fromAugust 2015

Black Box – White Hat

Automated Penetration Testing for Drupal

Photo Drupal has a pretty secure structure: a small, simple and stable core that can be extended with tons of modules and themes. From Drupal 7’s initial release on January 5, 2011 until now, there were only 17 core security updates, which is quite a small number for a period lasting longer than four years.

But when it comes to third-party modules and themes, the picture is quite different. Although only modules with official releases are reviewed by the security team, or have security announcements issued, the majority of the 11,000+ third-party modules and themes for Drupal 7 get weekly reports for security issues.

And using custom modules is even more dangerous if they are not tested properly. Let’s face it: no one uses Drupal without modules. That’s why I will share with you some of the best open source tools to improve the security of your website.

Knowing your opponent’s moves helps you better prepare your defenses. That’s why we will try to attack with every known-at-the-moment method of testing vulnerability. All the tools I will show are easy to use without any knowledge of the source code. And the best part is, you can use this strategy indefinitely, if you keep these tools up-to-date. Remember: update first, then test.

Being Up-to-Date

I can’t emphasize enough how important it is to keep all your stuff up-to-date, so let’s start with that idea: If one tiny part of your website has a security breach, the whole system is corrupted. That’s why you should check for updates for the core and the modules you are using. There are reports you can find on Drupal’s official page; if you find that there is a security update available, immediately apply it.

Metasploit + Armitage = Hail Mary!

Start with Kali Linux: it's small, and has Metasploit and Armitage pre-installed. Armitage gives you a GUI, exploit recommendations, and use of the advanced features of Metasploit Framework's Meterpreter. (But remember to get updates every time you're about to run tests.)

Then, get an exact clone of the server; same machine, database, structure, OS version, etc.

NOTE: It is not recommended you use this technique on live websites because there is a chance the server will go down.

Now you’re ready to put on the white hat and get the party started.

  1. Do a scan. Nmap Scan is integrated into Armitage. However, I recommend using it outside Armitage since you can configure the scan parameters better. There are a lot of different options to choose from. I use the GUI version Zenmap – which also comes preinstalled on Kali Linux – and the following command:
    nmap -sS -p 1-65535 -T4 -A -v
    • sS: Stealth SYN scan
    • p 1-65536: All ports
    • T4: Prohibits the dynamic scan delay from exceeding 10 ms for TCP ports
    • A: Enable OS detection, version detection, script scanning, and traceroute
    • v: Increase verbosity level
  2. After you scan, save the file (scan.xml).
  3. Add host: From the navigation menu “Hosts” -> “Import Hosts” and choose scan.xml.
  4. From the navigation menu, choose “Attacks” -> “Find Attacks”.
  5. From the navigation menu, choose “Attacks” -> “Hail Mary”.

PhotoHail Mary finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.

Important: When you use msfupdate, the database doesn’t get all the possible exploits. When you find some exploit that you want to try on your site, you have to manually add it and execute it. Here’s how:

  1. Download the exploit from exploit-db or write a script on your own.
  2. Put it in the ~/.msf4/modules/exploit/<your_folder> directory. Any exploit put here will be detected by Metasploit when it starts.
  3. Execute it with: use /exploit/your_folder/exploit_name.


Wapiti is a powerful scanner. It supports a variety of attacks and, in the end, provides nice reports in different formats. You can read more about it on the official site. When you open the console and type in wapiti, the wapiti help will load. I use
wapiti <a href=""></a> -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report.

  • n: Define a limit of URLs to read with the same pattern, to prevent endless loops, here, limit must be greater than 0.
  • b: Set the scope of the scan; analyze all the links to the pages which are in the same domain as the URL passed.
  • u: Use color to highlight vulnerable parameters in output.
  • v: Define verbosity level; print each URL.
  • f: Define report type; choose HTML format.
  • o: Define report destination; in our case, it must be a directory because we chose HTML format.

NOTE: It is possible that you’ll encounter “You have an outdated version of python-requests. Please upgrade.” The fix is pip install requests –upgrade.


So, CMSmap is another free open source vulnerability scanner which supports Wordpress, Joomla, and Drupal. It also supports brute force, but Drupal is solid there since it blocks the user after a fifth wrong password attempt.

CMSmap is not preinstalled in Kali, so you’ll have to download it: git clone <a href="">[/geshifilter-code]
To run the tool, type:

cd CMSmap/

I use the following configuration command:
./ -t <a href=""></a> -f D -F -o CMSmap_example_results.txt

  • t: Target URL.
  • f D: Force scan for Drupal.
  • F: Full scan using large plugin lists.
  • o: Save output in file.

That’s all, folks.

But remember: “The quieter you become, the more you are able to hear.”

Image: "Security" by Henri Bergius is licensed under CC BY-SA 2.0