Posted on 2 Comments

Beginners guide to WPScan

Hello aspiring ethical hackers. In this blogpost, you will learn about WPScan, a tool used to perform WordPress vulnerability assessment. WordPress is one of most popular Content Management system (CMS) WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. Let’s se how it works. It is installed by default in Kali Linux and we are going to use the same for this tutorial. Now open a terminal and update our tool by typing command as shown below.

wpscan

To scan a WordPress website, all you have to give is the URL as shown below. For this blogpost, I am using a local installation of WordPress as target.  Assign the target as shown below. The scan will start as shown below.

Here are the screenshots of result of this scan. As you can see we have  13 vulnerabilities in the present installation and the vulnerabilities are given below.

One of the easiest ways to hack a WordPress site is to exploit the plugins installed in the target as most of the WordPress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our WordPress target. We can enumerate the plugins using the “enumerate” option as shown below.

The scan result will be as shown below.( And there you have the first Easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable.

wpscan

The second plugin is the vulnerable version of Akismet.

The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next blogpost.

Another important aspect to find vulnerabilities in the WordPress is its theme.  Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.

After that let’s enumerate the users in our remote target as shown below.

We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.

Posted on 2 Comments

Beginners guide to OpenVAS

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about vulnerability scanning. In this blogpost, you will learn about OpenVAS. OpenVAS or Greenbone Open Vulnerability Assessment Scanner is a fully featured vulnerability scanner. Its features include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test. This article is a beginners guide to this tool.

It is an open source software and can be installed on Linux systems. Let’s start with installing OPENVAS on Kali Linux. Before you start the installation, update the Kali Linux system using the command shown below.

OpenVAS scanner is a part of Greenbone Vulnerability Manager (GVM) software. So, we have to install this software using command shown below.

sudo apt install gvm -y

After successfully installing it, we need to set gvm. This can be done using a simple command.

sudo gvm-setup

This simple command will take care of everything needed to setup this tool.

At the end of the setup, a password is created for the admin user of OpenVAS. It’s very important to make a note of this password. Otherwise you will not be able to login into the web interface of OpenVAS. The setup of OpenVAS is finished. It’s good to check if everything is installed correctly. Use the command below for that.

sudo gvm-check-setup

If you get a message as highlighted in the above image, it means the installation is successful without any errors. Everything’s done. Now let’s start the OpneVAS service. This can be done using command below.

sudo gvm-start

This will start OpenVAS and present you with URL of the web interface. By default, OpenVAS runs on port 9392. Click on the URL to go to its web interface. When the browser starts, you will most probably be greeted with a potential security risk. Click on “Advanced”.

As an ethical hacker, you will have to take lot of risks. This is one of the HARMLESS risks you will be taking. Click on “Accept the Risk and Continue” button.

You will be taken to the login screen of OpenVAS.

Login with the credentials. The username is “admin” and password is the password I told you to take not at the beginning of this blogpost.

You will be taken to the dashboard of OpenVAS. I don’t know about you but the first thing I want to do is change my password. To do this, go to the Admin menu and click on “My settings”.

This will take you to the “settings” page as shown below. You can see some general settings of OpenVAS.

Click on Edit tab highlighted in the above image. Next, change your password and click on “Save”.

Next to change is how you want to access the web interface of OpenVAS. By default, you can only access it from he local machine. i.e the machine on which its is installed. If you want to access the web interface from any machine on the network, it can be changed too. This configuration is stored in the “gsad.service” text file. Open it with your favorite text editor (In my case it is nano).

The line you want to change is the one that starts with ExecStart as shown below.

On that line, you can see the IP address and port on which the web interface of OpenVAS is running. By default, the IP is 127.0.0.1. Change it to 0.0.0.0. don’t forget to save the changes.

Restart the OpenVAS daemon and the gsad service.

If there ever arise a need to check logs of OpenVAS, this tool’s logs are given below.

You can stop the OpenVAS service using the command shown below.

sudo gvm-stop

Posted on

JoomScan: Joomla vulnerability scanner

Hello, aspiring ethical hackers. In this blogpost, you will learn about JoomScan, a vulnerability scanner designed for Joomla. Joomla is one of the most popular  CMS which is widely used for its flexibility, user-friendliness and extensibility. Popularity has its own cost in cyber world. It would be pretty helpful if the pen testers know the vulnerabilities in their Joomla CMS before any hacker takes advantage of them.

JoomScan is one such tool which will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.

The features of JoomScan include,

  • 1. Exact version probing
  • 2. Common Joomla! based web application firewall detection
  • 3. Searching known vulnerabilities of Joomla! and its components
  • 4. Reporting to Text & HTML output
  • 5. Immediate update capability via scanner or svn.

    JoomScan is open source and is installed by default in almost all pen testing distros. We will be using Kali Linux for this tutorial. Now let’s see how to use this tool. Open a terminal and type command “joomscan update” first. We will update the tool first.

    joomscan

    Once the tool is updated as shown above, type command “joomscan” to see the options as shown below.

    Next, give the target joomla website as shown below. In this howto, I’m using my own Joomla website.

    The result would seem like below. Below we see that our target doesn’t have any firewall, it’s server is apache and it is powered by PHP version 5.3.10. Unfortunately it didn’t detect the version. Hmm, no probs.

    Next it will scan for vulnerabilities and check whether if this site is vulnerable for a particular vulnerability as shown below.

    At the end, it will show us the number of vulnerabilities present in our target.

    We can see that our target has 2 vulnerabilities as shown in the above image. We will see how to exploit those vulnerabilities in our future howtos. But for now we have successfully performed a vulnerability assessment of our target. Learn about WPscan, a tool used for WordPress vulnerability scanning.

    Posted on

    Beginners guide to Veil framework

    Hello, aspiring ethical hackers. In our previous blogpost, you learnt about some Antivirus bypass techniques used by hackers to keep their payloads undetected. In this blogpost, you will learn about Veil Framework, a tool to generate Metasploit payloads that can bypass common anti-virus solutions.

    Veil framework is officially supported by Debian 8 and Kali Linux rolling 2018+. It may also be run on Arch Linux, Manjaro Linux, Black Arch Linux, Deepin 15+, Elementary, Fedora 22+, Linux Mint, Parrot Security, Ubuntu 15.10+ and Void Linux.

    For this tutorial, we will be using Kali Linux. Veil framework can be installed either directly or can be downloaded from Github. Veil can be installed on Kali using apt as shown below.

    This simple command will install all the dependencies and software Veil requires like Wine etc.

    After successful installation, Veil can be started using the command shown below.

    As you can see, Veil has two tools installed: Evasion and Ordnance. Let’s focus on the evasion part for this article. We can use the command shown below to the evasion tool.

    As you can see, Veil is saying that 41 payloads have been loaded and it is displaying the commands available in Veil Evasion menu. To see all the payloads veil can create, use command “list” as shown below.

    You can select the payload you want to create as shown below. For example, here I want to create powershell/meterpreter/rev_tcp.py payload. So, I use its number as shown below.

    Along with payload information, the options required for this payload are also displayed along with the available commands.

    The required options can be set just like Metasploit. For example, set lhost using command

    Set lhost <attacker ip>
    

    After all the options are set, we can create the payload using  “generate” command.

    You will be prompted to give a name to your output payload. Click Enter to continue. The payload is successfully created as shown below.

    Posted on 2 Comments

    Complete guide to sqlmap

    Hello, aspiring ethical hackers. In our previous blogpost, you learnt what SQL injection is, different types of sql injection attacks etc. In this blogpost, how to perform SQL injection with  a tool named sqlmap. Sqlmap  is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. For this tutorial I am using Vulnerawa as target.

    sqlmap is pre-installed in Kali Linux. Open sqlmap from the path as shown below.

    Now copy the vulnerable url and type the following command the terminal. Here -u stands for url.

    The result will be as shown below. It will reveal the website technology and the scripting language used.

    SQL injection with sqlmap

    1. Grab the banner of the target:

    Now let’s grab the banner of the website. Type the following command and hit “Enter”.

    You can see the banner as shown below.

    2. Find the current user of the website:

    To see the current user of the website, type the following command.

    The current user  can be seen as below.

    3. List the current database:

    Now let us see the current database used by the website. Type the following command.

    We can see that the current database is “Vulneraw”.

    4. List all the tables in a specific database:

    Now let us see all the tables present in the database “Vulneraw” by using following command.

    We see that we have only one table in the current database. The table is “users”.

    5. List the number of columns in a specific table:

    Now lets see the number of columns in the table “users”. Type the following command.

    We see there are four columns in table “users”.

    6. Dump the values of specific columns in a table:

    Now let’s dump the values of two columns username and password by typing the following command.

    The result is as below. we got the username and passwords.

    7. Dump all values of a table:

    If we want to dump all the entries of the table, type the following command.

    Here are the entries.

    8. Grab a shell on the target:

    Now let’s see if we are lucky enough to get the shell of the target. Shell is the target machine’s command line or terminal. Type the following command.

    It will prompt us to enter the application language being used by the website. We already know it is PHP. Enter its value. Next it will prompt you to enter the writable directory. You cam choose your option wisely. I chose the default root directory for Wamp server. Hit on “Enter”.

    I successfully got the os-shell. Now let’s try some commands. Type “dir” to see the contents  of the root directory. It works as shown below.

    Let’s see how many users are there on the system. Type the command “net user” . We can see the users listed as below. Happy hacking practice.

    To find sites vulnerable to this sql injection use google dork “site:.com inurl:id=1” or similar dorks. That’s all in this tutorial.