A) Starting nikto on a webserver
For the starting of the web scanning server, you need to have a host address
and hostname along with a tuning mechanism. By using this command, you
can easily detect the versions of the webserver or the programming
language that has been used
Here is the command for the starting of the Nikto :
example@ linuxwar : start Nikto www.exampleweb.com
B) Running all tasks
Usually, there are a lot of hosts that we can attack. Hackers try to do things
at a fast rate by attacking all of the hosts at once. For this reason, Nikto
provided a tool that lets you insert the word file so that you can scan all of
them at once.
Here is the command that can be used to run all tasks :
example@ linuxwar : run Nikto 193.3234.33.23
C) Running against multiple hosts
Where the prior command attacks on different servers at once with a single
address in this process we will use different network addresses while
attacking the host interfaces.
Here is the command that explains this process.
example@ linuxwar : run hosts host1 host2 host3
With this, we have given a complete introduction to the manual web
scanners and in the next section, we will start learning about Wordpress and
its vulnerabilities in detail.
Hacking a WordPress Website
Normally websites are developed from scratch using different web
programming languages like PHP and javascript. But normally not every
small business can afford good web programmers to write separate code for
them.
So, a lot of internet users rely on content management systems. And out of
a lot that is available WordPress is the most famous. It is used in more than
25℅ of the websites that are present .
It offers good security features along with a lot of themes and plugins that
can be used. However, WordPress is not fully safe from a few
vulnerabilities. There are more chances of an XSS or CSRF vulnerability to
be found. And the worst part of using WordPress is plugins and themes can
be used to insert malicious code. A lot of hackers use this strategy to steal
information from the WordPress servers.
To get rid of this problem, we can use a tool called WPscan to scan
WordPress websites.
a) First of all, before starting the Wordpress scanner test you need to update
the system so that there will be no way that any outdated vulnerabilities can
be found.
b) After using the update, you can start the real start with the scanner. All
you need to do is to enter the Wordpress URL that needs to be scanned.
Here is the command that needs to be used
example@ linuxwar : start wpscan www.exampleweb.com
c) In the next step, we can use the tool to get the list of users who are
present is the Wordpress system. Wordpress consists of a directory of
systematic users that maintain or a part of that website. For this reason, this
scanner should be used as an enumeration tool whenever it is possible.
d) There are also options in the scanner that lets you brute force the system
for root privilege or stop the enumeration system that is present on the
website.
If you are the owner of a Wordpress website, you can use this tool to check
the security of your website and if it doesn't turn out well you need to install
web server security technologies like cloud fare for an additional layer of
security mechanisms.
|
