Joomla Security Scanner

Joomla Security Scanner Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla Websites.
It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla Sites. No web security scanner is dedicated only one CMS.

Features of Joomla Security Scanner

  • Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
  • Common Joomla! based web application firewall detection
  • Searching known vulnerabilities of Joomla! and its components
  • Reporting to Text & HTML output
  • Immediate update capability via scanner or svn

How to use Joomla Security Scanner in Backtrack 5

First Open Your backtrack and Follow these path

Applications->Backtrack->Vulnerability Assessment->Web Application assessment->CMS vulnerabilities identification->Joomscan


How to use Joomscan

When you open joomscan, it will look like this image (shown below)

Scanning for Vulnerability

Now scan our joomla site for vulnerability. To do this, enter the following command in Terminal: 

./joomscan.pl -u www.example.com

Want to learn more?? The InfoSec Institute Web Application Penetration Testing Boot Camp focuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises, thought provoking lectures led by an expert instructor. We review of the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how perform OWASP Top 10 Assessments: for PCI DSS compliance

Vulnerabilities Discovered

It will look like this image (shown below)

CMS Explorer-
Discover the CMS components behind the site

CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running.

Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the “explore” option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module’s current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help “bootstrap” security testing tools like Burp, Paros, Web inspect, etc.

CMS Explorer currently supports module/theme discovery with the following products:

  • Drupal
  • WordPress
  • Joomla!
  • Mambo

How to use CMS-Explorer

Open your Backtrack Terminal & Type cd /pentest/enumeration/web/cms-explorer


You can also do this manually. First Open Your backtrack and Follow these path

Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> cms-explorer


Scan Joomla Site

./cms-explorer.pl -url http://example.com -type joomla

Scan WordPress Site

./cms-explorer.pl -url http://example.com -type wordpress

Scan WordPress Site

./cms-explorer.pl -url http://example.com -type drupal

WPScan-WordPress Security Scanner

WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use it to be for security professionals or WordPress administrators to assess the security posture of their WordPress installations.

Features include:

  • Username enumeration (from author query string and location header)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator Meta tag)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (2220 most popular by default)
  • Plugin vulnerability enumeration (based on version)
  • Plugin enumeration list generation
  • Other misc WordPress checks (theme name, dir listing …

How to use wpscan in BackTrack 5

Open your backtrack terminal and type cd /pentest/web/wpscan

Now scan single URL ruby wpscan.rb –url www.example.com


Other Scans

Only do version enumeration…
ruby wpscan.rb –url www.example.com –version

Do wordlist password brute force on enumerated users using 50 threads…
ruby wpscan.rb –url www.example.com –wordlist darkc0de.lst –threads 50

Do wordlist password brute force on the ‘admin’ username only…
ruby wpscan.rb –url www.example.com –wordlist darkc0de.lst –username admin

Generate a new ‘most popular’ plugin list, up to 150 pages…
ruby ./wpscan.rb –generate_plugin_list 150

Enumerate installed plugins…
ruby ./wpscan.rb –enumerate p

Plecost

WordPress finger printer tool, plecost search and retrieve information about the plugins versions installed in WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally displays CVE code associated with each Plugin, if there.

Plecost retrieves the information contained on Web sites supported by WordPress, and also allows a search on the results indexed by Google.

How to use plecost in backtrack

Open your backtrack terminal and type ./plecost-0.2.2-9-beta.py


How to use plecost

Syntax:


./plecost-0.2.2-9-beta.py -i wp_plugin_list.txt http://www.example.com –G


  • Google search options:
    • l num : Limit number of results for each plugin in google.
    • G : Google search mode
  • Options:
    • n : Number of plugins to use (Default all – more than 7000).
    • c : Check plugins only with CVE associated.
    • R file : Reload plugin list. Use -n option to control the size
    • o file : Output file. (Default “output.txt”)
    • i file : Input plugin list. (Need to start the program)
    • s time : Min sleep time between two probes. Time in seconds. (10)
    • M time : Max sleep time between two probes. Time in seconds. (20)
    • t num : Number of threads. (Default 1)
    • h : Display help. (More info: http://iniqua.com/labs/)

What web

WhatWeb is like nmap but for the web. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 900 plugins, each to recognize something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Features:

  • Over 900 plugins
  • Control the tradeoff between speed/stealth and reliability
  • Plugins include example URLs
  • Performance tuning. Control how many websites to scan concurrently.
  • Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, Magic Tree, Ruby Object, Mongo DB.
  • Recursive web spidering
  • Proxy support including TOR
  • Custom HTTP headers
  • Basic HTTP authentication
  • Control over webpage redirection
  • Nmap-style IP ranges
  • Fuzzy matching
  • Result certainty awareness
  • Custom plugins defined on the command line

First Open Your backtrack and Follow these path

Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> whatweb


Usage

. /whatweb

Use whatweb in verbose mode

./whatweb –v www.example.com

BlindElephant-Web Application Fingerprinter

The Blind Elephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Features

  • Fast, low-resource approach (generally <6 seconds and < 400kb)
  • Support for 15 commonly deployed web apps (and hundreds of versions), and very easy to add support for more
  • Support for web app plugins (Drupal and WordPress currently, more with community input)

How to use BlindElephant in BackTrack

First Open Your backtrack and Follow these path

Applications->BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> blindelephant


Usage

./BlindElephant.py www.example.com (CMS)