Installation
WPScan comes pre-installed in Kali Linux. For other distros, installing WPScan is very easy, according to official documentation. Type
[email protected]:~$ sudo apt install patch build-essential zlib1g-dev liblzma-dev ruby-dev
[email protected]:~$ gem install nokogiri
Then
[email protected]:~$ gem install wpscan
OR
[email protected]:~$ git clone https://github.com/wpscanteam/wpscan
[email protected]:~$ cd wpscan/
[email protected]:~$ bundle install && rake install
To update installed WPScan to the latest, type
OR
OR in Kali Linux
Usage
Now we’ll learn how to perform quick scan of your wordpress website, themes and plugins. WordPress will scan your website with multiple scan options and will show you the vulnerabilities and their details on the terminal. WPScan will also tell you a lot about your wordpress installation details and versions of themes and plugins installed. It can also enumerate usernames registered and brute force them to find passwords.
To perform a scan of your website, type
[+][32m0m] Started: Fri Oct 18 20:58:54 2019
Interesting Finding(s):
[+][32m0m] http://www.redacted.com/
| Interesting Entry: Server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+][32m0m] http://www.redacted.com/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| – Link Tag (Passive Detection), 30% confidence
| – Direct Access (Aggressive Detection), 100% confidence
| References:
| – http://codex.wordpress.org/XML-RPC_Pingback_API
| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| – https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+][32m0m] http://www.redacted.com/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+][32m0m]Upload directory has listing enabled: http://www.redacted.com/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+][32m0m] http://www.redacted.com/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| – https://www.iplocation.net/defend-wordpress-from-ddos
| – https://github.com/wpscanteam/wpscan/issues/1299
[+][32m0m] WordPress version 2.7.1 identified (Insecure, released on 2009-02-10).
| Detected By: Unique Fingerprinting (Aggressive Detection)
|- http://www.redacted.com/wp-admin/js/common.js md5sum is 4f0f9bdbe437f850430fae694ca046ba
[+][32m0m] WordPress theme in use: sliding-door
| Location: http://www.redacted.com/wp-content/themes/sliding-door/
| Last Updated: 2016-01-02T00:00:00.000Z
| Readme: http://www.redacted.com/wp-content/themes/sliding-door/README.txt
| [!][33m0m] The version is out of date, the latest version is 3.2.4
| Style URL: http://www.redacted.com/wp-content/themes/sliding-door/style.css
| Style Name: Sliding Door
| Style URI: http://mac-host.com/slidingdoor/
| Description: A template featuring sliding images in the menu, based on Samuel
Birch’s phatfusion image menu….
| Author: Wayne Connor
| Author URI: http://www.macintoshhowto.com/
|
| Detected By: Css Style (Passive Detection)
| Confirmed By: Urls In Homepage (Passive Detection)
|
| Version: 1.5 (80% confidence)
| Detected By: Style (Passive Detection)
|- http://www.redacted.com/wp-content/themes/sliding-door/style.css, Match: ‘Version: 1.5’
[i][34m0m] Plugin(s) Identified:
[+][32m0m] all-in-one-seo-pack
| Location: http://www.redacted.com/wp-content/plugins/all-in-one-seo-pack/
| Latest Version: 3.2.10
| Last Updated: 2019-10-17T15:07:00.000Z
|
| Detected By: Comment (Passive Detection)
|
| The version could not be determined.
[+][32m0m] google-analyticator
| Location: http://www.redacted.com/wp-content/plugins/google-analyticator/
| Last Updated: 2019-03-04T22:57:00.000Z
| [!][33m0m] The version is out of date, the latest version is 6.5.4
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 4.1.1 (80% confidence)
| Detected By: Readme – Stable Tag (Aggressive Detection)
| – http://www.redacted.com/wp-content/plugins/google-analyticator/readme.txt
[+][32m0m] nextgen-gallery
| Location: http://www.redacted.com/wp-content/plugins/nextgen-gallery/
| Latest Version: 3.2.18
| Last Updated: 2019-09-18T16:02:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+][32m0m] qtranslate
| Location: http://www.redacted.com/wp-content/plugins/qtranslate/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 2.3.4 (80% confidence)
| Detected By: Readme – Stable Tag (Aggressive Detection)
| – http://www.redacted.com/wp-content/plugins/qtranslate/readme.txt
[+][32m0m] wp-spamfree
| Location: http://www.redacted.com/wp-content/plugins/wp-spamfree/
| Last Updated: 2016-09-23T05:22:00.000Z
| [!][33m0m] The version is out of date, the latest version is 2.1.1.6
|
| Detected By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 2.1 (60% confidence)
| Detected By: Comment (Passive Detection)
| – http://www.redacted.com/, Match: ‘WP-SpamFree v2.1’
[i][34m0m] No Config Backups Found.
[!][33m0m] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!][33m0m] You can get a free API token with 50 daily requests by registering at
https://wpvulndb.com/users/sign_up.
[+][32m0m] Finished: Fri Oct 18 21:02:01 2019
[+][32m0m] Requests Done: 89
[+][32m0m] Cached Requests: 8
[+][32m0m] Data Sent: 45.16 KB
[+][32m0m] Data Received: 288.769 KB
[+][32m0m] Memory used: 133.965 MB
[+][32m0m] Elapsed time: 00:03:07
To check for vulnerable plugins
To check for vulnerable plugins, you can add an options ‘–enumerate vp’ to your command. WPScan will show all the plugins used by your WordPress website, highlighting the vulnerable ones along with other details. Type the following
//to list all plugins, use ‘ap’ instead of ‘vp’
[email protected]:~$ wpscan –url http://www.redacted.com –rua –enumerate vp -o
output-plugins.txt
To check for vulnerable Themes
To check for vulnerable plugins, add the option ‘–enumerate vt’ in your terminal command. WPScan will show you the vulnerabilities in your theme. Type the following
[email protected]:~$ wpscan –url http://www.redacted.com –rua –enumerate vt
To enumerate users in WordPress site
When registered usernames in websites are found, it becomes easier for hackers to brute force their password and compromise the access. After compromising an admin or privileged account, it becomes more easy to gain access to the whole WordPress website. That’s why you should always disable username enumeration in your WordPress configuration.
WPScan can also enumerate registered users in your WordPress installation. Type the following to enumerate users using WPScan
[email protected]:~$ wpscan –url http://www.redacted.com –rua –enumerate
U /path/to/user-dictionary.txt
// Using default dictionary
[email protected]:~$ wpscan –url http://www.redacted.com –rua –enumerate u
…snip…
[i][34m0m] User(s) Identified:
[+][32m0m] Shani
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+][32m0m] InterSkill
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
…snip…
Brute forcing passwords using WPScan
After getting usernames from the above step, you can guess passwords for these users by brute forcing. Using this method, you can see which user of your website is using poor strength password.
WPScan will need a list of users and a password dictionary of commonly used passwords. Then it will try every combination of usernames and passwords for successful logins. You can download password dictionaries from github repositories but in this tutorial, we’re going to use “rockyou.txt” dictionary which is located by default in Kali Linux in “/usr/share/wordlists” directory.
To download dictionaries in your distro, type
[email protected]:~$ ls /usr/share/wordlists/
rockyou.txt.gz
[email protected]:~$ gzip -d rockyou.txt.gz
[email protected]:~$ ls -la /usr/share/wordlists/rockyou.txt
-rw-r–r– 1 root root 139921507 Jul 17 02:59 rockyou.txt
To run a brute force scan on website, type
-U ‘Shani’,’InterSkill’
Conclusion
WPScan is a fantastic tool to add to your security toolbox. Its free, powerful and easy to use utility to discover security vulnerabilities and misconfigurations. Anyone having zero technical knowledge of security can easily install and use it for enhanced security of their website.
