Penetration Testing with the Joomla Security Scanner
Joomla Security Scanner
Joomla Security Scanner (joomscan) detects file inclusion, SQL injection and command execution vulnerabilities in a target Joomla website.
It helps web developers and webmasters identify possible security weaknesses in their deployed Joomla sites. No other web security scanner is dedicated to a single CMS.
Features of Joomla Security Scanner
- Exact version probing (the scanner can tell whether a target is running version 1.5.12)
- Common Joomla! based web application firewall detection
- Searching known vulnerabilities of Joomla! and its components
- Reporting to text and HTML output
- Immediate update capability via the scanner or svn
How to use Joomla Security Scanner in Backtrack 5
First open BackTrack and follow this menu path:
Applications -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> CMS Vulnerabilities Identification -> Joomscan
How to use Joomscan
When you open joomscan, it looks like the image shown below.
Scanning for Vulnerability
Now scan the Joomla site for vulnerabilities by entering the following command in the terminal:
./joomscan.pl -u www.example.com
Vulnerabilities Discovered
The results look like the image shown below.
CMS Explorer - Discover the CMS components behind the site
CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running.
Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden or library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, WebInspect, etc.
CMS Explorer currently supports module/theme discovery with the following products:
- Drupal
- WordPress
- Joomla!
- Mambo
How to use CMS-Explorer
Open a BackTrack terminal and type: cd /pentest/enumeration/web/cms-explorer
You can also reach it from the menu. First open BackTrack and follow this path:
Applications -> BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> cms-explorer
Scan Joomla Site
./cms-explorer.pl -url http://example.com -type joomla
Scan WordPress Site
./cms-explorer.pl -url http://example.com -type wordpress
Scan Drupal Site
./cms-explorer.pl -url http://example.com -type drupal
WPScan - WordPress Security Scanner
WPScan is a black box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. It is intended for security professionals or WordPress administrators to assess the security posture of their WordPress installations.
Features include:
- Username enumeration (from the author query string and the Location header)
- Weak password cracking (multithreaded)
- Version enumeration (from the generator meta tag)
- Vulnerability enumeration (based on version)
- Plugin enumeration (2220 most popular by default)
- Plugin vulnerability enumeration (based on version)
- Plugin enumeration list generation
- Other misc WordPress checks (theme name, directory listing, ...)
How to use wpscan in BackTrack 5
Open a BackTrack terminal and type: cd /pentest/web/wpscan
Now scan a single URL:
ruby wpscan.rb --url www.example.com
Other Scans
Only do version enumeration...
ruby wpscan.rb --url www.example.com --version
Do wordlist password brute force on enumerated users using 50 threads...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
Do wordlist password brute force on the 'admin' username only...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
Generate a new 'most popular' plugin list, up to 150 pages...
ruby ./wpscan.rb --generate_plugin_list 150
Enumerate installed plugins...
ruby ./wpscan.rb --enumerate p
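The username enumeration and wordlist attacks listed above leave a distinctive trace in the web server's access log, and that trace is what an administrator of a scanned site should be watching for. The following added example (not part of the original post and not WPScan's own code) parses Apache combined-format log lines and flags a source IP that sweeps /?author=N ids or posts repeatedly to wp-login.php. The log lines are constructed for the example; the "WPScan v2.0" User-Agent string and the thresholds are assumptions, not something the post states.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not captured from a real
# site). They model what the checks listed above look like on the server side:
# a sweep of /?author=N ids, then a burst of POSTs to wp-login.php.
AUTHOR_SWEEP = [
    '203.0.113.7 - - [10/Oct/2012:13:55:0%d +0000] "GET /?author=%d HTTP/1.1" '
    '%s "-" "WPScan v2.0"' % (i, i, "301 0" if i <= 2 else "404 1450")
    for i in range(1, 6)
]
LOGIN_BURST = [
    '203.0.113.7 - - [10/Oct/2012:13:56:%02d +0000] "POST /wp-login.php HTTP/1.1" '
    '200 3200 "-" "WPScan v2.0"' % i
    for i in range(12)
]
NORMAL = [
    '198.51.100.20 - - [10/Oct/2012:13:55:03 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2012:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_LOG = AUTHOR_SWEEP + NORMAL[:1] + LOGIN_BURST + NORMAL[1:]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_wp_enumeration(lines, author_threshold=4, login_threshold=10):
    """Flag source IPs that sweep author ids or hammer wp-login.php.

    author_threshold: distinct ?author=N ids from one IP before it is flagged.
    login_threshold: POSTs to wp-login.php from one IP before it is flagged.
    A 301 answer to /?author=N means the Location header redirected to the
    user's archive URL and so disclosed the login name; those are counted too.
    """
    author_ids = defaultdict(set)
    author_leaks = defaultdict(int)
    login_posts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = AUTHOR_RE.match(rec["path"])
        if m:
            author_ids[rec["ip"]].add(int(m.group(1)))
            if rec["status"] == "301":
                author_leaks[rec["ip"]] += 1
        elif rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
    findings = []
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings.append({"ip": ip, "kind": "author_enumeration",
                             "count": len(ids), "usernames_disclosed": author_leaks[ip]})
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings.append({"ip": ip, "kind": "login_bruteforce", "count": n})
    return sorted(findings, key=lambda f: (f["ip"], f["kind"]))


if __name__ == "__main__":
    for finding in detect_wp_enumeration(SAMPLE_LOG):
        print(finding)
```

The counts are per source IP over the whole input; in production you would run this over a sliding time window (the timestamp is already captured as `ts`) and feed the findings to whatever blocks or rate-limits the offending address. The `usernames_disclosed` figure is the useful remediation signal: a non-zero value means the site answers author-id requests with a redirect that reveals login names.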
Plecost
Plecost is a WordPress fingerprinting tool: it searches for and retrieves information about the plugin versions installed on WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally, it displays the CVE code associated with each plugin, if there is one.
Plecost retrieves the information contained on websites powered by WordPress, and also allows a search over the results indexed by Google.
How to use plecost in backtrack
Open a BackTrack terminal and run ./plecost-0.2.2-9-beta.py
How to use plecost
Syntax:
./plecost-0.2.2-9-beta.py -i wp_plugin_list.txt http://www.example.com -G
Google search options:
-l num : Limit the number of Google results for each plugin.
-G : Google search mode.
Options:
-n : Number of plugins to use (default all, more than 7000).
-c : Check only plugins with an associated CVE.
-R file : Reload the plugin list. Use the -n option to control its size.
-o file : Output file (default "output.txt").
-i file : Input plugin list (required to start the program).
-s time : Minimum sleep time between two probes, in seconds (default 10).
-M time : Maximum sleep time between two probes, in seconds (default 20).
-t num : Number of threads (default 1).
-h : Display help (more info: http://iniqua.com/labs/).
WhatWeb
WhatWeb is like nmap but for the web. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 900 plugins, each to recognize something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
Features:
- Over 900 plugins
- Control the tradeoff between speed/stealth and reliability
- Plugins include example URLs
- Performance tuning. Control how many websites to scan concurrently.
- Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, MagicTree, Ruby Object, MongoDB.
- Recursive web spidering
- Proxy support including Tor
- Custom HTTP headers
- Basic HTTP authentication
- Control over webpage redirection
- Nmap-style IP ranges
- Fuzzy matching
- Result certainty awareness
- Custom plugins defined on the command line
First open BackTrack and follow this path:
Applications -> BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> whatweb
Usage
./whatweb
Use WhatWeb in verbose mode:
./whatweb -v www.example.com
BlindElephant - Web Application Fingerprinter
The Blind Elephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
Features
- Fast, low-resource approach (generally <6 seconds and <400 KB)
- Support for 15 commonly deployed web apps (and hundreds of versions), and very easy to add support for more
- Support for web app plugins (Drupal and WordPress currently, more with community input)
How to use BlindElephant in BackTrack
First open BackTrack and follow this path:
Applications -> BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> blindelephant
Usage
./BlindElephant.py www.example.com <appname>   (replace <appname> with the CMS to fingerprint, e.g. joomla)