WPScan: Millions of websites around the world are built on the well-known CMS WordPress. If your website is one of them, do you know its vulnerabilities, and more specifically the ones that come with WordPress itself, its plugins and its themes? If you want to know how to keep your website safe from such attacks, keep reading.
The most popular WordPress security-testing tool is WPScan, a black-box WordPress vulnerability scanner written in Ruby. You can use it to scan your website for vulnerabilities in the WordPress core version, in the plugins and in the themes you use. It can also detect weak passwords, enumerate users, and flag security-relevant configuration issues such as exposed configuration backups and database exports. The vulnerability database WPScan draws on is hosted at the well-known site wpvulndb.com and is constantly updated.
How to install it?
WPScan comes pre-installed on penetration-testing distributions such as Kali Linux (the help output later in this article was captured on a Kali host). On other systems you install it yourself, either from the git repository as described below or, on a machine that already has Ruby, simply with gem install wpscan, since the project also publishes WPScan as a Ruby gem.
Ubuntu Linux
To install in an Ubuntu environment, first install the necessary dependencies (this list assumes Ruby and its development headers, the ruby and ruby-dev packages, are already present; if the gem command is missing, install them too):
sudo apt install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev build-essential libgmp-dev zlib1g-dev
Then, if it is not already installed, install git and clone the WPScan git repository:
sudo apt install git
git clone https://github.com/wpscanteam/wpscan.git
Complete the installation with the following commands:
cd wpscan
sudo gem install bundler
bundle install --without test development
Debian Linux
In a Debian environment, install the necessary dependencies, clone the WPScan git repository and then install it:
sudo apt install git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler
bundle install --without test development
Windows
If you would like to install WPScan in a Windows environment, follow these steps. Keep in mind that the WPScan project itself does not support Windows, so a Linux virtual machine is the less painful route if these steps fail on your Ruby version.
- Install Ruby
  - Download the zip file containing the Ruby installer.
  - Unzip the folder and run the installer.
  - Choose the language you want and accept the License Agreement.
  - Select the installation folder (ideally directly under C:\ with a name such as C:\Ruby22, which is the path the later steps use).
- Install DevKit
  - Download the DevKit for use with Ruby 2.0 and above.
  - Unzip the folder and run the file (change the default path to C:\DevKit).
  - Open the command prompt with administrator permissions.
  - Navigate to the installation folder with cd C:\DevKit, then execute the following commands to bind DevKit to Ruby:
ruby dk.rb init
ruby dk.rb install
- Install cURL
  - Download the cURL tool from the cURL download page and run the installation wizard.
  - Make sure the C headers, lib and dll files are selected during setup.
  - Install into C:\Program Files (x86)\cURL.
  - Check that libcurl.dll was installed in C:\Program Files (x86)\cURL\dlls.
- Install WPScan
  - Download the zip file containing the WPScan installer.
  - Unzip the folder and run the file.
  - Select the installation folder (C:\wpscan).
  - Extract data.zip into C:\wpscan so that C:\wpscan\data is created.
  - Copy libcurl.dll to C:\Ruby22\bin.
- Install the Ruby gems
  - Open the command prompt.
  - Change directory to C:\wpscan.
  - Execute the following commands:
gem install bundler
gem install typhoeus
gem install rspec-its
gem install ruby-progressbar
gem install nokogiri
gem install terminal-table
gem install webmock
gem install simplecov
gem install rspec
gem install xml-simple
gem install yajl-ruby
bundle install --without test
To start WPScan while in the C:\wpscan folder, run the following command:
ruby wpscan.rb
How to use it
Now let's look at some of the commands we can use with WPScan.
First, we can see all the available options by running wpscan --help. The output below is the simple help of version 3.6.3 (the ASCII-art banner is omitted); the full help, with even more options, is shown by wpscan --hh:
root@kali-elena:~# wpscan --help

        [WPScan banner]
        WordPress Security Scanner by the WPScan Team
        Version 3.6.3
        Sponsored by Sucuri - https://sucuri.net
        @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

Usage: wpscan [options]
        --url URL                          The URL of the blog to scan
                                           Allowed Protocols: http, https
                                           Default Protocol if none provided: http
                                           This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                             Display the simple help and exit
        --hh                               Display the full help and exit
        --version                          Display the version and exit
    -v, --verbose                          Verbose mode
        --[no-]banner                      Whether or not to display the banner
                                           Default: true
    -o, --output FILE                      Output to FILE
    -f, --format FORMAT                    Output results in the format supplied
                                           Available choices: cli-no-colour, cli-no-color, cli, json
        --detection-mode MODE              Default: mixed
                                           Available choices: mixed, passive, aggressive
        --user-agent, --ua VALUE
        --random-user-agent, --rua         Use a random user-agent for each scan
        --http-auth login:password
    -t, --max-threads VALUE                The max threads to use
                                           Default: 5
        --throttle MilliSeconds            Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS          The request timeout in seconds
                                           Default: 60
        --connect-timeout SECONDS          The connection timeout in seconds
                                           Default: 30
        --disable-tls-checks               Disables SSL/TLS certificate verification
        --proxy protocol://IP:port         Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE             Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH             File to read and write cookies
                                           Default: /tmp/wpscan/cookie_jar.txt
        --force                            Do not check if the target is running WordPress
        --[no-]update                      Whether or not to update the Database
        --wp-content-dir DIR               The wp-content directory if custom or not detected, such as "wp-content"
        --wp-plugins-dir DIR               The plugins directory if custom or not detected, such as "wp-content/plugins"
    -e, --enumerate [OPTS]                 Enumeration Process
                                           Available Choices:
                                            vp   Vulnerable plugins
                                            ap   All plugins
                                            p    Plugins
                                            vt   Vulnerable themes
                                            at   All themes
                                            t    Themes
                                            tt   Timthumbs
                                            cb   Config backups
                                            dbe  Db exports
                                            u    User IDs range. e.g: u1-5
                                                 Range separator to use: '-'
                                                 Value if no argument supplied: 1-10
                                            m    Media IDs range. e.g m1-15
                                                 Note: Permalink setting must be set to "Plain" for those to be detected
                                                 Range separator to use: '-'
                                                 Value if no argument supplied: 1-100
                                           Separator to use between the values: ','
                                           Default: All Plugins, Config Backups
                                           Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                           Incompatible choices (only one of each group/s can be used):
                                            - vp, ap, p
                                            - vt, at, t
        --exclude-content-based REGEXP_OR_STRING
                                           Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                           Both the headers and the body are checked. Regexp delimiters are not required.
        --plugins-detection MODE           Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.
                                           Default: passive
                                           Available choices: mixed, passive, aggressive
        --plugins-version-detection MODE   Use the supplied mode to check plugins versions instead of the --detection-mode or --plugins-detection modes.
                                           Default: mixed
                                           Available choices: mixed, passive, aggressive
        --plugins-threshold THRESHOLD      Raise an error when the number of detected plugins via known locations reaches the threshold. Set to 0 to ignore the threshold.
                                           Default: 100
        --themes-threshold THRESHOLD       Raise an error when the number of detected themes via known locations reaches the threshold. Set to 0 to ignore the threshold.
                                           Default: 20
    -P, --passwords FILE-PATH              List of passwords to use during the password attack.
                                           If no --username/s option is supplied, user enumeration will run.
    -U, --usernames LIST                   List of usernames to use during the password attack.
                                           Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD  Maximum number of passwords to send by request with XMLRPC multicall
                                           Default: 500
        --password-attack ATTACK           Force the supplied attack to be used rather than automatically determining one.
The following command scans our website for vulnerabilities. Only scan sites you own or are authorised to test: the enumeration and password-attack options generate many requests and are indistinguishable from an attack on the receiving end. Note also that WPScan assumes http when no protocol is given, so pass the https:// URL if the site serves TLS, otherwise the scan may be answered by a redirect rather than by the real site.
wpscan --url www.mysite.gr
If we want to test our site for vulnerable plugins, we use the --enumerate vp parameter:
wpscan --url www.mysite.gr --enumerate vp
The results contain a lot of information; a vulnerable plugin is marked with a red [!] and listed together with the version that fixes the issue. In such a case we should update immediately, and if no fixed version exists, deactivate and remove the plugin.
If we want to check for vulnerable themes, the --enumerate vt parameter will help:
wpscan --url www.mysite.gr --enumerate vt
We can also enumerate the site's users with the --enumerate u parameter. WPScan reports the login names and user IDs it can discover (through author archives, the REST API and similar sources), not their roles, but a known username is exactly what an attacker needs for the password attack offered by the -U and -P options above, so check that the administrator account does not use an obvious login name:
wpscan --url www.mysite.gr --enumerate u
Several enumeration choices can be combined in one run, separated by commas, for example --enumerate vp,vt,u.
We look forward to your feedback. How did you find WPScan? Will you use it?