [ Scan Type ] [ Options ] { target specification }

e.g. nmap -A -T4 192.168.213.129

Don’t worry about what -A and -T4 mean for now. Just keep reading and you will understand everything by the time you complete this post.

Tools required to follow along with this post

1. Nmap correctly installed on the system. Check by running the command nmap in a terminal.

2. Install VMware Player or VirtualBox.

3. Download Metasploitable from here -> Extract the zip file -> Open VMware or VirtualBox, whichever you have installed -> Select the Open a Virtual Machine option -> Browse to where you extracted Metasploitable -> Select Metasploitable.vmx -> Both the username and the password are msfadmin.

Everything has been set up and you are good to go now. Let’s start some Nmap scanning.

Previously we used nmap -A -T4 192.168.213.129. Let’s break it down part by part.

You need the nmap command to run an Nmap scan. '-A' is the scan type: it enables OS detection, version detection, script scanning and traceroute. '-T4' is the option for faster scanning; its values range from 0 (slowest) to 5 (fastest). The last part is the target’s hostname or IP address.

Note that '-A' and '-T4' are not the only scan type and option available. To see the full list of flags that can be used, just run the command nmap in the terminal with no arguments.

Now, let’s do something practical.

In the real world, you will be given either the target specification or the IP address for penetration testing. We can’t just run an Nmap scan against any application on the internet, because that is illegal, so we are using Metasploitable as our target, since it is meant to be used for testing purposes.

Step 1: Find the IP address of Metasploitable. Since we have already downloaded and installed Metasploitable, just run the command ifconfig in the Metasploitable terminal.
It will show two interfaces, eth0 and lo. The inet addr given in the eth0 section is the IP address of Metasploitable.

Now that we know the target’s address, all we have to do is scan it using different scan types and options to get the most useful information. This information can then be used to test whether malicious activities could be performed on the open ports, and how the versions of the different services running could lead to the compromise of the whole system.

We have installed Nmap on an Ubuntu host. The IP address of Metasploitable in our case is 192.168.213.129.

Command 1: Scanning for open ports (default stealth scan)

$ nmap -sS 192.168.213.129

This is the most commonly used scan and Nmap’s default. It first checks whether the host is up, then sends a TCP SYN packet to each of the 1000 most common ports and judges the port state from the reply, without completing the TCP handshake.
Type the command as it is, replacing the IP address with the IP address of your Metasploitable instance.
The command and its output will look like this:

Command 2: TCP Connect Scan.

$ nmap -sT 192.168.213.129

This command is similar to the first one (the TCP SYN scan); however, rather than sending a SYN packet and reviewing the reply headers, it asks the OS to establish a full TCP connection to each of the 1000 common ports.

The output will look like this. At first glance both results look the same, but if you look at the execution time they differ, because the first command performs a stealth scan while the second is non-stealthy.

After reading this far, if you are still confused about what TCP, SYN or packets mean, search for how TCP works and for the TCP three-way handshake.

Command 3: Scan a specific port or a port range

To scan a specific port, use the command

$ nmap -p 80 192.168.213.129

Here we are scanning port 80, which is the HTTP port.

To scan ports within a certain range, use

$ nmap -p 80-2000 192.168.213.129

This scans all ports between 80 and 2000.

Command 4: Aggressive scan

$ nmap -T4 -A 192.168.213.129

This is used for aggressively scanning the target system.
‘-A’ simply means to perform OS and version detection.
‘-T4’ is the speed factor, i.e. how quickly to perform the scan. Its values range from 0 (slowest) to 5 (fastest).
The output will look like this; most of the time it can be quite large.

Command 5: TCP SYN and UDP scan for all ports.

$ nmap -sS -sU -Pn -p 1-65535 192.168.213.129

This command is used when we want to scan all 65535 TCP and all 65535 UDP ports. The flag ‘-Pn’ means that we assume the host is up and skip host discovery. This is done because firewalls are sometimes set up to block ICMP replies, which would otherwise make Nmap treat the host as down.
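As an added example (not from the original post), here is a Python parser for Nmap’s grepable output format (the -oG option, e.g. nmap -sS -sV -oG scan.gnmap 192.168.213.129) that turns the scans above into structured data and diffs a current scan against an earlier baseline, so a defender can see which ports have opened since the last check. The two scan outputs below are constructed samples in the real -oG line format; the service versions are made up, and the host IP is the Metasploitable address used throughout this post.

```python
def parse_gnmap(text):
    """Return {host_ip: {(port, proto): (state, service, version)}}.

    Each -oG port entry has seven slash-separated fields:
        port/state/protocol/owner/service/rpc info/version/
    The version text may itself contain slashes, so split at most six times.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                       # skips "Status: Up" lines and comments
        ip = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t")[0].strip()
        entries = hosts.setdefault(ip, {})
        for entry in ports_part.split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            entries[(int(port), proto)] = (state, service, version.rstrip("/"))
    return hosts

def open_ports(hosts):
    """Reduce a parse result to {host_ip: set of (port, proto) that are open}."""
    return {ip: {k for k, v in e.items() if v[0] == "open"} for ip, e in hosts.items()}

def new_open_ports(baseline_text, current_text):
    """Ports open in the current scan that were not open in the baseline, per host."""
    base = open_ports(parse_gnmap(baseline_text))
    cur = open_ports(parse_gnmap(current_text))
    diff = {}
    for ip, ports in cur.items():
        added = ports - base.get(ip, set())
        if added:
            diff[ip] = sorted(added)
    return diff

# Constructed sample outputs (not real scan results) in the -oG line format.
BASELINE = """Host: 192.168.213.129 ()\tStatus: Up
Host: 192.168.213.129 ()\tPorts: 21/open/tcp//ftp//ExampleFTPd 1.0/, 22/open/tcp//ssh//ExampleSSH 2.0 (protocol 2.0)/, 80/open/tcp//http//ExampleHTTPd 2.4 ((Unix) DAV/2)/\tIgnored State: closed (997)
"""
CURRENT = """Host: 192.168.213.129 ()\tStatus: Up
Host: 192.168.213.129 ()\tPorts: 21/open/tcp//ftp//ExampleFTPd 1.0/, 22/open/tcp//ssh//ExampleSSH 2.0 (protocol 2.0)/, 80/open/tcp//http//ExampleHTTPd 2.4 ((Unix) DAV/2)/, 3306/open/tcp//mysql//ExampleSQL 5.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (995)
"""

if __name__ == "__main__":
    for ip, ports in new_open_ports(BASELINE, CURRENT).items():
        print(f"{ip}: newly open " + ", ".join(f"{p}/{proto}" for p, proto in ports))
```

Run against the samples it reports only 3306/tcp as newly open; the filtered 8080/tcp is deliberately not counted, since filtered is not the same as reachable.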

Some Important Points:

  • Many times, some Nmap features will not work if you are not the root user (Linux) or a user with administrative privileges (Windows). So in case of any errors, try running Nmap as root.
  • Try different combinations of scan types and options. Nmap has many interesting features; we have only described the most common scans used by penetration testers.

Additional references:

Now if you think that you are ready to learn Nmap in depth, check out this page:

Nmap Official page

There you can find the whole list of things Nmap is used for. Also, we have left out an important portion, Nmap scripts. We will write about them in depth in another post, but feel free to look up what they are and why they are so popular.

Have any questions about a problem in installation or any errors obtained during scanning? Feel free to comment and we will reply back as soon as possible.

Till then keep learning and Happy hacking..:)