May 8, 2020
The most powerful scanner for WordPress.
Among the various challenges we have at Wavy, sometimes we need to perform some tests on platforms with WordPress and for this our security team usually uses WPscan.
WordPress is today the largest blogging platform and website used on the internet and being the largest or being among the largest, is always the target of crackers. To help Penetration Testers and developers keep their applications secure, a team of researchers developed the WPScan.
The WPscan (Wordpress Security Scanner) as his name implies, is a tool to perform pentests BlackBox type in Wordpress platform.
It was developed and is maintained by the own WPscan Team and receives sponsorship from Sucuri Company.
As the vast majority of pentest tools, the WPscan comes installed in major distributions aimed at the realization of Pentest, like Kali Linux and BackBox.
Installation
If you prefer to perform a manual installation of the tool, you can follow the steps below:
First, install the dependencies:
** For the article, will be used as an example the Ubuntu and Fedora, other distros and info can be found in the article reference links
Ubuntu:
sudo apt-get install libcurl4-OpenSSL-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
Fedora:
sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
Now we can do the direct clone from GitHub:
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && bundle install — without test
If you prefer, we still have the option of using the Docker. Download the WPscan image straight from the repository Docker following the steps below:
docker pull wpscanteam/wpscan
To run, follows sample line
docker run -it — rm wpscanteam/wpscan -u https://target.com
Use
As we can see the WPscan has many options, but we will demonstrate the use of three options in that article, which are: BruteForce, Enumerate users and plugins.
Our target is the site running in 192.168.63.1
The first time you run WPscan, you will be asked if you want to check if there is any update.
Passing only the URL, without using the options, the WPscan brings us some interesting information, such as version of WordPress vulnerable version of web server and other important information about the server and about the theme installed.
We did a passive attack and from now on we do tests and more intrusive attacks and for this I recommend use of SOCKS5, when using the tool outside of your lab tests, which allow us to perform the WPscan through the TOR network.
** We could use proxychains to such activity.
Let’s enumerate users and system plugins.
$ wpscan -u http://192.168.63.1/wordpress -e u,p — log wordpress.pwned
Now we have some more interesting information about our target.
For example, we now have active plugin information
When we have a plugin active and with a vulnerability published, it is reported by the WPscan, but it’s not our case.
And we have a list of users, that we use to make our brute force attack.
To execute the attack having a single user targets, use the following command:
$ wpscan -u http://192.168.63.1/wordpress — wordlist /root/wordlist.lst — username admin
If we want to use all the users that were listed, simply omit the — user option.
$ wpscan -u http://192.168.63.1/wordpress — wordlist /root/wordlist.lst
* Important pass the full path of the wordlist file, otherwise the WPscan will get the default path that is/usr/share/wpscan/, or you can copy your wordlist to it.
Conclusion
As we can see the wpscan is a very useful and effective tool for attacks on top of platforms WordPress.
A very complete tool that allows us to go from a single fingerprint to brute force attacks.
Has several options that can help you in day to day problems of Penetration Testers, allowing various types of obfuscation of the attacks.
