WPScan is an automated tool used to scan and enumerate WordPress sites. It identifies outdated or vulnerable plugins, themes, and core files, helping assess potential security risks. It can use an API token from WPVulnDB to enhance scans with vulnerability and exploit PoC data.
INSTALLATION
#install prerequisites
root@oco:~$ sudo apt update
root@oco:~$ sudo apt install ruby ruby-dev libcurl4-openssl-dev make gcc -y
root@oco:~$ gem install wpscan
root@oco:~$ wpscan --version
root@oco:~$ wpscan --hh
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
Usage: wpscan [options]
        --url URL                        The URL of the blog to scan
                                         Allowed Protocols: http, https
                                         Default Protocol if none provided: http
                                         This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                           Display the simple help and exit
        --hh                             Display the full help and exit
        --version                        Display the version and exit
        --ignore-main-redirect           Ignore the main redirect (if any) and scan the target url
    -v, --verbose                        Verbose mode
        --[no-]banner                    Whether or not to display the banner
                                         Default: true
        --max-scan-duration SECONDS      Abort the scan if it exceeds the time provided in seconds
    -o, --output FILE                    Output to FILE
    -f, --format FORMAT                  Output results in the format supplied
                                         Available choices: cli-no-colour, cli-no-color, json, cli
<SNIP>
ENUMERATION
root@oco:~$ wpscan --url {targetSite:port} --enumerate --api-token {apiToken}
* the --enumerate flag is used to enumerate various components of the WordPress
  application such as plugins, themes, and users. By default, WPScan enumerates
  vulnerable plugins, themes, users, media, and backups.
  - specific arguments can be supplied to restrict enumeration to specific components.
  - --enumerate ap enumerates all plugins, not only those with known vulnerabilities
* the default number of threads used when scanning is 5
  - use the "-t" flag to increase the number of scanning threads
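The enumeration output is easiest to act on when written with -f json and post-processed. The script below is an added example, not part of these notes or of WPScan itself: it takes a WPScan JSON report, collects every plugin, theme and core entry that is outdated or carries a vulnerability, and orders them by number of vulnerabilities with the version to upgrade to. The key layout it reads (version, plugins, themes, users, and per-component vulnerabilities with fixed_in and references) is assumed to match WPScan's JSON format; the embedded report is constructed, every name and version is made up, and the CVE ids are placeholders.

```python
import json
from typing import Dict, List, Optional

# Constructed sample of a WPScan JSON report (wpscan ... -f json -o report.json).
# Key layout is assumed to follow WPScan's format; all values are invented and
# "CVE-YYYY-NNNNN" is a placeholder, not a real identifier.
SAMPLE_REPORT = json.dumps({
    "target_url": "http://example.test/",
    "version": {
        "number": "5.4.1", "status": "insecure",
        "vulnerabilities": [
            {"title": "placeholder core issue", "fixed_in": "5.4.2",
             "references": {"cve": ["CVE-YYYY-NNNNN"]}}]},
    "plugins": {
        "demo-forms": {
            "slug": "demo-forms", "outdated": True,
            "version": {"number": "1.2.0"},
            "vulnerabilities": [
                {"title": "placeholder unauthenticated upload", "fixed_in": "1.2.1",
                 "references": {"cve": ["CVE-YYYY-NNNNN"]}},
                {"title": "placeholder stored XSS", "fixed_in": "1.3.0",
                 "references": {}}]},
        "hello-dolly": {
            "slug": "hello-dolly", "outdated": False,
            "version": {"number": "1.7.2"}, "vulnerabilities": []},
    },
    "themes": {
        "twentytwenty": {
            "slug": "twentytwenty", "outdated": True,
            "version": {"number": "1.2"}, "vulnerabilities": []},
    },
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
})


def _vkey(version: str):
    """Sort key for dotted version strings such as 5.4.2."""
    return tuple(int(p) if p.isdigit() else 0 for p in str(version).split("."))


def _entry(kind: str, name: str, info: dict, outdated: bool) -> Optional[dict]:
    """Build one finding, or None when the component needs no action."""
    vulns = info.get("vulnerabilities") or []
    if not vulns and not outdated:
        return None
    fixed = [v["fixed_in"] for v in vulns if v.get("fixed_in")]
    cves = sorted({c for v in vulns for c in v.get("references", {}).get("cve", [])})
    return {
        "kind": kind,
        "name": name,
        "version": (info.get("version") or {}).get("number"),
        "vulns": len(vulns),
        "outdated": outdated,
        # Upgrading to the highest fixed_in closes every listed vulnerability.
        "fix_to": max(fixed, key=_vkey) if fixed else None,
        "cves": cves,
    }


def summarize_report(report_json: str) -> Dict[str, object]:
    """Turn a WPScan JSON report into a prioritised remediation list."""
    report = json.loads(report_json)
    findings: List[dict] = []

    core = report.get("version") or {}
    core_info = {"version": {"number": core.get("number")},
                 "vulnerabilities": core.get("vulnerabilities") or []}
    entry = _entry("core", "wordpress-core", core_info,
                   outdated=core.get("status") not in (None, "latest"))
    if entry:
        findings.append(entry)

    for kind in ("plugins", "themes"):
        for name, info in (report.get(kind) or {}).items():
            entry = _entry(kind, name, info, outdated=bool(info.get("outdated")))
            if entry:
                findings.append(entry)

    # Most vulnerabilities first, then merely outdated components, then by name.
    findings.sort(key=lambda f: (-f["vulns"], not f["outdated"], f["name"]))
    return {
        "target": report.get("target_url"),
        "findings": findings,
        # Enumerated usernames are an exposure in their own right (login form feedback).
        "users": sorted((report.get("users") or {}).keys()),
    }


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"target: {summary['target']}  enumerated users: {', '.join(summary['users'])}")
    for f in summary["findings"]:
        print(f"{f['kind']:8} {f['name']:16} {str(f['version']):8} "
              f"vulns={f['vulns']} outdated={f['outdated']} fix_to={f['fix_to']} {f['cves']}")
```

Components with no vulnerabilities and a current version (hello-dolly above) are dropped from the list, so the output is only what an administrator has to touch.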
BRUTE FORCE
WPScan can brute force WordPress usernames and passwords using two methods: wp-login and xmlrpc. The wp-login method targets the standard login page, while the xmlrpc method uses the WordPress API via /xmlrpc.php, which is faster and generally preferred.
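On the receiving end, both methods leave a recognisable trace in the web server access log: a burst of POST requests to /xmlrpc.php or /wp-login.php from one source. The script below is an added example, not part of these notes or of WPScan, that runs a sliding-window count over combined-format access log lines and raises an alert per (source, path) pair once the count inside the window crosses a threshold; it also lists sources whose User-Agent contains "WPScan". The log lines are constructed, the addresses and timestamps are made up, and the default WPScan User-Agent string is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed combined-format access log: a 12-request burst against
# /xmlrpc.php from one address, plus a few ordinary requests. All values
# (addresses, timestamps, User-Agent strings) are invented for this example.
_BURST = "\n".join(
    f'203.0.113.7 - - [10/Jun/2024:12:00:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" '
    f'200 412 "-" "WPScan v3.8.1 (https://wpscan.org/)"'
    for i in range(12)
)
SAMPLE_LOG = _BURST + "\n" + """\
198.51.100.4 - - [10/Jun/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2024:12:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2024:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:12:02:00 +0000] "GET /wp-content/plugins/hello-dolly/readme.txt HTTP/1.1" 404 150 "-" "WPScan v3.8.1 (https://wpscan.org/)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")


def parse_log(log_text: str) -> List[dict]:
    """Parse combined-format lines; silently skips lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Query strings do not matter for these two endpoints.
        rec["path"] = rec["path"].split("?", 1)[0]
        events.append(rec)
    return events


def detect_login_bursts(log_text: str, threshold: int = 10,
                        window_seconds: int = 60) -> List[dict]:
    """Alert when one source POSTs to a login endpoint >= threshold times in a window."""
    window = timedelta(seconds=window_seconds)
    buckets: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            buckets[(rec["ip"], rec["path"])].append(rec)

    alerts = []
    for (ip, path), recs in buckets.items():
        recs.sort(key=lambda r: r["ts"])
        best, best_span, start = 0, None, 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (recs[start]["ts"], recs[end]["ts"])
        if best >= threshold:
            alerts.append({
                "ip": ip, "path": path, "count": best,
                "first": best_span[0].isoformat(), "last": best_span[1].isoformat(),
                "user_agents": sorted({r["ua"] for r in recs}),
            })
    return alerts


def scanner_sources(log_text: str, marker: str = "WPScan") -> List[str]:
    """Sources whose User-Agent advertises the scanner (assumed default UA)."""
    return sorted({r["ip"] for r in parse_log(log_text) if marker in r["ua"]})


if __name__ == "__main__":
    for a in detect_login_bursts(SAMPLE_LOG):
        print(f"ALERT {a['ip']} -> {a['path']}: {a['count']} POSTs between "
              f"{a['first']} and {a['last']} UA={a['user_agents']}")
    print("scanner user-agent seen from:", scanner_sources(SAMPLE_LOG))
```

Two caveats for anyone turning this into a detection rule: a single xmlrpc.php request can carry many login attempts through system.multicall, so a request count under-estimates the real attempt rate on that endpoint, and the User-Agent check is only an opportunistic indicator because the string is trivially changed (WPScan's own --random-user-agent option does so).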
API TOKEN
root@oco:~$ BROWSER > https://wpscan.com/my-account
* create an account and get your API token
#set it as an environment variable
root@oco:~$ export WPSCAN_API_TOKEN='{apiToken}'
* use environment variables in scripts to avoid exposing your token in command history.
  - add it to your shell profile (~/.bashrc, ~/.zshrc) if you use WPScan regularly.
root@oco:~$ wpscan --url {targetSite:port} --api-token "$WPSCAN_API_TOKEN"