
wpbf tests whether your WordPress blog is hard to bruteforce, or whether the passwords in use are weak and need to be changed. Quick and easy, it lets you remotely audit your WordPress blogs and reports weak passwords, usernames and installed plugins.

Features

Download

You can download this project in either zip or tar formats or clone the project from our GitHub repository by running:

$ git clone git://github.com/atarantini/wpbf

Install

The only dependency needed to run wpbf is Python 2.6 or newer, which most operating systems already ship. Uncompress the downloaded file into any directory and run the script with ./wpbf.py:

$ ./wpbf.py

Documentation and License

Full documentation and usage instructions are in the README file of the GitHub repository.

wpbf repository on GitHub

License GPLv3

Author Andres Tarantini (atarantini@gmail.com)

Usage

Basic

In this example, wpbf will run a bruteforce test using the default settings (you can change the defaults in config.py). It will enumerate usernames, find keywords and plugins, use the static+generated wordlist to bruteforce each user, and try to guess the WordPress path on the server:

$ ./wpbf.py http://localhost/wordpress/
2012-02-26 14:26:18,793 - INFO - Target URL: http://localhost/wordpress/
2012-02-26 14:26:18,844 - INFO - Checking URL and username...
2012-02-26 14:26:18,845 - INFO - Enumerating users...
2012-02-26 14:26:52,027 - INFO - Usernames: admin, test, guest
2012-02-26 14:26:54,153 - INFO - 31 plugins will be tested
2012-02-26 14:26:55,311 - INFO - 215 passwords will be tested
2012-02-26 14:26:55,369 - INFO - Starting workers...
2012-02-26 14:26:56,685 - INFO - WordPress version: 3.0.1
2012-02-26 14:26:57,570 - INFO - WordPress path in server: /var/www/wordpress/
2012-02-26 14:27:08,624 - INFO - Plugin 'akismet' was found
2012-02-26 14:27:10,292 - INFO - Plugin 'akismet' version: 2.5.5 (more info @ http://localhost/wordpress/wp-content/plugins/akismet/readme.txt)
221 tasks left / 2.1 tasks per second / 1.76min left
199 tasks left / 2.2 tasks per second / 1.51min left
172 tasks left / 2.7 tasks per second / 1.06min left
21 tasks left / 1.6 tasks per second / 0.22min left
2012-02-26 14:57:23,245 - INFO - Password 'qawsed' found for username 'admin' on http://localhost/wordpress/wp-login.php
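The "static+generated wordlist" mentioned above combines a bundled list of common passwords with words pulled from the blog's own content, so that site-specific terms (product names, tags, author names) get tried too. The following Python 3 snippet is an added illustration of that idea and is not wpbf's own code: the sample HTML, the tiny static list, the stop-word list and the mutation rules are all assumptions chosen for the example. It also shows the effect of the --nokeywords option from the Custom section, which drops the content-derived words.

```python
"""Added example: build a static+generated password list from blog content.
Illustrative only; not wpbf's implementation. Sample data is constructed."""
import re
from html.parser import HTMLParser

# Constructed sample of a blog page (not taken from any real site).
SAMPLE_HTML = """<html><head><title>Acme Gardening Blog</title></head>
<body><h1>Welcome to Acme Gardening</h1>
<p>Tomatoes, basil and compost: the Acme team shares gardening tips.</p>
<p>Posted by admin on 2012-02-26. Tags: tomatoes, compost</p>
</body></html>"""

# Stand-in for a bundled static wordlist (assumption; a real one is far longer).
STATIC_WORDLIST = ["password", "123456", "qwerty", "admin", "letmein"]

# Words too generic to be worth trying as passwords (assumed list).
STOPWORDS = {"the", "and", "to", "on", "by", "of", "a", "in",
             "welcome", "posted", "tags"}
MIN_KEYWORD_LEN = 4


class TextExtractor(HTMLParser):
    """Collect the visible text of an HTML document, tags stripped."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def extract_keywords(html, min_len=MIN_KEYWORD_LEN):
    """Return unique lower-cased words from the page text, in order of
    first appearance, skipping short words and stop-words."""
    parser = TextExtractor()
    parser.feed(html)
    words = re.findall(r"[A-Za-z]+", " ".join(parser.chunks))
    seen = []
    for word in words:
        word = word.lower()
        if len(word) >= min_len and word not in STOPWORDS and word not in seen:
            seen.append(word)
    return seen


def mutate(word):
    """Simple variations typical of weak passwords (assumed rules)."""
    return [word, word.capitalize(), word + "1", word + "123", word + "!"]


def build_wordlist(html, username, static=STATIC_WORDLIST, use_keywords=True):
    """Static list + username variants + (optionally) keyword variants,
    de-duplicated while preserving order so common guesses go first."""
    candidates = list(static)
    candidates.extend(mutate(username))
    if use_keywords:  # use_keywords=False mirrors wpbf's --nokeywords
        for keyword in extract_keywords(html):
            candidates.extend(mutate(keyword))
    ordered, seen = [], set()
    for candidate in candidates:
        if candidate not in seen:
            seen.add(candidate)
            ordered.append(candidate)
    return ordered


if __name__ == "__main__":
    for pw in build_wordlist(SAMPLE_HTML, "admin"):
        print(pw)
```

Note that the constructed page leaks the author name "admin" in its text, so that word lands in the keyword list as well; this is the same kind of signal a username enumeration step relies on, and it is why checking what your blog publishes about its users is part of the audit.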

Username enumeration only

The '-eu' or '--enumerateusers' parameter only performs username enumeration and lists the usernames found:

$ ./wpbf.py -eu http://www.mysite.com/blog/

Aggressive

You can spawn more threads to speed up the bruteforce process. Be aware that a large number of threads can overload the target server or cause a denial of service, so agree on a limit with the site owner before an audit. For this example we will spawn 23 threads:

$ ./wpbf.py -t 23 http://www.mysite.com/blog/
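A run like the one above is easy to see from the server side: it shows up as a burst of POST requests to wp-login.php from one source, and a successful guess is the 302 redirect to wp-admin that follows a run of 200 responses (WordPress re-renders the login form with status 200 on a failed login). The Python 3 snippet below is an added example of that detection over Apache combined-format access logs; it is not part of wpbf, the log lines are constructed in the script, and the threshold and window are assumptions to tune for your site.

```python
"""Added example: flag wp-login.php password guessing in access logs.
Not part of wpbf. Sample log lines are constructed; thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    event["status"] = int(event["status"])
    return event


def find_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {"posts": n, "succeeded": bool}} for every source that
    POSTed to wp-login.php more than `threshold` times inside any `window`.
    Every POST is counted regardless of status, because WordPress answers a
    failed login with 200; a 302 from the same source is recorded separately
    as a likely successful guess."""
    posts = defaultdict(list)
    redirected = set()
    for line in lines:
        event = parse_line(line)
        if not event or event["method"] != "POST":
            continue
        if not event["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        posts[event["ip"]].append(event["ts"])
        if event["status"] == 302:
            redirected.add(event["ip"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = {"posts": len(times), "succeeded": ip in redirected}
                break
    return flagged


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line for the sample below."""
    return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (
        ip, ts.strftime(TS_FMT), method, path, status)


# Constructed sample: one legitimate login from 198.51.100.4 and a burst of
# 15 POSTs in 28 seconds from 203.0.113.7 that ends in a 302 (guess found).
_BASE = datetime(2012, 2, 26, 14, 26, 55, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("198.51.100.4", _BASE, "GET", "/wordpress/wp-login.php", 200),
     _line("198.51.100.4", _BASE + timedelta(seconds=12), "POST", "/wordpress/wp-login.php", 302)]
    + [_line("203.0.113.7", _BASE + timedelta(seconds=2 * i), "POST", "/wordpress/wp-login.php", 200)
       for i in range(14)]
    + [_line("203.0.113.7", _BASE + timedelta(seconds=28), "POST", "/wordpress/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print("%s: %d login POSTs, success=%s" % (ip, info["posts"], info["succeeded"]))
```

On a real server, feed it the access log with `find_login_bruteforce(open(path))`; a source that trips the threshold is a candidate for rate limiting or blocking, and a flagged source with `succeeded` set means the password it found should be rotated.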

Custom

Using username 'john', leaving keywords found in the blog content out of the wordlist (--nokeywords), and sending requests through a local proxy (-p):

$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/

For full usage documentation run wpbf with the '-h' or '--help' parameter, or check the README file in the GitHub repository.