Categories: Cracking, Password, WordPress, WPScan

Brute Force WordPress Passwords with WPScan and Tor


Visit Center City Security for WordPress Penetration Testing and Security services.

I took another crack, pun intended, at brute forcing my WordPress password using WPScan. Unlike when I tried it the other day, this time I used Tor and set up a SOCKS proxy so that my attempts came from a different IP address. My thinking was that my web host might blacklist my IP after a certain number of failed attempts, so by using Tor I could simply switch IP addresses once the blacklist went into effect.

I am happy to say the proxy worked and the following command worked as expected:

sudo wpscan --url technicalagain.com --wordlist darkc0de.txt --username [redacted] --proxy socks5://127.0.0.1:9050 -v

The behavior of my web host did not match what I expected. Instead of blacklisting the IP, as soon as the 38th incorrect password was entered the web host returned a 406 error and stopped allowing login attempts for five minutes. Why does it allow 38 password attempts? Good question. So, to work around this I would have to enter 37 passwords, then wait five minutes, then enter the next 37 passwords, then wait five minutes, and slowly work through the entire dictionary list. At 37 passwords per five minutes it would take 121 days to exhaust the list of passwords in darkc0de.txt. Suffice it to say that this password policy control put in place by the web host is a satisfactory deterrent for the 99.99% of attackers who are not going to wait up to half a year just in the hope that my password is on the darkc0de list. It isn’t.

Categories: Scrapy, Web Crawler

Writing a Web Crawler with Scrapy


Scrapy is a Python application framework for crawling web sites and extracting structured data.  I challenged myself to see if I could write a web crawler that I could use to crawl this blog and scrape all of the post titles.  Here’s the code I ended up using.


import scrapy


class BlogSpider(scrapy.Spider):
    name = 'blogspider'
    start_urls = ['https://technicalagain.com/']

    def parse(self, response):
        # Each post title on the listing page is an <h1 class="title"> wrapping a link.
        for title in response.css('h1.title'):
            yield {'title': title.css('a ::text').extract_first()}

        # Follow the "previous posts" navigation link until there are no more pages.
        for next_page in response.css('div.nav-previous > a'):
            yield response.follow(next_page, self.parse)

After writing the crawler above, one simple command executes it and writes the output to a .csv or .json file (the result is shown at the top of the post).

scrapy crawl blogspider -o blogs.json

There are duplicates due to the way the “previous” page renders in WordPress. I could put in some extra logic to remove duplicates but that can be a challenge for another day. This got the job done and is a nice utility that can come in handy.
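The duplicate titles mentioned above can be removed after the crawl with a short post-processing step. The following is an added example, not code from the post or from Scrapy; it reads the JSON array that `scrapy crawl blogspider -o blogs.json` writes, normalizes whitespace and case, drops empty titles, and keeps the first occurrence of each title in crawl order. The sample output embedded below is constructed to mimic the repeats the WordPress “previous” page produces.

```python
import json

# Constructed sample in the shape scrapy writes with `-o blogs.json`:
# one {"title": ...} object per scraped <h1 class="title">. The repeated
# and whitespace-padded entries mimic what the "previous" page produces.
SAMPLE_OUTPUT = json.dumps([
    {"title": "Writing a Web Crawler with Scrapy"},
    {"title": "Scan WordPress for Vulnerabilities with WPScan"},
    {"title": "Writing a Web Crawler with Scrapy"},
    {"title": "  Scan WordPress for Vulnerabilities with WPScan "},
    {"title": None},
    {"title": "The Password Ladder"},
])


def normalize_title(title):
    """Collapse runs of whitespace so near-identical titles compare equal."""
    if title is None:
        return None
    return " ".join(title.split())


def dedupe_titles(items):
    """Return titles in first-seen order, dropping repeats and empty values.

    Comparison is case-insensitive; the first spelling seen is the one kept.
    """
    seen = set()
    unique = []
    for item in items:
        title = normalize_title(item.get("title"))
        if not title:
            continue
        key = title.casefold()
        if key in seen:
            continue
        seen.add(key)
        unique.append(title)
    return unique


def dedupe_json_text(text):
    """Deduplicate the JSON array text that the feed exporter writes."""
    return dedupe_titles(json.loads(text))


def dedupe_json_file(path):
    """Convenience wrapper for an on-disk blogs.json."""
    with open(path, encoding="utf-8") as fh:
        return dedupe_json_text(fh.read())


if __name__ == "__main__":
    for title in dedupe_json_text(SAMPLE_OUTPUT):
        print(title)
```

Run `dedupe_json_file("blogs.json")` against the real crawl output; the normalization step matters because WordPress themes often pad link text with newlines and indentation.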

Categories: Vulnerability Scanning, WordPress, WPScan

Scan WordPress for Vulnerabilities with WPScan

I scanned my own WordPress sites for vulnerabilities using a powerful command-line utility, WPScan. WPScan is a black-box vulnerability scanner specifically for WordPress. It is a stark reminder of why it is so important to minimize the number of plugins you use, delete the ones you have deactivated, and keep your software up to date. One simple little command, sudo wpscan example.com -u, will list all the WordPress usernames and the plugins installed (whether active or not), as well as all published vulnerabilities for those plugins, whether they have been fixed, and how to exploit them.

WPScan also peeks at the robots.txt file to discover “interesting” content that the author wants hidden from search engines. I made this mistake when I wrote about rolling my own password manager: I errantly thought it would be a good idea to list the directories I didn’t want indexed in the robots.txt file. I have since deleted that content.

I also used WPScan to search for TimThumb (tt) files and to brute force passwords for the usernames I discovered when enumerating the site.

TimThumb is a tool used by WordPress themes and plugins to resize images. Old versions of TimThumb have a security vulnerability that lets attackers upload malicious (“bad”) files from another website. The first bad file then lets the attacker upload more malicious files to the hosting account.

Great utility, powerful, and simple to use.

Next Steps

It would be a good idea to install a WordPress plugin that forces users to choose sufficiently complex passwords and blacklists IP addresses after a certain number of failed login attempts, essentially nullifying the efficacy of brute-force attacks.

It would also be a good idea to install the Tor proxy so the web host cannot block the IP address WPScan is using; it is just a simple technique to hide footprints.
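The lockout the host applied in the Tor post (a 406 after the 38th failure, then a five-minute wait) and the “blacklist IP addresses after a certain number of failed login attempts” suggestion above are the same control with different keys. The following is an added example, not code from either post or from WPScan or any WordPress plugin, that models that control and shows what a practitioner choosing such a plugin should check: a lockout keyed on the source IP alone is the variant that rotating exit IPs gets around, while keying on the account as well is not. Thresholds, status codes, IP addresses and the guess spacing are constructed for the simulation.

```python
from collections import defaultdict


class LoginGuard:
    """Refuse further attempts for `lockout_seconds` once `threshold`
    consecutive failures are counted against a key. `lock_by` selects the
    keys: "ip" (what the post expected the host to do), "user" (per account),
    or both. Time is passed in explicitly so the simulation is deterministic."""

    def __init__(self, threshold=38, lockout_seconds=300, lock_by=("user", "ip")):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.lock_by = tuple(lock_by)
        self._failures = defaultdict(int)  # key -> consecutive failure count
        self._locked_until = {}            # key -> time the lock expires

    def _keys(self, username, ip):
        keys = []
        if "user" in self.lock_by:
            keys.append("user:" + username.lower())
        if "ip" in self.lock_by:
            keys.append("ip:" + ip)
        return keys

    def is_locked(self, key, now):
        return now < self._locked_until.get(key, 0)

    def attempt(self, username, ip, password_ok, now):
        """One login attempt at time `now` (seconds). Returns 406 while locked
        out (mirroring the host in the post), 200 on success, 401 on a failure
        that was counted."""
        keys = self._keys(username, ip)
        if any(self.is_locked(k, now) for k in keys):
            return 406
        if password_ok:
            for k in keys:
                self._failures[k] = 0
            return 200
        for k in keys:
            self._failures[k] += 1
            if self._failures[k] >= self.threshold:
                self._locked_until[k] = now + self.lockout_seconds
                self._failures[k] = 0
        return 401


def guesses_accepted(guard, username, ips, total, spacing=1.0):
    """Replay `total` wrong guesses `spacing` seconds apart, rotating the
    source address through `ips` the way a Tor circuit change would, and
    count how many guesses the guard actually checked against the password."""
    accepted = 0
    for i in range(total):
        status = guard.attempt(username, ips[i % len(ips)], False, now=i * spacing)
        if status == 401:
            accepted += 1
    return accepted


def days_to_exhaust(wordlist_size, attempts_per_window, window_seconds):
    """Time to try every candidate under a fixed attempts-per-window policy."""
    windows = wordlist_size / attempts_per_window
    return windows * window_seconds / 86400


if __name__ == "__main__":
    rotating_ips = ["198.51.100.7", "203.0.113.42"]  # constructed, documentation ranges
    ip_only = LoginGuard(lock_by=("ip",))
    per_account = LoginGuard(lock_by=("user", "ip"))
    print("IP-only lockout, 2 rotating IPs, 100 guesses checked:",
          guesses_accepted(ip_only, "admin", rotating_ips, 100))
    print("Account+IP lockout, same run, guesses checked:",
          guesses_accepted(per_account, "admin", rotating_ips, 100))
    print("Days for 10,656 guesses at 37 per 5 minutes:",
          days_to_exhaust(10656, 37, 300))
```

With two rotating addresses the IP-only guard lets twice as many guesses through before the five-minute wait kicks in, and every extra exit node adds another 38; the account-keyed guard stops at 38 regardless of how many addresses the client has. A plugin that only ever keys on the client address is therefore the one whose efficacy the Tor trick undermines.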

Categories: Projects, ProjectSuccess, Stripe, WooCommerce, WordPress

Build an eCommerce Website with WooCommerce

I spent the last three weeks designing, building, testing, debugging and putting the finishing touches on my first eCommerce website, complete with a full shopping cart experience and product purchase workflow. One of my original project goals in launching this site was to learn how to take a payment online. This turned out to be relatively straightforward.

This project would have been all but impossible in 1998 and still very, very challenging in 2008.  In 2018, I didn’t even write a single line of code.

I considered three possible approaches for this project: WordPress with WooCommerce, Bootstrap with a shopping cart add-in, and Shopify. I ultimately decided on WooCommerce for two reasons. First, there were an overwhelming number of different shopping cart options within the Bootstrap community; although they are reasonably well supported, they couldn’t match the centralized level of community support available through WooCommerce. Second, the actual implementation of the payment options was sufficiently abstracted from the code, which appealed to me. Bootstrap is more customizable, but from what I could tell it would require me to set up my own piping to test and establish the payment workflow. Bootstrap may be more appropriate for a large-scale legitimate online retailer, but it seemed more complex than what I needed for a single-product sole proprietorship. I turned away from Shopify due to the recurring fee structure.

The installation of WooCommerce started with installing WordPress, then adding the WooCommerce plug-in, and then using the guided WooCommerce installation process to pick payment options. Originally I decided to use Stripe and PayPal, but ended up backing off PayPal because I felt it was sufficiently redundant with the features included in Stripe. Knowing that data minimization is a technique to reduce the possibility of breach, I decided to use just one payment system; I can always add PayPal if warranted in the future. WooCommerce has a very smooth installation process.

I finished by picking a theme and styling the site, integrating Google Analytics, customizing the product description and pricing, nailing down the cart and checkout workflows, and finishing with the “after sales” experience, which was basically just a follow-up email. I also set up Google AdWords. The pricing for Stripe is very affordable, something akin to 3% per transaction plus 30 cents and no recurring fees. WooCommerce can make some improvements.

Learning

This was a good and straightforward project. WooCommerce is satisfactory, but not a great product yet. There were a number of features I’d expect to be customizable right out of the box but that instead required me to install additional plug-ins (some free and some proprietary) or do some hacking deep in the configuration files. Three examples come to mind:

  1. To change the text on the “Add to Cart” button to say “Buy Now”
  2. To customize the “purchase confirmed” email
  3. To rearrange where the price shows up, whether above or below the product description

I was also disappointed that WooCommerce does not have a built-in visitor tracking/analytics or marketing package, requiring me to, you guessed it, install yet another batch of plug-ins.

After getting reasonably familiar with WooCommerce and participating in the community, I noticed that it is not uncommon for administrators to have 30 or 40 different plug-ins running for a single WooCommerce site. That makes debugging really hard and keeping the plug-ins up to date almost impossible, and it adds a lot more opportunities for defects and breach. Room for improvement, I think, for sure.

I didn’t have any real technical snags or frustrations, and I appreciated having the chance to learn about staging servers, testing the purchase process, applying a digital certificate (yet again), and a dash of search engine optimization and internet marketing.

It is truly amazing that we live in an era that a team of one guy can buy a domain name and hosting, get a digital certificate,  build a website and shopping cart, and can create an internet business in under three weeks for less than $80.  Eric Ries talks about this concept in his book The Lean Startup (summary) but it never really hit home for me how truly accessible technology is until I did this project.  We live in an amazing time!  This project would have been all but impossible in 1998 and still very, very challenging in 2008.  In 2018, I didn’t even write a single line of code.

Categories: Kali Linux

Install Kali Linux on a MacBook

I installed Kali Linux on a dual-booted MacBook Pro last week. The first thing I did was delete unnecessary files on the Mac to free up space; I then shrank the partition using Apple’s built-in Disk Utility and manually installed Kali on the remaining unused portion of the hard drive.

This wasn’t a particularly challenging project, but it wasn’t easy either. The only real issue I experienced was related to my bootable USB hard drive. I used a utility called Rufus to turn the Kali .iso file into a bootable installer on an external hard drive, but I messed up a configuration setting in Rufus. Although I could boot Kali into “live mode” just fine, I could only get about halfway into the installation before Kali could not detect my CD-ROM. You’d think this wouldn’t be a big deal, but a material part of the installation occurs when the contents of the USB drive are mounted and copied into a folder called /cdrom and the installer is “faked” into thinking the data is coming from a CD/DVD rather than a thumb drive. I tried to create the directory, mount it and move the contents in manually, but I was unable to get past this point. So, back to the drawing board. This time I used Apple’s built-in dd terminal utility to create the bootable USB, and the install went much smoother.

Once I got Kali installed, I noticed a few more odd things. For example, the mouse did not work during the install but worked fine afterwards. The /etc/apt/sources.list was blank. When I added a new non-root user, I had to log out and log back in before I could see the user, even though I was logged in as root. Once the new user was created, he wasn’t part of the sudoers file. Not a big deal, but one more step I had to follow up on. For overall ease of installation and first use I would give a score of about 7/10.

After playing with Kali for about three days now, I am really excited about all the penetration testing tools to learn, but I can’t say the experience is much better or worse really than when I have used the GNOME desktop on other Linux distributions like Ubuntu or Fedora.

My home network is really coming together now.  I now have access to Windows and Mac desktops, I have a nice Ubuntu server setup and my main machine is Kali running on a late 2011 MacBook.  We continue to abide by the ground rules by doing the work ourselves and breathing new life into old things.  More fun ahead.

Categories: Cracking, Ophcrack, Password, Projects

More Password Cracking – Windows Edition with Ophcrack

I continued the work I previously explained by attempting to crack a Windows administrator password. This time I created a new Windows administrator account, booted up using a Kali Linux USB and launched Ophcrack to go after the administrator account I had set up.

After launching Ophcrack, I navigated to the Windows partition and then to \WINDOWS\System32\Config to access the SAM database. I then downloaded a rainbow table called Vista Free and, after about 10 minutes, the admittedly weak password I had set up, hello123, was cracked. I was not able to crack all of the accounts, presumably because they were adequately complex.

I think next time I will experiment with chntpw to reset the Administrator password instead of attempting to crack it.

Categories: Cracking, John, Password

Password Cracking with John the Ripper

I did some preliminary experimenting with the password cracking utility John the Ripper to test the security of my own root password. I started by installing John and dumping the /etc/passwd and /etc/shadow entries into one file with unshadow.

sudo apt-get install john

sudo unshadow /etc/passwd /etc/shadow > mypasswd.txt

The mypasswd.txt file now holds a salted hash of my root password.  I then passed this over to John to work its magic.

john mypasswd.txt

John is very powerful. I experimented with the most basic cracking settings, starting with single-crack mode, then wordlists; after those, John would have moved on to incremental mode. I am happy to say I chose a sufficiently complex password that withstood John’s single-crack mode and wordlists.

Password cracking is very CPU intensive, and the 10+ year old server I am working with is probably about the least appropriate computer for a rigorous cracking attempt. The fan kicked on immediately and the laptop started running hot. After more than 10 minutes of cracking attempts I aborted John; you can see the output below.

This was a fun and great learning exercise.  I am going to continue experimenting with John. I will test John on the passwords stored in my Password Manager next.  Using this technique I will also mount the Windows partition I have on my server and attempt to access and crack the Windows password hashes from Ubuntu.
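Before handing a file like mypasswd.txt to John, it is worth looking at what the second field of each line actually is: the salted hash mentioned above is only as strong as the crypt scheme it uses, and the same file can mix sha512crypt or yescrypt entries with legacy md5crypt or 13-character DES hashes, locked accounts, and empty fields that allow login with no password at all. The following is an added example, not code from the post or from John the Ripper, that classifies each account in unshadow-style output (passwd layout with the hash in field two) and lists the ones that need a reset or a stronger scheme. The sample lines and the hash values in them are constructed placeholders in the right format, not real hashes.

```python
import re

# Constructed sample in unshadow output format. Hash bodies are placeholders,
# not real hashes; only the identifier prefixes and field layout matter here.
SAMPLE_UNSHADOW = """\
root:$6$rounds=5000$c0nstructedSalt$PlaceholderNotARealHashValue000000000000000000000000:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:!:105:65534::/run/sshd:/usr/sbin/nologin
legacy:$1$c0nstrct$PlaceholderMd5cryptHash00:1001:1001:Legacy App:/home/legacy:/bin/bash
olduser:ab4sZIOxjNF3Q:1002:1002:Traditional DES:/home/olduser:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/bash
alice:$y$j9T$c0nstructedSalt$PlaceholderYescryptHash:1004:1004:Alice:/home/alice:/bin/bash
"""

# crypt(3) identifier prefixes and a simple rating for each scheme.
HASH_SCHEMES = [
    ("$1$", "md5crypt", "weak"),
    ("$2a$", "bcrypt", "ok"),
    ("$2b$", "bcrypt", "ok"),
    ("$2y$", "bcrypt", "ok"),
    ("$5$", "sha256crypt", "ok"),
    ("$6$", "sha512crypt", "ok"),
    ("$7$", "scrypt", "ok"),
    ("$gy$", "gost-yescrypt", "ok"),
    ("$y$", "yescrypt", "ok"),
]

# Traditional DES crypt: 13 characters from the ./0-9A-Za-z alphabet, no prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify_hash(field):
    """Map the password field of a passwd/shadow line to (scheme, rating)."""
    if field == "":
        return ("none", "critical")      # empty field: login with no password at all
    if field[0] in "!*":
        return ("locked", "info")        # account locked or password login disabled
    for prefix, scheme, rating in HASH_SCHEMES:
        if field.startswith(prefix):
            return (scheme, rating)
    if DES_CRYPT.fullmatch(field):
        return ("descrypt", "weak")      # 8-character limit and a 12-bit salt
    return ("unknown", "review")


def audit(lines):
    """Classify every account in unshadow output (hash is the second field)."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, rating = classify_hash(fields[1])
        report.append({"user": fields[0], "scheme": scheme, "rating": rating})
    return report


def findings(report):
    """Accounts that need a password reset or a stronger scheme, sorted by name."""
    return sorted(r["user"] for r in report if r["rating"] in ("weak", "critical"))


if __name__ == "__main__":
    rep = audit(SAMPLE_UNSHADOW.splitlines())
    for r in rep:
        print(f"{r['user']:10} {r['scheme']:14} {r['rating']}")
    print("needs attention:", findings(rep))
```

Run `audit(open("mypasswd.txt").read().splitlines())` on the real unshadow output. The same scheme prefixes are what John reports as the hash “format” when it loads the file, so this is also a quick way to see which cracking mode will apply before spending CPU time.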

Categories: Server, Ubuntu

Setting Up A New Ubuntu Linux Server

I have plans to start a second open source project that will need a server, so over the past few days I re-purposed an old Windows laptop into a server running Ubuntu Linux.

The installation was a little tricky because after I downloaded the Ubuntu installation file, I discovered that the DVD burner on this old laptop was no longer working. Instead, I needed to create a bootable USB. Rufus is a great utility that made this very fast and easy.  I deleted an old recovery partition, added a 1 GB swap partition for virtual memory and loaded Ubuntu into the remaining free space.  I preserved the Windows partition and can now dual boot between the Ubuntu and Windows operating systems.

I created a new user account and landed on the third rung of the Password Ladder.  I configured SSH to access the server remotely and I am good to go.

I plan to make a few more configuration changes so the server stays awake persistently, turn off the Ubuntu GUI, and configure the SSH server to start on login. For now I’ve got enough traction to get started on my open source project.

Categories: Password

The Password Ladder

Where are you on the Password Ladder and what can you do to move one rung higher?

You’re standing next to the ladder, holding it, if you are using one of the world’s most common passwords like 123456, password, qwerty, 123456789, or letmein. Amazingly, even in 2018, 8-10% of people still use these most basic of passwords. If your username is discovered, your password is immediately compromised by even the simplest dictionary attack; heck, you don’t even need a dictionary to guess it. Never mind the case where just the password hash is discovered or an encrypted version of the password is acquired. You’re sunk no matter what.

You’re on the first rung of the ladder, if you are reusing the same username and password combination on the majority of the websites you visit.  This is especially problematic if the credentials you use for your bank account or email address are not unique.  Most email accounts serve as a gateway to other account credentials.  If you’re on the first rung of the ladder, basically any website getting hacked puts in jeopardy your identity and financial assets.

You’re on the second rung of the ladder, if you are reusing the same username and a password that is made up of a basic combination of personal information like your children’s names and your anniversary date.  The second rung is barely any better than the first rung.

You’re on the third rung if you are using a single base word and then substituting special characters and capitalization instead of random word combinations. Thank you, xkcd: there is no simpler way to describe this than the comic below.

If you made it this far, you are in the top 5%. The fourth rung has two-factor authentication turned on for important accounts like your email, bank, benefits, and retirement vehicles. Incredibly, it is estimated that only 5-10% of people have voluntarily enabled two-factor authentication on Gmail even though it has been available for a number of years.

You’re at the top of the ladder if you are randomly generating usernames and passwords (not reusing them), you have two-factor authentication turned on, and you are using a structured approach to manage your passwords, like a password manager or browser autocomplete, to make sure your passwords are of maximum length and complexity.

Please remember that there is no perfect system. Even at the fifth rung, it can be debated whether password managers and browser autocomplete provide additional security or introduce additional risk vectors. The debate is warranted, but I believe the benefits outweigh the risks. Just know that no approach is impervious to all attacks, and keep in mind:

1. Phishing attacks actually work.

2. Credential theft via phishing and administrator credential theft are the most common ways external actors gain access.

3. Social engineering attacks (pretext calling), over the shoulder snooping, and man-in-the-middle attacks are still a very effective way to steal credentials.

4. Many people still write their passwords down, store them in text documents on their hard drive or server, or hard code passwords into source code and stored procedures. This includes storing encryption keys in the same folder as the encrypted material.

5. If there is data loss or exfiltration, it is much more likely to come from an internal actor’s intentional or unintentional activities (misconfigurations, forgetting to encrypt, copying the whole file instead of one record, etc.).

6. Zero-days (undiscovered defects) are involved only 1-5% of the time. It is much more common that a known defect will be exploited. Some known defects are 5 or more years old and still unpatched in production. Bad actors scan for and fingerprint unpatched defects, and they have open source exploit kits to take advantage of a defect once spotted. Malicious actors don’t even have to be that technical to be effective.

Control what you can and take necessary precautions.  Move yourself up one rung of the ladder.
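As an added illustration of why the third rung (one base word plus substitutions) sits well below the top rung (randomly generated passwords or random word combinations), here is a small guess-space calculation. It is not from the post; the substitution table, dictionary and wordlist sizes, symbol set and guess rate are all assumptions, chosen in the spirit of the xkcd comparison the post refers to. The model takes the attacker's view: anyone who knows the pattern enumerates the dictionary, the substitutions and the suffix rather than every possible character.

```python
import math

# Assumed substitution table: which alternative spellings a "3rd rung" user
# might apply to each letter. Each entry adds 1 + len(options) choices.
SUBSTITUTIONS = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def substitution_variants(word):
    """How many spellings the substitution table produces for one base word."""
    total = 1
    for ch in word.lower():
        total *= 1 + len(SUBSTITUTIONS.get(ch, ""))
    return total


def substituted_word_bits(word, dictionary_size, suffix_digits=0,
                          suffix_symbols=0, symbol_set=32):
    """Entropy of: dictionary word + optional capitalisation + substitutions
    + a short digit/symbol suffix, against an attacker who knows the pattern."""
    bits = math.log2(dictionary_size)                 # which base word
    bits += 1                                         # first letter capitalised or not
    bits += math.log2(substitution_variants(word))    # which substitutions were applied
    bits += suffix_digits * math.log2(10)
    bits += suffix_symbols * math.log2(symbol_set)
    return bits


def passphrase_bits(n_words, wordlist_size):
    """Random words drawn independently from a wordlist (the xkcd approach)."""
    return n_words * math.log2(wordlist_size)


def random_password_bits(length, alphabet_size=94):
    """Password-manager output: each character uniform over printable ASCII."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast, unsalted hash
    cases = [
        ("rung 3: Tr0ub4dor&3 style", substituted_word_bits("troubador", 65536, 1, 1)),
        ("top rung: 4 random words", passphrase_bits(4, 2048)),
        ("top rung: 16 random chars", random_password_bits(16)),
    ]
    for label, bits in cases:
        print(f"{label:28} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
```

The point the numbers make is that the substitutions and the suffix add only a handful of bits on top of the dictionary lookup, whereas each extra random word or random character multiplies the space; that is the gap between the third rung and the top one.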

Categories: Books

Book Review: From the Outside

From the Outside is a nice memoir from NBA Hall of Famer Ray Allen. I chose to read this book because of this article that Ray Allen published in the Players’ Tribune last year. Allen is known for having one of the best work ethics in the NBA; his 18-year career proved that he did a lot of things right. While the memoir details a number of conflicts and drama Allen experienced with teammates and coaches, I was particularly attracted to the book to see if I could learn more about Allen’s habits.

Self-diagnosed as suffering from a partial case of obsessive compulsion, Allen emphasizes how commitment to routines and habits was instrumental to his success and longevity. Allen shares a lifestyle that we see many athletes emulating today: no alcohol, clean diet, plenty of rest, a focus on stretching and recovery, and showing up to every game three hours early.

There are some sneaky good lessons relevant to professional success: making unpopular choices doesn’t mean they are wrong; most people are rooting against you, not for you; and it’s not that most people aren’t willing to do the work, it’s that most people aren’t willing to do the work when it gets really hard (stick-to-it-iveness). There are many similarities to one of my all-time favorite books, The Slight Edge. This was an excellent book that I recommend. Sports fans will enjoy it.