How To Use WPSCAN

WPScan – WordPress Security Scanner

What is WPScan?

WPScan is wonderful and super fast wordpress vulnerability scanner written in ruby language, sponsored by RandomStorm and hosted by Googlecode. It provides you an easy way to penetrate wordpress blogs using blackbox techniques.

How to use WPScan?

One more thing we need here; is to download keywords database which will be used for brute forcing.

wget http://static.hackersgarage.com/darkc0de.lst.gz
gunzip darkc0de.lst.gz

Example usage of this application :

Do ‘non-intrusive’ checks…
ruby ./wpscan.rb –url <URL>
-confirms use of wordpress-

Do wordlist password brute force on enumerated users using 50 threads…
ruby ./wpscan.rb –url <URL> –wordlist darkc0de.lst –threads 50

Do wordlist password brute force on the ‘admin’ username only…
ruby ./wpscan.rb –url <URL> –wordlist darkc0de.lst –username admin

Generate a new ‘most popular’ plugin list, up to 150 pages…
ruby ./wpscan.rb –generate_plugin_list 150

Enumerate instaled plugins…
ruby ./wpscan.rb –enumerate p

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s