WPScan Lab

[toggle_content title="Transcript"] Hey Leo Dregier here I want to talk to you about utility called WordPress scanner. You can use this application in web application pen testing to get a basic idea of sort of a vulnerability scan with web applications particularly WordPress sites. So what we are going to do is i am going over to my Kali back track penetration testing and you can pull up this utility a couple of different ways. You can go into Kali Linux go over to web applications, go over to content management system identification and then choose WordPress scanner or you can go ahead and just type it from the command prompt. It is really easy you basically just type in WordPress scan hit enter and it will basically tell you some basic stuff. WordPress scanner, WordPress security scanner WP scan teen tells you the version of the tool. Who has sponsored the project and then some different examples. So ruby./ WPScan.org rb.tac.tac help or tac.tac URL and then in particular URL that you want or you can use a specific word list to do password to brute force attempts. You can do that specifically for admin and it will show you how you can incorporate a wordlist and there are many word list already included in the Kali penetration testing operating system and try to brute force to login information. How to enumerate installed plugins to see what is installed on it. How do you find out when themes are relevant to the WordPress site. How to enumerate what users is this? It is just the example enumerate tech u - how to look at installed thumb nails. How to look at http proxies, socs proxy which is a bit more rare. How to look for content directories of the default directory names like basic anything that UT whatever directory. Using custom plugins updating the database in itself. So that is easy that is Just literally you wanted to update this and you can just copy this and click update. That is easy enough to do - you can do a ruby./ wpskin.rb tech tech update and let the update run. And you are going to run this from the directory. It is a little bit easier if you are doing it that way - I have already updated it using a different directory here. You can take that out and get the actual update or the update run. I am not going to worry about that here and now. Actually just want to show you the skin, the URL and you are going to use the before //url and don't forget to include the http://linuxwarrior.com and basically just let that run and it will take a couple of minutes for it to enumerate the alpha because it is working in the background. So we want to talk freely here about it. Now when you are doing the application pen testing it is very, very similar of a life cycle to regular hacking and ethical hacking and penetration testing life cycles. You want to do your foot print your skin, your reconnaissance your enumeration and then of course the one at the top of glory the actual system hacks. So in this case this is what found as scanning or web application vulnerability scanning specifically. So it is not very much I mean normally the difference is penetration testing and ethical hacking and things like that. They normally are for networks or operating systems where web application vulnerability and penetration testing is more for web servers specifically. Similar life cycles except your targets are exclusively web targets as opposed to networks and operating systems. So what you can see here is the URL so great make sure you type that correctly. Your skin started here it will give you a little time stamp, the WordPress site defines a little readme.html file and you want to go ahead and open that. Specifically because if there is a readme sometimes these readme files can actually disclose the different versions of things in them. So we will just go ahead and open that up and in this case you can see a plauser version 3.9.3 and this is a standard WordPress readme file. So what I would always recommend doing is deleting this file of course I have got a test website here that I am testing all of this up. I own and I control so it has not been hardened but it also tells me the php version 5.2.4 mySQL so it is using the limp architecture php mySQL etc. mySQL is running at version 5 or higher and you would have to question if the mod_apache module is actually configured appropriately at this point. The mod_apache module what that does is that it changes your URLs and allows you to rewrite the extensions. So that you don't have .php and things like listed in your URL. Sometimes we call those search engine friendly URLs when you try to hide things Like aspX or php because then you can basically start guessing queries like ID=1 or something like that. So you would want to ultimately get rid of that. But it is clearly indicative of a WordPress site or somebody's taken a lot of effort to try to mimic a WordPress site which I would then in turn validate this by looking at the directory structure and if I see something like wpadmin and wpcontent or content or somebody like that. Then it is probably spot on but the impact is a word press site. So it has found the readme file - full path disclosure or fpd and you can see the wp include - rss functions. So that is disclosed - it has found that it was an apache webserver also found the interesting header that is powered by php5.3 and the readme file I believe we only knew that it was greater than 5.0 and found the XML RPC interface. So you would have to wonder if that is found the boom. The WordPress version is 393 - we got that out of the help me file. The WordPress theme in this case is actually knows that it is a 2014 theme. The name the location of the theme and any sort of content that you can find that is related to that and it is pretty indicative because you get the plus sign here and just dashes and this is all part of the same header if you will and the reason why these themes are good is because sometimes people use themes. They don't update the themes and there is vulnerability specifically related to them and you can exploit the system by going after the theme in itself. Enumerating plugins from passive detection, no plugins found which would not be a false positive because this tool cannot find them because there is plugins on this website. Then your skin finished - the date and time in which it finished. The memory that was used and the total time about two minute and thirty one seconds. So within a couple of minutes I can get a basic recon from a scanning utility which is a ruby script and get a basic idea of what my target is. So if we kind of go back to this and look at the help and again you can just do a wp scan here to give you the syntax. You can start looking at different options in here. There is more to it, it is not just doing a WordPress scanner and that is it. You can look for users - you can do http proxies look for themes and plugins and things like that - so if I wanted to really push the enumeration. I would just redo my skin and would just do enumerate-p which is the enumerate plugins. So that would be dash - dash enumerate p and that will check the syntax. it is just a p dash and then go ahead and run that again. And again the skinner will now look for that one specific sub model, so at first I would like to do this and run it as a complete - tell me everything you can find and then you can poke and prod and just look at some of the specifics but definitely look at the latest and greatest version. Throw it against your target - see what you get document all of this and if you wanted to document this I would just control C. So that is why we have got a bunch of airs here. If i want to document this I just want to redirect the output here to wp scan.txt and then all my output would be dumped right there. So if I just less file wp scan - you can see where the content would be – you got to get a couple of more minutes to run. But other than that - that is it - it is a great quick sand b check especially if you know the type of site that you are looking at and then you can and if it is WordPress then you can go into that detail specifically. So hope you enjoy the video my name is Leo Dregier. Don't forget to check this out on Cybrary Facebook, LinkedIn, Youtube, Twitter and connect share and the cool part of the Cybrary website is this is the network that you are building. You have to make this an awesome product. So I look forward to all the connection requests and sharing that is about to come. My Leo Dregier thank you for watching. [/toggle_content] This next lab in the Hacking Web Servers module introduces you to WPScan. WPScan stands for WordPress Scan. This lesson demonstrates how to do a vulnerability scan on web server applications to target WordPress sites. This lesson specifically uses WordPress (WP). You’ll learn the different target types you can execute such as password lists, user names, as well as site paths.  This direct application approach is key to helping you identify how tools work, particularly since that might vary from one web server application to another.  
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge



Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?