Web Enumeration - WPScan

Rajan Kshedal
Nov 4, 2022


This is the second post in the web enumeration basics series, and today I will write about WPScan, another automated tool for web enumeration. By the end of this post you will know the basics of WPScan: how to install it, its different modes and how to use it.

Introduction:
WPScan was first released in 2011 and has stood the test of time as a vital tool that every pentester should have in their toolkit.

The WPScan framework can enumerate and research several categories of security weakness present in WordPress sites, including but not limited to:

  • Sensitive Information Disclosure (plugin and theme versions with disclosed vulnerabilities or CVEs)
  • Path Discovery (looking for misconfigured file permissions, e.g. an exposed wp-config.php)
  • Weak Password Policies (Password bruteforcing)
  • Presence of Default Installation (Looking for default files)
  • Testing Web Application Firewalls (Common WAF plugins)

Installation:
Thankfully, WPScan comes preinstalled in the latest versions of Kali Linux and Parrot OS. If you are using an older version of Kali, you can install it with the following command in your terminal:

sudo apt update && sudo apt install wpscan

If you are using a different OS or distro, check the developer's documentation to learn how to install it on your machine.

WPScan’s Database:
WPScan uses a local database as its primary reference point when enumerating themes and plugins, so it is highly recommended that you update this database before performing any scan.
To update the WPScan database, simply run this command in your terminal:

wpscan --update

Enumerating Themes:
WPScan has a few ways of determining the theme installed on a site. The first is a technique we can perform manually too: look at the assets the web browser loads and find where the installed theme lives on the web server. Using the "Network" tab of your browser's developer tools, you can see which files load when you visit the site.

The screenshot above shows a lot of files being loaded; while checking them I found this URL:

http://www.anywordpressintalledsite.com/wp-content/themes/twentynineteen

Looking at this URL, we can be sure that the installed theme is twentynineteen.
Now let's automate our work, shall we? Let's use WPScan to find out exactly which theme is running by typing the following command:

wpscan --url http://www.anywordpressintalledsite.com/ --enumerate t

and here is the result:

Another nice thing about WPScan is that it tells you how it arrived at that result.
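To show what WPScan is doing under the hood here, this added example (not from the post and not WPScan's own code) pulls the theme name out of the asset URLs in a page, the same way the manual Network-tab check does. The HTML is constructed, the host is the post's placeholder and the version values are hypothetical.

```python
import re
from collections import Counter

# Constructed HTML standing in for the assets the browser's "Network" tab shows
# loading from a WordPress site (placeholder host, hypothetical versions).
SAMPLE_HTML = """
<link rel="stylesheet" href="http://www.anywordpressintalledsite.com/wp-content/themes/twentynineteen/style.css?ver=1.4">
<script src="http://www.anywordpressintalledsite.com/wp-content/themes/twentynineteen/js/priority-menu.js?ver=1.4"></script>
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.6">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
"""

# The theme is whatever directory under /wp-content/themes/ the assets are served from
THEME_RE = re.compile(r"/wp-content/themes/([A-Za-z0-9_.-]+)/")


def detect_theme(html):
    """Return (theme_name, version_hint, asset_count), or None if no theme asset loads.

    If assets reference more than one theme directory (a child theme plus its
    parent), the most-referenced directory wins. The ?ver= value WordPress appends
    to theme assets is only a hint; WPScan confirms the version against the
    theme's own style.css header, which this example does not fetch.
    """
    names = Counter(THEME_RE.findall(html))
    if not names:
        return None
    theme, count = names.most_common(1)[0]
    # Collect ?ver= values only from assets belonging to the chosen theme
    asset_re = re.compile(
        rf"/wp-content/themes/{re.escape(theme)}/[^\s'\">]*\?ver=([0-9][0-9.]*)"
    )
    versions = Counter(asset_re.findall(html))
    version = versions.most_common(1)[0][0] if versions else None
    return theme, version, count


if __name__ == "__main__":
    print(detect_theme(SAMPLE_HTML))  # ('twentynineteen', '1.4', 2)
```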

Enumerating Plugins:
A very common web server feature is directory listing, which works much like the ls command in Linux: it lists the files and directories at that location on the web server. Directory listing occurs when none of the files the web server has been told to process is present. The most common such files are "index.html" and "index.php". As these files aren't present in /a/directory, the contents are displayed instead:

WPScan can leverage this feature to find out which plugins are installed. Since they will all be located in /wp-content/plugins/pluginname, WPScan can enumerate common/known plugins. We can use the following command to enumerate plugins:

wpscan --url http://www.anywordpressintalledsite.com/ --enumerate p

Reading through WordPress's developer documentation, we can learn about plugin readmes to figure out how WPScan determined the version number. Simply put, plugins must have a "README.txt" file. This file contains meta-information such as the plugin name, the versions of WordPress it is compatible with and a description.
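As an added example (not from the post and not WPScan's code), here is a parser for that readme header block, the metadata WPScan reads to pin down a plugin's version. The README.txt is constructed; the plugin name and version are hypothetical.

```python
import re

# Constructed README.txt in the WordPress plugin readme format (hypothetical plugin/version).
SAMPLE_README = """\
=== Example Forms ===
Tags: contact, form
Requires at least: 5.9
Tested up to: 6.1
Stable tag: 2.3.1
License: GPLv2 or later

A lightweight contact form plugin (constructed example).

== Description ==
Longer description text follows here.
"""

HEADER_RE = re.compile(r"^===\s*(.+?)\s*===\s*$")               # === Plugin Name ===
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")   # Key: value


def parse_plugin_readme(text):
    """Return {'name', 'fields', 'short_description'} from a plugin README.txt.
    'Stable tag' in fields is the installed release; 'Tested up to' the WP version."""
    lines = text.strip().splitlines()
    info = {"name": None, "fields": {}, "short_description": None}
    i = 0
    m = HEADER_RE.match(lines[0]) if lines else None
    if m:
        info["name"], i = m.group(1), 1
    while i < len(lines) and lines[i].strip():        # header block ends at a blank line
        m = FIELD_RE.match(lines[i])
        if m:
            info["fields"][m.group(1)] = m.group(2)
        i += 1
    while i < len(lines) and not lines[i].strip():    # skip the blank separator
        i += 1
    desc = []                                         # first paragraph = short description
    while i < len(lines) and lines[i].strip() and not lines[i].startswith("=="):
        desc.append(lines[i].strip())
        i += 1
    if desc:
        info["short_description"] = " ".join(desc)
    return info

def installed_version(text):
    """Version from the Stable tag, or None when missing or 'trunk' (an unpinned release)."""
    tag = parse_plugin_readme(text)["fields"].get("Stable tag")
    return None if not tag or tag.lower() == "trunk" else tag
```

The stable tag is the value to compare against an advisory database; a readme that says "trunk" gives you no release to look up.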

Enumerating Users:
After reading this far I think you have a hint of how powerful this tool is, so it won't surprise you that we can enumerate users with it too. Let's learn how the tool does this. The way WPScan enumerates users is interestingly simple: WordPress sites use authors for posts, and authors are in fact a type of user.

Let's use WPScan to scan for users. How exactly do we do that? Simple: with the following command.

wpscan --url http://www.anywordpressintalledsite.com/ --enumerate u

Above we can see that it found a user, but it also says something about brute forcing? Yes, it can do that too: WPScan can brute force using a wordlist. Then it reports a login error? Yes, it tried logging in with that username and confirmed from the error that the user is real.

The “Vulnerable” flag:
So far we have only enumerated themes, plugins and users; the next step would be to visit sites like MITRE, NVD and CVE Details to look up the names and version numbers of these plugins and determine whether they have any known vulnerabilities. That is quite time consuming and boring, which is why WPScan has a specific flag to do the boring work for us: v. To check whether any installed plugins are vulnerable, we can type this simple command:

wpscan --url http://www.anywordpressintalledsite.com/ --enumerate vp

Above I said the v flag but typed vp. Did I make a mistake? No: the p means plugins, and together vp tells WPScan to check whether the installed plugins are vulnerable.

We got our results in seconds and found that the installed plugins are not vulnerable.

Password Attack:
After determining a list of possible usernames on the WordPress install, we can use WPScan to brute force a username we specify against a password list we provide. We simply use the output of our username enumeration to build a command like this:

wpscan --url http://www.anywordpressintalledsite.com/ --passwords rockyou.txt --usernames Phreakazoid

Adjusting WPScan’s Aggressiveness (WAF):
Unless specified otherwise, WPScan tries to be as little "noisy" as possible. Lots of requests to a web server can trigger things such as firewalls and ultimately result in you being blocked by the server.

This means that some plugins and themes may be missed by our WPScan run. Luckily, we can use arguments such as --plugins-detection with an aggressiveness profile (passive/aggressive) to control this. For example: --plugins-detection aggressive
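From the defender's side, the burst of requests described above is exactly what a WAF or a log review keys on. This added example (not from the post) flags clients that rack up 404s under /wp-content/plugins/ and /wp-content/themes/ within a short window; the combined-format log lines, client IPs and timings are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log: one client guessing plugin readmes
# (the trail an --enumerate p run leaves behind) and one normal visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2022:10:00:01 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Nov/2022:10:00:01 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Nov/2022:10:00:02 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Nov/2022:10:00:02 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Nov/2022:10:00:03 +0000] "GET /wp-content/plugins/wp-super-cache/readme.txt HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Nov/2022:10:00:03 +0000] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 404 231 "-" "Mozilla/5.0"
192.168.1.20 - - [04/Nov/2022:10:00:05 +0000] "GET /wp-content/themes/twentynineteen/style.css?ver=1.4 HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)
PROBE_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/")

def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status, _ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_enumeration_bursts(log_text, threshold=5, window_s=10):
    """Return {ip: total_probe_404s} for clients with >= threshold 404s under plugin
    or theme paths inside any window_s-second span. 200s are ignored on purpose:
    real visitors load real theme assets; guessing directory names produces 404s."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 404 and rec[2].startswith(PROBE_PREFIXES):
            probes[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in probes.items():
        times.sort()
        start = 0
        for end in range(len(times)):               # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Tune threshold and window_s to your own traffic: a human occasionally mistyping a URL never produces five plugin-directory 404s in a few seconds, but an aggressive --plugins-detection run does.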

Summary - Cheatsheet:

Flag        Description                        Full Example
p           Enumerate plugins                  --enumerate p
t           Enumerate themes                   --enumerate t
u           Enumerate usernames                --enumerate u
v           Check if plugins are vulnerable    --enumerate vp
aggressive  Adjust aggressiveness              --plugins-detection aggressive

Thank you for reading this far, and I hope you learned a thing or two from this post. Share it with someone who is interested in cybersec or bug bounty. I will write again, so make sure you follow me, and if you have any queries, Google them. Till then, keep hacking ❤
