Pentesting Your Own Website to Improve Security

The best way to determine whether your website has built-in vulnerabilities that an attacker could exploit is to hack your website yourself.  This is not typically a do-it-yourself project unless you have some decent technical skills.  But with a little time and a few free downloadable tools, it is something you could try, if for no other reason than to learn how easy this can be.  This type of website penetration testing is used to find unpatched vulnerabilities, test the security of web applications, and meet regulatory compliance requirements.

A good way to start is to scan your website using WPScan.  WPScan is a black box vulnerability scanner for WordPress written in PHP.  It comes installed in Kali Linux and other security distros, or can be downloaded from GitHub for installation in your preferred distro.  WPScan searches for version information on installations of Apache Web Server, WordPress, WordPress themes, and plugins.  While scanning the target, WPScan uses a database of 18,000 plugins and 2600 themes to find outdated versions and vulnerabilities.  WPScan can:

  • Detect a version of currently installed WordPress.
  • Detect enabled features on currently installed WordPress.
  • Enumerate theme version and name.
  • Detect installed plugins and tell you whether each one is outdated.
  • Enumerate user names.
  • Detect sensitive files like readme, robots.txt, database replacing files, etc.

Once you have a list of vulnerabilities at hand, you can use Metasploit to find exploits that would work against them.  From Metasploit you could run Meterpreter in order to spawn a terminal or shell session, and launch a pass-the-hash tool like Mimikatz.  From here you could:

In Metasploit

  • Enumerate user names
  • Enumerate plugins
  • Enumerate themes
  • Brute force passwords with WPScan
  • Generate PHP backdoor
  • Clear Event Viewer in Windows
  • Download files
  • Upload files
  • Edit in vim
  • Execute commands
  • Dump contents of SAM database
  • Change the local working directory
  • List directories and files
  • Search the file contents of target
  • Open a shell
  • Turn on webcam

In Mimikatz

  • Get Kerberos credentials
  • Get msv (NTLM) creds (hashes)
  • Get livessp credentials (cleartext)
  • Retrieve ssp (MS digest) creds
  • Retrieve tspkg creds (LSASS)
  • Retrieve wdigest creds (cleartext)
  • Pass the hash attack
  • Hash function
  • Get security certificates
  • Manipulate processes, threads, and services
  • Impersonate through token replay
  • Dump the SAM database
  • Inject DLLs
  • Get a terminal or shell
  • Manipulate EFS

These techniques are available to potential attackers as well.  The quick fix for any vulnerabilities you discover is to update your Apache, WordPress, plugin, and theme versions to the latest release.  Once you have upgraded everything, run another scan to see if any vulnerabilities remain.
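
The rescan step above, as an added example that is not part of the original post or of WPScan itself: a Python script that compares a report saved before patching with one saved after and lists the findings that are still open. Both reports are constructed samples, and the JSON field names are an assumption modelled on WPScan's JSON report.

```python
import copy
import json

# Constructed sample report, not real scan output. The field names are an
# assumption modelled on WPScan's JSON report; adjust them to your version.
BEFORE = json.loads("""
{"version": {"number": "5.8.1", "status": "insecure"},
 "main_theme": {"slug": "example-theme", "outdated": true,
                "version": {"number": "1.2"}, "latest_version": "1.4",
                "vulnerabilities": []},
 "plugins": {
   "example-forms": {"outdated": true, "version": {"number": "2.0.1"},
     "latest_version": "2.3.0",
     "vulnerabilities": [{"title": "Example Forms < 2.2.0 - XSS"}]},
   "example-cache": {"outdated": false, "version": null,
     "latest_version": "3.1", "vulnerabilities": []}}}
""")

# Constructed rescan: core and theme were updated, one plugin was missed.
AFTER = copy.deepcopy(BEFORE)
AFTER["version"] = {"number": "6.0", "status": "latest"}
AFTER["main_theme"].update(outdated=False, version={"number": "1.4"})

def findings(report):
    """Map each flagged component to a short reason string."""
    out = {}
    core = report.get("version") or {}
    if core.get("status") in ("insecure", "outdated"):
        out["core"] = f"WordPress {core.get('number')} is {core['status']}"
    items = {f"plugin:{s}": p for s, p in (report.get("plugins") or {}).items()}
    theme = report.get("main_theme")
    if theme:
        items[f"theme:{theme.get('slug')}"] = theme
    for name, item in items.items():
        # The version can be null when the scanner could not fingerprint it.
        ver = (item.get("version") or {}).get("number") or "unknown"
        vulns = [v.get("title") for v in item.get("vulnerabilities") or []]
        if item.get("outdated") or vulns:
            out[name] = f"{ver} -> {item.get('latest_version')}, vulns={vulns}"
    return out

def remaining(before, after):
    """Findings from the first scan that the rescan still reports."""
    still = findings(after)
    return {k: v for k, v in still.items() if k in findings(before)}

if __name__ == "__main__":
    for name, why in remaining(BEFORE, AFTER).items():
        print(f"STILL OPEN {name}: {why}")
```
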

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
