Pentesting Your Own Website to Improve Security

The best way to find out whether your web site has built-in vulnerabilities an attacker could exploit is to hack it yourself, before someone else does. This is not typically a do-it-yourself project unless you have some decent technical skills, but with a little time and a few free downloadable tools it is something you can try, if for no other reason than to learn how easy it is. This type of web site penetration testing is used to find unpatched vulnerabilities, test the security of web applications, and meet regulatory compliance requirements. One caveat before you start: only scan and attack sites you own or have written permission to test; pointed at anyone else's site, the same tools are a crime.

A good way to start is to scan your web site with WPScan.  WPScan is a black box vulnerability scanner for WordPress written in Ruby.  It is preinstalled in Kali Linux and other security distros, or it can be downloaded from GitHub (or installed as a Ruby gem) on your preferred distro.  WPScan fingerprints the version of WordPress core, the installed themes and plugins, and reports interesting server headers such as the web server banner.  It then checks what it finds against the WPScan vulnerability database, which at the time of writing covered roughly 18,000 plugins and 2,600 themes, to flag outdated versions and known vulnerabilities (an API token, available on a free tier, is needed for the vulnerability data).  WPScan can:

  • Detect the version of the currently installed WordPress core.
  • Detect enabled features on the installation (for example XML-RPC and the WP-Cron endpoint).
  • Enumerate the installed theme name and version.
  • Enumerate installed plugins and tell you whether each one is outdated.
  • Enumerate user names.
  • Detect sensitive files such as readme.html, robots.txt, exposed database export files, and wp-config.php backups.

Once you have a list of vulnerabilities in hand, you can use Metasploit to find exploits that work against them.  A successful exploit gives you a Meterpreter session on the target, from which you can spawn a shell and, if the target is a Windows server, load a credential-dumping tool such as Mimikatz (available in Meterpreter as the kiwi extension).  Note that most WordPress sites run on Linux, so the Windows-specific items below (SAM database, Event Viewer, everything in Mimikatz) will not apply to them.  From here you could:

In Metasploit / Meterpreter

  • Enumerate user names (auxiliary/scanner/http/wordpress_login_enum)
  • Enumerate plugins and themes (auxiliary/scanner/http/wordpress_scanner)
  • Brute force WordPress passwords (wordpress_login_enum, or WPScan's own password attack)
  • Generate a PHP backdoor (msfvenom with a php/meterpreter payload)
  • Clear the Windows event logs (clearev)
  • Download files (download)
  • Upload files (upload)
  • Edit files on the target with vi (edit)
  • Execute commands (execute)
  • Dump the contents of the Windows SAM database (hashdump)
  • Change the local working directory (lcd)
  • List directories and files (ls)
  • Search the file system of the target (search)
  • Open a shell (shell)
  • Take a webcam snapshot (webcam_snap)
In Mimikatz (Windows targets only)

  • Get Kerberos tickets
  • Get msv (NTLM) credentials (hashes)
  • Get livessp credentials (cleartext)
  • Retrieve ssp (MS digest) credentials
  • Retrieve tspkg credentials from LSASS
  • Retrieve wdigest credentials (cleartext; disabled by default on current Windows)
  • Perform a pass-the-hash attack (sekurlsa::pth)
  • Compute password hashes (hash module)
  • Export certificates and private keys
  • Manipulate processes, threads, and services
  • Impersonate users through token replay
  • Dump the SAM database (lsadump::sam)
  • Inject DLLs
  • Get a terminal or shell
  • Manipulate EFS

These techniques are available to potential attackers as well.  The quick fix for most vulnerabilities you discover is to update Apache, WordPress core, and every plugin and theme to the latest release.  Remove any plugins and themes you do not use: WPScan (and an attacker) will still find them, and an inactive plugin can still be exploitable.  If a plugin has a known vulnerability with no fix released, replace it.  Once you have upgraded everything, run another scan to see if any vulnerabilities remain.
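As an added example, not part of the original post or of the WPScan project, here is a small Python script that wraps the scan step and the re-scan check described above: it runs WPScan with JSON output, flattens core/plugin/theme results into a list of findings that need action, lists the enumerated user names, and compares a second report against the first to show what the updates fixed and what is still open. The report layout (version, plugins, themes, users keys) is what WPScan emits with --format json as I have seen it; check it against your own output. The two embedded reports are constructed samples with placeholder vulnerability entries, not real scans or real advisories.

```python
#!/usr/bin/env python3
"""Triage WPScan JSON output and compare a re-scan against the first scan.

Added example; not WPScan's own code.  Assumes WPScan's --format json layout.
Only run it against sites you own or are authorised to test.
"""
import json
import subprocess
import sys
from typing import Dict, List, Optional


def run_wpscan(url: str, api_token: Optional[str] = None) -> dict:
    """Run WPScan and return the parsed JSON report.

    --enumerate vp,vt,u,dbe = vulnerable plugins, vulnerable themes,
    users, database exports.  The API token adds vulnerability data.
    """
    cmd = ["wpscan", "--url", url, "--enumerate", "vp,vt,u,dbe", "--format", "json"]
    if api_token:
        cmd += ["--api-token", api_token]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def triage(report: dict) -> List[Dict[str, object]]:
    """Flatten core, plugin and theme results into one list of findings."""
    findings: List[Dict[str, object]] = []
    core = report.get("version") or {}
    if core.get("number"):
        findings.append({
            "component": "core", "slug": "wordpress",
            "version": core.get("number"),
            "outdated": core.get("status") != "latest",   # "insecure"/"outdated"
            "vulns": len(core.get("vulnerabilities") or []),
        })
    for kind in ("plugins", "themes"):
        for slug, info in (report.get(kind) or {}).items():
            findings.append({
                "component": kind[:-1], "slug": slug,
                "version": (info.get("version") or {}).get("number"),
                "outdated": bool(info.get("outdated")),
                "vulns": len(info.get("vulnerabilities") or []),
            })
    return findings


def needs_action(report: dict) -> List[Dict[str, object]]:
    """Findings that are outdated or carry at least one known vulnerability."""
    return [f for f in triage(report) if f["outdated"] or f["vulns"] > 0]


def enumerated_users(report: dict) -> List[str]:
    """User names WPScan managed to enumerate; these are brute-force targets."""
    return sorted((report.get("users") or {}).keys())


def rescan_delta(before: dict, after: dict) -> Dict[str, List[str]]:
    """Compare two scans: what the updates fixed, what is still open, what is new."""
    open_before = {f["slug"] for f in needs_action(before)}
    open_after = {f["slug"] for f in needs_action(after)}
    return {
        "fixed": sorted(open_before - open_after),
        "still_open": sorted(open_before & open_after),
        "new": sorted(open_after - open_before),
    }


# Constructed sample reports in WPScan's JSON layout (not real scans).
# The vulnerability entries are placeholders, not real advisories.
BEFORE = {
    "target_url": "https://example.com/",
    "version": {"number": "5.8", "status": "insecure",
                "vulnerabilities": [{"title": "(placeholder core entry)", "fixed_in": "5.8.1"}]},
    "plugins": {
        "example-gallery": {"slug": "example-gallery", "outdated": True,
                            "version": {"number": "1.0.0"}, "latest_version": "1.2.0",
                            "vulnerabilities": [{"title": "(placeholder plugin entry)", "fixed_in": "1.2.0"}]},
        "example-seo": {"slug": "example-seo", "outdated": False,
                        "version": {"number": "3.4.0"}, "latest_version": "3.4.0",
                        "vulnerabilities": []},
    },
    "themes": {"example-theme": {"slug": "example-theme", "outdated": True,
                                 "version": {"number": "2.0"}, "latest_version": "2.1",
                                 "vulnerabilities": []}},
    "users": {"admin": {"id": 1, "slug": "admin"}, "editor": {"id": 2, "slug": "editor"}},
}
AFTER = json.loads(json.dumps(BEFORE))  # deep copy, then apply the updates
AFTER["version"] = {"number": "5.8.1", "status": "latest", "vulnerabilities": []}
AFTER["plugins"]["example-gallery"].update(outdated=False, version={"number": "1.2.0"}, vulnerabilities=[])
AFTER["themes"]["example-theme"].update(outdated=False, version={"number": "2.1"})

if __name__ == "__main__":
    # Usage: ./wp_triage.py https://your-site.example [API_TOKEN]
    report = run_wpscan(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    for f in needs_action(report):
        print(f"{f['component']:6} {f['slug']:30} {f['version']} outdated={f['outdated']} vulns={f['vulns']}")
    print("users:", ", ".join(enumerated_users(report)))
```

Run the script once before patching and once after, save both JSON reports, and feed them to rescan_delta: anything in still_open is a component whose update did not actually close the finding (or that has no fix available and should be removed), and anything in new is a regression introduced by the updates themselves.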

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
