Forum Moderators: rogerd & travelin cat

WPScan, WPSeku Vulnerability Scanners

WPScan, WPSeku, penetration testing

6:39 pm on Jul 21, 2017 (gmt 0)

TorontoBoy, Junior Member from CA (joined: Feb 7, 2017, posts: 135, votes: 9)

I'm just learning to use these two vulnerability scanners. WPScan [wpscan.org] is Ruby-based and WPSeku [github.com] is Python-based. They will scan a WP install for vulnerabilities in the core, plugins and themes. WPScan will also provide a list of usernames for the site. Both vulnerability scanners have options to break into the site by brute force, using a password list of your choice. I've not tested this as I have no need. This info can then be used with Metasploit [metasploit.com] to possibly find a server vulnerability.

WPScan is from Sucuri and is not open source. It uses the WP Vulnerability database [wpvulndb.com], again not open source. WPSeku is open source.

Does anyone have any experience with these? While these tools can be used for black hat, they are pretty useful for pen testing, WP hardening and general white hatting.

Pen testing does not mean you need not look at your logs. On the contrary and especially for hack-prone WP, your log will lead you to how you can further protect your site.
12:13 am on July 22, 2017 (gmt 0)

keyplyr, Moderator from US (joined: Sept 26, 2001, posts: 9255, votes: 443)

Sorry TorontoBoy, no experience with either of those tools, or WP either really :)

But curious about what UAs look like. From your logs, could you post the entire UA string for each one please.
12:31 am on July 22, 2017 (gmt 0)

TorontoBoy, Junior Member from CA

It would be interesting to see the UAs from the log. I was doing some pen testing today, so I'll look at tomorrow's log. These tools are pretty common on Kali Linux, a hacker's Linux distribution. Lots of YouTube videos showing how to crack sites and computers.
3:52 am on July 22, 2017 (gmt 0)

keyplyr, Moderator from US

Great, post them here then we can document them in the Search Engine Spider & User Agent ID Forum [webmasterworld.com]
5:12 pm on July 22, 2017 (gmt 0)

TorontoBoy, Junior Member from CA

These tools are available in the Kali Linux distribution, a hacker specific version of Linux. They are, therefore pretty common and well used.

Both these can collect usernames used in WordPress. Once they have a list of usernames, they can follow with a brute force attack using a file of common passwords, all available on the internet. If you see WPScan in your log, you should monitor it carefully, as someone might want to try to break in.

Both these tools also look for WP core, plugin and theme vulnerabilities. They cross-reference these with the Sucuri WP Vulnerability database at [wpvulndb.com...]. Once a vulnerability is detected, a hacker can correlate the vulnerability with a database in Metasploit, yet another hacker tool common in Kali, but also available for download.

Metasploit has a vulnerability scanner as well as a database of payloads, and does much more than just WordPress. These payloads are used to break into the web site, PC or server. Once an exploit is successful, a piece of software called Meterpreter, within Metasploit, is used to get into the server/computer, where it has options to view files, start a DOS terminal session, start a shell, delete, upload or download files, take a webcam snap (I have not done this yet. I've done most of the rest on test machines), log keystrokes or even turn off the target machine.

WPScan has a UA of "WPScan v2.9.3 (http://wpscan.org)". It does not vary at all. The UA correlates with the version I installed and used.

WPSeku has a more anonymous UA of "Mozilla/5.0", and does not vary.

Both try to break WordPress by attacking the wp-config.php file, or find an old copy. Here is the list from WPScan:
GET /subdir/.wp-config.php.swp HTTP/1.1
GET /subdir/%23wp-config.php%23 HTTP/1.1
GET /subdir/wp-config.bak HTTP/1.1
GET /subdir/wp-config.old HTTP/1.1
GET /subdir/wp-config.orig HTTP/1.1
GET /subdir/wp-config.original HTTP/1.1
GET /subdir/wp-config.php_bak HTTP/1.1
GET /subdir/wp-config.php.bak HTTP/1.1
GET /subdir/wp-config.php.old HTTP/1.1
GET /subdir/wp-config.php.orig HTTP/1.1
GET /subdir/wp-config.php.original HTTP/1.1
GET /subdir/wp-config.php.save HTTP/1.1
GET /subdir/wp-config.php.swo HTTP/1.1
GET /subdir/wp-config.php.swp HTTP/1.1
GET /subdir/wp-config.php%7E HTTP/1.1
GET /subdir/wp-config.save HTTP/1.1
GET /subdir/wp-config.txt HTTP/1.1

Here's the list from WPSeku:
GET /wp-config-sample.php HTTP/1.1
GET /wp-config.backup HTTP/1.1
GET /wp-config.bak HTTP/1.1
GET /wp-config.bck HTTP/1.1
GET /wp-config.old HTTP/1.1
GET /wp-config.php~ HTTP/1.1
GET /wp-config.save HTTP/1.1
GET /wp-config.back HTTP/1.1
GET /wp-config.copy HTTP/1.1
GET /wp-config.dat HTTP/1.1
GET /wp-config.db HTTP/1.1
GET /wp-config.tar.gz HTTP/1.1
GET /wp-config.tmp HTTP/1.1
GET /wp-config.txt HTTP/1.1
GET /wp-config.zip HTTP/1.1

Both tools are really entertaining to use for pen testing and hardening WordPress, but the dark side is only a keystroke command away, already built into the tool.
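Turning the fixed UA string and the two request lists above into a log check, as an added example that is not part of the post: a Python script over Apache combined-format access log lines (an assumed log format; the lines below are constructed and use documentation address ranges). It keys on the WPScan UA quoted above and, because WPSeku's "Mozilla/5.0" gives nothing to match on, also on the request paths. The path test generalizes the two lists into "any file named wp-config with anything before or after it", which covers editor swap files such as .wp-config.php.swp and #wp-config.php# as well as the .bak/.old/.tar.gz variants, and also a direct request for wp-config.php itself, which no ordinary visitor makes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (assumed format, not from the thread):
# one source with the WPScan UA, one with a bare "Mozilla/5.0", one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jul/2017:13:05:01 +0000] "GET /subdir/wp-config.php.bak HTTP/1.1" 404 209 "-" "WPScan v2.9.3 (http://wpscan.org)"
203.0.113.10 - - [22/Jul/2017:13:05:01 +0000] "GET /subdir/%23wp-config.php%23 HTTP/1.1" 404 209 "-" "WPScan v2.9.3 (http://wpscan.org)"
203.0.113.10 - - [22/Jul/2017:13:05:02 +0000] "GET /subdir/wp-config.php%7E HTTP/1.1" 404 209 "-" "WPScan v2.9.3 (http://wpscan.org)"
198.51.100.7 - - [22/Jul/2017:13:10:44 +0000] "GET /wp-config.tar.gz HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2017:13:10:44 +0000] "GET /wp-config.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.25 - - [22/Jul/2017:13:12:00 +0000] "GET /subdir/about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/54.0"
192.0.2.25 - - [22/Jul/2017:13:12:03 +0000] "GET /subdir/wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/54.0"
"""

# Apache combined log: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The fixed UA quoted in the post; the version number is allowed to vary.
WPSCAN_UA_RE = re.compile(r"^WPScan v[\d.]+ \(https?://wpscan\.org\)$")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wpscan_ua(ua):
    return bool(WPSCAN_UA_RE.match(ua))


def is_config_probe(path):
    """True when the requested file name is wp-config with any prefix/suffix:
    wp-config.php, wp-config.bak, wp-config.php~, #wp-config.php#, .wp-config.php.swp ..."""
    name = unquote(path.split("?", 1)[0]).rsplit("/", 1)[-1]   # decode %23 -> '#', %7E -> '~'
    return name.lstrip(".#").startswith("wp-config")


def analyze(log_text):
    """Per source address: number of wp-config probes, the decoded paths, and
    whether the WPScan UA was seen. Addresses with nothing suspicious are dropped."""
    report = defaultdict(lambda: {"probes": 0, "probe_paths": [], "wpscan_ua": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["ip"]]
        if is_wpscan_ua(rec["ua"]):
            entry["wpscan_ua"] = True
        if is_config_probe(rec["path"]):
            entry["probes"] += 1
            entry["probe_paths"].append(unquote(rec["path"]))
    return {ip: e for ip, e in report.items() if e["probes"] or e["wpscan_ua"]}


if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG).items():
        tag = "WPScan UA" if e["wpscan_ua"] else "no scanner UA"
        print(f"{ip}: {e['probes']} wp-config probe(s), {tag}: {', '.join(e['probe_paths'])}")
```

Because a UA string is trivial to change and WPSeku already sends a bare "Mozilla/5.0", the path test is the part worth keeping; an address that asks for several wp-config variants in a short window is a scanner regardless of what it calls itself. A real deployment would read the access log instead of SAMPLE_LOG and feed the flagged addresses to whatever blocking mechanism the site uses.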
5:53 pm on July 22, 2017 (gmt 0)

keyplyr, Moderator from US

Thanks Torontoboy, could you post the range as well?

[edited by: keyplyr at 6:27 pm (utc) on Jul 22, 2017]

6:04 pm on July 22, 2017 (gmt 0)

not2easy, Administrator from US (joined: Dec 27, 2006, posts: 3399, votes: 171)

Many of those files would produce a 404 on most sites. Of the files that do exist, many/most should have permission settings that prevent access. Part of "Hardening WP 101". Do many people save .old, .original, .bak files online?
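The two things raised here, leftover copies and permissions on the live file, can be checked from the server side before a scanner does it for you. As an added example that is not from the thread, a small Python audit walks a web root and reports any wp-config variant other than wp-config.php itself, plus any wp-config.php that is readable by group or others. The name test generalizes the two request lists earlier in the thread rather than repeating them (it also catches the shipped wp-config-sample.php, which the WPSeku list requests). The directory layout it builds is a constructed fixture, and the permission policy (owner-only read, i.e. 0600 or 0400) is an assumption; sites that run PHP under a separate group may deliberately use 0640.

```python
import os
import stat
import tempfile

LIVE_CONFIG = "wp-config.php"


def is_config_leftover(name):
    """True for any wp-config variant other than the live file: wp-config.bak,
    wp-config.php.old, wp-config.php~, #wp-config.php#, .wp-config.php.swp, ..."""
    stripped = name.lstrip(".#")          # editor swap/backup prefixes
    return stripped.startswith("wp-config") and stripped != LIVE_CONFIG


def readable_by_group_or_others(path):
    """Assumed policy: the live config should be readable by its owner only."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_webroot(root):
    """Return sorted (kind, relative_path) findings for the whole tree under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_config_leftover(name):
                findings.append(("leftover", rel))
            elif name == LIVE_CONFIG and readable_by_group_or_others(full):
                findings.append(("permissions", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture, not a real site: one install with leftovers and a
    world-readable config, one install that is clean."""
    sub = os.path.join(root, "subdir")
    os.makedirs(sub, exist_ok=True)
    for name in (LIVE_CONFIG, "wp-config.php.bak", ".wp-config.php.swp",
                 "#wp-config.php#", "index.php"):
        with open(os.path.join(sub, name), "w") as fh:
            fh.write("<?php // constructed sample\n")
    os.chmod(os.path.join(sub, LIVE_CONFIG), 0o644)      # too permissive
    blog = os.path.join(root, "blog")
    os.makedirs(blog, exist_ok=True)
    with open(os.path.join(blog, LIVE_CONFIG), "w") as fh:
        fh.write("<?php // constructed sample\n")
    os.chmod(os.path.join(blog, LIVE_CONFIG), 0o600)     # owner-only, passes


def run_demo():
    """Build the fixture in a temporary directory, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind:11s} {rel}")
```

Run it against the real document root (audit_webroot("/var/www/html") or wherever the install lives) after every manual edit or migration; the swap-file case is the one people forget, since it appears the moment someone opens wp-config.php in vim over SSH and leaves the session open.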
6:30 pm on July 22, 2017 (gmt 0)

keyplyr, Moderator from US

@not2easy - I think many WP users just never update from the amount of malicious vulnerability scans I've seen over the years.
11:37 pm on July 22, 2017 (gmt 0)

TorontoBoy, Junior Member from CA

Thanks Torontoboy, could you post the range as well?


There is really no range. Anyone in the world with a Linux box can download these packages and run them from the comfort of their homes against any site in the world. The data goes back to the listening Linux box.

You could install WPScan on your laptop and launch a scan from your house. Your house IP will be registered in the site's log.
6:22 am on July 25, 2017 (gmt 0)

henry0, Senior Member from FR (joined: Apr 19, 2003, posts: 4415, votes: 9)

It's been a long time since I built a WP site, but I am actually doing it again.
How will you harden your WP config?
11:40 am on July 25, 2017 (gmt 0)

TorontoBoy, Junior Member from CA

Add this to your .htaccess. Also ensure wp-config.php has strict permissions. I have also moved my wp-config to my root directory, as my WP install is in a subdirectory, but you cannot do this for all WP installs. Here's the Codex [codex.wordpress.org] for WP hardening.

<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead of the two lines below
Order allow,deny
Deny from all
</Files>

The most important security feature I implemented is two-factor authentication (2FA), done from your .htaccess. When you try to log in, you get an Apache authentication first with an ID and password challenge. If you cannot get by this then you cannot get to the WordPress login. This is excellent protection against brute force attacks.
4:46 pm on July 25, 2017 (gmt 0)

henry0, Senior Member from FR

Thanks so much.
I suppose I will be able to move my config on my server.
I haven't done that for 3 or 4 years :)
7:47 pm on July 25, 2017 (gmt 0)

bwnbwn, Senior Member (joined: Oct 25, 2005, posts: 3547, votes: 19)

The problem with moving the file is that if you have more than one WP install on the server, you can only move one of them.
10:01 pm on July 25, 2017 (gmt 0)

incredibill, Administrator from US (joined: Jan 25, 2005, posts: 14664, votes: 99)

All you need to do is block them in the .htaccess file and they're gone.

These would never touch my server in the first place for most of my sites, as I only allow things that are or at least pretend to be the major browsers.
1:50 pm on July 26, 2017 (gmt 0)

New User (joined: July 12, 2017, posts: 25, votes: 0)

Thank you for the info and the feedback! I don't have experience with WPScan and I haven't heard about WPSeku. I tried WordPress Security Scan and wploop.com and I was pretty satisfied.
2:19 pm on July 26, 2017 (gmt 0)

TorontoBoy, Junior Member from CA

I tried WordPress Security Scan and wploop.com and I was pretty satisfied.

Never heard of WordPress Security Scan, so I looked it up and tried it. It is different in that it does a "Linked Sites" check, basically safety-checking links that you link to. It would be bad if one of your links to another site was a safety risk. I don't remember seeing this in any of the other vulnerability scanners. Good to know.

Google Safe browse checks have been performed on each of the linked sites. Links with poor reputation could be a threat to users of the site. Hosting and location are also included in the results.

I could not find a tool on wploop.