File http-wordpress-plugins
Script types:
portrule
Categories:
discovery, intrusive
Download: http://nmap.org/svn/scripts/http-wordpress-plugins.nse
User Summary
Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins.
The script will brute force the /wp-content/plugins/ folder with a dictionary of 14K (and counting) known WP plugins. Anything but a 404 means that a given plugin directory probably exists, so the plugin probably also does.
The number of available WordPress plugins is huge, and despite Nmap's efforts to parallelize the queries, a full search could take an hour or so. That's why the plugin list is sorted by popularity, and by default the script only checks the first 100. Users can tweak this with an option (see below).
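On the server side, the sweep described above shows up in the access log as one client requesting many distinct directories under /wp-content/plugins/ and mostly receiving 404. The following detection sketch is an added example, not part of Nmap or of this script; the function names, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format fields used here: client, request path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Directory name directly under wp-content/plugins/, whatever the blog root is.
SLUG_RE = re.compile(r'/wp-content/plugins/([^/?#]+)')

def find_plugin_enumeration(lines, min_slugs=20, min_404_ratio=0.8):
    """Return {client: (distinct_plugin_dirs, dirs_answered_404)} for clients
    that requested many distinct plugin directories and mostly received 404.
    Both thresholds are assumptions; tune them against normal traffic."""
    probes = defaultdict(dict)  # client -> {slug: True while every answer was 404}
    for line in lines:
        m = LINE_RE.match(line)
        s = SLUG_RE.search(m.group(2)) if m else None
        if not s:
            continue
        client, slug = m.group(1), s.group(1).lower()
        only_404 = m.group(3) == "404"
        probes[client][slug] = probes[client].get(slug, True) and only_404
    flagged = {}
    for client, slugs in probes.items():
        total, missing = len(slugs), sum(slugs.values())
        if total >= min_slugs and missing / total >= min_404_ratio:
            flagged[client] = (total, missing)
    return flagged

def constructed_log():
    """Constructed sample: one client sweeping 100 names, one ordinary visitor."""
    fmt = '{} - - [01/Jan/2024:10:00:00 +0000] "GET {} HTTP/1.1" {} 162'
    lines = [fmt.format("198.51.100.7", f"/blog/wp-content/plugins/example-{i}/", 404)
             for i in range(98)]
    for name in ("akismet", "stats"):  # installed on the constructed site
        lines.append(fmt.format("198.51.100.7", f"/blog/wp-content/plugins/{name}/", 403))
        lines.append(fmt.format("203.0.113.9", f"/blog/wp-content/plugins/{name}/style.css", 200))
    lines.append(fmt.format("203.0.113.9", "/blog/", 200))
    return lines

if __name__ == "__main__":
    for client, (total, missing) in find_plugin_enumeration(constructed_log()).items():
        print(f"{client}: {total} plugin directories requested, {missing} returned 404")
```

The check keys on request paths and status codes rather than the User-Agent header, since http.useragent is one of the script's arguments.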
Script Arguments
http-wordpress-plugins.root
If set, points to the blog root directory on the website. If not, the script will try to find a WP directory installation or fall back to root.
http-wordpress-plugins.search
As the plugin list contains tens of thousands of plugins, this script will only search the 100 most popular ones by default. Use this option with a number or "all" as an argument for a more comprehensive brute force.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent
See the documentation for the http library.
Example Usage
nmap --script=http-wordpress-plugins --script-args http-wordpress-plugins.root="/blog/",http-wordpress-plugins.search=500 <targets>
Script Output
Interesting ports on my.woot.blog (123.123.123.123):
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-wordpress-plugins:
|   search amongst the 500 most popular plugins
|   akismet
|   wp-db-backup
|   all-in-one-seo-pack
|   stats
|_  wp-to-twitter
Requires
Author: Ange Gutek
License: Same as Nmap--See http://nmap.org/book/man-legal.html


