Posted on 2 Comments

Find out Joomla version with Metasploit

Hello aspiring hackers. In this howto, we will see how to find out Joomla version with Metasploit. Many a times a vulnerability is released saying that so and so version of a specific software has so and so vulnerability and an exploit is released for that vulnerability. In order for an exploit to work successfully it becomes necessary to find our target’s exact version. For example, take Joomla, a popular CMS. Recently we have seen Joomla HTTP Header Unauthenticated Remote Code Execution exploit which affects Joomla versions 1.5.0 to 3.4.5. To successfully exploit these vulnerabilities, it becomes important to first fingerprint the Joomla version of our target. Luckily Metasploit has an auxiliary module to find out the exact version of our Joomla target. Today we will see fingerprinting Joomla version with Metasploit. Before we start Metasploit, open Shodan and search for “Joomla”. We will get many IP addresses where Joomla is running. Now start Metasploit and load the module given below. Type command “show options” to see the required options for this module.

We need to set two options: rhosts( which is target IP addresses ) and targeturi. Set targeturi as shown below. Coming to “rhosts” option, copy and paste the IP addresses we got in our shodan search giving space between each IP address as shown below.  Here I have given five IP addresses.

Check whether all options are set correctly by typing command “show options“.

Next it’s time to run our exploit. Type command “run” and you will get the results as shown below. From our results we can conclude that all of the five targets may be vulnerable to Joomla HTTP Header Unauthenticated Remote Code Execution exploit and targets 2 and 3 may be vulnerable to Joomla Error-Based SQL Injection exploit for enumeration exploit.

Posted on 5 Comments

Hacking Metasploitable : Information Gathering

This howto is part of  a  series called  Hacking Metasploitable.  So it would be good if you follow this as part of that series. Today we will see scanning and banner grabbing of Metasploitable. Scanning is the second stage of hacking where we gather more information about our target. Imagine a scenario where we got the IP address range  of our target and we want to check how many live systems are there. This is network scanning. There are many tools in our attacker system but we will use Zenmap.  Open a terminal and type command “zenmap”. It would open a GUI tool as shown below. Give the IP address range as shown below. (192.168.25.100-130, it may differ for you ) and select “ping scan” . Then click on “scan”. It will show all the live systems. In our case, only Metasploitable.

Now let’s do port scanning of the live system. Now in target field, specify only the IP address of Metasploitable. In Profile, select “slow and comprehensive scan” and click on “scan”. It will show all the open ports as shown below.

But there is another tool which is widely used for port scanning. Enter nmap. Nmap is a versatile port scanner. (Zenmap is the GUI version of Nmap). The default way to use Nmap is shown below. It would list all the open ports.

Next we will see how to grab banners.  Banners display information about  the type of service running at the open ports of our target. This can reveal some important information about our target which can be used for hacking. The Nmap command for banner grabbing  and its results are shown below. We got a lot of banners.

Next we will use Nmap to find out the operating system of our target. The command is given below.

The OS details are given below.

There is another way of grabbing banners. It is telnetting to each port as shown below. The results can also be seen.

That’s all in Hacking Metasploitable : information Gathering stage.

Posted on

Webserver banner grabbing and countermeasures

Webserver Banner grabbing or fingerprinting is the method of gaining information about the target host OS. web server type, version etc. Once the hacker gets the needed information about the target OS etc, he can easily find out the vulnerabilities present in particular version and launch his attacks against it. Today we are going to see how webserver banner grabbing is performed on web servers and how to apply counter measures to it. We will see Apache and IIS 8 server examples in this article.

Apache:

Imagine I have set up a website named www.shunya.com on an Apache server. A hacker can easily find Information about the web server in different ways. For example, a hacker can visit the website and and try to open a webpage which is not existent on my server, like below.

In the above example, hacker tried to open page named “admin.php” which was not available on my server and in turn the server responded with a type of web server, the target OS and the scripting language. This is giving out too much information.

The traditional and popular way of fingerprinting is through telnet. A hacker opens command line or terminal. and types the command “telnet www.shunya.com 80″. When the screen goes black, type “HEAD / HTTP/1.0″ and this will give the server information.

There are also many fingerprinting tools available. I am gonna show you only one, Id serve. Let’s see how to banner grab using Id serve.

Now what are the preventive measures we can take in Apache server to disable or atleast prevent fingerprinting to some extent. Apache web server has a configuration file called “httpd.conf” where we can make changes to fight fingerprinting. Go to httpd.conf and change the value of the option “Server Signature  to off”. This will not display any information about server when an nonexistent page has been accessed.

In the httpd.conf file, changing the value of “Server Tokens” from “Full” to “Prod” will only show the minimum server information as shown below.

This still discloses that our web server is Apache but it doesn’t show the version. In Kautilya’s words this is delaying the march of enemy. Here are the options we set.

IIS 8:

Now imagine we changed our www.shunya.com website from Apache server to the latest version of Microsoft web server, IIS 8. To prevent error pages form revealing any information in IIS server, we can set custom error pages.  Now let’s use IDserve tool to fingerprint the IIS 8 server.

It shows the server version. Now how can we prevent this. Microsoft provides a tool named UrlScan freely available for download which can be used easily to process HTTP requests. Download this tool and install it. ( See how to configure Urlscan for IIS 7.5 and IIS 8 ). Then go to the configuration file of UrlScan, “UrlScan.ini” located at “C:WindowsSystem32inetservUrlscan” by default and change the value of “RemoveServerHeader’ from “0″ to “1″.

This will not reveal the server version information as shown below.

We can further mislead the attacker by setting our server name to some other value different than our original one. This can be done by setting the value of “RemoveServerHeader” to “0 “and changing the value of “AlternateServerName” to the value we want to specify ( in our example Nginx ).

So when the attacker tries to fingerprint our website, he will be misleaded.

Note: Taking this preventive measures will not stop a determined hacker to find out our server information.

That’s all in webserver banner grabbing and countermeasures.