Pentesting Your Own Website to Improve Security

The best way to determine whether your website has built-in vulnerabilities that an attacker could exploit is to hack it yourself.  This is not typically a do-it-yourself project unless you have some decent technical skills, but with a little time and a few free downloadable tools it is something you could try, if for no other reason than to learn how easy it can be.  This type of website penetration testing is used to find unpatched vulnerabilities, test the security of web applications, and meet regulatory compliance requirements.

A good way to start is to scan your website using WPScan.  WPScan is a black-box vulnerability scanner for WordPress written in Ruby.  It is preinstalled in Kali Linux and other security distributions, or can be downloaded from GitHub for installation in your preferred distro.  WPScan records the web server banner (for example Apache) as an interesting finding and fingerprints the versions of the WordPress core, the active theme, and installed plugins.  At the time this was written it used a database of 18,000 plugins and 2,600 themes while scanning the target for outdated versions and known vulnerabilities (current releases pull vulnerability data from the WPScan API, which requires a free API token).  WPScan can:

  • Detect the version of the installed WordPress core.
  • Detect enabled features of the installed WordPress site.
  • Enumerate the active theme's name and version.
  • Detect installed plugins and report whether each one is outdated.
  • Enumerate user names.
  • Detect sensitive files such as readme.html, robots.txt, configuration backups, and database export files.
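To make the enumeration above concrete, here is an added example (not WPScan's own code and not code from the original post) that performs the passive part of such a scan offline: it reads the WordPress version from the generator meta tag or readme.html, pulls plugin and theme slugs with their versions out of the ?ver= cache-buster on enqueued assets, collects user names from author links and the REST users endpoint, and flags anything below a minimum safe version.  The front page, readme.html, REST response, hostname example.test, plugin names and version floors are all constructed sample data, not real fetched responses or real vulnerability data.

```python
"""Passive WordPress fingerprinting in the style of WPScan.

Added example: this is not WPScan's code and not code from the original post.
All inputs below are constructed sample responses standing in for what a
scanner would fetch from /, /readme.html and /wp-json/wp/v2/users, and the
version floors are made-up placeholders for real vulnerability data.
"""
import json
import re

# Constructed sample of a site's front page (assumed hostname example.test).
SAMPLE_INDEX_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentytwentyone/style.css?ver=1.4" />
<script src="https://example.test/wp-content/plugins/example-gallery/js/gallery.js?ver=2.0.3"></script>
<script src="https://example.test/wp-content/plugins/example-forms/assets/forms.min.js?ver=4.1.0"></script>
<script src="https://example.test/wp-content/plugins/example-forms/assets/extra.js?ver=4.1.0"></script>
</head><body><a href="https://example.test/author/admin/">admin</a></body></html>"""

# Constructed sample of /readme.html, which WordPress ships with its version inside.
SAMPLE_README_HTML = '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 5.8.1</h1>'

# Constructed sample of the public REST users endpoint (/wp-json/wp/v2/users).
SAMPLE_USERS_JSON = '[{"id": 1, "name": "Site Admin", "slug": "admin"}, {"id": 2, "name": "J. Doe", "slug": "jdoe"}]'

# Constructed stand-in for a vulnerability database: the lowest release of each
# component without a known issue. Placeholder numbers, not real advisories.
SAMPLE_MIN_SAFE = {"wordpress": "5.8.3", "example-gallery": "2.1.0", "example-forms": "4.1.0"}

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
README_RE = re.compile(r"Version\s+([\d.]+)")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([a-z0-9_-]+)/[^\"'>\s]*?\?ver=([\d.]+)", re.I)
THEME_RE = re.compile(r"/wp-content/themes/([a-z0-9_-]+)/[^\"'>\s]*?\?ver=([\d.]+)", re.I)
AUTHOR_RE = re.compile(r"/author/([a-z0-9_.-]+)/", re.I)


def wordpress_version(index_html, readme_html):
    """Core version: prefer the generator meta tag, fall back to readme.html.
    Sites that strip the generator tag still leak the version through
    readme.html unless that file has been removed."""
    match = GENERATOR_RE.search(index_html) or README_RE.search(readme_html)
    return match.group(1) if match else None


def enumerate_components(index_html, pattern):
    """Map slug -> version for plugins or themes, taken from the ?ver=
    cache-buster WordPress appends to enqueued scripts and stylesheets."""
    found = {}
    for slug, version in pattern.findall(index_html):
        found.setdefault(slug.lower(), version)  # first sighting wins
    return found


def enumerate_users(index_html, users_json):
    """Usernames from /author/<slug>/ links plus the REST users endpoint."""
    users = set(AUTHOR_RE.findall(index_html))
    try:
        users.update(entry["slug"] for entry in json.loads(users_json) if "slug" in entry)
    except ValueError:  # endpoint disabled or an HTML error page came back
        pass
    return sorted(users)


def version_tuple(version):
    """'5.8' -> (5, 8, 0) so that '5.8' compares equal to '5.8.0'."""
    parts = [int(p) for p in version.split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))


def outdated(components, min_safe):
    """{name: (found, required)} for every component below its safe floor."""
    result = {}
    for name, found in components.items():
        floor = min_safe.get(name)
        if floor and version_tuple(found) < version_tuple(floor):
            result[name] = (found, floor)
    return result


def scan(index_html, readme_html, users_json, min_safe):
    """Run every passive check and return a single report dictionary."""
    components = {"wordpress": wordpress_version(index_html, readme_html)}
    components.update(enumerate_components(index_html, PLUGIN_RE))
    components.update(enumerate_components(index_html, THEME_RE))
    known = {name: ver for name, ver in components.items() if ver}
    return {
        "components": components,
        "users": enumerate_users(index_html, users_json),
        "outdated": outdated(known, min_safe),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_INDEX_HTML, SAMPLE_README_HTML, SAMPLE_USERS_JSON, SAMPLE_MIN_SAFE)
    for name, ver in report["components"].items():
        print(f"{name:20s} {ver}")
    print("users:", ", ".join(report["users"]))
    for name, (found, floor) in report["outdated"].items():
        print(f"OUTDATED {name}: {found} < {floor}")
```

On the sample data the script reports the core and the gallery plugin as outdated and the forms plugin as current, and it lists two user names: the admin account exposed by the author link and a second account exposed only by the REST endpoint, which is why the same scan is worth repeating after hardening (removing readme.html, restricting the users endpoint) to confirm the leak is gone.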

Once you have a list of vulnerabilities at hand, you can use Metasploit to find exploits that work against them.  From Metasploit you can run Meterpreter to spawn a terminal or shell session on the compromised host and, if that host runs Windows, load a credential-dumping tool such as Mimikatz (built into Meterpreter as the kiwi extension) for pass-the-hash attacks.  Keep in mind that Mimikatz only applies to Windows targets; a WordPress site on a Linux host gives you the Meterpreter capabilities but not the Mimikatz ones.  From here you could:

In Metasploit

  • Enumerate user names
  • Enumerate plugins
  • Enumerate themes
  • Brute force passwords (with WPScan or the Metasploit WordPress login scanner)
  • Generate a PHP backdoor payload with msfvenom
  • Clear the Windows event logs (clearev)
  • Download files (download)
  • Upload files (upload)
  • Edit a remote file in vim (edit)
  • Execute commands (execute)
  • Dump the contents of the SAM database (hashdump)
  • Change the local working directory (lcd)
  • List directories and files (ls)
  • Search the target's file system for files by name (search)
  • Open a shell (shell)
  • Turn on the webcam (webcam_snap)

In Mimikatz

  • Get Kerberos credentials
  • Get msv (NTLM) creds (hashes)
  • Get livessp credentials (cleartext)
  • Retrieve ssp (MS digest) creds
  • Retrieve tspkg creds (from LSASS)
  • Retrieve wdigest creds (cleartext)
  • Pass the hash attack
  • Compute password hashes
  • Get security certificates
  • Manipulate processes, threads, and services
  • Impersonate through token replay
  • Dump the SAM database
  • Inject DLLs
  • Get a terminal or shell
  • Manipulate EFS

These techniques are available to potential attackers as well.  The quick fix for any vulnerabilities you discover is to update Apache, WordPress, and every plugin and theme to the latest release, and to remove plugins and themes you no longer use, since an inactive plugin is still reachable on disk.  Once you have upgraded everything, run another scan to see whether any vulnerabilities remain.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
