{"id":3149,"date":"2021-04-21T13:21:37","date_gmt":"2021-04-21T18:21:37","guid":{"rendered":"https:\/\/microsoftgeek.com\/?p=3149"},"modified":"2021-04-21T13:22:34","modified_gmt":"2021-04-21T18:22:34","slug":"wpscan-a-black-box-wordpress-vulnerability-scanner","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=3149","title":{"rendered":"WPScan \u2013 A Black Box WordPress Vulnerability Scanner"},"content":{"rendered":"\n

WordPress<\/strong> is all over the web; it\u2019s the most popular and most used content management system (CMS<\/strong>) out there. Is your website or blog is powered by WordPress<\/strong>? Did you know that malicious hackers are always attacking WordPress sites every minute? If you didn\u2019t, now you know.<\/p>\n\n\n\n

The first step towards securing your website or blog is to perform a vulnerability assessment. This is simply an operation to identify common security loopholes (known to the public), within your site or its underlying architecture.<\/p>\n\n\n\n

How to Install WPScan in Linux Systems<\/h3>\n\n\n\n

The recommended way of installing and running\u00a0WPScan<\/strong>\u00a0is to use the official Docker image, this will help you do away with installation problems (typically dependency issues).<\/p>\n\n\n\n

<\/p>\n\n\n\n

You should have\u00a0Docker installed and running on your system, otherwise start by installing it using the following, which will use the\u00a0cURL program to download\u00a0and run a shell script that will add the Docker repository to your system and install the needed packages.<\/p>\n\n\n\n

$ sudo curl -fsSL https:\/\/get.docker.com | sh\n<\/pre>\n\n\n\n
Once the Docker<\/strong> is successfully installed, start the service, enable it to auto-start at system boot time and check if it\u2019s up and running as follows.<\/p>\n\n\n\n
# sudo systemctl start docker\n# sudo systemctl enable docker\n# sudo systemctl status docker\n<\/pre>\n\n\n\n
Next, pull the WPScan Docker<\/strong> image using the following command.<\/p>\n\n\n\n
$ docker pull wpscanteam\/wpscan\n<\/pre>\n\n\n\n
\"Download
Download WPScan Docker Image<\/figcaption><\/figure>\n\n\n\n
Once WPScan Docker<\/strong> image downloaded, you can list the Docker images on your system using following command.<\/p>\n\n\n\n
$ docker images\n<\/pre>\n\n\n\n
\"List
List Docker Images<\/figcaption><\/figure>\n\n\n\n
Looking at the output from the following screesnhot, the WPScan repository image is wpscanteam\/wpscan<\/strong> which you will use in the next section.<\/p>\n\n\n\n
How to Perform WordPress Vulnerability Scan Using WPScan<\/h3>\n\n\n\n
The simplest way of performing a vulnerability scan using WPScan<\/strong> is to provide your WordPress website\u2019s URL as shown (replace www.example.com<\/strong> with your site\u2019s URL).<\/p>\n\n\n\n
$ docker run wpscanteam\/wpscan --url www.example.com\n<\/pre>\n\n\n\n
WPScan will try to find interesting HTTP headers such as SERVER<\/strong> (web server type and version) and X-POWERED-BY<\/strong> (PHP version); it will also look for any exposed APIs, RSS feed link and users.<\/p>\n\n\n\n
Then it will go on to enumerate the WordPress version and checks if it is up to date or if there are any vulnerabilities associated with the detected version number. In addition, it will try to detect the theme as well as installed plugins to find it they are up to date.<\/p>\n\n\n\n
\"Scan
Scan WordPress for Vulnerabilities<\/figcaption><\/figure>\n\n\n\n
You can perform a wordlist password brute force on enumerated users using 30<\/strong> threads using the followin command. The --wordlist<\/code> and --threads<\/code> flags to specify the wordlist and set the number of threads receptively.<\/p>\n\n\n\n
$ docker run wpscanteam\/wpscan --url www.example.com --wordlist wordlist_file.txt --threads 30\n<\/pre>\n\n\n\n
To carry out a wordlist password brute force on the \u201cadmin\u201d<\/strong> username only, run the following command.<\/p>\n\n\n\n
$ docker run wpscanteam\/wpscan --url www.example.com --wordlist wordlist_file.txt --username admin\n<\/pre>\n\n\n\n
Alternatively, you can mount a local wordlist on your system to the docker container and start a bruteforce attack for user admin.<\/p>\n\n\n\n
$ docker run -it --rm -v ~\/wordlists:\/wordlists wpscanteam\/wpscan --url www.example.com --wordlist \/wordlists\/wordlist_file.txt --username admin\n<\/pre>\n\n\n\n
To enumerate installed plugins, run the following command.<\/p>\n\n\n\n
$ docker run wpscanteam\/wpscan --url www.example.com --enumerate p\n<\/pre>\n\n\n\n
If enumerating installed plugins is not be enough, you can run all enumeration tools as shown.<\/p>\n\n\n\n
$ docker run wpscanteam\/wpscan --url www.example.com --enumerate\n<\/pre>\n\n\n\n
To enable output debugging, use the --debug-ouput<\/code> flag, and redirect the output into a file for later analysis.<\/p>\n\n\n\n
$ docker run wpscanteam\/wpscan --url www.example.com --debug-output 2>debug.log\n<\/pre>\n\n\n\n
Last but not least, you can update WPScan\u2019s database to the latest version by executing the following command.<\/p>\n\n\n\n
$ docker run wpscanteam\/wpscan --update\n<\/pre>\n\n\n\n
You can view the Docker<\/strong> and WPScan<\/strong> help messages with these commands.<\/p>\n\n\n\n
$ docker -h  \n$ docker run wpscanteam\/wpscan -h\n<\/pre>\n\n\n\n
WPScan Github repository: https:\/\/github.com\/wpscanteam\/wpscan<\/a><\/p>\n\n\n\n
That\u2019s all for now! WPScan<\/strong> is a powerful black box WordPress vulnerability scanner that you should have in your arsenal of web security tools.<\/p>\n","protected":false},"excerpt":{"rendered":"
WordPress is all over the web; it\u2019s the most popular and most used content management system (CMS) out there. Is your website or blog is powered by WordPress? Did you know that malicious hackers are always attacking WordPress sites every minute? If you didn\u2019t, now you know. The first step towards securing your website or blog is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[78,33,82],"tags":[],"class_list":["post-3149","post","type-post","status-publish","format-standard","hentry","category-containers","category-sec-secops","category-docker"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3149"}],"version-history":[{"count":2,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3149\/revisions"}],"predecessor-version":[{"id":3151,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3149\/revisions\/3151"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}