Author: kanishka10

Posted on by 1 Comment

WAPT with HPwebinspect : Part 1

WAPT or Web application penetration testing refers to evaluating the security of websites and web applications. Websites evolved from being simple static HTML pages to incorporate complex dynamic features with bells and whistles. These bells and whistles also brought with them lot of vulnerabilities and thus websites became common targets for hackers. So web application penetration testing is considered very important nowadays.

WAPT could be performed manually or through automatic tools. Automated tools provide lot of advantages over manual testing most importantly the speed. HP Webinspect is one such tool.

It is an automated web application security scanning tool from HP. It helps the security professionals to assess the potential vulnerabilities in the web application. It is basically an automated dynamic application security testing (DAST) tool that mimics real-world hacking techniques and attacks, and provides comprehensive dynamic analysis of complex web applications and services.

Today we will see how to perform website vulnerability assessment with HPWebinspect. Open the program and click on basic scan. We will see other scan options in the following parts of this tutorial. As its name implies, this option performs a basic security scan on a website.

As we select the basic scan option, the “scan wizard” opens as shown below. As I am using a trial version of HPWebinspect I am only allowed to scan the website deliberately provided by HP for this purpose. This website simulates a bank ( named zero bank ) and this will be our target from now on.

I allot the given name. Below the scan name option, we have features with radio buttons. Let’s see these options.

crawl:-This process makes a list of all the pages on the entire website and builds its structure.

auditing:-Auditing is the process in which HPwebinspect will attack the website to find out the vulnerabilities.

I have selected the “crawling and auditing” option. HP Webinspect provides four types of scans.

Standard scan:- Normal scan.
List Driven scan:-You can specify the list of urls for the tool to scan. It will only scan those urls.
Workflow Driven scan:- Similar to list driven scan. You can scan a port of your website by specifying a macro.
Manual scan:-You can specify each link you want to scan. step by step.

Next specify the website you want to scan and click on “Next”.

wapt

In the next window, you will be prompted for authentication. If your website or network requires authentication, provide them . Choose if you want network proxy or not and click on “Next“.

The profiler automatically samples the website and recommends best configuration for the scan. You can select the option. We will see more about profiler later. There are some other settings. Leave them to their default settings and click on “Next”.

You will get a congrats message telling about the successful configuration of scan settings. It’s time to start the scan. Click on “scan”.

The scan will start as shown below. It will take some time dependent on the size of the website you are scanning.

After the scan is finished, it will show the results as shown below. This tool classifies vulnerabilities into critical, high, medium, low and info. That was about basic scanning of website with HPWebinspect.

That’s all in WAPT with HPwebinspect. In our next part, we will see analyzing these vulnerabilities.

Posted on by

Install SQL server 2012 express in Windows 10

Good morning friends. Today we will see how to install SQL server express 2012 in Windows 10. Download the relevant SQL server 2012 express from the website of Microsoft. Right click on the downloaded file and run with administrator privileges. The below window should open. Click on the “New SQL server stand-alone installation” option since we are installing a new version of the database server.

Accept the license terms and click on “Next”.

Most probably the server will update to service pack 1. Leave it to update and after successful update, click on “Next”.

Click on “Install”. The installation process will start. As it will download setup files, it will take some time.

It will prompt you to select the features you want to install. If you are not sure what you want, leave the default selection and click on “Next”.

The Instance configuration window opens. Leave the default options and click on “Next”.

Click on “Next”.

Configure the authentication for the SQL server. If you have no idea, once again leave the default options and click on “Next”.

If you want to send any errors to Microsoft, select the option and click on “Next”.

The installation will start as shown below.

The installation progress will end with the below window. Congrats, You have successfully installed SQL server express 2012 in Windows 10.

That’s how we install SQL Server 2012 in Windows.

Posted on by

WordPress user enumeration with Metasploit

Good morning friends. Not all vulnerabilities are unauthenticated, sometimes we require credentials to exploit a vulnerability. But how do we get these credentials. Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.

Start Metasploit and load the wordpress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self explanatory but let us see some of the options.

The “BLANK_PASSWORDS” option if set will check if any of the users are without any password. The “VERBOSE”option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” option will check for single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The USER_FILE and PASS_FILE are used to specify file for usernames and passwords to enumerate respectively. The VALIDATE_USERS option will first validate if user exists on the target even before trying to crack his password. The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file.

When we execute the module, we can see that it will first validate all the usernames.

wordpress user enumeration

What if we know the username? The first question is how will we know the username. Just go through one of our previous howto : WordPress vulnerability assessment with WPSCAN. The tool gave use a hint that username is “root”. Now we will set the username as root, specify a common password dictionary as password file as shown below.

When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.

After some time we can see that we successfully cracked the password for user “root” as “123456”.

HOW TO STAY SAFE:

Never use not only common passwords but also common usernames for your websites. Still most of the people tend to use common usernames like admin, administrator etc. and common passwords.

Posted on by

WordPress version detection with Metasploit

Hello aspiring Ethical Hackers. In this article we will learn about a WordPress Version Detection Module. WordPress is one of the most popular CMS available for websites. Its latest release to time, 4.5 has been downloaded 40,446,377 times till editing of this howto. But being popular in field of hacking has its own disadvantages. This Metasploit Module performs wordpress version detectionlatest version suffers from oEmbed Denial of Service (DoS), Password Change via Stolen Cookie and Redirect Bypass vulnerabilities.

Similarly every version of WordPress has some vulnerability or other. But how do we find out which version of WordPress is the site running. Metasploit has an auxiliary module for WordPress version detection. Let’s see how it works.

Start Metasploit and load the module. Type command “show options” to see the options we required for this module.

Multiple IP addresses can be set as shown below. I am trying five targets.

After assigning IP addresses, type command “run” to execute the exploit. The first target is my own. As you can see, our two of our targets responded with their version. But what about others? Maybe a firewall is blocking our request or maybe our targeturi is wrong. Please try this scan with targeturi set to “/” and also “/wordpress” for better results.

wordpress version detection

By the way, version 4.1 suffers from a arbitrary file upload vulnerability. See how to perform complete WordPress vulnerability scan with WPscan on a WordPress website.

Posted on by 2 Comments

SMB enumeration for beginners

In the previous part of the tutorial, we performed a vulnerability scan on our target Metasploitable and got some high ranking vulnerabilities. Before we take the plunge and exploit those vulnerabilities, let’s do some enumeration first.

Enumeration is the process of collecting information about user names, network resources, other machine names, shares and services running on the network. Although little bit boring, it can be very helpful for the success of the hack in real time. In our previous parts, we have performed scanning and banner grabbing. So we already know what services are running on the target machine. They include FTP, telnet, SMTP and SMB etc. We can perform enumeration on all these services.

SMB stands for Server Message Block. Its mainly used for providing shared access to files, printers and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. It is a predecessor of Common Internet File system (CIFS). To know more about SMB please go here.

SMB enumeration can provide a treasure trove of information about our target. So for today’s tutorial let’s see how to perform SMB enumeration with Kali Linux. I will use three tools inbuilt in Kali Linux : enum4linux, acccheck and SMBMap.

The first tool we will use is enum4linux. As the name suggests, it is a tool used for enumeration of Linux. To see all the options of this tool, just type “enum4linux -h“. Using this tool, first let us see the users of the SMB service. Open terminal and type command “enum4linux -U 192.168.25.129” as shown below.

As we can see above, this system is part of a workgroup. Know the difference between domain and workgroup. We can see below that it has listed all the SMB users present on the target.

Of all the usernames the tool got us, I am assuming only three usernames are useful to us: user,root and msfadmin since others seem more like processes but we will keep our fingers crossed.

Before we check for validity of these credentials, let us perform a full enumeration with enum4linux. In the terminal type command “enum4linux 192.178.25.129” i.e without any options. As you can see below, it lists us Nbtstat information of what services are active on the target.

SMB enumeration

It also provides us with the OS information.

And crucial info about Shares, i.e which user has what rights on the target.

It provides us password policy info, in case we don’t get the credentials and want to crack them.

Groups present on the system.

It will also display users based on RID cycling.

It seems there are no printers connected to the target.

Ok, now we know the users. Let’s try to find out the passwords for the usernames we seem to have got. We will use a tool called acccheck for this purpose. It is a password dictionary attack tool that targets windows authentication via the SMB protocol. We will see more about password cracking later. First I will try it with the user “user”. In Kali Linux, most of the password dictionaries are present in “usr/share/dirb” directory. So I specify a dictionary which consists of most common passwords used.

Here, I am just guessing that the user may be using a common password. After specifying all the options, Hit Enter. The cracking process starts as shown below.

Once the tool gets the correct password, it stops the scan and displays a success message as shown below. Voila … the password of the user “user” is “user” only.

Seeing this result, I get a new idea. There might be a possibility that all the users may be using their username as password. To find out this, I create a new file called user.txt with all the usernames we got with enum4linux and specify the file for both username and password as shown below.

We got succces with three users; user, msfadmin and a blank user with password “games”. Since we successfully got some credentials, it’s time to see the share drives on our target system. For this, we will use another tool called SMBMap.

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

First let us check the rights of each user we got as shown below.

We can see that users user and msfadmin have READ,WRITE permissions on tmp directory only and the Blank user doesn’t have much. Next let us try to list all the drives on the target system with user “msfadmin”. We can see we don’t have enough privileges to execute a command.

Since we have READ privileges, let us read the drive on the target system as shown below. Well that’s all for SMB enumeration guys. If you want to read about SMTP enumeration, you can go here.

RESULT: We got some usernames which may be useful to us while exploiting the system in future.