Tag Archives: hacking; WordPress

How Hackers Attack – Part 1

Most hackers have a favorite target. Some prefer web servers of a particular flavor, others prefer Remote Desktop or SSH, etc.  Knowing this ultimately helps an administrator to know and understand the threats that face their network.  So, how does this look in the real world?  Let us take a look at a practical example.

Let’s say my target of choice is the WordPress platform.   Now, because I have access to the WordPress source code, I spend all day pouring over the code looking for vulnerabilities.  (In fairness, it is not only open source code that I can do this on, but it’s easier on open source software because there’s typically less reverse engineering involved.)  Suppose now that I have found a vulnerability and want to develop an exploit for this vulnerability.  I turn to ExploitPack to write and test the exploit.

ExploitPack is a cross-platform tool that allows me to quickly write and test the exploit.  ExploitPack allows me to write my exploit(s) in Python, a language that is lightweight, powerful, and very easy to learn.  ExploitPack is essentially an integrated development environment (IDE) for developing exploits, and it’s free to anyone who can find it online.

So, now that I’ve found my vulnerability and have written an exploit for it, I now need to find a list of targets that would be affected by my vulnerability.  This can be a manual process, or a clever hacker can automate it.  Manually, I could search Google with a query of “link:wp-content/themes” and find all of the WordPress sites in the Google index, but now I have to compile that list by hand, and I’m quickly bored by that.  What are my options?  ‘zmap’ is a tool that allows me to quickly scan very large segments of the Internet for services running on specific ports.  I can find all the webservers on the “regular Internet” (I’ll write about the “dark net” later) in a couple of days.  Then I just need to crawl those sites using a tool like BurpSuite looking for “wp-content/themes.”  So, in a week’s time, I can find the vast majority of the sites on the Internet that run WordPress.

How does a hacker tie it all together?  They take the list of targets they found using zmap and burp, export it into ExploitPack, select their hand-crafted vulnerability as their payload, and select a payload (which can be any of a thousand things, but in a case like this, your attacker is probably going to use a PHP shell as their payload to allow them to do whatever they want on the box) and hit “go.”

A little patience, and now I’ve got a remote shell on potentially tens of thousands of hosts from which I can do a number of things, including deface websites, steal content, steal credentials, host malware – the list goes on.  And it only took me a couple of weeks.  If the site contained anything really juicy, I might be able to sell it, or otherwise monetize it (e.g. blackmail).

That is how hackers attack your network.  All said and told, the only tool I would need to pay for to achieve all of this would be a commercial copy of BurpSuite, which costs $300… which I could recover very quickly by ransoming the websites I’d just “pwned” (“owned,” or taken over).  In the next segment of this series, I’ll write about how we prevent these attacks in a robust fashion.

Corey Steele, Network and Security Engineer