You are here: Home » Web Applications » WPScan

WPScan

WPScan Description

WPScan is a black box WordPress vulnerability scanner.

Homepage: https://wpscan.org/

Author: WPScan Team

License: dual-licensed

WPScan Help

Usage:

wpscan [options]

Options:

        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http
                                                  This option is mandatory unless update or help or version is/are supplied
    -h, --help                                    Display the help and exit
        --version                                 Display the version and exit
        --ignore-main-redirect                    Ignore the main redirect (if any) and scan the target url
    -v, --verbose                                 Verbose mode
        --[no-]banner                             Whether or not to display the banner
                                                  Default: true
    -o, --output FILE                             Output to FILE
    -f, --format FORMAT                           Output results in the format supplied
                                                  Available choices: cli-no-colour, cli-no-color, json, cli
        --detection-mode MODE                     Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --scope DOMAINS                           Comma separated (sub-)domains to consider in scope. 
                                                  Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld
                                                  Separator to use between the values: ','
        --user-agent, --ua VALUE
        --headers HEADERS                         Additional headers to append in requests
                                                  Separator to use between the headers: '; '
                                                  Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa'
        --vhost VALUE                             The virtual host (Host header) to use in requests
        --random-user-agent, --rua                Use a random user-agent for each scan
        --user-agents-list FILE-PATH              List of agents to use with --random-user-agent
        --http-auth login:password
    -t, --max-threads VALUE                       The max threads to use
                                                  Default: 5
        --throttle MilliSeconds                   Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS                 The request timeout in seconds
                                                  Default: 60
        --connect-timeout SECONDS                 The connection timeout in seconds
                                                  Default: 30
        --disable-tls-checks                      Disables SSL/TLS certificate verification
        --proxy protocol://IP:port                Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE                    Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH                    File to read and write cookies
                                                  Default: /tmp/wpscan/cookie_jar.txt
        --cache-ttl TIME_TO_LIVE                  The cache time to live in seconds
                                                  Default: 600
        --clear-cache                             Clear the cache before the scan
        --cache-dir PATH                          Default: /tmp/wpscan/cache
        --server SERVER                           Force the supplied server module to be loaded
                                                  Available choices: apache, iis, nginx
        --force                                   Do not check if the target is running WordPress
        --[no-]update                             Wether or not to update the Database
                                                  This option is mandatory unless url or help or version is/are supplied
        --wp-content-dir DIR
        --wp-plugins-dir DIR
        --interesting-findings-detection MODE     Use the supplied mode for the interesting findings detection. 
                                                  Available choices: mixed, passive, aggressive
        --wp-version-all                          Check all the version locations
        --wp-version-detection MODE               Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --main-theme-detection MODE               Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
    -e, --enumerate [OPTS]                        Enumeration Process
                                                  Available Choices:
                                                   vp   Vulnerable plugins
                                                   ap   All plugins
                                                   p    Plugins
                                                   vt   Vulnerable themes
                                                   at   All themes
                                                   t    Themes
                                                   tt   Timthumbs
                                                   cb   Config backups
                                                   dbe  Db exports
                                                   u    User IDs range. e.g: u1-5
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-10
                                                   m    Media IDs range. e.g m1-15
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-100
                                                  Separator to use between the values: ','
                                                  Default: All Plugins, Config Backups
                                                  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                                  Incompatible choices (only one of each group/s can be used):
                                                   - vp, ap, p
                                                   - vt, at, t
        --exclude-content-based REGEXP_OR_STRING  Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                                  Both the headers and body are checked. Regexp delimiters are not required.
        --plugins-list LIST                       List of plugins to enumerate
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --plugins-detection MODE                  Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.
                                                  Default: passive
                                                  Available choices: mixed, passive, aggressive
        --plugins-version-all                     Check all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection)
        --plugins-version-detection MODE          Use the supplied mode to check plugins versions instead of the --detection-mode or --plugins-detection modes.
                                                  Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --themes-list LIST                        List of themes to enumerate
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --themes-detection MODE                   Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --themes-version-all                      Check all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection)
        --themes-version-detection MODE           Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes.
                                                  Available choices: mixed, passive, aggressive
        --timthumbs-list FILE-PATH                List of timthumbs' location to use
                                                  Default: /home/mial/.wpscan/db/timthumbs-v3.txt
        --timthumbs-detection MODE                Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --config-backups-list FILE-PATH           List of config backups' filenames to use
                                                  Default: /home/mial/.wpscan/db/config_backups.txt
        --config-backups-detection MODE           Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --db-exports-list FILE-PATH               List of DB exports' paths to use
                                                  Default: /home/mial/.wpscan/db/db_exports.txt
        --db-exports-detection MODE               Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --medias-detection MODE                   Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --users-list LIST                         List of users to check during the users enumeration from the Login Error Messages
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --users-detection MODE                    Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
    -P, --passwords FILE-PATH                     List of passwords to use during the password attack.
                                                  If no --username/s option supplied, user enumeration will be run.
    -U, --usernames LIST                          List of usernames to use during the password attack.
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD         Maximum number of passwords to send by request with XMLRPC multicall
                                                  Default: 500
        --password-attack ATTACK                  Force the supplied attack to be used rather than automatically determining one.
                                                  Available choices: wp-login, xmlrpc, xmlrpc-multicall
        --stealthy                                Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

WPScan Usage Example

Do 'non-intrusive' checks…

ruby wpscan.rb --url www.example.com

Do wordlist password brute force on enumerated users using 50 threads…

ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the 'admin' username only…

ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

Enumerate installed plugins…

ruby wpscan.rb --url www.example.com --enumerate p

Run all enumeration tools…

ruby wpscan.rb --url www.example.com --enumerate

Use custom content directory…

ruby wpscan.rb -u www.example.com --wp-content-dir custom-content

Update WPScan's databases…

ruby wpscan.rb --update

Debug output…

ruby wpscan.rb --url www.example.com --debug-output 2>debug.log

How to install WPScan

The program is pre-installed on Kali Linux.

WPScan comes pre-installed on the following Linux distributions:

Windows is not supported

Prerequisites

  • Ruby >= 2.1.9 – Recommended: 2.3.3
  • Curl >= 7.21 – Recommended: latest – FYI the 7.29 has a segfault
  • RubyGems – Recommended: latest
  • Git

Installing on Ubuntu, Linux Mint:

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev git
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
./wpscan.rb --help

Installing on Debian:

sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler
sudo bundle install --without test --path vendor/bundle
./wpscan.rb --help

Installing on Fedora:

sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
./wpscan.rb --help

Installing on Arch Linux:

pacman -Syu ruby
pacman -Syu libyaml
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
gem install typhoeus
gem install nokogiri
./wpscan.rb --help

Installing dependencies on Mac OSX

Apple Xcode, Command Line Tools and the libffi are needed (to be able to install the FFI gem), See http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error

git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && sudo bundle install --without test
./wpscan.rb --help

Installing with RVM:

cd ~
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -sSL https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
rvm install 2.3.3
rvm use 2.3.3 --default
echo "gem: --no-ri --no-rdoc" > ~/.gemrc
gem install bundler
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
gem install bundler
bundle install --without test

WPScan Screenshots

WPScan Tutorials

Related tools

Also recommended: