Multiple Ways to Crack WordPress login

In this article, you will learn how a WordPress website’s credentials can be compromised using different brute-forcing techniques.

Table of Contents

  • Pre-requisites
  • WPscan
  • Metasploit
  • Burp Suite
  • How to avoid a Brute Force Attack?

Pre-requisites:

  • Target: WordPress
  • Attacker: Kali Linux (WPscan)
  • Burp Suite (Intruder)

WPscan

WPscan is a command-line tool used as a black-box WordPress vulnerability scanner. It is commonly used by security professionals and bloggers to test the security of their own websites. WPscan comes pre-installed on most security-focused Linux distributions and is also available as a plug-in.

Here, I am using a WordPress website hosted on localhost, as you can see in the image given below.

While brute-forcing you can either use your own lists of common usernames and passwords or the ones provided with Kali Linux. I have used the rockyou.txt password file, which comes with the standard Kali installation and contains 14341564 unique passwords.

  • --url is the URL parameter, followed by the URL of the WordPress website to be scanned
  • -U brute-forces only the supplied usernames, in our case from users.txt
  • -P brute-forces the passwords from the provided list, rockyou.txt

The scan duration depends mainly on the size of the password dictionary. Since we are mapping a large number of users against an even larger number of passwords, it could also impact the performance of the website if left running for a long time.

The screen shows the attack as a success, with the username admin and the password flower.

Metasploit

As we know, Metasploit comes preinstalled with Kali Linux, so our first step is to open the Metasploit console and then run the WordPress module used below.

This msf module runs a username and password audit: it first validates the usernames and then maps passwords to them.

Yet again a successful brute-force login with the credentials “Admin and flower” can be seen in the following screenshot.

Burp Suite

For this, install Burp Suite Community Edition or use the one that comes pre-installed in Kali Linux. Fire up Burp Suite, open the WordPress login page, turn on the Intercept tab in Burp Proxy, and then supply any username and password of your choice to log in to the WordPress website. This will intercept the login request.

Look at the image below and notice the last line of the intercepted message: it shows the captured login credentials raj:raj, which I used as username and password respectively. Next, send the captured message to Intruder by right-clicking in the message area and choosing the Send to Intruder option, or by just pressing Ctrl + I. If you are not familiar with how Burp Intruder works, go through this article first ( https://www.hackingarticles.in/beginners-guide-burpsuite-payloads-part-1/ )

Now open the Intruder tab, where you can see the base template request that we sent. Select the Positions tab; by default multiple positions are selected, marked using § characters. Anything between two § characters is replaced by a payload. We don’t need all of them right now, so click the Clear button at the bottom right of the editor window.

Next, select the positions shown in the screenshot and click the Add button to the right of the frame. This configures the two selected positions as payload insertion points. Now, to customise the attack, select the attack type. As we have 2 payload positions, I am choosing Cluster bomb. (This attack type is useful for a brute-force attack, as it puts the first payload set in the first position and the second payload set in the second position, and as it loops through the payload sets it tries all combinations. For example, if you have 1000 usernames and 1000 passwords, this will perform 1000000 requests.)

Now click the Start attack button.

In the Payloads tab, click the Payload set drop-down, where you can see the numbers 1 and 2. Select 1 for the first payload position. Choose Simple list as the payload type; this lets you configure a simple list of strings that are used as payloads. You can manually add items to the list using the text box and the Add button, paste a list from the clipboard, or load one from a file.

Similarly, select 2 for the other payload position and choose Runtime file as the payload type; this is useful when a very large list of payloads is needed, to avoid holding the entire list in memory. Add the path of any dictionary file containing only passwords. Click Start attack.

It will try every combination of both payloads and attempt to log in with each username and password, as you can see below. By paying attention to the status and length columns you can see that the combination admin and flower has status 302 and length 1203, which is different from all other combinations, indicating this is the result we are looking for. Hence the username and password are admin and flower respectively.
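The same status signal that reveals the successful guess in the Intruder table (a 302 redirect after a run of 200 responses to POST /wp-login.php) is what a defender can look for in the web server's access log. The following script is an added example, not part of the article: it parses constructed Apache combined-format lines (the IPs, timestamps and sizes are made up), counts failed and successful login POSTs per source IP, and flags sources that failed many times or that only succeeded after repeated failures.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache combined format (not from the
# article). A successful wp-login.php POST answers with a 302 redirect to the
# dashboard; a failed one re-renders the form with a 200, which is the same
# status/length signal the Intruder results table shows.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 1203 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:12:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:12:05:15 +0000] "POST /wp-login.php HTTP/1.1" 302 1203 "-" "Mozilla/5.0"
not a log line
"""

# Apache combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, method, path, status) for a combined-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def analyse_login_attempts(log_text, fail_threshold=5, min_failures_before_success=3):
    """Per source IP, count failed (200) and successful (302) POSTs to wp-login.php.

    Returns {ip: {"failed": n, "success": n, "success_after_failures": bool,
    "suspicious": bool}}. An IP is suspicious when it failed at least
    fail_threshold times, or when it succeeded only after
    min_failures_before_success failures (a likely guessed password).
    """
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        # Only login form submissions matter; strip any ?redirect_to=... query.
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        entry = stats[ip]
        if status == 302:
            entry["success"] += 1
            if entry["failed"] >= min_failures_before_success:
                entry["success_after_failures"] = True
        elif status == 200:
            entry["failed"] += 1
    for entry in stats.values():
        entry["suspicious"] = entry["failed"] >= fail_threshold or entry["success_after_failures"]
    return dict(stats)


if __name__ == "__main__":
    for ip, entry in analyse_login_attempts(SAMPLE_LOG).items():
        print(ip, entry)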

How to avoid a Brute Force attack?

One can certainly avoid these attacks by taking some precautionary measures, as follows:

Password Length: An ideal password length is 8-16 characters. It’s important to avoid the most common passwords and to change them frequently.

Password Complexity: A password should consist of UPPERCASE and lowercase letters and should also include numbers and special characters. Users should choose complex passphrases rather than single words; the complexity of the password slows down the cracking process.

Limit Login Attempts: Limit the login attempts on your WordPress admin. For example, after three failed login attempts it should block that particular IP for a certain period of time to stop it from making further login attempts.

Two Factor Authentication: The next way to be secure from brute-forcing is two-factor authentication, or 2FA. This is a process in which the web service contacts the account owner through a second channel in order to verify a login attempt. Generally, this involves a phone number and/or an email address.

Using Captcha: Installing a captcha on your WordPress site is fairly easy, and it helps prevent bots from running automated scripts to log in to your account.

Install a WordPress Firewall Plugin: Even unsuccessful brute-force attacks can slow down your website or completely crash the server. This is why it’s important to block them, and to do that you’ll need a website firewall solution. A firewall filters out bad traffic and blocks it from reaching your site.

Cloudflare: It is a renowned service that provides a protective shield against brute-force attacks.

Install and Setup a WordPress Backup Plugin: If everything fails, one must have a backup plan! There are several great WordPress backup plugins which allow you to schedule automatic backups.

Disabling directory browsing and installing WordPress updates regularly can also help protect a WordPress website from brute-forcing attacks.
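The "Limit Login Attempts" measure above (block an IP after three failures for a period of time) is simple to state but has a few details worth getting right: a sliding window so old failures expire, a lockout that is checked before the password so a locked source learns nothing, and a reset on success. The following is an added example of that policy in Python; it is not a WordPress plugin or the article's code, and the `LoginLimiter`, `attempt_login` and `DEMO_USERS` names and the demo credential store are constructed for illustration.

```python
import hmac
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Per-IP failed-login limiter (added example, not a WordPress plugin).

    After max_failures failures within window_s seconds the IP is locked out
    for lockout_s seconds; a successful login clears its failure history.
    `clock` is injectable so the policy can be exercised without sleeping.
    """

    def __init__(self, max_failures=3, window_s=600, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lock expires

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[ip]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]  # lock expired
            return False
        return True

    def record_failure(self, ip):
        """Register a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s
            self._failures[ip].clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)


def attempt_login(limiter, ip, username, password, check_credentials):
    """Gate a credential check behind the limiter.

    Returns 'locked', 'ok' or 'failed'. The limiter is consulted before the
    password is checked, so a locked-out IP learns nothing about the credentials.
    """
    if limiter.is_locked(ip):
        return "locked"
    if check_credentials(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "failed"


# Constructed demo credential store for this example only (a real site stores
# password hashes, never plaintext).
DEMO_USERS = {"admin": "correct horse battery staple"}


def demo_check(username, password):
    """Constant-time comparison against the demo store; unknown users always fail."""
    expected = DEMO_USERS.get(username, "")
    equal = hmac.compare_digest(expected.encode(), password.encode())
    return equal and username in DEMO_USERS


if __name__ == "__main__":
    lim = LoginLimiter()
    for guess in ("flower", "admin123", "password", "correct horse battery staple"):
        print(guess, "->", attempt_login(lim, "203.0.113.7", "admin", guess, demo_check))
```

Run stand-alone, the fourth attempt (the right password) is answered with "locked" because the third failure already tripped the lockout. Keying the limiter on source IP alone is the simplest choice and is what the article describes; in practice you also want a per-account counter, since a distributed attacker can spread guesses over many addresses.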

Thank you!!

Author: Nisha Yadav is trained in Certified Ethical Hacking and Bug Bounty Hunting. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here

Drupal: Reverseshell

In this post, you will learn how to test Drupal CMS for a critical security loophole which can cause great damage to any website if found on a web server, and how a misconfigured web application can be easily exploited.

Remote Code Execution: Remote code evaluation is a vulnerability that occurs because of unsafe handling of input by the server application. It can be exploited when user input is injected into a file or a string and executed by the programming language’s parser, or when user input is not properly sanitised in a POST request or in query-string parameters accepted during GET requests.

Therefore a remote code evaluation can lead to full compromise of the vulnerable web application and also of the web server.
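To make the definition concrete, here is an added Python example (not from the article, and not Drupal code) of the pattern it describes: a request handler that hands user input straight to the language's evaluator, beside a hardened version that parses the input into a syntax tree and accepts only an allowlist of node types. The function names `vulnerable_calc`, `safe_calc` and `is_rejected` are constructed for the illustration.

```python
import ast
import operator


def vulnerable_calc(expr):
    """Insecure: the request parameter reaches the interpreter's parser and
    is executed with the application's privileges. Shown only to illustrate
    the defect described above."""
    return eval(expr)  # noqa: S307


# Allowlist of arithmetic the hardened version will evaluate. Exponentiation
# is deliberately absent (huge results are an easy denial of service).
ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
ALLOWED_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_calc(expr, max_len=100):
    """Evaluate a numeric expression without ever executing user-supplied code.

    The input is parsed with ast.parse (which only builds a tree) and walked
    explicitly; any node outside the allowlist (names, calls, attribute
    access, strings, ...) raises ValueError instead of being executed.
    """
    if len(expr) > max_len:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in ALLOWED_BINOPS:
            return ALLOWED_BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in ALLOWED_UNARY:
            return ALLOWED_UNARY[type(node.op)](ev(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


def is_rejected(expr):
    """True if safe_calc refuses the input (used to exercise the allowlist)."""
    try:
        safe_calc(expr)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return True
    return False


if __name__ == "__main__":
    for sample in ("2*(3+4)", "-5 + 2", "len('x')", "a.b"):
        print(sample, "->", "rejected" if is_rejected(sample) else safe_calc(sample))
```

The difference is where the trust boundary sits: `eval` trusts the grammar of the whole language, while `safe_calc` trusts only the handful of node types it has enumerated, so anything the application did not anticipate fails closed. The same principle applies to the Drupal case below: content that a CMS evaluates as PHP is input reaching the parser, which is why that capability should stay disabled unless it is genuinely needed.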

Let’s Begin!!

So the Drupal site is accessible through a web browser by visiting the following URL:

This opens the default home page; to access the dashboard you must have credentials to log in.

So, to access the user console, I used the following creds.

After accessing the admin console, it was time to exploit the web application by injecting malicious content into it. Directly writing malicious scripts as web content will not give us a reverse shell from the application, but after spending some time we concluded that it requires the PHP module. We therefore move on to installing a new module through Manage > Extend > List > Install new module.

You can download the PHP package for Drupal from the URL below and upload the tar file to install the new module.

https://www.drupal.org/project/php

To install the PHP module, upload the tar file that was downloaded.

When the installation is complete, we need to enable the added module.

Again, move to Manage > Extend > Filters and enable the checkbox for PHP filter.

Now use the Pentest Monkey PHP script, i.e. “reverse shell backdoor.php”, injected as basic content. Don’t forget to set the “listening IP & port” to get a reverse connection. Then change the “text format” to PHP and enable the publishing checkbox. Keep the netcat listener on in order to receive the incoming shell.

When everything is set accordingly, click the Preview button and you’ll get the reverse connection over netcat.

Hence, we got a reverse connection from the host machine.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Joomla: Reverse Shell

Joomla is one of the popular Content Management Systems (CMS) which help you build your website. Joomla has gained its popularity by being user-friendly, as its installation is hassle-free, and it is also pretty reliable. In this article, we learn how to get a reverse shell from Joomla.

As you can see in the image below, the website is built on Joomla. Now that we have our Joomla environment, we start exploiting it.

The attack that we are going to show is categorised as post-exploitation, which means one must already have Joomla login credentials. The URL of the Joomla login page contains ‘joomla/administrator’; here, enter the username and password as shown in the image below:

Once you are logged in, go to Extensions. A drop-down menu will appear; from this menu select Templates, just as shown in the image below:

Doing the above will show you the list of templates present on the website, and we will exploit one of them, i.e. Beez3 Details and Files.

Once you are in the template, go to index.php as shown in the image below:

This way you will be able to edit index.php in the template, as you can see in the image below:

Now, swap the code of index.php with the reverse shell code found in Kali Linux, and add your IP and port in the code just as shown in the image below:

Now, start netcat to get a session with the following command:

Another way to get a reverse shell is with msfvenom; for this, type the following command:

The above command will give you the malicious PHP code. Swap this code in just like before and at the same time start multi/handler as shown in the image below:

These were the two ways to get a reverse shell in Joomla.
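Both the Drupal walkthrough (uploading a module) and the Joomla one (editing a template's index.php through the administrator panel) end with new or changed PHP files under the web root, which is exactly what a file-integrity baseline catches. The following is an added example, not code from Drupal, Joomla or the article: it hashes every script file under a directory, stores the baseline, and reports files that were modified, added or removed since. The `demo()` function builds a constructed Joomla-style `templates/beez3` tree in a temporary directory, takes a baseline, then simulates an `index.php` edit and a dropped file; the directory layout and file contents are invented for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = (".php", ".phtml", ".inc")


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=SCRIPT_SUFFIXES):
    """Map relative POSIX path -> sha256 for every script file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            baseline[p.relative_to(root).as_posix()] = file_sha256(p)
    return baseline


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_baseline(root, baseline, suffixes=SCRIPT_SUFFIXES):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} relative to baseline."""
    current = build_baseline(root, suffixes)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a template directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp) / "templates" / "beez3"
        tpl.mkdir(parents=True)
        (tpl / "index.php").write_text("<?php echo 'original template'; ?>\n")
        (tpl / "template.css").write_text("body {}\n")  # not a script: ignored

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(tmp), baseline_file)

        # Simulate what the admin-panel edit and a module upload leave behind.
        (tpl / "index.php").write_text("<?php echo 'edited template'; ?>\n")
        (tpl / "extra.php").write_text("<?php ?>\n")

        return compare_baseline(tmp, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For this to be useful the baseline has to live somewhere the web application's own account cannot rewrite it, and the comparison has to run from a scheduled job or after each deployment; a legitimate update changes many files at once, an unexpected single-file change to a template or a new file in a modules directory is the signal to investigate.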

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

Web Application Lab Setup on Windows

Hello friends! Today we are going to show you how you can set up a vulnerable web application server on a Windows system using XAMPP. Here we will be configuring the most popular vulnerable web applications (DVWA, bWAPP, SQLi labs, Mutillidae). So, let’s do that.

Table of Content

Requirement

  • Web application
  • Xampp Server Installation in Windows
  • DVWA
  • bWAPP
  • Sqli
  • Mutillidae

Requirement: Xampp server (Windows x64)

Web Application

A web application is a computer program that uses web browsers and web technology to perform tasks over the Internet. Web apps can be built for broad use by anyone, from an enterprise to an individual, for a variety of reasons. Webmail is a frequently used example of a web application.

Xampp Server Installation

XAMPP stands for Apache + MariaDB + PHP + Perl (the X for cross-platform).

XAMPP is a free and open-source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages. Since most actual web server deployments use the same components as XAMPP, it makes transitioning from a local test server to a live server possible. (read more from Wikipedia)

Download from here

Once the installation is done, we need to start the MySQL and Apache services in the Xampp server control panel.

DVWA

DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application that is deliberately vulnerable. Its main objectives are to help security professionals test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to help teachers and students teach and learn web application security in a classroom setting.

Download from here

Once DVWA is installed completely, navigate to C:/Xampp/htdocs/dvwa/config.inc.php.dist to change the username and password for the database.

Open the configuration file to set the username and password.

Here, you can notice that the default username is root and the password is password, which we will modify.

Now you can see that we have set a blank password for the user root. Save these settings and quit.

After making the above changes, rename the file to “config.inc.php” and save it.

Now we need to open the DVWA application on localhost to create the database.

Click on Create Database and the database is created.

Now click on Login and you are done with the setup.

To log in, we will use the default DVWA credentials: username admin and password password.


Bwapp

Now let’s set up a new lab, bWAPP.

bWAPP, or the buggy web application, is a free and open-source, deliberately insecure web application. It helps security enthusiasts, developers and students discover web vulnerabilities and learn how to prevent them. bWAPP prepares you for successful penetration testing and ethical hacking projects.

Download it from here.

Now navigate to the “C:/Xampp/htdocs/bwapp/admin” folder to change the default username and password for the database.

Now you can see that the default username is root and the password is bug, which we will modify.


Here the username is root and we have set a blank password. Now save the settings and quit.

Now let’s open “bwapp/install.php” on localhost and click on “here” to complete the installation.

Now the installation is complete.

When you log in as bee:bug, you will get the portal for testing your penetration testing skills.

Here you can click on Bugs and all the bugs present in the bWAPP web application will be displayed to you.

SQLI

SQLi Labs: a platform that provides a robust testing environment for those learning and practising SQL injection. Let’s start. First, we will download the SQLi labs from GitHub.

Now we will navigate to C:/htdocs/sqlilabs/sqli-connections to edit setup-db.php.


Here we will set a blank password, save the changes and quit.

Now browse to this web application through the URL localhost/sqli and click on Setup/reset Databases for labs.

Now the SQLi lab is ready to use. A page will open in your browser, which indicates that we can access the different kinds of SQLi challenges.

Now you can see that we have opened Lesson 1. So, we have successfully set up the SQLi labs for practice.

Mutillidae

OWASP Mutillidae is a free, open-source, deliberately vulnerable web application that provides a target for practising web security. It offers a full test environment and is easy to use; it is designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment targets.

First, we will navigate to “C:/Xampp/htdocs/mutillidae/includes” to edit “database-config.php” as shown below.

Here we can see that the password is set to mutillidae, which we will replace with a blank.

You can see that we have set a blank password. Now save the settings and quit.

Now you will see the page where you need to click on the Opt Out tab.


Now open this in your local browser via the URL localhost/mutillidae, where we will find the option Reset Database. Just click on it to reset the database. So, in this way, we can set up our vulnerable web application lab for penetration testing.

You will be redirected to a page which asks you to click OK to proceed. Click OK and you are done with configuring the Mutillidae lab.

We have successfully set up all the web applications on the Xampp server in Windows.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer on Information Security at Hacking Articles. Contact here