nse script – HackerTarget.com

WordPress Security Testing with Nmap
https://hackertarget.com/wordpress-security-testing-with-nmap/
Wed, 04 Feb 2015

The post WordPress Security Testing with Nmap appeared first on HackerTarget.com.


With the popularity of WordPress as a publishing platform, security testing is an important part of ensuring an installation is secure. Nmap has a couple of NSE scripts specifically for testing WordPress installations. Using those scripts as a base I developed a couple more that expand the capabilities of Nmap for auditing WordPress installations. These scripts were later merged into Nmap's http-wordpress-enum.nse script.

Nmap comes with two Lua NSE scripts for high-level testing of WordPress installations. The scripts allow brute forcing of the plugins on the system and enumeration of the WordPress user accounts on the system.



As with any security testing, make sure you fully understand what the script will do and how it might affect a target system. Only test systems you have permission to scan!

NMAP NSE Scripts for WordPress

http-wordpress-info.nse

Rather than brute forcing paths, this script is much more polite and will only download the main page of the WordPress site and examine the theme and plugin paths in the html. The WordPress version will also be identified using the default readme.html file if the meta generator is not present.

http-wordpress-enum.nse

The http-wordpress-enum.nse script comes with the default Nmap installation and allows you to attempt to identify users of the WordPress installation. Once you have user names it is possible to brute force the passwords using methods I detailed in the attacking WordPress article.

Hacker Target NMAP-nse-scripts for WordPress

http-wordpress-plugins.nse

Deprecated: http-wordpress-enum.nse has been updated to include this functionality.

In addition to identifying the plugins in use, I added a feature to the http-wordpress-plugins.nse script that will identify the version of the installed plugin and compare that to the latest version that is checked in real time against the WordPress Plugin API.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet 3.0.4 (latest version: 3.0.4)
-- |   wordpress-seo 1.7 (latest version: 1.7.1)
-- |   disqus-comment-system 2.83 (latest version: 2.84)
-- |_  wp-to-twitter 1.2 (latest version: 1.45)
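As an added example (not part of the original post or the NSE script), the following parses lines in the output format shown above and lists the plugins that are behind the latest version reported by the script. The version numbers are compared numerically rather than as strings, so a plugin at 1.10 is not mistaken for being older than 1.9; the sample lines are constructed, and the last one is a hypothetical plugin added to show that case.

```python
import re

# Constructed sample lines in the format of the http-wordpress-plugins output above
# (the last line is a hypothetical plugin added to show the numeric comparison).
SAMPLE_OUTPUT = """\
|   akismet 3.0.4 (latest version: 3.0.4)
|   wordpress-seo 1.7 (latest version: 1.7.1)
|   disqus-comment-system 2.83 (latest version: 2.84)
|_  wp-to-twitter 1.2 (latest version: 1.45)
|   hypothetical-plugin 1.10 (latest version: 1.9)"""

# Matches "|   slug installed (latest version: latest)", with or without the "-- " prefix.
LINE_RE = re.compile(r"^(?:--\s*)?\|_?\s+(\S+)\s+(\S+)\s+\(latest version:\s+(\S+)\)")

def version_key(version):
    """Turn '1.7.1' into (1, 7, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))

def outdated_plugins(text):
    """Return (slug, installed, latest) for each plugin whose installed version is behind the latest."""
    found = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        slug, installed, latest = match.groups()
        if version_key(installed) < version_key(latest):
            found.append((slug, installed, latest))
    return found

if __name__ == "__main__":
    for slug, installed, latest in outdated_plugins(SAMPLE_OUTPUT):
        print(f"{slug}: {installed} -> {latest}")
```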

http-wordpress-themes.nse

Deprecated: http-wordpress-enum.nse has been updated to include this functionality.

Based on the NSE script http-wordpress-plugins.nse I created a variation that tests for WordPress themes. One of the often overlooked parts of keeping a WordPress installation secure is ensuring all themes (even inactive ones) are kept up to date, or removed if not in use. Security vulnerabilities are found in WordPress themes, and these are often exploitable even if the theme is inactive.

The wp-theme.lst file was created after I crawled the Alexa top 1 million sites and found around 200000 WordPress sites. By basing the theme list on the themes in use and sorting by popularity, this list is a good representation of the most popular themes being used across the web.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-themes:
-- | search amongst the 500 most popular themes 
-- |   twentyfourteen 1.3
-- |   canvas 5.8.7
-- |_  twentytwelve 1.5


Parse Nmap XML to get SSL Certificate details
https://hackertarget.com/parse-nmap-xml-ssl-certificate/
Sat, 24 May 2014

The post Parse Nmap XML to get SSL Certificate details appeared first on HackerTarget.com.

Extract SSL certificate details from a range of IP addresses using Nmap XML and a simple python script.

The python script parses the Nmap XML output from the ssl-cert.nse script and produces csv output with the target SSL certificate details.

libssl-dev package

When compiling Nmap you need the libssl-dev package installed. Nmap NSE scripts such as ssl-cert will not work without it.

apt-get install libssl-dev

Once the package is installed, go ahead and install Nmap from source: extract the source into a folder, then run ./configure, make and make install to install the latest version of Nmap.

Testing the SSL cert parse script

For a quick test of the SSL cert parse script I grabbed the top 25 computing sites from Alexa.

Start Nmap with the ssl-cert NSE script. The -iL option loads the list of 25 target host names and -oX writes the results as Nmap XML.

nmap -iL top25-tech.txt -sV -p 443 -oX nmap-results-top25.xml --script=ssl-cert

Python script

Once the scan has completed, the python script below can be used to parse the Nmap XML and produce the csv output. The results can be loaded into a spreadsheet, or parsed further, depending on your needs.

testuser@ubuntu:~$ python nmap-ssl-certs.py nmap-results-top25.xml
 
150.101.195.240,www.google.com,Google Inc,US,2014-05-07,2014-08-05
31.13.70.17,*.facebook.com,Facebook, Inc.,US,2014-02-28,2015-04-13
150.101.195.212,*.google.com,Google Inc,US,2014-05-07,2014-08-05
74.125.237.149,mail.google.com,Google Inc,US,2014-05-07,2014-08-05
98.139.183.24,www.yahoo.com,Yahoo Inc.,US,2014-04-09,2015-04-09
198.35.26.96,*.wikipedia.org,Wikimedia Foundation, Inc.,US,2012-10-21,2016-01-20
199.59.148.82,twitter.com,Twitter, Inc.,US,2014-04-08,2016-05-09
216.52.242.80,www.linkedin.com,LinkedIn Corporation,US,2013-12-19,2016-12-30
98.136.189.41,*.login.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
65.55.143.19,mail.live.com,Microsoft Corporation,US,2013-05-21,2015-05-22
150.101.195.216,*.google.com,Google Inc,US,2014-05-07,2014-08-05
150.101.195.227,*.google.com,Google Inc,US,2014-05-07,2014-08-05
119.160.243.163,search.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
192.0.82.252,wordpress.com,Automattic, Inc.,US,2014-04-16,2016-04-16
204.79.197.200,*.bing.com,Microsoft Corporation,US,2014-05-20,2016-05-19
54.225.139.43,*.pinterest.com,Pinterest Inc,US,2014-04-09,2017-04-13
66.235.120.127,,,,,
150.101.195.249,*.google.com,Google Inc,US,2014-05-07,2014-08-05
65.55.206.228,,,,,
66.211.169.66,paypal.com,PayPal, Inc.,US,2013-01-09,2015-01-11
134.170.188.221,microsoft.com,,,2013-06-20,2015-06-20
17.172.224.47,apple.com,Apple Inc.,US,2012-11-13,2014-11-03
23.23.110.81,*.imgur.com,Imgur, Inc.,US,2013-06-25,2016-08-31
198.252.206.140,*.stackexchange.com,Stack Exchange, Inc.,US,2013-07-02,2016-07-06
68.71.220.3,,,,,

The script is simple but it works, and it should be easy enough to read that you can modify it to parse the results of other NSE scripts from the Nmap XML output.

Parse XML data

There are many ways to parse XML data. The xml.dom method used here seems to be one of the more straightforward for parsing the Nmap XML. Another option could include using ElementTree, or even using xmlstarlet in bash as seen on this stack.exchange post.

#!/usr/bin/env python3
import sys
import xml.dom.minidom

# Certificate fields taken from the ssl-cert NSE output, in CSV column order.
KEYS = ('commonName', 'organizationName', 'countryName', 'notBefore', 'notAfter')

if len(sys.argv) < 2:
    sys.exit("*** You need to supply an Nmap XML file ***")
scandata = sys.argv[1]

doc = xml.dom.minidom.parse(scandata)
output = []
for host in doc.getElementsByTagName("host"):
    addresses = host.getElementsByTagName("address")
    ip = addresses[0].getAttribute("addr") if addresses else ''    # IP address from the addr attribute
    cert = dict.fromkeys(KEYS, '')
    for script in host.getElementsByTagName("script"):
        if script.getAttribute("id") != 'ssl-cert':                 # ignore output from other NSE scripts
            continue
        for elem in script.getElementsByTagName("elem"):            # cert details for each target
            key = elem.getAttribute("key")
            if key not in cert or cert[key] or not elem.childNodes:
                continue                                            # keep only the first value of each key (subject comes before issuer)
            value = elem.childNodes[0].nodeValue.strip()
            if key in ('notBefore', 'notAfter'):
                value = value.split('T')[0]                         # keep the date, drop the time
            cert[key] = value
    output.append(','.join([ip] + [cert[key] for key in KEYS]))
for line in output:
    print(line)
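The ElementTree alternative mentioned above, as an added example that is not the post's own script: it parses a constructed Nmap XML fragment in the shape ssl-cert.nse emits, reads only the subject and validity tables (so the issuer's countryName does not overwrite the subject's), and adds a check for certificates that have already expired on a given date. The host addresses, names and dates in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import date

COLUMNS = ("ip", "commonName", "organizationName", "countryName", "notBefore", "notAfter")

# Constructed Nmap XML in the shape ssl-cert.nse emits: one host with a certificate
# (subject and issuer in different countries) and one host with no certificate at all.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="443">
<script id="ssl-cert" output="...">
  <table key="subject"><elem key="commonName">www.example.com</elem>
    <elem key="organizationName">Example Inc</elem><elem key="countryName">US</elem></table>
  <table key="issuer"><elem key="commonName">Example Issuing CA</elem>
    <elem key="countryName">GB</elem></table>
  <table key="validity"><elem key="notBefore">2014-05-07T12:21:54+00:00</elem>
    <elem key="notAfter">2014-08-05T00:00:00+00:00</elem></table>
</script></port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_ssl_certs(xml_text):
    """Return one dict per host with the subject and validity fields ('' when absent)."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        row = dict.fromkeys(COLUMNS, "")
        row["ip"] = host.find("address").get("addr")
        for script in host.iter("script"):
            if script.get("id") != "ssl-cert":
                continue
            # Only the subject and validity tables: the issuer table has its own countryName.
            for table in script.findall("table"):
                if table.get("key") in ("subject", "validity"):
                    for elem in table.findall("elem"):
                        if elem.get("key") in row:
                            row[elem.get("key")] = (elem.text or "").split("T")[0]
        rows.append(row)
    return rows

def expired_on(row, today_iso):
    """True when the certificate's notAfter date is before today_iso (False when no cert was found)."""
    return bool(row["notAfter"]) and date.fromisoformat(row["notAfter"]) < date.fromisoformat(today_iso)

def to_csv(rows):
    """Same CSV layout as the script above: ip,commonName,organizationName,countryName,notBefore,notAfter."""
    return "\n".join(",".join(r[c] for c in COLUMNS) for r in rows)
```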

Nmap XML to CSV

Not specifically tied to the SSL results; we have another script that converts Nmap XML to CSV. This is an easy to use script that can be adapted to achieve the output needed for reporting.

Different organisations have different reporting requirements so this simple script was created to enable anyone to modify it as required with minimal python knowledge.

https://github.com/hackertarget/nmap-csv-xlsx

