When installing a content management system for your website, it’s easy to get lazy and assume that it’s going to do all the work for you. A CMS like Joomla certainly does make things more convenient, and lets you publish a polished website very quickly, but that doesn’t mean you shouldn’t take some extra time to secure it.
If your website is running Joomla, you can run the JoomScan utility against your site to uncover vulnerabilities, or just general information that would assist in an attack against it. Once you know the site's weak spots, you can take the proper steps to secure them. JoomScan works much like WPScan, which scans WordPress sites for vulnerabilities.
In this guide, we'll see how to use JoomScan on Kali Linux. A simple JoomScan scan is not malicious in itself, unless you count the extra traffic it generates as malicious, but the information it reveals about a site can be leveraged by attackers to launch an attack. Therefore, make sure you have permission to scan a website before using this tool.
In this tutorial you will learn:
- How to use JoomScan
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| Other | Privileged access to your Linux system as root or via the |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of |
| | $ – requires given linux commands to be executed as a regular non-privileged user |
How to use JoomScan
$ sudo apt update
$ sudo apt install joomscan
We've set up a test server running Apache and Joomla. Follow along with the example commands below as we check the security of the test website.
Specify the URL of the Joomla site with the --url option to scan it with JoomScan.
$ joomscan --url http://example.com
JoomScan will then perform a scan against the website, which usually concludes in a few seconds.
Some things revealed by the scan are as follows:
- Type of firewall being used to protect the site
- Which version of Joomla is running
- Whether that version has any core vulnerabilities
- Directories with listings available
- URL of admin login
- URLs found inside robots.txt
- Backup and log files
- User registration page
Some of this information is useful to attackers. The scan shows that directory listings are enabled, which lets an attacker browse files the owner assumed were hidden. Knowing the admin URL means an attacker can point Hydra or a similar tool at the login form and run a dictionary attack against the credentials.
In the test results from our screenshots, no vulnerabilities were uncovered, but the fact that our admin page is easily found and directory listing is enabled is cause for concern.
JoomScan can also enumerate components, which reveals what extra Joomla software the site owner has installed. Any component with a known security hole is another attack vector.
$ joomscan --url http://example.com --enumerate-components
Not only will JoomScan list out the components a site is using, but if they contain any known vulnerabilities, JoomScan will alert you to this and supply a link so you can read more about it.
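The checks listed above and the component enumeration just described, reimplemented as an added Python example that is not JoomScan's own code. It runs against a constructed in-memory site (the hostname, version numbers, leftover file names and the component com_foo are all invented) so it works offline; swap fake_fetch for a real HTTP GET to point it at a site you are authorised to test. It stops at fingerprinting and stubs no vulnerability database: JoomScan's comparison of the versions it finds against its own advisory list is not reproduced here.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

Fetcher = Callable[[str], Tuple[int, str]]   # url -> (status, body)

# Constructed responses standing in for a live Joomla install. The paths follow
# Joomla's standard layout; the site, versions and component name are invented.
FAKE_SITE: Dict[str, str] = {
    "http://example.com/administrator/manifests/files/joomla.xml":
        '<extension type="file"><name>files_joomla</name><version>3.9.4</version></extension>',
    "http://example.com/robots.txt":
        "User-agent: *\nDisallow: /administrator/\nDisallow: /cache/\nDisallow: /tmp/\n",
    "http://example.com/administrator/":
        "<html><title>Site Administration - Login</title><form id='form-login'></form></html>",
    "http://example.com/images/":
        "<html><title>Index of /images</title><a href='banners/'>banners/</a></html>",
    "http://example.com/index.php?option=com_users&view=registration":
        "<html><form id='member-registration'>Register</form></html>",
    "http://example.com/administrator/components/com_foo/foo.xml":
        '<extension type="component"><name>com_foo</name><version>1.2.0</version></extension>',
    "http://example.com/configuration.php.bak":
        "<?php class JConfig { public $password = 'hunter2'; }",
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP GET against the constructed site."""
    body = FAKE_SITE.get(url)
    return (200, body) if body is not None else (404, "")


VERSION_RE = re.compile(r"<version>([\d.]+)</version>")


def detect_version(base: str, fetch: Fetcher) -> Optional[str]:
    """Joomla ships its core version in administrator/manifests/files/joomla.xml."""
    status, body = fetch(urljoin(base, "administrator/manifests/files/joomla.xml"))
    m = VERSION_RE.search(body) if status == 200 else None
    return m.group(1) if m else None


def robots_disallowed(base: str, fetch: Fetcher) -> List[str]:
    """Paths the owner asked crawlers to avoid are exactly the ones worth a look."""
    status, body = fetch(urljoin(base, "robots.txt"))
    if status != 200:
        return []
    return [line.split(":", 1)[1].strip() for line in body.splitlines()
            if line.lower().startswith("disallow:") and line.split(":", 1)[1].strip()]


def directory_listings(base: str, fetch: Fetcher, dirs: List[str]) -> List[str]:
    """Apache's autoindex page titles itself 'Index of /path'; that is the tell."""
    found = []
    for d in dirs:
        status, body = fetch(urljoin(base, d))
        if status == 200 and re.search(r"<title>\s*Index of ", body, re.I):
            found.append(d)
    return found


def admin_login(base: str, fetch: Fetcher) -> Optional[str]:
    """The default backend lives at /administrator/; a 200 with a login form confirms it."""
    url = urljoin(base, "administrator/")
    status, body = fetch(url)
    return url if status == 200 and "login" in body.lower() else None


def registration_open(base: str, fetch: Fetcher) -> bool:
    """Public self-registration gives an attacker a low-privilege account for free."""
    status, body = fetch(urljoin(base, "index.php?option=com_users&view=registration"))
    return status == 200 and "registration" in body.lower()


def leftover_files(base: str, fetch: Fetcher, candidates: List[str]) -> List[str]:
    """Backup and log files left in the web root are served as plain text."""
    return [c for c in candidates if fetch(urljoin(base, c))[0] == 200]


def enumerate_components(base: str, fetch: Fetcher, names: List[str]) -> Dict[str, str]:
    """Each installed component leaves a manifest at administrator/components/com_X/X.xml;
    its <version> is what you compare against advisories."""
    found = {}
    for name in names:
        short = name[len("com_"):]
        status, body = fetch(urljoin(base, f"administrator/components/{name}/{short}.xml"))
        if status == 200:
            m = VERSION_RE.search(body)
            found[name] = m.group(1) if m else "unknown"
    return found


def scan(base: str, fetch: Fetcher = fake_fetch) -> Dict[str, object]:
    """Run every check against one site. Wordlists here are deliberately tiny."""
    if not base.endswith("/"):
        base += "/"   # urljoin would otherwise drop the last path segment
    return {
        "version": detect_version(base, fetch),
        "robots": robots_disallowed(base, fetch),
        "listings": directory_listings(base, fetch, ["images/", "cache/", "tmp/", "logs/"]),
        "admin": admin_login(base, fetch),
        "registration": registration_open(base, fetch),
        "leftovers": leftover_files(base, fetch, ["configuration.php.bak", "configuration.php~", "error_log"]),
        "components": enumerate_components(base, fetch, ["com_foo", "com_bar"]),
    }


if __name__ == "__main__":
    for key, value in scan("http://example.com").items():
        print(f"{key:13} {value}")
```

The fetch function is injected so the same checks run against the constructed dictionary or a real target; the wordlists for directories, leftover files and components are the part a real scanner invests in, and JoomScan ships much longer ones.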
Other options for JoomScan include the ability to set a user agent, or a random agent.
$ joomscan --url http://example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
$ joomscan --url http://example.com --random-agent
Use a proxy to scan the Joomla site with the --proxy option.
$ joomscan --url www.example.com --proxy http://127.0.0.1:8080
To see all these options at any time, see the JoomScan help menu.
$ joomscan --help
In this guide, we learned how to scan a Joomla site with JoomScan on Kali Linux. We saw various options to specify with the command, which can enumerate the components installed on the site, route the scan through a proxy, or change the user agent the target sees.