WPScan - WordPress Security Scanner
Installation
Preinstalled in Kali Linux.
See the repo: https://github.com/wpscanteam/wpscan.
WPScan keeps a local database of metadata that is used to output useful information, such as the latest version of a plugin. The local database can be updated with the --update flag (wpscan --update).
Basic commands
# Enumerate users (-eu is the short form of --enumerate u)
wpscan --url https://target.tld/domain --enumerate u
wpscan --url https://target.tld/ -eu
# Enumerate a range of users 1-100
wpscan --url https://target.tld/ --enumerate u1-100
wpscan --url http://46.101.13.204:31822 --plugins-detection passive
# Brute force attack on login page with passwords (lists are comma-separated, no spaces):
wpscan --url HOST/domain --usernames admin,webadmin --password-attack wp-login --passwords filename.txt
# --usernames (-U): the users to try
# --password-attack: which login endpoint to use, wp-login or xmlrpc (the XML-RPC API behaves differently from the login form)
# --passwords (-P): path/to/dictionary.txt
# Brute force attack on xmlrpc with passwords (-t sets the number of threads):
wpscan --password-attack xmlrpc -t 20 -U username1,username2 -P PATH/TO/passwords.txt --url http://<TARGET>
# Enumerate plugins in passive mode
wpscan --url https://target.tld/ --plugins-detection passive
# Modes: mixed (default), passive or active
# --enumerate (-e) options, comma-separated, e.g. -e vp,vt,u
# vp (Vulnerable plugins)
# ap (All plugins)
# p (Popular plugins)
# vt (Vulnerable themes)
# at (All themes)
# t (Popular themes)
# tt (Timthumbs)
# cb (Config backups)
# dbe (Db exports)
# u (User IDs range, e.g. u1-5)
# m (Media IDs range, e.g. m1-15)
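Once a scan of a site you administer has run with the enumerate options above and JSON output (wpscan --url ... -e vp,vt,u,cb -f json -o report.json), the report still has to be turned into an update list. The script below is an added example, not part of these notes or of the WPScan project: it triages such a report into high/medium/info findings (known vulnerabilities and exposed config backups first, then outdated components, then enumerable usernames). The key names it reads (version, plugins, main_theme, users, config_backups, outdated, latest_version, vulnerabilities) are an assumption modelled on the wpscan JSON format, and the embedded SAMPLE_REPORT is constructed.

```python
"""Triage a wpscan JSON report into a prioritised finding list.

Usage: python triage_wpscan.py report.json
Without an argument the constructed SAMPLE_REPORT below is used.
"""
import json
import sys
from collections import Counter

# Constructed sample. Assumption: the key layout mirrors what
# `wpscan -f json` emits for -e vp,vt,u,cb (this is not real scan output).
SAMPLE_REPORT = {
    "target_url": "https://example.test/",
    "version": {
        "number": "5.8.1",
        "status": "outdated",
        "vulnerabilities": [{"title": "constructed core issue", "fixed_in": "5.8.2"}],
    },
    "main_theme": {
        "slug": "sample-theme",
        "version": {"number": "1.4"},
        "latest_version": "1.5",
        "outdated": True,
        "vulnerabilities": [],
    },
    "plugins": {
        "sample-form-plugin": {
            "slug": "sample-form-plugin",
            "version": {"number": "5.4"},
            "latest_version": "5.5",
            "outdated": True,
            "vulnerabilities": [{"title": "constructed plugin issue", "fixed_in": "5.4.1"}],
        },
        "sample-spam-plugin": {
            "slug": "sample-spam-plugin",
            "version": None,  # wpscan could not determine the version
            "latest_version": "4.2",
            "outdated": False,
            "vulnerabilities": [],
        },
    },
    "users": {
        "admin": {"id": 1, "slug": "admin", "found_by": "Author Id Brute Forcing", "confidence": 100},
    },
    "config_backups": {"https://example.test/wp-config.php.bak": {"found_by": "Direct Access"}},
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def triage(report):
    """Return (severity, component, detail) tuples, highest severity first."""
    findings = []

    core = report.get("version") or {}
    if core.get("status") in ("insecure", "outdated"):
        findings.append(("medium", "wordpress-core", f"version {core.get('number')} is {core['status']}"))
    for vuln in core.get("vulnerabilities", []):
        findings.append(("high", "wordpress-core", vuln["title"]))

    # Plugins and the main theme share the same shape, so handle them together.
    components = dict(report.get("plugins") or {})
    theme = report.get("main_theme")
    if theme:
        components[theme["slug"]] = theme
    for slug, comp in components.items():
        installed = (comp.get("version") or {}).get("number", "unknown")
        for vuln in comp.get("vulnerabilities", []):
            fixed = vuln.get("fixed_in") or "no fix listed"
            findings.append(("high", slug, f"{vuln['title']} (installed {installed}, fixed in {fixed})"))
        if comp.get("outdated"):
            findings.append(("medium", slug, f"outdated: {installed} -> {comp.get('latest_version')}"))

    # Enumerable usernames are informational on their own but feed password attacks.
    for name, user in (report.get("users") or {}).items():
        findings.append(("info", "users", f"username '{name}' enumerable via {user.get('found_by')}"))

    # An exposed wp-config backup leaks database credentials and salts.
    for url in report.get("config_backups") or {}:
        findings.append(("high", "config-backups", f"exposed backup at {url}"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3, 'info': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    data = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for sev, component, detail in triage(data):
        print(f"[{sev.upper():6}] {component}: {detail}")
    print(summarize(triage(data)))
```

Components without a detected version are still reported when wpscan marks them outdated or lists vulnerabilities, since the missing version is itself a reason to check the install by hand.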
# Ignore HTTPS certificate errors
--disable-tls-checks
Examples from labs:
# Raven 1 machine
# --force: skip the check that the target is running WordPress; --wp-content-dir: set the wp-content path explicitly
wpscan --url http://192.168.56.104/wordpress --enumerate u --force --wp-content-dir wp-content