Brute-force password auditing Joomla! installations

Joomla! is a very popular CMS that is used for many different purposes, including e-commerce. Detecting user accounts with weak passwords is a common task for penetration testers, and Nmap helps with that through the NSE script http-joomla-brute, which guesses credentials against the Joomla! administrator login form.

This recipe shows how to perform brute force password auditing against Joomla! installations.

How to do it...

Open your terminal and enter the following command:

$ nmap -p80 --script http-joomla-brute <target>

All of the valid accounts that were found will be returned:

PORT     STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-joomla-brute:
|   Accounts
|     king:kong => Login correct
|   Statistics
|_    Performed 799 guesses in 501 seconds, average tps: 0

How it works...

The argument -p80 --script http-joomla-brute launches the NSE script http-joomla-brute if a web server is found on port 80 (-p80). I developed this script to perform brute force password auditing against Joomla! installations.

The script http-joomla-brute submits its login attempts to the Joomla! administrator form using the following default variables (the login URI and the names of the POST fields carrying the username and password):

  • uri: /administrator/index.php
  • uservar: username
  • passvar: passwd

There's more...

Set the thread number with the argument http-joomla-brute.threads by using the following command:

$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.threads=5 <target>

To set the Host field in the HTTP requests, use the script argument http-joomla-brute.hostname, by using the following command:

$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.hostname="hostname.com" <target>

Set a different login URI by specifying the argument http-joomla-brute.uri using the following command:

$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.uri="/joomla/admin/login.php" <target>

To change the names of the POST variables that carry the username and password, set the arguments http-joomla-brute.uservar and http-joomla-brute.passvar by using the following command:

$ nmap -p80 --script http-joomla-brute --script-args http-joomla-brute.uservar=usuario,http-joomla-brute.passvar=pasguord <target>

HTTP User Agent

There are some packet filtering products that block requests made using Nmap's default HTTP User Agent. You can use a different User Agent value by setting the argument http.useragent, which applies to every script built on the http library, including http-joomla-brute:

$ nmap -p80 --script http-joomla-brute --script-args http.useragent="Mozilla 42" <target>

Brute modes

The Brute library supports different modes that alter the combinations used in the attack. The available modes are:

  • user: In this mode, for each user listed in userdb, every password in passdb will be tried
    $ nmap -p80 --script http-joomla-brute --script-args brute.mode=user <target>
    
  • pass: In this mode, for each password listed in passdb, every user in userdb will be tried
    $ nmap -p80 --script http-joomla-brute --script-args brute.mode=pass <target>
    
  • creds: In this mode, only the username/password pairs listed in the file given by the additional argument brute.credfile will be tried
    $ nmap -p80 --script http-joomla-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
    
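The three modes differ only in the order in which (user, password) pairs are tried, which matters when the target locks accounts after a few failed logins. The following Python script is an added example written for this recipe; it is not code from Nmap, the brute library or the book. It performs no network requests: it reproduces the guess ordering of each brute.mode over a constructed userdb, passdb and credfile so you can see how many consecutive attempts each mode makes against one account. The "user/pass" credfile line format is the one the brute library documents for brute.credfile; the word lists, the sample "valid" account and all function names are constructed for the example.

```python
"""Guess ordering of the Nmap brute library modes (user, pass, creds).

Added example for the http-joomla-brute recipe; not Nmap project code.
No network I/O: it only enumerates the (user, password) pairs each mode
would submit, in order, and measures the consequences for lockout.
"""
from typing import Iterator, List, Tuple

Cred = Tuple[str, str]

# Constructed sample word lists standing in for brute.userdb / brute.passdb.
USERDB: List[str] = ["admin", "king"]
PASSDB: List[str] = ["admin", "kong", "joomla"]

# Constructed sample contents of a brute.credfile. Assumption: one
# "user/pass" pair per line, the delimiter the brute library documents.
CREDFILE = """\
admin/admin
king/kong
# blank lines and comments are skipped by this example's parser
editor/secret
"""


def iter_user_mode(users: List[str], passwords: List[str]) -> Iterator[Cred]:
    """brute.mode=user: for each user, try every password before moving on."""
    for user in users:
        for password in passwords:
            yield (user, password)


def iter_pass_mode(users: List[str], passwords: List[str]) -> Iterator[Cred]:
    """brute.mode=pass: for each password, try every user (password spraying)."""
    for password in passwords:
        for user in users:
            yield (user, password)


def iter_creds_mode(credfile_text: str) -> Iterator[Cred]:
    """brute.mode=creds: try only the pairs listed in the credfile."""
    for raw in credfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition("/")
        if not sep:
            raise ValueError(f"malformed credfile line: {line!r}")
        yield (user, password)


def guesses(mode: str, users: List[str] = USERDB,
            passwords: List[str] = PASSDB,
            credfile: str = CREDFILE) -> List[Cred]:
    """Return the full ordered list of guesses a given brute.mode produces."""
    if mode == "user":
        return list(iter_user_mode(users, passwords))
    if mode == "pass":
        return list(iter_pass_mode(users, passwords))
    if mode == "creds":
        return list(iter_creds_mode(credfile))
    raise ValueError(f"unknown brute.mode: {mode!r}")


def attempts_until_hit(mode: str, valid: Cred) -> int:
    """1-based index of the first guess matching the (constructed) valid
    account, or 0 if the mode never tries it."""
    for index, cred in enumerate(guesses(mode), start=1):
        if cred == valid:
            return index
    return 0


def max_consecutive_per_account(mode: str) -> int:
    """Longest run of back-to-back guesses against the same username.

    This is what a per-account lockout threshold is compared against:
    user mode burns the whole passdb on one account before moving on,
    pass mode touches each account once per password.
    """
    longest = current = 0
    previous = None
    for user, _ in guesses(mode):
        current = current + 1 if user == previous else 1
        longest = max(longest, current)
        previous = user
    return longest


if __name__ == "__main__":
    target = ("king", "kong")  # constructed valid account
    for mode in ("user", "pass", "creds"):
        print(f"{mode:5s} guesses={len(guesses(mode)):2d} "
              f"hit_at={attempts_until_hit(mode, target)} "
              f"max_consecutive_per_account={max_consecutive_per_account(mode)}")
```

With the sample lists, user mode reaches king:kong on the fifth guess after three consecutive attempts against admin, pass mode reaches it on the fourth with at most one consecutive attempt per account, and creds mode on the second. Against a Joomla! site with a login-attempt limit, pass mode with a short passdb or creds mode with a curated list is the less disruptive choice.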

See also

  • The Detecting possible XST vulnerabilities recipe
  • The Discovering interesting files and directories on various web servers recipe
  • The Brute forcing HTTP authentication recipe
  • The Abusing mod_userdir to enumerate user accounts recipe
  • The Testing default credentials in web applications recipe
  • The Brute-force password auditing WordPress installations recipe
  • The Detecting web servers vulnerable to slowloris denial of service attacks recipe