How to use WPScan to easily find your WordPress site vulnerabilities

29/12/2020
More than 35% of the internet runs on WordPress. WordPress accounts for more than 60% of the global CMS market, with more than 10 million websites already built on it. Building and deploying a website with WordPress is easy and cheap, which is why it is so widely used. As the WordPress market has grown, its security has become a big concern. More than 8% of internet vulnerabilities are found in WordPress websites, making it an attractive target for hackers. There are numerous WordPress vulnerability scanners on the market, such as WordPress Security Scan, SUCURI and Detectify, but WPScan is the scanner to use for checking your WordPress websites for vulnerable themes, plugins and security misconfigurations.

WPScan is an all-in-one tool for scanning websites built with WordPress for vulnerabilities. It can be used to enumerate WordPress plugins and themes, brute-force logins and identify security misconfigurations. Currently, it is available only for Linux (Debian, Fedora, Arch, CentOS) and macOS, not for Windows. You can use Windows Subsystem for Linux (WSL) to install WPScan on Windows. In this tutorial, we’ll look at how to install and use WPScan to find security loopholes in your website.

Installation

WPScan comes pre-installed in Kali Linux. For other distros, installing WPScan is very easy, according to the official documentation. Type

# To install prerequisites
$ sudo apt install patch build-essential zlib1g-dev liblzma-dev ruby-dev
$ gem install nokogiri

Then

$ gem install wpscan

OR

$ git clone https://github.com/wpscanteam/wpscan
$ cd wpscan/
$ bundle install && rake install

To update an installed WPScan to the latest version, type

$ wpscan --update

OR

$ gem update wpscan

OR in Kali Linux

$ sudo apt update && sudo apt upgrade

Usage

Now we’ll learn how to perform a quick scan of your WordPress website, themes and plugins. WPScan will scan your website with multiple scan options and show you the vulnerabilities and their details in the terminal. WPScan will also tell you a lot about your WordPress installation and the versions of the themes and plugins installed. It can also enumerate registered usernames and brute-force them to find passwords.

To perform a scan of your website, type

$ wpscan --url http://www.redacted.com --rua

[+] URL: http://www.redacted.com/
[+] Started: Fri Oct 18 20:58:54 2019

Interesting Finding(s):

[+] http://www.redacted.com/
| Interesting Entry: Server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://www.redacted.com/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
|  - Link Tag (Passive Detection), 30% confidence
|  - Direct Access (Aggressive Detection), 100% confidence
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://www.redacted.com/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://www.redacted.com/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://www.redacted.com/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|  - https://www.iplocation.net/defend-wordpress-from-ddos
|  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 2.7.1 identified (Insecure, released on 2009-02-10).
| Detected By: Unique Fingerprinting (Aggressive Detection)
|- http://www.redacted.com/wp-admin/js/common.js md5sum is 4f0f9bdbe437f850430fae694ca046ba

[+] WordPress theme in use: sliding-door
| Location: http://www.redacted.com/wp-content/themes/sliding-door/
| Last Updated: 2016-01-02T00:00:00.000Z
| Readme: http://www.redacted.com/wp-content/themes/sliding-door/README.txt
| [!] The version is out of date, the latest version is 3.2.4
| Style URL: http://www.redacted.com/wp-content/themes/sliding-door/style.css
| Style Name: Sliding Door
| Style URI: http://mac-host.com/slidingdoor/
| Description: A template featuring sliding images in the menu, based on Samuel Birch's phatfusion image menu….
| Author: Wayne Connor
| Author URI: http://www.macintoshhowto.com/
|
| Detected By: Css Style (Passive Detection)
| Confirmed By: Urls In Homepage (Passive Detection)
|
| Version: 1.5 (80% confidence)
| Detected By: Style (Passive Detection)
|- http://www.redacted.com/wp-content/themes/sliding-door/style.css, Match: 'Version: 1.5'

[i] Plugin(s) Identified:

[+] all-in-one-seo-pack
| Location: http://www.redacted.com/wp-content/plugins/all-in-one-seo-pack/
| Latest Version: 3.2.10
| Last Updated: 2019-10-17T15:07:00.000Z
|
| Detected By: Comment (Passive Detection)
|
| The version could not be determined.

[+] google-analyticator
| Location: http://www.redacted.com/wp-content/plugins/google-analyticator/
| Last Updated: 2019-03-04T22:57:00.000Z
| [!] The version is out of date, the latest version is 6.5.4
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 4.1.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
|  - http://www.redacted.com/wp-content/plugins/google-analyticator/readme.txt

[+] nextgen-gallery
| Location: http://www.redacted.com/wp-content/plugins/nextgen-gallery/
| Latest Version: 3.2.18
| Last Updated: 2019-09-18T16:02:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.

[+] qtranslate
| Location: http://www.redacted.com/wp-content/plugins/qtranslate/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 2.3.4 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
|  - http://www.redacted.com/wp-content/plugins/qtranslate/readme.txt

[+] wp-spamfree
| Location: http://www.redacted.com/wp-content/plugins/wp-spamfree/
| Last Updated: 2016-09-23T05:22:00.000Z
| [!] The version is out of date, the latest version is 2.1.1.6
|
| Detected By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 2.1 (60% confidence)
| Detected By: Comment (Passive Detection)
|  - http://www.redacted.com/, Match: 'WP-SpamFree v2.1'

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

[+] Finished: Fri Oct 18 21:02:01 2019
[+] Requests Done: 89
[+] Cached Requests: 8
[+] Data Sent: 45.16 KB
[+] Data Received: 288.769 KB
[+] Memory used: 133.965 MB
[+] Elapsed time: 00:03:07
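
A triage helper for a report like the one above, added here as an example (it is not part of the original tutorial or of WPScan): it reads a saved text report and returns only the theme and plugin blocks that WPScan marked as out of date, with the detected version and its confidence. The function name and the SAMPLE excerpt, which is trimmed from the output above, are assumptions of this example.

```python
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes, if output was captured from a terminal
ITEM = re.compile(r"^\[\+\] (?:WordPress theme in use: )?([a-z0-9][a-z0-9._-]*)$")
LATEST = re.compile(r"out of date, the latest version is ([\w.]+)")
VERSION = re.compile(r"^\| Version: ([\w.]+) \((\d+)% confidence\)")

# Excerpt of the report shown above (redacted site), trimmed to the relevant lines.
SAMPLE = """\
[+] WordPress theme in use: sliding-door
| [!] The version is out of date, the latest version is 3.2.4
| Version: 1.5 (80% confidence)

[i] Plugin(s) Identified:

[+] all-in-one-seo-pack
| Latest Version: 3.2.10
| The version could not be determined.

[+] google-analyticator
| [!] The version is out of date, the latest version is 6.5.4
| Version: 4.1.1 (80% confidence)

[+] wp-spamfree
| [!] The version is out of date, the latest version is 2.1.1.6
| Version: 2.1 (60% confidence)

[i] No Config Backups Found.
"""

def outdated_components(report):
    """Return the theme/plugin blocks that WPScan flagged as out of date."""
    items, current = [], None
    for raw in report.splitlines():
        line = ANSI.sub("", raw).strip()
        m = ITEM.match(line)
        if m:  # "[+] <slug>" opens a theme or plugin block
            current = {"slug": m.group(1), "installed": None,
                       "confidence": None, "latest": None}
            items.append(current)
        elif line.startswith("["):  # any other [+]/[i]/[!] heading closes it
            current = None
        elif current is not None:
            if m := LATEST.search(line):
                current["latest"] = m.group(1)
            elif m := VERSION.match(line):
                current["installed"] = m.group(1)
                current["confidence"] = int(m.group(2))
    return [i for i in items if i["latest"]]

if __name__ == "__main__":
    for c in outdated_components(SAMPLE):
        print(f'{c["slug"]}: installed {c["installed"]} '
              f'({c["confidence"]}% confidence), latest {c["latest"]}')
```

Low-confidence version matches (such as the 60% one for wp-spamfree) are worth confirming on the server before scheduling the update.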

To check for vulnerable plugins

To check for vulnerable plugins, add the option '--enumerate vp' to your command. WPScan will show all the plugins used by your WordPress website, highlighting the vulnerable ones along with other details. Type the following

# --rua or --random-user-agent is used to randomly select the user agent
# To list all plugins, use 'ap' instead of 'vp'
$ wpscan --url http://www.redacted.com --rua --enumerate vp -o output-plugins.txt

To check for vulnerable themes

To check for vulnerable themes, add the option '--enumerate vt' to your terminal command. WPScan will show you the vulnerabilities in your theme. Type the following

# To list all themes, use the option 'at' instead of 'vt'
$ wpscan --url http://www.redacted.com --rua --enumerate vt

To enumerate users in WordPress site

When the usernames registered on a website are known, it becomes easier for hackers to brute-force their passwords and compromise their access. After compromising an admin or privileged account, it becomes easier to gain access to the whole WordPress website. That’s why you should always disable username enumeration in your WordPress configuration.

WPScan can also enumerate registered users in your WordPress installation. Type the following to enumerate users using WPScan

# Using custom dictionary
$ wpscan --url http://www.redacted.com --rua --enumerate u --users-list /path/to/user-dictionary.txt
# Using default dictionary
$ wpscan --url http://www.redacted.com --rua --enumerate u
…snip…
[i] User(s) Identified:
[+] Shani
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] InterSkill
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
…snip…

Brute forcing passwords using WPScan

After getting usernames from the above step, you can guess passwords for these users by brute forcing. Using this method, you can see which users of your website are using weak passwords.

WPScan will need a list of users and a password dictionary of commonly used passwords. It will then try every combination of usernames and passwords for successful logins. You can download password dictionaries from GitHub repositories, but in this tutorial we’re going to use the “rockyou.txt” dictionary, which is located by default in Kali Linux in the “/usr/share/wordlists” directory.

To download dictionaries in your distro, type

$ sudo apt install wordlists
$ ls /usr/share/wordlists/
rockyou.txt.gz
$ sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
$ ls -la /usr/share/wordlists/rockyou.txt
-rw-r--r-- 1 root root 139921507 Jul 17 02:59 rockyou.txt

To run a brute force scan on the website, type

$ wpscan --url http://www.redacted.com --rua -P /usr/share/wordlists/rockyou.txt -U 'Shani','InterSkill'

Conclusion

WPScan is a fantastic tool to add to your security toolbox. It’s a free, powerful and easy-to-use utility for discovering security vulnerabilities and misconfigurations. Anyone with zero technical knowledge of security can easily install and use it to enhance the security of their website.
