Skip to content
Related Articles

Related Articles

Improve Article
Save Article
Like Article

WPrecon – Vulnerability Recognition Tool In CMS WordPress

  • Last Updated : 23 Aug, 2021

A vulnerability is a flaw that could compromise an information system or Web Application’s confidentiality, integrity, or availability. Vulnerability identification involves the process of discovering vulnerabilities and documenting these into an inventory within the target environment. Vulnerability Recognition is the crucial step in penetration testing. So to perform this step, there are various methods. Wprecon is an automated script designed in the Golang language used to recognize the vulnerability in WordPress sites. However, it can work with Non-WordPress sites too. Wprecon (WordPress Recon) is a vulnerability recognition tool in CMS WordPress. Wprecon enumerates the usernames, enumerates the plugins, and performs brute-forcing to find out credentials on the target domain.

Note: As Wprecon is a Golang language-based tool, so you need to have a Golang environment on your system. So check this link to install Golang in your system. – Install Go language in Linux

Features of Wprecon Tool

  • Wprecon tool is used to find the vulnerability in WordPress CMS.
  • Wprecon tool is designed in the Golang language.
  • Wprecon enumerates usernames and plugins used on the site.
  • Wprecon performs brute-forcing of credentials.
  • Wprecon tool is open-source and free to use.
  • Wprecon tool performs Detection of WAF.
  • Wprecon tool has support to proxy.

Installation of Wprecon Tool on Kali Linux OS

Step 1: If you have downloaded Golang in your system, verify the installation by checking the version of Golang, use the following command.

go version

Step 2: Get the Wprecon repository or clone the Wprecon tool from Github, use the following command.



sudo go get github.com/blackbinn/wprecon

Step 3: Move the directory to the location where the Wprecon tool is cloned.

cd $(go env GOPATH)/src/github.com/blackbinn/wprecon

Step 4: List the contents of the directory using the following command

ls

Step 5: Build the tool for downloading additional Github repositories

sudo make build

Step 6: Check the help menu page to get a better understanding of the Wprecon tool, use the following command.



wprecon -h

Working with Wprecon Tool on Kali Linux OS

WordPress CMS Target 1 – geeksforgeeks.org

In this Example, We are performing WordPress Recon on WordPress Site i.e geeksforgeeks.org

Example 1: Enumerate WordPress Users

wprecon --url https://geeksforgeeks.org

1. In this Example, We are enumerating the users which are associated with the target domain geeksforgeeks.org. We have got the list of Users who are linked with geeksforgeeks.org

Example 2: Enumerate WordPress Plugins

wprecon --url https://geeksforgeeks.org

1. In this Example, We are enumerating WordPress Plugins used in the target domain.

Example 3: Fuzz sub-command WPrecon



wprecon fuzz -u “https://geeksforgeeks.org” –backup-file –random-agent

In this example, We will be fuzzing the back files if available on the target domain. In the below Screenshot, You can see that no Back-Up files are available on geeksforgeeks.org.

WordPress CMS Target 2 – secnhack.in

1. In this example, We will be targeting the domain which is designed using WordPress.

Example 1: Enumerate WordPress Users

wprecon --url https://secnhack.in

 In this Example, We are enumerating the users which are associated with the target domain secnhack.in. We have got the list of Users who are linked with secnhack.in

Example 2: Enumerate WordPress Plugins

wprecon --url https://secnhack.in

In this Example, We are enumerating WordPress Plugins used in the target domain.



Example 3: Set usernames attack passwords and Set wordlist attack passwords.

wprecon fuzz -u “https://secnhack.in” user -P /home/kali/Desktop/rockyou.txt

1. In this example, We will be using the Fuzz Subcommand for brute-forcing usernames and passwords credentials on the target domain. We have provided the rockyou.txt file which contains password words.

2. In the below Screenshot, We have displayed the rockyou.txt file contents which consist of possible password words.

More About Wprecon Tool (GUI Version)

No worries if any user feels complex or doesn’t know how to operate the Wprecon tool on Linux Operating System. There is a GUI version of this Wprecon tool which is based on a Web-based application. The link to the GUI-based version is listed below.

https://wprecon.com/

Let’s Use GUI Version of the Wprecon tool

1. Our target domain is geeksforgeeks.org.



2. In the below Screenshot, Packets are being sent to the target domain for getting the results.

3. In the below Screenshot, We have got the results of Passive Analysis, which includes WordPress Version, Server details, etc.

4. In the below Screenshot, We have got the details of the Plugins and themes used.

5. In the below Screenshot, We have got the details of Users and Directory Indexing.

6. In the below Screenshot, We have got the details of Linked Sites.

7. In the below Screenshot, We have got the details of JavaScript Resources.




My Personal Notes arrow_drop_up
Recommended Articles
Page :

Start Your Coding Journey Now!