The scan uses techniques that include brute forcing the plugins directory of a wordpress installation to find installed plugins. This is an accurate way to find plugins and can even pinpoint plugins that are disabled within the site but still installed in the wp-content/plugins directory and possibly a security risk.

Features of the active WPScan component include:

• Username discovery; with usernames an attacker can then start brute forcing account passwords
• Enhanced version enumeration, from both the meta generator tag and client side files
• Vulnerability identification, comparing current version with known vulnerabilities
• Timbthumb file discovery – this is a vulnerability affecting hundreds of thousands of WordPress sites
• Plugin enumeration (over 2000 plugins tested)
• Plugin vulnerability identification (from plugin name)
• Test for directory indexing on any discovered plugins

Due to the aggressive nature of the plugin and username discovery techniques we have decided to make the WPScan component of our online scanner available only to members.

If you would like to run WPScan from your own installation there are excellent getting started guides on the google-code site and in the README file. Getting it installed and running on Ubuntu or Back-track does not take much effort; so fire up your Linux distro and start testing.

Did you known that wordpress runs more than 11% of the worlds top web sites.

Joomla is a popular content management system; that is very extensible. This popularity and wide range of extensions makes it a popular target for hackers.

The Joomscan tool has the following features:

Back in 2009 HackerTarget.com had the Joomscan scanner as a free scanning tool, however due to abuse we decided to dis-continue the tool. With a recent update we have decided to make this version an extension of our current non-intrusive tool. Use of the active Joomscan component will require a valid HackerTarget.com membership. This will ensure any abuse of the tool is limited; and will provide a better experience for all our users.

Joomscan is a perl based tool that anyone can download and install. Why not give it a go yourself. Head over to the project page and start your own testing.

We have launched our new monitoring tool; use it to alert you to changes that occur on your network perimeter or Internet facing servers. Systems administrators and security teams should be aware of what services are available from the Internet.

With regular monitoring you can be alerted when something changes; here are a few examples:

Detect firewall changes

Detect Internet facing service changes

These questions will not be answered by the new monitoring service; but you will know a change has occurred and at least be able to ask the question.

Features of the new monitoring service include:

These screen shots, give a brief overview of what the service looks like. There is essentially two components from an end user perspective; a dashboard giving a summary of enabled scans and a form to schedule new tests.

Screenshot 1: Dashboard

Screenshot 2: Schedule New Monitor

Gold or Silver membership is required to use the scheduled port scanning. Immediate access is available to new members or login now if you have a valid membership.

×

×

The primary reason for the change is that even with multiple layers of restrictions in place, a very small percentage of users continued to attempt to abuse the systems.

While the occurrences of abuse was very low, the ongoing maintenance required when playing a game of whack a mole was taking time away from further development and improvements to the services on offer. Blacklists were continually being updated with free email provider domains, Tor IP addresses, and other anonymous services.

Security Scans that are now restricted include the Nikto Web Site Scanner, the SQL Injection Scan and the OpenVas Vulnerability Scan. These are scans that are quite noisy and can result in Intrusion Detection Systems Alerts and large numbers of log file entries.

All non-intrusive security scans and information gathering tools will continue to be available for Free as will be the most popular on-line Nmap scan.

Membership will provide access to all current scans and some new tools that are under development. The requirement to pay for membership adds an additional layer of identification before any intrusive scans can be initiated.

Information technology professionals who use our services will find the low cost and enhanced service offerings a most welcome addition.

Stay in touch with twitter or our new mailing list for these exciting new developments.

Regards,

Peter
Director and Lead Analyst

It is important to understand what ports are open and listening on your perimeter network or hosted Internet servers. With the updated tool you can now quickly determine what ports are listening on both your IPv4 based address and your IPv6 address. As people move towards IPv6 (will 2012 be the year of IPv6?), it is necessary to ensure that network protection devices and software are configured and capable of protecting both IPv4 and IPv6 traffic.

An AAAA DNS record has been added to our main site, and if you try our powered by tool (part of the IP Tools), you will be able to see that we are serving pages to both IPv4 and IPv6 addresses.

If 2012 is going to be year of IPv6 we are ready to go.

Now for a quick background check; Ubuntu is stable, easy to use and a rock solid desktop. I have been using it since the Warty Warthog (Ubuntu 4.10 ~ 2004), it runs on all my systems: home server, virtual servers and laptops.

Back to the question:

An Ubuntu Virus?

, the short answer is no there is no significant threats to an Ubuntu system from a virus. There are cases where you may want to run it on a desktop or server but for the majority of users, you do not need antivirus on Ubuntu.

Keep in mind that while you don’t need anti-virus does not mean you don’t need to be security aware.

Members of the Ubuntu community have put together an excellent introduction to Security on Ubuntu Linux. There are also free firewall test and other scanning tools available to ensure your network is correctly configured.

Once you have familiarized yourself with the concepts and information in the guide; if you are really keen (or paranoid) I would suggest a security addition to your systems, it is known as Host Based Intrusion Detection system. My HIDS agent of choice is ossec.net, it will not detect a virus as such but it does alert you to anomalous behavior on the system by examining system logs and watching the file system. If you chose to run OSSEC you probably do not need to run rkhunter and chkrootkit that are mentioned on the Basic Security Wiki page.

This old install guide I did for OSSEC on Ubuntu has the basic steps in getting it up and running.

Finally if you have a need for running anti-virus on Ubuntu, there is a good article on the Ubuntu wiki that has links to the popular and free antivirus software available (such as AVG, Avast, Avira) and the open source clamAV.

Recall back in November last year when we published a history of sql injection attacks, and followed that up with a sql injection tutorial. The purpose of these publications is to increase awareness of sql injection and to familiarize users with securing dynamic web applications. For testing and understanding the attack we have an online sql injection test that allows anyone to quickly test a HTTP GET based URL for a sql injection vulnerability.

It is normal to assume that when implementation of security has a cost associated with it; in the form of development time or code fixing, there will be those who hold off until disaster strikes. However it seems that unless that disaster directly affects the organisation, pushing applications out that have been untested or security reviewed continues to be the normal practice.

Around the same time we have been putting a wordpress infographic that highlights some of the findings from our analysis of wordpress usage among the top 100K sites (as rated by Alexa).

WordPress Usage in the Top 100K Infographic

Hit the link for the full list – SQL Injection Scanners

First of course there is the HackerTarget.com scan, externally facing and coming in at a fairly high level. The system downloads some of your pages, does analysis, checks a few additional links and gives you a tidy little report detailing any security issues discovered.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing for:

Additionally username’s can also be gathered through some WordPress themes, RSS feeds, and author page URI’s such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed… don’t they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.