Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Testing Fortifications - WordCamp Brighton

Tim Nash
August 16, 2019
Technology
0
430

Testing Fortifications - WordCamp Brighton

Early version of my WordCamp Brighton talk, minus videos.

So you’ve been to the security, that other security talk and that really scary one. You followed the advice, and you are feeling confident. Perhaps you have never been to a security talk let alone scary one but feel its time to at least find out how you stand. In this talk, Tim is going to go through how to run a basic penetration test of a WordPress website. From start to finish, looking at scope, research, execution, and remediation. He will be demonstrating tools to use and processes to follow, so you can see how secure your site is or isn’t.

Tim Nash

August 16, 2019
Tweet

More Decks by Tim Nash

See All by Tim Nash
Come to the dark side, they have cookies
timnashcouk
0
1k
Come to the dark side
timnashcouk
0
58
Practical WordPress Security 2018
timnashcouk
0
290
Practical WordPress Security
timnashcouk
0
1.6k
HTTPS and You
timnashcouk
0
980
Baking Security into your workflow - Early
timnashcouk
0
970
Security is Everyone responsibility
timnashcouk
0
1k

Other Decks in Technology

See All in Technology
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
360
Azureの基本的な権限管理の勉強会
yhana
0
420
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
310
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
DevOpsDays History and my DevOps story
kawaguti
PRO
9
2.5k
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
150
アクセス制御にまつわる改善 / Improving access control
itkq
0
530
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
2
530
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
14k
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
0
200
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
5
520
VS CodeでAWSを操作しよう
smt7174
8
1.7k

Featured

See All Featured
Building Applications with DynamoDB
mza
88
5.6k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Happy Clients
brianwarren
92
6.4k
Agile that works and the tools we love
rasmusluckow
325
20k
Unsuck your backbone
ammeep
663
57k
Designing Experiences People Love
moore
136
23k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
14
1.6k
4 Signs Your Business is Dying
shpigford
175
21k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Embracing the Ebb and Flow
colly
80
4.1k

Transcript

  1. None

  2. Once upon a time...

  3. None

  4. TIM NASH @tnash Testing the fortifications or how to hack

    yourself

  5. TIM NASH @tnash Testing the fortifications or how to hack

    yourself
  6. None

  7. WordPress Platform Lead 
 at 34SP.com Former Pen Tester co-run

    WordPress Leeds Ran a small dev agency Speaks about security 
 around the country

  8. Why?

  9. Risk

  10. None

  11. Simplified Threat Modelling What are we building? What can go

    wrong? What are we going to do about this? Did we do a good enough job?

  12. Mapping Threat Modelling to Pen Testing Scope and Boundaries Vulnerability

    Testing Presentation and remediation

  13. VM vs Installing tools

  14. Vulnerability scanners, application scanners, Fuzzers

  15. Best way to get started? https://www.kali.org

  16. So how would we do this?

  17. Scope

  18. Scope What are we targeting? Do we have access to

    code base Is network in scope? Are employees?

  19. Reconnaissance

  20. Reconnaissance Investigate site dig domain whois IP nmap IP Are

    they behind a proxy?

  21. Visit the site...

  22. None
  23. None
  24. None
  25. None

  26. Grab copy of robots.txt > curl https://example.com/robots.txt User-agent: * Disallow:

    /wp/wp-admin/ Allow: /wp/wp-admin/admin-ajax.php Sitemap: https://example.com/sitemap.xml

  27. Look at site with tools

  28. None
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None

  35. dig dig A +short example.com
 
 dig NS +short example.com


    
 dig ANY example.com 
 
 dig -x 80.82.119.149 +noall +answer

  36. Reverse DNS https://opendata.rapid7.com/sonar.rdns_v2/

  37. RDNS rdns 80.82.119.149 timnash.co.uk
 meta.timnash.co.uk
 masterclass.timnash.co.uk

  38. whois 93.184.216.34

  39. What about proxies?

  40. Security Trails

  41. nmap 93.184.216.34

  42. sudo nmap -O timnash.co.uk Nmap scan report for timnash.co.uk (80.82.119.149)

    Host is up (0.040s latency). rDNS record for 80.82.119.149: 176.wp.34sp.com Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|storage-misc|firewall Running (JUST GUESSING): Linux 2.6.X|3.X (90%), Synology DiskStation Manager 5.X (88%), WatchGuard Fireware 11.X (87%) OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel cpe:/ a:synology:diskstation_manager:5.1 cpe:/o:watchguard:fireware:11.8 Aggressive OS guesses: Linux 2.6.32 (90%), Linux 2.6.39 (90%), Linux 3.10 (89%), Linux 3.4 (89%), Linux 3.1 - 3.2 (89%), Synology DiskStation Manager 5.1 (88%), Linux 2.6.32 or 3.10 (87%), WatchGuard Fireware 11.8 (87%), Linux 2.6.32 - 2.6.39 (85%) No exact OS matches for host (test conditions non-ideal). OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.11 seconds

  43. sudo nmap -sS 80.82.119.149 Nmap scan report for 176.wp.34sp.com (80.82.119.149)

    Host is up (0.035s latency). Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

  44. sudo nmap -sV 80.82.119.149 Nmap scan report for 176.wp.34sp.com (80.82.119.149)

    Host is up (0.057s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 80/tcp open http nginx 443/tcp open ssl/http nginx Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 42.17 seconds

  45. Making Noise

  46. Scrape the site > httrack https://example.com –O /tmp/ or >

    msfconsole
 use auxiliary/crawler/msfcrawler
 set rhosts example.com
 set rport 443
 exploit

  47. ruby wpscan.rb --url example.com

  48. [+] Interesting header: LINK: <https://timnash.co.uk/ wp-json/>; rel="https://api.w.org/"
 [+] Interesting header:

    REFERRER-POLICY: strict-origin- when-cross-origin
 [+] Interesting header: SERVER: nginx
 [+] Interesting header: STRICT-TRANSPORT-SECURITY: max- age=31536000; includeSubDomains; preload
 [+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff
 [+] Interesting header: X-FASTCGI-CACHE: BYPASS
 [+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
 [+] Interesting header: X-TEC-API-ORIGIN: https:// timnash.co.uk
 [+] Interesting header: X-TEC-API-ROOT: https:// timnash.co.uk/wp-json/tribe/events/v1/
 [+] Interesting header: X-TEC-API-VERSION: v1
 [+] Interesting header: X-XSS-PROTECTION: 1; mode=block

  49. [+] robots.txt available under: https://timnash.co.uk/robots.txt [HTTP 200] [+] Interesting entry

    from robots.txt: https://timnash.co.uk/wp/wp-admin/ [HTTP 302] [+] Interesting entry from robots.txt: https://timnash.co.uk/wp/wp-admin/ admin-ajax.php [HTTP 400] [+] Sitemap found: https://timnash.co.uk/robots.txt [HTTP 200] [+] Sitemap entry: https://timnash.co.uk/sitemap.xml [HTTP 200] [+] humans.txt available under: https://timnash.co.uk/humans.txt [HTTP 200] [+] This site has 'Must Use Plugins' (http://codex.wordpress.org/ Must_Use_Plugins) [+] API exposed: https://timnash.co.uk/wp-json/ [HTTP 200]

  50. [!] 2 users exposed via API: https://timnash.co.uk/wp- json/wp/v2/users +----+----------+-------------------------------------+ |

    ID | Name | URL | +----+----------+-------------------------------------+ | 1 | Tim Nash | https://timnash.co.uk/author/timmy/ | | 2 | Tim Nash | https://timnash.co.uk/author/tim/ | +----+----------+-------------------------------------+

  51. [+] Enumerating WordPress version ... [i] WordPress version can not

    be detected [+] Enumerating plugins from passive detection ... [+] No plugins found passively [+] Finished: Fri Aug 16 05:45:31 2019

  52. --enumerate p [+] We found 8 plugins: [+] Name: atomic-blocks

    - v2.0.1 [+] Name: ewww-image-optimizer - v4.9.1 [+] Name: fast-velocity-minify - v2.7.3 [+] Name: otter-blocks - v1.2.4 [+] Name: query-monitor - v3.3.7 [+] Name: remove-query-strings-from-static-resources - v1.4 [+] Name: stream - v3.4.1 [+] Name: the-events-calendar - v4.9.6

  53. --enumerate ap ...

  54. --enumerate ap ... ...

  55. --enumerate ap ... ... ...

  56. --enumerate ap [+] Enumerating all plugins (may take a while

    and use a lot of system resources) ... Time: 00:36:14 <=====================================================================> (82035 / 82035) 100.00% Time: 00:36:14 [+] We found 13 plugins: [+] Name: atomic-blocks - v2.0.1 [+] Name: classic-smilies - v1.3 [+] Name: ewww-image-optimizer - v4.9.1 [+] Name: fast-velocity-minify - v2.7.3 [+] Name: otter-blocks - v1.2.4 [+] Name: query-monitor - v3.3.7 [+] Name: remove-query-strings-from-static-resources - v1. [+] Name: stream - v3.4.1 [+] Name: the-events-calendar - v4.9.6 [+] Name: the-events-calendar-shortcode - v2.2.1 [+] Name: two-factor [+] Name: wp-fingerprint - v2.1.2 [+] Name: wp-notification-center - v1.0.1

  57. What if it finds something?

  58. --enumerate ap [+] Name: woocommerce - v3.4.2 | Last updated:

    2019-08-12T13:44:00.000Z | Location: http://blueteamhackers.com/wp-content/plugins/ woocommerce/ | Readme: http://blueteamhackers.com/wp-content/plugins/woocommerce/ readme.txt [!] The version is out of date, the latest version is 3.7.0 [!] Title: WooCommerce <= 3.4.4 - Potential Object Injection Reference: https://wpvulndb.com/vulnerabilities/9120 Reference: https://woocommerce.wordpress.com/2018/08/29/ woocommerce-3-4-5-security-fix-release-notes/ [i] Fixed in: 3.4.5 ....

  59. OWASP ZAP

  60. Automated scan

  61. None
  62. None
  63. None

  64. Automated scan

  65. None
  66. None

  67. Attack Mode

  68. Attack Mode

  69. Attack Mode

  70. Fuzzing

  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None

  78. Exploitation

  79. None

  80. use exploit/shell/woocommerce_shell_upload
 set host blueteamhackers.com set target_uri /wp/ set payload

    exec
 set cmd cat wp-config.php

  81. PCI - DSS Scans

  82. Greenbone/OpenVAS

  83. Reporting

  84. Reporting and Assessment Known Exploits CVE and associated dread score

    Threat modelling the risk vs cost

  85. DREAD SCORE Damage – how bad would an attack be?

    Reproducibility – how easy is it to reproduce the attack? Exploitability – how much work is it to launch the attack? Affected users – how many people will be impacted? Discoverability – how easy is it to discover the threat?

  86. Remediation

  87. Remediation Fix stuff... Block or Limit access if fixing isn't

    an option Change things that can't be fixed.

  88. So take aways...

  89. Stuff you can test Locally/Against Dev Stack run WPScan locally

    against your dev stack run OWASP ZAP (via its GUI) or set it up as a proxy Metasploit/WPXF

  90. Production Consider running OpenVAS against production stack and all the

    dev stack with permission
  91. None

  92. TIM NASH @tnash | timnash.co.uk/security Thank you very much!