Joomla Security Scanner (Joomscan)
Joomla Security Scanner detects file inclusion, SQL injection and command execution vulnerabilities in a target Joomla website. It helps web developers and webmasters identify possible security weaknesses on their deployed Joomla sites. No other web security scanner is dedicated to a single CMS.
Features of Joomla Security Scanner:
Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
Common Joomla! based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to Text & HTML output
Immediate update capability via scanner or svn
How to use Joomla Security Scanner in BackTrack 5
First open BackTrack and follow this path: Applications -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> CMS Vulnerabilities Identification -> Joomscan
How to use Joomscan
When you open joomscan it will look like the screenshot shown in the original post.
Scanning for vulnerabilities
Now scan our Joomla site for vulnerabilities. To do this, enter the following command in the terminal:
./joomscan.pl -u www.example.com
Vulnerabilities discovered
The scan output lists the vulnerabilities found, as in the screenshot shown in the original post.
CMS Explorer - discover the CMS components behind the site
CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven websites are running. Additionally, CMS Explorer can be used to aid security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a separate proxy to help "bootstrap" security testing tools such as Burp, Paros, WebInspect, etc. CMS Explorer currently supports module/theme discovery for the following products:
Drupal
WordPress
Joomla!
Mambo
How to use CMS-Explorer
Open your BackTrack terminal and type cd /pentest/enumeration/web/cms-explorer
You can also reach it through the menu: first open BackTrack and follow this path: Applications -> BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> cms-explorer
Scan a Joomla site:
./cms-explorer.pl -url http://example.com -type joomla
Scan a WordPress site:
./cms-explorer.pl -url http://example.com -type wordpress
Scan a Drupal site:
./cms-explorer.pl -url http://example.com -type drupal

WPScan - WordPress Security Scanner
WPScan is a black-box WordPress security scanner written in Ruby that attempts to find known security weaknesses in WordPress installations. It is intended for security professionals and WordPress administrators assessing the security posture of their WordPress installations. Features include:
Username enumeration (from author query string and location header)
Weak password cracking (multithreaded)
Version enumeration (from generator Meta tag)
Vulnerability enumeration (based on version)
Plugin enumeration (2220 most popular by default)
Plugin vulnerability enumeration (based on version)
Plugin enumeration list generation
Other misc WordPress checks (theme name, dir listing …
How to use wpscan in BackTrack 5
Open your BackTrack terminal and type cd /pentest/web/wpscan
Now scan a single URL:
ruby wpscan.rb --url www.example.com
Other scans
Only do version enumeration:
ruby wpscan.rb --url www.example.com --version
Do a wordlist password brute force on the enumerated users using 50 threads:
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
Do a wordlist password brute force on the 'admin' username only:
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
Generate a new 'most popular' plugin list, up to 150 pages:
ruby ./wpscan.rb --generate_plugin_list 150
Enumerate installed plugins:
ruby ./wpscan.rb --enumerate p

Plecost
Plecost is a WordPress fingerprinting tool: it searches for and retrieves information about the plugin versions installed on WordPress sites. It can analyze a single URL or run its analysis over results indexed by Google, and it displays the CVE identifier associated with each plugin where one exists.
How to use plecost in BackTrack: open your BackTrack terminal and type ./plecost-0.2.2-9-beta.py
How to use plecost
Syntax: ./plecost-0.2.2-9-beta.py -i wp_plugin_list.txt http://www.example.com -G
Google search options:
-l num : Limit the number of Google results for each plugin.
-G : Google search mode.
Options:
-n : Number of plugins to use (default: all, more than 7000).
-c : Check only plugins with an associated CVE.
-R file : Reload the plugin list; use the -n option to control its size.
-o file : Output file (default "output.txt").
-i file : Input plugin list (required to start the program).
-s time : Minimum sleep time between two probes, in seconds (default 10).
-M time : Maximum sleep time between two probes, in seconds (default 20).
-t num : Number of threads (default 1).
-h : Display help (more info: http://iniqua.com/labs/).
WhatWeb
WhatWeb is like nmap, but for the web. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers and embedded devices. WhatWeb has over 900 plugins, each one recognizing something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors and more.
Features:
Over 900 plugins
Control over the trade-off between speed/stealth and reliability
Plugins include example URLs
Performance tuning: control how many websites are scanned concurrently
Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, Magic Tree, Ruby Object, MongoDB
Recursive web spidering
Proxy support, including Tor
Custom HTTP headers
Basic HTTP authentication
Control over web page redirection
Nmap-style IP ranges
Fuzzy matching
Result certainty awareness
Custom plugins defined on the command line
How to use WhatWeb in BackTrack
First open BackTrack and follow this path: Applications -> BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> whatweb
Usage: ./whatweb
Use WhatWeb in verbose mode: ./whatweb -v www.example.com
BlindElephant - Web Application Fingerprinter
The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic and highly automatable.
Features:
Fast, low-resource approach (generally <6 seconds and < 400kb)
Support for 15 commonly deployed web apps (and hundreds of versions), and very easy to add support for more
Support for web app plugins (Drupal and WordPress currently, more with community input)
How to use BlindElephant in BackTrack
First open BackTrack and follow this path: Applications -> BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> blindelephant
Usage: ./BlindElephant.py www.example.com CMS
(replace CMS with the name of the web application you want to fingerprint)
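As an added illustration of the hash-comparison technique BlindElephant's description above relies on, written for this page rather than taken from BlindElephant itself: the version numbers, file paths and file contents are constructed sample data, and the script runs entirely offline.

```python
# Added example (not BlindElephant's own code): infer a web application's
# version from hashes of its static files, using constructed sample data.
import hashlib
from typing import Dict, Optional, Set

# Hypothetical release trees: version -> {static path: file bytes}. In practice
# this table is precomputed once from the vendor's release archives.
RELEASES: Dict[str, Dict[str, bytes]] = {
    "1.5.12": {"/media/core.js": b"core v1", "/css/system.css": b"css a"},
    "1.5.13": {"/media/core.js": b"core v2", "/css/system.css": b"css a"},
    "1.5.14": {"/media/core.js": b"core v2", "/css/system.css": b"css b"},
}

HashDB = Dict[str, Dict[str, Set[str]]]  # path -> {sha1 hex -> versions}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_hash_db(releases: Dict[str, Dict[str, bytes]]) -> HashDB:
    """Index every known file as path -> {hash -> versions shipping that exact file}."""
    db: HashDB = {}
    for version, files in releases.items():
        for path, content in files.items():
            db.setdefault(path, {}).setdefault(sha1_hex(content), set()).add(version)
    return db


def infer_versions(db: HashDB, observed: Dict[str, bytes]) -> Set[str]:
    """Return the versions consistent with every observed static file.

    Each file whose hash is known narrows the candidate set by intersection.
    A file whose hash matches no release (e.g. one customised on the site)
    carries no evidence and is skipped rather than ruling every version out.
    An empty result means the observed files fit no single release."""
    candidates: Optional[Set[str]] = None
    for path, content in observed.items():
        matches = db.get(path, {}).get(sha1_hex(content))
        if matches is None:
            continue  # unknown or modified file: no evidence either way
        candidates = set(matches) if candidates is None else candidates & matches
    return candidates if candidates is not None else set()


if __name__ == "__main__":
    db = build_hash_db(RELEASES)
    # Constructed "fetched" files: core.js is shared by 1.5.13 and 1.5.14,
    # so system.css is what singles out 1.5.13.
    print(infer_versions(db, {"/media/core.js": b"core v2", "/css/system.css": b"css a"}))
```

Because two sample releases share the same core.js, fingerprinting from that file alone leaves two candidates; this is why the technique needs several static files per application to pin an exact version.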