Aljdfl;jsa
Lsjdlfa
Sdjaflksdjafs
Dalkjf;a
kdf
Lsjaf
I'm trying to update Git from my shared hosting. For that I'm following these steps:
Keep in mind a website may use multiple CMS'. Wordpress may be used as the primary
CMS, while using vBulletin on a subdomain (forum.example.com) or subdirectory
(example.com/forum). For this reason, you can enter any url in the form above to see
what CMS is being used on a specific page.
2] BuiltWith represents a really powerful tool that even in its free version shows a
technology profile for given a website which includes information on:
4] CMS Detector works perfectly for revealing the webserver, framework or language
used by a website. Unfortunately it lacks this power of identifying the CMS.
5] CMSeye is a simple tool focused only on identifying the CMS, it mostly works only
for open source CMSs and sometimes its not accurate (even we dont believe that the
Ektron website does run on Wordpress).
BlindElephant
The BlindElephant Web Application Fingerprinter attempts to discover the version of a
(known) web application by comparing static files at known locations against
precomputed hashes for versions of those files in all all available releases. The
technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
Scan the remote host (http://192.168.1.252/wp), specifying the web application in use
(wordpress):
root@kali:~# BlindElephant.py http://192.168.1.252/wp wordpress
Plecost
WordPress finger printer tool, plecost search and retrieve information about the
plugins versions installed in WordPress systems. It can analyze a single URL or
perform an analysis based on the results indexed by Google. Additionally displays CVE
code associated with each plugin, if there. Plecost retrieves the information contained
on Web sites supported by WordPress, and also allows a search on the results indexed
by Google.
Use 100 plugins (-n 100), sleep for 10 seconds between probes (-s 10) but no more than
15 (-M 15) and use the plugin list (-i /usr/share/plecost/wp_plugin_list.txt) to scan the
given URL (192.168.1.202/wordpress):
root@kali:~# plecost -n 100 -s 10 -M 15 -i /usr/share/plecost/wp_plugin_list.txt
192.168.1.202/wordpress
WPScan
WPScan is a black box WordPress vulnerability scanner that can be used to scan
remote WordPress installations to find security issues.
Scan a target WordPress URL and enumerate any plugins that are installed:
root@kali:~# wpscan --url http://wordpress.local --enumerate p
Database Exploitation
These tools are used to pentest the database including finding vulnerability,exploiting
the vulnerability to gather database.
bbqsql
BBQSQL is a SQL injection framework specifically designed to be hyper fast, database
agnostic, easy to setup, and easy to modify. The tool is extremely effective at exploiting
a particular type of SQL injection flaw known as blind/semi-blind SQL injection. When
doing application security assessments we often uncover SQL vulnerabilities that are
difficult to exploit.
While current tools have an enormous amount of capability, when you cant seem to
get them to work you are out of luck. We frequently end up writing custom scripts to
help aid in the tricky data extraction, but a lot of time is invested in developing, testing
and debugging these scripts.
BBQSQL helps automate the process of exploiting tricky blind SQL injection. We
developed a very easy UI to help you setup all the requirements for your particular
vulnerability and provide real time configuration checking to make sure your data
looks right. On top of being easy to use, it was designed using the event driven
concurrency provided by Pythons gevent. This allows BBQSQL to run much faster than
existing single/multithreaded applications.
root@kali:~# bbqsql
sqlninja
Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the
DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry
to disable Data Execution Prevention, mix with a little Perl that automatically
generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well
and you have just one of the attack modules of sqlninja!
Its main goal is to provide a remote access on the vulnerable DB server, even in a very
hostile environment. It should be used by penetration testers to help and automate the
process of taking over a DB Server when a SQL Injection vulnerability has been
discovered.
Connect to the target in test mode (-m t) with the specified config file (-f
/root/sqlninja.conf):
root@kali:~# sqlninja -m t -f /root/sqlninja.conf
sqlsus
sqlsus is an open source MySQL injection and takeover tool, written in perl.
Via a command line interface, you can retrieve the database(s) structure, inject your
own SQL queries (even complex ones), download files from the web server, crawl the
website for writable directories, upload and control a backdoor, clone the database(s),
and much more
sqlsus focuses on speed and efficiency, optimising the available injection space, making
the best use (I can think of) of MySQL functions.
It uses stacked subqueries and an powerful blind injection algorithm to maximise the
data gathered per web server hit.
If the privileges are high enough, sqlsus will be a great help for uploading a backdoor
through the injection point, and takeover the web server.
It uses SQLite as a backend, for an easier use of what has been dumped, and integrates
a lot of usual features (see below) such as cookie support, socks/http proxying, https.
IDS/IPS Identification
Used in computer security, intrusion detection refers to the process of monitoring
computer and network activities and analyzing those events to look for signs of
intrusion in your system. The point of looking for unauthorized intrusions is to alert IT
professionals and system administrators within your organization to potential system
or network security threats and weaknesses.
An intrusion detection system (IDS) is designed to monitor all inbound and outbound
network activity and identify any suspicious patterns that may indicate a network or
system attack from someone attempting to break into or compromise a system. IDS is
considered to be a passive-monitoring system, since the main function of an IDS
product is to warn you of suspicious activity taking place not prevent them. An IDS
essentially reviews your network traffic and data and will identify probes, attacks,
exploits and other vulnerabilities. IDSs can respond to the suspicious event in one of
several ways, which includes displaying an alert, logging the event or even paging an
administrator. In some cases the IDS may be prompted to reconfigure the network to
reduce the effects of the suspicious intrusion.
An IDS specifically looks for suspicious activity and events that might be the result of a
virus, worm or hacker. This is done by looking for known intrusion signatures or attack
signatures that characterize different worms or viruses and by tracking general
variances which differ from regular system activity. The IDS is able to provide
notification of only known attacks.
The term IDS actually covers a large variety of products, for which all produce the end
result of detecting intrusions. An IDS solution can come in the form of cheaper
shareware or freely distributed open source programs, to a much more expensive and
secure vendor software solution. Additionally, some IDSs consist of both software
applications and hardware appliances and sensor devices which are installed at
different points along your network.
IPS or intrusion prevention system, is definitely the next level of security technology
with its capability to provide security at all system levels from the operating system
kernel to network data packets. It provides policies and rules for network traffic along
with an IDS for alerting system or network administrators to suspicious traffic, but
allows the administrator to provide the action upon being alerted. Where IDS informs
of a potential attack, an IPS makes attempts to stop it. Another huge leap over IDS, is
that IPS has the capability of being able to prevent known intrusion signatures, but
also some unknown attacks due to its database of generic attack behaviors. Thought of
as a combination of IDS and an application layer firewall for protection, IPS is
generally considered to be the "next generation" of IDS.
Currently, there are two types of IPSs that are similar in nature to IDS. They consist of
host-based intrusion prevention systems (HIPS) products and network-based intrusion
prevention systems (NIPS).
ua-tester
This tool is designed to automatically check a given URL using a list of standard and
non-standard User Agent strings provided by the user (1 per line). The results of these
checks are then reported to the user for further manual analysis where required.
Connect to the URL (-u http://192.168.1.202/joomla) and use mobile device User-
Agent strings (-d M) to check for different content:
root@kali:~# ua-tester -u http://192.168.1.202/joomla -d M
Burp Suite
Burp Suite is an integrated platform for performing security testing of web
applications. Its various tools work seamlessly together to support the entire testing
process, from initial mapping and analysis of an applications attack surface, through
to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with
state-of-the-art automation, to make your work faster, more effective, and more fun.
root@kali:~# burpsuite
Powerfuzzer
Powerfuzzer is a highly automated and fully customizable web fuzzer (HTTP protocol
based application fuzzer) based on many other Open Source fuzzers available and
information gathered from numerous security resources and websites. It was designed
to be user friendly, modern, effective and working.
Designed and coded to be modular and extendable. Adding new checks should simply
entail adding new methods.
root@kali:~# powerfuzzer
WebScarab
WebScarab is designed to be a tool for anyone who needs to expose the workings of an
HTTP(S) based application, whether to allow the developer to debug otherwise difficult
problems, or to allow a security specialist to identify vulnerabilities in the way that the
application has been designed or implemented.
root@kali:~# webscarab
WebSlayer
Webslayer is a tool designed for brute forcing Web Applications, it can be used for
finding resources not linked (directories, servlets, scripts,files, etc), brute force GET
and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc.
The tools has a payload generator and an easy and powerful results analyzer.
Wfuzz
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding
resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST
parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce
Forms parameters (User/Password), Fuzzing,etc.
Owasp-zap
OWASP ZAP is a web application penetration testing tool that has some great features.
It is a very easy to use scanner that allows you to do manual or automatic website
security checks. In this tutorial we will learn how to use the automatic attack feature.
For this tutorial we will be using Kali Linux and Metasploitable 2 virtual machines.
Before we get started and as always, never use any security tools to scan or test a
network that you do not own or have permission to do so. Also do not put
Metasploitable 2 on a system that has open access to the internet as it is very
vulnerable!
Paros
A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It
supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders,
client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.
root@kali:~# paros
ProxyStrike
ProxyStrike is an active Web Application Proxy. Its a tool designed to find
vulnerabilities while browsing an application. It was created because the problems we
faced in the pentests of web applications that depends heavily on Javascript, not many
web scanners did it good in this stage, so we came with this proxy.
Right now it has available Sql injection and XSS plugins. Both plugins are designed to
catch as many vulnerabilities as we can, its that why the SQL Injection plugin is a
Python port of the great DarkRaver Sqlibf.
The process is very simple, ProxyStrike runs like a proxy listening in port 8008 by
default, so you have to browse the desired web site setting your browser to use
ProxyStrike as a proxy, and ProxyStrike will analyze all the paremeters in background
mode. For the user is a passive proxy because you wont see any different in the
behaviour of the application, but in the background is very active.
root@kali:~# proxystrike
Vega
Vega is a free and open source scanner and testing platform to test the security of web
applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting
(XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is
written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for
tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection,
and other vulnerabilities. Vega can be extended using a powerful API in the language of
the web: Javascript.
root@kali:~# v
Web Crawlers
apache-users
This Perl script will enumerate the usernames on any system that uses Apache with the
UserDir module.
Run against the remote host (-h 192.168.1.202), passing a dictionary of usernames (-l
/usr/share/wordlists/metasploit/unix_users.txt), the port to use (-p 80), disable SSL
(-s 0), specify the HTTP error code (-e 403), using 10 threads (-t 10):
CutyCapt
CutyCapt is a small cross-platform command-line utility to capture WebKits rendering
of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS,
PNG, JPEG, TIFF, GIF, and BMP.
DIRB
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It
basically works by launching a dictionary based attack against a web server and
analizing the response.
DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use
your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but
remember is a content scanner not a vulnerability scanner.
other generic CGI scanners cant look for. It doesnt search vulnerabilities nor does it
look for web contents that can be vulnerables.
Scan the web server (http://192.168.1.224/) for directories using a dictionary file
(/usr/share/wordlists/dirb/common.txt):
DirBuster
DirBuster is a multi threaded java application designed to brute force directories and
files names on web/application servers. Often is the case now of what looks like a web
server in a state of default installation is actually not, and has pages and applications
hidden within. DirBuster attempts to find these. However tools of this nature are often
as only good as the directory and file list they come with. A different approach was
taken to generating this. The list was generated from scratch, by crawling the Internet
and collecting the directory and files that are actually used by developers! DirBuster
comes a total of 9 different lists, this makes DirBuster extremely effective at finding
those hidden files and directories. And if that was not enough DirBuster also has the
option to perform a pure brute force, which leaves the hidden directories and files
nowhere to hide.
root@kali:~# dirbuster
Web Vulnerability Scanner
DAVTest
DAVTest tests WebDAV enabled servers by uploading test executable files, and then
(optionally) uploading files which allow for command execution or other actions
directly on the target. It is meant for penetration testers to quickly and easily
determine if enabled DAV services are exploitable.
deblaze
Through the use of the Flex programming model and the ActionScript language, Flash
Remoting was born. Flash applications can make request to a remote server to call
server side functions, such as looking up accounts, retrieving additional data and
graphics, and performing complex business operations. However, the ability to call
remote methods also increases the attack surface exposed by these applications. This
tool will allow you to perform method enumeration and interrogation against flash
remoting end points. Deblaze came about as a necessity during a few security
assessments of flash based websites that made heavy use of flash remoting. I needed
something to give me the ability to dig a little deeper into the technology and identify
security holes. On all of the servers Ive seen so far the names are not case sensitive,
making it much easier to bruteforce. Often times HTTP POST requests wont be logged
by the server, so bruteforcing may go unnoticed on poorly monitored systems.
fimap
fimap is a little python tool which can find, prepare, audit, exploit and even google
automaticly for local and remote file inclusion bugs in webapps. fimap should be
something like sqlmap just for LFI/RFI bugs instead of sql injection. Its currently
under heavy development but its usable.
Grabber
Grabber is a web application scanner. Basically it detects some kind of vulnerabilities
in your website. Grabber is simple, not fast but portable and really adaptable. This
software is designed to scan small websites such as personals, forums etc. absolutely
not big application: it would take too long time and flood your network.
Spider the web application to a depth of 1 (spider 1) and attempt SQL (sql) and XSS
(xss) attacks at the given URL (url http://192.168.1.224):
joomscan
Joomla! is probably the most widely-used CMS out there due to its flexibility, user-
friendlinesss, extensibility to name a few. So, watching its vulnerabilities and adding
such vulnerabilities as KB to Joomla scanner takes ongoing activity. It will help web
developers and web masters to help identify possible security weaknesses on their
deployed Joomla! sites.
Scan the Joomla installation at the given URL (-u http://192.168.1.202/joomla) for
vulnerabilities:
jSQL
jSQL Injection is a lightweight application used to find database information from a
distant server. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS
X, Solaris).
root@kali:~# jsql
PadBuster
PadBuster is a Perl script for automating Padding Oracle Attacks. PadBuster provides
the capability to decrypt arbitrary ciphertext, encrypt arbitrary plaintext, and perform
automated response analysis to determine whether a request is vulnerable to padding
oracle attacks.
Skipfish
Skipfish is an active web application security reconnaissance tool. It prepares an
interactive sitemap for the targeted site by carrying out a recursive crawl and
dictionary-based probes. The resulting map is then annotated with the output from a
number of active (but hopefully non-disruptive) security checks. The final report
generated by the tool is meant to serve as a foundation for professional web application
security assessments.
Using the given directory for output (-o 202) , scan the web application URL
(http://192.168.1.202/wordpress):
Uniscan
Uniscan is a simple Remote File Include, Local File Include and Remote Command
Execution vulnerability scanner.
Scan the given URL (-u http://192.168.1.202/) for vulnerabilities, enabling directory
and dynamic checks (-qd):
w3af
w3af is a Web Application Attack and Audit Framework which aims to identify and
exploit all web application vulnerabilities. This package provides a graphical user
interface (GUI) for the framework. If you want a command-line application only,
install w3af-console. The framework has been called the metasploit for the web, but
its actually much more than that, because it also discovers the web application
vulnerabilities using black-box scanning techniques!. The w3af core and its plugins are
fully written in Python. The project has more than 130 plugins, which identify and
exploit SQL injection, cross site scripting (XSS), remote file inclusion and more.
root@kali:~# w3af