Date: Thu, 16 Jun 2011 16:13:46 +0100
From: Ryan Dewhurst <ryandewhurst@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: owasp-london@...ts.owasp.org, webappsec@...urityfocus.com,
	owasp-leeds_uk@...ts.owasp.org, websecurity@...appsec.org
Subject: Introducing WPScan – WordPress Security Scanner

After creating the WordPress Brute Force Tool last weekend, I decided
to create a bigger project out of it, called WPScan.

WPScan is a black box WordPress Security Scanner written in Ruby which
attempts to find known security weaknesses within WordPress
installations. Its intended use is to be for security professionals or
WordPress administrators to assess the security posture of their
WordPress installations. The code base is Open Source and licensed
under the GPLv3.

Features include:

Username enumeration (from ?author)
Weak password cracking (multithreaded)
Version enumeration (from generator meta tag)
Vulnerability enumeration (based on version)
Plugin enumeration (todo)
Plugin vulnerability enumeration (based on version) (todo)
Other miscellaneous checks

Installation:

WPScan requires two non-native Ruby gems, typhoeus and xml-simple. It
should work on both Ruby 1.8.x and 1.9.x.

sudo apt-get install libcurl4-gnutls-dev
sudo gem install --user-install typhoeus
sudo gem install --user-install xml-simple

(I developed WPScan on Backtrack5 Gnome 32bit; if installing on
another OS, you may not need the --user-install option when installing
the non-native gems)

Download:

WPScan will be hosted on Google Code at http://code.google.com/p/wpscan/.

You can download and start running WPScan ALPHA by checking out the SVN trunk.
svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only

Example usage:

Examples:
ruby wpscan.rb --url www.example.com
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

Contributions, feedback, comments are welcome.

Happy Hacking!

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
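
For administrators who want to see whether their own site exposes the two items the feature list above reads (the generator meta tag and the ?author response), here is an added example; it is not part of the original post and is not WPScan's code. The response hashes, function names and sample values are constructed for illustration, and the check runs offline over captured responses.

```ruby
# Added example (not WPScan code): audit captured responses from your own
# WordPress site for version and author-slug disclosure.

# Returns the version exposed by <meta name="generator" ...>, or nil.
def generator_version(html)
  html.to_s.scan(/<meta\b[^>]*>/i).each do |tag|
    next unless tag =~ /\bname\s*=\s*["']generator["']/i
    return $1 if tag =~ /\bcontent\s*=\s*["']WordPress\s+([0-9][0-9a-z.\-]*)["']/i
  end
  nil
end

# Returns the author slug exposed by the response to /?author=N, or nil.
def author_slug(response)
  location = response[:headers]["Location"].to_s
  # Pretty permalinks: the request is redirected to /author/<slug>/
  return $1 if [301, 302].include?(response[:status]) && location =~ %r{/author/([^/?#]+)}
  # No redirect: the author archive is rendered in place and the theme's
  # body class carries "author-<slug>" (the numeric "author-<id>" is skipped)
  return $1 if response[:body].to_s =~ /<body[^>]*\bclass=["'][^"']*\bauthor-([a-z][\w-]*)/i
  nil
end

# Collects human-readable findings for a report.
def audit(home_response, author_response)
  findings = []
  if (version = generator_version(home_response[:body]))
    findings << "generator meta tag discloses WordPress #{version}"
  end
  if (slug = author_slug(author_response))
    findings << "?author=N response discloses author slug '#{slug}'"
  end
  findings
end

# Constructed sample responses (hypothetical site, values made up).
SAMPLE_HOME = { status: 200, headers: {},
                body: '<head><meta name="generator" content="WordPress 3.1.3" /></head>' }
SAMPLE_REDIRECT = { status: 301, body: "",
                    headers: { "Location" => "http://www.example.com/author/admin/" } }
SAMPLE_INPLACE = { status: 200, headers: {},
                   body: '<body class="archive author author-editor1 author-2">' }
SAMPLE_CLEAN = { status: 200, headers: {}, body: "<head><title>Blog</title></head><body>" }

audit(SAMPLE_HOME, SAMPLE_REDIRECT).each { |finding| puts finding }
```

An empty result from `audit` means neither disclosure appeared in the responses you captured.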