WPScan WordPress Security Tool

19.07.2011 - v1.0
WPScan is a black box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. It is intended for security professionals or WordPress administrators to assess the security posture of their own WordPress installations.

Features include:
- Username enumeration (from author querystring and location header)
- Weak password cracking (multithreaded)
- Version enumeration (from generator meta tag)
- Vulnerability enumeration (based on version)
- Plugin enumeration (2220 most popular by default)
- Plugin vulnerability enumeration (based on version)
- Plugin enumeration list generation
- Other misc WordPress checks (theme name, dir listing, ...)
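As an added example (not WPScan's own code), the two parsers below show what the "generator meta tag" and "location header" checks in the list above actually look for, so an administrator can confirm that a hardening change removed the leak. The sample responses are constructed inline and nothing is fetched over the network.

```ruby
# Added example, not part of WPScan. Parses two information leaks the
# feature list mentions, from constructed sample responses (offline).

# Version string from a <meta name="generator" content="WordPress x.y">
# tag, or nil when the tag is absent (the desired state after hardening).
# Attribute order inside the tag does not matter.
def generator_version(html)
  html.scan(/<meta\b[^>]*>/i).each do |tag|
    next unless tag =~ /name\s*=\s*["']generator["']/i
    m = tag.match(/content\s*=\s*["']WordPress\s*([\d.]+)/i)
    return m[1] if m
  end
  nil
end

# Author slug from a redirect Location header of the form
# http://host/author/<slug>/ (WordPress answers ?author=N this way),
# or nil when no such redirect is present.
def author_from_location(location)
  return nil if location.nil?
  m = location.match(%r{/author/([^/?#]+)/?})
  m && m[1]
end

# Constructed sample responses for a leaking and a hardened site.
SAMPLE_HTML_LEAKING  = '<html><head><meta content="WordPress 3.2" name="generator" /></head></html>'
SAMPLE_HTML_HARDENED = '<html><head><title>blog</title></head></html>'
SAMPLE_LOCATION      = 'http://www.example.com/author/admin/'

# Each true entry is an exposure the administrator still needs to fix.
def exposure_report(html, location)
  {
    version_exposed: !generator_version(html).nil?,
    author_exposed:  !author_from_location(location).nil?,
  }
end

if __FILE__ == $PROGRAM_NAME
  puts exposure_report(SAMPLE_HTML_LEAKING, SAMPLE_LOCATION).inspect
  puts exposure_report(SAMPLE_HTML_HARDENED, nil).inspect
end
```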
WPScan will be hosted on the WPScan Website at http://wpscan.org/.
Installation
WPScan requires two non-native Ruby gems, typhoeus and xml-simple. It should work on both Ruby 1.8.x and 1.9.x.
Installing on Backtrack5 Gnome/KDE 32bit:
sudo apt-get install libcurl4-gnutls-dev
sudo gem install --user-install mime-types
sudo gem install --user-install typhoeus
sudo gem install --user-install xml-simple
Installing on Debian/Ubuntu:
sudo apt-get install libcurl4-gnutls-dev
sudo apt-get install libopenssl-ruby
sudo gem install typhoeus
sudo gem install xml-simple
Installing on other *nix: (not tested)
sudo gem install typhoeus
sudo gem install xml-simple
Installing on Windows: (not tested)
gem install typhoeus
gem install xml-simple
Installing on Mac OSX: (not tested)
sudo gem install typhoeus
sudo gem install xml-simple
Usage
Run with -h for further help.
Examples:
Do 'non-intrusive' checks...
ruby wpscan.rb --url www.example.com
Only do version enumeration...
ruby wpscan.rb --url www.example.com --version
Do wordlist password brute force on enumerated users using 50 threads...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
Do wordlist password brute force on the 'admin' username only...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
Generate a new 'most popular' plugin list, up to 150 pages...
ruby ./wpscan.rb --generate_plugin_list 150
Enumerate installed plugins...
ruby ./wpscan.rb --enumerate p
See README for further information.
Licence
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
Version History
19.07.2011 - v1.0 Initial release
About RandomStorm
RandomStorm is a UK based software development company focussed on providing enterprise level, proactive security management tools. The company's core products include an online vulnerability scanning service, xStorm and a network security appliance which enables in-depth scanning of the entire corporate network topology. The two core products are supported by a range of complementary monitoring, alerting and remediation services.