wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.
How It Works
The script will try to login to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog’s content. If a single username is given, the script will not search for additional usernames.
When a correct username/password is found, it will be logged and shown in the standard output.
For faster results, you can spawn threads but BE CAREFUL not to flood/DoS the site. Default settings can be changed in “config.py” and “logging.conf” files.
The wordlist must have one entry per line, a small wordlist (wordlist.txt) and plugin list (plugins.txt) are provided for testing purposes.
Note: It requires Python 2.6+.
Features:
- Username enumeration and detection (TALSOFT-2011-0526, Author’s archive page, and content parsing)
- Threads
- Use keywords from blog’s content in the wordlist
- HTTP Proxy Support
- Basic WordPress fingerprint (version and full path)
- Advance plugins fingerprint (bruteforce, discovery and version/documentation)
- Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
- Advanced logging using Python’s logging library and logging configuration file
Usage:
wpbf.py [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY]
[-nk] [-eu] url
wpbf will audit and bruteforce your WordPress installation to test password
strength, server configuration, users and installed plugins. It Currently
supports threads and HTTP proxy and provides a very small default wordlist (a
dynamic wordlist is generated by default from the blog's content) and basic
username detection.
positional arguments:
url base URL where WordPress is installed
optional arguments:
-h, --help show this help message and exit
-w WORDLIST, --wordlist WORDLIST
worldlist file (default: wordlist.txt)
-nk, --nokeywords don't search keywords in content and add them to the
wordlist
-u USERNAME, --username USERNAME
username (default: None)
-s SCRIPTPATH, --scriptpath SCRIPTPATH
path to the login form (default: wp-login.php)
-t THREADS, --threads THREADS
how many threads the script will spawn (default: 5)
-p PROXY, --proxy PROXY
http proxy (ex: http://localhost:8008/)
-nf, --nofingerprint don't fingerprint WordPress
-eu, --enumerateusers
only enumerate users (withouth bruteforcing)
-mu MAXUSERS, --maxusers MAXUSERS
maximum number of usernames to enumerate (default: no
limit)
-eut ENUMERATETOLERANCE, --enumeratetolerance ENUMERATETOLERANCE
user ID gap tolerance to use in username enumeration
(default: 3)
-nps, --nopluginscan skip plugin bruteforce, enumeration and fingerprint
-ds, --dontstop don't stop when password is found, continue with all
pending tasks
--test run python doctests (you can use a dummy URL here)
Examples:
- Basic
It will use the default settings (you can change the default settings in config.py file):
$ ./wpbf.py http://www.mysite.com/blog/
- Custom
Using username ‘john’, not using keywords in the wordlist and through a local proxy:
$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/
- Aggressive
It will use default settings and spawn 23 threads:
$ ./wpbf.py -t 23 http://www.mysite.com/blog/
- Username enumeration
Only perform a user enumeration:
$ ./wpbf.py -eu http://www.mysite.com/blog/
