Use JoomScan to scan Joomla for vulnerabilities on Kali

When installing a content management system for your website, it’s easy to get lazy and assume that it’s going to do all the work for you. A CMS like Joomla certainly does make things more convenient, and lets you publish a polished website very quickly, but that doesn’t mean you shouldn’t take some extra time to secure it.

If your website is running Joomla, you can use the JoomScan utility against your site to uncover vulnerabilities or just general information that can assist in an attack against your site. Once you’re aware of the site’s weak spots, you can take the proper steps to secure it. JoomScan works similarly to WPScan, which is used for scanning WordPress sites for vulnerabilities.

In this guide, we’ll see how to use JoomScan on Kali Linux. JoomScan itself is not a tool that can be used maliciously while performing simple scans against a site, unless you consider the extra traffic itself to be malicious. But the information it reveals about a site can be leveraged by attackers to launch an attack. Therefore, make sure you have permission to scan a website when using this tool.

In this tutorial you will learn:

  • How to use JoomScan

Using JoomScan on Kali Linux

Software Requirements and Linux Command Line Conventions

Category | Requirements, Conventions or Software Version Used
System | Kali Linux
Software | JoomScan
Other | Privileged access to your Linux system as root or via the sudo command.
Conventions | # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command; $ – requires given Linux commands to be executed as a regular non-privileged user

How to use JoomScan

You can install JoomScan on your system (or update it, if it’s already installed) with the apt package manager by running the following commands in a terminal.

$ sudo apt update
$ sudo apt install joomscan

We’ve set up a test server with Apache and Joomla installed. Follow along with our example commands below as we check the security of our test website.

Use the --url option and specify the URL of the Joomla site in order to scan it with JoomScan.

$ joomscan --url

JoomScan will then perform a scan against the website, which usually concludes in a few seconds.

Some things revealed by the scan are as follows:

  • Type of firewall being used to protect the site
  • Which version of Joomla is running
  • Whether that version has any core vulnerabilities
  • Directories with listings available
  • URL of admin login
  • URLs found inside robots.txt
  • Backup and log files
  • User registration page

Findings from JoomScan

Some of this information is useful to attackers. The scan shows that directory listings are turned on, which potentially allows attackers to find files that the owner thought to be hidden. Knowing the admin URL means an attacker can use Hydra or another similar tool to launch a dictionary attack against the login credentials.

Full report from JoomScan

In the test results from our screenshots, no vulnerabilities have been uncovered, but the fact that our admin page is easily found and directory listing is turned on can be cause for concern.
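To follow up on the directory listing finding on the server side, here is an added example (not part of the original guide or of JoomScan) that scans an Apache configuration file for Options directives that enable listings. The sample configuration and its paths are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an Apache config for Options directives that
# enable directory listings (the Indexes option, served by mod_autoindex).

# find_index_options FILE
# Prints "line N [scope] directive" for each active Options directive that
# turns Indexes on: explicitly (Indexes, +Indexes) or through "All".
find_index_options() {
    awk '
        BEGIN { scope = "server-wide" }
        /^[ \t]*#/ { next }                          # ignore comments
        tolower($1) == "<directory" {                # entering a section
            scope = $2; gsub(/[">]/, "", scope); next
        }
        tolower($1) == "</directory>" { scope = "server-wide"; next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes" || opt == "all") {
                    line = $0; sub(/^[ \t]+/, "", line)
                    printf "line %d [%s] %s\n", NR, scope, line
                    break
                }
            }
        }
    ' "$1"
}

# write_sample_conf FILE: writes a constructed sample (hypothetical paths).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not the test server's real configuration
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/images">
    Options -Indexes
</Directory>
<Directory /var/www/html/tmp>
    # Options +Indexes
    Options All
</Directory>
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
find_index_options "$conf"
rm -f "$conf"
```

Apache merges Options across sections and .htaccess files, so treat each hit as a place to review rather than a final verdict; changing the directive to Options -Indexes disables listings for that scope.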

JoomScan can also enumerate components, which will reveal what extra Joomla software the site owner has installed. If any of them have known security holes, they will act as another attack vector.

$ joomscan --url --enumerate-components

Joomla components, vulnerabilities, and directory listings exposed

Not only will JoomScan list out the components a site is using, but if they contain any known vulnerabilities, JoomScan will alert you to this and supply a link so you can read more about it.

Other options for JoomScan include the ability to set a user agent, or a random agent.

$ joomscan --url --user-agent "Googlebot/2.1 (+"
$ joomscan --url --random-agent

Use a proxy to scan the Joomla site with the --proxy option.

$ joomscan --url --proxy

To see all of these options at any time, consult the JoomScan help menu.

$ joomscan --help

Closing Thoughts

In this guide, we learned how to scan a Joomla site with JoomScan on Kali Linux. We saw various options to specify with the command, which can help us learn about components on the site or cover our tracks through proxies and user agents.