[COURSE_PTHE] 12. Hacking Web Servers

1. Introduction: Black-Box Web Server Testing (Hacking Web Servers)

    Want to learn about actual attacks on web servers and how to mitigate them? This lesson explores that and more, down to which current and older tools work best.

    Now we’re getting to the good stuff — Hacking Web Servers!

    In this module, you’ll learn about actual attacks on web servers.  You’ll cover variations in tools, techniques and results among the most popular web servers such as Microsoft and Apache, as well as explore other non-popular ones still in use.

    You’ll also learn manual techniques, advanced automated tools and the other penetration testing strategies.

    The topics explored in the Hacking Web Servers module include:

  • Whiteboard, which shows the interrelationship of all the basic components you’ll use in this module
  • And the following simulation labs:
    • dirBuster Lab
    • wpScan Lab

    Leo Dregier: In this module I want to talk about attacking the web server itself. Now, in today’s network you are going to hit a web server sooner or later. There are lots of inter-related components, everything from how the web servers communicate with databases, and that opens up another Pandora’s box like SQL injection or any sort of database injection. We are going to talk about the popular web servers like Microsoft and Apache, but then some of the not-so-popular ones as well. We are also going to talk about how to do a lot of this stuff manually in the beginner’s section, but in the advanced section I really want to start using advanced tools like Metasploit. So that is going to take off dramatically once we get to the advanced section. But all of this stems around the client and server architecture, the protocols that they use, and the methodologies in which you can manipulate them to ultimately get information disclosed to you, or to change something on the web server itself or how it is connected to a database. And then we will follow up with some best practices like patch management and logging and monitoring, to make sure that if somebody is attacking your web server, you know how to react to it defensively. So we will start off offensively but we will follow up and finish defensively. So there is lots to cover in the module, so let us get started.


2. Framework

    This whiteboard lecture addresses how to hack web servers. The purpose of ethical hacking is to evaluate the security of a network or system’s infrastructure. There are many different methods and techniques that are used when hacking web servers and it is important to understand all of them so we can learn how to prevent these attacks.

    In this module I want to talk about hacking web servers, which leads up to our next module on hacking the actual web applications. So let us take a look at this target. The first thing is to understand the landscape of what happens on the wild, wild web. Product-wise, IIS has about 70% of the market. Apache has a whopping 65% of the market, mostly because of the hosting services; it is real easy to duplicate and virtualize Apache as opposed to IIS. nginx comes in at 13%, and then everything else, Google and the like, makes up the rest of the market space. So most of what we do here is either going to be Apache based or Windows based. As for the impact, the results of what happens in the web server world if things were to go wrong: most likely website defacement. This is where somebody gets access to your stuff and puts some other banner or something on your homepage which basically says you have been hacked by so-and-so. Ultimately that can lead to some sort of compromise; you have yet to really determine what the compromise means, but a compromise is either in confidentiality, integrity, availability, authentication, user accounts, whatever it is. If somebody compromises your website, ultimately they can start tampering with the data. Tampering comes in very quickly, so it is either manipulating, changing the integrity, an attack against the integrity of your web servers, or theft of information. It could be things like credit cards or financial information; whatever it is, it is an attack on integrity, or an attack on confidentiality, or just stealing the stuff they have possession of. Or, what I think is more important, a pivot point: you get access to someone’s web server and that access is a pivot point for you to get into the internal network, and then you can have your way with the organization. So we typically use this front end / back end approach: if you can tap into the front end, use that as the pivot point.
Now you can go after the internal things like Active Directory or internal DNS, etc. So there are all sorts of techniques that can be used here. There is literally no shortage, and it does help to have a programming background here. It is not necessarily required, but there are lots of keywords and buzzwords that get real confusing really quick, so stay with me. Directory traversal: this is really navigating the web server’s directory in some way. We typically call this the ../ technique because that is an easy way to navigate up and down the directory tree. So you may want to start with wherever the web server is hosted, the directory on which the web server is hosted, and ../ ../ ../ all the way up to the root, and then go back down and grab something like a command prompt or something like that. Also HTTP response splitting: this is where the attacker sends code either to the client or to the web server, but nonetheless it has to go to the web server; you send multiple requests to the web server and then you get multiple responses back. So it is forcing the web server to basically send multiple responses back to what should be the attacker or the penetration tester, and then take advantage of web cache poisoning. Whatever web cache is on the web server, if you can poison it and insert your malicious code or something to that effect, well then the penetration tester can take advantage of that. SSH brute force: this is really trying to get inside the encrypted tunnels; if you can get in there, depending on the algorithm, but if you can get inside the encryption tunnels, good news for you, the penetration tester. Also the mail techniques are applicable here. Password cracking techniques have a little node here: dictionary, brute force or hybrid, any of those are technically fair game. Form tampering, command injection, sending a command to the server saying shut down or give me the command prompt or give me ipconfig, whatever it is.
Ultimately getting the application to execute operating system commands. Tampering with cookies or doing a buffer overflow attack; there is a whole module on that coming up. Denial of service or distributed denial of service, cross-site request forgery, SQL injection, cross-site scripting or even session hijacking. Notice that our web front ends are basically the portal through which all of these other styles of attack can come into play. So there is no shortage of really valuable pen testing techniques. So we talked about the techniques; let us talk about why this stuff happens to begin with. It is because web servers are built by developers, and not all developers are security people. Not all security people are developers, and frankly everybody is lazy these days. So you have unnecessary files, unnecessary backups, unnecessary configurations; you haven’t hardened your system, which increases the attack surface, which gives the penetration tester more options to go after. Plus there might be a conflict between security and functionality: functionality wants A, B, C, 1, 2 and 3 to happen, and then the security people are often considered the naggers, “you can’t do that because of A, B, C”, whatever it is. Typically the functionality part is going to win. We want the applications to function. Now security people are really the people going around making everybody’s lives miserable, as some say, but somebody has got to put the fun in functionality; I would like to think the security folks are the guys that do that. Default settings: if there are default settings, default configurations, default accounts, well, the pen tester is certainly going to try to take advantage of them. Permissions, default permissions: what directories are set up to read, write or execute, and if you can go after an executable directory…
Great. For example, if I can upload a page to any directory that is executable, well now I can upload the file, a PHP file, to that executable directory, and now I can run my own scripts and my own attacks from that. So you always look for vulnerable access control, misconfigurations in whatever shape they come. Default accounts, for example: the first account created is the administrator account, the second is normally the guest account. So the attacker knows this and is certainly going to try to go after that in terms of enumerating the accounts. Also plenty of security bugs and flaws; remember, we are in the business to make money. The industry is in the business to make money, so there is always a rush to get things to the marketplace. So we don’t take the regular security development or software development to the point where it is just perfect; it is normally get it out there, and whatever security weakness we find, we are going to go ahead and patch, etc. Also temporary certificates or temporary SSL: let us say that you protect the login features of your website, but as soon as you log in you go back to clear text. Well, that is a field of dreams for a penetration tester, because now you are outside of the encrypted session. Or improper authentication. How about no hardening, therefore you have a large attack surface that gives the penetration tester tons of space to go after. Or the fact that with Joomla, Drupal, WordPress, now anybody can be a programmer. So literally grandmoms could go to WordPress, start downloading it, and a few clicks later she can have her own point-and-click website. Well, grandmom is probably not going to be your penetration tester; apologies to all the grandmothers out here who are penetration testers. You know what I am talking about: it is basically programming out of a box. If anybody can do it, well then you subject yourself to the rest of the internet and anybody can start probing your websites.
Let us go up to methodology. The penetration testing methodology here is relatively simple. You basically do some information gathering, your footprinting, find out your attack surface. Is it Joomla or WordPress, is it Apache, is it IIS, is it nginx; what does your destination look like? Try to enumerate and footprint those services, and in some cases you can even just mirror the website. I am not a fan of mirroring tools because it is pretty aggressive, at least from the log file analysis point of view, because when you are looking at log files it literally looks like the whole website is getting ripped down. So I don’t like mirroring, but I do like mapping out a directory or an application through what appears to be normal browsing activity. This is where tools like Burp Suite come into play, because as you naturally surf, it slowly starts building that directory structure without just ripping the whole thing down. And then finally doing vulnerability scans and then exploitation. So you have to know what the weaknesses are so that you can ultimately exploit them. This is where the Metasploit framework has literally worked wonders for the world of penetration testers, because with a little bit of expertise you have just tons and tons of vulnerabilities, or exploits which take advantage of those vulnerabilities. A couple more vibes over here: the penetration tester is always looking for error messages, because just like from a functionality point of view you need an error message in order to fix something, well, a penetration tester needs an error message or some sort of verbose logging to ultimately give the penetration tester more ammunition to actually go after. Plus anonymous users or any sort of sample configuration or scripts; these are all valid for the pen tester. Remote admin capabilities: since we are all over the web, nobody wants to go to the office to do anything anymore.
So let us take advantage of remote administration. That becomes a problem now because hackers can go after these remote admin portals as well. Any sort of unnecessary services or misconfigurations, those are also additional reasons why. So now we have got the basic methodology of web server hacking; let us look at some of the most common countermeasures in the grand scheme of things. So patches: you should have a patch management process at this point. If you don’t, that is a problem. Alternative sites versus alternative servers: in the world of business continuity we have alternative sites, hot sites, warm sites or cold sites. You can also apply that similar style of thinking to an alternative server; in other words, if your primary server goes down, what about having a hot standby, or maybe even a cold site, that way you can keep your business up and running. Don’t do your testing in the production environment. It is real easy to go, okay, it is just a little file that you need to upload, upload it and be done with it. But realistically all of the testing should be done in the testing and validation environment, and those changes should go through a change control process and then ultimately get to your production environment. Also make sure that you have got backups, and if you require higher availability, make sure you can literally flip a switch and go to another server. Another countermeasure: hire me! What that means is hire someone like me to come in and show you the weaknesses and tell you what you are going to need to fix them. Then either you will fix them or you will hire somebody else to fix them; hire someone like ourselves. Get us involved; we have too much of an opinion and expertise on this stuff for you to blatantly ignore it. So the hire concept is: don’t be cheap about this stuff. You are always going to pay for it.
Your only choice in this is that it is cheaper proactively, up front, or much more costly if it is going to be reactive. If you have to detect and correct, it is always ten times more expensive than just proactively getting an opinion, having a penetration tester come in and look at this stuff. Do protocol analysis: if you are using things like SMTP, POP3, IMAP, monitor that stuff; if you are using directory services like LDAP, monitor it. Whatever your web service architecture looks like, actually monitor it. Do your protocol analysis, find out what is normal, have a baseline and be able to compare against it. Monitor accounts; that is another very, very easy one. How many useless accounts get created in your web application, or are you disabling them? Is there some sort of manual approval process, or can just anybody create an account for the sake of creating an account? Nowadays we associate the growth of accounts with productivity and we don’t want to delete anybody’s account for fear of making them upset, but realistically creating an account and validating an account should go hand in hand these days. Also monitor the files and directories: you may see a file uploaded to a website, but an exploit might happen two or three months later. They are just uploading the file to the website to see if anybody is looking, alright. It is kind of like breaking into a house: you might break in and be able to pick the lock, but that might not be the time to actually go and rip the television set out of the house. You might want to just get access to the house and then come back a month later when the people are on vacation and then take the television, to use an analogy from the physical world. Encryption, encryption, encryption: you can never encrypt enough. At the network layer with IPsec or equivalent, or at the application layer with SSL/TLS or some equivalent. Especially application layer encryption.
One of the things that happens in the home environment is that it is really easy on a Linksys router to go ahead and move something virtually from the inside of your network onto the DMZ by the click of a button inside your Linksys home router. Obviously if you are doing something out of the home that may be applicable, but you are certainly, at the click of a button, putting a whole server right out on the internet. You wouldn’t want to take that approach in the corporate environment; that is the equivalent of putting your security database right out on the internet, you know, at the click of a button. Have a good architecture: separate your presentation, your application and your data into three separate zones and monitor that with firewalls and intrusion detection, etc. Use good architecture, not just your classic academic DMZ picture. Actually separate it out; there are plenty of good resources if you actually want to know what that architecture looks like. Next, vulnerability scanning: do it yourself. Use tools like Nikto or Wikto or Nessus or any of the top ten vulnerability scanners out there and see what your own vulnerabilities are, proactively, yourself, and then fix the vulnerabilities, or at least validate that they are accurate. Don’t just not do it; that is literally like, you know, driving down the highway with no safety mechanisms whatsoever. It is a dangerous world out there; the world of the internet is no different than literally driving on the highway. So find out where you are weak before you get into your car and find out on the way that you got into an accident because your tyres were bald and didn’t have any tread. Proactively seek this stuff out. And then lastly the concept of data loss prevention, or DLP. These tools typically sell themselves, because you can get a loan of a piece of equipment for data loss prevention and you can see, as you are bringing stuff in the front door, somebody else is taking the stuff right out the back door.
So data loss prevention technologies are put in place to go ahead and define what the criteria are, what sensitive information is, like social security numbers, emails, accounts, banking statements, etc., and to monitor that, so that if you see someone emailing a social security number out, then that information gets quarantined and you have to get an exception if it is an authorized, legitimate use of that. So data loss prevention has really only come out in the last couple of years or so and started being mainstream. Remember, we didn’t have patch management processes or robust change management processes either, and it is just now that everybody is familiar with patch management or change management. I have seen plenty of change control boards and patch management processes, and most of them that I have seen, in my opinion, are a joke. They don’t serve the purpose, and here is how you know if you need help in the change management or patch management process: if everybody complains about it, you are not doing it right. Remember, change management is really your proactive way of getting into your environment to detect and correct things prior to going to production. If change management is just “got to go to the change management board again and get a waiver for this”, then it is a very reactive process and probably your client is wasting a lot of time and money jumping through the hoops. Change management should proactively be saving the company money if it is done correctly. If it is not, and you have it, it is not being done correctly. Then you have got to implement a Six Sigma methodology: find out your as-is and what your to-be should look like, and then go ahead and get to that ideal state, so that it actually works and saves you money. So all in all, hacking web servers covers a lot of technologies, most of the market share being IIS and Apache.
An easy methodology to go ahead and hack this stuff, lots of reasons why this stuff goes wrong, and a bunch of countermeasures that are basically common-sense oriented. So this is the setup for what we see in Hacking Web Applications, which is the next module. So let us go ahead and look at some examples.
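    The whiteboard's ../ technique is what a web server's path resolver has to refuse. The following is an added example, not code from the course or from any web server: a resolver that maps a request path onto an assumed document root (/var/www/html is a constructed value) and reports, rather than silently collapsing, any attempt to climb above that root, including percent-encoded, double-encoded and backslash variants and the %00 truncation trick.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root; not taken from the lecture


def fully_decode(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e%252f is seen as ../ instead of surviving a single decode."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return raw
        raw = decoded
    return raw


def resolve_under_root(request_path: str, web_root: str = WEB_ROOT):
    """Return (filesystem_path, verdict) for a URL path.

    verdict is one of:
      'ok'        - the path stays inside web_root (a '..' that only steps back
                    inside the tree, e.g. /images/../index.php, is fine)
      'traversal' - a '..' tried to climb above the document root, which is
                    the ../ ../ ../ walk the whiteboard describes
      'null-byte' - a %00 was used to truncate the path or its extension
    """
    # The query string (?id=1) is not part of the filesystem path.
    path = fully_decode(request_path.split("?", 1)[0])
    if "\x00" in path:
        return None, "null-byte"
    # IIS accepts backslashes as separators; normalise them before walking.
    path = path.replace("\\", "/")
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:            # nothing left to pop: we are above the root
                return None, "traversal"
            stack.pop()
            continue
        stack.append(segment)
    return posixpath.join(web_root, *stack), "ok"


if __name__ == "__main__":
    # Constructed sample requests: benign ones and the traversal variants above.
    for req in ("/index.php", "/images/../index.php?id=1",
                "/../../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",
                "/%252e%252e%252f%252e%252e%252fetc/passwd",
                "/..\\..\\windows\\win.ini", "/index.php%00.jpg"):
        print(f"{req:45} -> {resolve_under_root(req)}")
```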


3. Using DirBuster

    The first simulation lab in the Hacking Web Server module introduces you to dirBuster, a web application testing tool.

    dirBuster is an excellent tool for doing web application testing to target HTTP directories.  It runs on the Kali Linux system.

    In this lab, you’ll learn the mechanics behind targeted brute force application testing, how to define a specific GET/HEAD request, and observe a demonstration of why you must include “http://” in your target URL as part of this penetration testing task.

    You’ll also learn target sources for controlled Brute Force testing, and how to locate the specific file or directory path target.

    Hi, Leo Dregier here. I want to talk about a tool that I use when I do web application pen testing, that I actually run on the Kali operating system, called DirBuster. It comes out of an OWASP project and it is a pretty good tool. It is really straightforward and really easy to use. You can find the tool by going to the Kali Linux menu, going over to Web Applications and poking around in here; one place to find it is the Web Crawlers section, and you can see DirBuster right there. So once you open up the OWASP project you basically go right to the target URL and go ahead and put in the target. We are going to use http://www.linuxwarrior.com, and you can add :80 or not; it will work just fine without it, but just make sure that you actually incorporate the http in there as well, or else it will tell you to put it in. You can use just GET requests or switch between HEAD and GET requests; you can throttle the number of threads. Ten is relatively slow, so I recommend going a little bit faster, since I control this server, and you should be testing this out on servers that you own and control. You can go much, much faster, but clearly if you have an intrusion detection system on the system and you are doing 200 or 400 threads a minute, it will get really, really, really aggressive really, really quick. Next you can go to scanning type, and you have list based brute force or pure brute force. With pure brute force it goes through all of the alphabet, or you can go to list based brute force, and before we do this I want to show exactly how this is working. You can go into List Info here and this tells you the default lists that are included within your DirBuster application, and so one easy way to find these is basically just to search for these different lists, and one way I like to do this is to actually just search for a directory list.
So to prove something real quick, let us do locate directory-list, and this will prove that there are a whole bunch of directory lists which you can choose from. Otherwise what I recommend is just highlighting this, doing Ctrl+C to copy it, closing out and then pasting that into your list type, or you can specifically browse for them if you want to. But again, if you don’t know where exactly on your hard drive these are, well then that is where you do the locate command; it will find them for you. You can brute force directories, you can brute force files, you can be recursive or not. You can start at a particular directory if you know which one you are working with, and you can choose specific back-end application extensions like PHP or ASP, ASPX and things like that, and then basically set it and forget it. Go ahead and click on Start, and it looks like we do need to tweak a little bit, so I can open the file with the directory list in here. Basically the quick reason why is, let us do locate directory-list and let us go and find exactly where they are, and you can see that they are in /usr/share/dirbuster/wordlists, so put that in. Otherwise what you can do is just browse to it if you really want to take the easy way out. It is under /usr/share in this version of Kali; if you hit D here it will take you to the directories starting with D, and then you go find dirbuster, not too far behind. So here we go: dirbuster, click on icons not on names, go to your wordlists and then go ahead and pick it up. Since this is a UNIX system that I am actually testing, and I already know that, I am just going to go with lowercase, and we are just going to go with small. I am really arbitrarily picking anything right now just to prove that this works, and what I am proving here is that it will actually give you the full path; I could have just pasted this in here.
If I wanted to, but otherwise I would browse through it and you can get to the right list. Most people give up right here when they don’t know where to find a word list. But you should not stop just there because you can’t find something; you have to learn how to find it. So like I said, I showed you that with the locate command: locate directory-list, and that will tell you /usr/share, etc. Then go ahead and click Start, and now let us set it and forget it. This is where you go get a cup of coffee, you take a break and you come back a couple of hours later, because it will take some time to finish, and I am already pulling directories from here. So I found index.php, wp-content, I found mailman, pipermail, wp-includes (this is a WordPress site) and the cgi-bin; there could be variants there. And more importantly it also tells you the response here, and these responses are pretty important. A great example here is index.php; we have got a bunch of pop-ups here. So let us go back, so we got the response here: these 301s are redirects, and where there is a 403 it is going to be like permission denied. So each one of these actually means something, and you could easily Google these in terms of what is a 404 error. I guess just for posterity let us do that real quick: I will go to Google and search “what is a 403 error”, and it will tell you 403 Forbidden is an HTTP status code which means that access to the page or resource is forbidden, the long and short of it being that the permissions on the file or directory do not allow you to do it. If you didn’t know what 301 is you could go right back, switch 403 to 301, and it is basically “moved permanently”, etc. So that is how you research those and get familiar with those, and it will tell you the size of the file as well. So it tells you some basic stuff: I found 18 files or 10 directories, 400-some-odd files; it tells you the type right here.
If you want to sort by directory or file type it will actually tell you. Also you can see something like index.php is there. So if you wanted to try SQL injection from there you could do index.php?id=1 and try poking and prodding at the site that way. If I wanted to go to the WordPress content posts, I could try going after the back-end architecture through the PHP right there. It is telling you the speed down here, the parse queue, the total requests, and generally the time that it is actually going to take to finish, and as you can see, we are gaining a lot here; this is going to run for some time. So I am going to wait for this program to run, just because literally this video might be a couple of hours long. So let the program run, and look at it: you can do Tree View; I kind of like this a little bit better because of the hierarchical nature of the directory structure. So you can see something like students or academics, or even if you found something like login, username. Certain things are going to pop out at you a little bit more than others, so you can become familiar with what is popular and what is not. Also you can go to Errors, so you can get an idea of how this thing is actually being threaded as it goes through; so a lot of timeouts here, and that is mostly because of how it is trying things in the word lists and guessing things. You can pay attention to errors: I have got 430 in just a couple of minutes here, and that is going to skyrocket, especially if you are doing something like brute force, where by definition you are just trying all possible combinations to get somewhere. So I expect to have basically 99.99% errors and then one match; errors are good in that sense. Just let them run, and then at the very end you can stop it, etc., and then you can go back to the Scan Information over here. You can see if you want to pick it up from a particular directory or not.
So it will tell you the percent complete, etc. So this is a great way to learn about the destination target that you have and really take your intimacy with the web applications to the next level. Just like anything, there may very well be false positives here and you would want to qualify that. But I will tell you, if you really want to learn directory structures there is no better way than to use a directory brute forcing tool like DirBuster, because there are only 59 million possible combinations that this is going to try. How many do you have to learn before you get the idea? And then at the very, very end, once the whole word list has in theory completed running, you can get a report here. You can get a text based report, you can save it as XML or comma separated values, and choose the location that you want to save the report to. So if we do something like Desktop and then generate your report, it will go ahead and save that report there and then you can get an idea of what is in it. So here is your full text; you have sample lists, XML and comma separated values, and that is really it. That is by far the easiest way to start learning how these directories are built on the different types of systems, and the more you do this the more experience you will get with what looks normal and what becomes an anomaly, and the more anomalies you see, the more things start popping out at you. So literally, time on the console here is highly. Hope you enjoyed the video; don’t forget to check us out on Facebook, LinkedIn, YouTube and Twitter.
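    The lecture notes that a DirBuster run is almost all errors with the occasional hit, and that an intrusion detection system will notice it at a few hundred threads. This added example (not code from the course or from DirBuster) shows the defender's side: it parses Apache combined-format access log lines, which are constructed here with a stand-in user agent and example addresses, and flags any client whose requests inside a sliding time window are mostly 404s across many distinct paths, the signature the lecture's 99.99% errors leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: 10.0.0.5 browses normally (one stray 404 for favicon.ico);
# 203.0.113.7 walks a word list the way DirBuster does. The user agent is a
# stand-in; a real tool's UA string is trivially changed, so the detection
# below relies on the 404 ratio and path spread, not on the UA.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2015:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2015:13:55:37 +0000] "GET /wp-content/themes/twentyfourteen/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2015:13:55:38 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:56:01 +0000] "GET /admin HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:02 +0000] "GET /backup HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:03 +0000] "GET /config HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:04 +0000] "GET /db HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:05 +0000] "GET /login HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:06 +0000] "GET /old HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:07 +0000] "GET /phpmyadmin HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:08 +0000] "GET /test HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:09 +0000] "GET /tmp HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:10 +0000] "GET /uploads HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:11 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:12 +0000] "GET /images HTTP/1.1" 301 312 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2015:13:56:13 +0000] "GET /index.php HTTP/1.1" 200 5321 "-" "DirBuster-1.0-RC1"
"""


def parse_line(line):
    """Return (ip, timestamp, path, status, user_agent) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"]), m["ua"]


def detect_directory_bruteforce(log_text, min_requests=8, not_found_ratio=0.7,
                                window_seconds=60):
    """Flag clients that, within any window_seconds span, made at least
    min_requests requests to that many distinct paths with a 404 share of
    not_found_ratio or more. Real DirBuster runs push the share toward 99%;
    the threshold is kept lower so a short sample still trips it."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec[0]].append(rec[1:])   # (ts, path, status, ua)

    alerts = {}
    for ip, events in per_client.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(events):
            window = [e for e in events[i:]
                      if (e[0] - start).total_seconds() <= window_seconds]
            if len(window) < min_requests:
                continue
            not_found = sum(1 for e in window if e[2] == 404)
            distinct = len({e[1] for e in window})
            ratio = not_found / len(window)
            if ratio >= not_found_ratio and distinct >= min_requests:
                alerts[ip] = {"requests": len(window), "not_found": not_found,
                              "ratio": round(ratio, 2), "distinct_paths": distinct,
                              "user_agent": window[0][3],
                              "first_seen": start.isoformat()}
                break   # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_directory_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info}")
```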



4. Using WPScan

    This lesson demonstrates how to do a vulnerability scan on web server applications to target WordPress sites. This lesson specifically uses WordPress (WP).

    This next lab in the Hacking Web Servers module introduces you to WPScan.

    WPScan stands for WordPress Scan.

    You’ll learn the different target types you can execute such as password lists, user names, as well as site paths.  This direct application approach is key to helping you identify how tools work, particularly since that might vary from one web server application to another.

    Hey, Leo Dregier here. I want to talk to you about a utility called WPScan, the WordPress scanner. You can use this application in web application pen testing to get a basic idea, sort of a vulnerability scan of web applications, particularly WordPress sites. So what we are going to do is, I am going over to my Kali / BackTrack penetration testing system, and you can pull up this utility a couple of different ways. You can go into Kali Linux, go over to Web Applications, go over to CMS Identification and then choose WPScan, or you can go ahead and just type it from the command prompt. It is really easy: you basically just type in wpscan, hit Enter, and it will basically tell you some basic stuff. WPScan, the WordPress Security Scanner by the WPScan Team; it tells you the version of the tool, who has sponsored the project, and then some different examples. So ruby ./wpscan.rb --help, or --url and then the particular URL that you want, or you can use a specific word list to do password brute force attempts. You can do that specifically for admin, and it will show you how you can incorporate a wordlist, and there are many word lists already included in the Kali penetration testing operating system, and try to brute force the login information. How to enumerate installed plugins to see what is installed on it. How to find out what themes are relevant to the WordPress site. How to enumerate what users there are; it is just the example --enumerate u. How to look at installed timthumbs. How to use HTTP proxies, or a SOCKS proxy, which is a bit more rare. How to look for content directories other than the default directory names, like wp-content or whatever directory. Using custom plugins, updating the database itself. So that is easy; if you literally wanted to update this you can just copy this and run update. That is easy enough to do: you can do ruby ./wpscan.rb --update and let the update run.
And you are going to run this from the directory. It is a little bit easier if you are doing it that way – I have already updated it using a different directory here. You can take that out and get the actual update or the update run. I am not going to worry about that here and now. Actually just want to show you the skin, the URL and you are going to use the before //url and don’t forget to include the http://linuxwarrior.com and basically just let that run and it will take a couple of minutes for it to enumerate the alpha because it is working in the background. So we want to talk freely here about it. Now when you are doing the application pen testing it is very, very similar of a life cycle to regular hacking and ethical hacking and penetration testing life cycles. You want to do your foot print your skin, your reconnaissance your enumeration and then of course the one at the top of glory the actual system hacks. So in this case this is what found as scanning or web application vulnerability scanning specifically. So it is not very much I mean normally the difference is penetration testing and ethical hacking and things like that. They normally are for networks or operating systems where web application vulnerability and penetration testing is more for web servers specifically. Similar life cycles except your targets are exclusively web targets as opposed to networks and operating systems. So what you can see here is the URL so great make sure you type that correctly. Your skin started here it will give you a little time stamp, the WordPress site defines a little readme.html file and you want to go ahead and open that. Specifically because if there is a readme sometimes these readme files can actually disclose the different versions of things in them. So we will just go ahead and open that up and in this case you can see a plauser version 3.9.3 and this is a standard WordPress readme file. 
So what I would always recommend doing is deleting this file of course I have got a test website here that I am testing all of this up. I own and I control so it has not been hardened but it also tells me the php version 5.2.4 mySQL so it is using the limp architecture php mySQL etc. mySQL is running at version 5 or higher and you would have to question if the mod_apache module is actually configured appropriately at this point. The mod_apache module what that does is that it changes your URLs and allows you to rewrite the extensions. So that you don’t have .php and things like listed in your URL. Sometimes we call those search engine friendly URLs when you try to hide things Like aspX or php because then you can basically start guessing queries like ID=1 or something like that. So you would want to ultimately get rid of that. But it is clearly indicative of a WordPress site or somebody’s taken a lot of effort to try to mimic a WordPress site which I would then in turn validate this by looking at the directory structure and if I see something like wpadmin and wpcontent or content or somebody like that. Then it is probably spot on but the impact is a word press site. So it has found the readme file – full path disclosure or fpd and you can see the wp include – rss functions. So that is disclosed – it has found that it was an apache webserver also found the interesting header that is powered by php5.3 and the readme file I believe we only knew that it was greater than 5.0 and found the XML RPC interface. So you would have to wonder if that is found the boom. The WordPress version is 393 – we got that out of the help me file. The WordPress theme in this case is actually knows that it is a 2014 theme. 
The name the location of the theme and any sort of content that you can find that is related to that and it is pretty indicative because you get the plus sign here and just dashes and this is all part of the same header if you will and the reason why these themes are good is because sometimes people use themes. They don’t update the themes and there is vulnerability specifically related to them and you can exploit the system by going after the theme in itself. Enumerating plugins from passive detection, no plugins found which would not be a false positive because this tool cannot find them because there is plugins on this website. Then your skin finished – the date and time in which it finished. The memory that was used and the total time about two minute and thirty one seconds. So within a couple of minutes I can get a basic recon from a scanning utility which is a ruby script and get a basic idea of what my target is. So if we kind of go back to this and look at the help and again you can just do a wp scan here to give you the syntax. You can start looking at different options in here. There is more to it, it is not just doing a WordPress scanner and that is it. You can look for users – you can do http proxies look for themes and plugins and things like that – so if I wanted to really push the enumeration. I would just redo my skin and would just do enumerate-p which is the enumerate plugins. So that would be dash – dash enumerate p and that will check the syntax. it is just a p dash and then go ahead and run that again. And again the skinner will now look for that one specific sub model, so at first I would like to do this and run it as a complete – tell me everything you can find and then you can poke and prod and just look at some of the specifics but definitely look at the latest and greatest version. Throw it against your target – see what you get document all of this and if you wanted to document this I would just control C. 
So that is why we have got a bunch of airs here. If i want to document this I just want to redirect the output here to wp scan.txt and then all my output would be dumped right there. So if I just less file wp scan – you can see where the content would be – you got to get a couple of more minutes to run. But other than that – that is it – it is a great quick sand b check especially if you know the type of site that you are looking at and then you can and if it is WordPress then you can go into that detail specifically. So hope you enjoy the video my name is Leo Dregier. Don’t forget to check this out on Cybrary Facebook, LinkedIn, Youtube, Twitter and connect share and the cool part of the Cybrary website is this is the network that you are building. You have to make this an awesome product. So I look forward to all the connection requests and sharing that is about to come. My Leo Dregier thank you for watching.
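As an added example that is not part of the video or of WPScan itself, here is a small Python triage script that turns the kind of scan output the video walks through (the exposed readme.html, the X-Powered-By header, XML-RPC, WordPress version and theme) into a hardening checklist. The sample output is constructed to approximate WPScan's `[+]`/`[!]` line format rather than captured from a real run, and every remediation beyond deleting readme.html is a standard Apache/PHP setting assumed here, not advice from the video.

```python
import re

# Constructed sample approximating the text layout of a WPScan 2.x run
# against the test site named in the video; this is not a captured scan.
SAMPLE_OUTPUT = """\
[+] URL: http://linuxwarrior.com/
[+] Started: Wed Sep 30 22:07:00 2015
[!] The WordPress 'http://linuxwarrior.com/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-POWERED-BY: PHP/5.3
[+] XML-RPC Interface available under: http://linuxwarrior.com/xmlrpc.php
[+] WordPress version 3.9.3 identified from advanced fingerprinting
[+] WordPress theme in use: twentyfourteen - v1.1
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Finished: Wed Sep 30 22:09:31 2015
"""

# One regex per finding; a capture group means the value is recorded,
# no group means the finding is only flagged as present.
PATTERNS = {
    "readme_exposed": re.compile(r"readme\.html' file exists"),
    "php_version": re.compile(r"X-POWERED-BY: PHP/([\d.]+)", re.I),
    "server": re.compile(r"Interesting header: SERVER: (\S+)", re.I),
    "xmlrpc": re.compile(r"XML-RPC Interface available"),
    "wp_version": re.compile(r"WordPress version ([\d.]+)"),
    "theme": re.compile(r"WordPress theme in use: (\S+)"),
}

# Defender-side follow-ups, keyed by the finding that triggers them
# (readme deletion is the video's advice; the rest are assumed standard settings).
REMEDIATION = {
    "readme_exposed": "delete readme.html (and license.txt) from the web root",
    "php_version": "hide the PHP version: expose_php = Off in php.ini",
    "server": "trim the Server header: ServerTokens Prod and ServerSignature Off",
    "xmlrpc": "disable or restrict xmlrpc.php unless a client needs it",
    "wp_version": "update WordPress core and remove the generator meta tag",
    "theme": "keep the theme updated and remove unused themes",
}

def parse_wpscan_output(text):
    """Reduce the scan's [+]/[!] lines into a dict of findings."""
    findings = {"readme_exposed": False, "xmlrpc": False}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings[key] = m.group(1) if m.groups() else True
    return findings

def triage(text):
    """Return the remediation list for every finding present in the output."""
    findings = parse_wpscan_output(text)
    return [REMEDIATION[k] for k in REMEDIATION if findings.get(k)]
```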

posted @ 2015-09-30 22:07  It's_Lee