24 Aug 2012

Auditing a WordPress Site (Part V)

Hello everyone. Today we continue the WordPress audit process by attacking authentication with Metasploit. There are other tools and scripts around the Internet that also work very well, but Metasploit is probably one of the simplest to use and one of the most powerful.

Metasploit published a module for CVE-2009-2335:

WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

The module is called "Wordpress Brute Force and User Enumeration Utility". You can download the module's source code here. It is a fairly complete module; its options are listed below:

BLANK_PASSWORDS - Try blank passwords for all users (default: true)
BRUTEFORCE - Perform brute force authentication (default: true)
BRUTEFORCE_SPEED - How fast to bruteforce, from 0 to 5 (default: 5)
PASSWORD - A specific password to authenticate with
PASS_FILE - File containing passwords, one per line
Proxies - Use a proxy chain
RHOSTS - The target address range or CIDR identifier
RPORT - The target port (default: 80)
STOP_ON_SUCCESS - Stop guessing when a credential works for a host
THREADS - The number of concurrent threads (default: 1)
URI - Define the path to the wp-login.php file (default: /wp-login.php)
USERNAME - A specific username to authenticate as
USERPASS_FILE - File containing users and passwords separated by space, one pair per line
USER_AS_PASS - Try the username as the password for all users (default: true)
USER_FILE - File containing usernames, one per line
VALIDATE_USERS - Enumerate usernames (default: true)
VERBOSE - Whether to print output for all attempts (default: true)
VHOST - HTTP server virtual host
BasicAuthPass - The HTTP password to specify for basic authentication
BasicAuthUser - The HTTP username to specify for basic authentication
DOMAIN - The domain to use for windows authentification
DigestAuthIIS - Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DigestAuthPassword - The HTTP password to specify for digest authentication
DigestAuthUser - The HTTP username to specify for digest authentication
FingerprintCheck - Conduct a pre-exploit fingerprint verification
MaxGuessesPerService - Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
MaxGuessesPerUser - Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
MaxMinutesPerService - Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
NTLM::SendLM - Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM - Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN - Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required
NTLM::UseLMKey - Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session - Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2 - Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
REMOVE_PASS_FILE - Automatically delete the PASS_FILE on module completion
REMOVE_USERPASS_FILE - Automatically delete the USERPASS_FILE on module completion
REMOVE_USER_FILE - Automatically delete the USER_FILE on module completion
SSL - Negotiate SSL for outgoing connections
SSLVersion - Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
ShowProgress - Display progress messages during a scan
ShowProgressPercent - The interval in percent that progress should be shown
UserAgent - The User-Agent header to use for all requests
WORKSPACE - Specify the workspace for this module
HTTP::header_folding - Enable folding of HTTP headers
HTTP::method_random_case - Use random casing for the HTTP method
HTTP::method_random_invalid - Use a random invalid, HTTP method for request
HTTP::method_random_valid - Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers - Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count - How many fake headers to insert into the HTTP request
HTTP::pad_get_params - Insert random, fake query string variables into the request
HTTP::pad_get_params_count - How many fake query string variables to insert into the request
HTTP::pad_method_uri_count - How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type - What type of whitespace to use between the method and uri (accepted: space, tab, apache)
HTTP::pad_post_params - Insert random, fake post variables into the request
HTTP::pad_post_params_count - How many fake post variables to insert into the HTTP request
HTTP::pad_uri_version_count - How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type - What type of whitespace to use between the uri and version (accepted: space, tab, apache)
HTTP::uri_dir_fake_relative - Insert fake relative directories into the uri
HTTP::uri_dir_self_reference - Insert self-referential directories into the uri
HTTP::uri_encode_mode - Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random)
HTTP::uri_fake_end - Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start - Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url - Use the full URL for all HTTP requests
HTTP::uri_use_backslashes - Use back slashes instead of forward slashes in the uri

As you can see, it is not short on options :) It lets you do anything from using a proxy and/or changing the user agent of the requests to running dictionary attacks against passwords, trying every user with a blank password, and so on. It also lets you enumerate users, just as W3af did.

We will get a lot of use out of it in a WordPress audit, but keep in mind that we will leave a large trail in the logs and increase the load on the server, so be careful when using it.
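That trail in the logs is also what the defender gets to work with. As an added example (not from the original post), the Python below scans constructed Apache-style access-log lines for clients that POST to wp-login.php repeatedly within a short window, and flags a 302 redirect (WordPress's successful-login response) that arrives after a run of 200s (the form re-rendered on a failed login). The threshold, window, log format and sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (regex written for the constructed lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def build_sample():
    """Constructed sample log: one client guessing at wp-login.php, one ordinary visitor."""
    tmpl = '{ip} - - [24/Aug/2012:10:00:{sec:02d} +0200] "{m} {p} HTTP/1.1" {st} 3821 "-" "Mozilla/5.0"'
    lines = [tmpl.format(ip="203.0.113.7", sec=i, m="POST", p="/wp-login.php", st=200)
             for i in range(8)]                       # 8 failed guesses: WordPress re-renders the form with 200
    lines.append(tmpl.format(ip="203.0.113.7", sec=9, m="POST", p="/wp-login.php", st=302))   # 9th: redirect = success
    lines.append(tmpl.format(ip="198.51.100.4", sec=5, m="GET", p="/wp-login.php", st=200))   # normal visitor opens form
    lines.append(tmpl.format(ip="198.51.100.4", sec=20, m="POST", p="/wp-login.php", st=302))  # logs in on first try
    return lines

def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=60), path="/wp-login.php"):
    """Return {ip: {"attempts", "success_after_failures"}} for every client that POSTs to
    `path` at least `threshold` times within any `window`-long span."""
    events = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue
        events[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["status"])))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                statuses = [s for _, s in evs]
                # A 302 (successful login redirect) that follows 200s (failed logins)
                # means one of the guesses worked: treat it as a probable compromise.
                first_fail = statuses.index(200) if 200 in statuses else None
                findings[ip] = {
                    "attempts": len(evs),
                    "success_after_failures": first_fail is not None and 302 in statuses[first_fail:],
                }
                break
    return findings
```

Run against real logs by feeding `detect_login_bursts()` the lines of the access log instead of `build_sample()`; the threshold should be tuned to the site's normal login traffic.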

Regards!
