wpbf - WordPress Brute Force Tool

wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.

How It Works

The script will try to login to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog's content. If a single username is given, the script will not search for additional usernames.

When a correct username/password is found, it will be logged and shown in the standard output.

For faster results, you can spawn threads but BE CAREFUL not to flood/DoS the site. Default settings can be changed in "config.py" and "logging.conf" files.

The wordlist must have one entry per line, a small wordlist (wordlist.txt) and plugin list (plugins.txt) are provided for testing purposes.

Note: It requires Python 2.6+.

Features:

Username enumeration and detection (TALSOFT-2011-0526, Author's archive page, and content parsing)
Threads
Use keywords from blog's content in the wordlist
HTTP Proxy Support
Basic WordPress fingerprint (version and full path)
Advance plugins fingerprint (bruteforce, discovery and version/documentation)
Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
Advanced logging using Python's logging library and logging configuration file

Usage:

wpbf.py [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY] 
 [-nk] [-eu] url
 
 wpbf will audit and bruteforce your WordPress installation to test password
 strength, server configuration, users and installed plugins. It Currently
 supports threads and HTTP proxy and provides a very small default wordlist (a
 dynamic wordlist is generated by default from the blog's content) and basic
 username detection.
 
 positional arguments:
   url                   base URL where WordPress is installed
 
 optional arguments:
   -h, --help            show this help message and exit
   -w WORDLIST, --wordlist WORDLIST
                         worldlist file (default: wordlist.txt)
   -nk, --nokeywords     don't search keywords in content and add them to the
                         wordlist
   -u USERNAME, --username USERNAME
                         username (default: None)
   -s SCRIPTPATH, --scriptpath SCRIPTPATH
                         path to the login form (default: wp-login.php)
   -t THREADS, --threads THREADS
                         how many threads the script will spawn (default: 5)
   -p PROXY, --proxy PROXY
                         http proxy (ex: http://localhost:8008/)
   -nf, --nofingerprint  don't fingerprint WordPress
   -eu, --enumerateusers
                         only enumerate users (withouth bruteforcing)
   -mu MAXUSERS, --maxusers MAXUSERS
                         maximum number of usernames to enumerate (default: no
                         limit)
   -eut ENUMERATETOLERANCE, --enumeratetolerance ENUMERATETOLERANCE
                         user ID gap tolerance to use in username enumeration
                         (default: 3)
   -nps, --nopluginscan  skip plugin bruteforce, enumeration and fingerprint
   -ds, --dontstop       don't stop when password is found, continue with all
                         pending tasks
   --test                run python doctests (you can use a dummy URL here)

Examples:

Basic

It will use the default settings (you can change the default settings in config.py file):

$ ./wpbf.py http://www.mysite.com/blog/

Custom

Using username 'john', not using keywords in the wordlist and through a local proxy:

$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/

Aggressive

It will use default settings and spawn 23 threads:

$ ./wpbf.py -t 23 http://www.mysite.com/blog/

Username enumeration

Only perform a user enumeration:

$ ./wpbf.py -eu http://www.mysite.com/blog/

Download wpbf

Source: www.effecthacking.com

Hacking Reviews

wpbf - WordPress Brute Force Tool

How It Works

Features:

Usage:

Examples:

Most Popular

Blog Archive

Recommended