Web Penetration Testing Part 5: Using WPScan to Scan a WordPress Website
WPScan:-
This tool is similar to Nikto: it also scans websites, but it is specifically meant to scan WordPress sites and check them for vulnerabilities. It comes preinstalled in Kali Linux.
To update this tool you can type:-
root@kali:~# wpscan --update
To scan your target URL:
root@kali:~# wpscan --url [target url]
Let's take a deeper look at WPScan:-
1. enumerate vp
wpscan --url yourtargeturl.com --enumerate vp
This scans for vulnerable plugins, that is, it checks whether the plugins installed on the site are vulnerable.
2. enumerate vt
wpscan --url yourtargeturl.com --enumerate vt
This scans for vulnerabilities in the themes; yes, themes are sometimes vulnerable too.
3. enumerate u
wpscan --url yourtargeturl.com --enumerate u
This command is used to find usernames on the target website. If you get a username, you can then perform a brute force attack to find out the password.
To perform a brute force password attack on the target site, you can use a custom wordlist and have wpscan perform the brute force attack for you.
wpscan --url yourtargeturl.com --wordlist passwords.txt --threads 50
Here --wordlist is used to specify the location of the wordlist; it could be --wordlist /Desktop/password.txt --threads 50
The speed of the attack depends entirely on your internet speed and on your device's performance.
If you are a website owner, this is a good opportunity to scan your own website using WPScan.
But if you don't want someone to scan your website using WPScan, you can install a plugin that blocks WPScan, or you can use a website firewall to stop WPScan from scanning your website.
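For site owners, the username enumeration and password guessing described above leave recognisable traces in the web server's access log. The following is an added example, not part of the original post: it assumes logs in Combined Log Format, and the threshold, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# Requests used to list WordPress usernames (author archives, REST users endpoint).
USER_ENUM_RE = re.compile(r'[?&]author=\d+|/wp-json/wp/v2/users')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
LOGIN_POST_THRESHOLD = 5  # assumed value; tune to your own traffic

def _line(ip, method, path, status, agent):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [10/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{agent}"')

WPSCAN_UA = "WPScan v3 (https://wpscan.com/wordpress-security-scanner)"  # constructed
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", "GET", "/?author=1", 301, WPSCAN_UA),
     _line("203.0.113.10", "GET", "/wp-json/wp/v2/users", 200, WPSCAN_UA),
     _line("192.0.2.44", "GET", "/blog/hello-world/", 200, "Mozilla/5.0"),
     _line("192.0.2.44", "POST", "/wp-login.php", 302, "Mozilla/5.0")]
    # Six password guesses from a client that presents a browser user-agent.
    + [_line("198.51.100.7", "POST", "/wp-login.php", 200, "Mozilla/5.0")] * 6)

def analyze(log_text, threshold=LOGIN_POST_THRESHOLD):
    """Return {client_ip: sorted list of findings} for suspicious clients only."""
    findings = defaultdict(set)
    login_posts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, _status, agent = m.groups()
        if "wpscan" in agent.lower():
            findings[ip].add("wpscan-user-agent")
        if USER_ENUM_RE.search(path):
            findings[ip].add("user-enumeration")
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            login_posts[ip] += 1
    for ip, count in login_posts.items():
        if count >= threshold:
            findings[ip].add("login-brute-force")
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

The user-agent check alone is easy to sidestep because the client chooses that header, which is why the example also counts login POSTs per address and matches the enumeration requests themselves.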
That's all about WPScan.
I hope that you have understood what WPScan is.
If you have any doubts regarding the above content then feel free to ask in the comment section.