
How to use WPScan WordPress Scan Kali Linux Vulnerability Scan + Snort Rule Example

Running a WordPress site means you always have to be on the ball when it comes to updating your plugins, themes and WordPress itself. It is a good idea to scan your own site on a regular basis using simple tools built into Kali, such as wpscan and sqlmap. You don't have to be too intrusive if you're worried about crashing your server, but it is always best to back up your site and hammer it as hard as you can during off-peak hours if you have them. Here are some simple tests you can run against your WordPress site:

Using wpscan from the command line:

First update the wpscan vulnerability database before scanning (wpscan --update).

- Do 'non-intrusive' checks ...
wpscan --url www.example.com

- Do a wordlist password brute force against the enumerated users using 50 threads ...
wpscan --url www.example.com --wordlist darkc0de.lst --threads 50

- Do a wordlist password brute force against the 'admin' username only (which you should have renamed!) ...
wpscan --url www.example.com --wordlist darkc0de.lst --username admin

- Enumerate installed plugins ...
wpscan --url www.example.com --enumerate p

- Enumerate installed themes ...
wpscan --url www.example.com --enumerate t

- Enumerate users ...
wpscan --url www.example.com --enumerate u

- Enumerate installed timthumbs ...
wpscan --url www.example.com --enumerate tt

These are some basic scans you can run, but always confirm any findings, as there can always be false positives. Here is an example of a user enumeration scan against this site (I do have a plugin to detect these attacks, which you'll see fools wpscan):

root@kali:/etc/sudoers.d# wpscan --url www.computersecurity.org --enumerate u
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://www.computersecurity.org/
[+] Started: Fri Feb 19 19:36:59 2016

[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /usr/share/wpscan
[+] Identified the following 10 user/s:
+----+------------------+---------------------------+
| Id | Login            | Name                      |
+----+------------------+---------------------------+
| 1  | admin            | Posts by admin            |
| 2  | nedthrelkeld     | Posts by NedThrelkeld     |
| 3  | alejandrocastell | Posts by AlejandroCastell |
| 4  | yfhcarley34435   | Posts by YFHCarley34435   |
| 5  | lashaybrubaker   | Posts by LashayBrubaker   |
| 6  | terrancethayer   | Posts by TerranceThayer   |
| 7  | mallorygottschal | Posts by MalloryGottschal |
| 8  | marcel6116       | Posts by Marcel6116       |
| 9  | kerrytitsworth7  | Posts by KerryTitsworth7  |
| 10 | arronbarraza71   | Posts by ArronBarraza71   |
+----+------------------+---------------------------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Fri Feb 19 19:38:01 2016
[+] Requests Done: 82
[+] Memory used: 130.32 MB
[+] Elapsed time: 00:01:01

 

I can assure you, I do not have an account named "admin"; it is detecting it from posts on the site that are tagged "Posted by admin". However, if you do actually have an account named "admin", I would advise changing it, as typical attackers will attempt brute-force attacks against that username (also install plugins to prevent brute force and adjust WordPress settings accordingly to deny failed login attempts).

By default, the traffic generated for the scan above looks like this in a packet capture (the request carrying the WPScan User-Agent is the part worth noting):

2016-02-19 19:35:41.903429 IP 192.168.1.100.35356 > 104.238.84.235.80: Flags [S], seq 3308505360, win 29200, options [mss 1460,sackOK,TS val 392292628 ecr 0,nop,wscale 7], length 0
2016-02-19 19:35:41.990245 IP 104.238.84.235.80 > 192.168.1.100.35356: Flags [S.], seq 3619129687, ack 3308505361, win 14480, options [mss 1460,sackOK,TS val 2237980975 ecr 392292628,nop,wscale 7], length 0
2016-02-19 19:35:41.990291 IP 192.168.1.100.35356 > 104.238.84.235.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 392292650 ecr 2237980975], length 0
2016-02-19 19:35:41.990356 IP 192.168.1.100.35356 > 104.238.84.235.80: Flags [P.], seq 1:152, ack 1, win 229, options [nop,nop,TS val 392292650 ecr 2237980975], length 151: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: www.computersecurity.org
Accept: */*
Referer: http://www.computersecurity.org/
User-Agent: WPScan v2.9 (http://wpscan.org)

2016-02-19 19:35:42.074058 IP 104.238.84.235.80 > 192.168.1.100.35356: Flags [.], ack 152, win 122, options [nop,nop,TS val 2237981064 ecr 392292650], length 0
2016-02-19 19:35:44.591889 IP 104.238.84.235.80 > 192.168.1.100.35356: Flags [.], seq 1:1449, ack 152, win 122, options [nop,nop,TS val 2237983580 ecr 392292650], length 1448: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 20 Feb 2016 00:35:32 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.33
Link: <http://www.computersecurity.org/wp-json/>; rel="https://api.w.org/"
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

2016-02-19 19:35:44.591926 IP 192.168.1.100.35356 > 104.238.84.235.80: Flags [.], ack 1449, win 251, options [nop,nop,TS val 392293301 ecr 2237983580], length 0
2016-02-19 19:35:44.592134 IP 104.238.84.235.80 > 192.168.1.100.35356: Flags [.], seq 1449:2897, ack 152, win 122, options [nop,nop,TS val 2237983580 ecr 392292650], length 1448: HTTP
...skipping...
2016-02-19 19:38:01.531633 IP 104.238.84.235.80 > 192.168.1.100.35430: Flags [.], ack 11332, win 499, options [nop,nop,TS val 2238120518 ecr 392327518], length 0
2016-02-19 19:38:01.532078 IP 104.238.84.235.80 > 192.168.1.100.35452: Flags [F.], seq 199639, ack 166, win 122, options [nop,nop,TS val 2238120518 ecr 392327518], length 0
2016-02-19 19:38:01.532101 IP 192.168.1.100.35452 > 104.238.84.235.80: Flags [.], ack 199640, win 1444, options [nop,nop,TS val 392327536 ecr 2238120518], length 0
2016-02-19 19:38:01.542743 IP 104.238.84.235.80 > 192.168.1.100.35432: Flags [.], ack 209, win 122, options [nop,nop,TS val 2238120529 ecr 392327521], length 0
2016-02-19 19:38:01.546346 IP 104.238.84.235.80 > 192.168.1.100.35450: Flags [F.], seq 118280, ack 162, win 122, options [nop,nop,TS val 2238120533 ecr 392326311], length 0
2016-02-19 19:38:01.546362 IP 192.168.1.100.35450 > 104.238.84.235.80: Flags [.], ack 118281, win 1156, options [nop,nop,TS val 392327539 ecr 2238120533], length 0
2016-02-19 19:38:01.547365 IP 104.238.84.235.80 > 192.168.1.100.35436: Flags [F.], seq 118288, ack 161, win 122, options [nop,nop,TS val 2238120533 ecr 392326311], length 0

A simple Snort rule to detect anyone scanning your site with WPScan's default settings would be something like this, provided you have the http_inspect preprocessor enabled. It keys on the default User-Agent string seen in the capture above, so it only catches scans that have not changed that header:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"WPScan in progress"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: WPScan"; http_header; tag:session,60,seconds; reference:url,www.computersecurity.org/?p=10492; classtype:web-application-activity; sid:9999123; rev:1;)
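As an added example (not from the original post), here is the same pair of conditions applied offline to web server access logs, for sites that have no Snort sensor in front of them: it parses Apache combined-format lines, flags GET requests carrying the default WPScan User-Agent, and groups hits per source IP against the rule's 60-second tagging window. The log lines, IPs and host name in it are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)  # same span as the rule's tag:session,60,seconds

# Constructed sample log: one normal browser visit, then a WPScan v2.9 run
# from 192.168.1.100 using the default User-Agent seen in the capture above.
SAMPLE_LOG = """\
192.168.1.50 - - [19/Feb/2016:19:35:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
192.168.1.100 - - [19/Feb/2016:19:35:41 +0000] "GET / HTTP/1.1" 200 135163 "http://www.example.org/" "WPScan v2.9 (http://wpscan.org)"
192.168.1.100 - - [19/Feb/2016:19:35:44 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "http://www.example.org/" "WPScan v2.9 (http://wpscan.org)"
192.168.1.100 - - [19/Feb/2016:19:36:02 +0000] "GET /wp-json/ HTTP/1.1" 200 9800 "http://www.example.org/" "WPScan v2.9 (http://wpscan.org)"
192.168.1.100 - - [19/Feb/2016:19:38:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v2.9 (http://wpscan.org)"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry

def is_wpscan_request(entry):
    """The Snort rule's two conditions: GET method plus a User-Agent header
    beginning with WPScan. A POST with the same User-Agent does not match."""
    return entry["method"] == "GET" and entry["ua"].startswith("WPScan")

def find_scans(lines, window=WINDOW):
    """Per source IP: how many matching requests, how long the burst lasted,
    and whether it all fell inside one tagging window."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_wpscan_request(entry):
            hits[entry["ip"]].append(entry["ts"])
    return {
        ip: {"requests": len(ts),
             "duration_s": int((max(ts) - min(ts)).total_seconds()),
             "within_one_tag_window": max(ts) - min(ts) <= window}
        for ip, ts in hits.items()
    }
```

The POST in the sample shows the rule's blind spot as written: the `http_method` check means only GET requests fire, so pair it with login-attempt monitoring on the server itself.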
