In this article, you will learn how to compromise a WordPress website’s credentials using different brute forcing techniques.
Table of Contents
· Pre-requisites
· WPscan
· Metasploit
· Burp Suite
· How to avoid a Brute Force Attack?
Pre-requisites:
Target: WordPress
Attacker: Kali Linux (WPscan), Burp Suite (Intruder)
WPscan
WPscan is a command line tool used as a black box vulnerability scanner for WordPress. It is commonly used by security professionals and bloggers to test the security of their websites. WPscan comes pre-installed on most security-focused Linux distributions and is also available as a plug-in.
Here, I am using a WordPress website hosted on localhost, as you can see in the image below.
While brute forcing you can either use your own lists of common usernames and passwords or the ones provided with Kali Linux. I have used the rockyou.txt password file, which comes with the standard Kali installation and contains 14341564 unique passwords.
wpscan --url http://192.168.1.100/wordpress/ -U users.txt -P /usr/share/wordlists/rockyou.txt
--url is the URL parameter, followed by the URL of the WordPress website to be scanned.
-U brute-forces only the supplied usernames, in our case those in users.txt.
-P brute-forces the passwords from the provided list, rockyou.txt.
The scan duration mainly depends on how large the password dictionary is, and because we are mapping a large number of users against an even larger number of passwords, it can also degrade the website’s performance if left running for a long time.
The screen shows the attack as a success, with the username admin and the password flower.
Metasploit
As Metasploit comes pre-installed with Kali Linux, our first step is to open the Metasploit console and run the WordPress module shown below.
This module performs a username and password audit: it first validates the usernames and then maps the passwords against them.
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.100
msf auxiliary(wordpress_login_enum) > set targeturi /wordpress
msf auxiliary(wordpress_login_enum) > set user_file user.txt
msf auxiliary(wordpress_login_enum) > set pass_file /pass.txt
msf auxiliary(wordpress_login_enum) > exploit
Yet again, a successful brute force login with the credentials “Admin and flower” can be seen in the following screenshot.
Burp Suite
For this, install Burp Suite Community Edition or use the one that comes pre-installed in Kali Linux. Fire up Burp Suite, open the WordPress login page, and turn on the Intercept tab in Burp Proxy. Next, supply any username and password of your choice to log in to the WordPress website; Burp will intercept the login request you just sent.
Look at the image below and notice the last line of the intercepted message: it shows the captured login credentials as raj:raj, which I used as the username and password respectively. Next, send the captured message to Intruder by right-clicking in the message area and choosing the Send to Intruder option, or by pressing Ctrl + I. If you are not familiar with how Burp Intruder works, go through this article first (https://www.hackingarticles.in/beginners-guide-burpsuite-payloads-part-1/).
Now open the Intruder tab and you can see the base request that we sent. Select the Positions tab; by default multiple positions are selected, and they are marked with § characters. Anything between two § characters is replaced by a payload. We don’t need all of them right now, so click the Clear button at the bottom right corner of the editor window.
Next, select the positions as shown in the screenshot and click the Add button to the right of the frame. This configures the two selected positions as payload insertion points. Now customize the attack by selecting the attack type. As we have 2 payload positions, I am choosing Cluster bomb. (This attack type is useful for a brute-force attack: it puts the first payload in the first position and the second payload in the second position, and as it loops through the payload sets it tries every combination. For example, if you have 1000 usernames and 1000 passwords, it will perform 1000000 requests.)
Now hit the Start attack button.
In the Payloads tab, click the Payload set drop-down; here you can see the numbers 1 and 2. Select 1 for the first payload position and choose Simple list as the payload type; this lets you configure a simple list of strings that are used as payloads. You can add items to the list manually using the text box and the Add button, paste a list from the clipboard, or load one from a file.
Similarly, select 2 for the other payload position and choose Runtime file as the payload type; this is useful when a very large list of payloads is needed, as it avoids holding the entire list in memory. Add the path of any dictionary file that contains passwords only.
Click on Start attack.
Intruder will try every combination of the two payloads as a login attempt, as you can see below. By paying attention to the Status and Length columns you can see that the combination admin and flower has status 302 and length 1203, which differs from every other combination, indicating that this is the result we are looking for. Hence the username and password are admin and flower respectively.
How to avoid a Brute Force attack?
One can certainly avoid these attacks by taking some precautionary measures, such as the following:
Password Length: Passwords should ideally be 8-16 characters long. It is important to avoid the most common passwords and to change them frequently.
Password Complexity: A password should consist of UPPERCASE and lowercase letters and should also include numbers and special characters. Users should choose complex passphrases rather than single words; the complexity of the password slows down the cracking process.
Limit Login Attempts: Limit the login attempts on your WordPress admin. For example, after three failed login attempts it should block that particular IP for a certain period of time to stop it from making further login attempts.
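As an added example (not part of the original article), the Python script below applies the same signal the Intruder results show, a 302 redirect for a successful login versus a 200 re-rendered form for a failed one, to web server access logs: it counts failed POSTs to wp-login.php per IP within a time window, flags IPs that reach the three-failure threshold suggested above, and flags a success that follows that many failures. The log lines, addresses and sizes are constructed; the Apache combined log format and the 200/302 behaviour of wp-login.php are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format, made-up addresses and sizes).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2023:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3821
192.168.1.50 - - [10/Mar/2023:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3821
192.168.1.50 - - [10/Mar/2023:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3821
192.168.1.50 - - [10/Mar/2023:10:00:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3821
192.168.1.50 - - [10/Mar/2023:10:00:05 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 1203
192.168.1.77 - - [10/Mar/2023:10:00:09 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3821
192.168.1.77 - - [10/Mar/2023:10:00:10 +0000] "GET /wordpress/ HTTP/1.1" 200 9102
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def analyze(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return (blocked_ips, compromised_ips). A failed WordPress login is a POST to
    wp-login.php answered with 200 (form re-rendered); a success is a 302 redirect.
    An IP reaching max_failures failures inside the window should be blocked; a 302
    from that IP after that many failures means the guessing succeeded."""
    failures = defaultdict(list)          # ip -> timestamps of recent failures
    blocked, compromised = set(), set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        recent = [t for t in failures[ip] if when - t <= window]
        if status == 200:
            recent.append(when)
            if len(recent) >= max_failures:
                blocked.add(ip)
        elif status == 302 and len(recent) >= max_failures:
            compromised.add(ip)
        failures[ip] = recent
    return blocked, compromised
```

On the sample log, 192.168.1.50 is both blocked (four failures in a row) and flagged as compromised (the 302 that follows them), while the single failure from 192.168.1.77 triggers nothing.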
Two Factor Authentication: The next way to be secure from brute forcing is two-factor authentication, or 2FA. This is a process in which the web service obtains a secondary confirmation from the account owner in order to verify a login attempt. Generally, this involves a phone number and/or an email address.
Using Captcha: Installing a captcha on your WordPress site is fairly easy, and it helps prevent bots from running automated scripts to log in to your account.
Install a WordPress Firewall Plugin: Even unsuccessful brute force attacks can slow down your website or completely crash the server. This is why it’s important to block them, and to do that you’ll need a website firewall solution. A firewall filters out bad traffic and blocks it from reaching your site.
Cloudflare: It is a well-known service that provides a protective shield against brute force attacks.
Install and Set Up a WordPress Backup Plugin: If everything fails, one must have a backup plan!