First of course there is the HackerTarget.com scan, externally facing and coming in at a fairly high level. The system downloads some of your pages, does analysis, checks a few additional links and gives you a tidy little report detailing any security issues discovered.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing for:

Additionally username’s can also be gathered through some WordPress themes, RSS feeds, and author page URI’s such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed… don’t they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.

That is almost as cool as Nmap being used in the Matrix.

The National Security Agency and the Central Security Service tested the five U.S. service academies during the 2009 Cyber Defense Exercise.Teams were tested on their ability to defend computer networks the students designed themselves. The winner took home the coveted CDX trophy. In an unclassified movie produced by the NSA, we caught a glimpse of BackTrack being used in the CyberDefence 2009 Wargames.

http://www.backtrack-linux.org/backtrack/backtrack-used-by-the-nsa/

It is a new web interface for Snort that is very pretty, but also simple. An excellent introduction to Intrusion Detection Systems, that is not going to scare anyone away.

Now how to I get hold of this I hear you cry…. head over here and grab the preconfigured security appliance.

I downloaded the iso, fired up a virtualbox machine and away it went. Seriously a working Snort install in under 10mins. Nice!

Obviously you want to test your snort, so I fired off an nmap scan with the script option against my Windows XP SP2 test machine.

# nmap -sC 192.168.56.101

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-06-02 10:19 EST
Nmap scan report for 192.168.56.101
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:22:22:22:22:22

Host script results:
|_nbstat: NetBIOS name: ASDF, NetBIOS user: , NetBIOS MAC: 22:22:22:22:22:22
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Name: WORKGROUP\ASDF
|_ System time: 2010-06-02 10:19:58 UTC-7
|_smbv2-enabled: Server doesn’t support SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 12.09 seconds

Snorby showed me some nice port scan alerts.

Now I was running through my guide to Metasploit 3.4.0 and figured I would see something in Snorby. As shown in the guide I successfully ran metasploit with ms08_067 exploit using a meterpreter payload and a vnc dll injection payload. Gaining full access to the Windows XP SP2 machine.

Snorby (and Snort) results show nothing.

Hmm, Snorby is running with up to date rules from emerging threats and snort. I was quite surprised and will be looking into the reasons for this in the near future. I would have thought I would have triggered something in the snort rules during this exploit.

Latest version includes performance improvements, new OS finger printing and a new traceroute engine.

So here is a quick start guide.

Start by heading over to the download page, here you can get the latest release (5.00) of the Linux version or the nmap windows version.

Install the Linux version is as easy as:

tar zxvf nmap-5.00.tar.gz
cd nmap-5.00
./configure
make
make install <- need to do this as root, as it will install the binaries into the bin folders.

Nmap for Windows is just a matter of running the nmap exe

1. Nmap Range of IP addressess:

nmap 192.168.0.1-10

2. Nmap Range of ports:

nmap -p 1-1024 192.168.1.1

3. Nmap service version detection:

nmap -sV 192.168.1.1

4. Nmap OS version detection:

nmap -A 192.168.1.1

5. Nmap external script checks

nmap -sC 192.168.1.1

6. Nmap scan without ping check (sometimes ping is blocked but you still want to scan)

nmap -PN 192.168.1.1

7. Nmap scan only scanning known ports (fast scan)

nmap -F 192.168.1.1

The nmap gui for those who dislike the command line is Zenmap – it is relatively new and has some powerful features for those who are afraid of a little command line kung fu.

The above commands are just a taste of the power of nmap. Check out the full set of features by running nmap with no options. A new book is also available by Fyodor.