wpbf is a Python-based bruteforce tool for remotely testing password strength, enumerating usernames and detecting plugins on a WordPress site.
How It Works
Features:
- Username enumeration and detection (TALSOFT-2011-0526, Author’s archive page, and content parsing)
- Threads
- Use keywords from blog’s content in the wordlist
- HTTP Proxy Support
- Basic WordPress fingerprint (version and full path)
- Advanced plugin fingerprinting (bruteforce, discovery and version/documentation)
- Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
- Advanced logging using Python’s logging library and logging configuration file
Usage:
wpbf.py [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY] [-nk] [-eu] url

wpbf will audit and bruteforce your WordPress installation to test password
strength, server configuration, users and installed plugins. It Currently
supports threads and HTTP proxy and provides a very small default wordlist (a
dynamic wordlist is generated by default from the blog's content) and basic
username detection.

positional arguments:
  url                   base URL where WordPress is installed

optional arguments:
  -h, --help            show this help message and exit
  -w WORDLIST, --wordlist WORDLIST
                        worldlist file (default: wordlist.txt)
  -nk, --nokeywords     don't search keywords in content and add them to the
                        wordlist
  -u USERNAME, --username USERNAME
                        username (default: None)
  -s SCRIPTPATH, --scriptpath SCRIPTPATH
                        path to the login form (default: wp-login.php)
  -t THREADS, --threads THREADS
                        how many threads the script will spawn (default: 5)
  -p PROXY, --proxy PROXY
                        http proxy (ex: http://localhost:8008/)
  -nf, --nofingerprint  don't fingerprint WordPress
  -eu, --enumerateusers
                        only enumerate users (withouth bruteforcing)
  -mu MAXUSERS, --maxusers MAXUSERS
                        maximum number of usernames to enumerate (default: no
                        limit)
  -eut ENUMERATETOLERANCE, --enumeratetolerance ENUMERATETOLERANCE
                        user ID gap tolerance to use in username enumeration
                        (default: 3)
  -nps, --nopluginscan  skip plugin bruteforce, enumeration and fingerprint
  -ds, --dontstop       don't stop when password is found, continue with all
                        pending tasks
  --test                run python doctests (you can use a dummy URL here)
Examples:
- Basic
$ ./wpbf.py http://www.mysite.com/blog/
- Custom
Using username ‘john’, not using keywords in the wordlist and through a local proxy:
$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/
- Aggressive
It will use default settings and spawn 23 threads:
$ ./wpbf.py -t 23 http://www.mysite.com/blog/
- Username enumeration
Only perform a user enumeration:
$ ./wpbf.py -eu http://www.mysite.com/blog/
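Seen from the server side, the author-archive enumeration and threaded login attempts listed above leave a recognizable pattern in the web server's access log. The following detection sketch is an added example, not part of wpbf: it flags clients that probe several distinct author IDs or send a burst of POSTs to the login form. It assumes author-archive probing shows up as `?author=N` requests, that the log is in common log format, and that the thresholds and sample lines (all constructed here) suit the site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /blog/?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /blog/?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /blog/?author=3 HTTP/1.1" 404 512
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 2891
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 2891
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 2891
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 2891
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 2891
198.51.100.20 - - [10/Oct/2023:14:02:10 +0000] "GET /blog/?author=1 HTTP/1.1" 301 0
198.51.100.20 - - [10/Oct/2023:14:02:40 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def analyze(log_text, login_path="wp-login.php", login_threshold=5, author_threshold=3):
    """Return {client_ip: sorted findings} for clients at or over either threshold."""
    author_ids = defaultdict(set)   # distinct ?author=N values requested per client
    login_posts = defaultdict(int)  # POSTs to the login form per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target = m.groups()
        url = urlsplit(target)
        if method == "GET":
            for value in parse_qs(url.query).get("author", []):
                if value.isdigit():
                    author_ids[ip].add(int(value))
        elif method == "POST" and url.path.endswith("/" + login_path):
            login_posts[ip] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append("author-id enumeration")
    for ip, count in login_posts.items():
        if count >= login_threshold:
            findings[ip].append("login bruteforce")
    return {ip: sorted(f) for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, found)
```

The counts here cover the whole excerpt; on a live log, apply the same counters per time window, and set `login_path` to match a relocated login form.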