Wordpress

Manual enumeration

Enumerate users by reviewing the archives and taking note of authors of blog posts
If you identify a login page, attempt to login with common credentials (admin, password, etc.).
- Pay attention to errors produced through failed logins

wpscan

wpscan is an open source scanner included with Kali.

If you use another distro you can download it here: https://github.com/wpscanteam/wpscan

Documentation here: https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation

Enumerating users

wpscan --url https://target.tld/ --enumerate u
wpscan --url example.com -e u
wpscan --url https://target.tld/ --enumerate u1-100

Brute force

wpscan --url example.com -e u --passwords /path/to/password_file.txt

wpscan --url example.com --passwords /usr/share/wordlists/rockyou.txt --usernames admin --max-threads 50

Scanning plugins

wpscan --url example.com -e vp --plugins-detection mixed --api-token YOUR_TOKEN

Enumeration modes

To enumerate version, plugins or themes, select from three modes: passive, aggressive, mixed. The default is mixed for most items, and passive for plugin detection. To override the default use the--plugins-detection option.

Mixed - provides the most results
Passive - useful when server overload is a concern
Aggressive - most aggressive

Other enumeration options

The following enumeration options are available and should be preceded by the -e flag. If no additional options are provided the default is: vp,vt,tt,cb,dbe,u,m

vp (Vulnerable plugins)
ap (All plugins)
p (Popular plugins)
vt (Vulnerable themes)
at (All themes)
t (Popular themes)
tt (Timthumbs)
cb (Config backups)
dbe (Db exports)
u (User IDs range. e.g: u1-5)
m (Media IDs range. e.g m1-15

Previous161 (UDP) - SNMP NextFinger (Solaris)

Last updated 5 years ago