Backtrack 5 : Information Gathering : Web Application Analysis : CMS Identification : wpscan

One of my favorite apps in Backtrack Linux that I recently discovered is wpscan. There are a ton of WordPress sites in the wild, and using wpscan is an excellent way to begin an audit of a WP site. There are a couple of things wpscan does that are really amazing, such as enumerating logins from WordPress sites and enumerating the WordPress plugins that are installed. Below are a couple of examples of how wpscan can be useful for WordPress web site analysis.

Using wpscan To Audit WordPress Sites:

The wpscan application is built with Ruby and is easily customizable if you want to expand its capabilities, since the code is well documented and clean. The first example below is one of my favorites, as it enumerates usernames from the WordPress site using a fairly old vulnerability that I am surprised has not been resolved in any of the recent WordPress releases.

**NOTE:** I have modified the URL I used for testing but wanted to provide a real world example.

Enumerate WordPress Logins With wpscan & Then Bruteforce Those WordPress Logins:

```bash
root@bt:/pentest/web/wpscan# ruby wpscan.rb --url www.examplewordpress.com --wordlist wordlist --threads 10
____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
   \  /\  /  | |     ____) | (__| (_| | | | |
    \/  \/   |_|    |_____/ \___|\__,_|_| |_| v1.1

 WordPress Security Scanner by ethicalhack3r.co.uk
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.examplewordpress.com/
| Started on Thu Apr 12 06:07:51 2012

[!] The WordPress theme in use is called "ABC-2011".
[!] The WordPress "http://www.examplewordpress.com/readme.html" file exists.
[!] WordPress version 3.2.1 identified from meta generator.

[+] Enumerating usernames...

We found the following 9 username/s:

admin
joanne1
eviled
crblogger
admin2
hotness
charles
mrc
avagabe

[+] Starting the password brute forcer

Brute forcing user "avagore" with 9 passwords... 100% complete.e.e..
[+] Finished at Thu Apr 12 06:08:57 2012
root@bt:/pentest/web/wpscan#
```

Let's first start by explaining each portion of the command issued in the example above.

  • ruby wpscan.rb: Command to run wpscan
  • --url www.examplewordpress.com: Specifies the WordPress site URL
  • --wordlist wordlist: Not only does this specify the wordlist to use when bruteforcing the WP logins, but it also tells wpscan to enumerate the WordPress logins. If the wordlist is not in the wpscan directory you must specify the full path.
  • --threads 10: The number of threads to use while bruteforcing WP logins

As you can see, the switches for wpscan all make sense and function without issue. Currently the application only attempts to enumerate the first ten user IDs; however, that will likely change in the future. The above example used a tiny wordlist just to show how to use this function, so there were no successes in obtaining a WordPress login on the example site. Other items to note in the above wpscan example include the fact that it is able to enumerate the theme name, the fact that the readme.html file exists, and the WordPress version, all of which are very useful when auditing a WordPress site.

Enumerate WordPress Plugins With wpscan & Check Plugins Against Known Vulnerabilities:

```bash
root@bt:/pentest/web/wpscan# ruby wpscan.rb --url www.examplewordpress.com --enumerate p
____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
   \  /\  /  | |     ____) | (__| (_| | | | |
    \/  \/   |_|    |_____/ \___|\__,_|_| |_| v1.1

 WordPress Security Scanner by ethicalhack3r.co.uk
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.examplewordpress.com/
| Started on Thu Apr 12 06:05:37 2012

[!] The WordPress theme in use is called "ABC-2011".
[!] The WordPress "http://www.examplewordpress.com/readme.html" file exists.
[!] WordPress version 3.2.1 identified from meta generator.

[+] Enumerating installed plugins...

Checking for 2396 total plugins... 100% complete.

[+] We found 14 plugins:

Name: vipers-video-quicktags
Location: http://www.examplewordpress.com/wp-content/plugins/vipers-video-quicktags/
Directory listing enabled? No.

Name: jetpack
Location: http://www.examplewordpress.com/wp-content/plugins/jetpack/
Directory listing enabled? No.

Name: twitter-tools
Location: http://www.examplewordpress.com/wp-content/plugins/twitter-tools/
Directory listing enabled? No.

Name: statpress
Location: http://www.examplewordpress.com/wp-content/plugins/statpress/
Directory listing enabled? No.

Name: jf3-maintenance-mode
Location: http://www.examplewordpress.com/wp-content/plugins/jf3-maintenance-mode/
Directory listing enabled? No.

Name: bwp-google-xml-sitemaps
Location: http://www.examplewordpress.com/wp-content/plugins/bwp-google-xml-sitemaps/
Directory listing enabled? No.

Name: user-role-editor
Location: http://www.examplewordpress.com/wp-content/plugins/user-role-editor/
Directory listing enabled? No.

Name: role-scoper
Location: http://www.examplewordpress.com/wp-content/plugins/role-scoper/
Directory listing enabled? No.

Name: slickr-flickr
Location: http://www.examplewordpress.com/wp-content/plugins/slickr-flickr/
Directory listing enabled? No.

Name: more-fields
Location: http://www.examplewordpress.com/wp-content/plugins/more-fields/
Directory listing enabled? No.

Name: simple-google-sitemap-xml
Location: http://www.examplewordpress.com/wp-content/plugins/simple-google-sitemap-xml/
Directory listing enabled? No.

Name: fix-rss-feed
Location: http://www.examplewordpress.com/wp-content/plugins/fix-rss-feed/
Directory listing enabled? No.

Name: mycustomwidget
Location: http://www.examplewordpress.com/wp-content/plugins/mycustomwidget/
Directory listing enabled? No.

Name: redirection
Location: http://www.examplewordpress.com/wp-content/plugins/redirection/
Directory listing enabled? No.

[+] There were 1 vulnerabilities identified from the plugin names:

[!] ["WordPress jetpack plugin SQL Injection Vulnerability"]
* Reference: ["http://www.exploit-db.com/exploits/18126/"]

[+] Finished at Thu Apr 12 06:15:27 2012
root@bt:/pentest/web/wpscan#
```

The above example is much different from the first wpscan example, as this time we enumerated WordPress plugins against a list of around 2800 of the most popular WP plugins. Not only does wpscan enumerate the installed plugins, but it also checks those plugins against exploit-db.com to see if there are any known vulnerabilities; as you can see, this wpscan result turned up a known vulnerability with the Jetpack WordPress plugin. Outside of the plugin results, this scan also returns the standard WordPress theme name, whether the readme.html file is readable, and what the WordPress version is. One more example, below, I wanted to add after talking with the wpscan developer.

Use wpscan To Enumerate WordPress Plugins, WordPress Timthumb Files, & WordPress Usernames:

```bash
root@bt:/pentest/web/wpscan# ruby wpscan.rb -u www.examplewordpress.com -e
____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
   \  /\  /  | |     ____) | (__| (_| | | | |
    \/  \/   |_|    |_____/ \___|\__,_|_| |_| v1.1

 WordPress Security Scanner by ethicalhack3r.co.uk
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.examplewordpress.com/
| Started on Thu Apr 12 06:54:26 2012

[!] The WordPress theme in use is called "ABC-2011".
[!] The WordPress "http://www.examplewordpress.com/readme.html" file exists.
[!] WordPress version 3.2.1 identified from meta generator.

[+] Enumerating installed plugins...

Checking for 191 total plugins... 100% complete.

[+] We found 1 plugins:

Name: jetpack
Location: http://www.examplewordpress.com/wp-content/plugins/jetpack/
Directory listing enabled? No.

[+] There were 1 vulnerabilities identified from the plugin names:

[!] ["WordPress jetpack plugin SQL Injection Vulnerability"]
* Reference: ["http://www.exploit-db.com/exploits/18126/"]

[+] Enumerating timthumb files...

Checking for 412 total timthumb files... 100% complete.
No timthumb files found :(

[+] Enumerating usernames...

We found the following 9 username/s:

admin
joanne1
eviled
crblogger
admin2
hotness
charles
mrc
avagabe

[+] Finished at Thu Apr 12 06:57:36 2012
root@bt:/pentest/web/wpscan#
```

In the above example I first generated a small plugin list by issuing "ruby wpscan.rb --generate_plugin_list 3", which compiles a list of the first three pages of popular WordPress plugins, which is why so many fewer plugins were enumerated. The main difference here is that we are only enumerating data, and we are enumerating three different items: WordPress plugins, WordPress timthumb files, and WordPress logins. The timthumb files are related to a PHP image resizer that had a well known exploit a while back which allowed remote code execution on web servers, and there are still themes out there that use these files.
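Seen from the side of the site owner, the username and plugin enumeration runs shown above leave a distinctive trail in the web server access log. The following is an added example (my own code, not part of the original post or of wpscan) that runs detection logic over constructed Apache combined-format log lines; it assumes that the username enumeration appears as requests for /?author=N and that plugin enumeration appears as a burst of 404s under /wp-content/plugins/, and the IPs, plugin names and thresholds are all made up.

```ruby
require 'time'

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    path: m[:path], status: m[:status].to_i }
end

# One finding per client whose requests inside `window` seconds look like
# wpscan's username enumeration (assumed: /?author=N for the first IDs) and/or
# plugin enumeration (assumed: many 404s under /wp-content/plugins/).
def detect_wpscan(lines, author_threshold: 5, plugin_threshold: 20, window: 300)
  by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each { |l| e = parse_line(l); by_ip[e[:ip]] << e if e }
  by_ip.map do |ip, entries|
    entries.sort_by! { |e| e[:time] }
    next if entries.last[:time] - entries.first[:time] > window
    author_ids = entries.map { |e| e[:path][%r{\A/\?author=(\d+)\z}, 1] }.compact.uniq
    plugin_404s = entries.count { |e| e[:status] == 404 && e[:path].start_with?('/wp-content/plugins/') }
    reasons = []
    reasons << "author-id probing (#{author_ids.size} ids)" if author_ids.size >= author_threshold
    reasons << "plugin enumeration (#{plugin_404s} 404s under wp-content/plugins)" if plugin_404s >= plugin_threshold
    # readme.html alone is fetched by harmless crawlers; only note it next to other signals
    reasons << 'readme.html version probe' if !reasons.empty? && entries.any? { |e| e[:path] == '/readme.html' }
    reasons.empty? ? nil : { ip: ip, reasons: reasons }
  end.compact
end

# Constructed sample log: a scanner at 203.0.113.7 fetches readme.html, probes
# author IDs 1..10 and 25 plugin directories; 198.51.100.9 is a normal reader.
def build_sample_log
  t0 = Time.utc(2012, 4, 12, 6, 7, 51)
  line = lambda do |ip, path, status, offset|
    stamp = (t0 + offset).strftime('%d/%b/%Y:%H:%M:%S +0000')
    "#{ip} - - [#{stamp}] \"GET #{path} HTTP/1.1\" #{status} 512 \"-\" \"Mozilla/5.0\""
  end
  log = [line.call('203.0.113.7', '/readme.html', 200, 0)]
  (1..10).each { |n| log << line.call('203.0.113.7', "/?author=#{n}", n <= 9 ? 301 : 404, n) }
  (1..25).each { |n| log << line.call('203.0.113.7', "/wp-content/plugins/plugin-#{n}/", n == 1 ? 200 : 404, 20 + n) }
  log << line.call('198.51.100.9', '/2012/04/hello-world/', 200, 30)
end

if $PROGRAM_NAME == __FILE__
  detect_wpscan(build_sample_log).each { |f| puts "#{f[:ip]}: #{f[:reasons].join(', ')}" }
end
```

Feeding a real access log in place of build_sample_log is a matter of `File.readlines(path)`; tune the thresholds to the site's normal 404 rate before alerting on them.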

There you have the basics of wpscan, which is a great tool for the start of a WordPress web site audit.
