Penetration Testing with the Joomla Security Scanner
Joomla Security Scanner
Joomla Security Scanner Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla Websites.
It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla Sites. No web security scanner is dedicated only one CMS.
11 courses, 8+ hours of training
11 courses, 8+ hours of training
Features of Joomla Security Scanner
-
Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
-
Common Joomla! based web application firewall detection
-
Searching known vulnerabilities of Joomla! and its components
-
Reporting to Text & HTML output
-
Immediate update capability via scanner or svn
How to use Joomla Security Scanner in Backtrack 5
First Open Your backtrack and Follow these path
Applications->Backtrack->Vulnerability Assessment->Web Application assessment->CMS vulnerabilities identification->Joomscan
How to use Joomscan
When you open joomscan, it will look like this image (shown below)
Scanning for Vulnerability
Now scan our joomla site for vulnerability. To do this, enter the following command in Terminal:
./joomscan.pl -u www.example.com
Vulnerabilities Discovered
It will look like this image (shown below)
CMS Explorer-
Discover the CMS components behind the site
CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running.
Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Web inspect, etc.
CMS Explorer currently supports module/theme discovery with the following products:
- Drupal
- Wordpress
- Joomla!
- Mambo
How to use CMS-Explorer
Open your Backtrack Terminal & Type cd /pentest/enumeration/web/cms-explorer
You can also do this manually. First Open Your backtrack and Follow these path
Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> cms-explorer
Scan Joomla Site
./cms-explorer.pl -url http://example.com -type joomla
Scan Wordpress Site
./cms-explorer.pl -url http://example.com -type wordpress
Scan Wordpress Site
./cms-explorer.pl -url http://example.com -type drupal
WPScan-Wordpress Security Scanner
WPScan is a black box Wordpress Security Scanner written in Ruby which attempts to find known security weaknesses within Wordpress installations. Its intended use it to be for security professionals or Wordpress administrators to assess the security posture of their WordPress installations.
Features include:
-
Username enumeration (from author query string and location header)
-
Weak password cracking (multithreaded)
-
Version enumeration (from generator Meta tag)
-
Vulnerability enumeration (based on version)
-
Plugin enumeration (2220 most popular by default)
-
Plugin vulnerability enumeration (based on version)
-
Plugin enumeration list generation
-
Other misc WordPress checks (theme name, dir listing ...
How to use wpscan in BackTrack 5
Open your backtrack terminal and type cd /pentest/web/wpscan
Now scan single URL ruby wpscan.rb --url www.example.com
Other Scans
Only do version enumeration...
ruby wpscan.rb --url www.example.com –version
Do wordlist password brute force on enumerated users using 50 threads...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
Do wordlist password brute force on the 'admin' username only...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
Generate a new 'most popular' plugin list, up to 150 pages...
ruby ./wpscan.rb --generate_plugin_list 150
Enumerate installed plugins...
ruby ./wpscan.rb --enumerate p
Plecost
Wordpress finger printer tool, plecost search and retrieve information about the plugins versions installed in Wordpress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally displays CVE code associated with each Plugin, if there.
Plecost retrieves the information contained on Web sites supported by Wordpress, and also allows a search on the results indexed by Google.
How to use plecost in backtrack
Open your backtrack terminal and type ./plecost-0.2.2-9-beta.py
How to use plecost
Syntax:
./plecost-0.2.2-9-beta.py -i wp_plugin_list.txt http://www.example.com –G
-
Google search options:
- l num : Limit number of results for each plugin in google.
- G : Google search mode
-
Options:
- n : Number of plugins to use (Default all – more than 7000).
- c : Check plugins only with CVE associated.
- R file : Reload plugin list. Use -n option to control the size
- o file : Output file. (Default "output.txt")
- i file : Input plugin list. (Need to start the program)
- s time : Min sleep time between two probes. Time in seconds. (10)
- M time : Max sleep time between two probes. Time in seconds. (20)
- t num : Number of threads. (Default 1)
- h : Display help. (More info: http://iniqua.com/labs/)
What web
WhatWeb is like nmap but for the web. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 900 plugins, each to recognize something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
Features:
- Over 900 plugins
- Control the tradeoff between speed/stealth and reliability
- Plugins include example URLs
- Performance tuning. Control how many websites to scan concurrently.
- Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, Magic Tree, Ruby Object, Mongo DB.
- Recursive web spidering
- Proxy support including TOR
- Custom HTTP headers
- Basic HTTP authentication
- Control over webpage redirection
- Nmap-style IP ranges
- Fuzzy matching
- Result certainty awareness
- Custom plugins defined on the command line
First Open Your backtrack and Follow these path
Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> whatweb
Usage
. /whatweb
Use whatweb in verbose mode
./whatweb –v www.example.com
BlindElephant-Web Application Fingerprinter
The Blind Elephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
Features
-
Fast, low-resource approach (generally <6 seconds and < 400kb)
-
Support for 15 commonly deployed web apps (and hundreds of versions), and very easy to add support for more
-
Support for web app plugins (Drupal and Wordpress currently, more with community input)
How to use BlindElephant in BackTrack
First Open Your backtrack and Follow these path
Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> blindelephant
Usage
./BlindElephant.py www.example.com (CMS)
11 courses, 8+ hours of training
11 courses, 8+ hours of training
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- Penetration Testing with the Joomla Security Scanner
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security