Disclaimer

I do not take any responsibility for any information, links or techniques written about in this article. This is for educational purposes only and is aimed at web developers who are interested in strengthening the security of their applications and websites. You are solely responsible for your own actions if you choose to use this information maliciously, and if you do, you are also a dick.

What is WPScan?

A few months ago I came across a tool called WPScan, which is a very nifty vulnerability scanner for WordPress. It is coded in Ruby, as far as I can gather from the website and from the error codes it spewed at me when I tried to install it on a Lubuntu VM without Ruby installed.

The WPScan developer team has a nifty little site set up on WPScan.org where you can read the documentation on how to install the tool, its dependencies and various other stuff. I recommend skimming through it before trying to install it by yourself, OR you can simply download the latest version of Kali Linux, which has WPScan and various other security tools pre-installed and working.

How Does WPScan Work?

WPScan has a “database” of vulnerable plugins and themes. I’m using the term database loosely here, because there is no actual database, but rather a few text files and config files with various fingerprints. It has a set of “default vulnerable plugins and themes” saved in there that it will scan your website for, checking whether the files and fingerprints in its “database” match any of the files and folders that you’ve got on your live site.

If it finds a match for a known vulnerable plugin, it will show a few links to more information about the security vulnerability. These links are usually to SecurityFocus’s CVE database, where you can read a lot of detailed information (and sometimes not so detailed) about the vulnerability, usually with code samples and examples of how to exploit it.
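To make the fingerprint-matching idea concrete, here is a small passive fingerprinter written for this article as an added example. It is not WPScan’s code: the HTML page and the readme.txt it reads are constructed samples embedded inline, and the regular expressions, function names and the example.com URLs are my own assumptions about what such a check looks like. It pulls the same three things WPScan reported for my site above (core version from the generator meta tag, theme slug from the theme asset URL, plugin slugs from the plugin asset URLs) and reads a plugin version from the “Stable tag” line of its readme.txt, the file WPScan lists as “Readme:” for every plugin it finds.

```python
import re

# Constructed sample front page: the places a scanner looks (generator meta
# tag, asset URLs under wp-content). Not fetched from any real site.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.0" />
<link rel="stylesheet" href="https://example.com/blog/wp-content/themes/sparkling/style.css?ver=1.5.0" />
<link rel="stylesheet" href="https://example.com/blog/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.9.3" />
<script src="https://example.com/blog/wp-content/plugins/jetpack/_inc/build/photon.min.js"></script>
<script src="https://example.com/blog/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js"></script>
</head><body></body></html>"""

# Constructed sample of a plugin readme.txt header. The "Stable tag" line is
# the fingerprint a scanner reads to learn the installed plugin version.
SAMPLE_README = """=== Contact Form 7 ===
Contributors: exampleauthor
Tags: contact, form
Requires at least: 3.9
Tested up to: 4.0
Stable tag: 3.9.3
"""

GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"')
PLUGIN_RE = re.compile(r'/wp-content/plugins/([A-Za-z0-9_-]+)/')
THEME_RE = re.compile(r'/wp-content/themes/([A-Za-z0-9_-]+)/')
STABLE_TAG_RE = re.compile(r'^Stable tag:\s*([\w.]+)', re.MULTILINE)


def wordpress_version(html):
    """Core version leaked by the generator meta tag, or None if it is absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def plugins_from_html(html):
    """Passive plugin detection: every plugin slug whose assets the page loads."""
    return sorted(set(PLUGIN_RE.findall(html)))


def theme_from_html(html):
    """Active theme slug, taken from the first theme asset URL on the page."""
    m = THEME_RE.search(html)
    return m.group(1) if m else None


def version_from_readme(readme):
    """Plugin version from the 'Stable tag:' line of its readme.txt."""
    m = STABLE_TAG_RE.search(readme)
    return m.group(1) if m else None


def fingerprint(html, readmes):
    """Combine the fingerprints into one report.

    readmes maps a plugin slug to the text of its readme.txt (supplied inline
    here; a real scanner would fetch wp-content/plugins/<slug>/readme.txt).
    A plugin whose readme is unreachable gets version None, which is the
    "no version shown" case for crayon-syntax-highlighter in the scan above.
    """
    plugins = {}
    for slug in plugins_from_html(html):
        readme = readmes.get(slug)
        plugins[slug] = version_from_readme(readme) if readme else None
    return {
        "wordpress": wordpress_version(html),
        "theme": theme_from_html(html),
        "plugins": plugins,
    }


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML, {"contact-form-7": SAMPLE_README}))
```

The point for a site owner is that every one of these fingerprints is something you publish: the generator tag, the readme.txt files and the plugin directory names are all served to anyone who asks, which is why removing readme files and the generator tag makes the scan (and an attacker’s reconnaissance) less informative.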

How do you use WPScan

Using WPScan is actually incredibly easy; the only thing you need to do to run WPScan in Kali is to type this in the terminal:

wpscan --url "http://yourwebsite.com"

If you are using another Linux distro or Windows, you will probably have to install Ruby and invoke the program like this: ruby ./wpscan.rb --url "http://yourwebsite.com", although I have not tried it on anything other than Kali.

Here is the output of that command when scanning my own website:

_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version v2.4.1
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: https://helgesverre.com/blog/
[+] Started: Tue Sep 16 12:46:35 2014

[+] robots.txt available under: 'https://helgesverre.com/robots.txt'
[+] Interesting entry from robots.txt: Disallow: /cgi-bin/
[+] Interesting entry from robots.txt: https://helgesverre.com/subdomains/
[+] Interesting entry from robots.txt: https://helgesverre.com/domains/
[+] Interesting entry from robots.txt: https://helgesverre.com/admin/
[!] The WordPress 'https://helgesverre.com/blog/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.28
[+] XML-RPC Interface available under: https://helgesverre.com/blog/xmlrpc.php

[+] WordPress version 4.0 identified from meta generator

[+] WordPress theme in use: sparkling - v1.5.0

[+] Name: sparkling - v1.5.0
 |  Location: https://helgesverre.com/blog/wp-content/themes/sparkling/
 |  Readme: https://helgesverre.com/blog/wp-content/themes/sparkling/readme.txt
 |  Style URL: https://helgesverre.com/blog/wp-content/themes/sparkling/style.css
 |  Theme Name: Sparkling
 |  Theme URI: http://colorlib.com/wp/themes/sparkling
 |  Description: Sparkling is a clean minimal and responsive WordPress theme well suited for travel, health, busin...
 |  Author: Colorlib
 |  Author URI: http://colorlib.com/

[+] Enumerating plugins from passive detection ...
 | 6 plugins found:

[+] Name: author-hreview - v0.0.9.4
 |  Location: https://helgesverre.com/blog/wp-content/plugins/author-hreview/
 |  Readme: https://helgesverre.com/blog/wp-content/plugins/author-hreview/readme.txt

[+] Name: contact-form-7 - v3.9.3
 |  Location: https://helgesverre.com/blog/wp-content/plugins/contact-form-7/
 |  Readme: https://helgesverre.com/blog/wp-content/plugins/contact-form-7/readme.txt
[!] Directory listing is enabled: https://helgesverre.com/blog/wp-content/plugins/contact-form-7/

[!] Title: Contact Form 7 3.5.3 - Crafted File Extension Upload Remote Code Execution
    Reference: http://packetstormsecurity.com/files/125018/
    Reference: http://seclists.org/fulldisclosure/2014/Feb/0
    Reference: http://osvdb.org/102776

[+] Name: crayon-syntax-highlighter
 |  Location: https://helgesverre.com/blog/wp-content/plugins/crayon-syntax-highlighter/
 |  Readme: https://helgesverre.com/blog/wp-content/plugins/crayon-syntax-highlighter/readme.txt
[!] Directory listing is enabled: https://helgesverre.com/blog/wp-content/plugins/crayon-syntax-highlighter/

[!] Title: Crayon Syntax Highlighter - Remote File Inclusion Vulnerability
    Reference: http://ceriksen.com/2012/10/15/wordpress-crayon-syntax-highlighter-remote-file-inclusion-vulnerability/
    Reference: http://secunia.com/advisories/50804
[i] Fixed in: 1.13

[+] Name: jetpack - v3.1.1
 |  Location: https://helgesverre.com/blog/wp-content/plugins/jetpack/
 |  Readme: https://helgesverre.com/blog/wp-content/plugins/jetpack/readme.txt
[!] Directory listing is enabled: https://helgesverre.com/blog/wp-content/plugins/jetpack/

[+] Name: really-simple-popup - v1.0.9
 |  Location: https://helgesverre.com/blog/wp-content/plugins/really-simple-popup/
 |  Readme: https://helgesverre.com/blog/wp-content/plugins/really-simple-popup/readme.txt
[!] Directory listing is enabled: https://helgesverre.com/blog/wp-content/plugins/really-simple-popup/

[+] Name: all-in-one-seo-pack - v2.2.3.1
 |  Location: https://helgesverre.com/blog/wp-content/plugins/all-in-one-seo-pack/
 |  Readme: https://helgesverre.com/blog/wp-content/plugins/all-in-one-seo-pack/readme.txt
[!] Directory listing is enabled: https://helgesverre.com/blog/wp-content/plugins/all-in-one-seo-pack/

[+] Finished: Tue Sep 16 12:47:22 2014
[+] Memory used: 5.863 MB
[+] Elapsed time: 00:00:46

As you can see, it complains a little about a plugin I am using called Contact Form 7 (line 55 of the output). If we look a little closer at the vulnerability it is complaining about, which you can read more about here, I have determined that there is no way to exploit it in my case, because I am not using the file uploading feature on any of my contact forms.

Enumerating Vulnerable WordPress Plugins

Running the command above gives me various information about the WordPress installation that I’ve got: the version, the plugins and the theme that is installed will be displayed to you. If you give the command

wpscan --url "http://website.com" --enumerate vp

WPScan will go through its list of vulnerable plugins and check them against your website. If it finds any of them on your site, it will give you a list of CVE reference links, which will give you a lot more detailed information about the vulnerability.

By the way, CVE stands for Common Vulnerabilities and Exposures, and it’s basically just a way to “label and archive” exploits and vulnerabilities in various software; you can read up more on CVE in the Wikipedia article here.

Enumerating WordPress Users

It is generally a bad idea to name your admin account “admin” or “administrator”, as those are the two most common usernames for admin users on the web. This matters to you and your websites because “hackers” and criminals create and use software that is designed to try to log in with common usernames and passwords, and these criminals go after the most widely used usernames to have a larger chance of breaking into a website.

To check what usernames have been used on a WordPress site, which could for example be an existing client website that you are hired to secure or optimize, you could easily run this command:

wpscan --url "http://website.com" --enumerate u

Enumerating WordPress Themes

It’s no secret that the web is filled with absolute shit-coded WordPress themes that might even bring their own heap of vulnerabilities with them. If you have a client that likes to mess around with themes and change them frequently, it might be a smart idea to do a theme enumeration with WPScan to see if they might have installed a malicious or vulnerable theme.

To make WPScan check a site for vulnerable themes, you would use this command:

wpscan --url "website.com" --enumerate t

Enumerating Multiple Things at the same time

If you prefer to do one single scan to get all of the information above, you can enumerate multiple things by specifying them in a comma-separated fashion like so:

wpscan --url "http://website.com" --enumerate u,vp,t

where --enumerate u,vp,t tells WPScan to enumerate all users, vulnerable plugins and vulnerable themes.

How to Bruteforce a Weak WordPress Password

WPScan has a slightly more aggressive ability built in: it can “bruteforce” WordPress passwords for a list of users or for one particular user. This can come in handy if your client has either forgotten their password or wants to check their WordPress security, or if you simply need something to test out an “anti-bruteforce plugin” that you or someone else has made.

To initiate a bruteforce attack on a user with the username “helge” you would simply type this command:

wpscan --url "website.com" --wordlist passwords.txt --username helge

You have to specify a word list to use as your passwords; WPScan will go through every line of this file and try every word as the password for the particular user you specified. Password lists are widely available on the internet, but I won’t link to any one particular list.

Multiple Threads

If you don’t specify a username for WPScan to use, it will grab the usernames from the above-mentioned --enumerate u command, so in essence this command will try to log in to every user on your WordPress site. Since that might be kind of slow to do normally, WPScan gives you an option to specify how many threads to use with the --threads option.

You can think of this as “how many logins should I try at once”. Setting this option to a value between 10 and 50 should be safe, although I have not stress-tested it myself:

wpscan --url "website.com" --wordlist passwords.txt --threads 10
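The flip side of the user enumeration and bruteforce sections above is what they look like from the server: both leave a very recognisable trail in the access log, and if you are testing an “anti-bruteforce plugin” this is the signal it needs to act on. The following detector is an added example written for this article, not part of WPScan or WordPress. It assumes an Apache/nginx “combined”-style access log and a constructed set of log lines (the IPs, timestamps and paths are made up). It flags one IP that walks through author ids via /?author=N, which is one of the ways WPScan 2.x discovers usernames, and the same IP firing a burst of POSTs at wp-login.php, which is what the --wordlist run with --threads 10 produces; a normal visitor who logs in once is left alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined"-style access log line (adjust LOG_RE if your
# server's log format differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Constructed sample log. 203.0.113.5 walks author ids 1..5 and then fires
# 30 login POSTs in three seconds; 198.51.100.9 is an ordinary visitor who
# logs in once. All addresses and timestamps are made up for the example.
SAMPLE_LOG_LINES = [
    f'203.0.113.5 - - [16/Sep/2014:12:46:{35 + i // 3:02d} +0200] '
    f'"GET /blog/?author={i + 1} HTTP/1.1" {301 if i < 2 else 404} 0'
    for i in range(5)
] + [
    '198.51.100.9 - - [16/Sep/2014:12:50:01 +0200] "GET /blog/ HTTP/1.1" 200 5123',
    '198.51.100.9 - - [16/Sep/2014:12:50:10 +0200] "POST /blog/wp-login.php HTTP/1.1" 302 0',
] + [
    f'203.0.113.5 - - [16/Sep/2014:12:47:{i // 10:02d} +0200] '
    f'"POST /blog/wp-login.php HTTP/1.1" 200 3012'
    for i in range(30)
]


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def detect_author_enumeration(entries, min_ids=3):
    """IPs that requested at least min_ids distinct ?author=N ids."""
    ids_by_ip = defaultdict(set)
    for e in entries:
        m = AUTHOR_RE.search(e["path"])
        if m:
            ids_by_ip[e["ip"]].add(m.group(1))
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= min_ids)


def detect_login_bursts(entries, threshold=20, window=timedelta(seconds=60)):
    """IPs that POSTed to wp-login.php at least `threshold` times inside `window`."""
    times_by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0].endswith("/wp-login.php"):
            times_by_ip[e["ip"]].append(e["time"])
    flagged = []
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def analyze(lines):
    """Run both detectors over raw log lines; unparsable lines are skipped."""
    entries = [e for e in (parse_line(line) for line in lines) if e]
    return {
        "author_enumeration": detect_author_enumeration(entries),
        "login_bruteforce": detect_login_bursts(entries),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG_LINES))
```

The thresholds are deliberately conservative (three distinct author ids, twenty login POSTs in a minute) so that an editor who mistypes a password a few times is not flagged; tune them to the site, and feed the flagged IPs to whatever blocks or rate-limits logins rather than just logging them.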

Securing the Site

Once you’ve scanned the site and looked over the reports, identified the vulnerable plugins and themes, it’s time to start securing the website.

This is done by simply disabling AND DELETING the vulnerable plugins and themes and exchanging them for alternative plugins with the same features, or by updating the plugin or theme if it has not already been updated to the latest version.
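Reading the report by eye works for one site, but if you maintain several it helps to turn the scan output into a to-do list. The script below is an added example written for this article, not a WPScan feature: it parses the “Name:”, “Directory listing is enabled:”, “Title:” and “Fixed in:” lines in the WPScan 2.x report format shown above and applies the rule from this section (update if a fix version exists and the installed version is older, otherwise replace or remove, and turn off directory listing where it is reported). The embedded report excerpt is constructed from the plugin entries in my scan, with example.com standing in for the real host; the function names and action strings are my own.

```python
import re

# Constructed excerpt in the WPScan 2.x report format used above; the plugin
# names and references are the ones from the scan, the host is a placeholder.
SAMPLE_REPORT = """\
[+] Name: contact-form-7 - v3.9.3
 |  Location: https://example.com/blog/wp-content/plugins/contact-form-7/
[!] Directory listing is enabled: https://example.com/blog/wp-content/plugins/contact-form-7/
[!] Title: Contact Form 7 3.5.3 - Crafted File Extension Upload Remote Code Execution
    Reference: http://osvdb.org/102776

[+] Name: crayon-syntax-highlighter
 |  Location: https://example.com/blog/wp-content/plugins/crayon-syntax-highlighter/
[!] Title: Crayon Syntax Highlighter - Remote File Inclusion Vulnerability
    Reference: http://secunia.com/advisories/50804
[i] Fixed in: 1.13

[+] Name: jetpack - v3.1.1
 |  Location: https://example.com/blog/wp-content/plugins/jetpack/
[!] Directory listing is enabled: https://example.com/blog/wp-content/plugins/jetpack/
"""

NAME_RE = re.compile(r'^\[\+\] Name: (\S+?)(?: - v(\S+))?$')
TITLE_RE = re.compile(r'^\[!\] Title: (.+)$')
FIXED_RE = re.compile(r'^\[i\] Fixed in: (\S+)$')
DIRLIST_PREFIX = "[!] Directory listing is enabled:"


def version_tuple(v):
    """'1.13' -> (1, 13) so versions compare numerically rather than as strings."""
    return tuple(int(x) for x in re.findall(r'\d+', v))


def parse_report(text):
    """Group the report's lines into one record per plugin, in report order."""
    plugins = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            current = {"slug": m.group(1), "version": m.group(2),
                       "dir_listing": False, "findings": []}
            plugins.append(current)
            continue
        if current is None:
            continue
        if line.startswith(DIRLIST_PREFIX):
            current["dir_listing"] = True
            continue
        m = TITLE_RE.match(line)
        if m:
            current["findings"].append({"title": m.group(1), "fixed_in": None})
            continue
        m = FIXED_RE.match(line)
        if m and current["findings"]:
            current["findings"][-1]["fixed_in"] = m.group(1)  # belongs to the last Title
    return plugins


def remediation(plugin):
    """Turn one plugin record into the concrete actions this section calls for."""
    actions = []
    installed = plugin["version"]
    for f in plugin["findings"]:
        fixed = f["fixed_in"]
        if fixed is None:
            actions.append(f"no fix version reported for '{f['title']}': update to latest or remove")
        elif installed is None or version_tuple(installed) < version_tuple(fixed):
            actions.append(f"update to {fixed} or later (installed: {installed or 'unknown'})")
        else:
            actions.append(f"installed {installed} is at or past the fix ({fixed}); keep it updated")
    if plugin["dir_listing"]:
        actions.append("disable directory listing")
    return actions or ["no findings"]


def triage(text):
    """Map every plugin in a report to its list of actions."""
    return {p["slug"]: remediation(p) for p in parse_report(text)}


if __name__ == "__main__":
    for slug, actions in triage(SAMPLE_REPORT).items():
        print(slug, "->", "; ".join(actions))
```

Note what the output says about my own Contact Form 7 finding: the report gives no “Fixed in:” version, and the installed 3.9.3 is newer than the 3.5.3 named in the title, so the script cannot decide for you. That is exactly the case where you read the referenced advisory and check which features you actually use, as I did above.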

Further Reading about Web Application Security

I have had an interest in information security (infosec) and “hacking” since I was 15, when I saw some young dude in a movie break into the Pentagon’s mainframe or some bullshit like that. I have, however, never been a fan of the way the media portrays people who have a genuine interest in security and want to help people protect themselves against identity theft and wrongdoing as criminals and dangerous individuals.

Anyways..

I could rant for hours on the subject, but I’d rather end with this closing statement:

Every web developer nowadays needs to understand a little bit about how small programming mistakes like unfiltered user input and unchecked session variables might be used to exploit your web application and gain unauthorized access to stuff they should not have access to. The only way to know how to defend against these things is, honestly, to understand how one would exploit them in the first place.

Therefore I highly suggest that you check out this book called “The Hacker Playbook: Practical Guide To Penetration Testing” and this awesome course on Web Application Security taught by Vivek Ramachandran. The course is part of a paid membership on PentesterAcademy, and includes practical exercises and “homework” which will help you learn more about web app security.

Highly recommended.

Thanks for reading,

hack the planet, do no harm.