WPScan is a free (for non-commercial use) black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites. It can also tell you whether weak passwords, enumerable users or security configuration issues are present. The database at https://wpscan.com/ is used to check for vulnerable software, and the WPScan team maintains its ever-growing list of vulnerabilities.
As you can see, there are two types: one is a WordPress plugin, the other is a Linux-based WordPress security scanner (the command-line tool). Today we are going to look at how to use the Linux-based scanner to explore WordPress vulnerabilities.
See the WPScan documentation for help installing WPScan on your Linux machine.
Once you have finished installing WPScan, run the wpscan -h command to confirm that the installation was successful; the output looks like the following image.
[Image: output of "wpscan -h"]
You can now update the WPScan database using the wpscan --update command; the output will look like this.
Now we can start the scan to identify vulnerable WordPress themes, plugins, users and so on. This will tell you whether your website is at high risk of becoming infected.
Example: wpscan --url http://techblog.domains.lk/
Result for above command looks like this.
We can also look for specific vulnerabilities by adding arguments to the end of this basic command.
The WPScan CLI tool uses the WPScan API to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data, an API token must be supplied via the --api-token option or via a configuration file. An API token can be obtained by registering an account on WPScan.
WPScan Enumeration Scan
When enumerating the WordPress version, installed plugins or installed themes, you can use three different "modes", which are:
- passive
- aggressive
- mixed
If you want the most results, use the "mixed" mode. However, if you are worried that the server may not be able to handle a large number of requests, use the "passive" mode. The default mode is "mixed", with the exception of plugin enumeration, which is "passive". You will need to manually override the plugin detection mode with the --plugins-detection option if you want to use anything other than the default.
WPScan can enumerate various things from a remote WordPress application, such as plugins, themes, usernames, backed-up wp-config.php files, Timthumb files, database exports and more. To use WPScan's enumeration capabilities, supply the -e option.
The following enumeration options exist:
- vp (Vulnerable plugins)
- ap (All plugins)
- p (Popular plugins)
- vt (Vulnerable themes)
- at (All themes)
- t (Popular themes)
- tt (Timthumbs)
- cb (Config backups)
- dbe (Db exports)
- u (User IDs range. e.g: u1-5)
- m (Media IDs range. e.g: m1-15)
As a black box scanner, WPScan does not have access to source code. It uses the same enumeration techniques a real attacker would to find information about a WordPress target. Some of the most common enumeration checks WPScan performs during a scan are:
- Detecting the versions of WordPress core, plugins and themes
- Checking for publicly accessible wp-config.php backups or other database exports
- Enumerating WordPress users
Checking for vulnerable plugins:
wpscan --url http://techblog.domains.lk/ -e vp --api-token <your API Token>
Checking for vulnerable themes:
wpscan --url http://techblog.domains.lk/ -e vt --api-token <your API Token>
Checking for user enumeration:
wpscan --url http://techblog.domains.lk/ -e u --api-token <your API Token>
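The checks listed above are exactly what a site owner sees in the web server's access log while a scan runs, so here is the defender's side as an added example (it is not part of the original post and not WPScan's own code): a small Python script that parses combined-format access log lines and flags a client that probes plugin/theme version files, wp-config.php backups or author IDs. The log lines, IP addresses and the WPScan version string in the User-Agent are constructed for this example; because a scanner's User-Agent is trivially changed, the script also flags on request patterns alone once they pass a threshold.

```python
import re
from collections import Counter, defaultdict

# Constructed sample values for the example. WPScan announces itself in the
# User-Agent by default, but treat that as a weak signal only.
SCANNER_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"


def log_line(ip, path, status, ua):
    """Build one constructed Apache/Nginx combined-format access log line."""
    return (f'{ip} - - [10/Oct/2023:12:00:01 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed log: one scanning client, one ordinary visitor.
SAMPLE_LOG = "\n".join([
    log_line("203.0.113.7", "/", 200, SCANNER_UA),
    log_line("203.0.113.7", "/wp-content/plugins/akismet/readme.txt", 200, SCANNER_UA),
    log_line("203.0.113.7", "/wp-content/themes/twentytwenty/style.css", 200, SCANNER_UA),
    log_line("203.0.113.7", "/wp-config.php.bak", 404, SCANNER_UA),
    log_line("203.0.113.7", "/wp-config.php~", 404, SCANNER_UA),
    log_line("203.0.113.7", "/?author=1", 301, SCANNER_UA),
    log_line("203.0.113.7", "/?author=2", 301, SCANNER_UA),
    log_line("203.0.113.7", "/wp-json/wp/v2/users", 200, SCANNER_UA),
    log_line("198.51.100.4", "/2023/10/hello-world/", 200, BROWSER_UA),
])

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request shapes matching the enumeration checks described in the post:
# version probes of plugin/theme metadata files, wp-config.php backup
# guesses, and user enumeration via author IDs or the REST users endpoint.
ENUM_PATTERNS = {
    "plugin_version_probe": re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$"),
    "theme_version_probe": re.compile(r"^/wp-content/themes/[^/]+/style\.css$"),
    "config_backup_probe": re.compile(r"^/wp-config\.php(?:\.\w+|~)$"),
    "user_enumeration": re.compile(r"^/\?author=\d+$|^/wp-json/wp/v2/users"),
}


def classify_path(path):
    """Return the enumeration category a request path belongs to, or None."""
    for name, rx in ENUM_PATTERNS.items():
        if rx.search(path):
            return name
    return None


def analyze(log_text, threshold=3):
    """Summarise enumeration activity per client IP.

    A client is flagged when its User-Agent claims to be WPScan, or when the
    number of enumeration-style requests reaches `threshold` regardless of
    User-Agent (the pattern-based rule catches a renamed scanner).
    """
    per_ip = defaultdict(lambda: {"categories": Counter(),
                                  "scanner_ua": False, "flagged": False})
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # skip lines that are not in combined format
        entry = per_ip[m["ip"]]
        if "wpscan" in m["ua"].lower():
            entry["scanner_ua"] = True
        category = classify_path(m["path"])
        if category:
            entry["categories"][category] += 1
    for entry in per_ip.values():
        hits = sum(entry["categories"].values())
        entry["flagged"] = entry["scanner_ua"] or hits >= threshold
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        status = "FLAGGED" if info["flagged"] else "ok"
        print(f"{ip}: {status} ua={info['scanner_ua']} {dict(info['categories'])}")
```

The threshold rule matters more than the User-Agent match: the paths probed are fixed by how WordPress lays out plugins, themes and author archives, so they are the stable signal to alert on, while the `wpscan` string disappears with a single command-line option. Note that a 404 on a wp-config.php backup guess is still worth counting; the request itself is the indicator.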
Additionally, WPScan will also let you know if the version of WordPress you are running contains security vulnerabilities, in which case you would need to upgrade to the latest version of WordPress.
Next time we will discuss WPScan scan results and reporting methods in more detail.