Script http-wordpress-brute

Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/http-wordpress-brute.nse

Script Summary

performs brute force password auditing against Wordpress CMS/blog installations.

This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored using the credentials library.

Wordpress default uri and form names:

• Default uri:wp-login.php
• Default uservar: log
• Default passvar: pwd

See also:

• http-form-brute.nse

Script Arguments

http-wordpress-brute.threads

sets the number of threads. Default: 3

Other useful arguments when using this script are:

• http.useragent = String - User Agent used in HTTP requests
• brute.firstonly = Boolean - Stop attack when the first credentials are found
• brute.mode = user/creds/pass - Username password iterator
• passdb = String - Path to password list
• userdb = String - Path to user list

http-wordpress-brute.uri

points to the file 'wp-login.php'. Default /wp-login.php

http-wordpress-brute.uservar

sets the http-variable name that holds the username used to authenticate. Default: log

http-wordpress-brute.hostname

sets the host header in case of virtual hosting

http-wordpress-brute.passvar

sets the http-variable name that holds the password used to authenticate. Default: pwd

creds.[service], creds.global

See the documentation for the creds library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -sV --script http-wordpress-brute <target>
nmap -sV --script http-wordpress-brute
  --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,
                 http-wordpress-brute.threads=3,brute.firstonly=true' <target>

Script Output

PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack
| http-wordpress-brute:
|   Accounts
|     0xdeadb33f:god => Login correct
|   Statistics
|_    Perfomed 103 guesses in 17 seconds, average tps: 6

Requires

• brute
• creds
• http
• shortport
• stdnse

---

Author:

• Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html

action

action (host, port)

MAIN

Parameters

host

 

port