Open In App

WPrecon – Vulnerability Recognition Tool In CMS WordPress

Last Updated : 23 Aug, 2021
Improve
Improve
Like Article
Like
Save
Share
Report

A vulnerability is a flaw that could compromise an information system or Web Application’s confidentiality, integrity, or availability. Vulnerability identification involves the process of discovering vulnerabilities and documenting these into an inventory within the target environment. Vulnerability Recognition is the crucial step in penetration testing. So to perform this step, there are various methods. Wprecon is an automated script designed in the Golang language used to recognize the vulnerability in WordPress sites. However, it can work with Non-WordPress sites too. Wprecon (WordPress Recon) is a vulnerability recognition tool in CMS WordPress. Wprecon enumerates the usernames, enumerates the plugins, and performs brute-forcing to find out credentials on the target domain.

Note: As Wprecon is a Golang language-based tool, so you need to have a Golang environment on your system. So check this link to install Golang in your system. – Install Go language in Linux

Features of Wprecon Tool

  • Wprecon tool is used to find the vulnerability in WordPress CMS.
  • Wprecon tool is designed in the Golang language.
  • Wprecon enumerates usernames and plugins used on the site.
  • Wprecon performs brute-forcing of credentials.
  • Wprecon tool is open-source and free to use.
  • Wprecon tool performs Detection of WAF.
  • Wprecon tool has support to proxy.

Installation of Wprecon Tool on Kali Linux OS

Step 1: If you have downloaded Golang in your system, verify the installation by checking the version of Golang, use the following command.

go version

Step 2: Get the Wprecon repository or clone the Wprecon tool from Github, use the following command.

sudo go get github.com/blackbinn/wprecon

Step 3: Move the directory to the location where the Wprecon tool is cloned.

cd $(go env GOPATH)/src/github.com/blackbinn/wprecon

Step 4: List the contents of the directory using the following command

ls

Step 5: Build the tool for downloading additional Github repositories

sudo make build

Step 6: Check the help menu page to get a better understanding of the Wprecon tool, use the following command.

wprecon -h

Working with Wprecon Tool on Kali Linux OS

WordPress CMS Target 1 – geeksforgeeks.org

In this Example, We are performing WordPress Recon on WordPress Site i.e geeksforgeeks.org

Example 1: Enumerate WordPress Users

wprecon --url https://geeksforgeeks.org

1. In this Example, We are enumerating the users which are associated with the target domain geeksforgeeks.org. We have got the list of Users who are linked with geeksforgeeks.org

Example 2: Enumerate WordPress Plugins

wprecon --url https://geeksforgeeks.org

1. In this Example, We are enumerating WordPress Plugins used in the target domain.

Example 3: Fuzz sub-command WPrecon

wprecon fuzz -u “https://geeksforgeeks.org” –backup-file –random-agent

In this example, We will be fuzzing the back files if available on the target domain. In the below Screenshot, You can see that no Back-Up files are available on geeksforgeeks.org.

WordPress CMS Target 2 – secnhack.in

1. In this example, We will be targeting the domain which is designed using WordPress.

Example 1: Enumerate WordPress Users

wprecon --url https://secnhack.in

 In this Example, We are enumerating the users which are associated with the target domain secnhack.in. We have got the list of Users who are linked with secnhack.in

Example 2: Enumerate WordPress Plugins

wprecon --url https://secnhack.in

In this Example, We are enumerating WordPress Plugins used in the target domain.

Example 3: Set usernames attack passwords and Set wordlist attack passwords.

wprecon fuzz -u “https://secnhack.in” user -P /home/kali/Desktop/rockyou.txt

1. In this example, We will be using the Fuzz Subcommand for brute-forcing usernames and passwords credentials on the target domain. We have provided the rockyou.txt file which contains password words.

2. In the below Screenshot, We have displayed the rockyou.txt file contents which consist of possible password words.

More About Wprecon Tool (GUI Version)

No worries if any user feels complex or doesn’t know how to operate the Wprecon tool on Linux Operating System. There is a GUI version of this Wprecon tool which is based on a Web-based application. The link to the GUI-based version is listed below.

https://wprecon.com/

Let’s Use GUI Version of the Wprecon tool

1. Our target domain is geeksforgeeks.org.

2. In the below Screenshot, Packets are being sent to the target domain for getting the results.

3. In the below Screenshot, We have got the results of Passive Analysis, which includes WordPress Version, Server details, etc.

4. In the below Screenshot, We have got the details of the Plugins and themes used.

5. In the below Screenshot, We have got the details of Users and Directory Indexing.

6. In the below Screenshot, We have got the details of Linked Sites.

7. In the below Screenshot, We have got the details of JavaScript Resources.



Like Article
Suggest improvement
Previous
Detecting and Checking Rootkits with Chkrootkit and rkhunter Tool in Kali Linux
Next
Subjack - Subdomain Takeover Tool Written in Go
Share your thoughts in the comments

Similar Reads

VulnX – CMS And Vulnerability Detection
CMSsc4n - Tool to identify if a domain is a CMS
CMSeeK - CMS Detection and Exploitation Tool
Juumla - Tool Designed To Identify And Scan For Version, Config Files In The CMS Joomla
Auto Scanning to SSL Vulnerability - A2SV Tool in Kali Linux
Fuxploider - File Upload Vulnerability Scanner And Exploitation Tool
Red Hawk - Information Gathering and Vulnerability Scanning Tool in Kali Linux
JoomScan Vulnerability Scanner Tool in Kali Linux
PwnXSS - Automated XSS Vulnerability Scanner Tool in Kali Linux
RapidScan – The Multi-Tool Web Vulnerability Scanner in Kali Linux

G
gauravgandal
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox