websecurity@lists.webappsec.org

The Web Security Mailing List

Introducing WPScan – WordPress Security Scanner

Ryan Dewhurst
Thu, Jun 16, 2011 3:13 PM

After creating the WordPress Brute Force Tool last weekend, I decided
to create a bigger project out of it, called WPScan.

WPScan is a black box WordPress Security Scanner written in Ruby which
attempts to find known security weaknesses within WordPress
installations. Its intended use is to be for security professionals or
WordPress administrators to assess the security posture of their
WordPress installations. The code base is Open Source and licensed
under the GPLv3.

Features include:

Username enumeration (from ?author)
Weak password cracking (multithreaded)
Version enumeration (from generator meta tag)
Vulnerability enumeration (based on version)
Plugin enumeration (todo)
Plugin vulnerability enumeration (based on version) (todo)
Other miscellaneous checks

Installation:

WPScan requires two non native Ruby gems, typhoeus and xml-simple. It
should work on both Ruby 1.8.x and 1.9.x.

sudo apt-get install libcurl4-gnutls-dev
sudo gem install --user-install typhoeus
sudo gem install --user-install xml-simple

(I developed WPScan on Backtrack5 Gnome 32bit, if installing on
another OS, you may not need the --user-install option when installing
the non native gems)

Download:

WPScan will be hosted on Google Code at http://code.google.com/p/wpscan/.

You can download and start running WPScan ALPHA by checking out the SVN trunk.
svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only

Example usage:

Examples:
ruby wpscan.rb --url www.example.com
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

Contributions, feedback, comments are welcome.

Happy Hacking!

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r

seth
Sun, Jun 19, 2011 7:14 AM

I have started a wp scanner but lost the files before finishing and
never started again. It had three ways of identifying the version:
Generator meta tag
Readme file (you already download it, and the only valuable information
I see is the version number. Why not show it?)
Downloading some javascript, css, images, etc. Then comparing the hashes
of these files against an array that was like [file][hash]=>version
Hope it's useful

Chris Weber
Mon, Jun 20, 2011 4:49 PM

Ryan - Am I correct that the two methods you use for identifying the WP
version are:

a) Parse the readme.html file for the version number
b) Parse the meta tag generator content for the WP version number

In the case where both of these failed, what do you do?  Does Seth's plan of
comparing hashes of the js/css/other files sound like it would work?

-Chris

dd@sucuri.net
Mon, Jun 20, 2011 4:58 PM

Comparing the hashes of some js/css file is probably the most reliable
method, since lots of sites hide their version from the generator and
remove the readme file.

We wrote an article about it a while ago:
http://tools.sucuri.net/?page=docs&title=fingerprinting-web-apps

And we still use that on our scanner ( http://sitecheck.sucuri.net ) :)

Thanks,

Chris Weber
Mon, Jun 20, 2011 5:04 PM

dd, have you open sourced any parts of your production code, such as the
fingerprinting data?  Or do we each need to do that work independently?

And have you detected any edge cases - for example a Web server that
includes an extra newline character in the body?

-Chris

Ryan Dewhurst
Mon, Jun 20, 2011 6:39 PM

The client side file hashing is something I became aware of after
writing the w3af wordpress version discovery plugin a few years back.
The w3af plugin just does string matching though, if string in file,
version is x. But the idea was put forward then by someone or multiple
people (can't remember) after completing it.

It is definitely something I will implement into WPScan in the future.
I find the readme file version isn't always reliable and the generator
tag is sometimes removed.

I also plan to implement plugin and plugin version detection along
with vulnerability matching (by version). And some further username
enumeration techniques.

If anyone would like to contribute and make a start on any of these,
it would be awesome!

The project is still in ALPHA and needs a fair bit of work, but I
believe it has the grounding to become a great tool!

Ryan

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r
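
The three version-identification methods discussed in this thread (generator meta tag, readme file, static-file hashes keyed as [file][hash] => version), as an added Ruby example that is not part of the original messages or of WPScan's code. The reference files, paths and sample responses are constructed, and normalising line endings and trailing whitespace before hashing is an assumed way of handling the extra-newline case raised above.

```ruby
require 'digest'
require 'set'

# Constructed reference corpus (NOT real WordPress files): version => { path => body }.
# A real table would be built once from unpacked release archives.
REFERENCE = {
  '3.1.2' => { '/wp-includes/js/a.js' => "var a=1;\n", '/wp-includes/css/b.css' => "p{margin:0}\n" },
  '3.1.3' => { '/wp-includes/js/a.js' => "var a=1;\n", '/wp-includes/css/b.css' => "p{margin:1px}\n" },
  '3.2'   => { '/wp-includes/js/a.js' => "var a=2;\n", '/wp-includes/css/b.css' => "p{margin:1px}\n" }
}.freeze

# Canonicalise a text asset before hashing, so a server or proxy that rewrites
# line endings or appends a newline does not break the match. The same function
# must be used when building the table and when looking a response up.
def normalize(body)
  body.gsub("\r\n", "\n").rstrip
end

def digest(body)
  Digest::SHA256.hexdigest(normalize(body))
end

# table[file][hash] => set of versions that ship exactly that file.
def build_table(reference)
  table = {}
  reference.each do |version, files|
    files.each { |path, body| ((table[path] ||= {})[digest(body)] ||= Set.new) << version }
  end
  table
end

# Intersect the candidate sets of every file that matched. Files with no match
# (modified, minified or unknown) are skipped rather than counted as evidence.
def version_from_hashes(responses, table)
  candidates = nil
  responses.each do |path, body|
    versions = table.fetch(path, {})[digest(body.to_s)]
    next unless versions
    candidates = candidates ? candidates & versions : versions
  end
  candidates ? candidates.to_a.sort : []
end

def version_from_generator(html)
  html.to_s[/<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)/i, 1]
end

def version_from_readme(html)
  html.to_s[/Version\s+(\d+(?:\.\d+)+)/i, 1]
end

# Run all three methods. :consistent is false when a self-reported version
# (generator or readme) contradicts what the static files say.
def fingerprint(responses, table)
  result = {
    generator: version_from_generator(responses['/']),
    readme:    version_from_readme(responses['/readme.html']),
    hashes:    version_from_hashes(responses, table)
  }
  claimed = [result[:generator], result[:readme]].compact
  result[:consistent] = result[:hashes].empty? ||
                        claimed.all? { |v| result[:hashes].include?(v) }
  result
end

TABLE = build_table(REFERENCE)

# Constructed responses: generator tag removed, readme left over from an older
# release, static files served with CRLF line endings and extra trailing newlines.
SAMPLE = {
  '/'                      => '<html><head><title>Blog</title></head></html>',
  '/readme.html'           => '<h1>WordPress<br /> Version 3.1.2</h1>',
  '/wp-includes/js/a.js'   => "var a=1;\r\n\r\n",
  '/wp-includes/css/b.css' => "p{margin:1px}\n\n"
}.freeze

p fingerprint(SAMPLE, TABLE) if __FILE__ == $PROGRAM_NAME
```

Each constructed file alone matches two releases; only the intersection narrows the result to one, which is why the table maps a hash to a set of versions rather than to a single one.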

Richard M. Smith
Tue, Jun 21, 2011 1:13 PM

On a related note:

Google Now Warning WordPress Users They Need To Update
http://www.stateofsearch.com/google-now-warning-wordpress-users-they-need-to-update/

If you own a WordPress website and you haven’t updated your WordPress
version lately you might be getting a warning soon. And no, this is not the
warning you get when you open the WordPress CMS, it is a warning from
Google.

Last week the first people started noticing that Google had sent them a
message within Google Webmaster Tools saying they should update their
WordPress versions. I myself today got an e-mail from GWT saying one of my
sites needs an update.

The e-mail or message in WMT tells you your site appears to be running an
older version of WordPress and that you should update because otherwise your
site may be vulnerable to hacking or malware.

Richard
