Online Vulnerability Scanners and Port Scans (https://hackertarget.com) - Security Vulnerability Scanners and Assessments. Feed generated Mon, 06 Jul 2015 13:31:11 +0000.

Quietly Mapping the Network Attack Surface
https://hackertarget.com/quietly-mapping-the-network-attack-surface/
Mon, 04 May 2015 11:55:40 +0000
When assessing the network security of an organization it is important to understand the breadth of the attack surface. A single forgotten host or web application in the network will often become the initial foothold for an attacker.

Passively Mapping the Network Attack Surface

Using open source intelligence (OSINT) techniques and tools it is possible to map an organization's Internet-facing networks and services without sending any packets (or only a few standard requests) to the target network.

Open source intelligence (OSINT) is defined as deriving intelligence from publicly available resources.

Looking at this another way, an attacker can do a comprehensive analysis and mapping of your network infrastructure and technologies without actually sending you any packets, and therefore without you having any knowledge that this reconnaissance has taken place.

Consider the following graphic; you will notice that as the analysis progresses, newly discovered items (IP addresses / host names / net blocks) open up new areas to explore (and attack).

Identifying all known hosts for an organization allows us to continue to dig deeper for more systems and hosts to target. By examining all discovered IP address blocks (ASNs) we can find other hosts within the net blocks of interest. Identifying related domains will lead to the discovery of more hosts.

Think of a single web server: the open services (ssh, http, rdp) are all points of attack, and discovering all the virtual hosts running on the server is also important, as the web applications running on any of those virtual hosts are also an attack vector.

In this overview the focus is the gathering of information specifically related to the organization's network footprint and services. Open source intelligence from social networks, email addresses, search engines and document metadata is often used for the purpose of developing a social engineering attack.

Basic DNS queries

Most domains will have a web site, mail server and DNS servers associated with them. These will be our initial point of reference when discovering the attack surface. We can use DNS lookup tools and whois to find where the web (A records), mail (MX records) and DNS (NS records) services are hosted.

hackertarget.com.	3600	IN	A	178.79.163.23
hackertarget.com.	3600	IN	AAAA	2a01:7e00::f03c:91ff:fe70:d437
hackertarget.com.	3600	IN	MX	10 aspmx.l.google.com.
hackertarget.com.	3600	IN	MX	20 alt1.aspmx.l.google.com.
hackertarget.com.	3600	IN	MX	20 alt2.aspmx.l.google.com.
hackertarget.com.	3600	IN	MX	30 aspmx2.googlemail.com.
hackertarget.com.	3600	IN	NS	ns51.domaincontrol.com.
hackertarget.com.	3600	IN	NS	ns52.domaincontrol.com.

Initial Host discovery (Google, Bing and Netcraft)

A simple search for all host names related to the target domain is also a good starting point. Search engines such as Google (site:example.com) and Bing (site:example.com) can reveal sub-domains and web hosts that may be of interest.

When searching with Google, if there are a large number of results you can exclude the already known hosts with the following query.

site:example.com -site:www.example.com

Google Hacking is a well documented technique that involves getting Google to reveal technical information that is of interest to an attacker. The Google hacking database is the best place to get started if you are not familiar with this technique.

Another handy tool is the Netcraft host search. Enter the domain as your search term (be sure to include the . before your domain name to only get sub-domains of your target domain). You can see that the Netcraft search provides a quick overview of known web hosts for the domain and the net blocks they are hosted in. Another interesting piece of information is the historical data; Netcraft have been collecting this data for a long time.

Finding more hosts through data mining DNS records

Passive DNS reconnaissance allows discovery of DNS host records without actively querying the target's DNS servers. If DNS monitoring is in place, active DNS recon could be detected by the target. Techniques that count as active DNS recon include brute forcing common sub-domains of the target or attempting DNS zone transfers (query type AXFR).

There are many online resources for passive DNS analysis and searching; rather than sticking to regular DNS lookups we can perform large scale searches using DNS data sets. One such resource is provided by scans.io.

The scans.io data

Scans.io and Project Sonar gather Internet wide scan data and make it available to researchers and the security community. This data includes port scans and a dump of all the DNS records that they can find.

Using the DNS records dump you can search through over 80GB of DNS data for all entries that match your target domain. If you do not wish to go through the trouble of downloading and extracting such a large chunk of data, you can use our free tools to get started with your network reconnaissance.

Name Servers (type=NS)

The DNS servers may be internal to the organization's network or, as is often the case, a hosted service. This can often be determined by simply looking up the net block owner (ASN) of the DNS server's IP address.

When looking at DNS servers we can not only review the host (A) records that point to the IP address of the DNS server but also do a reverse search across DNS data for all domains that use the same DNS server. In a hosted situation this may not be as valuable, but if it's an internal company DNS server we will quickly identify all related domains of the organization (at least those using this DNS infrastructure).

targetdomain.com
targetdomain.co.uk
targetdomain.net
forgotten-footy-tipping-site-with-no-security-controls.com
vpn.targetdomain.com
webmail.targetdomain.com

SPF Records (type=TXT)

Sender Policy Framework (SPF) is configured through a TXT DNS record. If configured, this record lists all servers (or networks) that are allowed to send email for the domain, and it can reveal IP addresses (and net blocks) of the organization that you may not have been aware of.

hackertarget.com.	3600	IN	TXT	"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip4:66.228.44.129 ip4:173.255.225.101 ip4:66.175.214.247 ip6:2a01:7e00::f03c:91ff:fe70:d437 ip6:2600:3c03::f03c:91ff:fe6e:d558 include:_spf.google.com ~all"
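The DNS answer lines and the SPF record above are plain text that is easy to mine. The following added example (my own code, not a tool from the hackertarget.com post) parses dig-style answer lines into records by type, breaks the SPF TXT record into the networks it authorises, and offers a check for whether a given sender IP is covered. The input is the post's own example records pasted into a constant; the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed input for this example: the answer lines quoted in the post,
# in TAB-separated dig output format (name, TTL, class, type, rdata).
DIG_OUTPUT = (
    "hackertarget.com.\t3600\tIN\tA\t178.79.163.23\n"
    "hackertarget.com.\t3600\tIN\tAAAA\t2a01:7e00::f03c:91ff:fe70:d437\n"
    "hackertarget.com.\t3600\tIN\tMX\t10 aspmx.l.google.com.\n"
    "hackertarget.com.\t3600\tIN\tMX\t20 alt1.aspmx.l.google.com.\n"
    "hackertarget.com.\t3600\tIN\tNS\tns51.domaincontrol.com.\n"
    "hackertarget.com.\t3600\tIN\tNS\tns52.domaincontrol.com.\n"
    'hackertarget.com.\t3600\tIN\tTXT\t"v=spf1 include:_spf.google.com '
    "ip4:178.79.163.23 ip4:66.228.44.129 ip4:173.255.225.101 ip4:66.175.214.247 "
    "ip6:2a01:7e00::f03c:91ff:fe70:d437 ip6:2600:3c03::f03c:91ff:fe6e:d558 "
    'include:_spf.google.com ~all"\n'
)


def parse_dig(text):
    """Group dig answer lines by record type: {"A": [...], "MX": [...], ...}."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t", 4)  # rdata may contain spaces but never tabs
        if len(parts) != 5 or parts[2] != "IN":
            continue
        records[parts[3]].append(parts[4])
    return dict(records)


def parse_spf(txt_rdata):
    """Break an SPF record into networks, include targets, other mechanisms and the 'all' qualifier."""
    spf = txt_rdata.strip().strip('"')
    if not spf.startswith("v=spf1"):
        return None  # some other TXT record (DKIM, verification tokens, ...)
    result = {"networks": [], "includes": [], "mechanisms": [], "all": None}
    for term in spf.split()[1:]:
        qualifier = "+"  # the SPF default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            result["all"] = qualifier
        elif term.startswith("include:"):
            target = term[len("include:"):]
            if target not in result["includes"]:  # the sample record lists one include twice
                result["includes"].append(target)
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if net not in result["networks"]:
                result["networks"].append(net)
        else:
            result["mechanisms"].append(term)  # a, mx, ptr, exists:, redirect= and friends
    return result


def spf_networks(records):
    """Return the directly listed sender networks from every SPF TXT record as CIDR strings."""
    nets = []
    for rdata in records.get("TXT", []):
        spf = parse_spf(rdata)
        if spf:
            nets.extend(str(n) for n in spf["networks"])
    return nets


def is_authorised_sender(spf, ip):
    """True if ip falls inside a network listed directly in the record (includes are not followed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf["networks"] if net.version == addr.version)


if __name__ == "__main__":
    records = parse_dig(DIG_OUTPUT)
    for rtype, values in records.items():
        print(rtype, values)
    print("SPF sender networks:", spf_networks(records))
```

The include: targets are deliberately not resolved here, because following them requires live DNS queries; on a real review you would look those records up separately, since each include can add further networks to the footprint.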

Reverse DNS across IP blocks of Interest

Once you have a list of all IP addresses and ASNs of interest you can attempt to find more active hosts within those net blocks that the organization owns or has assets within. A good way of finding more hosts is to perform a reverse DNS search across the full net blocks of interest.

178.79.x.22 host4.example.com
178.79.x.23 targetdomain.com
178.79.x.24 forgotten-unpatched-dev-host.targetdomain.com
178.79.x.25 host6.example.com

Finding Web Servers

When it comes to mapping a network, the web servers of an organization open up a wide attack surface. They also contain a wealth of information: not just the published content but insights into the technologies in use, the operating systems and even how well managed the organization's information technology resources are.

To map the attack surface of a web server it is important to consider the available network services, the virtual hosts (websites) and the web applications in use.

Identifying all virtual web hosts on the web server is an important part of the information gathering process. Different web sites on the same web server will often be managed using different content management systems and web applications. A vulnerability in any of these web applications could allow code execution on the web server.

To identify the virtual web hosts on a particular IP address there are a number of well known web based tools such as Bing and Robtex. An IP address search using the ip:1.1.1.1 search term on the Bing search engine will reveal all web sites in Bing's index that point to that IP address. Experience shows this is a good starting place but, like the Bing search engine in general, it can contain stale entries and limited results.

As previously mentioned, scans.io regularly compiles all the DNS data it can publicly find; we can use this data to identify the web server hosts (A records). By searching for an IP address across all the known DNS records we can find every host that resolves to that IP. This is the method we use for the Reverse IP Address Search tool we created and also for parts of the dnsdumpster.com project.

Other Network Services

In any vulnerability assessment it is essential to identify all listening services. A web server will usually have an HTTP service (port 80), an FTP server an FTP service (port 21), and a mail server will be listening for mail (SMTP on 25, POP3 on 110, IMAP on 143 and more).

It is important to discover all the listening services in order to determine if they are vulnerable to exploitation or authentication attacks.

Traditionally these services would be identified using port scans with tools such as the Nmap port scanner. Of course, using a port scanner is no longer a passive undertaking, as a tool such as Nmap sends packets to the target systems.

shodan.io search engine

To passively find open services and the banners for the open services we can use the shodan.io search engine. From the banners of services such as web servers, mail and ftp we are able to identify the version of the server software running the service and often the operating system of the server. All without sending any packets to the target organization.

dnsdumpster.com is a free tool that automagically collates DNS and host data.

Becoming the attacker and the Next Steps

Putting yourself in the shoes of an attacker and attempting to map out an organization's Internet-facing systems is a great way to develop an understanding of the attack surface of a network. Start by finding all the public IP addresses of known hosts for a domain, then expand this to include the net blocks of interest that are hosting these services. Now try to find all virtual host names that are hosted on those IP addresses, and from this you can map out the web applications in use.

From this initial passive analysis it may be possible to identify vulnerable (or possibly vulnerable) points in the network; this can inform your next steps and where to focus your attack or vulnerability assessment.

Moving on from passive analysis, the next steps to consider are active information gathering such as DNS zone transfers or sub-domain brute forcing, followed by active network scanning such as Nmap port scans and vulnerability scanning.

Ultimately the next steps will be determined by your scope and your purpose for performing the analysis.

tshark tutorial and filter examples
https://hackertarget.com/tshark-tutorial-and-filter-examples/
Wed, 22 Apr 2015 13:56:25 +0000

tshark is a packet capture tool that also has powerful reading and parsing features for pcap analysis.

Rather than repeat the information in the extensive man page and on the wireshark.org documentation archive, I will focus on providing practical examples for how you can get started using tshark and begin carving valuable information from the wire.

tshark examples

Use these as the basis for building your own extraction commands. As you can see, the syntax is very similar to tcpdump's.

tshark -i wlan0 -w capture-output.pcap
tshark -r capture-output.pcap

In the following example we extract data from any HTTP requests that are seen. With -T fields we specify that we want to extract fields, and with the -e options we identify which fields to extract.

tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent

searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
1 searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
ads.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

The default separator for the fields in the output above is TAB. We could also use the parameter -E separator=, to change the delimiter to a comma.

Here is an example that extracts both the DNS query and the response address.

tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr

68 campus-map.stanford.edu	171.64.144.142
www.google.com	
itunes.apple.com	104.74.40.29
71 itunes.apple.com	
campus-map.stanford.edu	
admission.stanford.edu	171.67.215.200
74 financialaid.stanford.edu	171.67.215.200
admission.stanford.edu	

Add the time and the source / destination IP addresses to your output with -e frame.time -e ip.src -e ip.dst.

tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr

Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com	198.74.56.127
1 Apr 22, 2015 23:20:17.314244000 8.8.8.8 192.168.1.7 wprecon.com	
2 Apr 22, 2015 23:20:18.090110000 8.8.8.8 192.168.1.7 code.jquery.com

One of the great advantages that tshark has over the Wireshark GUI is that its output goes to stdout, giving you many options to manipulate and clean the output.
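Because the -T fields output is plain TAB-separated text, it is straightforward to post-process. The following added example (my own code, not part of the tutorial) parses the five-field DNS output produced by the command above into a name-to-addresses map, tolerating the empty dns.resp.addr that appears when a response carries no A record and the comma-joined values tshark emits when one response carries several addresses. The sample lines are constructed for this example and use the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.

```python
# Field order must match the -e options given to tshark.
FIELDS = ["frame.time", "ip.src", "ip.dst", "dns.qry.name", "dns.resp.addr"]

# Constructed sample of `tshark -f "src port 53" -n -T fields -e frame.time -e ip.src
# -e ip.dst -e dns.qry.name -e dns.resp.addr` output (TAB-separated, one response per line).
SAMPLE = "\n".join([
    "Apr 22, 2015 23:20:16.922103000\t192.0.2.53\t192.0.2.7\twprecon.com\t198.51.100.127",
    "Apr 22, 2015 23:20:17.314244000\t192.0.2.53\t192.0.2.7\twprecon.com\t",
    "Apr 22, 2015 23:20:18.090110000\t192.0.2.53\t192.0.2.7\tcode.jquery.com\t198.51.100.10,198.51.100.11",
    "Apr 22, 2015 23:20:19.000000000\t192.0.2.53\t192.0.2.7\twww.google.com\t",
])


def parse_dns_fields(text, fields=FIELDS):
    """Turn tshark -T fields lines into dicts; dns.resp.addr becomes a list of addresses."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # malformed or truncated line, skip rather than misalign columns
        row = dict(zip(fields, values))
        # tshark joins repeated occurrences of one field with "," (changeable with -E aggregator=),
        # and leaves the column empty when the field is absent from the packet.
        row["dns.resp.addr"] = [a for a in row["dns.resp.addr"].split(",") if a]
        rows.append(row)
    return rows


def resolution_map(rows):
    """Name -> sorted list of every address seen in a response for that name."""
    seen = {}
    for row in rows:
        seen.setdefault(row["dns.qry.name"], set()).update(row["dns.resp.addr"])
    return {name: sorted(addrs) for name, addrs in seen.items()}


def unanswered_names(rows):
    """Names that only appeared in responses without an A record (AAAA-only, CNAME-only or NXDOMAIN)."""
    return sorted(name for name, addrs in resolution_map(rows).items() if not addrs)


def resolvers(rows):
    """Distinct resolver addresses that answered, useful for spotting an unexpected DNS server."""
    return sorted({row["ip.src"] for row in rows})


if __name__ == "__main__":
    rows = parse_dns_fields(SAMPLE)
    for name, addrs in resolution_map(rows).items():
        print(name, addrs)
    print("no A record:", unanswered_names(rows))
    print("resolvers:", resolvers(rows))
```

If you switch to -E separator=, for CSV output, remember that the multi-value join character is also a comma by default, so set -E aggregator= to something else or the address list will be indistinguishable from the column separator.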

Let's get passwords... in an HTTP POST. By not specifying the fields option as above we receive the full TCP stream of the HTTP POST. If we add the filter tcp contains "password" and grep for that word we will get just the actual POST data line.

tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password

csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123

Hopefully this tutorial has given you a quick taste of the useful features that are available to you when using tshark for extracting data from the wire or from pcaps.

WordPress Security Testing with Nmap
https://hackertarget.com/wordpress-security-testing-with-nmap/
Wed, 04 Feb 2015 11:33:47 +0000

With the popularity of WordPress as a publishing platform, security testing is an important part of ensuring the installation is secure. Nmap has a couple of NSE scripts specifically for the testing of WordPress installations. Using those scripts as a base I have developed a couple more that expand the capabilities of using Nmap to audit WordPress installations.

Looking for the code? Jump over to my github repo for my latest updates.

Nmap comes with two Lua NSE scripts for high level testing of WordPress installations: one brute forces the plugins on the system and the other enumerates the WordPress user accounts that exist on the system.

http-wordpress-plugins.nse

In addition to identifying the plugins in use, I have added a feature to the http-wordpress-plugins.nse script that identifies the version of each installed plugin and compares it to the latest version, checked in real time against the WordPress Plugin API.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet 3.0.4 (latest version: 3.0.4)
-- |   wordpress-seo 1.7 (latest version: 1.7.1)
-- |   disqus-comment-system 2.83 (latest version: 2.84)
-- |_  wp-to-twitter 1.2 (latest version: 1.45)
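The useful part of the output above is the comparison of installed against latest version, and the trap in that comparison is that plugin versions are not decimal numbers: "1.45" is newer than "1.7", and "1.10" is newer than "1.9", which a naive string or float comparison gets wrong. The following added example (my own code, not the NSE script from the post) parses the script's result lines, compares versions component by component and reports which plugins are behind. The sample is the post's output with the leading "-- " comment marker removed.

```python
import re

# Constructed sample: the http-wordpress-plugins output quoted in the post.
REPORT = """\
| http-wordpress-plugins:
| search amongst the 500 most popular plugins
|   akismet 3.0.4 (latest version: 3.0.4)
|   wordpress-seo 1.7 (latest version: 1.7.1)
|   disqus-comment-system 2.83 (latest version: 2.84)
|_  wp-to-twitter 1.2 (latest version: 1.45)
"""

# "|   slug installed (latest version: latest)" or the "|_  ..." form on the last line.
LINE_RE = re.compile(
    r"^\|[_ ]\s+(?P<slug>[\w.-]+)\s+(?P<installed>[\d.]+)\s+"
    r"\(latest version:\s*(?P<latest>[\d.]+)\)"
)


def parse_version(version):
    """'3.0.4' -> (3, 0, 4). Tuples compare component-wise, so (1, 9) < (1, 10)."""
    return tuple(int(part) for part in version.strip().split(".") if part.isdigit())


def is_outdated(installed, latest):
    """True when the installed version is strictly older than the latest known version."""
    return parse_version(installed) < parse_version(latest)


def parse_plugin_report(text):
    """Extract (slug, installed, latest) records from the script's output lines."""
    plugins = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            plugins.append(match.groupdict())
    return plugins


def outdated_plugins(text):
    """Slugs of plugins whose installed version lags the latest version."""
    return [p["slug"] for p in parse_plugin_report(text)
            if is_outdated(p["installed"], p["latest"])]


if __name__ == "__main__":
    for plugin in parse_plugin_report(REPORT):
        status = "OUTDATED" if is_outdated(plugin["installed"], plugin["latest"]) else "current"
        print(f'{plugin["slug"]:<25} {plugin["installed"]:<8} latest {plugin["latest"]:<8} {status}')
```

An "outdated" result does not by itself mean a known vulnerability; it means the version is behind and the changelog for the newer releases should be checked for security fixes.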

http-wordpress-themes.nse

Based on the http-wordpress-plugins.nse NSE script I cranked out a variation that tests for WordPress themes. One often overlooked part of keeping a WordPress installation secure is ensuring all themes (even inactive ones) are kept up to date or removed if not in use. Security vulnerabilities are found in WordPress themes, and these are often exploitable even if the theme is inactive.

The wp-theme.lst was created after I crawled the Alexa top 1 million sites and found around 200,000 WordPress sites. By basing the theme list on the themes in use and sorting by popularity, this list is a good representation of the most popular themes in use across the web.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-themes:
-- | search amongst the 500 most popular themes 
-- |   twentyfourteen 1.3
-- |   canvas 5.8.7
-- |_  twentytwelve 1.5

http-wordpress-info.nse

Rather than brute forcing paths, this script is much more polite and will only download the main page of the WordPress site and examine the theme and plugin paths in the HTML. The WordPress version is also identified, using the default readme.html file if the meta generator tag is not present.
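The polite approach relies on the fact that a WordPress front page references its assets under wp-content/themes/<theme>/ and wp-content/plugins/<plugin>/, and usually announces its version in a meta generator tag. The following added example (my own code, not the http-wordpress-info.nse script itself) applies those three checks to an HTML document, falling back to the "Version X.Y.Z" text of readme.html when the generator tag has been removed. The HTML and readme snippets are constructed for this example and use the example.org placeholder domain.

```python
import re

# Constructed front page of a hypothetical WordPress site (not fetched from anywhere).
SAMPLE_HTML = """\
<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<link rel="stylesheet" href="https://blog.example.org/wp-content/themes/twentyfourteen/style.css?ver=4.2.2" />
<script src="https://blog.example.org/wp-content/plugins/akismet/_inc/form.js?ver=3.0.4"></script>
<link rel="stylesheet" href="/wp-content/plugins/wordpress-seo/css/front.css" />
<script src="/wp-content/plugins/akismet/_inc/akismet.js"></script>
</head><body></body></html>
"""

# Constructed fragment in the shape of the stock readme.html heading.
SAMPLE_README = '<h1 id="logo"><a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a><br /> Version 4.2.2</h1>'

THEME_RE = re.compile(r"wp-content/themes/([A-Za-z0-9_.-]+)/")
PLUGIN_RE = re.compile(r"wp-content/plugins/([A-Za-z0-9_.-]+)/")
GENERATOR_RE = re.compile(
    r"""<meta[^>]+name=["']generator["'][^>]+content=["']WordPress\s+([\d.]+)""", re.IGNORECASE
)
README_RE = re.compile(r"Version\s+([\d.]+)")


def extract_wp_info(html, readme_html=None):
    """Return the WordPress version plus the theme and plugin slugs referenced by the page."""
    themes = sorted(set(THEME_RE.findall(html)))
    plugins = sorted(set(PLUGIN_RE.findall(html)))
    version = None
    source = None
    match = GENERATOR_RE.search(html)
    if match:
        version, source = match.group(1), "meta generator"
    elif readme_html:
        match = README_RE.search(readme_html)
        if match:
            version, source = match.group(1), "readme.html"
    return {"version": version, "version_source": source, "themes": themes, "plugins": plugins}


if __name__ == "__main__":
    print(extract_wp_info(SAMPLE_HTML))
    stripped = SAMPLE_HTML.replace('<meta name="generator" content="WordPress 4.2.2" />', "")
    print(extract_wp_info(stripped, SAMPLE_README))
```

Only assets loaded by the front page are visible this way, so the plugin list is a lower bound; plugins that enqueue nothing on the front page will not appear, which is exactly the gap the brute force scripts above fill at the cost of noise.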

http-wordpress-enum.nse

The http-wordpress-enum.nse script comes with the default Nmap installation and allows you to attempt to identify users of the WordPress installation. Once you have user names it is possible to brute force the passwords using the methods I detailed in the attacking WordPress article.

28 Days After Drupal Exploit
https://hackertarget.com/28-days-after-drupal-exploit/
Thu, 13 Nov 2014 13:13:12 +0000

Last month a critical Drupal security exploit was released. Critical vulnerabilities in the core of content management systems are not as common as they once were, as can be seen in the amount of media coverage that this one generated.

Using a custom Nmap NSE script I surveyed the top 10 thousand sites that are powered by Drupal. I expected to find a number of sites that had not been patched, but the actual number found (57.5%) still surprised me. After all, this is not a random selection of Drupal sites; these are typically high traffic sites that I would expect to have some level of ongoing maintenance. The survey was conducted 28 days after the public release on the 15th of October 2014.

Understanding the Results

The easiest way to determine the exact version of a Drupal powered site is to examine the CHANGELOG.txt file in the root of the site. This file can be removed to make fingerprinting the exact version of the site more difficult. An Nmap NSE script was customised for this purpose and used this method to determine the version.

5630 out of the full 10'000 had the CHANGELOG.txt file in place, enabling exact version detection. Of these I separated Drupal 6 and Drupal 7 installs to determine the percentage of Drupal 7 installs that had been patched.

The bar graph pictured in the graphic shows the totals found for each of the categories; these are the total sites within the 5630 that were successfully fingerprinted.

Updated to show the distribution of versions in use

This chart shows a breakdown of the versions found. Staying focused on Drupal 7, it shows that a range of Drupal 7 releases are in use. Some of these may have been patched manually; however, I would be confident in predicting that the majority of these older versions have not had security patches applied.

A number of responses in the comments have indicated that 7.31 installs may have been patched manually, fixing the vulnerability without updating the CHANGELOG.txt. Looking closer at the results, if we remove both 7.32 and 7.31 from the Drupal 7 installs, we still find 49% of Drupal 7 installations in the top 10'000 sites to be potentially (likely?) vulnerable.
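The survey method described above is a small pipeline: read the first line of CHANGELOG.txt, which Drupal ships in the form "Drupal X.Y, YYYY-MM-DD", classify the release against the version carrying the fix, and aggregate. The following added example (my own code, not the NSE script used for the survey) does exactly that over a constructed set of changelog headers, treating 7.32 as the patched release the way the post does, leaving Drupal 6 unassessed because the post only evaluates Drupal 7, and counting sites whose CHANGELOG.txt is missing as unknown. Site names and most dates are illustrative.

```python
import re
from collections import Counter

# First line of a Drupal CHANGELOG.txt: "Drupal <major>.<minor>, <date>".
HEADER_RE = re.compile(r"^Drupal (\d+)\.(\d+)\b")

# The post treats 7.32 (released 2014-10-15) as the release that carries the fix.
PATCHED_FROM = {7: 32}

# Constructed survey input: site -> CHANGELOG.txt content, or None when the file was not served.
SAMPLE_CHANGELOGS = {
    "site-a.example": "Drupal 7.32, 2014-10-15\n-----------------------\n- Fixed security issues.\n",
    "site-b.example": "Drupal 7.31, 2014-08-06\n-----------------------\n- Fixed security issues.\n",
    "site-c.example": "Drupal 7.28, 2014-05-08\n-----------------------\n- Fixed bugs.\n",
    "site-d.example": "Drupal 6.33, 2014-08-06\n-----------------------\n- Fixed security issues.\n",
    "site-e.example": None,  # CHANGELOG.txt removed or 404: exact version cannot be fingerprinted
}


def drupal_version(changelog):
    """Parse the (major, minor) release from CHANGELOG.txt text; None if absent or unrecognised."""
    if not changelog:
        return None
    match = HEADER_RE.match(changelog.lstrip())
    return (int(match.group(1)), int(match.group(2))) if match else None


def classify(version):
    """patched / unpatched for branches with a known fix release, not-assessed for other branches."""
    if version is None:
        return "unknown"
    major, minor = version
    if major not in PATCHED_FROM:
        return "not-assessed"
    return "patched" if minor >= PATCHED_FROM[major] else "unpatched"


def survey(changelogs):
    """Count each category and give the unpatched share of the assessed (Drupal 7) installs."""
    counts = Counter(classify(drupal_version(text)) for text in changelogs.values())
    assessed = counts["patched"] + counts["unpatched"]
    share = round(100 * counts["unpatched"] / assessed, 1) if assessed else 0.0
    return {"counts": dict(counts), "unpatched_pct_of_drupal7": share}


if __name__ == "__main__":
    for site, text in SAMPLE_CHANGELOGS.items():
        print(f"{site:<16} {drupal_version(text)} -> {classify(drupal_version(text))}")
    print(survey(SAMPLE_CHANGELOGS))
```

As the comments on the post point out, a 7.31 header can hide a manually applied patch, so "unpatched" here means "no evidence of the fix", which is why the post also reports the figure with 7.31 excluded.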

Vulnerable Drupal Installations in the Top 10K

The need for better management

The key point of this experiment is that systems that are not regularly maintained and updated when patches become available will be a liability for your organization. Ensure you have a process in place for updating all your software, including web applications and add-ons. If you do not have the expertise or time to patch your web applications, consider a managed hosting provider that does the job for you.

Today a spacecraft landed on a comet; is patching really that hard?

7 Nmap NSE Scripts for Recon
https://hackertarget.com/7-nmap-nse-scripts-recon/
Wed, 24 Sep 2014 14:36:09 +0000

These Nmap NSE Scripts are all included in standard installations of Nmap. Use them to gather additional information on the targets you are scanning. The information can both add context to the hosts you are scanning and widen the attack surface of the systems you are assessing.

7 Nmap NSE Scripts for Recon

As with any security testing, make sure you fully understand what the script will do and how it might affect a target system. Only test systems you have permission to scan!

Information Gathering

1. DNS Brute Force

Find sub-domains with this script. Detecting sub-domains associated with an organization's domain can reveal new targets when performing a security assessment. The discovered hosts may be virtual web hosts on a single web server or may be distinct hosts on IP addresses spread across the world in different data centres.

The dns-brute.nse script will find valid DNS (A) records by trying a list of common sub-domains and finding those that successfully resolve.

nmap -p 80 --script dns-brute.nse vulnweb.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:58 EST
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.34s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.vulnweb.com - 176.28.50.165
|     firewall.vulnweb.com - 176.28.50.165
|_    dev.vulnweb.com - 176.28.50.165

Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds

2. Find Hosts on IP

Another tactic for expanding an attack surface is to find the virtual hosts on an IP address that you are attempting to compromise (or assess). This can be done using the hostmap-* scripts in the NSE collection. hostmap-bfk.nse seems to work reasonably well, providing a good starting point for your recon (IP-to-host services do vary in accuracy).

nmap -p 80 --script hostmap-bfk.nse nmap.org

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:47 EST
Nmap scan report for nmap.org (173.255.243.189)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap-bfk: 
|   hosts: 
|     www.nmap.org
|     173.255.243.189
|     seclists.org
|     sectools.org
|     svn.nmap.org
|     nmap.org
|     hb.insecure.org
|     insecure.org
|     images.insecure.org
|     189.243.255.173.in-addr.arpa
|_    www.insecure.org

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds

Try our free IP to host search tool, which uses the scans.io DNS data to reverse lookup an IP address to host names. Another option is bing.com, which can search with ip:x.x.x.x; however, recently the accuracy of this search seems hit and miss.

3. Traceroute Geolocation

Perform a traceroute to your target IP address and have geolocation data plotted for each hop along the way. This makes correlating the reverse DNS names of routers in your path with locations much easier.

sudo nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 21:03 EST
Nmap scan report for hackertarget.com (178.79.163.23)
Host is up (0.31s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| traceroute-geolocation: 
|   HOP  RTT     ADDRESS                                                GEOLOCATION
|   1    2.09    192.168.1.1                                            - ,- 
|   2    25.55   core-xxxxx.grapevine.net.au (203.xxx.32.20)            -27,133 Australia (Unknown)
|   3    31.61   core-xxxxx.grapevine.net.au (203.xxx.32.25)            -27,133 Australia (Unknown)
|   4    25.02   xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)     -27,133 Australia (Unknown)
|   5    23.48   xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)            -27,133 Australia (Unknown)
|   6    43.45   ae2.br1.syd4.on.ii.net (150.101.33.22)                 -27,133 Australia (Unknown)
|   7    175.24  te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)           -27,133 Australia (Unknown)
|   8    181.29  TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)      38,-97 United States (Unknown)
|   9    310.46  telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)  51,0 United Kingdom (London)
|   10   309.63  212.111.33.238                                         51,0 United Kingdom (Unknown)
|_  11   338.95  hackertarget.com (178.79.163.23)                       51,0 United Kingdom (Unknown)

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   2.09 ms   192.168.1.1
2   25.55 ms  core-xxxxx.grapevine.net.au (203.xxx.32.20)
3   31.61 ms  core-xxxxx.grapevine.net.au (203.xxx.32.25)
4   25.02 ms  xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)
5   23.48 ms  xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)
6   43.45 ms  ae2.br1.syd4.on.ii.net (150.101.33.22)
7   175.24 ms te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)
8   181.29 ms TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)
9   310.46 ms telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)
10  309.63 ms 212.111.33.238
11  338.95 ms hackertarget.com (178.79.163.23)

HTTP Recon

Nmap comes with a wide range of NSE scripts for testing web servers and web applications. An advantage of using the NSE scripts for your HTTP reconnaissance is that you are able to test aspects of a web server against large subnets. This can quickly provide a picture of the types of servers and applications in use within the subnet.

4. http-enum.nse

One of the more aggressive tests, this script effectively brute forces web server paths in order to discover the web applications in use. Attempts are made to find valid paths on the web server that match a list of known paths for common web applications. The standard test includes over 2000 paths, meaning that the web server log will have over 2000 HTTP 404 not found entries: not a stealthy testing option! This is very similar to the famous Nikto web server testing tool (which performs 6000+ tests).

nmap --script http-enum 192.168.10.55

Nmap scan report for ubuntu-test (192.168.10.55)
Host is up (0.024s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
| http-enum: 
|   /robots.txt: Robots file
|   /readme.html: WordPress version 3.9.2
|   /css/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Additional options:

Specify a base path; for example you could specify a base path of /pub/.

nmap --script http-enum --script-args http-enum.basepath='pub/' 192.168.10.55

Nmap scan report for xbmc (192.168.1.5)
Host is up (0.0012s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /pub/: Root directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /pub/images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /pub/js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds

5. HTTP Title

It is not difficult to find the title of a web page from a web server; this script just makes it easier to get those titles in one set of results from a range of IP addresses.

Having the title of the page included in the Nmap scan results can provide context to a host, which may identify the primary purpose of the web server and whether that server is a potential attack target.

nmap --script http-title -sV -p 80 192.168.1.0/24

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 20:47 EST
Nmap scan report for 192.168.1.1
Host is up (0.0018s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Linksys wireless-G WAP http config (Name RT-N16)
|_http-title: 401 Unauthorized
Service Info: Device: WAP

Nmap scan report for xbmc (192.168.1.115)
Host is up (0.0022s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).

Nmap scan report for 192.168.1.118
Host is up (0.0035s latency).
PORT   STATE SERVICE VERSION
80/tcp open  upnp    Epson WorkForce 630 printer UPnP (UPnP 1.0; Epson UPnP SDK 1.0)
|_http-title: WorkForce 630
Service Info: Device: printer; CPE: cpe:/h:epson:workforce_630

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (8 hosts up) scanned in 10.17 seconds

Microsoft Windows Network Recon

Find operating systems, users, processes and more from systems within your local Windows network with these information gathering scripts. Generally the smb-* scripts will return a lot more information if you have valid credentials. However, even with Guest or Anonymous access you will usually be able to at least expand your knowledge of the network.

6. smb-os-discovery.nse

Determine the operating system, computer name, NetBIOS name and domain with the smb-os-discovery.nse script. An example use case is finding all the Windows XP hosts on a large network so they can be unplugged and thrown out (Windows XP is no longer supported by Microsoft). The key advantage of using Nmap for something like this rather than a Microsoft native tool is that it will find all systems connected to the network, not just those joined to a domain.

nmap -p 445 --script smb-os-discovery 192.168.1.0/24

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:32 EST

Nmap scan report for test1 (192.168.1.115)
Host is up (0.0035s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: ubuntu003
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: ubuntu003
|_  System time: 2014-09-24T23:34:41+10:00

Nmap scan report for 192.168.1.101
Host is up (0.018s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: test-xp3
|   NetBIOS computer name: TEST-XP3
|   Workgroup: WORKGROUP
|_  System time: 2014-09-24T23:33:01+01:00
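Finding the Windows XP hosts across a large network means reading the smb-os-discovery results out of the Nmap XML rather than eyeballing the console output. The script below is an added example, not code from the original post: it parses the hostscript results produced by a run such as `nmap -p 445 --script smb-os-discovery -oX smb.xml 192.168.1.0/24` and lists the hosts whose reported OS is end-of-life. The embedded XML is a constructed sample shaped like that output (the two hosts above), and the EOL_MARKERS list is an assumption you should extend to match your own policy.

```python
#!/usr/bin/env python3
"""List end-of-life Windows hosts from Nmap smb-os-discovery XML output.

Added example, not from the original post. Usage:
    python3 smb_eol.py smb.xml        (falls back to the constructed sample)
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one Samba box and one Windows XP workstation, shaped
# like the XML Nmap writes for the two hosts shown in the article.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.115" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="test1" type="PTR"/></hostnames>
    <hostscript>
      <script id="smb-os-discovery" output="...">
        <elem key="os">Unix (Samba 3.6.3)</elem>
        <elem key="fqdn">ubuntu003</elem>
        <elem key="date">2014-09-24T23:34:41+10:00</elem>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.101" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="...">
        <elem key="os">Windows XP (Windows 2000 LAN Manager)</elem>
        <elem key="cpe">cpe:/o:microsoft:windows_xp::-</elem>
        <elem key="fqdn">test-xp3</elem>
        <elem key="workgroup">WORKGROUP</elem>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

# Assumption: substrings naming operating systems Microsoft no longer patches.
EOL_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")


def ipv4_of(host):
    """Return the IPv4 address of a <host>; any <address addrtype="mac"> is skipped."""
    for addr in host.findall("address"):
        if addr.get("addrtype") == "ipv4":
            return addr.get("addr")
    return None


def parse_smb_os(xml_text):
    """Return one {ip, os, fqdn, cpe} dict per host that has smb-os-discovery output."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        script = host.find("hostscript/script[@id='smb-os-discovery']")
        if script is None:
            continue
        fields = {e.get("key"): (e.text or "").strip() for e in script.findall("elem")}
        results.append({
            "ip": ipv4_of(host),
            "os": fields.get("os", ""),
            "fqdn": fields.get("fqdn", ""),
            "cpe": fields.get("cpe", ""),
        })
    return results


def eol_hosts(results):
    """Keep only the hosts whose reported OS matches one of the EOL markers."""
    return [r for r in results if any(m in r["os"] for m in EOL_MARKERS)]


def main(argv):
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_XML
    for r in eol_hosts(parse_smb_os(xml_text)):
        print(f"{r['ip']}\t{r['fqdn']}\t{r['os']}")


if __name__ == "__main__":
    main(sys.argv)
```

Matching on the `os` element rather than the `cpe` element is deliberate: Samba and older Windows releases do not always return a CPE, but smb-os-discovery populates `os` whenever it gets an answer at all.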

7. smb-brute.nse

Another example from the smb series of NSE scripts is smb-brute.nse, which will attempt to brute force local accounts against the SMB service.

While I would not classify brute forcing accounts as a recon function of the assessment process, this script can lead to a large amount of recon if we do get valid credentials, as there are other smb-* scripts that can be leveraged to retrieve all local user accounts (smb-enum-users.nse), groups (smb-enum-groups.nse) and processes (smb-enum-processes.nse), and even execute processes remotely with the smb-psexec.nse script. Be aware that a brute force run against a domain-joined host is very likely to trip the account lockout policy, so check that policy (and get agreement from the system owners) before running it.

nmap -sV -p 445 --script smb-brute 192.168.1.101

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:47 EST
Nmap scan report for 192.168.1.101
Host is up (0.060s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-brute: 
|_  No accounts found

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.04 seconds

As can be seen in the example above we have not found any accounts. So let's take a look at the activity on the wire while the smb-brute.nse script was running.

Nmap NSE SMB Brute Wireshark Capture

It is pretty clear from this Wireshark capture that sessions were being established and a large number of credentials were being tested. This is not a quiet script.

Digging deeper and finding Gold with Nmap NSE scripts

That was a quick skim of the capabilities of a sample of the Nmap NSE scripts; my suggestion is to look a bit deeper. There are literally hundreds of scripts now available and included in a regular Nmap installation. Each of the .nse files comes with pretty good documentation right there in the script, and more information can be found on the NSE scripts documentation portal.

Find the NSE scripts location for your Nmap installation (locate nse | grep scripts) and take a look through the included scripts. There are many surprising finds; not only for reconnaissance but also scripts for discovery of exploitable services.

HackerTarget.com offers a hosted version of Nmap for port scanning your Internet perimeter. Simply Convenient.

Parse Nmap XML to get SSL Certificate details https://hackertarget.com/parse-nmap-xml-ssl-certificate/ Sat, 24 May 2014 03:33:36 +0000

The post Parse Nmap XML to get SSL Certificate details appeared first on Online Vulnerability Scanners and Port Scans.

]]>
Extract SSL certificate details from a range of IP addresses using Nmap XML output and a simple Python script. The Python script parses the Nmap XML output from the ssl-cert.nse script and produces CSV output with the target SSL certificate details.

When compiling Nmap you will need to have the libssl-dev package installed, as Nmap NSE scripts such as ssl-cert will not work without OpenSSL support. Once it is installed, run ./configure, make, make install to install the latest version of Nmap.

apt-get install libssl-dev

Once the package is installed go ahead and install Nmap from source. Extract the source into a folder, configure and install.

For a quick test of the SSL cert parse script I grabbed the top 25 computing sites from Alexa. Start Nmap with the ssl-cert NSE script. The -iL option loads the list of 25 target host names, with -oX producing the Nmap XML results.

nmap -iL top25-tech.txt -sV -p 443 -oX nmap-results-top25.xml --script=ssl-cert

Once the scan has completed the Python script below can be used to parse the Nmap XML and produce the CSV output. The results can then be loaded into a spreadsheet, or parsed further depending on your needs.

testuser@ubuntu:~$ python nmap-ssl-certs.py nmap-results-top25.xml
 
150.101.195.240,www.google.com,Google Inc,US,2014-05-07,2014-08-05
31.13.70.17,*.facebook.com,Facebook, Inc.,US,2014-02-28,2015-04-13
150.101.195.212,*.google.com,Google Inc,US,2014-05-07,2014-08-05
74.125.237.149,mail.google.com,Google Inc,US,2014-05-07,2014-08-05
98.139.183.24,www.yahoo.com,Yahoo Inc.,US,2014-04-09,2015-04-09
198.35.26.96,*.wikipedia.org,Wikimedia Foundation, Inc.,US,2012-10-21,2016-01-20
199.59.148.82,twitter.com,Twitter, Inc.,US,2014-04-08,2016-05-09
216.52.242.80,www.linkedin.com,LinkedIn Corporation,US,2013-12-19,2016-12-30
98.136.189.41,*.login.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
65.55.143.19,mail.live.com,Microsoft Corporation,US,2013-05-21,2015-05-22
150.101.195.216,*.google.com,Google Inc,US,2014-05-07,2014-08-05
150.101.195.227,*.google.com,Google Inc,US,2014-05-07,2014-08-05
119.160.243.163,search.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
192.0.82.252,wordpress.com,Automattic, Inc.,US,2014-04-16,2016-04-16
204.79.197.200,*.bing.com,Microsoft Corporation,US,2014-05-20,2016-05-19
54.225.139.43,*.pinterest.com,Pinterest Inc,US,2014-04-09,2017-04-13
66.235.120.127,,,,,
150.101.195.249,*.google.com,Google Inc,US,2014-05-07,2014-08-05
65.55.206.228,,,,,
66.211.169.66,paypal.com,PayPal, Inc.,US,2013-01-09,2015-01-11
134.170.188.221,microsoft.com,,,2013-06-20,2015-06-20
17.172.224.47,apple.com,Apple Inc.,US,2012-11-13,2014-11-03
23.23.110.81,*.imgur.com,Imgur, Inc.,US,2013-06-25,2016-08-31
198.252.206.140,*.stackexchange.com,Stack Exchange, Inc.,US,2013-07-02,2016-07-06
68.71.220.3,,,,,

Here is the Python script. The script is simple but it works, and it should be easy enough to read to allow modification for parsing the results of other NSE scripts from the Nmap XML output. There are many ways to parse XML data; the xml.dom method used here seems to be one of the more straightforward for the Nmap XML. Another option could be ElementTree, or even xmlstarlet in bash as seen on this stack.exchange post. Note that some organization names contain commas ("Facebook, Inc." above), so the fields need to be quoted for the output to load cleanly as CSV.

#!/usr/bin/env python3
import csv
import sys
import xml.dom.minidom

# Usage: python3 nmap-ssl-certs.py nmap-results.xml
# One CSV row per host: ip,commonName,organizationName,countryName,notBefore,notAfter
if len(sys.argv) < 2:
    sys.exit("*** You need to supply an Nmap XML file ***")
scandata = sys.argv[1]


def text_of(elem):
    """Text content of an <elem>, or '' when it is empty."""
    return elem.childNodes[0].nodeValue if elem.childNodes else ''


doc = xml.dom.minidom.parse(scandata)
writer = csv.writer(sys.stdout)          # quotes fields such as "Facebook, Inc." correctly
for host in doc.getElementsByTagName("host"):
    ip = commonName = organizationName = countryName = notBefore = notAfter = ''
    for address in host.getElementsByTagName("address"):
        if address.getAttribute("addrtype") == 'ipv4':       # skip the mac address entry, if any
            ip = address.getAttribute("addr")
    for script in host.getElementsByTagName("script"):
        if script.getAttribute("id") != 'ssl-cert':          # ignore other NSE scripts in the same XML
            continue
        for table in script.getElementsByTagName("table"):
            key = table.getAttribute("key")
            if key == 'subject':                 # the issuer table carries the same keys; only the subject is wanted
                for elem in table.getElementsByTagName("elem"):
                    if elem.getAttribute("key") == 'commonName':
                        commonName = text_of(elem)
                    elif elem.getAttribute("key") == 'organizationName':
                        organizationName = text_of(elem)
                    elif elem.getAttribute("key") == 'countryName':
                        countryName = text_of(elem)
            elif key == 'validity':
                for elem in table.getElementsByTagName("elem"):
                    if elem.getAttribute("key") == 'notBefore':
                        notBefore = text_of(elem).split('T')[0]          # keep the date, drop the time
                    elif elem.getAttribute("key") == 'notAfter':
                        notAfter = text_of(elem).split('T')[0]
    writer.writerow([ip, commonName, organizationName, countryName, notBefore, notAfter])

Wait. There's more. Additional Nmap resources and tips are just a click away or check out the hosted vulnerability scanners

List all IPs in Subnet with Nmap https://hackertarget.com/list-all-ips-in-subnet-with-nmap/ Sat, 17 May 2014 14:41:46 +0000

The post List all IPs in Subnet with Nmap appeared first on Online Vulnerability Scanners and Port Scans.

]]>
Nmap has a handy feature that allows you to list all IP addresses in a subnet. The option -sL will list all IPs that are the targets on an Nmap command line.

Multiple subnets can be listed as targets for Nmap, so you can for example give 3 subnets as targets and, using the -sL parameter, get a list of IPs for all of them.

Another relevant parameter is whether you want a reverse DNS lookup performed on each of the IP addresses being listed. Use the -n option to force no DNS lookups.

In this example we have listed the IP addresses in the target subnet with no reverse DNS lookups.

More Nmap Tips to get the most out of this powerful tool.

testsystem:~$ nmap -sL -n 192.168.1.0/30

Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally a second target has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as 192.168.1.1-5; separate multiple targets with spaces.

testsystem:~$ nmap -sL -n 192.168.2.1/32 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5 -d ' '
192.168.2.1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3

Want to list all 4 billion IPv4 addresses? Use the very same command with 0.0.0.0/0 as the target.

testsystem:~$ nmap -sL -n 0.0.0.0/0 | grep 'Nmap scan report for' | cut -f 5 -d ' '
0.0.0.0
0.0.0.1
0.0.0.2
0.0.0.3
0.0.0.4
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******

The commands in the above examples send no packets to the target systems; Nmap is simply listing the IP addresses in the subnet. If however we do not use -n, Nmap will attempt to resolve each IP address, which takes longer and sends reverse DNS queries to your configured resolver.

Further targeting parameters that may be of use:

  • When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example you could scan a subnet and use the --exclude parameter to leave out an IP within that range (--excludefile takes the same list from a file).
  • Use a DNS server other than the system default for the reverse lookups with --dns-servers.
  • Select targets from a file using the -iL option. The file can contain a list of IP addresses, subnets and hostnames, one per line, to feed into Nmap. Combined with -sL this produces a full list of all IP addresses covered by the file.
Our hosted version of Nmap allows you to scan for open ports on any Internet facing IP address. Let us do the management for you.

500K HTTP Headers https://hackertarget.com/500k-http-headers/ Sun, 11 May 2014 02:52:38 +0000

The post 500K HTTP Headers appeared first on Online Vulnerability Scanners and Port Scans.

]]>
Recently we crawled the Top 500K sites (as ranked by Alexa). Following requests from readers we are making available the HTTP Headers for research purposes.

Download Headers (75MB)

The publication of the statistics of WordPress usage is an example of the research that can be conducted. It is possible to determine Web Applications, Web Servers, Server side scripting, Load balancers and much more.

HTTP Headers that could be examined:

Security Headers

  • HttpOnly flag on Set-Cookie
  • X-Frame-Options
  • X-XSS-Protection
  • Content-Security-Policy (and the older X-Content-Security-Policy prefix)

Server Headers

  • Server:
  • X-Powered-By:

Recommended Tools for Analysis

A number of basic text manipulation tools will make it easier to search through the data. Start with a *nix based system; grep, cut, sed and some simple bash scripting will make your life easier. The archive contains 5 folders with 100K headers in each. The headers will have to be correlated with the site list file to determine the site host name.

When counting sites with grep be sure to use -m 1; this ensures you do not count a site twice when its capture holds more than one set of headers (an HTTP 302 redirect followed to the final page).
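The redirect problem is easy to get wrong with grep alone, so here is the same analysis as an added example in Python, not code from the original post or part of the published dataset. It assumes one text file per site holding the raw response headers, with a redirect chain stored as consecutive blank-line-separated header blocks; it counts each site once, takes the Server product from the final response, and records which security headers the final response carries. The header samples are constructed, not taken from the 500K dataset.

```python
#!/usr/bin/env python3
"""Count Server products and security headers, one hit per site.

Added example, not from the original post. Assumes one raw header capture
per site; a capture may hold several response blocks when redirects were
followed, and only the final block is counted.
"""
from collections import Counter

# Constructed samples: three "sites", one of which answered with a 302 first.
SAMPLES = {
    "example-a": (
        "HTTP/1.1 302 Found\r\n"
        "Server: Apache\r\n"
        "Location: https://example-a/\r\n"
        "\r\n"
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "Set-Cookie: sid=abc; Path=/; HttpOnly\r\n"
        "\r\n"
    ),
    "example-b": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "X-Powered-By: PHP/5.3.3\r\n"
        "Set-Cookie: sid=def; Path=/\r\n"
        "\r\n"
    ),
    "example-c": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx/1.4.6 (Ubuntu)\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "\r\n"
    ),
}

SECURITY_HEADERS = ("x-frame-options", "x-xss-protection",
                    "content-security-policy", "x-content-security-policy")


def split_responses(raw):
    """Split a capture into response blocks; each block is a list of
    (lower-cased name, value) pairs so repeated headers such as Set-Cookie survive."""
    blocks = []
    for chunk in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = chunk.split("\n")
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        headers = []
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers.append((name.strip().lower(), value.strip()))
        blocks.append(headers)
    return blocks


def server_product(raw):
    """Server product of the final response, version and OS comment dropped,
    so 'nginx/1.4.6 (Ubuntu)' and 'nginx' count as one product."""
    blocks = split_responses(raw)
    if not blocks:
        return "unknown"
    for name, value in blocks[-1]:
        if name == "server":
            return value.split("/")[0].split(" ")[0] or "unknown"
    return "unknown"


def security_findings(raw):
    """Security headers present on the final response, plus 'httponly' when
    every Set-Cookie on that response carries the HttpOnly flag."""
    blocks = split_responses(raw)
    if not blocks:
        return set()
    final = blocks[-1]
    found = {name for name, _ in final if name in SECURITY_HEADERS}
    cookies = [v for n, v in final if n == "set-cookie"]
    if cookies and all("httponly" in c.lower() for c in cookies):
        found.add("httponly")
    return found


def tally(sites):
    """Count each site exactly once: one Server product and at most one hit
    per security header per site, regardless of how many redirects it sent."""
    servers, security = Counter(), Counter()
    for raw in sites.values():
        servers[server_product(raw)] += 1
        security.update(security_findings(raw))
    return servers, security


if __name__ == "__main__":
    servers, security = tally(SAMPLES)
    print("servers:", dict(servers))
    print("security headers:", dict(security))
```

Counting the final response rather than the first matters for both metrics: the 302 from example-a carries no security headers at all, and a naive per-line count would credit the same site with two Server headers.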

Our hosted Open Source Security Tools allow you to scan for vulnerabilities on any Internet facing IP address. Nothing to install.

WordPress Statistics for the Top 500K Sites https://hackertarget.com/wordpress-statistics-top-500k/ Sat, 10 May 2014 14:34:39 +0000

The post WordPress Statistics for the Top 500K Sites appeared first on Online Vulnerability Scanners and Port Scans.

]]>
Results in the charts below are derived from examining the Alexa top 500K sites. WordPress sites were identified through discovery of /wp-content/plugins/ and/or /wp-content/themes/ in the HTML source of the page.

104684 / 500K = 20.9% of sites were found to be running WordPress

Other studies have put the total share of WordPress sites in the 20% - 25% range. The 20.9% observed here is significant because these sites are not personal blogs; they are some of the highest traffic sites on the Internet.

Plugin count from the top WordPress sites

A number of popular plugins such as Yoast WordPress SEO, W3 Total Cache and WP Super Cache are not visible in the HTML source through the /wp-content/plugins/ folder. They are however usually identifiable from HTML comments. Due to the popularity of these plugins they have been searched for separately in the HTML source to determine the plugin count.

Since Google introduced speed based ranking advantages, site administrators more often use caching plugins and minification of CSS and JavaScript. If minified code is being used, many plugins will not be discovered in the plain HTML source of the page.

Top 20 Plugins (calculated from WordPress HTML source, /wp-content/plugins/$name/)

Plugin Name                 Count
contact-form-7              24242
Yoast WordPress SEO         15208
jetpack                     14755
WP SuperCache               13415
W3 Total Cache              11721
wp-pagenavi                  9237
wp-polls                     5004
nextgen-gallery              4826
wordpress-popular-posts      4202
google-analyticator          3616
revslider                    3136
digg-digg                    2617
woocommerce                  2324
addthis                      2280
wp-postratings               2143
commentluv                   2137
social-media-widget          2060
vipers-video-quicktags       1874
mailchimp                    1810
simple-social-icons          1727

Theme count from the Top WordPress sites

The theme counts are based purely on the presence of the theme folder name in the HTML source as listed in /wp-content/themes/. Popular themes such as Thesis have multiple listings based on the version.

WordPress.com offers a variety of hosting options, including the premier WordPress hosting tier VIP; from theme paths there appear to be 218 sites registered for VIP in the top 500K sites in the world. I have no idea if this is accurate, it's just an observation from the results.

Top 20 WordPress Themes (calculated from WordPress HTML source, /wp-content/themes/$name/)

Theme Name            Count
genesis                2747
pub                    1293
twentytwelve           1159
sahifa                 1038
twentyeleven            858
canvas                  705
twentyfourteen          573
OptimizePress           566
jarida                  510
thesis_185              474
Avada                   453
twentythirteen          428
optimizePressTheme      416
lifestyle               370
twentyten               368
responsive              350
news                    321
suffusion               303
enfold                  296
thesis_18               290

Hosting providers of the Top WordPress sites

Update: these results have been changed from ASN owner to an organization lookup using the Maxmind database, which has better granularity for hosting companies.

We can examine who is hosting the WordPress sites by resolving the IP address and checking it against the hosting provider / organization in the Maxmind database.

It is difficult to get 100% accuracy with these results; there are addresses that come back as "IP Address Not Found" from Maxmind (about 4%), and some hosting companies may be using IP blocks associated with other companies or ASN owners.

Observant readers will see that WP Engine is not listed; however we do have a count for them from the web server usage count, a solid 1831 sites. Checking the IP of wpengine.com against Maxmind shows that address resolved to Softlayer.

For those wondering about Digital Ocean, the high profile new kid on the block for VPS hosting, we found 177 sites for DO.

Top 20 Hosting / Network Providers (listing derived from IP and Maxmind)

Hosting Provider                     Count
Unified Layer                         6958
CloudFlare                            5140
GoDaddy.com,LLC                       3892
OVH SAS                               3170
Hetzner Online AG                     2531
Amazon.com                            2334
Rackspace Hosting                     2131
Media Temple                          1821
1&1 Internet                          1192
Softlayer                             1110
New Dream Network, LLC                 969
Server Block                           894
SAKURA Internet Inc.                   831
Leaseweb                               781
Net Access Corporation                 650
SingleHop                              634
Linode                                 564
Liquid Web                             523
The Endurance International Group      514
Hosting Services                       450
SourceDNS                              435

How are the updates going?

Keeping WordPress updated is an important security consideration stated in every securing WordPress guide. The versions gathered here are from the meta generator tag; not all of the sites we found have the tag present, as it is sometimes removed to hide the version. We found 69376 sites with the meta generator tag in place, that is about 66% of the 104684 WordPress sites.

"you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates."
WordPress.org Security Advice

From the table below it seems not everyone reads the WordPress hardening advice.

WordPress Major Versions (calculated from WordPress HTML source, meta generator tags)

Version           Count
WordPress 3.8     25658
WordPress 3.9     19951
WordPress 3.5      6068
WordPress 3.6      4206
WordPress 3.7      3737
WordPress 2.5      2664
WordPress 3.4      2227
WordPress 3.3      1478
WordPress 3.2       646
WordPress 3.0       617
WordPress 3.1       534
WordPress 2.9       261
WordPress 2.7       248
WordPress 2.8       211
WordPress 1.1       174
WordPress 201        89
WordPress 2.6        65
WordPress 4.0        45
WordPress 101        37
WordPress 3          36
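The three fingerprints used in this survey (plugin slugs under /wp-content/plugins/, theme slugs under /wp-content/themes/, and the version from the meta generator tag) come together in the added example below. This is illustration code written for this page, not the script the survey was run with. The HTML is a constructed sample; the COMMENT_MARKERS strings are taken from the HTML comments those three plugins emit and are an assumption to verify against the plugin versions you meet, and the generator regex assumes the name attribute comes before content, which is how WordPress writes it.

```python
#!/usr/bin/env python3
"""Fingerprint a WordPress site from its HTML source.

Added example, not the survey's own script. Extracts plugin slugs, the theme
slug and the WordPress version the same way the article describes.
"""
import re

# Constructed sample page: one theme, two path-visible plugins (one loaded
# twice) and one plugin that is only visible through its HTML comment.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.9.2" />
<link rel="stylesheet" href="https://example.invalid/wp-content/themes/twentytwelve/style.css?ver=3.9.2" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.9" />
<script src="/wp-content/plugins/jetpack/modules/wpgroupho.js"></script>
<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js"></script>
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.5.4 - https://yoast.com/wordpress/plugins/seo/ -->
</head><body></body></html>
"""

PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/")
THEME_RE = re.compile(r"/wp-content/themes/([A-Za-z0-9_.-]+)/")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([0-9][0-9.]*)?["\']',
    re.IGNORECASE)

# Assumption: comment text left in the page by plugins that load no assets
# from /wp-content/plugins/. Verify against the plugin versions you encounter.
COMMENT_MARKERS = {
    "Yoast WordPress SEO": "Yoast WordPress SEO plugin",
    "WP SuperCache": "Cached page generated by WP-Super-Cache",
    "W3 Total Cache": "Performance optimized by W3 Total Cache",
}


def is_wordpress(html):
    """The survey's test: either wp-content path present in the source."""
    return "/wp-content/plugins/" in html or "/wp-content/themes/" in html


def plugins(html):
    """Sorted, de-duplicated plugin names from paths plus comment markers."""
    found = set(PLUGIN_RE.findall(html))
    found.update(name for name, marker in COMMENT_MARKERS.items() if marker in html)
    return sorted(found)


def theme(html):
    """First theme slug referenced, or None."""
    m = THEME_RE.search(html)
    return m.group(1) if m else None


def version(html):
    """Version from the generator tag; 'unknown' when the tag names no number."""
    m = GENERATOR_RE.search(html)
    if not m:
        return None
    return m.group(1) or "unknown"


def major_version(v):
    """Collapse '3.9.2' to '3.9', the grouping used in the version table."""
    if v is None or v == "unknown":
        return v
    return ".".join(v.split(".")[:2])


def fingerprint(html):
    """None for non-WordPress pages, otherwise the three survey fields."""
    if not is_wordpress(html):
        return None
    v = version(html)
    return {"plugins": plugins(html), "theme": theme(html),
            "version": v, "major": major_version(v)}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
```

The minification caveat from the plugin section applies unchanged: a cache or minify plugin that rewrites asset URLs removes the /wp-content/plugins/ paths this relies on, which is why the comment markers are checked as well.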

Web Server Usage

By examining the HTTP Headers it is a simple matter to determine the type of web server that these WordPress sites are running on. If anyone has ideas as to why there are 2563 sites running on Microsoft IIS please let me know in the comments.

Interesting to see the listing for WP Engine in the results. Nice way to get the word out.

Web Server usage by the Top WordPress Sites

HTTP Server Header    Count
Apache                62532
nginx                 31443
Litespeed              4344
Microsoft IIS          2563
WP Engine              1831
other                  1656

Have you seen the WordPress Security Scanners? Nothing to install. Free and advanced options available, using the excellent WPScan.

Install OpenVAS 7 on Ubuntu 14.04 https://hackertarget.com/install-openvas-7-ubuntu/ Fri, 09 May 2014 16:14:10 +0000

The post Install OpenVAS 7 on Ubuntu 14.04 appeared first on Online Vulnerability Scanners and Port Scans.

]]>
Get started with OpenVAS version 7 with this straightforward installation guide. Ubuntu 14.04 is an LTS release, meaning it is a good option for any server, including an OpenVAS vulnerability scanning server.

A nice change in the latest version of OpenVAS is the simplification of the structure. There are now four components that make up the solution: the scanner (openvassd), the manager (openvasmd), the Greenbone Security Assistant web interface (gsad) and the command line client (openvas-cli), all built on the shared openvas-libraries.

All the components rely on having the OpenVAS libraries installed correctly, so that is the first item that will be installed after we use apt-get install to prepare the system. The procedure below builds OpenVAS 7 from source.

OpenVAS Source Installation Steps

First we need to download and extract the required source files for OpenVAS.

mkdir openvas-src
cd openvas-src/
wget http://wald.intevation.org/frs/download.php/1638/openvas-libraries-7.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/1640/openvas-scanner-4.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/1637/openvas-manager-5.0.0.tar.gz
wget http://wald.intevation.org/frs/download.php/1639/greenbone-security-assistant-5.0.0.tar.gz
wget http://wald.intevation.org/frs/download.php/1633/openvas-cli-1.3.0.tar.gz
tar zxvf {component}.tar.gz

Repeat the tar step for each of the five archives; note that the Greenbone Security Assistant archive does not carry the openvas- prefix.

Next step is to install the Ubuntu 14.04 packages that will allow us to compile the code.

apt-get install build-essential bison flex cmake pkg-config libglib2.0-dev libgnutls-dev libpcap0.8-dev libgpgme11 libgpgme11-dev doxygen libuuid1 uuid-dev sqlfairy xmltoman sqlite3 libxml2-dev libxslt1.1 libxslt1-dev xsltproc libmicrohttpd-dev

With the necessary packages installed we can move on to compiling and installing the different OpenVAS components. Enter each component's directory and perform the following steps. Build openvas-libraries-7.0.1 first; after that the order should not matter.

cd {component}
mkdir source
cd source
cmake ..
make
make install

Now we are getting close, a few more steps and you will be able login to the OpenVAS scanner and start testing your system.

openvas-mkcert
ldconfig
openvassd

Check that openvassd has started correctly and is running.

ps -ef | grep openvas

Let's sync the NVT plugins and the vulnerability data.

openvas-nvt-sync
openvas-scapdata-sync
openvas-certdata-sync

Nearly there! Create a user account and client certificate.

openvasmd --create-user=admin --role=Admin
openvas-mkcert-client -n -i

Start All the Things! Note you can run the Greenbone Security Assistant with gsad --http-only to run it without SSL support; however, clear text protocols are for wimps, so get on the HTTPS. Then check you have openvassd / openvasmd / gsad running.

openvasmd --rebuild --progress
openvasmd
gsad

ps -ef | grep openvas

And confirm each component is listening on its port.

netstat -anp | grep LISTEN

tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN      3067/openvasmd  
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN      2453/openvassd: Waiting
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2772/sshd       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3070/gsad

The Web Console

Now that we have OpenVAS up and running it's time to look at the web console. From the netstat -anp output above we can see that gsad is running on port 443. Load a browser and simply go to HTTPS on the IP of our server.

Note that all three daemons are listening on 0.0.0.0, so the manager port (9390) and the web console are reachable from every interface. Unless the scanner sits on an isolated management network, restrict them with the --listen option of openvasmd and gsad, or with a host firewall.

Our hosted version of OpenVAS allows you to scan for vulnerabilities on any Internet facing IP address. We do the management for you.
