WPScan: Detect vulnerabilities of a WordPress site

WPScan is a vulnerability scanner for WordPress written in Ruby. It can find vulnerabilities in a WordPress site, list the plugins in use and report the security flaws associated with them. It can also brute-force the administration interface.

It is intended both for security professionals and for administrators of WordPress sites.

The main features of WPscan

Enumeration of users,
multithreaded brute-force password cracking,
detection of the WordPress version,
detection and enumeration of vulnerable plugins.

Installing WPscan

WPScan only works on Linux; if you have a Windows computer, I suggest using a virtual machine running BackTrack 5. Just download the BackTrack 5 R1 VMware image. WPScan comes pre-installed on it.

Otherwise, to install it on a different distribution, see this page: https://github.com/wpscanteam/wpscan

How to use WPScan?

After installation, let's get down to business, the most interesting part!

Basic usage:

To find out the WordPress version and the name of the theme in use, open a terminal as root and type:

# ruby ./wpscan.rb --url www.example.com

List users:

To list the users of the blog, based on the authors of its posts:

# ruby wpscan.rb --url www.example.com --enumerate u

List vulnerable plugins

To list the plugins used on a site and view the related security vulnerabilities, run the following command:

# ruby ./wpscan.rb --url www.example.com --enumerate p

As the screenshot shows, WPScan detected a vulnerable plugin (how-rating) with a link to its SQL injection vulnerability; that flaw could be used to gain total control of the FunInformatique database. Don't worry, I have disabled it. 😀

Crack the administrator's password

To obtain the administrator's password, we will brute-force the administration interface.

For this we will need what is called a dictionary. In a brute-force attack, the dictionary is the list of candidate passwords that the tool will try one after another against the remote system. In short, it is the wordlist that gets tested.

BackTrack 5 ships with a wordlist by default, but feel free to add other words to it. The default dictionary on BackTrack is located at:

/pentest/passwords/wordlists/darkc0de.lst

If you are using a distribution other than BackTrack 5, you can download the dictionary here.

Here is the command that uses the dictionary to recover the WordPress administrator's password:

# ruby ./wpscan.rb --url www.example.com --wordlist /pentest/passwords/wordlists/darkc0de.lst --username admin

Solutions:

To counter all these techniques, delete the readme.html file from the WordPress root, keep WordPress and its plugins up to date, and use a long password made of many different characters. You can also install a plugin such as User Locker, which limits the number of authentication attempts.
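As a defender-side complement to these countermeasures, here is an added example (not part of the original post, and not WPScan code) that flags the scan behaviours described in this article in a web server access log: readme.html version fingerprinting, ?author=N user enumeration, repeated POSTs to wp-login.php, and a WPScan user-agent. The log lines, addresses and the login threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Combined-format access log lines, constructed for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /readme.html HTTP/1.1" 200 7254 "-" "WPScan v3.8"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8"',
    '192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
] + [
    # six POSTs to the login form from one address within a few minutes
    f'198.51.100.7 - - [10/Oct/2023:14:0{i}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0"'
    for i in range(6)
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, login_threshold=5):
    """Return {client_ip: [tags]} for clients showing WPScan-style behaviour.

    Tags: version-fingerprint (readme.html fetch), user-enumeration (?author=N probes),
    login-bruteforce (>= login_threshold POSTs to wp-login.php), wpscan-user-agent.
    """
    tags = defaultdict(set)
    login_posts = Counter()
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue  # skip lines that are not in combined format
        ip, path = r["ip"], r["path"]
        if path.split("?", 1)[0] == "/readme.html":
            tags[ip].add("version-fingerprint")
        if re.search(r"[?&]author=\d+", path):
            tags[ip].add("user-enumeration")
        if r["method"] == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
            if login_posts[ip] >= login_threshold:
                tags[ip].add("login-bruteforce")
        if "wpscan" in r["ua"].lower():
            tags[ip].add("wpscan-user-agent")
    return {ip: sorted(t) for ip, t in tags.items()}
```

Feed it your real access log line by line to get a per-address list of the behaviours seen; a client tagged login-bruteforce is exactly the case a login-attempt limiter such as User Locker is meant to stop.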
