Saturday, December 28, 2024
Google search engine
HomeGuest BlogsInstall and Use WPScan – WordPress security scanner

Install and Use WPScan – WordPress security scanner

WPScan, an acronym of WordPress security scanner is a free non-commercial, command-line tool and black box vulnerability scanner written in Ruby programming language. It was first released on the 16th of June 2011. This tool mainly helps security professionals and blog maintainers test any vulnerabilities on their WordPress sites. With WPScan you can see any vulnerabilities associated with:

  • WordPress plugins, themes
  • Username enumeration
  • Database dumps that may be publicly accessible
  • The version of WordPress installed and any associated vulnerabilities
  • If error logs are exposed by plugins
  • Users with weak passwords via password brute forcing
  • If WP-Cron is enabled
  • Full Path Disclose
  • Upload directory listing
  • Vulnerable Timthumb files
  • Media file enumeration
  • If user registration is enabled
  • Backed up and publicly accessible wp-config.php files e.t.c

This guide takes a deep dive into the installation and use of WPScan – WordPress security scanner.

Let’s dive in!

Install WPScan – WordPress security scanner

This guide demonstrates several methods one can use to install WPScan – WordPress security scanner. The methods include:

  • Using Ruby gem
  • Using Docker
  • Using APT(Kali Linux)

Method 1 – Install WPScan – WordPress security scanner using Ruby gem.

For this method, there are several dependencies required that include:

  • Ruby >= 2.5
  • Curl >= 7.72
  • RubyGems
  • Nokogiri

The dependencies can be installed s below.

Install cURL

##On Debian/Ubuntu
sudo apt update
sudo apt -y install curl

##On RHEL/CentOS/Rocky Linux/Alma Linux
sudo yum -y install curl

Check the installed curl version.

$ curl -V
curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

Then import the GPG signing.

curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -

Install RVM on Linux

$ curl -L get.rvm.io | bash -s stable
.....
Installing RVM to /home/thor/.rvm/
    Adding rvm PATH line to /home/thor/.profile /home/thor/.mkshrc /home/thor/.bashrc /home/thor/.zshrc.
    Adding rvm loading line to /home/thor/.profile /home/thor/.bash_profile /home/thor/.zlogin.
Installation of RVM in /home/thor/.rvm/ is almost complete:

  * To start using RVM you need to run `source /home/thor/.rvm/scripts/rvm`
    in all your open shell windows, in rare cases you need to reopen all shell windows.
Thanks for installing RVM 🙏
Please consider donating to our open collective to help us maintain RVM.

👉  Donate: https://opencollective.com/rvm/donate

Remember to source the RVM PATH.

source /home/$USER/.rvm/scripts/rvm

Install Ruby 2.5 using RVM.

export RUBY_VER='2.5'
rvm install ${RUBY_VER}
rvm use ${RUBY_VER} --default

Check the installed Ruby version.

$ ruby -v
ruby 2.5.8p224 (2020-03-31 revision 67882) [x86_64-linux]

Install Nokogiri.

$ gem install nokogiri -v 1.12.5
Fetching nokogiri-1.12.5-x86_64-linux.gem
Successfully installed nokogiri-1.12.5-x86_64-linux
Parsing documentation for nokogiri-1.12.5-x86_64-linux
Installing ri documentation for nokogiri-1.12.5-x86_64-linux
Done installing documentation for nokogiri after 1 seconds
1 gem installed

Now install WPScan – WordPress security scanner using RubyGems.

$ gem install wpscan
Fetching ffi-1.15.5.gem
Fetching ethon-0.14.0.gem
Fetching addressable-2.8.0.gem
Fetching get_process_mem-0.2.7.gem
Fetching concurrent-ruby-1.1.9.gem
Fetching tzinfo-2.0.4.gem
Fetching i18n-1.8.11.gem
Fetching activesupport-6.1.4.4.gem
Fetching cms_scanner-0.13.6.gem
........
Installing ri documentation for wpscan-3.8.20
Done installing documentation for ffi, ethon, get_process_mem, concurrent-ruby, i18n, tzinfo, zeitwerk, activesupport, public_suffix, addressable, opt_parse_validator, ruby-progressbar, typhoeus, yajl-ruby, sys-proctable, cms_scanner, wpscan after 17 seconds
17 gems installed

WPScan can be updated using the command.

$ gem update wpscan
Updating installed gems
Nothing to update

Confirm successful installation:

$ wpscan --version
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20

       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Current Version: 3.8.20

Method 2 – Install WPScan – WordPress security scanner using Docker.

For this method, you need to have Docker installed on your system. This can be achieved using the dedicated guide below.

With Docker installed and running, add your user to the Docker group.

sudo usermod -aG docker $USER
newgrp docker

Pull the WPScan container image.

$ docker pull wpscanteam/wpscan
Using default tag: latest
latest: Pulling from wpscanteam/wpscan
97518928ae5f: Pull complete 
d879f3f43643: Pull complete 
f6e3e74a152d: Pull complete 
ab54e33b1bb3: Pull complete 
525c9e55fcc4: Pull complete 
1877cf82f07b: Pull complete 
47a93fc45dd9: Pull complete 
f981fa9ebc39: Pull complete 
bd98520f45e4: Pull complete 
Digest: sha256:981ef71ed54e77e5d6bef45dafa38957047dad7ac96bdaeaf8f83935407ce0e3
Status: Downloaded newer image for wpscanteam/wpscan:latest
docker.io/wpscanteam/wpscan:latest

Now you can run WPScan as below.

docker run -it --rm wpscanteam/wpscan [option]

Method 3 – Install WPScan – WordPress security scanner using APT

WPScan is available in the default Kali Linux APT repositories and can be installed using a simple APT command.

Update your APT package index.

sudo apt update

Now install WPScan.

sudo apt install wpscan

Dependency Tree:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libdap27 libdapclient6v5 libdav1d4 libepsilon1 libgdal28 libgeos-3.9.1
  libgupnp-1.2-0 libidn11 libnetcdf18 libntfs-3g883 libomp-11-dev libomp5-11
  libproj19 liburcu6 libx265-192 libyara4 python3-editor
  python3-ipython-genutils python3-pylnk
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  wpscan
1 upgraded, 0 newly installed, 0 to remove and 818 not upgraded.

Use WPScan – WordPress security scanner

Once installed using any of the methods above, WPScan can be used to scan vulnerabilities. Note that, the below scans should be performed against your own blog.

1. Scan the entire blog site

To scan the whole blog, run the command:

wpscan --url wordpress.example.com

For Docker:

docker run -it --rm wpscanteam/wpscan --url wordpress.example.com

Sample Output:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.
........

By default, WPScan will scan HTTP, if you want HTTPS to be scanned, modify your URL as below.

wpscan --url https://wordpress.example.com -o scan-test

The -o flag can be used to output the scan results in a file.

There are 3 detection modes that can be run on a WordPress site i.e

  • aggressive mode – more intrusive scan by sending a thousand request to the server.
  • passive mode – send a few requests to the server. This is normally used to scan the homepage.
  • mixed(default) – uses both the aggressive and passive modes.

A given detection mode can be specified as below.

wpscan --url wordpress.example.com -o test --detection-mode aggressive

2. Scan Vulnerable Plugins.

To check for vulnerabilities in a plugin, the following argument is used:

-e/--enumerate [OPTS] option to the wpscan. The [OPTS] here can be ap for all plugins, vpfor vulnerable plugins and p for plugins.

For example, to scan vulnerable plugins use the command:

wpscan --url wordpress.example.com -e vp

3. Scan Vulnerable Themes

Similar to plugins, themes can be scanned using the -e/--enumerate [OPTS]command. But now, [OPTS] is replaced with vt (Vulnerable themes), at (All themes), or t (Themes).

For example, themes with known vulnerabilities can be scanned as below.

wpscan --url wordpress.example.com -e vt

4. Password Strength Testing.

To be able to know password strengths, you can try to brute force them. This process may be a bit slow depending on the number of passwords in the password file to be scanned -P, --passwords FILE-PATH, -t, --max-threads VALUE specifies the number of threads.

For example, to brute force the admin user, run the command:

wpscan --url wordpress.example.com -P password-file.txt -U admin -t 50

A number of users’ password strengths can be tested without specifying the username.

wpscan --url wordpress.example.com -P password-file.txt -t 50

5. Enumerate WordPress Users.

To know users who can log in to a site, use the -e/--enumerate u option. Here, u stands for the user IDs.

wpscan --url wordpress.example.com -e u

6. Scan WordPress in undetectable mode.

The above scans can as well be performed in stealth mode by adding the argument --stealthy

For example:

wpscan --url wordpress.example.com --stealthy

In case you need help when using WPScan, find help as below.

$ wpscan -h
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Usage: wpscan [options]
        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http
                                                  This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                                    Display the simple help and exit
        --hh                                      Display the full help and exit
        --version                                 Display the version and exit
    -v, --verbose                                 Verbose mode
        --[no-]banner                             Whether or not to display the banner
                                                  Default: true
    -o, --output FILE                             Output to FILE
    -f, --format FORMAT                           Output results in the format supplied
                                                  Available choices: cli-no-colour, cli-no-color, cli, json
        --detection-mode MODE                     Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --user-agent, --ua VALUE
..........

That is it!

We have successfully gone through how to install and use WPScan – WordPress security scanner. I hope this article was helpful.

Check more guides on this page:

RELATED ARTICLES

Most Popular

Recent Comments