Tuesday, March 6, 2012

Overview of WPScan (the Ruby Script)

Ok, so today I will be providing you with a brief introduction and tutorial on how to use the WPScan ruby script. We can use this script to quickly identify the plugin modules in use on a target WordPress site, and to enumerate version information and potential usernames. Once that is done we can also supply a wordlist and try to bruteforce the WP login page to see if we can get access to the admin panel (if we don't find an open door in an installed module first). The script is very easy to use and comes pre-installed with all dependencies on BackTrack 5 (R1 and/or R2). I will walk through the script using the latest BackTrack 5R2, which was just recently released. There is also a video at the end for those who need a visual experience, but it is simple enough to figure out if you just poke around a bit. Here goes…

We start by launching the script with the help flag so we can get an idea of what we will be working with. This brings up the help menu:

COMMAND: ./wpscan.rb -h

You can see we have a few options but it is not overwhelming like some of the other tools I have shown you in the past. Before we get started we generate a plugins list for scanning, like so:

COMMAND: ./wpscan.rb --generate_plugin_list 150

My understanding of this feature is that it creates a plugin list to use for enumeration, trimming the full list of 2000+ plugins down to a workable number sorted by popularity, so the top 150-500 should be sufficient in most cases. It appears to be an optional step, and I am still not 100% sure of its impact on success or failure (sorry).

NOTE: this might take a few minutes depending on how high you set it

Once that is done we can start scanning our target site. I typically do things in layers, so I start general and then add to it as we go. In order to run a generic scan just launch the script and point it at your target site, like so:

COMMAND: ./wpscan.rb --url www.site.com

When that is done you may or may not have some information. Assuming we still want to dig a bit deeper, we now scan using the "--enumerate" option and set the argument for what we want to enumerate. We set one per scan, as in my experience the script ignores any additional arguments (i.e. only 1 at a time). The syntax is the same as our generic scan but with the enumerate option added, like so:

COMMAND: ./wpscan.rb --url www.site.com --enumerate u|v|p|t

Enumerate Options:
- Users (u)
- Version (v)
- Plugins (p)
- Timthumb (t)

Once we are done enumerating the information we want from the site, we can either do some investigation on exploit-db to see if there are any known vulnerabilities in the plugins found, or we can try to bruteforce the login. We simply point the script at the site, set the wordlist and thread count, and then tell it which username to work against. It does the rest.

COMMAND: ./wpscan.rb --url www.site.com --wordlist /path/to/list.txt --threads 50 --username <username>

This runs the bruteforce against the WP login page, limiting the attack to the username provided (it will try all user accounts if no username is provided). If you are on Linux you can set the thread count as high as you like (50 works well for me), but if you are on Winblows keep the thread count at 10 for best results.

NOTE: it runs through the wordlist in the order you have it so keep your wordlist optimized for quickest path to successful results

If you want to increase the verbosity of a scan/attack in progress, simply add the "-v" flag like any other tool you have used before. If you want some added security on your end you can run the scans through a proxy by adding the "--proxy host:port" flag, or you can use "--tor" as an alternative and it will use the default Tor settings (localhost:9050) to route all requests through the Tor network.

That is all there is to it!

It is not a game changer, but it can uncover some low hanging fruit, and the bruteforce/dictionary attacks on the WordPress login panel work very well and quickly thanks to the multi-threaded design (and the lack of a lock-out policy in WordPress installs, which is what makes this all possible). I hope you found this one enjoyable enough; for those that need a little more, here is a quick video I made to outline how simple it is to use. I should note that for the video this is a brand new install and the enumeration failed to find the correct username, but I supplied it so you can see the full functionality (I also used a small wordlist to keep the video within time constraints). Hopefully this drives it home for everyone. If you use WordPress, keep up to date and always use secure passwords for all users.
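The missing lock-out policy mentioned above is also what makes this activity easy to spot from the server side. As an added example (not part of the original post or of the WPScan project), this Python snippet scans constructed Apache combined-format log lines for a source that POSTs to wp-login.php repeatedly inside one minute and notes whether any attempt got the 302 redirect that follows a successful login; the IP addresses, timestamps and the threshold of 10 attempts per minute are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, ts, method, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line (test data, not real traffic)."""
    return f'{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" {status} 3541 "-" "{ua}"'

# Constructed sample: 12 POSTs in 22 seconds from one source (WordPress answers a
# failed login with a 200 and the form again), then a normal user who loads the
# form once and logs in successfully (302 redirect).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"06/Mar/2012:10:15:{s:02d} +0000", "POST", 200) for s in range(0, 24, 2)]
    + [_line("198.51.100.4", "06/Mar/2012:10:16:30 +0000", "GET", 200),
       _line("198.51.100.4", "06/Mar/2012:10:16:45 +0000", "POST", 302)]
)

def login_bursts(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for each source that POSTed to
    wp-login.php at least `threshold` times inside any `window`. Keyed on request
    rate rather than User-Agent, since the UA string is trivially changed."""
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        events[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["status"])))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        peak, start = 0, 0
        for end, (t_end, _) in enumerate(hits):
            while t_end - hits[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # a 302 from a bursting source means a guess landed: escalate immediately
            flagged[ip] = {"attempts": peak, "succeeded": any(s == 302 for _, s in hits)}
    return flagged

print(login_bursts(SAMPLE_LOG))  # {'203.0.113.7': {'attempts': 12, 'succeeded': False}}
```

Feed it a real access log with `login_bursts(open("access.log").read())` and tune the threshold to the site's normal login rate.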

Until next time, Enjoy!
