How to Use WPScan, Nmap, and Nikto to Scan and Check the Security of a WordPress Site
There is a reason millions of websites run WordPress: among content management systems it is one of the most developer-friendly, and you can do practically anything with it. Unfortunately, it is alarming how often we read that a major website has been hacked or an important database has been leaked.
In this article I will walk through installing wpscan and using it to locate plug-ins and themes with known vulnerabilities that put your site at risk. I will then show how to install and use nmap, a free security scanner used for network exploration and attacks, and finally how to use nikto.
Use WPScan to test vulnerable WordPress plug-ins and themes
WPScan is a black box WordPress security scanner written in Ruby. It is designed to find known WordPress vulnerabilities and gives security professionals and WordPress administrators a way to assess the security of their WordPress sites. It is open source and released under the GPLv3.
Download and install WPScan
Before installing wpscan, note that wpscan does not run on Windows, so you need a Linux or OS X machine to follow the steps below. If you only have Windows, download VirtualBox and install your favorite Linux distribution in a VM.
The WPScan source code is hosted on GitHub, so you first need to install git (LCTT note: you can also download the packaged source code directly from GitHub without installing git).
sudo apt-get install git
Once git is installed, install the wpscan dependencies.
sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev ruby1.9.3
Clone wpscan from GitHub.
git clone https://github.com/wpscanteam/wpscan.git
Now change into the newly created wpscan directory and install the required Ruby gems with bundler.
cd wpscan
sudo gem install bundler && bundle install --without test development
Now that wpscan is installed, we can use it to search for potentially vulnerable files on our WordPress site. The most useful aspect of wpscan is that it can enumerate not only plug-ins and themes but also users and timthumb files. WPScan can also be used to brute-force WordPress logins, but that is outside the scope of this article.
Update WPScan
ruby wpscan.rb --update
List plug-ins
To list all the plug-ins, add the "--enumerate p" option, as shown below:
ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate p
Or list only the vulnerable plug-ins:
ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate vp
Some example output:
| Name: akismet
| Location: http://********.com/wp-content/plugins/akismet/
| Name: audio-player
| Location: http://********.com/wp-content/plugins/audio-player/
|
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Reference: http://seclists.org/bugtraq/2013/Feb/35
| * Reference: http://secunia.com/advisories/52083
| * Reference: http://osvdb.org/89963
| * Fixed in: 2.0.4.6
| Name: bbpress - v2.3.2
| Location: http://********.com/wp-content/plugins/bbpress/
| Readme: http://********.com/wp-content/plugins/bbpress/readme.txt
|
| * Title: BBPress - Multiple Script Malformed Input Path Disclosure
| * Reference: http://xforce.iss.net/xforce/xfdb/78244
| * Reference: http://packetstormsecurity.com/files/116123/
| * Reference: http://osvdb.org/86399
| * Reference: http://www.exploit-db.com/exploits/22396/
|
| * Title: BBPress - forum.php page Parameter SQL Injection
| * Reference: http://xforce.iss.net/xforce/xfdb/78244
| * Reference: http://packetstormsecurity.com/files/116123/
| * Reference: http://osvdb.org/86400
| * Reference: http://www.exploit-db.com/exploits/22396/
| Name: contact
| Location: http://********.com/wp-content/plugins/contact/
List themes
Listing themes works the same way as listing plug-ins; you only need to use "--enumerate t".
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate t
Or list only vulnerable themes:
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate vt
Example output:
| Name: path
| Location: http://********.com/wp-content/themes/path/
| Style URL: http://********.com/wp-content/themes/path/style.css
| Description:
| Name: pub
| Location: http://********.com/wp-content/themes/pub/
| Style URL: http://********.com/wp-content/themes/pub/style.css
| Description:
| Name: rockstar
| Location: http://********.com/wp-content/themes/rockstar/
| Style URL: http://********.com/wp-content/themes/rockstar/style.css
| Description:
|
| * Title: WooThemes WooFramework Remote Unauthenticated Shortcode Execution
| * Reference: https://gist.github.com/2523147
| Name: twentyten
| Location: http://********.com/wp-content/themes/twentyten/
| Style URL: http://********.com/wp-content/themes/twentyten/style.css
| Description:
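The plug-in and theme listings above share one "|"-framed format, and on a site with many components it is handy to turn that text into a list of what needs updating. The following is an added example, not code from the original article or from the WPScan project: a small Python parser for that listing plus a triage step that reports each flagged component with the "Fixed in" version when WPScan gives one. The sample input is constructed from the plug-in output shown above with a made-up hostname.

```python
import re
# Constructed sample in the "--enumerate vp" format shown above (made-up hostname;
# the titles, references and fixed version are the ones from the page).
SAMPLE = """\
| Name: akismet
| Location: http://example.com/wp-content/plugins/akismet/
| Name: audio-player
| Location: http://example.com/wp-content/plugins/audio-player/
|
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Reference: http://seclists.org/bugtraq/2013/Feb/35
| * Fixed in: 2.0.4.6
| Name: bbpress - v2.3.2
| Location: http://example.com/wp-content/plugins/bbpress/
|
| * Title: BBPress - forum.php page Parameter SQL Injection
| * Reference: http://osvdb.org/86400
"""

def parse_wpscan(text):
    """Parse the '|'-framed listing into dicts: name, version, location, vulns.
    Theme listings use the same lines; 'Style URL:'/'Description:' are ignored."""
    comps, comp, vuln = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("| ").rstrip()                # drop the "| " frame
        if line.startswith("Name: "):
            m = re.match(r"(.+?) - v(\S+)$", line[6:])  # e.g. "bbpress - v2.3.2"
            name, ver = m.groups() if m else (line[6:], None)
            comp = {"name": name, "version": ver, "location": None, "vulns": []}
            comps.append(comp)
            vuln = None                                 # new component, no vuln yet
        elif line.startswith("Location: ") and comp:
            comp["location"] = line[10:]
        elif line.startswith("* Title: ") and comp:
            vuln = {"title": line[9:], "refs": [], "fixed_in": None}
            comp["vulns"].append(vuln)
        elif line.startswith("* Reference: ") and vuln:
            vuln["refs"].append(line[13:])
        elif line.startswith("* Fixed in: ") and vuln:
            vuln["fixed_in"] = line[12:]
    return comps

def triage(comps):
    """One action line per component with known issues: the update target when
    WPScan lists a fixed version, otherwise a flag for manual review."""
    out = []
    for c in (x for x in comps if x["vulns"]):
        fixes = sorted({v["fixed_in"] for v in c["vulns"] if v["fixed_in"]})
        action = "update to " + ", ".join(fixes) if fixes else "no fixed version listed, review manually"
        out.append(f'{c["name"]}: {len(c["vulns"])} known issue(s); {action}')
    return out
```

Feed it the saved output of a scan of your own site (for example `ruby wpscan.rb --url ... --enumerate vp,vt > scan.txt`) and print `triage(parse_wpscan(open("scan.txt").read()))` to get the update list.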
List users
WPScan can also be used to list the users and valid login names of a WordPress site. Attackers often do this to obtain a list of users for more effective brute-force attacks.
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate u
List Timthumb files
The last WPScan feature I want to cover is enumerating timthumb (thumbnail) files. In recent years timthumb has become a common target for attackers, because many vulnerabilities have been found in it and posted to forums, mailing lists, and elsewhere. Use the following command to find vulnerable timthumb files with wpscan:
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate tt