Buenas a todos, hoy continuaremos con el proceso de auditoría a Wordpress con la explotación de la autenticación mediante Metasploit. Hay otras herramientas y scripts rondando por Internet que funcionan muy bien también, pero Metasploit es posiblemente uno de los más sencillos de utilizar y más potentes.
Metasploit publicó un módulo para el CVE-2009-2335:
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
El módulo se llama "Wordpress Brute Force and User Enumeration Utility". Podéis descargar el código fuente del módulo aquí. Es un módulo bastante completo, os dejo a continuación sus opciones:
BLANK_PASSWORDS | Try blank passwords for all users (default: true) |
BRUTEFORCE | Perform brute force authentication (default: true) |
BRUTEFORCE_SPEED | How fast to bruteforce, from 0 to 5 (default: 5) |
PASSWORD | A specific password to authenticate with |
PASS_FILE | File containing passwords, one per line |
Proxies | Use a proxy chain |
RHOSTS | The target address range or CIDR identifier |
RPORT | The target port (default: 80) |
STOP_ON_SUCCESS | Stop guessing when a credential works for a host |
THREADS | The number of concurrent threads (default: 1) |
URI | Define the path to the wp-login.php file (default: /wp-login.php) |
USERNAME | A specific username to authenticate as |
USERPASS_FILE | File containing users and passwords separated by space, one pair per line |
USER_AS_PASS | Try the username as the password for all users (default: true) |
USER_FILE | File containing usernames, one per line |
VALIDATE_USERS | Enumerate usernames (default: true) |
VERBOSE | Whether to print output for all attempts (default: true) |
VHOST | HTTP server virtual host |
BasicAuthPass | The HTTP password to specify for basic authentication |
BasicAuthUser | The HTTP username to specify for basic authentication |
DOMAIN | The domain to use for windows authentification |
DigestAuthIIS | Conform to IIS, should work for most servers. Only set to false for non-IIS servers |
DigestAuthPassword | The HTTP password to specify for digest authentication |
DigestAuthUser | The HTTP username to specify for digest authentication |
FingerprintCheck | Conduct a pre-exploit fingerprint verification |
MaxGuessesPerService | Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used. |
MaxGuessesPerUser | Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used. |
MaxMinutesPerService | Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used. |
NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
REMOVE_PASS_FILE | Automatically delete the PASS_FILE on module completion |
REMOVE_USERPASS_FILE | Automatically delete the USERPASS_FILE on module completion |
REMOVE_USER_FILE | Automatically delete the USER_FILE on module completion |
SSL | Negotiate SSL for outgoing connections |
SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
ShowProgress | Display progress messages during a scan |
ShowProgressPercent | The interval in percent that progress should be shown |
UserAgent | The User-Agent header to use for all requests |
WORKSPACE | Specify the workspace for this module |
HTTP::header_folding | Enable folding of HTTP headers |
HTTP::method_random_case | Use random casing for the HTTP method |
HTTP::method_random_invalid | Use a random invalid, HTTP method for request |
HTTP::method_random_valid | Use a random, but valid, HTTP method for request |
HTTP::pad_fake_headers | Insert random, fake headers into the HTTP request |
HTTP::pad_fake_headers_count | How many fake headers to insert into the HTTP request |
HTTP::pad_get_params | Insert random, fake query string variables into the request |
HTTP::pad_get_params_count | How many fake query string variables to insert into the request |
HTTP::pad_method_uri_count | How many whitespace characters to use between the method and uri |
HTTP::pad_method_uri_type | What type of whitespace to use between the method and uri (accepted: space, tab, apache) |
HTTP::pad_post_params | Insert random, fake post variables into the request |
HTTP::pad_post_params_count | How many fake post variables to insert into the request |
HTTP::pad_uri_version_count | How many whitespace characters to use between the uri and version |
HTTP::pad_uri_version_type | What type of whitespace to use between the uri and version (accepted: space, tab, apache) |
HTTP::uri_dir_fake_relative | Insert fake relative directories into the uri |
HTTP::uri_dir_self_reference | Insert self-referential directories into the uri |
HTTP::uri_encode_mode | Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random) |
HTTP::uri_fake_end | Add a fake end of URI (eg: /%20HTTP/1.0/../../) |
HTTP::uri_fake_params_start | Add a fake start of params to the URI (eg: /%3fa=b/../) |
HTTP::uri_full_url | Use the full URL for all HTTP requests |
HTTP::uri_use_backslashes | Use back slashes instead of forward slashes in the uri |
Como veis, opciones no le faltan :) Permite desde usar un proxy y/o modificar el user agent de las peticiones, hasta hacer ataques por diccionario con contraseñas, probar todos los usuarios con la contraseña en blanco, etc. También permite enumerar los usuarios al igual que hacía W3af.
Le sacaremos mucha utilidad en una auditoría de Wordpress, pero tened en cuenta que vamos a dejar un gran rastro en los logs y aumentaremos la carga del servidor, por lo que cuidado al usarlo.
Saludos!
No hay comentarios:
Publicar un comentario