use of wpscan

[bmike1]

WPScan – WordPress Security Scanner (from http://www.hackersgarage.com/wpscan-...y-scanner.html)

by Syed Alam

What is WPScan?

WPScan is wonderful and super fast wordpress vulnerability scanner written in ruby language, sponsored by RandomStorm and hosted by Googlecode. It provides you an easy way to penetrate wordpress blogs using blackbox techniques.


How to use WPScan?

One more thing we need here; is to download keywords database which will be used for brute forcing.

wget http://static.hackersgarage.com/darkc0de.lst.gz
gunzip darkc0de.lst.gz

Example usage of this application :

Do ‘non-intrusive’ checks…
ruby ./wpscan.rb --url <URL>
-confirms use of wordpress-

Do wordlist password brute force on enumerated users using 50 threads…
ruby ./wpscan.rb --url <URL> --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the ‘admin’ username only…
ruby ./wpscan.rb --url <URL> --wordlist darkc0de.lst --username admin

Generate a new ‘most popular’ plugin list, up to 150 pages…
ruby ./wpscan.rb --generate_plugin_list 150

Enumerate instaled plugins…
ruby ./wpscan.rb --enumerate p

[g0tmi1k]

You can also find darkc0de.lst here:

Code:

/pentest/passwords/wordlists/darkc0de.lst