
Testing Fortifications - WordCamp Brighton

Tim Nash
August 16, 2019


Early version of my WordCamp Brighton talk, minus videos.

So you've been to the security talk, that other security talk and that really scary one. You followed the advice, and you are feeling confident. Perhaps you have never been to a security talk, let alone a scary one, but feel it's time to at least find out where you stand. In this talk, Tim is going to go through how to run a basic penetration test of a WordPress website, from start to finish, looking at scope, research, execution, and remediation. He will be demonstrating tools to use and processes to follow, so you can see how secure your site is or isn't.


Transcript

1. WordPress Platform Lead at 34SP.com
   Former pen tester
   Co-runs WordPress Leeds
   Ran a small dev agency
   Speaks about security around the country

2. Simplified Threat Modelling
   What are we building?
   What can go wrong?
   What are we going to do about this?
   Did we do a good enough job?

3. Scope
   What are we targeting?
   Do we have access to the code base?
   Is the network in scope?
   Are employees?

4. Grab a copy of robots.txt

   > curl https://example.com/robots.txt
   User-agent: *
   Disallow: /wp/wp-admin/
   Allow: /wp/wp-admin/admin-ajax.php
   Sitemap: https://example.com/sitemap.xml

5. dig

   dig A +short example.com
   dig NS +short example.com
   dig ANY example.com
   dig -x 80.82.119.149 +noall +answer

6. sudo nmap -O timnash.co.uk

   Nmap scan report for timnash.co.uk (80.82.119.149)
   Host is up (0.040s latency).
   rDNS record for 80.82.119.149: 176.wp.34sp.com
   Not shown: 997 filtered ports
   PORT    STATE SERVICE
   22/tcp  open  ssh
   80/tcp  open  http
   443/tcp open  https
   Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
   Device type: general purpose|storage-misc|firewall
   Running (JUST GUESSING): Linux 2.6.X|3.X (90%), Synology DiskStation Manager 5.X (88%), WatchGuard Fireware 11.X (87%)
   OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.1 cpe:/o:watchguard:fireware:11.8
   Aggressive OS guesses: Linux 2.6.32 (90%), Linux 2.6.39 (90%), Linux 3.10 (89%), Linux 3.4 (89%), Linux 3.1 - 3.2 (89%), Synology DiskStation Manager 5.1 (88%), Linux 2.6.32 or 3.10 (87%), WatchGuard Fireware 11.8 (87%), Linux 2.6.32 - 2.6.39 (85%)
   No exact OS matches for host (test conditions non-ideal).
   OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
   Nmap done: 1 IP address (1 host up) scanned in 15.11 seconds

7. sudo nmap -sS 80.82.119.149

   Nmap scan report for 176.wp.34sp.com (80.82.119.149)
   Host is up (0.035s latency).
   Not shown: 997 filtered ports
   PORT    STATE SERVICE
   22/tcp  open  ssh
   80/tcp  open  http
   443/tcp open  https
   Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

8. sudo nmap -sV 80.82.119.149

   Nmap scan report for 176.wp.34sp.com (80.82.119.149)
   Host is up (0.057s latency).
   Not shown: 997 filtered ports
   PORT    STATE SERVICE  VERSION
   22/tcp  open  ssh      OpenSSH 7.4 (protocol 2.0)
   80/tcp  open  http     nginx
   443/tcp open  ssl/http nginx
   Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
   Nmap done: 1 IP address (1 host up) scanned in 42.17 seconds
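The three nmap runs above are the research step; the useful follow-up for the site owner is to turn that output into a comparison against what the scope said should be reachable. The following is an added example, not code from the talk: it parses the port table from the "nmap -sV" slide (re-typed inline as a constructed sample), flags any open port outside an assumed exposure baseline (the baseline of 80/tcp and 443/tcp is a hypothetical choice, not a statement about the scanned host), and lists services whose banner discloses a version string, since both feed straight into the remediation list.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the port table from the "nmap -sV" slide, re-typed as a
# string so the parser runs offline. Host and versions are the slide's own.
SAMPLE_NMAP_SV = """\
Nmap scan report for 176.wp.34sp.com (80.82.119.149)
Host is up (0.057s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http     nginx
443/tcp open  ssl/http nginx
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.17 seconds
"""

# Assumed exposure baseline (hypothetical): what the scope says the host should
# answer on from the internet. Anything open outside this set goes to remediation.
EXPECTED_PORTS: Set[str] = {"80/tcp", "443/tcp"}

# One port row in nmap's normal output, e.g. "22/tcp  open  ssh  OpenSSH 7.4 (...)".
# The version column is optional because "-sS" output has no VERSION column.
PORT_ROW = re.compile(r"^(\d+/(?:tcp|udp|sctp))\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text: str) -> List[Dict[str, str]]:
    """Return one dict per port row: port, state, service and (possibly empty) version."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m is None:
            continue  # banner, "Host is up", "Nmap done" and similar lines
        rows.append({
            "port": m.group(1),
            "state": m.group(2),
            "service": m.group(3),
            "version": (m.group(4) or "").strip(),
        })
    return rows


def unexpected_open_ports(rows: List[Dict[str, str]], expected: Set[str]) -> List[str]:
    """Open ports that the scope did not say should be reachable."""
    return [r["port"] for r in rows if r["state"] == "open" and r["port"] not in expected]


def disclosed_versions(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Services whose banner gives away a product version number."""
    return {r["port"]: r["version"] for r in rows if re.search(r"\d+\.\d+", r["version"])}


if __name__ == "__main__":
    rows = parse_nmap_ports(SAMPLE_NMAP_SV)
    for port in unexpected_open_ports(rows, EXPECTED_PORTS):
        print(f"open port outside the scope baseline: {port}")
    for port, version in disclosed_versions(rows).items():
        print(f"{port} discloses a version string: {version}")
```

Run it against a saved scan (`nmap -sV host > scan.txt`, then feed the file contents to `parse_nmap_ports`) and adjust `EXPECTED_PORTS` to match the scope document; the same parser handles the "-sS" output on the previous slide because the version column is optional.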
9. Scrape the site

   > httrack https://example.com -O /tmp/

   or

   > msfconsole
   use auxiliary/crawler/msfcrawler
   set rhosts example.com
   set rport 443
   exploit

10. [+] Interesting header: LINK: <https://timnash.co.uk/wp-json/>; rel="https://api.w.org/"
    [+] Interesting header: REFERRER-POLICY: strict-origin-when-cross-origin
    [+] Interesting header: SERVER: nginx
    [+] Interesting header: STRICT-TRANSPORT-SECURITY: max-age=31536000; includeSubDomains; preload
    [+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff
    [+] Interesting header: X-FASTCGI-CACHE: BYPASS
    [+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
    [+] Interesting header: X-TEC-API-ORIGIN: https://timnash.co.uk
    [+] Interesting header: X-TEC-API-ROOT: https://timnash.co.uk/wp-json/tribe/events/v1/
    [+] Interesting header: X-TEC-API-VERSION: v1
    [+] Interesting header: X-XSS-PROTECTION: 1; mode=block
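WPScan lists every header it considers interesting, but it does not say which ones are good news and which are gaps. The following is an added example, not part of the talk, that reads the "[+] Interesting header:" lines above (re-typed inline as a constructed sample) and audits them against a small set of expectations: HSTS present with a max-age of at least a year, X-Content-Type-Options set to nosniff, X-Frame-Options and Referrer-Policy present, and Content-Security-Policy present. It also notes headers that advertise something, such as the Link header pointing at the REST API root. The expectations are this example's own assumptions, not a list from the slides.

```python
import re
from typing import Dict, List

# Constructed sample: the header lines from the WPScan output on the slide,
# re-typed as a string so this runs offline (the two X-TEC-API-* headers are
# omitted here; they do not change the result).
SAMPLE_WPSCAN_HEADERS = """\
[+] Interesting header: LINK: <https://timnash.co.uk/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: REFERRER-POLICY: strict-origin-when-cross-origin
[+] Interesting header: SERVER: nginx
[+] Interesting header: STRICT-TRANSPORT-SECURITY: max-age=31536000; includeSubDomains; preload
[+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff
[+] Interesting header: X-FASTCGI-CACHE: BYPASS
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-XSS-PROTECTION: 1; mode=block
"""

HEADER_LINE = re.compile(r"^\[\+\] Interesting header: ([^:]+): (.*)$")

# Assumed minimum HSTS lifetime: one year, which is what the preload list asks for.
MIN_HSTS_MAX_AGE = 31536000


def parse_wpscan_headers(text: str) -> Dict[str, str]:
    """Map lower-cased header names to their values from WPScan's header lines."""
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        m = HEADER_LINE.match(line.strip())
        if m:
            headers[m.group(1).strip().lower()] = m.group(2).strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings, in a fixed order, for the expectations above."""
    findings: List[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age is shorter than one year")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in headers:
        findings.append("missing X-Frame-Options")
    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy")

    # Informational: WordPress advertises its REST API root in the Link header,
    # which is what WPScan later used to find the exposed users endpoint.
    if "api.w.org" in headers.get("link", ""):
        findings.append("Link header advertises the REST API root")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_wpscan_headers(SAMPLE_WPSCAN_HEADERS)):
        print(finding)
```

For the sample above the audit reports only a missing Content-Security-Policy and the advertised REST API root, which matches the picture on the slide: the basic hardening headers are in place and the remaining items are things to weigh in the threat model rather than outright gaps.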
11. [+] robots.txt available under: https://timnash.co.uk/robots.txt [HTTP 200]
    [+] Interesting entry from robots.txt: https://timnash.co.uk/wp/wp-admin/ [HTTP 302]
    [+] Interesting entry from robots.txt: https://timnash.co.uk/wp/wp-admin/admin-ajax.php [HTTP 400]
    [+] Sitemap found: https://timnash.co.uk/robots.txt [HTTP 200]
    [+] Sitemap entry: https://timnash.co.uk/sitemap.xml [HTTP 200]
    [+] humans.txt available under: https://timnash.co.uk/humans.txt [HTTP 200]
    [+] This site has 'Must Use Plugins' (http://codex.wordpress.org/Must_Use_Plugins)
    [+] API exposed: https://timnash.co.uk/wp-json/ [HTTP 200]

12. [!] 2 users exposed via API: https://timnash.co.uk/wp-json/wp/v2/users
    +----+----------+-------------------------------------+
    | ID | Name     | URL                                 |
    +----+----------+-------------------------------------+
    | 1  | Tim Nash | https://timnash.co.uk/author/timmy/ |
    | 2  | Tim Nash | https://timnash.co.uk/author/tim/   |
    +----+----------+-------------------------------------+

13. [+] Enumerating WordPress version ...
    [i] WordPress version can not be detected
    [+] Enumerating plugins from passive detection ...
    [+] No plugins found passively
    [+] Finished: Fri Aug 16 05:45:31 2019

14. --enumerate p

    [+] We found 8 plugins:
    [+] Name: atomic-blocks - v2.0.1
    [+] Name: ewww-image-optimizer - v4.9.1
    [+] Name: fast-velocity-minify - v2.7.3
    [+] Name: otter-blocks - v1.2.4
    [+] Name: query-monitor - v3.3.7
    [+] Name: remove-query-strings-from-static-resources - v1.4
    [+] Name: stream - v3.4.1
    [+] Name: the-events-calendar - v4.9.6

15. --enumerate ap

    [+] Enumerating all plugins (may take a while and use a lot of system resources) ...
    Time: 00:36:14 <=====================================================================> (82035 / 82035) 100.00% Time: 00:36:14
    [+] We found 13 plugins:
    [+] Name: atomic-blocks - v2.0.1
    [+] Name: classic-smilies - v1.3
    [+] Name: ewww-image-optimizer - v4.9.1
    [+] Name: fast-velocity-minify - v2.7.3
    [+] Name: otter-blocks - v1.2.4
    [+] Name: query-monitor - v3.3.7
    [+] Name: remove-query-strings-from-static-resources - v1.
    [+] Name: stream - v3.4.1
    [+] Name: the-events-calendar - v4.9.6
    [+] Name: the-events-calendar-shortcode - v2.2.1
    [+] Name: two-factor
    [+] Name: wp-fingerprint - v2.1.2
    [+] Name: wp-notification-center - v1.0.1

16. --enumerate ap

    [+] Name: woocommerce - v3.4.2 | Last updated: 2019-08-12T13:44:00.000Z | Location: http://blueteamhackers.com/wp-content/plugins/woocommerce/ | Readme: http://blueteamhackers.com/wp-content/plugins/woocommerce/readme.txt
    [!] The version is out of date, the latest version is 3.7.0
    [!] Title: WooCommerce <= 3.4.4 - Potential Object Injection
        Reference: https://wpvulndb.com/vulnerabilities/9120
        Reference: https://woocommerce.wordpress.com/2018/08/29/woocommerce-3-4-5-security-fix-release-notes/
    [i] Fixed in: 3.4.5
    ....

17. DREAD SCORE
    Damage – how bad would an attack be?
    Reproducibility – how easy is it to reproduce the attack?
    Exploitability – how much work is it to launch the attack?
    Affected users – how many people will be impacted?
    Discoverability – how easy is it to discover the threat?
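To show how the five DREAD questions turn a pile of scan findings into a prioritised remediation list, here is an added example that is not from the talk. Each finding is rated 1 to 10 on the five factors and the DREAD score is the average; findings are then sorted highest first. The three sample findings come from the scan slides, but their ratings are this example's own illustrative assumptions, not the speaker's assessment.

```python
from dataclasses import dataclass
from typing import List, Tuple

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Finding:
    """One issue from the test, rated 1 (lowest) to 10 (highest) on each DREAD factor."""
    title: str
    damage: int            # how bad would an attack be?
    reproducibility: int   # how easy is it to reproduce the attack?
    exploitability: int    # how much work is it to launch the attack?
    affected_users: int    # how many people will be impacted?
    discoverability: int   # how easy is it to discover the threat?

    def dread_score(self) -> float:
        """Average of the five factors; raises if any rating is outside 1-10."""
        values = [getattr(self, f) for f in FACTORS]
        for name, value in zip(FACTORS, values):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.title}: {name} must be rated 1-10, got {value}")
        return sum(values) / len(values)


def rank_findings(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Return (title, score) pairs, highest DREAD score first; ties keep input order."""
    scored = [(f.title, f.dread_score()) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample ratings (assumptions for illustration, not the talk's numbers).
SAMPLE_FINDINGS = [
    Finding("Outdated WooCommerce 3.4.2 with a known object injection fix in 3.4.5",
            damage=8, reproducibility=9, exploitability=7, affected_users=8, discoverability=9),
    Finding("Two user accounts enumerable via /wp-json/wp/v2/users",
            damage=3, reproducibility=10, exploitability=9, affected_users=2, discoverability=10),
    Finding("Server header names the web server (nginx)",
            damage=1, reproducibility=10, exploitability=10, affected_users=1, discoverability=10),
]


if __name__ == "__main__":
    for title, score in rank_findings(SAMPLE_FINDINGS):
        print(f"{score:4.1f}  {title}")
```

Note what the averaging does: three of the five factors reward how easy something is rather than how much it hurts, so a harmless banner disclosure lands within two points of a real vulnerability. DREAD is a prioritisation aid for the remediation step, not a severity rating on its own; read the Damage and Affected users columns alongside the total before deciding what to fix first.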
18. Remediation
    Fix stuff...
    Block or limit access if fixing isn't an option.
    Change things that can't be fixed.

19. Stuff you can test locally / against a dev stack
    Run WPScan locally against your dev stack.
    Run OWASP ZAP (via its GUI) or set it up as a proxy.
    Metasploit/WPXF.