WPScan-Brute Force

Goal:

  • To use WPScan to run a brute-force password attack against a WordPress website

Tools:

  • WPScan

 

WPScan is one of the most used tools for testing WordPress websites. Here we will do two things with it: enumerate the users, and brute force the password.

 

1. Start by opening WPScan and checking the help with the “wpscan -h” command. This shows all the options that WPScan provides and how to use them.

2. Now that we can see all the options and how to use them, we first enumerate the users, because we need the user name for the brute force. The command is “wpscan --url <domain name/IP address> -e u”.

3. After we enter the command, we need to wait for a while. The result will look like this

4. After we enumerate the users, we do the brute force. We need a word list for it, which we can create with CUPP or another word-list tool. The command is “wpscan --url <domain/IP address> -P <word list file name> -U <username>”.

5. Wait again for a while to get the result. The process will look like this

and the result will look like this

In this run no password was found, which means that no word in the word list matched. If there is a match, it will be shown.
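Seen from the defending side, the two steps above leave a recognizable trace in the web server access log. The following is an added example, not part of the original post: a small Python detector that flags clients making user-enumeration style requests and repeated login POSTs. The log lines are constructed, the thresholds are assumptions, and the matched paths (`?author=N`, `/wp-json/wp/v2/users`, `/wp-login.php`, `/xmlrpc.php`) are the standard WordPress endpoints such scans commonly touch.

```python
import re
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; tune them to your own traffic.
ENUM_THRESHOLD = 3    # user-enumeration style requests per client
LOGIN_THRESHOLD = 5   # login POSTs per client

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ENUM_RE = re.compile(r'[?&]author=\d+|/wp-json/wp/v2/users')
LOGIN_RE = re.compile(r'^/(wp-login\.php|xmlrpc\.php)')

def build_sample_log():
    """Constructed access-log lines (combined format, documentation IP ranges)."""
    fmt = '{ip} - - [10/Mar/2024:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512'
    lines = [fmt.format(ip="203.0.113.7", s=i, m="GET", p=f"/?author={i}", c=301)
             for i in range(1, 4)]
    lines += [fmt.format(ip="203.0.113.7", s=10 + i, m="POST", p="/wp-login.php", c=200)
              for i in range(6)]
    lines.append(fmt.format(ip="198.51.100.20", s=30, m="POST", p="/wp-login.php", c=302))
    lines.append(fmt.format(ip="198.51.100.20", s=31, m="GET", p="/wp-admin/", c=200))
    return lines

def analyze(lines):
    """Return {ip: [findings]} for clients that enumerate users or hammer the login."""
    enum_hits, login_posts = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, _status = m.groups()
        if method == "GET" and ENUM_RE.search(path):
            enum_hits[ip] += 1
        elif method == "POST" and LOGIN_RE.match(path):
            login_posts[ip] += 1
    findings = defaultdict(list)
    for ip, n in enum_hits.items():
        if n >= ENUM_THRESHOLD:
            findings[ip].append(f"user enumeration ({n} requests)")
    for ip, n in login_posts.items():
        if n >= LOGIN_THRESHOLD:
            findings[ip].append(f"login brute force ({n} POSTs)")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in analyze(build_sample_log()).items():
        print(ip, "->", "; ".join(notes))
```

A client that appears under both findings is the pattern this walkthrough produces: enumeration first, then a run of login attempts, which is a good trigger for rate limiting or a temporary block on that address.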