Tuesday, May 22, 2012

Enumerating Drupal modules

  Drupal is one of the most widely used CMSs on the web. But unlike WordPress and Joomla, there are not a lot of tools to pentest Drupal web sites and automate some tasks, and the few that I have come across do some really basic checks.

  One of the most obvious things to do when pentesting a CMS is to try to enumerate the installed modules, as they are an easier target to attack than the core, and most of the time vulnerabilities are found in them.

When creating a tool to automate this work using a list of existing modules, one has to ask two questions:
- Where are the modules?
- How to differentiate installed modules?


Where are the modules?
  The recommended (and probably most widely used) path to install Drupal modules is /sites/all/modules/. But this is not always the case, as modules may be in /sites/default/modules/ or /sites/www.example/modules/, for instance. A good way to find uncommon module paths is to grep for them in the body of normal responses.

How to differentiate installed modules?
  A first thought would be to request the module's folder (for example, the Views module would be at /sites/all/modules/views/) and check the returned response (status code, or any string). But I have found this to be not so reliable, varying between setups. Not long ago, I found that LICENSE.txt is a file added automatically to each module uploaded on drupal.org. Perfect: as it is static content, we can also grep the response body to handle server configurations that return custom 200 OK responses instead of 404 for missing resources.
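
The two checks described above (module path discovery from a normal response, then a LICENSE.txt request validated by its content), as an added Python sketch for auditing a site you administer; it is not the code of the Nmap script. The GPL marker string, the `sample_fetch` transport and the sample responses are assumptions constructed for the example.

```python
import re

# Assumed marker: drupal.org projects are GPL-licensed, so the packaged
# LICENSE.txt is expected to carry the GPL title line.
LICENSE_MARKER = "GNU GENERAL PUBLIC LICENSE"
MODULE_DIR_RE = re.compile(r"/sites/[\w.-]+/modules/")

# Constructed responses standing in for a site you administer: path -> (status, body).
SAMPLE_SITE = {
    "/": (200, '<link href="/sites/default/modules/views/css/views.css">'
               '<script src="/sites/all/modules/ctools/js/modal.js"></script>'),
    "/sites/default/modules/views/LICENSE.txt": (200, LICENSE_MARKER + "\nVersion 2, June 1991"),
    "/sites/all/modules/ctools/LICENSE.txt": (200, LICENSE_MARKER + "\nVersion 2, June 1991"),
}
SOFT_404 = (200, "<html><h1>Page not found</h1></html>")  # custom 200 for missing files


def sample_fetch(path):
    """Hypothetical transport: returns (status, body); swap in a real HTTP client."""
    return SAMPLE_SITE.get(path, SOFT_404)


def find_module_dirs(body, default="/sites/all/modules/"):
    """Recommended path first, then any other module paths referenced in the body."""
    dirs = [default]
    for path in MODULE_DIR_RE.findall(body):
        if path not in dirs:
            dirs.append(path)
    return dirs


def installed_modules(fetch, names):
    """Map each detected module to the directory where its LICENSE.txt was confirmed."""
    dirs = find_module_dirs(fetch("/")[1])
    found = {}
    for name in names:
        for d in dirs:
            status, body = fetch(d + name + "/LICENSE.txt")
            # Status alone is not enough: require the static license text too.
            if status == 200 and LICENSE_MARKER in body:
                found[name] = d
                break
    return found


if __name__ == "__main__":
    print(installed_modules(sample_fetch, ["views", "ctools", "token"]))
```

In the sample data the missing `token` module also answers with status 200, so a status-only check would report it as installed; the content check is what excludes it.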

And for the scripts part, I've committed the final version of http-drupal-modules.nse to Nmap as r28601. You can get it from the repository (svn co https://svn.nmap.org/nmap) or download it directly from here.

It works as described in this blog post and defaults to checking the 100 most popular Drupal modules, based on a list extracted from here.