Previously, we talked about how to get started with Nmap NSE scripts against your own WordPress installation to check for vulnerabilities. There are two other important scanners: Nikto and WPScan. WPScan is purely for WordPress, whereas Nikto is a general web server scanner that reports misconfigurations, outdated server software and known-dangerous files. In this guide we will walk through how to use Nikto and WPScan as WordPress vulnerability scanners. We are using an Ubuntu server; for other distributions, look at their official resources.
How To Use WPScan WordPress Vulnerability Scanner
WPScan is limited to identifying which plugins and themes are installed, enumerating user IDs and brute-forcing passwords, all of which it does from the outside, the way an attacker would, so only point it at sites you own or are authorised to test. First install the dependencies; you also need cURL version 7.21 or newer:
```bash
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
```
We can install Ruby with RVM. Running the installer as root, as shown below, is the unsafe way to do it; you should really install as a user other than root, in which case RVM lands in ~/.rvm rather than /usr/local/rvm and the two `source` lines below change accordingly:
```bash
cd ~
# import the RVM signing key so the installer can be verified
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# the leading backslash bypasses any shell alias for curl
\curl -sSL https://get.rvm.io | bash -s stable --rails
source /usr/local/rvm/scripts/rvm
echo "source /usr/local/rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
rvm install 2.4.0
rvm use 2.4.0 --default
# do not build gem documentation
echo "gem: --no-ri --no-rdoc" > ~/.gemrc
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
gem install bundler
bundle install --without test
```
The above commands work without any problem on Ubuntu 16.04 LTS; we tested them. Now run a test against your own URL (we used ours, from our own machine):
```bash
ruby wpscan.rb --url https://thecustomizewindows.com
```
You'll be prompted to download the vulnerability database; download it and continue. I got this report:
```text
[+] URL: https://thecustomizewindows.com/
[+] Started: Sun May 21 05:05:51 2017

[+] robots.txt available under: 'https://thecustomizewindows.com/robots.txt'
[+] Interesting header: ALTERNATE-PROTOCOL: 443:npn-http/2
[+] Interesting header: ALTERNATE-PROTOCOL: 443:npn-spdy/3
[+] Interesting header: EXPECT-CT: enforce; max-age=3600
[+] Interesting header: LINK: </wp-includes/js/jquery/jquery.js>; rel=preload; as=script
[+] Interesting header: LINK: </wp-includes/js/jquery/jquery-migrate.min.js>; rel=preload; as=script
[+] Interesting header: PUBLIC-KEY-PINS: pin-sha256="snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ="; pin-sha256="BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk="; max-age=5184000; includeSubDomains
[+] Interesting header: REFERRER-POLICY: origin
[+] Interesting header: SERVER: nginx
[+] Interesting header: STRICT-TRANSPORT-SECURITY: max-age=31536000; includeSubDomains; preload
[+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-XSS-PROTECTION: 1; mode=block
[+] This site has 'Must Use Plugins' (http://codex.wordpress.org/Must_Use_Plugins)
[i] WordPress version can not be detected

[+] Enumerating plugins from passive detection ...
 | 2 plugins found:

[+] Name: contact-form-plugin - v4.0.0
 |  Last updated: 2017-04-14T09:45:00.000Z
 |  Location: https://thecustomizewindows.com/wp-content/plugins/contact-form-plugin/
 |  Readme: https://thecustomizewindows.com/wp-content/plugins/contact-form-plugin/readme.txt
[!] The version is out of date, the latest version is 4.0.6

[!] Title: Contact Form by BestWebSoft <= 4.0.1 - Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8749
    Reference: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_contact_form_wordpress_plugin.html
    Reference: http://seclists.org/fulldisclosure/2017/Feb/100
[i] Fixed in: 4.0.2

[!] Title: Multiple BestWebSoft Plugins - Authenticated Reflected GET Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8796
    Reference: http://www.defensecode.com/advisories/DC-2017-02-014_50_WordPress_plugins_by_BestWebSoft_Advisory.pdf
    Reference: http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2017-April/010860.html
[i] Fixed in: 4.0.6

[+] Name: crayon-syntax-highlighter - v2.8.4
 |  Latest version: 2.8.4 (up to date)
 |  Last updated: 2016-05-10T11:37:00.000Z
 |  Location: https://thecustomizewindows.com/wp-content/plugins/crayon-syntax-highlighter/
 |  Readme: https://thecustomizewindows.com/wp-content/plugins/crayon-syntax-highlighter/readme.txt

[+] Finished: Sun May 21 05:06:01 2017
[+] Requests Done: 91
[+] Memory used: 53.383 MB
[+] Elapsed time: 00:00:09
```
You can see the vulnerabilities found for the two detected plugins, together with the version each one is fixed in: contact-form-plugin 4.0.0 is affected by both issues (fixed in 4.0.2 and 4.0.6 respectively), so the fix is to update it to 4.0.6, while crayon-syntax-highlighter is already up to date. Note that WPScan could not detect the WordPress version here and the two plugins came from passive detection only, so the report is only as complete as what the site exposes to an unauthenticated visitor. To get the help menu run:
```bash
ruby wpscan.rb --help
```
You'll get more examples on GitHub: https://github.com/wpscanteam/wpscan
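A report like the one above is only useful if someone acts on it, so here is an added example, written for this guide and not part of WPScan itself, that turns the text report into a per-plugin triage line (plugin, installed version, number of findings whose "Fixed in" version is newer than what is installed, and the version to upgrade to) and a pass/fail gate you could run from cron or a CI job. The two sample reports embedded in it are constructed excerpts modelled on the output above (the "clean" one shows an already-patched plugin purely to exercise the version comparison), and `example.com` in the usage comment is a placeholder. It relies on GNU `sort -V`, which Ubuntu has.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the WPScan project): triage a WPScan
# text report. It looks only at "[+] Name:" and "[i] Fixed in:" lines,
# in the format shown in the scan output above. Needs GNU sort (sort -V).
set -eu

# Constructed sample, trimmed from the report above.
SAMPLE_REPORT='[+] Name: contact-form-plugin - v4.0.0
 |  Last updated: 2017-04-14T09:45:00.000Z
[!] The version is out of date, the latest version is 4.0.6
[!] Title: Contact Form by BestWebSoft <= 4.0.1 - Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8749
[i] Fixed in: 4.0.2
[!] Title: Multiple BestWebSoft Plugins - Authenticated Reflected GET Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8796
[i] Fixed in: 4.0.6
[+] Name: crayon-syntax-highlighter - v2.8.4
 |  Latest version: 2.8.4 (up to date)
[+] Finished: Sun May 21 05:06:01 2017'

# Constructed sample of a clean report: the same plugin, already patched,
# with an old finding whose fix version is not newer than what is installed.
CLEAN_REPORT='[+] Name: contact-form-plugin - v4.0.6
 |  Latest version: 4.0.6 (up to date)
[!] Title: Contact Form by BestWebSoft <= 4.0.1 - Stored Cross-Site Scripting (XSS)
[i] Fixed in: 4.0.2
[+] Finished: Sun May 21 05:06:01 2017'

# version_lt A B: succeeds when version A is older than version B.
# Plain string comparison would put 4.0.10 before 4.0.9; sort -V does not.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# wpscan_triage: read a report on stdin and print, per plugin,
#   <plugin> <installed> <open_findings> <upgrade_to>
# A finding is "open" when the installed version is older than its
# "Fixed in:" version. "Fixed in:" lines belong to the last "[+] Name:" seen.
wpscan_triage() {
  local name="" ver="" open=0 target="" line fix
  emit() {                                   # print the plugin gathered so far
    if [ -n "$name" ]; then
      printf '%s %s %s %s\n' "$name" "$ver" "$open" "${target:-none}"
    fi
  }
  while IFS= read -r line; do
    case "$line" in
      "[+] Name: "*)                         # start of a new plugin block
        emit
        line=${line#"[+] Name: "}
        name=${line%% - v*}
        ver=${line##* - v}
        open=0
        target=""
        ;;
      "[i] Fixed in: "*)                     # closes the preceding [!] Title
        fix=${line#"[i] Fixed in: "}
        if version_lt "$ver" "$fix"; then
          open=$((open + 1))
          # upgrade target is the highest fix version among open findings
          if [ -z "$target" ] || version_lt "$target" "$fix"; then
            target=$fix
          fi
        fi
        ;;
    esac
  done
  emit
}

# wpscan_gate: return 1 if any plugin has open findings (for cron or CI);
# the offending triage lines go to stderr.
wpscan_gate() {
  local bad
  bad=$(wpscan_triage | awk '$3 > 0')
  if [ -n "$bad" ]; then
    printf 'FAIL (plugin installed open upgrade_to):\n%s\n' "$bad" >&2
    return 1
  fi
  echo "OK: no open plugin findings"
}

# Run against the constructed samples. For a real scan, pipe the report in:
#   ruby wpscan.rb --url https://example.com | wpscan_gate
wpscan_triage <<<"$SAMPLE_REPORT"
wpscan_gate <<<"$SAMPLE_REPORT" || true
wpscan_gate <<<"$CLEAN_REPORT"
```

On the sample report this prints `contact-form-plugin 4.0.0 2 4.0.6` and `crayon-syntax-highlighter 2.8.4 0 none`, and the gate fails; on the clean sample it passes. The gate deliberately keys on the version comparison rather than on the "[!] The version is out of date" line, because a plugin can be behind the latest release without any of the listed findings applying to it.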
How To Use Nikto To Scan WordPress Vulnerability
First install the requirements (Nikto is a Perl script, so it needs Perl's SSL bindings):
```bash
apt-get install wget unzip libnet-ssleay-perl libwhisker2-perl openssl
```
Then fetch the current Nikto from GitHub and make the script executable:
```bash
cd ~
git clone https://github.com/sullo/nikto.git
cd nikto
ls
cd program
chmod +x nikto.pl
```
To test your domain, run the command like this (`-h` is the target host; Nikto will crawl it and compare what it finds against its database of known files, misconfigurations and outdated server versions):
```bash
perl nikto.pl -h thecustomizewindows.com
```
The rest of the help is in the GitHub repository (and `perl nikto.pl -H` prints the full option list): https://github.com/sullo/nikto