
How to Use wpscan in Kali Linux?

Last Updated : 08 Sep, 2022

WPScan is a WordPress security scanner that ships with Kali Linux. It enumerates the WordPress core version, the installed themes and plugins, user accounts and a number of common misconfigurations on a target site and, given an API token, reports the publicly known vulnerabilities for what it finds. WPScan itself is a reconnaissance tool, but the information it gathers is exactly what an attacker needs to plan an exploit, and some of its features, such as password brute forcing, actively attack the target rather than just reading it. Run it only against sites you own or have written authorization to test.

Usage of Tool:

First check whether wpscan is installed on your Kali Linux by running wpscan --version. If it is not, install it with sudo apt install wpscan or refer to the article on how to install wpscan on Kali. Then open a terminal by pressing CTRL+ALT+T. The basic syntax of the wpscan command is:

wpscan --url <target URL>

wpscan works for both HTTP and HTTPS sites. If the URL has no scheme, http:// is assumed, so pass https:// explicitly for sites served over TLS. If the target redirects (for example from http to https or to a different host), wpscan stops and asks you to either scan the redirected URL or pass --ignore-main-redirect.

Features and Utilities:

  • Detects the WordPress version in use and reports the known vulnerabilities for that version.
  • Checks for database exports that may be openly accessible.
  • Checks for the WordPress readme.html file, which discloses the version.
  • Brute forces usernames and passwords against the login when asked to.
  • Checks for publicly accessible backups of wp-config.php.
  • Enumerates the themes and plugins used on the site and the known vulnerabilities for them.
  • Enumerates uploaded media files as well.
  • Checks for exposed error log files.
  • Checks whether directory listing is enabled on the WordPress content directories.

Options of wpscan:

Options Description
--url URL Mandatory. The URL of the WordPress site to scan.
-o FILE Writes the output to the given file in addition to the terminal.
--hh Displays the full help (-h shows only the short help).
--detection-mode MODE

Controls how the version, plugins and themes are detected. Available modes are:

  1. mixed (default): passive detection first, then aggressive requests for anything that still needs confirmation.
  2. passive: only inspects the pages wpscan fetches anyway, such as the homepage, so it sends the fewest requests and is the least likely to trip a WAF.
  3. aggressive: requests known file paths directly (for example plugin readme files), which is the most complete but also the noisiest.
--force Skips the check that the target actually runs WordPress.
--api-token TOKEN Token for the WPScan vulnerability database API. Without it, wpscan reports versions but not the known vulnerabilities for them.

API Token:

The --api-token option takes a token for the WPScan vulnerability database (wpscan.com), which is what turns a list of detected versions into a list of known vulnerabilities. Registering a free account provides a token with a limited number of API requests per day. Without a token, wpscan still shows the versions of core, plugins and themes and the other enumeration results, but no vulnerability entries.

wpscan --url https://abc.com --api-token <token>

For each detected component that has entries in the database, the output lists the vulnerability titles together with references and the version in which each was fixed.

At the end of the scan wpscan also prints how many API requests the scan used and how many remain for the day.

Examples:

wpscan --url https://abc.com -o ./Desktop/wordpress.txt


wpscan --hh


Without the --force option, wpscan aborts when the target does not look like a WordPress site, printing a message that the remote site is not up or does not seem to be running WordPress.

However, if you know for a fact that the site does run WordPress (for example because the detection was defeated by a plugin that strips the usual fingerprints), you can use the --force option, as shown below, to skip that check and scan it anyway.

wpscan --url https://abc.com/ --force

In some cases the site owner has hardened the site against enumeration, for example with a WAF that answers scanner traffic with 403 or a rate limit that drops the requests, and even with the --force option the scan fails with an error. The --random-user-agent and --throttle options reduce the chance of being blocked, but if the target still refuses the scan, either try other tools or let it be.
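The following script ties the options above together. It is a worked example added to this article and is not part of the original page or of WPScan itself. It stores the API token in WPScan's configuration file (~/.wpscan/scan.yml, the location the WPScan README documents for keeping the token off the command line) so the token does not appear in ps output or shell history, as it does when passed with --api-token; it rejects unknown detection modes; it makes the default http:// scheme explicit the same way wpscan does; and it adds the brute-force option only when the caller explicitly supplies a wordlist. The function names, the TARGET, MODE, OUTFILE, PASSWORDS and WPSCAN_API_TOKEN environment variables, and the 0600 file permission are this example's own choices, not wpscan conventions.

```shell
#!/bin/sh
# Added example: a small wrapper around wpscan (not part of the original
# article or of WPScan). wpscan itself is only needed by run_wpscan.
set -eu

# Store the API token in WPScan's config file (~/.wpscan/scan.yml, the
# location documented in the WPScan README) instead of passing it with
# --api-token, which exposes it in `ps` output and shell history.
# $1 = token, $2 = home directory (defaults to $HOME). Prints the file path.
write_wpscan_config() {
    token=$1
    home=${2:-$HOME}
    dir="$home/.wpscan"
    file="$dir/scan.yml"
    mkdir -p "$dir"
    chmod 700 "$dir"
    # umask in a subshell so the restrictive mask does not leak out.
    ( umask 077; printf 'cli_options:\n  api_token: %s\n' "$token" > "$file" )
    chmod 600 "$file"   # 0600 is this example's choice, not a wpscan requirement
    printf '%s\n' "$file"
}

# Print one wpscan argument per line.
# $1 = target URL, $2 = detection mode (mixed|passive|aggressive),
# $3 = output file or empty, $4 = password wordlist for brute force or empty.
build_wpscan_args() {
    url=$1
    mode=${2:-mixed}
    outfile=${3:-}
    passwords=${4:-}

    case "$mode" in
        mixed|passive|aggressive) ;;
        *) echo "unknown detection mode: $mode" >&2; return 1 ;;
    esac

    # wpscan assumes http:// when the scheme is missing; make it explicit so
    # the URL that was actually scanned is visible in logs and output files.
    case "$url" in
        http://*|https://*) ;;
        *) url="http://$url" ;;
    esac

    # vp/vt = plugins/themes with known vulnerabilities, u = users,
    # cb = config backups, dbe = database exports. JSON output is the
    # format to use when another tool will consume the results.
    printf '%s\n' --url "$url" --detection-mode "$mode" \
        --enumerate vp,vt,u,cb,dbe --random-user-agent --format json
    if [ -n "$outfile" ]; then
        printf '%s\n' --output "$outfile"
    fi
    # Password brute forcing is the one option that attacks the target, so
    # it is only added when a wordlist is passed explicitly.
    if [ -n "$passwords" ]; then
        printf '%s\n' --passwords "$passwords"
    fi
}

# Run wpscan with the arguments from build_wpscan_args, splitting on
# newlines only so that paths containing spaces stay intact.
run_wpscan() {
    args=$(build_wpscan_args "$@") || return 1
    set -f                    # no globbing while splitting
    IFS='
'
    set -- $args
    unset IFS
    set +f
    wpscan "$@"
}

# Usage: WPSCAN_API_TOKEN=... TARGET=https://blog.example ./wpscan-wrapper.sh
# Optional: MODE=passive OUTFILE=scan.json PASSWORDS=/path/to/wordlist
if [ -n "${TARGET:-}" ]; then
    if [ -n "${WPSCAN_API_TOKEN:-}" ]; then
        write_wpscan_config "$WPSCAN_API_TOKEN" >/dev/null
    fi
    run_wpscan "$TARGET" "${MODE:-mixed}" "${OUTFILE:-}" "${PASSWORDS:-}"
fi
```

Because the token lives in ~/.wpscan/scan.yml, the wpscan command line that run_wpscan executes contains no secret, and the scan.yml file is readable only by the user who created it. The brute-force step is opt-in by design: a scan that runs unattended with PASSWORDS unset never sends a single login attempt to the target.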
