Application security

Penetration Testing with the Joomla Security Scanner

Raj Chandel
September 21, 2012 by
Raj Chandel

Joomla Security Scanner

Joomla Security Scanner Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla Websites.

It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla Sites. No web security scanner is dedicated only one CMS.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

Features of Joomla Security Scanner

  • Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
  • Common Joomla! based web application firewall detection
  • Searching known vulnerabilities of Joomla! and its components
  • Reporting to Text & HTML output
  • Immediate update capability via scanner or svn

How to use Joomla Security Scanner in Backtrack 5

First Open Your backtrack and Follow these path

Applications->Backtrack->Vulnerability Assessment->Web Application assessment->CMS vulnerabilities identification->Joomscan


How to use Joomscan

When you open joomscan, it will look like this image (shown below)

Scanning for Vulnerability

Now scan our joomla site for vulnerability. To do this, enter the following command in Terminal: 

./joomscan.pl -u www.example.com

Vulnerabilities Discovered

It will look like this image (shown below)

CMS Explorer-

Discover the CMS components behind the site

CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running.

Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Web inspect, etc.

CMS Explorer currently supports module/theme discovery with the following products:

  • Drupal
  • Wordpress
  • Joomla!
  • Mambo

How to use CMS-Explorer

Open your Backtrack Terminal & Type cd /pentest/enumeration/web/cms-explorer


You can also do this manually. First Open Your backtrack and Follow these path

Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> cms-explorer


Scan Joomla Site

./cms-explorer.pl -url http://example.com -type joomla

Scan Wordpress Site

./cms-explorer.pl -url http://example.com -type wordpress

Scan Wordpress Site

./cms-explorer.pl -url http://example.com -type drupal

WPScan-Wordpress Security Scanner

WPScan is a black box Wordpress Security Scanner written in Ruby which attempts to find known security weaknesses within Wordpress installations. Its intended use it to be for security professionals or Wordpress administrators to assess the security posture of their WordPress installations.

Features include:

  • Username enumeration (from author query string and location header)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator Meta tag)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (2220 most popular by default)
  • Plugin vulnerability enumeration (based on version)
  • Plugin enumeration list generation
  • Other misc WordPress checks (theme name, dir listing ...

How to use wpscan in BackTrack 5

Open your backtrack terminal and type cd /pentest/web/wpscan

Now scan single URL ruby wpscan.rb --url www.example.com


Other Scans

Only do version enumeration...

ruby wpscan.rb --url www.example.com –version

Do wordlist password brute force on enumerated users using 50 threads...

ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the 'admin' username only...

ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

Generate a new 'most popular' plugin list, up to 150 pages...

ruby ./wpscan.rb --generate_plugin_list 150

Enumerate installed plugins...
ruby ./wpscan.rb --enumerate p

Plecost

Wordpress finger printer tool, plecost search and retrieve information about the plugins versions installed in Wordpress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally displays CVE code associated with each Plugin, if there.

Plecost retrieves the information contained on Web sites supported by Wordpress, and also allows a search on the results indexed by Google.

How to use plecost in backtrack

Open your backtrack terminal and type ./plecost-0.2.2-9-beta.py


How to use plecost

Syntax:


./plecost-0.2.2-9-beta.py -i wp_plugin_list.txt http://www.example.com –G


  • Google search options:
    • l num : Limit number of results for each plugin in google.
    • G : Google search mode
  • Options:
    • n : Number of plugins to use (Default all – more than 7000).
    • c : Check plugins only with CVE associated.
    • R file : Reload plugin list. Use -n option to control the size
    • o file : Output file. (Default "output.txt")
    • i file : Input plugin list. (Need to start the program)
    • s time : Min sleep time between two probes. Time in seconds. (10)
    • M time : Max sleep time between two probes. Time in seconds. (20)
    • t num : Number of threads. (Default 1)
    • h : Display help. (More info: http://iniqua.com/labs/)

What web

WhatWeb is like nmap but for the web. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 900 plugins, each to recognize something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Features:

  • Over 900 plugins
  • Control the tradeoff between speed/stealth and reliability
  • Plugins include example URLs
  • Performance tuning. Control how many websites to scan concurrently.
  • Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, Magic Tree, Ruby Object, Mongo DB.
  • Recursive web spidering
  • Proxy support including TOR
  • Custom HTTP headers
  • Basic HTTP authentication
  • Control over webpage redirection
  • Nmap-style IP ranges
  • Fuzzy matching
  • Result certainty awareness
  • Custom plugins defined on the command line

First Open Your backtrack and Follow these path

Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> whatweb


Usage

. /whatweb

Use whatweb in verbose mode

./whatweb –v www.example.com

BlindElephant-Web Application Fingerprinter

The Blind Elephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Features

  • Fast, low-resource approach (generally <6 seconds and < 400kb)
  • Support for 15 commonly deployed web apps (and hundreds of versions), and very easy to add support for more
  • Support for web app plugins (Drupal and Wordpress currently, more with community input)

How to use BlindElephant in BackTrack

First Open Your backtrack and Follow these path

Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> blindelephant


Usage

./BlindElephant.py www.example.com (CMS)

Raj Chandel
Raj Chandel

Raj Chandel is a Skilled and Passionate IT Professional especially in IT-Hacking Industry. At present other than his name he can also be called as An Ethical Hacker, A Cyber Security Expert, A Penetration Tester. With years of quality Experience in IT and software industry. He is Also a Founder of www.hackingarticles.in.