Posted on

WordPress Version detection with Metasploit

Hello aspiring Ethical Hackers. In this article we will learn about a WordPress Version Detection Module. WordPress is one of the most popular CMS available for websites.  Its latest release to time, 4.5 has been downloaded 40,446,377 times till editing of this howto. But being popular in field of hacking has its own disadvantages. This Metasploit  Module performs wordpress version detectionlatest version suffers from oEmbed Denial of Service (DoS), Password Change via Stolen Cookie and Redirect Bypass vulnerabilities.

Similarly every version of WordPress has some vulnerability or other. But how do we find out which version of WordPress is the site running. Metasploit has an auxiliary module for WordPress version detection. Let’s see how it works.

Start Metasploit and load the module. Type command “show options” to see the options we required for this module.

Multiple IP addresses can be set as shown below. I am trying five targets.

After assigning IP addresses, type command “run” to execute the exploit. The first target is my own. As you can see, our two of our targets responded with their version. But what about others? Maybe a firewall is blocking our request or maybe our targeturi is wrong. Please try this scan with targeturi set to “/” and also “/wordpress” for better results.

By the way, version 4.1 suffers from a arbitrary file upload vulnerability. See how to perform complete WordPress vulnerability scan with WPscan  on a WordPress website.

Posted on 4 Comments

SMB enumeration with Kali Linux

In the previous part of the tutorial, we performed a vulnerability scan on our target Metasploitable and got some high ranking vulnerabilities. Before we take the plunge and exploit those vulnerabilities, let’s do some enumeration first.

Enumeration is the process of collecting information about user names, network resources, other machine names,  shares and services running on the network. Although little bit boring, it can be very helpful for the success of the hack in real time. In our previous parts, we have performed scanning and banner grabbing. So we already know what services are running on the target machine. They include FTP, telnet, SMTP and SMB etc. We can perform enumeration on all these services.

SMB stands for Server Message Block. Its mainly used for providing shared access to files, printers and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. It is a predecessor of  Common Internet File system (CIFS). To know more about SMB please go here.

SMB enumeration can provide a treasure trove of information about our target. So for today’s tutorial let’s see how to perform SMB enumeration with Kali Linux. I will use three tools inbuilt in Kali Linux : enum4linux, acccheck and SMBMap.

The first tool we will use is enum4linux. As the name suggests, it is a tool used for enumeration of Linux. To see all the options of this tool, just type “enum4linux -h“. Using this tool, first let us see the users of the SMB service. Open terminal and type command “enum4linux -U 192.168.25.129” as shown below.

As we can see above, this system is part of a workgroup. Know the difference between domain and workgroup. We can see below that it has listed all the SMB users present on the target.

Of all the usernames the tool got us, I am assuming only three usernames are useful to us: user,root and msfadmin since others seem more like processes but we will keep our fingers crossed.

Before we check for validity of these credentials, let us perform a full enumeration with enum4linux. In the terminal type command “enum4linux 192.178.25.129” i.e without any options.  As you can see below, it lists us Nbtstat information of what services are active on the target.

It also provides us with the OS information.

And crucial info about Shares, i.e which user has what rights on the target.

It provides us password policy info, in case we don’t get the credentials and want to crack them.

Groups present on the system.

It will also display users based on RID cycling.

It seems there are no printers connected to the target.

Ok, now we know the users. Let’s try to find out the passwords for the usernames we seem to have got. We will use a tool called acccheck for this purpose. It is a password dictionary attack tool that targets windows authentication via the SMB protocol.  We will see more about password cracking later. First I will try it with the user “user”. In Kali Linux, most of the password dictionaries are present in “usr/share/dirb” directory. So I specify a dictionary which consists of most common passwords used.

Here, I am just guessing that the user may be using a common password. After specifying all the options, Hit Enter. The cracking process starts as shown below.

Once the tool gets the correct password, it stops the scan and displays a success message as shown below. Voila … the password of the user “user” is “user” only.

Seeing this result, I get a new idea. There might be a possibility that all the users may be using their username as password. To find out this, I create a new file called user.txt with all the usernames we got with enum4linux and specify the file for both username and password as shown below.

We got succces with three users; user, msfadmin and a blank user with password “games”. Since we successfully got some credentials, it’s time to see the share drives on our target system. For this, we will use another tool called SMBMap.

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

First let us check the rights of each user we got as shown below.

We can see that users user and msfadmin have READ,WRITE permissions on tmp directory only and the Blank user doesn’t have much. Next let us try to list all the drives on the target system with user “msfadmin”. We can see we don’t have enough privileges to execute a command.

Since we have READ privileges, let us read the drive on the target system as shown below. Well that’s all for SMB enumeration guys. If you want to read  about SMTP enumeration, you can go here.

RESULT: We got some usernames which may be useful to us while exploiting the system in future.

Posted on

Joomla Enumeration with Metasploit

Hello aspiring hackers. Previously we have seen how to perform Joomla version enumeration  with Metasploit. Metasploit also has a module for Joomla webpages enumeration which can be useful in seeing pages of a Joomla website which can give further information about the website.

Start Metasploit and load the module as shown below.  Type command “show options” to see the options we need to set.

joomla enumeration

As other auxiliary options, it has RHOSTS option instead of RHOST option. We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

Type command “run” to execute the exploit. We will get the result as shown below.

Want to learn Ethical Hacking in Real World Scenarios? subscribe to our Digital Magazine.

Posted on 2 Comments

Joomla Plugin enumeration with Metasploit

Good evening aspiring ethical hackers. Joomla is one of the most popular CMS for websites. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Last month hackers found many vulnerabilities in so many extensions of Joomla.

But how do we find out Joomla websites with this vulnerable plugins installed. Once again, Metasploit saves the day for us as it has an auxiliary module for Joomla plugin enumeration. Start Metasploit and load the module as shown below.

This module has Rhosts option instead of Rhost option as we generally scan multiple IP addresses to check for vulnerable websites. Set the IP addresses as shown below with space between each IP address.

Now type command “run” to see the plugins installed on all these websites.

How does this module work? If you have seen in the first image, this module takes the list of plugins to enumerate from file “usr/share/metasploit-framework/data/wordlists/joomla.txt”. I have little knowledge whether this file is updated as fast as the Joomla plugins developed.  You can open this file with any text editor as shown below.

If the component you want to search for is not listed, you can make your own entry as shown below. I have added two components here, which are vulnerable to sql injection but not included in the file before. Save and close the file.

I run the scan again and found one Joomla website with this plugin installed.  Happy hacking.

Posted on

HTTP client information gathering with Metasploit

Good morning friends. Hope you are doing well. Today we are going to see HTTP client information gathering exploit of Metasploit. As the name explains, this exploit gathers information about our target’s browser which may be useful to us in further exploiting the system. We get information like  OS name, browser version, plugins, etc. Let us see how this exploit works. Start Metasploit and load the exploit as shown below.

This exploit will run a server on the attacker system( here Kali rolling ). So SRVhost IP address should be Kali’s IP address. The port can be default or it can be set to 80 as I have done.

Run the exploit as shown below. It will start a server as shown below. Now we need to send this link to our victim’s.

When the victim clicks on the link, he will be shown a 404 error as shown below.

In the meantime, we will be getting the target information. Given below are the information we gathered from three browsers, Chrome,

Firefox

and Internet explorer.

We got information like target OS, browser info along with its version, architecture etc. The most valuable info from this can be the OS of our target, the knowledge we can use in choosing our exploits to hack it. Happy hacking.