Today we are going to play with the famous hacker toolkit, Kali Linux. Almost everyone with an interest in security has heard of it or used it. Kali Linux is a Debian-based Linux distribution designed for digital forensics; the operating system is maintained and funded by Offensive Security Ltd.

It was first produced by Mati Aharoni and Devon Kearns of Offensive Security as a rewrite of BackTrack, the forensics-oriented Linux distribution they had written earlier. Kali Linux comes preinstalled with many penetration-testing programs, including nmap, Wireshark, John the Ripper and Aircrack-ng.[2] Users can run Kali Linux from a hard disk, a live CD or a live USB.

Kali Linux offers both 32-bit and 64-bit images for the x86 instruction set, as well as images for the ARM architecture that run on the Raspberry Pi and Samsung's ARM Chromebook. Even this brief summary from Baidu Baike shows how capable the distribution is; for novice-level "hackers" like us, picking up the essential skills through a professional toolkit like this is very convenient.

Kali Linux is a Debian-based Linux distribution, so anyone who has used Ubuntu will feel at home: the command line is almost identical. Since it is a complete standalone Linux system, installing it takes some effort. Installing it on a dedicated physical machine works fine, but buying a computer just to learn this system is wasteful, so we will install it in a virtual machine, using VirtualBox.


Installing VirtualBox itself is straightforward and is not covered here. The next step is to download the VirtualBox build of Kali Linux: https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/

On Mac OS, the Flox download tool is recommended for downloading the torrent file; it is very fast.



The interface is clean and fully graphical, although most of the tools still run from the command line when you open them, so you need a basic grasp of Linux shell commands. The default account after installation is root with the password toor; you can change the password to anything you like.

In this post we focus on WordPress security. Kali Linux ships with wpscan, a tool sponsored by Sucuri, which checks a WordPress site against its database of known vulnerabilities and prints detailed references for the fixes.

To see what the tool can do, we pick an arbitrary live WordPress site on the public Internet, the well-known cPanel Blog (http://blog.cpanel.com/), as the target. The scan result is as follows:

root@kali:~# wpscan --url blog.cpanel.com
_______________________________________________________________

_______________________________________________________________

[i] The remote host tried to redirect to: https://blog.cpanel.com/
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]Y
[+] URL: https://blog.cpanel.com/
[+] Started: Mon Mar 12 04:29:09 2018

[+] robots.txt available under: https://blog.cpanel.com/robots.txt
[+] Interesting entry from robots.txt: https://blog.cpanel.com/xmlrpc.php
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-XSS-PROTECTION: 1; mode=block
[i] WordPress version can not be detected

[+] WordPress theme in use: cpBlog15 - v3.3.4

[+] Name: cpBlog15 - v3.3.4
 |  Location: https://blog.cpanel.com/wp-content/themes/cpBlog15/
 |  Style URL: https://blog.cpanel.com/wp-content/themes/cpBlog15/style.css
 |  Theme Name: cPBlog15
 |  Theme URI: http://blog.cpanel.com/
 |  Description: A versatile HTML5 responsive WordPress framework based on Bootstrap.
 |  Author: cPanel Madmen
 |  Author URI: http://lduong.com/

[+] Enumerating plugins from passive detection ...
 | 5 plugins found:

[+] Name: add-to-any - v1.7.23
 |  Last updated: 2018-02-16T04:44:00.000Z
 |  Location: https://blog.cpanel.com/wp-content/plugins/add-to-any/
 |  Readme: https://blog.cpanel.com/wp-content/plugins/add-to-any/README.txt
[!] The version is out of date, the latest version is 1.7.25

[+] Name: disqus-comment-system
 |  Latest version: 3.0.15
 |  Last updated: 2018-03-02T22:23:00.000Z
 |  Location: https://blog.cpanel.com/wp-content/plugins/disqus-comment-system/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Disqus <= 2.75 - Remote Code Execution (RCE)
    Reference: https://wpvulndb.com/vulnerabilities/6357
    Reference: http://blog.sucuri.net/2014/06/anatomy-of-a-remote-code-execution-bug-on-disqus.html
[i] Fixed in: 2.76

[!] Title: Disqus Comment System <= 2.68 - Reflected Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/6358
    Reference: http://blog.dewhurstsecurity.com/2011/12/11/wordpress-plugin-disqus-comment-system-xss.html
[i] Fixed in: 2.69

[!] Title: Disqus Blog Comments <= 2.77 - Blind SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/6359
    Reference: https://www.exploit-db.com/exploits/20913/
[i] Fixed in: 2.7.8

[!] Title: Disqus <= 2.77 - Cross-Site Request Forgery (CSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7537
    Reference: https://vexatioustendencies.com/csrf-in-disqus-wordpress-plugin-v2-77/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5346
[i] Fixed in: 2.79

[!] Title: Disqus <= 2.75 - Cross-Site Scripting (XSS) & CSRF
    Reference: https://wpvulndb.com/vulnerabilities/7538
    Reference: https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/
    Reference: https://gist.github.com/nikcub/cb5dc7a5464276c8424a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5345
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5347
[i] Fixed in: 2.76

[+] Name: stop-user-enumeration
 |  Latest version: 1.3.15
 |  Last updated: 2018-01-23T09:50:00.000Z
 |  Location: https://blog.cpanel.com/wp-content/plugins/stop-user-enumeration/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Stop User Enumeration 1.2.4 - POST Request Protection Bypass
    Reference: https://wpvulndb.com/vulnerabilities/7125
    Reference: http://packetstormsecurity.com/files/125035/
    Reference: http://seclists.org/fulldisclosure/2014/Feb/3
    Reference: https://secunia.com/advisories/56643/
[i] Fixed in: 1.2.5

[!] Title: Stop User Enumeration <= 1.3.3 - Username Enumeration Bypass
    Reference: https://wpvulndb.com/vulnerabilities/8436
    Reference: https://wordpress.org/plugins/stop-user-enumeration/changelog/
    Reference: https://plugins.trac.wordpress.org/changeset/1390935/stop-user-enumeration
[i] Fixed in: 1.3.4

[!] Title: Stop User Enumeration <= 1.3.4 - Username Enumeration Bypasses
    Reference: https://wpvulndb.com/vulnerabilities/8712
    Reference: http://seclists.org/fulldisclosure/2017/Jan/10
    Reference: https://security.dxw.com/advisories/stop-user-enumeration-does-not-stop-user-enumeration/
[i] Fixed in: 1.3.5

[!] Title: Stop User Enumeration 1.3.5-1.3.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8723
    Reference: https://plugins.trac.wordpress.org/changeset/1575129/stop-user-enumeration
[i] Fixed in: 1.3.8

[!] Title: Stop User Enumeration <= 1.3.8 - REST API Bypass
    Reference: https://wpvulndb.com/vulnerabilities/8874
    Reference: https://security.dxw.com/advisories/stop-user-enumeration-rest-api/
    Reference: http://seclists.org/fulldisclosure/2017/Jul/67
[i] Fixed in: 1.3.9

[+] Name: wp-jquery-lightbox
 |  Latest version: 1.4.8
 |  Last updated: 2016-03-15T16:02:00.000Z
 |  Location: https://blog.cpanel.com/wp-content/plugins/wp-jquery-lightbox/

[+] Name: wp-pagenavi
 |  Latest version: 2.92
 |  Last updated: 2017-06-30T08:12:00.000Z
 |  Location: https://blog.cpanel.com/wp-content/plugins/wp-pagenavi/

[+] Finished: Mon Mar 12 04:40:58 2018
[+] Requests Done: 396
[+] Memory used: 145.371 MB
[+] Elapsed time: 00:11:48
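The scan output above is long, and what the site owner actually needs from it is short: which components are out of date, and which ones WPScan could not version (so every published issue is listed and nothing can be ruled out). The script below is an added example, not part of the original post or of WPScan itself. It parses the WPScan 2.x text format shown above into records and ranks them for remediation. The sample excerpt is constructed from the format of the output above with a placeholder hostname, and the priority scheme (version-hidden components with published issues first, then stale ones) is my own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the WPScan 2.x text format shown above; the hostname is
# a placeholder and the excerpt is trimmed to the lines the parser cares about.
SAMPLE_OUTPUT = """\
[+] Enumerating plugins from passive detection ...
 | 3 plugins found:

[+] Name: add-to-any - v1.7.23
 |  Location: https://example.invalid/wp-content/plugins/add-to-any/
[!] The version is out of date, the latest version is 1.7.25

[+] Name: disqus-comment-system
 |  Latest version: 3.0.15
 |  Location: https://example.invalid/wp-content/plugins/disqus-comment-system/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Disqus <= 2.75 - Remote Code Execution (RCE)
    Reference: https://wpvulndb.com/vulnerabilities/6357
[i] Fixed in: 2.76

[!] Title: Disqus <= 2.77 - Cross-Site Request Forgery (CSRF)
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5346
[i] Fixed in: 2.79

[+] Name: wp-pagenavi
 |  Latest version: 2.92
 |  Location: https://example.invalid/wp-content/plugins/wp-pagenavi/
"""

@dataclass
class Vulnerability:
    title: str
    fixed_in: Optional[str] = None
    references: List[str] = field(default_factory=list)

@dataclass
class Component:
    kind: str                        # "theme" or "plugin"
    name: str
    version: Optional[str]           # None when WPScan printed no "- vX.Y"
    latest: Optional[str] = None
    out_of_date: bool = False
    version_unknown: bool = False    # "We could not determine a version"
    vulns: List[Vulnerability] = field(default_factory=list)

NAME_RE = re.compile(r"^\[\+\] Name: (?P<name>\S+)(?: - v(?P<ver>\S+))?")
LATEST_RE = re.compile(r"^\s*\|\s*Latest version: (\S+)")
OUTDATED_RE = re.compile(r"^\[!\] The version is out of date, the latest version is (\S+)")
TITLE_RE = re.compile(r"^\[!\] Title: (.+)$")
REF_RE = re.compile(r"^\s*Reference: (\S+)")
FIXED_RE = re.compile(r"^\[i\] Fixed in: (\S+)")

def parse_wpscan(text: str) -> List[Component]:
    """Turn WPScan 2.x text output into Component records; unrecognised lines are skipped."""
    comps: List[Component] = []
    kind, cur, vuln = "unknown", None, None
    for line in text.splitlines():
        if line.startswith("[+] WordPress theme in use"):
            kind = "theme"
        elif line.startswith("[+] Enumerating plugins"):
            kind = "plugin"
        elif (m := NAME_RE.match(line)):
            cur = Component(kind=kind, name=m["name"], version=m["ver"])
            comps.append(cur)
            vuln = None
        elif cur is None:
            continue
        elif (m := LATEST_RE.match(line)):
            cur.latest = m.group(1)
        elif (m := OUTDATED_RE.match(line)):
            cur.out_of_date, cur.latest = True, m.group(1)
        elif line.startswith("[!] We could not determine a version"):
            cur.version_unknown = True
        elif (m := TITLE_RE.match(line)):
            vuln = Vulnerability(title=m.group(1))
            cur.vulns.append(vuln)
        elif vuln is not None and (m := REF_RE.match(line)):
            vuln.references.append(m.group(1))
        elif vuln is not None and (m := FIXED_RE.match(line)):
            vuln.fixed_in = m.group(1)
    return comps

def version_key(v: str):
    """Numeric sort key, so that '2.7.8' sorts below '2.79' instead of lexicographically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def triage(comps: List[Component]):
    """Site-owner priorities: components with published issues whose version is hidden
    come first (nothing can be ruled out), then components WPScan saw were stale."""
    actions = []
    for c in comps:
        if c.vulns and c.version_unknown:
            fixes = [v.fixed_in for v in c.vulns if v.fixed_in]
            newest = max(fixes, key=version_key) if fixes else "n/a"
            actions.append((1, c.name, f"{len(c.vulns)} published issues; confirm installed version >= {newest}"))
        elif c.out_of_date:
            actions.append((2, c.name, f"update {c.version} -> {c.latest}"))
    return sorted(actions)

if __name__ == "__main__":
    for prio, name, note in triage(parse_wpscan(SAMPLE_OUTPUT)):
        print(f"P{prio} {name}: {note}")
```

Run on a saved scan (wpscan --log writes one) the same way: parse_wpscan(open("log.txt").read()). Note that "version unknown" is not a clean bill of health; hiding a plugin's version only hides it from the scanner, so the owner still has to confirm the installed version against the newest "Fixed in" value.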


The usage of the latest WPScan version is as follows:

root@kali:~# wpscan -h
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

Help :

Some values are settable in a config file, see the example.conf.json

--update                    Update the database to the latest version.
--url       | -u            The WordPress URL/domain to scan.
--force     | -f            Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]  Enumeration.
  option :
    u        usernames from id 1 to 10
    u[10-20] usernames from id 10 to 20 (you must write [] chars)
    p        plugins
    vp       only vulnerable plugins
    ap       all plugins (can take a long time)
    tt       timthumbs
    t        themes
    vt       only vulnerable themes
    at       all themes (can take a long time)
  Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
  If no option is supplied, the default is "vt,tt,u,vp"

--exclude-content-based ""  Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
                            You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file  | -c         Use the specified config file, see the example.conf.json.
--user-agent   | -a         Use the specified User-Agent.
--cookie                    String to read cookies from.
--random-agent | -r         Use a random User-Agent.
--follow-redirection        If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch                     Never ask for user input, use the default behaviour.
--no-color                  Do not use colors in the output.
--log [filename]            Creates a log.txt file with WPScans output if no filename is supplied. Otherwise the filename is used for logging.
--no-banner                 Prevents the WPScan banner from being displayed.
--disable-accept-header     Prevents WPScan sending the Accept HTTP header.
--disable-referer           Prevents setting the Referer header.
--disable-tls-checks        Disables SSL/TLS certificate verification.
--wp-content-dir            WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specify it.
                            Subdirectories are allowed.
--wp-plugins-dir            Same thing than --wp-content-dir but for the plugins directory.
                            If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy                     Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
                            If no protocol is given (format host:port), HTTP will be used.
--proxy-auth                Supply the proxy login credentials.
--basic-auth                Set the HTTP Basic authentication.
--wordlist | -w             Supply a wordlist for the password brute forcer.
--username | -U             Only brute force the supplied username.
--usernames                 Only brute force the usernames from the file.
--cache-dir                 Set the cache directory.
--cache-ttl                 Typhoeus cache TTL.
--request-timeout           Request Timeout.
--connect-timeout           Connect Timeout.
--threads  | -t             The number of threads to use when multi-threading requests.
--max-threads               Maximum Threads.
--throttle                  Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
--help     | -h             This help screen.
--verbose  | -v             Verbose output.
--version                   Output the current version and exit.

Examples :

-Further help ...
ruby ./wpscan.rb --help

-Do non-intrusive checks ...
ruby ./wpscan.rb --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the admin username only ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
ruby ./wpscan.rb --url www.example.com --enumerate p

-Enumerate installed themes ...
ruby ./wpscan.rb --url www.example.com --enumerate t

-Enumerate users ...
ruby ./wpscan.rb --url www.example.com --enumerate u

-Enumerate installed timthumbs ...
ruby ./wpscan.rb --url www.example.com --enumerate tt

-Use a HTTP proxy ...
ruby ./wpscan.rb --url www.example.com --proxy <host:port>

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby ./wpscan.rb --url www.example.com --proxy socks5://<host:port>

-Use custom content directory ...
ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update the DB ...
ruby ./wpscan.rb --update

-Debug output ...
ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log

See README for further information.

Going a step further, WPScan can also run brute-force attacks against WordPress:

1. First run a simple initial scan:

wpscan --url 192.*.*.*

This lists the WordPress site's basic information, the vulnerabilities found and their corresponding CVE references.

2. Attack the WordPress site and enumerate its list of usernames. The general form of the command is:

wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username to brute force // a specific username, or empty] --threads [number of threads to use // number of concurrent request threads]

Run the following command:

wpscan -u 192.*.*.* -e u,vp

Using the site's existing weaknesses, WPScan obtains the user list from the WordPress user table; here it finds one user, admin.

3. Brute-force the password with a dictionary. One thing to note at this step: the dictionary was prepared in advance and placed in the current directory, so the command below reads the txt file from the current directory.

The command is:

wpscan --url 192.*.*.* -e u --wordlist /root/abcwordlist.txt

To sum up, WPScan is only one beginner-level tool among the 300-plus hacking tools bundled with Kali Linux. If you are interested, it is well worth digging into the other tools in this toolkit. As always, a hacking tool is like a kitchen knife: a good person uses it to cook and a bad person uses it to kill. Tools are neither good nor bad; people are. Learning good tools to improve network security is entirely reasonable.
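Seen from the other side of the wire, the three steps above leave a recognisable trail in the web server's access log: a sweep of ?author=N requests (how "-e u" discovers usernames), reads of the REST users endpoint, and a burst of POSTs to wp-login.php or xmlrpc.php from one address. The script below is an added example, not part of the original post or of WPScan; it runs simple detection rules over Apache combined-format log lines and reports the source addresses that match. The log lines, the addresses and the thresholds (3 distinct author IDs; 10 login POSTs within 60 seconds) are all constructed or assumed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')         # username discovery via author IDs
REST_USERS = "/wp-json/wp/v2/users"                  # username discovery via the REST API
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")       # password guessing targets

# Constructed sample log (RFC 5737 documentation addresses, not real clients):
# 203.0.113.7 sweeps author IDs, reads the users endpoint, then hammers the login;
# 198.51.100.4 is an ordinary visitor with one failed (200) and one successful (302) login.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2018:04:29:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2018:04:29:11 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2018:04:29:12 +0000] "GET /?author=3 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2018:04:29:13 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2018:04:29:30 +0000] "GET /2018/03/hello/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2018:04:29:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2018:04:29:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [12/Mar/2018:04:30:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"'
    for s in range(0, 24, 2)   # 12 login POSTs in 22 seconds
]

def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }

def analyze(lines, login_threshold=10, window_seconds=60, author_ids_threshold=3):
    """Apply the three rules and return one finding per (ip, rule) that fires."""
    author_ids = defaultdict(set)
    rest_users = set()
    login_posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (m := AUTHOR_RE.match(rec["path"])):
            author_ids[rec["ip"]].add(int(m.group(1)))
        if rec["path"].split("?")[0] == REST_USERS:
            rest_users.add(rec["ip"])
        # A 200 on a login POST is WordPress re-rendering the form (failed attempt);
        # success normally answers 302. Counting every POST catches both.
        if rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            login_posts[rec["ip"]].append(rec["ts"])

    findings = []
    for ip, ids in sorted(author_ids.items()):
        if len(ids) >= author_ids_threshold:
            findings.append({"ip": ip, "type": "author-id-sweep",
                             "detail": f"{len(ids)} distinct ?author= ids"})
    for ip in sorted(rest_users):
        findings.append({"ip": ip, "type": "rest-users-listing",
                         "detail": f"{REST_USERS} requested"})
    window = timedelta(seconds=window_seconds)
    for ip, stamps in sorted(login_posts.items()):
        stamps.sort()
        # Sliding window: any run of login_threshold POSTs inside window_seconds fires once.
        for i in range(len(stamps) - login_threshold + 1):
            if stamps[i + login_threshold - 1] - stamps[i] <= window:
                findings.append({"ip": ip, "type": "login-brute-force",
                                 "detail": f"{login_threshold}+ login POSTs within {window_seconds}s"})
                break
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['type']:20} {f['detail']}")
```

The author-ID sweep is the rule worth keeping even if the others are noisy: a legitimate visitor almost never requests /?author=1, /?author=2, /?author=3 in sequence. On the mitigation side, the scan output earlier already hints at the two controls: the stop-user-enumeration plugin (kept current, since several of its listed bypasses were fixed in later releases) and rate-limiting or blocking POSTs to xmlrpc.php and wp-login.php at the web server or a WAF in front of it.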



