Posted on

WiFi hacking: complete guide for beginners

Hello aspiring ethical hackers. In this blogpost, we bring you the complete guide to WiFi hacking. WiFi hacking or wireless hacking is compromising of the wireless networks. Before going deep into hacking wireless networks, let us give you a brief history of Wi–Fi.

History of Wi-Fi

Wi-Fi is the name given to a family of wireless network protocols, based on the IEEE 802.11 family of standards. These are commonly used for local area networking of devices and also for Internet access. Simply put, this allows nearby digital devices to exchange data using radio waves. No need to mention what these devices are.

The beginning of Wi – Fi happened in the form of ALOHAnet which successfully connected the Great Hawaiian Islands with a UHF wireless packet network in 1971. ALOHA net and the ALOHA protocol in fact were precursors of Ethernet and 802.11 protocols.

After another 14 years, in 1985 a ruling by the U.S. Federal Communications Commission released the band for unlicensed use. These frequency bands are the 2.4 gigahertz (120 mm) UHF and 5 gigahertz (60 mm) SHF radio bands. These frequency bands are the same ones used by equipment such as microwave ovens, wireless devices etc.

The first version of the 802.11 protocol was released in year 1997 and provided speed up to 2 Mbit/s. The 802.1a came as an improvement over the original standard. It operates in 5 GHz band, uses a 52-subcarrier orthogonal frequency-division multiplexing (OFDM) and has speed of mid 20 Mbit/s. This was replaced with 802.11b protocol in 1999 and this had 11 Mbit/s speed. It is this protocol that would eventually make Wi -Fi popular.

In the same year, a non-profit association named Wi-Fi Alliance was formed which restricted the use of the term Wi-Fi Certified to products that successfully complete interoperability certification testing. By 2017, the Wi-Fi Alliance had more than 800 companies from around the world and shipped over 3.05 billion Wi-Fi enabled devices by year 2019.
The first devices to use Wi-Fi connectivity were made by Apple which adopted this option in their laptops. 802.11g was adopted to the 802.11 specification in year 2003. It operated in the 2.4 GHz microwave band and provided speed upto 11 Mbit/s. Another standard was adopted in year 2008, named 802.11n which operated in both 2.4 and 5 GHz and had a linkrates 72 to 600 Mbit/s. This standard was also known as WI-Fi 4.

Similarly, 802.11ac, 802.11ax and standards were also adopted later which further improved speed and performance of Wi -Fi. Now, let us learn about some terms that frequently occur regarding wireless.

Basic terminology Of Wi-Fi hacking

Wireless Access Point (WAP): A Wireless Access Point (WAP), commonly known as Access Point (AP) is a networking hardware device that allows other Wi-Fi devices to connect to it. This Access Point allows wireless devices to connect to wired devices and generally provides internet. Mostly the Access Point is a Wi -Fi Router.

Wireless Client: A Wireless Device that connects to the Wireless Access Point to access internet is known as a Wireless Client. Ex : all the devices that connect to a Wi- Fi Router.

Wireless Local Area Network (WLAN) : The Computer Network comprising of the Wireless Access Point and two or more Wireless Clients is known as Wireless Local Area Network. This is a LAN but without wires.

Service Set Identifier (SSID) : A Service Set Identifier (SSID) is the name of the Wireless network. Normally, it is broadcast in the clear by Wireless Access Points in beacon packets to announce the presence of a Wi -Fi network. The SSIDs can be up to 32 octets (32 bytes) long. For example, SSID in our first wireless hacking article is “Hack_Me_If_You_Can”.

Extended Service Set Identifier (ESSID): An Extended Service Set Identifier (ESSID) is a wireless network created by multiple access points. This is useful in providing wireless coverage in a large building or area in which a single Access Point (AP) is not enough. However, this appears as a single seamless network to users. The name is same as SSID.

Basic Service Set Identifier (BSSSID): Previously our readers learnt that every hardware device in computing is hardcoded with a MAC Address. A BSSID is the MAC address of the Access Point.

Channels: Readers have learnt that Wi- Fi operates in the frequency range of 2.5GHz and 5GHz. These frequency bands are divided into smaller frequency bands which are known as channels. Usually, these channels are of width 20MHz. The 2.5 GHz range is divided into 14 channels each spaced 5Mhz apart to avoid interference and disturbance. Similarly, The 5GHz band is divided into 24 channels.

In our First wireless hacking attack, the channel of our Access Point is 1.

Beacons: Beacons are one of the management frames in IEEE 802.11 based WLANs. A Beacon Frame contains all the information about the network and is transmitted periodically to announce the presence of a wireless LAN and to synchronize the members of the WLAN.

Signal Strength : Wi-Fi signal strength refers to the strength of the Wi-Fi network connection. The correct way to express Wi-Fi signal strength is mW but it is also very complex. So for simplicity, the signal strength is expressed in as dBm, which stands for decibels relative to a milliwatt.

dBm works in negatives. For example, change the values here. -34 is a higher signal than -64 or -94 because -80 is a much lower number.

Data: Data needs no explanation.

Encryption: Encryption refers to the Wi fi Encryption protocol used for security. There are three types of wireless encryption protocols at present. Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access Version 2 (WPA2). More about them soon.

Authentication: The authentication method used by wireless clients to authenticate with wireless access point. More about it soon too.

Cipher : Ciphers are standard security. ciphers are part of Wi-FI security to enhance the security of wireless networks. Example WPA can use either CCMP or TKIP ciphers.

Various Wireless threats

1. Wardriving

Wardriving is searching for publicly accessible Wi-Fi networks. Publicly accessible networks or open Wi-Fi networks are those wireless networks that are configured without any passwords. Since this attack is usually performed while driving, it is known as war driving. The term War driving originated from the term wardialing, the method which was popularized by a character played by Matthew Broderick in the film WarGames. There are other variants of Wardriving like Warbiking, Warcycling and Warwalking which are similar to wardriving but use other modes of transportation.

2. Password attacks

Just now, you have read that, Wi-Fi networks can be configured without a password. This is dangerous in real-world. So, in real world, Wi-Fi networks are usually secured using a password. Only those users who are authorized to use the Wi-Fi are provided with a password using which they can connect. Here are the types of Wireless security protocols that can be used to secure the WiFi network.

  1. Wired Equivalent Privacy (WEP)
  2. Wi-Fi Protected Access (WPA)
  3. Wi-Fi Protected Access 2 (WPA2)
  4. Wi-Fi Protected Access 3 (WPA3)

Let’s learn about each of these security protocols and how they are cracked in detail.

Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) is the first security algorithm for IEEE 802.11 wireless networks that was introduced as part of the original 802.11 standard ratified in 1997. As its name implies, the intention was to provide data confidentiality equivalent to that of a traditional wired network. WEP was the only encryption protocol available to 802.11a and 802.11b devices as these were built before the WPA standard was released. WEP was ratified as a Wi-Fi security standard in 1999. The first versions of WEP used only 64-bit encryption as U.S.A restricted export of cryptographic technology.

WEP uses the Rivest Cipher 4 (RC4) for confidentiality and the Cyclic Redundancy Check (CRC) 32 checksum for integrity. RC4 is a stream cipher known for simplicity and speed. Standard 64-bit WEP uses a 40 bit key which is concatenated with a 24-bit initialization vector (IV, remember something) to form the RC4 key. A 64-bit WEP key usually has a string of 10 hexadecimal (base 16) characters (0–9 and A–F). See Image below.

Each character in the key represents 4 bits. 10 digits of these 4 bits each give 40 bits. When we add 24-bit Initialization Vector to this 40 bits, complete 64-bit WEP key is produced. Some devices also allow the user to enter the key as 5 ASCII characters (0–9, a–z, A–Z), each of which is turned into 8 bits using the character’s byte value in ASCII. However, this restricts each byte to be a printable ASCII character, which is only a small fraction of possible byte values, greatly reducing the possible keys. After USA lifted restrictions on export of cryptographic technology, 128bit WEP key came into existence.

Each digit is of 4 bits. 26 digits of these 4 bits each give 104 bits. When we add a 24-bit IV to this 104 bits produced the complete 128-bit WEP key. Most devices allowed the user to enter 13 ASCII characters as WEP key.

understanding wireless security

Although some vendors made 152-bit and 256-bit WEP systems also available, 128 bit WEP was widely used.

Authentication System of WEP:

WEP uses two methods of authentication. They are,

1. Open System Authentication:

In Open System authentication, the WLAN client that wants to connect to a Access Point doesn’t need any credentials during authentication. Simply put, no authentication occurs. Subsequently, WEP keys are used for encrypting data frames. At this point, the client needs to have correct WEP key.

2. Shared Key Authentication:

In Shared key authentication, authentication takes place in a four-step challenge-response handshake :

Step 1: The client sends an authentication request to the Access Point.
Step 2: The Access Point replies with a clear-text challenge.
Step 3: The client encrypts the challenge-text using the configured WEP key and sends it back in another authentication request.
Step 4: The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.

After the authentication and association is successful, the pre-shared WEP key is also used for encrypting the data frames using RC4. Although Shared Key Authentication appears secure than Open System Authentication, it is actually vice versa.

How to crack WEP passwords:

WEP uses RC4 which is a stream cipher. Hence the same traffic key cannot be used twice. It is due to this purpose that WEP uses Initialization Vectors (IVs). But the problem is WEP uses 24 bit IVs for both 64 bit and 128 bit key. This 24bit IV is not long enough to ensure non-repetition on a busy network. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5,000 packets. So WEP key in a busy network can be easily cracked since it has lot of traffic.

Attackers can even create fake connections ( to generate more traffic and then crack the WEP key. As we have seen in this article, the more IVs we captured the faster it is to crack WEP and it usually takes only minutes to crack the WEP key with besside-ng tool. That’s all in our Part 1 of Understanding wireless security. In Part 2 of this article, readers will learn about WPA / WPA2.

Wi-Fi Protected Access (WPA)

Also known as Temporal Key Integrity Protocol (TKIP) standard, WPA implements the TKIP encryption method and was introduced in 2003. TKIP introduced three new methods to overcome weaknesses in Wired Equivalent Privacy (WEP) standard.

1. TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 cipher initialization. WEP on the other hand merely concatenated the initialization vectors to the root key and passed this value to the RC4 cipher.
2. A sequence counter is implemented to protect against replay attacks. Hence, packets received out of order will be rejected by the Access point.
3.TKIP implements a 64-bit Message Integrity Check (MIC) replacing Cyclic Redundancy Check (CRC) used in WEP. This re-initializes the sequence number each time when a new key (Temporal Key) is used.

Wi-Fi Protected Access 2 (WPA2)

WPA 2 was introduced in 2004 to replace WPA. It implemented the mandatory elements of IEEE 802.11i. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher instead of RC4 stream cipher used by both WEP and WPA. It also uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption protocol. It provides the following security services.

1. Data Confidentiality: It ensures only authorized parties can access the information.
2. Authentication: provides proof of genuineness of the user
3. Access control in conjunction with layer management.

WPA – versions:

There are two versions of WPA. They are,

1. WPA – Personal:

Wi-Fi Protected Access (WPA) – Personal is designed for home and small office networks. This version uses Pre- Shared Key (PSK) and hence it is also referred as WPA-PSK (pre-shared key) mode. The network traffic is encrypted using a 128-bit encryption key derived from a 256-bit shared key. WPA-Personal mode is available on all three WPA versions.

2. WPA – Enterprise:

As its name implies, this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup but provides additional security like protection against dictionary attacks on short passwords. Various kinds of the Extensible Authentication Protocol (EAP) are used for authentication. WPA-Enterprise mode is available on all three WPA versions.

How to crack WPA/WPA2 passwords:

1. Pre-shared key WPA and WPA2 remain vulnerable to password cracking attacks if users rely on a weak password or passphrase.
2. WPA passphrase hashes are seeded from the SSID name and its length; rainbow tables exist for the top 1,000 network SSIDs and a multitude of common passwords, requiring only a quick lookup to speed up cracking WPA-PSK

Brute forcing of simple passwords can be attempted using the Aircrack Suite starting from the four-way authentication handshake exchanged during association or periodic re-authentication. In this article, readers have seen how WPA password was cracked. One important feature of cracking WPA /WPA2 is that we don’t need a lot of traffic to crack it. We just need one client connected to the Wi-Fi Access point. Then we de authenticate it from the Wi-Fi Access point. The client automatically tries to connect to the Wi-Fi access point again.

It is at this stage, we try to capture the WPA handshake. If you have noticed, while using aircrack, to crack the password, we supplied a dictionary or wordlist. While cracking WEP we didn’t.

So what is a weak password? Any password that is part of a dictionary or wordlist can be called a weak password in WPA. Otherwise, WPA /WPA2 is considered secure. WPA3 replaces cryptographic protocols susceptible to off-line analysis with protocols that require interaction with the infrastructure for each guessed password, supposedly placing temporal limits on the number of guesses. However, design flaws in WPA3 enable attackers to plausibly launch brute-force attacks.

Wi-Fi Protected Access 3 (WPA3)

The Wi-Fi Alliance announced WPA3 as a replacement to WPA2 in 2018. The new standard uses an equivalent 192-bit cryptographic strength in WPA3-Enterprise mode (AES-256 in GCM mode with SHA-384 as HMAC) and still mandates the use of CCMP-128 (AES-128 in CCM mode) as the minimum encryption algorithm in WPA3-Personal mode.
The WPA3 standard also replaces the pre-shared key (PSK) exchange with Simultaneous authentication of Equals (SAE) exchange, a method originally introduced with IEEE 802.11s. This results in a more secure initial key exchange in personal mode and forward secrecy.

Wi-Fi Protected Setup (WPS)

In year 2007, the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS). The main feature of this protocol is to allow home users who have little knowledge about wireless security to set up Wi-Fi Protected Access (For some users, accessing the router dashboard and setting passwords can be too complex). It also makes it easy to add new devices to an existing Wireless network without entering long passphrases. WPS also allows the owner of Wi-Fi privileges to block other users from using their household Wi-Fi. There are two common methods to use WPS.

1. PIN method:

Every Wireless Router with WPS enabled has a PIN on the Wi-Fi Router (which is usually printed on a sticker). This PIN must then be entered into any new device that wants to connect to this Wireless network. No need of memorizing any password.

2. Push Button method:

In this method, the user has to PUSH a WPS button on both the Access point and the new wireless client device. On most devices, this discovery mode turns itself off as soon as a connection is established or after a delay (typically 2 minutes or less), whichever comes first, thereby minimizing its vulnerability.

How to crack WPS pin:

Although WPS was introduced to simplify Wi-Fi Connection issues, it suffers from a major vulnerability. Any remote attacker can recover the WPS pin in a few hours by using brute force attack. Once he does this, he can easily recover WPA/WPA2 key also. Nowadays, all recent models of Wireless Routers have WPS enabled by default. It is wise to turn off WPS PIN feature although this is not possible on many routers.
WPS is widely understood to have added insecurity to otherwise secure WPA/WPA2. WPS pin is a 8 digit PIN that is required by clients to connect to the Wireless Router. The Wireless Router instead of checking the entire 8 digit PIN at once, checks the first four digits initially and then checks the last four digits. This makes brute forcing WPS PINs very easy.
This is because there are only 11,000 possible 4 digit pins and once the brute force software gets the first 4 digit pin right, the attacker can move on to cracking the latter 4 digit pin.
Tools Bully and Reaver are first to come to mind when we want to crack WPS pin. However, in our latest tests, both the tools are presenting some problems. You can read our previous articles on Bully and Wifite.

That was a complete guide to understanding wireless security. Hope our readers now have a better understanding of Wireless security. You can read Part 1 of Understanding Wireless security here. Happy hacking.

3. Rogue Access Point attack

A Rogue Access Point is a wireless access point in a secure network but runs without the authorization from the network administrator. If this Rogue Access Point runs with weak security, it can compromise the security of the entire network.

4. Evil Twin attack

As the name implies, an evil twin is an access point set with the same name as that of a legitimate Wi-Fi access point.For example, let’s say there is a Wi-Fi access point with name “shunya” that is configured with WPA2 password. Hackers setup another access point with the same name but without a password (open network). Users while trying to connect to the legitimate access point, get connected to this Evil Twin. Evil Twin can be considered as wireless equivalent of the phishing. This is usually done to capture credentials.

5. WiFi DoS attack

In a Wi-Fi DoS attack, the wireless access point is flooded with so many packets that it becomes unavailable to genuine users.

6. WiFi Packet capture attack

This attack occurs after the hacker gains access to the Wi-Fi network. After gaining access, hackers try to sniff on the traffic of the entire network. Learn more about Packet sniffing.

Posted on

How Windows authentication works?

Hello, aspiring ethical hackers. In this article, you will learn how Windows authentication works? Our readers have seen multiple instances where we have dumped Windows password hashes as part of our hacking tutorials. This should have brought some pertinent questions in the minds of the readers.
As to know how hashdump command of meterpreter, Mimikatz and cachedump module of Metasploit dump credential hashes, where are these hashes stored and why are they in the form of hashes, readers need to get a deep understanding of how Windows authentication works.

Windows Logon Process starts as soon as you go to the Login Screen of a Windows system. The Logon Process is different in different network scenarios for Windows. There are two network types into which a Windows system can be configured. They are,

  1. WorkGroup
  2. Domain

Windows systems in Workgroup network use Local Authentication whereas Windows systems connected in Domain network use Remote Authentication.

How Local Authentication works in Windows?

Let’s first see how Local Authentication takes place. In local authentication, the password hash is stored on the same computer on which users are trying to log on.
In Windows, the passwords are stored in the form of a hash in a file known as Security Accounts Manager (SAM) file. The SAM file is located in %SystemRoot%/system32/config/SAM location and it can neither be deleted nor copied while Windows is running.
This is because the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file which it will release only after the operating system has shut down or a “Blue Screen of Death” exception has been thrown. It is mounted on HKLM/SAM and SYSTEM privileges are required to view it. Readers have already learnt that passwords are stored in SAM file in encrypted form. These passwords are stored in two hash formats in SAM file.

1. Lan Manager Hash (LM Hash)

2. New Technology Lan Manager Hash (NTLM Hash)

LAN Manager Hash

Lan Manager Hashing was used by Windows operating systems prior to Windows NT 3.1. In LM hashing, the password hash is computed as follows,

a. The user’s password is restricted to a maximum of fourteen characters.
b. The password of the user is converted to Uppercase.
c. Then user’s password is encoded in the System OEM code page.
d. This password is NULL-padded to 14 bytes.
e. This 14 bytes “fixed-length” password is then split into two 7-byte halves.
f. Both of these 7-byte halves are used to create two DES keys, one from each 7-byte half. This is done by converting the seven bytes into a bit stream with the most significant bit first and then inserting a parity bit after every seven bits (so 1010100 becomes 10101000). This is done to generate the 64 bits needed for a DES key.
g. Each of this two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%” resulting in two 8-byte ciphertext values.
h. These two ciphertext values are then concatenated to form a 16-byte value, which is the final LM hash.

how windows authentication works

Security of LAN Manager Hash

LM Hash has several weaknesses. The major weaknesses are :

1. The maximum length of Password while using LM authentication can only be 14 characters.
2. All passwords in LM hash are converted into UPPERCASE before generating the hash value. This means LM hash treats ABcd1234, ABCD1234 and abCD1234 and AbCd1234 as same as ABCD1234. This reduces the LM hash key space to just 69 characters.
3. As already explained above, 14 character password is broken into two halves of 7 characters e- ach and then the LM hash is calculated for each half separately. This makes it easier to crack a LM hash, as the attacker only needs to brute-force 7 characters twice instead of the full 14 charact- ers.
4. As of 2020, a computer equipped with a high-end graphics processor (GPUs) can compute 40 billion LM-hashes per second. At that rate, all 7-character passwords from the 95-character set can be tested and broken in half an hour; all 7-character alphanumeric passwords can be tested and broken in 2 seconds.
5. If the password created is 7 characters or less than that, then the second half of hash will alway- s produce same constant value which is (0xAAD3B435B51404EE). Therefore, if a password is les- s than or equal to 7 characters long, it can easily be identified even without using any tools.
6. While using Remote Login over a network, the LM hash value is sent to servers without any salting, thus making it vulnerable to man-in-the-middle attacks.
7. Without salting, it is also vulnerable to Rainbow Table Attack.
To overcome this weaknesses, Microsoft Starting with Windows Vista and Windows Server 2008, Microsoft disabled the LM hash by default.

NT Hash

Also called NTLM, this is the hash many modern Windows systems store the password hashes. Introduced in 1993. The process of calculating NT Hash is,

1. The password is converted into Unicode characters.
2. Then MD4 encryption is run on these converted characters to get the NT hash which is then stored in SAM database or NTDS file (Domain). NTHash is case sensitive but it still doesn’t provide salting.

The Local Logon Process

1. The Windows authentication process starts from the Windows Login screen. LogonUI.exe han- dles the process by displaying correct logon input boxes depending on the authenticator put in place.
2. When users enter the password on the login interface, winlogon.exe collects those credentials and passes them to the lsass.exe (Local Security Authority Subsystem Service). Winlogon.exe is the executable file responsible for managing secure user interactions. The Winlogon service initiat -es the logon process for Windows operating systems by passing the credentials collected by user action to Lsass.
3. LsaLogonUser supports interactive logons, service logons, and network logons. The LsaLogon User API authenticates users by calling an authentication package which is most probably MSV1_ 0 (MSV) authentication package which is included with Windows NT.
4. The MSV authentication package is divided into two parts. In Local authentication, both parts run on the same computer. The first part of the MSV authentication package calls the second part.
5. The first part of the MSV authentication package converts the clear-text password both to a LAN Manager Hash and to a Windows NT hash. The second part then queries the SAM databas- e for the password hashes and makes sure that they are identical.
6. If the hash is identical, access is granted.

How Windows Domain Authentication takes place?

1. The Windows authentication process starts from the Windows Login screen. LogonUI.exe handles the process by displaying correct logon input boxes depending on the authenticator put in place.
2. When users enter the password on the login interface, winlogon.exe collects those credentials and passes them to the lsass.exe (Local Security Authority Subsystem Service). Winlogon.exe is the executable file responsible for managing secure user interactions. The Winlogon service initiates the logon process for Windows operating systems by passing the credentials collected by user action to Lsass.
3. LsaLogonUser supports interactive logons, service logons, and network logons. The LsaLogon User API authenticates users by calling an authentication package which is most probably MSV1_ 0 (MSV) authentication package which is included with Windows NT.
4. The MSV authentication package is divided into two parts. The first part of the MSV authentication package runs on the computer that is being connected to and the second part runs on the computer that contains the user account. When the first part of the MSV authentication package recognizes that network authentication is required because the domain name passed is not its own domain name, it passes the request to the Netlogon service. Netlogon service is a Authentication Mechanism used in the Windows Client Authentication Architecture that is used to verify logon requests. It registers, authenticates and locates Domain Controllers. It’s functions include,

a. Selecting the domain to pass the authentication request to.

b. Selecting the server within the domain.

c. Passing the authentication request through to the selected server.

5. The Netlogon service (client computer) then forwards the login request to the Netlogon service on the destination computer (i.e domain controller).
6. In turn, the Netlogon service passes the request to the second part of the MSV authentication package on that destination computer.
7. First, the second part queries the password hashes from the SAM database or from the Active Directory database. Then, the second part computes the challenge response by using the password hash from the database and the challenge that was passed in. The second part then compares the computed challenge response to passed-in challenge response.
8. If the hash is identical, access is granted.

That was all about how Windows authentication.

Posted on

Joomla enumeration with Metasploit

Hello, aspiring ethical hackers. In this article, you will learn how to perform Joomla enumeration with Metasploit. Although its share is less than WordPress in CMS usage, Joomla is still one of the top 5 used CMS. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Metasploit has some modules which can be used to enumerate a website using Joomla.

Version Detection

The first Metasploit module you will learn about is the version detection module of Joomla. Prior to starting Metasploit, we open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. We collect some.

Next, we start Metasploit and load the joomla_version auxiliary module given below. Type command “show options” to see the required options for this module.

We need to set two options for this module to do its job: RHOSTS (which are target IP addresses) and Targeturi. Set Targeturi as shown below. Coming to “RHOSTS” option, we copy and paste the IP addresses we got in our Shodan search giving space between each IP address as shown below. Here I have given five IP addresses.

Check whether all options are set correctly by typing command “show options“.

All the options are set. Next, it’s time to run our exploit. Type command “run” and you will get the results as shown below.

As readers can see, the versions of Joomla running on the target machines are displayed.

Plugin Enumeration

Once we know the version of Joomla running on the target website, the next important information to find out is about the extensions installed on the target Joomla. Metasploit has a module for that too. Since the Joomla extensions or components are similar to WordPress plugins, this module is called as Joomla Plugin enumeration module. Load the module as shown below.

Just like the earlier module, this module too can be used to scan multiple targets at once. Set the IP addresses of targets as shown below with space between each IP address.

Next, execute the module.

As readers can see, all the plugins installed on the target Joomla site are displayed. But how does this module scan for plugins? The list of plugins this module scans are in file “usr/share/metasploit-framework/data/wordlists/joomla.txt”.

If the plugin you want to scan for is not in this list, you can just add it manually by opening this file with any text editor.

Don’t forget to save changes after making them. I once again execute the module after applying changes and the result is shown below.

Webpage Enumeration

Metasploit also has a module for enumerating webpages on the Joomla target. This module can be useful in viewing pages of a Joomla website that can give further information about the website. Load the module as shown below. Type command “show options” to see the options we need to set.

We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

Execute the exploit. We will get the result as shown below.

As readers can see, this module enumerated the webpages of our target. That is how we can perform Joomla enumeration with Metasploit. Read how to perform WordPress enumeration with Metasploit.

Posted on

Follina : Explained with POC

Hello aspiring Ethical Hackers. In this article, readers will learn about Follina, the latest Zero-Day vulnerability in Microsoft.

Vulnerability & Impact

Follina is the name given to a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). This vulnerability allows a remote attacker to use a Microsoft Office document template to execute code via MSDT and download a malicious payload from a remote URL. It affects Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.

What actually is Follina?

Follina is a municipality that is located 60 kms northwest of Venice in Italy. Completely unrelated, the vulnerability has been named Follina as the malicious file was referencing to an executable that was named 0438. This is the area code of Follina, hence the zero-day has been named so.

What is MSDT?

Follina exploits MSDT but what is MSDT? Microsoft Support Diagnostic Tool (MSDT) is a service used for gathering diagnostic data about the system.

Proof Of Concept

Let’s see how to exploit Follina practically. For this let’s download a exploit from Github. Navigate into the cloned directory and you will files as shown below.

Two files are important in this directory. The “clickme.docx” is the file that uses MSDT to connect to a remote website and execute the exploit. The exploit is present in the “exploit.html” file. If this POC is successful, the exploit will popup calc.exe.

I tested this exploit on MS Office 2019 running on Windows 10. I hosted the exploit using Wamp server running on localhost.

I opened the clickme.doc and waited. Nothing happened. Then I saved it as clickme.rtf file as shown below.

This time when I clicked on clickme.rtf file, this happened,

And the calculator popped up. The Proof Of Concept Is Successful.

follina

Posted on

WordPress enumeration with Metasploit

Hello aspiring Ethical Hackers. In this article, readers will learn how to perform WordPress enumeration using Metasploit. WordPress is one of the most popular CMS available and as of 2021, 39.5% percent of websites are powered by WordPress. Hence gauging the security of WordPress installation is always important.

Metasploit has a few modules that can be used to perform WordPress Enumeration. Let’s see a few of them. The first module we will see is the WordPress Scanner module that scans for installed themes, installed plugins, installed WordPress version and more information about target WordPress.

Let’s see how this Module works. Start Metasploit and load the WordPress scanner module. Then, type command “show options” to see the options we require for this module. We are testing this module on WordPress installed on Ubuntu 20.

After all the options are set and the module is executed,

the module successfully detected the target WordPress version as 6.0. It also detected plugins installed on the target WordPress along with their versions. The module will also try to enumerate users although it failed to detect any users here.

This module can be useful to find if there are any vulnerabilities on the WordPress target. For example, one of the plugins installed on this target wp_pie_register has an exploit module related to it.

Some of the vulnerabilities in WordPress require credentials for successful exploitation. Metasploit also has a WordPress login enumeration module that not only helps in user enumeration but also brute forcing their password.

Load the WordPress user enumeration exploit as shown below. Type command “show options” to see the options this module requires.

Assuming we have no idea about any user credentials on the target machine, the first thing to do is enumerating and validating usernames. So set “bruteforce” option to false as shown below.

Validating usernames is a process where we check if a particular username is present on the target WordPress site. We can validate a single username or many usernames using a wordlist. For example, let’s use the wordlist “common.txt” as users file. We also want to set the STOP_ON_SUCCESS option to TRUE. This will stop the enumeration as soon as we get one valid username.

Let’s execute the module now.

The module found one valid username on the target. It’s “admin”. Since we have found one valid username on the target, lets try to find out the password for this user. For doing this, we need to set the options as shown below.

ENUMERATE_USERNAMES : FALSE

VALIDATE_USERS : FALSE

BRUTEFORCE : TRUE

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

wordpress enumeration

The module found one successful LOGIN using credentials “admin : admin”. See how to perform WordPress Enumeration with WPScan.