Wordpress

Jaidam – Open Source Penetration Testing Framework

Written by Mubassir patel
                           ;                                            
                           ED.                                          
                           E#Wi                                         
  itttttttt            t   E###G.                                       
  fDDK##DDi         .. Ej  E#fD#W;               ..           ..       :
     t#E           ;W, E#, E#t t##L             ;W,          ,W,     .Et
     t#E          j##, E#t E#t  .E#K,          j##,         t##,    ,W#t
     t#E         G###, E#t E#t    j##f        G###,        L###,   j###t
     t#E       :E####, E#t E#t    :E#K:     :E####,      .E#j##,  G#fE#t
     t#E      ;W#DG##, E#t E#t   t##L      ;W#DG##,     ;WW; ##,:K#i E#t
   jfL#E     j### W##, E#t E#t .D#W;      j###DW##,    j#E.  ##f#W,  E#t
   :K##E    G##i,,G##, E#t E#tiW#G.      G##i,,G##,  .D#L    ###K:   E#t
     G#E  :K#K:   L##, E#t E#K##i      :K#K:   L##, :K#t     ##D.    E#t
      tE ;##D.    L##, E#t E##D.      ;##D.    L##, ...      #G      .. 
       . ,,,      .,,  ,;. E#t        ,,,      .,,           j          
                           L:                          
GENERAL INFORMATION

Jaidam is an open source penetration testing tool that a security tools that would take as input a list of domain names, scan them, determine if wordpress or joomla platform was used and finally check them automatically, for web vulnerabilities using two well‐known open source tools :

The innovative part of Jaidam security tool is that it combines the modules of Joomscan and WPScan in one package providing more functionality to the user saving up much time. Moreover it can handle a list of sites taken as an input so as the user has the ability to run a distributed web vulnerability scan. There is a builtin multithreaded function for faster results in determining the kind of CMS a site uses.

When the scanning of domain names is completed the user is asked whether he likes to perform a WPScan or a Joomscan. By choosing for example a WPScan then it starts to scan for vulnerabilities all the sites that have recognized as WordPress sites

After completing the scan procedure, jaidam stores the results in the wp_vulne_table for wordpress results or in the jm_vulne_table for joomla results in a sqlite3 database within the file jaidamSQLite.db.

The categories of the vulnerabilities the tool will scan for have been chosen based on the Owasp’s top 10 vulnerability list and are the following:

For wordpress sites:

For Joomla sites:

INSTALL

Jaidam has been written and tested in debian-like distros. The main distro that it was tested on is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing distribution, Kali Linux. In order for the program to run in a kali linux distro it is necessary for the distro to be fully updated, upgraded :

  • apt-get update && apt-get upgrade
  • apt-get dist-upgrade

After being download and extracted, the program runs in standalone mode. In case of other debian-like distros the prerequisites are:

  • Ruby >= 1.9.2 – Recommended: 1.9.3
  • Curl >= 7.21 – Recommended: latest – FYI the 7.29 has a segfault
  • RubyGems – Recommended: latest
  • Pyhon = 2.7
  • Git
  • WPScan
  • JoomScan
STRACTURE

Jaidam is written in Python programming language and its structure is shown below :

.
|-- core
|   |-- colors.py
|   |-- config.py
|   |-- __init__.py
|   |-- menu.py
|   `-- update.py
|-- modules
|   |-- grscan.py
|   |-- __init__.py
|   |-- modmenu.py
|   `-- otenet.py
|-- jaidam.py
|-- README
|-- scan
|   |-- __init__.py
|   |-- jms.py
|   |-- lst.py
|   `-- wps.py
|-- sites
`-- VERSION

4 directories, 16 files
OPTIONS
  L / l: Create List
  C / c: Create list of custom TXT file
  S / s: Scan a single site

  W / w: Use WPScan for scanning wordpress sites
  J / j: Use Joomscan for scanning joomla sites
  M / m: Use Jaidam Extra Modules(*)
  D / d: Automatic creation of list using built in function 
  G / g: Automatic creation of list using built in function (aproximatly 14000 gr sites)

  U / u: Update Jaidam to the latest version
  Q / q: Quit
ADDING EXTRA MODULES

In this section anyone can write his own python modules for this tool . Example can be another scanner or another list generator script.

The only thing that you must have in mind is that : You must include your script in the /modules folder and add your script to the menu in /modules/modmenu.py

WHO CAN USE IT?

Everyone can use this tool. Jaidam Tolkit has a simple environment and can be used, from web developers that want to test their sites, from pentesters that have multiple/single site to check , either from a researcher that want to have statistics for the situation of specific websites.

WHAT JAIDAM CAN NOT DO?

Jaidam Toolking will not attempt to penetrate any of this site or to find any 0day. This tool will only warn you if there is a possible vulnerability in the site. More information about the vulnerability are presented but in no way this tool will exploit that vulnerability.

KNOWN ISSUES

The tool is not compatible (yet) with any other linux distribution except from debian based distros.

FUTURE WORK

Jaidam is a security tool that has shown to have much potential as fas as development concerns. There are a lot of aspects that could be improved like:

  • Graphical User Interface
  • Support for redhat and fedora distros.
  • Features like importing address spaces to be scanned.
LICENSE
Jaidam Toolkit
Copyright (C) 2013 Jaidam Development Team.

 [*] Paraskevopoulos Ioannis   -  iparaskev[AT]gmail[DOT]com
 [*] Stasinopoulos Anastasios  -  stasinopoulos[AT]unipi[DOT]gr
 [*] Tasiopoulos Vasilis       -  tasiopoulos[DOT]vasilis[AT]gmail[DOT]com

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
ACKNOWLEDGMENTS

Jaidam was developed as a project for the Postgraduate course Digital Forensics and Web Security in the Department of Digital System, University of Piraeus.

About the author

Mubassir patel

Mubassir is a founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and including all technology topic.

Leave a Comment