WordPress auditing with WPScan
WPScan is a security scanner which checks a WordPress installation for weaknesses using a black-box method. Its main features are username enumeration, multithreaded password brute forcing, WordPress version enumeration and plugin vulnerability enumeration. In this how-to I’m going to show how to perform a security audit of a WordPress installation in which the user ‘mike’ has a weak password and the blog uses a vulnerable plugin.
WPScan installation.
wget http://wpscan.googlecode.com/files/wpscan-1.0.zip
unzip wpscan-1.0.zip
sudo apt-get install libcurl4-gnutls-dev rubygems1.8 ruby
sudo gem install typhoeus
sudo gem install xml-simple
Non-intrusive method
The non-intrusive method simply queries the WP installation to obtain basic information: the WP theme in use, whether the readme.html file exists, and the WP version grabbed from the meta generator tag.
# ruby wpscan.rb --url mysite.org/blog
| URL: http://mysite.org/blog/
| Started on Wed Jul 20 21:17:37 2011
[+] The WordPress theme in use is called News
[+] The WordPress http://mysite.org/blog/readme.html file exists.
[+] WordPress version 3.2.1 identified from meta generator.
[+] Finished at Wed Jul 20 21:17:41 2011
User enumeration
This test enumerates the users that have access to the blog; the information is obtained from the author query string and the Location header of the redirect it triggers.
# ruby wpscan.rb --url mysite.org/blog --enumerate u
[+] Enumerating usernames...
We found the following 1 username/s:
mike
Wordlist password brute force on ‘mike’ username only
This test runs a brute force attack against the user ‘mike’ using a word list of common passwords. Below you can find some useful word lists.
http://packetstormsecurity.org/Crackers/wordlists/
http://www.isdpodcast.com/resources/62k-common-passwords/
# ruby ./wpscan.rb --url mysite.org/blog --wordlist mylist.lst --username mike
[+] Starting the password brute forcer
Brute forcing mike with 500 passwods...
SUCCESS! Username:mike Password:trustno1
[+] Finished at Wed Jul 20 21:27:19 2011
Generate a new ‘most popular’ plugin list
This fetches the list of the latest WP plugins and stores it in the data/ folder.
# ruby ./wpscan.rb --generate_plugin_list
Number of pages not supplied, defaulting to 150 pages...
[+] Generating new most popular plugin list
New data/plugin.txt file created with 2220 entries.
Enumerate installed plugins
This test enumerates the plugins installed on the WP site. Outdated or vulnerable plugins are an easy way to compromise and exploit the WP installation.
# ruby ./wpscan.rb --url mysite.org/blog --enumerate p
[+] Enumerating installed plugins...
Checking for 2139 plugins...
We found 1 plugins:
wp-syntax
[+] There were 1 vulnerabilities identified from the plugin names:
 * Title: WordPress Plugin WP-Syntax
 * Reference: http://www.exploit-db.com/exploits/9431/
Directory listing enabled: http://mysite.org/blog/wp-content/plugins/wp-syntax/
[+] Finished at Wed Jul 20 22:08:11 2011
Risk mitigation and countermeasures.
Remove the readme.html file from the WP root; this file contains the WP version.
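The tests above also leave a recognisable trail in the web server access log, so a defender can spot them without running WPScan. The following Python script is an added example (not part of the original post or of WPScan) that parses constructed Apache combined-format log lines and flags a source host that probes readme.html, walks the author query string, hammers wp-login.php or sweeps the plugins directory; the thresholds, finding names and sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# Apache combined-log parser; the regex and field names are this example's own, not WPScan's.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def detect_wpscan_activity(log_text, author_threshold=3, login_threshold=20, plugin_404_threshold=10):
    """Return {source_ip: [finding, ...]} for hosts whose requests match the WPScan tests shown
    above. The thresholds are illustrative defaults chosen for this example, not WPScan settings."""
    per_ip = defaultdict(lambda: {"readme": 0, "author_ids": set(), "login_posts": 0, "plugin_404s": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the whole pass
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        s = per_ip[ip]
        if path.endswith("/readme.html"):
            s["readme"] += 1                        # version-disclosure probe
        a = re.search(r"[?&]author=(\d+)", path)
        if a:
            s["author_ids"].add(int(a.group(1)))    # ?author=N user enumeration
        if method == "POST" and path.endswith("/wp-login.php"):
            s["login_posts"] += 1                   # password brute-force attempts
        if "/wp-content/plugins/" in path and status == 404:
            s["plugin_404s"] += 1                   # plugin enumeration misses
    findings = {}
    for ip, s in per_ip.items():
        hits = [name for name, seen in (
            ("readme_version_probe", s["readme"] > 0),
            ("author_enumeration", len(s["author_ids"]) >= author_threshold),
            ("login_bruteforce", s["login_posts"] >= login_threshold),
            ("plugin_enumeration", s["plugin_404s"] >= plugin_404_threshold)) if seen]
        if hits:
            findings[ip] = hits
    return findings

def _line(ip, method, path, status):
    # Builds one constructed log line in Apache combined format (sample data, not real traffic).
    return f'{ip} - - [20/Jul/2011:21:17:37 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample log: one scanning host (203.0.113.5) and one ordinary visitor (198.51.100.7).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "GET", "/blog/readme.html", 200)]
    + [_line("203.0.113.5", "GET", f"/blog/?author={i}", 301 if i == 1 else 404) for i in range(1, 6)]
    + [_line("203.0.113.5", "POST", "/blog/wp-login.php", 200) for _ in range(25)]
    + [_line("203.0.113.5", "GET", f"/blog/wp-content/plugins/plugin{i}/", 404) for i in range(12)]
    + [_line("198.51.100.7", "GET", "/blog/", 200), _line("198.51.100.7", "POST", "/blog/wp-login.php", 302)]
)
```

Running detect_wpscan_activity(SAMPLE_LOG) reports all four findings for 203.0.113.5 and nothing for the ordinary visitor; on real logs, tune the thresholds to the site's normal login and 404 rates before alerting.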
29/11/2011 at 4:57 am
Thanks Phillip, I have been following you for a long time.
A long time ago I installed it from here. http://www.hackersgarage.com/wpscan-wordpress-security-scanner.html