One of my favorite apps in Backtrack Linux that I recently discovered is wpscan. There are a ton of WordPress sites in the wild, and using wpscan is an excellent way to begin an audit of a WP site. wpscan does a couple of things really well, such as enumerating logins from WordPress sites and enumerating the WordPress plugins that are installed. Below are a couple of examples of how wpscan can be useful for WordPress web site analysis.

Using wpscan To Audit WordPress Sites:

The wpscan application is built with Ruby and is easy to customize if you want to expand its capabilities, since the code is well documented and clean. The first example below is one of my favorites, as it enumerates usernames from the WordPress site using a fairly old vulnerability that I am surprised has not been resolved in any of the recent WordPress releases.

**NOTE** I have modified the URL I used for testing but wanted to provide a real-world example.

Enumerate WordPress Logins With wpscan & Then Bruteforce Those WordPress Logins:

root@bt:/pentest/web/wpscan# ruby wpscan.rb --url www.examplewordpress.com --wordlist wordlist --threads 10
____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|    |_____/ \___|\__,_|_| |_| v1.1

  WordPress Security Scanner by ethicalhack3r.co.uk
 Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.examplewordpress.com/
| Started on Thu Apr 12 06:07:51 2012

[!] The WordPress theme in use is called "ABC-2011".
[!] The WordPress "http://www.examplewordpress.com/readme.html" file exists.
[!] WordPress version 3.2.1 identified from meta generator.

[+] Enumerating usernames...

We found the following 9 username/s:

admin
joanne1
eviled
crblogger
admin2
hotness
charles
mrc
avagabe

[+] Starting the password brute forcer

Brute forcing user "avagore" with 9 passwords... 100% complete.e.e..
[+] Finished at Thu Apr 12 06:08:57 2012
root@bt:/pentest/web/wpscan#

Let's start by explaining each portion of the command issued in the example above.

  • ruby wpscan.rb: Command to run wpscan
  • --url www.examplewordpress.com: Specifies the WordPress site URL
  • --wordlist wordlist: Specifies the wordlist to use when bruteforcing the WP logins; it also tells wpscan to enumerate the WordPress logins first. If the wordlist is not in the wpscan directory you must specify the full path.
  • --threads 10: The number of threads to use while bruteforcing WP logins

As you can see, the switches for wpscan all make sense and function without issue. Currently the application only attempts to enumerate the first ten user IDs, though that will likely change in the future. The above example used a tiny wordlist just to show how the function works, so no WordPress login was obtained on the example site. Other items to note in the above wpscan output are that it enumerates the theme name, reports that the readme.html file exists, and identifies the WordPress version, all of which are very useful when auditing a WordPress site.
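From the defender's side, a wordlist run like the one above leaves a very recognizable footprint in the web server's access log. The following is an added example, not wpscan code or anything from the original post; it assumes Apache/nginx "combined" log format, that WordPress answers a failed login on wp-login.php with HTTP 200 (a successful one redirects with 302), and uses constructed log lines:

```ruby
# Added example (not part of wpscan or the original post): flag source IPs that
# fail wp-login.php POSTs more than +threshold+ times within any +window+ seconds,
# the access-log footprint of a wordlist run like the one shown above.
require 'time'

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: m[4], status: m[5].to_i }
end

# A failed WordPress login re-renders the form with HTTP 200; a successful one
# answers 302, so only 200 responses to POST /wp-login.php are counted.
def failed_login_times(lines)
  by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each do |l|
    e = parse_line(l) or next
    next unless e[:method] == 'POST' && e[:path].start_with?('/wp-login.php') && e[:status] == 200
    by_ip[e[:ip]] << e[:time]
  end
  by_ip
end

# Returns { ip => peak failures inside one window } for IPs over the threshold.
def login_bruteforce_ips(lines, threshold: 5, window: 60)
  flagged = {}
  failed_login_times(lines).each do |ip, times|
    times.sort!
    times.each_with_index do |t, i|
      j = i
      j += 1 while j + 1 < times.size && times[j + 1] - t <= window
      n = j - i + 1
      flagged[ip] = [flagged[ip].to_i, n].max if n > threshold
    end
  end
  flagged
end

# Constructed sample: one source hammering the login form, one normal user.
BURST = (1..9).map do |s|
  format('203.0.113.7 - - [12/Apr/2012:06:08:%02d -0400] "POST /wp-login.php HTTP/1.1" 200 3421', s)
end
SAMPLE_LOG = BURST + [
  '198.51.100.4 - - [12/Apr/2012:06:08:10 -0400] "GET /wp-login.php HTTP/1.1" 200 2211',
  '198.51.100.4 - - [12/Apr/2012:06:08:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0'
]
```

Running `login_bruteforce_ips(SAMPLE_LOG)` flags only 203.0.113.7, with nine failures in one minute; the normal user's single successful login is not counted.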

Enumerate WordPress Plugins With wpscan & Check Plugins Against Known Vulnerabilities:

root@bt:/pentest/web/wpscan# ruby wpscan.rb --url www.examplewordpress.com --enumerate p
____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|    |_____/ \___|\__,_|_| |_| v1.1

  WordPress Security Scanner by ethicalhack3r.co.uk
 Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.examplewordpress.com/
| Started on Thu Apr 12 06:05:37 2012

[!] The WordPress theme in use is called "ABC-2011".
[!] The WordPress "http://www.examplewordpress.com/readme.html" file exists.
[!] WordPress version 3.2.1 identified from meta generator.

[+] Enumerating installed plugins...

Checking for 2396 total plugins... 100% complete.

[+] We found 14 plugins:

Name: vipers-video-quicktags
Location: http://www.examplewordpress.com/wp-content/plugins/vipers-video-quicktags/
Directory listing enabled? No.

Name: jetpack
Location: http://www.examplewordpress.com/wp-content/plugins/jetpack/
Directory listing enabled? No.

Name: twitter-tools
Location: http://www.examplewordpress.com/wp-content/plugins/twitter-tools/
Directory listing enabled? No.

Name: statpress
Location: http://www.examplewordpress.com/wp-content/plugins/statpress/
Directory listing enabled? No.

Name: jf3-maintenance-mode
Location: http://www.examplewordpress.com/wp-content/plugins/jf3-maintenance-mode/
Directory listing enabled? No.

Name: bwp-google-xml-sitemaps
Location: http://www.examplewordpress.com/wp-content/plugins/bwp-google-xml-sitemaps/
Directory listing enabled? No.

Name: user-role-editor
Location: http://www.examplewordpress.com/wp-content/plugins/user-role-editor/
Directory listing enabled? No.

Name: role-scoper
Location: http://www.examplewordpress.com/wp-content/plugins/role-scoper/
Directory listing enabled? No.

Name: slickr-flickr
Location: http://www.examplewordpress.com/wp-content/plugins/slickr-flickr/
Directory listing enabled? No.

Name: more-fields
Location: http://www.examplewordpress.com/wp-content/plugins/more-fields/
Directory listing enabled? No.

Name: simple-google-sitemap-xml
Location: http://www.examplewordpress.com/wp-content/plugins/simple-google-sitemap-xml/
Directory listing enabled? No.

Name: fix-rss-feed
Location: http://www.examplewordpress.com/wp-content/plugins/fix-rss-feed/
Directory listing enabled? No.

Name: mycustomwidget
Location: http://www.examplewordpress.com/wp-content/plugins/mycustomwidget/
Directory listing enabled? No.

Name: redirection
Location: http://www.examplewordpress.com/wp-content/plugins/redirection/
Directory listing enabled? No.

[+] There were 1 vulnerabilities identified from the plugin names:

[!] ["WordPress jetpack plugin SQL Injection Vulnerability"]
* Reference: ["http://www.exploit-db.com/exploits/18126/"]

[+] Finished at Thu Apr 12 06:15:27 2012
root@bt:/pentest/web/wpscan#

The above example is quite different from the first wpscan example, as this time we enumerated WordPress plugins against a list of around 2800 of the most popular WP plugins. Not only does wpscan enumerate the installed plugins, it also checks them against exploit-db.com for known vulnerabilities; as you can see, this wpscan run turned up a known vulnerability in the Jetpack WordPress plugin. Outside of the plugin results, this scan also returns the standard WordPress theme name, whether the readme.html file is readable, and the WordPress version. One more example below I wanted to add after talking with the wpscan developer.

Use wpscan To Enumerate WordPress Plugins, WordPress Timthumb Files, & WordPress Usernames:

root@bt:/pentest/web/wpscan# ruby wpscan.rb -u www.examplewordpress.com -e
____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|    |_____/ \___|\__,_|_| |_| v1.1

  WordPress Security Scanner by ethicalhack3r.co.uk
 Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.examplewordpress.com/
| Started on Thu Apr 12 06:54:26 2012

[!] The WordPress theme in use is called "ABC-2011".
[!] The WordPress "http://www.examplewordpress.com/readme.html" file exists.
[!] WordPress version 3.2.1 identified from meta generator.

[+] Enumerating installed plugins...

Checking for 191 total plugins... 100% complete.

[+] We found 1 plugins:

Name: jetpack
Location: http://www.examplewordpress.com/wp-content/plugins/jetpack/
Directory listing enabled? No.

[+] There were 1 vulnerabilities identified from the plugin names:

[!] ["WordPress jetpack plugin SQL Injection Vulnerability"]
* Reference: ["http://www.exploit-db.com/exploits/18126/"]

[+] Enumerating timthumb files...

Checking for 412 total timthumb files... 100% complete.
No timthumb files found :(

[+] Enumerating usernames...

We found the following 9 username/s:

admin
joanne1
eviled
crblogger
admin2
hotness
charles
mrc
avagabe

[+] Finished at Thu Apr 12 06:57:36 2012
root@bt:/pentest/web/wpscan#

In the above example I first generated a small plugin list by issuing "ruby wpscan.rb --generate_plugin_list 3", which compiles a list of the first three pages of popular WordPress plugins, which is why far fewer plugins were checked. The main difference here is that we are only enumerating data, and we are enumerating three different items: WordPress plugins, WordPress timthumb files, and WordPress logins. The timthumb files belong to a PHP image resizer that had a well known exploit a while back which allowed remote code execution on web servers, and there are still themes out there that use these files.
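Since wpscan v1.1 only prints text, the three runs above are easier to turn into an audit report once the output is parsed. The following is an added example (not wpscan's own code, nor from the original post) that parses the output format shown in all three runs into a hash and derives remediation items from it; the scan text it works on is a constructed excerpt in that format:

```ruby
# Added example (not part of wpscan or the original post): parse wpscan v1.1
# text output into a hash and derive remediation items from it.
SCAN = <<~OUT # constructed excerpt in the format shown above
  [!] The WordPress "http://www.examplewordpress.com/readme.html" file exists.
  [!] WordPress version 3.2.1 identified from meta generator.
  Name: jetpack
  Location: http://www.examplewordpress.com/wp-content/plugins/jetpack/
  Directory listing enabled? No.
  Name: redirection
  Location: http://www.examplewordpress.com/wp-content/plugins/redirection/
  Directory listing enabled? Yes.
  [!] ["WordPress jetpack plugin SQL Injection Vulnerability"]
  * Reference: ["http://www.exploit-db.com/exploits/18126/"]
  We found the following 3 username/s:

  admin
  joanne1
  mrc
OUT

def parse_wpscan(text)
  r = { version: nil, readme_exposed: false, usernames: [], plugins: [], vulns: [] }
  in_users = false # username list runs from its header to the first blank line after a name
  text.each_line do |raw|
    case (line = raw.strip)
    when /\A\[!\] The WordPress "\S+readme\.html" file exists/ then r[:readme_exposed] = true
    when /\A\[!\] WordPress version (\S+) identified/ then r[:version] = $1
    when /\AName: (\S+)/ then r[:plugins] << { name: $1 }
    when /\ALocation: (\S+)/ then r[:plugins].last[:location] = $1
    when /\ADirectory listing enabled\? (Yes|No)/ then r[:plugins].last[:dir_listing] = ($1 == 'Yes')
    when /\A\[!\] \["(.+)"\]\z/ then r[:vulns] << { title: $1, refs: [] }
    when /\A\* Reference: \["(.+)"\]/ then r[:vulns].last[:refs] << $1
    when /\AWe found the following \d+ username/ then in_users = true
    when /\A\[\+\]/ then in_users = false
    when '' then in_users = false unless r[:usernames].empty?
    else r[:usernames] << line if in_users
    end
  end
  r
end

# Remediation items an auditor would hand back from the parsed scan.
def findings(r)
  f = []
  f << 'readme.html is reachable: remove it or deny access' if r[:readme_exposed]
  f << "WordPress #{r[:version]} disclosed by meta generator: remove the tag" if r[:version]
  r[:plugins].each { |p| f << "directory listing enabled on plugin #{p[:name]}" if p[:dir_listing] }
  r[:vulns].each { |v| f << "known vulnerability: #{v[:title]} (#{v[:refs].join(', ')})" }
  f << "default 'admin' account exists: rename it and enforce strong passwords" if r[:usernames].include?('admin')
  f
end
```

`findings(parse_wpscan(SCAN))` yields five items for the constructed excerpt: the exposed readme.html, the disclosed version, directory listing on the redirection plugin, the Jetpack vulnerability with its reference, and the default admin account.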

There you have the basics of wpscan, which is a great tool for the start of a WordPress web site audit.
