Joomla! is a very popular CMS that is used for many different purposes, including e-commerce. Detecting user accounts with weak passwords is a common task for penetration testers, and Nmap helps with that by using the NSE script http-joomla-brute.
This recipe shows how to perform brute force password auditing against Joomla! installations.
Open your terminal and enter the following command:
$ nmap -p80 --script http-joomla-brute <target>
All of the valid accounts that were found will be returned:
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-joomla-brute:
|   Accounts
|     king:kong => Login correct
|   Statistics
|_    Perfomed 799 guesses in 501 seconds, average tps: 0
The argument -p80 --script http-joomla-brute launches the NSE script http-joomla-brute if a web server is found on port 80 (-p80). I developed this script to perform brute force password auditing against Joomla! installations.
The script http-joomla-brute uses the following default variables:
uri: /administrator/index.php
uservar: username
passvar: passwd
Set the number of threads with the argument http-joomla-brute.threads by using the following command:
$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.threads=5 <target>
To set the Host field in the HTTP requests, use the script argument http-joomla-brute.hostname by using the following command:
$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.hostname="hostname.com" <target>
Set a different login URI by specifying the argument http-joomla-brute.uri using the following command:
$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.uri="/joomla/admin/login.php" <target>
To change the names of the POST variables that store the usernames and passwords, set the arguments http-joomla-brute.uservar and http-joomla-brute.passvar by using the following command:
$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.uservar=usuario,http-joomla-brute.passvar=pasguord <target>
There are some packet filtering products that block requests made using Nmap's default HTTP User Agent. You can use a different User Agent value by setting the argument http.useragent:
$ nmap -p80 --script http-joomla-brute --script-args http.useragent="Mozilla 42" <target>
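Because the User Agent can be changed this easily, a filter that only matches Nmap's default value will miss the audit. The following is an added example for the defending side, not part of the original recipe or of the script: it flags sources of automated login POSTs to the default URI in a web server access log by request rate as well as by User Agent. The combined log format, the threshold of 10 POSTs per 60 seconds, and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_URI = "/administrator/index.php"   # the script's default uri, from this recipe
NSE_UA_MARKER = "Nmap Scripting Engine"  # substring of Nmap's default HTTP User Agent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that are not in combined log format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_sources(lines, max_posts=10, window=timedelta(seconds=60)):
    """Return {ip: reasons} for clients whose login POSTs look automated (thresholds assumed)."""
    recent, flagged = defaultdict(deque), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST" or rec["path"].split("?")[0] != LOGIN_URI:
            continue
        if NSE_UA_MARKER in rec["ua"]:
            flagged[rec["ip"]].add("default-nse-user-agent")
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop POSTs that fell out of the window
            q.popleft()
        if len(q) > max_posts:
            flagged[rec["ip"]].add("login-post-rate")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}

def sample_log():
    """Constructed log lines (documentation IP ranges), not captured traffic."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "POST {uri} HTTP/1.1" 200 4521 "-" "{ua}"'
    nse = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
    lines = [fmt.format(ip="203.0.113.7", s=s, uri=LOGIN_URI, ua=nse) for s in range(3)]
    lines += [fmt.format(ip="203.0.113.8", s=s, uri=LOGIN_URI, ua="Mozilla 42") for s in range(12)]
    lines += [fmt.format(ip="198.51.100.9", s=30, uri=LOGIN_URI, ua="Mozilla/5.0 (X11; Linux x86_64)")]
    return lines

if __name__ == "__main__":
    for ip, reasons in flag_sources(sample_log()).items():
        print(ip, reasons)
```

The client that sends "Mozilla 42" is caught only by the rate rule, which is why the User Agent check should be treated as a supplementary signal.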
The Brute library supports different modes that alter the combinations used in the attack. The available modes are:
user: In this mode, for each user listed in userdb, every password in passdb will be tried:
$ nmap --script http-joomla-brute --script-args brute.mode=user <target>
pass: In this mode, for each password listed in passdb, every user in userdb will be tried:
$ nmap --script http-joomla-brute --script-args brute.mode=pass <target>
creds: This mode requires the additional argument brute.credfile:
$ nmap --script http-joomla-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>