WPScan
WPScan Description
WPScan is a black box WordPress vulnerability scanner.
Homepage: https://wpscan.org/
Author: WPScan Team
License: dual-licensed
WPScan Help
Usage:
wpscan [options]
Options:
        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http
                                                  This option is mandatory unless update or help or version is/are supplied
    -h, --help                                    Display the help and exit
        --version                                 Display the version and exit
        --ignore-main-redirect                    Ignore the main redirect (if any) and scan the target url
    -v, --verbose                                 Verbose mode
        --[no-]banner                             Whether or not to display the banner
                                                  Default: true
    -o, --output FILE                             Output to FILE
    -f, --format FORMAT                           Output results in the format supplied
                                                  Available choices: cli-no-colour, cli-no-color, json, cli
        --detection-mode MODE                     Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --scope DOMAINS                           Comma separated (sub-)domains to consider in scope.
                                                  Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld
                                                  Separator to use between the values: ','
        --user-agent, --ua VALUE
        --headers HEADERS                         Additional headers to append in requests
                                                  Separator to use between the headers: '; '
                                                  Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa'
        --vhost VALUE                             The virtual host (Host header) to use in requests
        --random-user-agent, --rua                Use a random user-agent for each scan
        --user-agents-list FILE-PATH              List of agents to use with --random-user-agent
        --http-auth login:password
    -t, --max-threads VALUE                       The max threads to use
                                                  Default: 5
        --throttle MilliSeconds                   Milliseconds to wait before doing another web request.
                                                  If used, the max threads will be set to 1.
        --request-timeout SECONDS                 The request timeout in seconds
                                                  Default: 60
        --connect-timeout SECONDS                 The connection timeout in seconds
                                                  Default: 30
        --disable-tls-checks                      Disables SSL/TLS certificate verification
        --proxy protocol://IP:port                Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE                    Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH                    File to read and write cookies
                                                  Default: /tmp/wpscan/cookie_jar.txt
        --cache-ttl TIME_TO_LIVE                  The cache time to live in seconds
                                                  Default: 600
        --clear-cache                             Clear the cache before the scan
        --cache-dir PATH                          Default: /tmp/wpscan/cache
        --server SERVER                           Force the supplied server module to be loaded
                                                  Available choices: apache, iis, nginx
        --force                                   Do not check if the target is running WordPress
        --[no-]update                             Whether or not to update the Database
                                                  This option is mandatory unless url or help or version is/are supplied
        --wp-content-dir DIR
        --wp-plugins-dir DIR
        --interesting-findings-detection MODE     Use the supplied mode for the interesting findings detection.
                                                  Available choices: mixed, passive, aggressive
        --wp-version-all                          Check all the version locations
        --wp-version-detection MODE               Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --main-theme-detection MODE               Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
    -e, --enumerate [OPTS]                        Enumeration Process
                                                  Available Choices:
                                                   vp   Vulnerable plugins
                                                   ap   All plugins
                                                   p    Plugins
                                                   vt   Vulnerable themes
                                                   at   All themes
                                                   t    Themes
                                                   tt   Timthumbs
                                                   cb   Config backups
                                                   dbe  Db exports
                                                   u    User IDs range. e.g: u1-5
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-10
                                                   m    Media IDs range. e.g m1-15
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-100
                                                  Separator to use between the values: ','
                                                  Default: All Plugins, Config Backups
                                                  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                                  Incompatible choices (only one of each group/s can be used):
                                                   - vp, ap, p
                                                   - vt, at, t
        --exclude-content-based REGEXP_OR_STRING  Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                                  Both the headers and body are checked. Regexp delimiters are not required.
        --plugins-list LIST                       List of plugins to enumerate
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --plugins-detection MODE                  Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.
                                                  Default: passive
                                                  Available choices: mixed, passive, aggressive
        --plugins-version-all                     Check all the plugins version locations according to the chosen mode (--detection-mode, --plugins-detection and --plugins-version-detection)
        --plugins-version-detection MODE          Use the supplied mode to check plugins versions instead of the --detection-mode or --plugins-detection modes.
                                                  Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --themes-list LIST                        List of themes to enumerate
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --themes-detection MODE                   Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --themes-version-all                      Check all the themes version locations according to the chosen mode (--detection-mode, --themes-detection and --themes-version-detection)
        --themes-version-detection MODE           Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes.
                                                  Available choices: mixed, passive, aggressive
        --timthumbs-list FILE-PATH                List of timthumbs' location to use
                                                  Default: /home/mial/.wpscan/db/timthumbs-v3.txt
        --timthumbs-detection MODE                Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --config-backups-list FILE-PATH           List of config backups' filenames to use
                                                  Default: /home/mial/.wpscan/db/config_backups.txt
        --config-backups-detection MODE           Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --db-exports-list FILE-PATH               List of DB exports' paths to use
                                                  Default: /home/mial/.wpscan/db/db_exports.txt
        --db-exports-detection MODE               Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --medias-detection MODE                   Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --users-list LIST                         List of users to check during the users enumeration from the Login Error Messages
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --users-detection MODE                    Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
    -P, --passwords FILE-PATH                     List of passwords to use during the password attack.
                                                  If no --username/s option supplied, user enumeration will be run.
    -U, --usernames LIST                          List of usernames to use during the password attack.
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD         Maximum number of passwords to send by request with XMLRPC multicall
                                                  Default: 500
        --password-attack ATTACK                  Force the supplied attack to be used rather than automatically determining one.
                                                  Available choices: wp-login, xmlrpc, xmlrpc-multicall
        --stealthy                                Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive
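The help above states several rules that are easy to violate when a scan is scripted: only one of vp/ap/p and one of vt/at/t may be enumerated at once, --throttle forces the thread count to 1, --stealthy already implies passive detection, and --headers values are joined with '; '. The following is an added example (not WPScan's own code) that checks a scan profile against those rules before spawning the scanner; ScanProfile, check_profile and build_argv are this example's own names, and the option spellings are taken from the help output.

```python
"""Build and sanity-check a wpscan command line before spawning the scanner.

Added example for this page, not WPScan's own code. ScanProfile, check_profile,
build_argv and run_scan are this example's own names; the options and the rules
they enforce (exclusive enumeration groups, --throttle forcing a single thread,
--stealthy implying passive detection, '; ' as the --headers separator, ',' as
the --enumerate separator) are the ones stated in the help output above.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Sequence

EXCLUSIVE_GROUPS = (("vp", "ap", "p"), ("vt", "at", "t"))
ENUM_CHOICES = {"vp", "ap", "p", "vt", "at", "t", "tt", "cb", "dbe", "u", "m"}
DETECTION_MODES = {"mixed", "passive", "aggressive"}
FORMATS = {"cli", "cli-no-colour", "cli-no-color", "json"}


@dataclass
class ScanProfile:
    url: str
    enumerate: Sequence[str] = ()          # e.g. ("vp", "vt", "u1-5")
    detection_mode: Optional[str] = None
    stealthy: bool = False
    throttle_ms: Optional[int] = None      # per the help, this forces max threads to 1
    max_threads: Optional[int] = None
    headers: Sequence[str] = ()            # e.g. ("X-Forwarded-For: 127.0.0.1",)
    fmt: Optional[str] = None
    output: Optional[str] = None


def check_profile(p: ScanProfile):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    # u1-5 -> u and m1-15 -> m: ranges are only valid on the user/media choices
    bases = [c.rstrip("0123456789-") for c in p.enumerate]
    for choice, base in zip(p.enumerate, bases):
        if base not in ENUM_CHOICES:
            problems.append(f"unknown enumeration choice {choice!r}")
    for group in EXCLUSIVE_GROUPS:
        picked = [c for c in bases if c in group]
        if len(picked) > 1:
            problems.append(f"only one of {'/'.join(group)} may be used, got {picked}")
    if p.detection_mode and p.detection_mode not in DETECTION_MODES:
        problems.append(f"bad detection mode {p.detection_mode!r}")
    if p.fmt and p.fmt not in FORMATS:
        problems.append(f"bad output format {p.fmt!r}")
    if p.throttle_ms is not None and p.max_threads not in (None, 1):
        problems.append("--throttle forces max threads to 1; drop max_threads")
    if p.stealthy and p.detection_mode not in (None, "passive"):
        problems.append("--stealthy already sets --detection-mode passive; drop detection_mode")
    return problems


def build_argv(p: ScanProfile, binary="wpscan"):
    """Translate a profile into an argv list; raises ValueError on an inconsistent profile."""
    problems = check_profile(p)
    if problems:
        raise ValueError("; ".join(problems))
    argv = [binary, "--url", p.url]
    if p.enumerate:
        argv += ["--enumerate", ",".join(p.enumerate)]
    if p.stealthy:
        argv.append("--stealthy")           # alias for passive detection + random UA
    elif p.detection_mode:
        argv += ["--detection-mode", p.detection_mode]
    if p.throttle_ms is not None:
        argv += ["--throttle", str(p.throttle_ms)]
    elif p.max_threads is not None:
        argv += ["--max-threads", str(p.max_threads)]
    if p.headers:
        argv += ["--headers", "; ".join(p.headers)]
    if p.fmt:
        argv += ["--format", p.fmt]
    if p.output:
        argv += ["--output", p.output]
    return argv


def run_scan(p: ScanProfile, binary="wpscan"):
    """Run wpscan with the composed argv and return its exit status."""
    return subprocess.run(build_argv(p, binary), check=False).returncode


if __name__ == "__main__":
    profile = ScanProfile(url="https://blog.example", enumerate=("vp", "vt", "u1-5"),
                          stealthy=True, throttle_ms=250, fmt="json", output="report.json")
    print(" ".join(build_argv(profile)))
```

Passing argv as a list to subprocess (rather than a shell string) keeps header values containing ';' or spaces from being re-parsed by a shell; the checks run locally, so a contradictory profile is rejected before any request reaches the target.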
WPScan Usage Example
The examples below use the option names from the help output above (older releases were run as ruby wpscan.rb and took --wordlist/--threads/--username instead of -P/-t/-U). On Kali the command is wpscan; a source checkout as installed below is invoked as ./wpscan.rb.
Do 'non-intrusive' checks:
wpscan --url www.example.com
Do wordlist password brute force on enumerated users using 50 threads (with no -U, the users are enumerated first):
wpscan --url www.example.com -P darkc0de.lst -t 50
Do wordlist password brute force on the 'admin' username only:
wpscan --url www.example.com -P darkc0de.lst -U admin
Enumerate installed plugins:
wpscan --url www.example.com --enumerate p
Run all enumeration tools (with no argument, --enumerate runs vp,vt,tt,cb,dbe,u,m as the help states):
wpscan --url www.example.com --enumerate
Use custom content directory:
wpscan --url www.example.com --wp-content-dir custom-content
Update WPScan's databases:
wpscan --update
Verbose output, saved to a file:
wpscan --url www.example.com --verbose --output verbose.log
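The help above offers -f json -o FILE, which is the form to use when a scan feeds a ticketing or reporting step. The following is an added example (not WPScan's own code) that triages such a report: it compares each detected component version against the fixed_in value of every listed vulnerability and treats a component whose version could not be detected as "unknown" rather than silently clean. The field names (plugins/themes keyed by slug, version.number, version.confidence, latest_version, outdated, vulnerabilities[].title/fixed_in) are what this example assumes a WPScan 3 JSON report contains and should be verified against a real report; SAMPLE_REPORT is constructed and names no real plugin or vulnerability.

```python
"""Triage a WPScan JSON report (wpscan --url ... -f json -o report.json).

Added example for this page, not WPScan's own code. The JSON field names used
here are assumed, not taken from the page; SAMPLE_REPORT is constructed data
with made-up component names and findings.
"""
import json
import re
import sys

SAMPLE_REPORT = json.loads("""
{
  "target_url": "https://blog.example/",
  "version": {"number": "5.2.1", "confidence": 80, "vulnerabilities": []},
  "plugins": {
    "example-gallery": {
      "slug": "example-gallery",
      "version": {"number": "1.4.0", "confidence": 80},
      "latest_version": "2.0.1", "outdated": true,
      "vulnerabilities": [
        {"title": "Example Gallery < 1.5.0 - constructed sample finding", "fixed_in": "1.5.0"},
        {"title": "Example Gallery < 1.2.0 - constructed, already fixed", "fixed_in": "1.2.0"}
      ]
    },
    "example-forms": {
      "slug": "example-forms",
      "version": null,
      "latest_version": "3.1.0", "outdated": false,
      "vulnerabilities": [
        {"title": "Example Forms < 3.0.0 - constructed sample finding", "fixed_in": "3.0.0"}
      ]
    }
  },
  "themes": {},
  "users": {"admin": {"id": 1, "confidence": 100}}
}
""")


def vtuple(s):
    """'1.4.0' -> (1, 4, 0); tolerates suffixes such as '5.2.1-beta'."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def status(detected, fixed_in):
    """Classify one vulnerability entry against the detected version."""
    if detected is None:
        return "unknown"        # version not detected: cannot rule the finding out
    if fixed_in is None:
        return "affected"       # no fixed release known
    return "affected" if vtuple(detected) < vtuple(fixed_in) else "fixed"


def _detected(comp):
    """(version number, confidence) for a plugin/theme entry; version may be null."""
    v = comp.get("version")
    if not v:
        return None, 0
    return v.get("number"), v.get("confidence", 0)


def triage(report):
    """Rows of (component, detected_version, title, status, confidence)."""
    rows = []
    core = report.get("version") or {}
    for vuln in core.get("vulnerabilities", []):
        rows.append(("wordpress", core.get("number"), vuln["title"],
                     status(core.get("number"), vuln.get("fixed_in")), core.get("confidence", 0)))
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            number, conf = _detected(comp)
            for vuln in comp.get("vulnerabilities", []):
                rows.append((f"{kind[:-1]}:{slug}", number, vuln["title"],
                             status(number, vuln.get("fixed_in")), conf))
    return rows


def actionable(report):
    """Findings that still need attention: affected, or version unknown."""
    return [r for r in triage(report) if r[3] != "fixed"]


def outdated_components(report):
    """Slugs WPScan marked as outdated, vulnerable or not (they still need updating)."""
    return sorted(slug for kind in ("plugins", "themes")
                  for slug, comp in (report.get(kind) or {}).items() if comp.get("outdated"))


if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for component, version, title, state, conf in actionable(report):
        print(f"[{state:8}] {component} ({version or '?'}, confidence {conf}%): {title}")
    print("outdated:", ", ".join(outdated_components(report)) or "none")
```

Run it as python triage.py report.json against a real scan; with no argument it processes the constructed sample. The version confidence is carried through on purpose: a low-confidence "fixed" verdict deserves a second look with --plugins-version-all or an aggressive --plugins-version-detection before it is closed.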
How to install WPScan
The program is pre-installed on Kali Linux (and on other security-oriented Linux distributions). Windows is not supported.
Prerequisites
- Ruby >= 2.1.9 - Recommended: 2.3.3
- Curl >= 7.21 - Recommended: latest - FYI: curl 7.29 has a segfault
- RubyGems - Recommended: latest
- Git
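Before building from source it is worth checking the prerequisites above on the host, in particular the curl 7.29 caveat, which is the kind of failure that only shows up mid-scan. The following is an added example (not part of WPScan) that parses the banners of ruby --version and curl --version and compares them against the minimums the page lists; the sample banner strings in the tests are constructed, and check_environment additionally requires gem and git on PATH.

```python
"""Check the WPScan prerequisites listed above before installing from source.

Added example for this page, not part of WPScan. It reads the first line of
`ruby --version` and `curl --version` and compares against the minimums the
page states (Ruby >= 2.1.9, curl >= 7.21, curl 7.29 known to segfault), then
confirms gem and git are on PATH.
"""
import re
import shutil
import subprocess

MIN_RUBY = (2, 1, 9)
MIN_CURL = (7, 21, 0)
BROKEN_CURL = (7, 29)       # the page's segfault caveat, major.minor only


def parse_version(text):
    """First dotted version in a --version banner, e.g. 'ruby 2.3.3p222 ...' -> (2, 3, 3)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def _fmt(v):
    return ".".join(map(str, v))


def check_ruby(banner):
    """(ok, message) for a `ruby --version` banner."""
    v = parse_version(banner)
    if v is None:
        return False, "could not parse ruby version"
    if v < MIN_RUBY:
        return False, f"ruby {_fmt(v)} is below the required {_fmt(MIN_RUBY)}"
    return True, f"ruby {_fmt(v)} ok"


def check_curl(banner):
    """(ok, message) for a `curl --version` banner; flags the 7.29 segfault release."""
    v = parse_version(banner)
    if v is None:
        return False, "could not parse curl version"
    if v < MIN_CURL:
        return False, f"curl {_fmt(v)} is below the required 7.21"
    if v[:2] == BROKEN_CURL:
        return False, f"curl {_fmt(v)} is the 7.29 release known to segfault; upgrade"
    return True, f"curl {_fmt(v)} ok"


def _banner(cmd):
    """First stdout line of a command, or '' if the tool is missing."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""
    return out.splitlines()[0] if out else ""


def check_environment():
    """Run every check on the local machine; returns (all_ok, messages)."""
    results = [check_ruby(_banner(["ruby", "--version"])),
               check_curl(_banner(["curl", "--version"]))]
    for tool in ("gem", "git"):
        found = shutil.which(tool) is not None
        results.append((found, f"{tool} {'found' if found else 'missing'}"))
    return all(ok for ok, _ in results), [msg for _, msg in results]


if __name__ == "__main__":
    ok, messages = check_environment()
    print("\n".join(messages))
    raise SystemExit(0 if ok else 1)
```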
Installing on Ubuntu, Linux Mint:
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev git
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
./wpscan.rb --help
Installing on Debian:
sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler
sudo bundle install --without test --path vendor/bundle
./wpscan.rb --help
Installing on Fedora:
sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
./wpscan.rb --help
Installing on Arch Linux:
sudo pacman -Syu ruby
sudo pacman -Syu libyaml
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
gem install typhoeus
gem install nokogiri
./wpscan.rb --help
Installing dependencies on Mac OSX
Apple Xcode, the Command Line Tools and libffi are needed (to be able to install the FFI gem); see http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
./wpscan.rb --help
Installing with RVM:
cd ~
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -sSL https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
rvm install 2.3.3
rvm use 2.3.3 --default
echo "gem: --no-ri --no-rdoc" > ~/.gemrc
gem install bundler
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
bundle install --without test
WPScan Tutorials
- How to check WordPress sites for vulnerabilities
- Anonymous scanning through Tor with Nmap, sqlmap or WPScan
- 5 free and simple steps to secure WordPress web sites
- Free online WordPress vulnerability scanner
- Free online WordPress vulnerability scanner (mirror)
- How to Install and Run WPScan on Windows