Tool Documentation:
Scan a target WordPress URL and enumerate any plugins that are installed:
[email protected]:~# wpscan --url http://wordpress.local --enumerate p _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 2.6 Sponsored by Sucuri - https://sucuri.net @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ _______________________________________________________________ [+] URL: http://wordpress.local/ [+] Started: Mon Jan 12 14:07:40 2015 [+] robots.txt available under: 'http://wordpress.local/robots.txt' [+] Interesting entry from robots.txt: http://wordpress.local/search [+] Interesting entry from robots.txt: http://wordpress.local/support/search.php [+] Interesting entry from robots.txt: http://wordpress.local/extend/plugins/search.php [+] Interesting entry from robots.txt: http://wordpress.local/plugins/search.php [+] Interesting entry from robots.txt: http://wordpress.local/extend/themes/search.php [+] Interesting entry from robots.txt: http://wordpress.local/themes/search.php [+] Interesting entry from robots.txt: http://wordpress.local/support/rss [+] Interesting entry from robots.txt: http://wordpress.local/archive/ [+] Interesting header: SERVER: nginx [+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN [+] Interesting header: X-NC: HIT lax 249 [+] XML-RPC Interface available under: http://wordpress.local/xmlrpc.php [+] WordPress version 4.2-alpha-31168 identified from rss generator [+] Enumerating installed plugins . Time: 00:00:35 (2166 / 2166) 100.00% Time: 00:00:35 [+] We found 2166 plugins: [. ]
Packages and Binaries:
wpscan
WPScan scans remote WordPress installations to find security issues.
Installed size: 394 KB
How to install: sudo apt install wpscan
wpscan
WordPress Security Scanner
[email protected]:~# wpscan -h _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.22 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ Usage: wpscan [options] --url URL The URL of the blog to scan Allowed Protocols: http, https Default Protocol if none provided: http This option is mandatory unless update or help or hh or version is/are supplied -h, --help Display the simple help and exit --hh Display the full help and exit --version Display the version and exit -v, --verbose Verbose mode --[no-]banner Whether or not to display the banner Default: true -o, --output FILE Output to FILE -f, --format FORMAT Output results in the format supplied Available choices: cli-no-colour, cli-no-color, json, cli --detection-mode MODE Default: mixed Available choices: mixed, passive, aggressive --user-agent, --ua VALUE --random-user-agent, --rua Use a random user-agent for each scan --http-auth login:password -t, --max-threads VALUE The max threads to use Default: 5 --throttle MilliSeconds Milliseconds to wait before doing another web request. If used, the max threads will be set to 1. --request-timeout SECONDS The request timeout in seconds Default: 60 --connect-timeout SECONDS The connection timeout in seconds Default: 30 --disable-tls-checks Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter) --proxy protocol://IP:port Supported protocols depend on the cURL installed --proxy-auth login:password --cookie-string COOKIE Cookie string to use in requests, format: cookie1=value1[; cookie2=value2] --cookie-jar FILE-PATH File to read and write cookies Default: /tmp/wpscan/cookie_jar.txt --force Do not check if the target is running WordPress or returns a 403 --[no-]update Whether or not to update the Database --api-token TOKEN The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile --wp-content-dir DIR The wp-content directory if custom or not detected, such as "wp-content" --wp-plugins-dir DIR The plugins directory if custom or not detected, such as "wp-content/plugins" -e, --enumerate [OPTS] Enumeration Process Available Choices: vp Vulnerable plugins ap All plugins p Popular plugins vt Vulnerable themes at All themes t Popular themes tt Timthumbs cb Config backups dbe Db exports u User IDs range. e.g: u1-5 Range separator to use: '-' Value if no argument supplied: 1-10 m Media IDs range. e.g m1-15 Note: Permalink setting must be set to "Plain" for those to be detected Range separator to use: '-' Value if no argument supplied: 1-100 Separator to use between the values: ',' Default: All Plugins, Config Backups Value if no argument supplied: vp,vt,tt,cb,dbe,u,m Incompatible choices (only one of each group/s can be used): - vp, ap, p - vt, at, t --exclude-content-based REGEXP_OR_STRING Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration. Both the headers and body are checked. Regexp delimiters are not required. --plugins-detection MODE Use the supplied mode to enumerate Plugins. Default: passive Available choices: mixed, passive, aggressive --plugins-version-detection MODE Use the supplied mode to check plugins' versions. Default: mixed Available choices: mixed, passive, aggressive --exclude-usernames REGEXP_OR_STRING Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required. -P, --passwords FILE-PATH List of passwords to use during the password attack. If no --username/s option supplied, user enumeration will be run. -U, --usernames LIST List of usernames to use during the password attack. Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt' --multicall-max-passwords MAX_PWD Maximum number of passwords to send by request with XMLRPC multicall Default: 500 --password-attack ATTACK Force the supplied attack to be used rather than automatically determining one. Available choices: wp-login, xmlrpc, xmlrpc-multicall --login-uri URI The URI of the login page if different from /wp-login.php --stealthy Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive [!] To see full list of options use --hh.
Installing WPScan
WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites.
WPScan is written in the Ruby programming language. The first version of WPScan was released on the 16th of June 2011.
What can WPScan check for?
- The version of WordPress installed and any associated vulnerabilities
- What plugins are installed and any associated vulnerabilities
- What themes are installed and any associated vulnerabilities
- Username enumeration
- Users with weak passwords via password brute forcing
- Backed up and publicly accessible wp-config.php files
- Database dumps that may be publicly accessible
- If error logs are exposed by plugins
- Media file enumeration
- Vulnerable Timthumb files
- If the WordPress readme file is present
- If WP-Cron is enabled
- If user registration is enabled
- Full Path Disclose
- Upload directory listing
- And much more…
License
WPScan is not Open Source software. WPScan is licensed with a custom license that requires a fee to be paid if used commercially. Please find the full license terms here.
Installation
Ruby Gem
WPScan is shipped as a Ruby gem, and can be installed with the following command:
Docker
We also support Docker. Pull the repo with:
docker pull wpscanteam/wpscan
Example Docker command to enumerate usernames:
docker run -it —rm wpscanteam/wpscan —url https://example.com/ —enumerate u
Homebrew (macOS)
Updating
WPScan
To update the WPScan software:
Kali Linux
To update WPScan in Kali Linux:
apt-get update && apt-get upgrade
Metadata Data
WPScan keeps a local database of metadata that is used to output useful information, such as the latest version of a plugin. The local database can be updated with the following command:
Please note that this data does not include the vulnerability data. See Vulnerability Database for information on the vulnerability data.
Enumeration Modes
When enumerating the WordPress version, installed plugins or installed themes, you can use three different “modes”, which are:
If you want the most results use the “mixed” mode. However, if you are worried that the server may not be able to handle a large number of requests, use the “passive” mode. The default mode is “mixed”, with the exception of plugin enumeration, which is “passive”. You will need to manually override the plugin detection mode, if you want to use anything other than the default, with the —plugins-detection option.
Enumeration Options
WPScan can enumerate various things from a remote WordPress application, such as plugins, themes, usernames, backed up files wp-config.php files, Timthumb files, database exports and more. To use WPScan’s enumeration capabilities supply the -e option.
The following enumeration options exist:
- vp (Vulnerable plugins)
- ap (All plugins)
- p (Popular plugins)
- vt (Vulnerable themes)
- at (All themes)
- t (Popular themes)
- tt (Timthumbs)
- cb (Config backups)
- dbe (Db exports)
- u (User IDs range. e.g: u1-5)
- m (Media IDs range. e.g m1-15)
If no option is supplied to the -e flag, then the default will be: vp,vt,tt,cb,dbe,u,m
Cheat Sheet
Here we have put together a bunch of common commands that will help you get started quickly.
NOTE: Get your API token from wpvulndb.com if you also want the vulnerabilities associated with the detected plugin displaying.
wpscan —url example.com -e vp —plugins-detection mixed —api-token YOUR_TOKEN
wpscan —url example.com -e ap —plugins-detection mixed —api-token YOUR_TOKEN
wpscan —url example.com -e u —passwords /path/to/password_file.txt
Docker Cheat Sheet
docker pull wpscanteam/wpscan
docker run -it —rm wpscanteam/wpscan —url https://target.tld/ —enumerate u
- When using —output flag along with the WPScan Docker image, a bind mount must be used. Otherwise, the file is written inside the Docker container, which is then thrown away.
mkdir ~/docker-bind docker run --rm --mount type=bind,source=$HOME/docker-bind,target=/output wpscanteam/wpscan:latest -o /output/wpscan-output.txt --url 'https://example.com'
The wpscan-output.txt file now exists on the host machine at ~/docker-bind/wpscan-output.txt .
Vulnerability Database
WPScan uses the WordPress Vulnerability Database API in real time to retrieve known vulnerabilities that affect WordPress core, plugins and themes.
For the vulnerability information to be shown within WPScan you will need to supply an API token with the —api-token YOUR_TOKEN option. Alternatively, you can supply the API token from a WPScan configuration file.
A free API token is available, as well as paid plans, depending on your usage needs.
If you do not supply an API token, WPScan will work as normal, with the exception that when a WordPress version, plugin or theme is detected, the associated known vulnerabilities will not be displayed.
Bypassing Simple WAFs
To bypass some simple WAFs you can try the —random-user-agent option.
Troubleshooting
If WPScan is not working as expected, you can use the —proxy option, and use a web proxy to inspect WPScan’s HTTP requests, and the remote server’s HTTP responses. This is useful when you do not know why you are getting false positives, or false negatives.