These 10 enumeration techniques are a very fast way to identify users of a WordPress installation. With valid usernames effective brute force attacks can be attempted to guess the password of the user accounts.

Introduction to WordPress Security

There are many common attack vectors that hackers use to attack a WordPress website. In this article we expose many of the common avenues for attack. By revealing these, you can help build your website’s defenses against WordPress attacks.

There are some great guides available on securing a WordPress installation, this article is not intended to repeat those. To get started with securing a WordPress installation, try the excellent guide on wordpress.org or the comprehensive guide on the OWASP site.

It is noteworthy that in a managed WordPress hosting service, some of the attacks (and mitigation) listed below will be the responsibility of the hosting provider. If you are self hosting then security and maintenance is your responsibility. Ready to start? Grab our hoodie and start hacking!

In this article we are going to discuss several ways to identify the valid usernames of any WordPress website.

Table Of Contents:

1.Usernames enumerating through the Author Archives

2.WordPress Enumeration via JSON API

3.WordPress Enumeration via the Login Form

4.Enumerating WordPress Core Version

5.WordPress Plugin (and version) Enumeration

6. WordPress Theme Enumeration

7.Directory Indexing

8.Server Vulnerability Testing

9.WP Scan

10.Nmap NSE Scripts for WordPress

1.Enumerate Usernames Through the Author Archives :

In many WordPress installations, it is possible to enumerate WordPress usernames through the author archives, including the admin username. To access the author archives, we just need to add author=n (where n equals any integer) as a parameter to the WordPress home page, as shown below:

http://example.com/?author=1

The request will be automatically redirected by WordPress to its counterparts:

http://example.com/author/admin/

Using this method, we will be able to identify all the usernames by fuzzing the author parameter.

2.WordPress Enumeration via JSON API :

Using a json endpoint, it may be possible to get a list of users on the site. This was restricted in version 4.7.1 that shows only the user that has published a post and the user that has been configured. Prior to this version, all the users were shown by default.

https://wordpressexample.com/wp-json/wp/v2/users

User Enumeration via the JSON user Endpoint

3.WordPress Enumeration via the Login Form :

You must confirm valid users with the login form. Brute forcing the user name is possible using the login form as the response is different for a valid as opposed to an invalid account. Using a tool such as Burp Intruder in Burp Suite, we would load a list of possible usernames and cycle through HTTP POST requests to the WordPress login form, examining the response in each case.

A HTTP response that matches “invalid password” indicates that the username is valid. We could then move on to attacking the password using the same process with a common password list.

4.Enumerating WordPress Core Version :

Three simple methods can be used to determine the core version of WordPress.

4.1 Meta Generator

Check the HTML source of the page for a meta generator tag in the HEAD section of the HTML source. This example is taken from the source of a default WP install of the version 3.5.2 and of twenty twelve theme. From the source HTML:

<meta name="generator" content="WordPress 3.5.2" />

4.2 Version in readme.html

If the meta tag has been disabled, check for the presence of /readme.html from root of the install. Early versions of WordPress had the version right there at the top of the Read Me file. But the newer versions of WordPress have removed the version from the ReadMe file.

Version in HTML source of site.

In the HTML source, the version is often appended as a parameter on links to javascript and css resources that the page is loading. Depending on the plugin, this will not always be the case and sites that have minified js and css may not have all this information leaks present.

4.3 Security Vulnerabilities in WordPress Core

If an attacker finds a site with an older WordPress Core version, this may be directly exploitable via a security vulnerability in the WordPress core, In addition, it is a clear indication that the site is not well maintained. In a poorly managed site, other components (plugins / themes) may not have been updated; in this case, the chance of a successful attack has increased considerably.

5.WordPress Plugin (and version) Enumeration :

During WordPress Plugin Enumeration, we attempt to find as many installed plugins as we can (even those that are disabled). The knowledge of the installed WordPress plugins may allow us to identify the version and research whether it is vulnerable to known exploits.

Passive analysis: It can be used to find plugins through regular HTTP requests to the WordPress site.
Active enumeration: It is more aggressive and usually involves using a script or tool to perform hundreds or even thousands of mostly invalid HTTP requests.

Reading through the HTML source of the WordPress site can reveal installed plugins through javascript links, comments and resources, such as CSS that are loaded into the page. These are the easiest plugins to discover and require no aggressive testing of the target site. Even the HTTP headers can reveal information such as the X-Powered-By header that reveals the presence of the W3-Total-Cache plugin. Some plugins do not leave traces in the HTML source; to find all the installed plugins you have to be more aggressive. A number of tools can brute force known plugin lists from the path /wp-content/plugins/ * plugin to test * /. The web server response will usually reveal valid directories (often with HTTP 403) as opposed to unknown directories on the web server with its HTTP response code.

Once you have a list of plugins that are present on the site, your WordPress scanner or manual requests can be used to determine the version of the plugin. In the readme.txt, we can see the version of the plugin. Compare this against known exploits and we can get a good idea if the site is vulnerable without actually throwing the exploit.

6. WordPress Theme Enumeration :

WordPress themes can contain vulnerabilities that might expose the site to compromise. Themes are collections of PHP code with HTML and CSS resources. More complex themes have more included components and are more likely to introduce security vulnerabilities. The enumeration of the theme is similar to the detection of plugins. The theme path is often visible in the HTML of the page source. The CSS file getting loaded from the theme will often reveal the path. With the path we have the theme name, and we can load the readme.txt to confirm the theme in use and its version.

curl http://examplewp.com/wp-content/themes/Avada/readme.txt

An important consideration when testing for vulnerable WordPress Themes (and plugins) is that a theme that is installed yet not active may still have code that is accessible and vulnerable. This is why brute force testing for theme paths is an important step when assessing an unknown WordPress installation.

7.Directory Indexing :

Directory indexing enabled on plugins directory. Directory indexing is a function of the web server that allows you to view the contents of a directory in the web accessible path. Viewing the contents of a directory allows an attacker to gather valuable information about the installation such as installed plugins and themes without the need to brute force the paths.

To check for directory indexing, you can browse to folder locations and see if you get a response that includes “Index Of” and a list of folders / files. Common locations to check would be:

/wp-content/
/wp-content/plugins/
/wp-content/themes/
/uploads/
/images/

8.Server Vulnerability Testing :

In this phase, we move into testing network services rather than direct testing of the WordPress installation. Port scanning is the standard technique for the discovery of network services running on the server.

Services that might be present on a WordPress host:

MySQL Server Remotely Accessible (port 3306)
CPANEL administration login portal (port 2082 / 2083)
Webmin administration (port 10000)
FTP service for file system access
SSH for remote control
Other web services with admin or other sites (port 8080 / 8888 etc)

Any of the above services may allow access to or control of the server through either a security vulnerability or a compromised password. Port scanning can be conducted using the excellent Nmap Port Scanner or an alternative security tool. Carrying on from our enumeration of network services using the port scanner, we could run vulnerability scans against the discovered services to identify exploitable services or other items of interest.

8.1 Nikto Vulnerability Scanner

Nikto is another vulnerability scanner that focuses on the discovery of known vulnerable scripts, configuration mistakes and other web server items of interest. The Nikto tool has been around for many years yet still finds a place in the penetration testers toolbox. Tools such as this throw tens of thousands of tests against the target in an attempt to discover known vulnerabilities and other low hanging fruits. It is a noisy process filling the target system logs with 404’s and other errors. Not recommended if you are going after a target ninja style (pentest / red team).

9.WPScan :

WPScan is a popular WordPress security testing tool that ties many of these simple enumeration techniques together, enabling users to quickly enumerate a WordPress installation. It has a commercial license that restricts the use for personal testing of WordPress sites and non-commercial usage.It attempts to identify users, plugins, and themes, depending on the selected command line options, and also show vulnerabilities for each of the discovered plugins.

https://github.com/wpscanteam/wpscan

10.Nmap NSE Scripts for WordPress :

Nmap comes bundled with NSE scripts that extend the functionality of this popular port scanner. A few of the Nmap NSE scripts are particularly helpful for enumerating WordPress users, plugins, and themes using the same techniques we have previously discussed. The best thing about this option is that if you have Nmap installed, you already have these scripts ready to go.

┌─[root@Dasagreeva]─[/usr/share/nmap/scripts]
└──╼ #ls -lha |grep wordpress
-rw-r--r-- 1 root root 5.0K Nov 26 14:51 http-wordpress-brute.nse
-rw-r--r-- 1 root root 11K Nov 26 14:51 http-wordpress-enum.nse
-rw-r--r-- 1 root root 4.6K Nov 26 14:51 http-wordpress-users.nse

The post WordPress Enumeration appeared first on Armour Infosec.

Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.

Nmap in a nutshell

• Target Specification
• Host Discovery
• Port Specification
• Service Discovery / Version Detection
• Operating System Version Detection
• Firewall / IDS Evasion and Spoofing
• Time and Performance based Scan
• Output of Scan
• Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Target Specification

Scan a single IP

nmap 192.168.1.1

Scan specific IPs

nmap 192.168.1.1 192.168.1.5

Scan a Range

nmap 192.168.1.1-254

Scan a Domain / Host

nmap nmap scanme.nmap.org

Scan Targets from a File

namp -iL targets.txt

Exclude the Listed Host from the Target Range

nmap --exclude 192.168.1.5 192.168.1.1-10

Host Discovery

To List given targets only, no Scan

nmap -sL 192.168.1.1-3

To Disable Port Scanning, Host Discovery only

nmap -sn 192.168.1.1/24

To Disable Host Discovery. Port scan only

nmap -Pn 192.168.1.1-5

TCP SYN discovery on given port

nmap -PS 80,21 192.168.1.1

TCP ACK discovery on given port

nmap -PA 80,21 192.168.1.1

UDP discovery on given port

nmap -PU 53 192.168.1.1

Port Specification

Scan a given Port (i.e 21 here)

nmap -p 21 192.168.1.1

Scan the given Port Range

nmap -p 21-100 192.168.1.1

Scan the multiple TCP and UDP ports

nmap -p U:53,T:21-25,80 192.168.1.1

Scan all 65535 ports

nmap -p- 192.168.1.1

Scans the given Service Name

nmap -p http,https 192.168.1.1

Scans the Top 100 ports

nmap -F 192.168.1.1

Service Discovery / Version Detection

Detect Version of the Running Services

nmap -sV 192.168.1.1

To set intensity range between 0 to 9. Higher number increases possibility of correctness

nmap -sV --version-intensity 5 192.168.1.1

To enable the light mode(intensity =2). It is faster but have less possibility of correctness

nmap  -sV --version-light 192.168.1.1

To enables the intense mode(intensity =9). It is slower but have more possibility of correctness

nmap -sV --version-all 192.168.1.1

Operating System Version Detection

Detect the Operating system

nmap -sV 192.168.1.1

Aggressive mode i.e OS, Service Version, Trace route.

nmap -A 192.168.1.1

Firewall / IDS Evasion and Spoofing

Use tiny fragmented IP packets. Its harder for packet filters

nmap -f 192.168.1.1

Used to set our own offset size

nmap --mtu 32 192.168.1.1

Use the Spoofed IP to scan

nmap -D decoy-ip1,decoy-ip2, your-own-ip remote-host-ip

Scans target.com from example.com (Domain Name Spoofing)

nmap -S example.com target.com

Uses the given port as a source

nmap -g 53 192.168.1.1

Appends random data to sent packets

nmap --data-length 200 192.168.1.1

Time and Performance based Scan

Slow scan

nmap -T0 192.168.1.1

Sneaky scan

nmap -T1 192.168.1.1

Timely scan

nmap -T2 192.168.1.1

Default scan

nmap -T3 192.168.1.1

Aggressive scan

nmap -T4 192.168.1.1

Very Aggressive scan

nmap -T5 192.168.1.1

Output of Scan

To scan in the Verbose mode (-vv for greater effect)

nmap -v 192.168.1.1

Save the scan results to the scan.file

nmap 192.168.1.1 -oN scan.file

Save the results in xml.file

nmap 192.168.1.1 -oX xml.file

Save the results in grep.file

nmap 192.168.1.1 -oG grep.file

Saves the Output in the three major formats at once

nmap 192.168.1.1 -oA result

To scan in the debug mode (-dd for greater effect)

nmap 192.168.1.1 -d

To see all the packets sent and received

nmap 192.168.1.1 -T4 --packet-trace

Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Scan with default NSE Scripts

nmap 192.168.1.1 -sC

Scan with given NSE Script ( Example: nmap.nse )

nmap 192.168.1.1 --script=nmap.nse

Use script with arguments

nmap 192.168.1.1 –script=nmap.nse --script-args user=admin

The post Nmap Cheat Sheet appeared first on Armour Infosec.

Stop Tracking ( Disconnect )

Stop tracking with “Disconnect”
– open source and
– loads pages 44% faster.
– save upto 39% of bandwidth
– stops tracking more than 2,000+ third-party sites
– keeps your searches private
– was named the best privacy tool by the New York Times (2016),

https://addons.mozilla.org/en-US/firefox/addon/disconnect/

Cookie Quick Manager

This add-on helps you perform various operations on cookies like viewing, searching, creating, and even editing them.
https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/

HackBar Quantum

Unlike the previous version of Hackbar, this one is compatible with firefox quantum also. This tool helps in testing sql injections, XSS holes and site security.

https://addons.mozilla.org/en-US/firefox/addon/hackbar-quantum/?src=recommended

HTTPS Everywhere

Encrypt the web! With this tool as your add-on, you can apply HTTPS ecryption automatically on all the sites even on those where https: prefix is omitted.

https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/

Greasemonkey

Allows you to customize the way a web page displays or behaves, by using small bits of JavaScript.

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/

Injector

Its a lightweight web app bug finder. With the provision of custom injection lists, one can intercept and replay web requests.

https://addons.mozilla.org/en-US/firefox/addon/injector/

User-Agent Switcher and Manager

This is among the coolest ones. You can spoof your user-agent so that it becomes impossible for websites to know specific details about our browser , thus protecting your identity and it also unlocks other utilities like some websites can be made to load much faster if you spoof your user-agent with a mobile device.

https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/

Easy XSS

Its a simple to use plugin. It provides you with a menu of various xss payloads. With just one click it gets copied to clipboard and now all we have to do is to paste it in the desired input tag.

https://addons.mozilla.org/en-US/firefox/addon/easy-xss/

Wappalyzer

While doing web app pentesting, its necessary to know the technologies and the software used in building the app and of course the version also. With wappalyzer, it can all be done with single click.

https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

BuiltWith

Its used in finding the technologies used behind a Web application. If Wappalyzer, misses something out, it can be verified with Buildwith.

https://addons.mozilla.org/en-US/firefox/addon/builtwith/

Web developer

It provides an interface to inspect the HTML, CSS , script code for the web page. You can also edit the code and it will display the current output.

https://addons.mozilla.org/en-US/firefox/addon/web-developer/?src=search

Tor browser

Thats the first thing which pops up in mind when we are talking about online privacy,anonymity and encryption. It’s a modified version of Firefox and it comes with pre-installed privacy add-ons, encryption and an advanced proxy.

https://www.torproject.org/

Tamper Data for FF Quantum

– Monitor live requests
– Edit headers on live requests
– Cancel live requests
– Redirect live requests

Usage: Click the blue cloud in the toolbar to start tampering. When you’re done, click it again to stop.

https://addons.mozilla.org/en-US/firefox/addon/tamper-data-for-ff-quantum/

uBlock Origin

An efficient blocker which at the same time is soft on CPU and memory. It can load and enforce thousands more filters than other popular blockers out there.
Usage: The big power button in the popup is to permanently disable/enable uBlock for the current web site. It applies to the current web site only, it is not a global power button.

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

NoScript Security Suite

This tool allows potentially malicious web content to run only from sites trusted by you. This tool also protects you from attacks like XSS and other web exploits. Its more of defensive rather than offensive tool, still worth trying.

https://addons.mozilla.org/en-US/firefox/addon/noscript/

anonymoX

AnonymoX is an initiative for anonymization on the internet. The aim is to restore the users right of anonymity in the web. Most websites monitor the behaviour of their users, giving the websites hosts the ability to analyze the general users behaviour and create detailed user profiles, which are frequently sold to third parties.

A threat for freedom of speech on the internet manifests in the repression through federal or private organizations. More and more governments censor websites with the excuse of child safety, copyright infringement or the fight against terrorism and thereby limit the freedom of speech.

Easy anonymous web browsing.

– Change your IP-Address and country

– Visit blocked or censored websites.

– Delete cookies, show your public ip, and more

https://addons.mozilla.org/En-us/firefox/addon/anonymox/?src=collection&collection_id=0ec8ac59-73ee-422b-9828-1002ac75369f

The post Best Firefox Addons for Hacking appeared first on Armour Infosec.

http://www.yougetsignal.com/tools/web-sites-on-web-server

The port forwarding tester is a utility used to identify your external IP address and detect open ports on your connection. This tool is useful for finding out if your port forwarding is setup correctly or if your server applications are being blocked by a firewall

http://www.yougetsignal.com/tools/open-ports

The reverse e-mail lookup allows you to quickly find where an e-mail originated from.

http://www.yougetsignal.com/tools/reverse-email-lookup

This tool performs a WHOIS lookup on a remote address. A WHOIS lookup can help determine the owner of a domain name or an IP address on the Internet.

http://www.yougetsignal.com/tools/whois-lookup

The complete free set of network troubleshooting domain testing tools that just work.

DNS Tools:- DNS Lookup, DNS Traversal, DNS Tracer (DNS Traceroute), DNS Blacklist Check (arbl), DNS Recon, Reverse DNS Lookup / Scan, DNS Server Fingerprint.

Network / Internet Tools:- Port Scan (nmap), Trace Route, Tracepath, NetBIOS Scan/Check, Wake On Lan, CIDR/Netmask Calculator, NTP Server Test, MX Records Retriever

Web / HTTP Tools:- SSL Certificate Info, HTTP Header Retrieval, Plain Text WEB/URL Browser, HTTPRecon (HTTP Fingerprinting), Meta Tags Retriever, URL Encode / Decode, RAW URL Encode / Decode, Base64 Encode / Decode

Database Lookups:- RFC Lookup, MAC Address Lookup, Default Password Lookup, Abuse Contact Lookup, IP/Host Locater, WhoIS Lookup

Ping Tools:- Ping, PathPing, TCPing, Ping-Row

https://w3dt.net/

intoDNS checks the health and configuration of DNS and mail servers.

http://www.intodns.com/

Web technology information profiler tool. Find out what a website is built with.

http://builtwith.com/

Domain information, whois & dns report

http://www.domaincrawler.com/

Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.

http://www.domaintools.com/

Find information on any domain name or website. Large database of whois information, DNS, domain names, name servers, IPs, and tools for searching and monitoring domain names

http://www.who.is/

Secure Domain Name Searches, Registration & Availability. Use Our Free Whois Lookup Database to Search for & Reserve

https://www.whois.net/

online tools for the daily administration of networks.

http://en.dnstools.ch/

Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6. Some source code included.

http://centralops.net/co

DNS tools, Network tools, Email tools, DNS reporting and IP information gathering. Explore monitoring products and free DNS tools at DNSstuff.

http://www.dnsstuff.com/

Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.

http://whois.domaintools.com/

View IP information

https://geoiptool.com/

Internet Archive is a non-profit digital library offering free universal access to books, movies & music, as well as 436 billion archived web pages.

https://archive.org/index.php

The most comprehensive people search on the web. Pipl finds high-quality results in pages that cannot be found on regular search engines. Free People Search.

https://pipl.com/

Find people free with Zabasearch directory engine that includes free people search, reverse phone number lookup, address lookup, and more.

http://www.zabasearch.com/

TinEye is a reverse image search engine. Search by image: Give it an image and it will tell you where the image appears on the web.

https://www.tineye.com/

Find search engines from the UK, USA, and many other countries.

http://www.searchenginecolossus.com/

Zuula is an innovative Internet search service that gives its users quick access to web, image, news blog and job search results from all the major search engines.With Zuula, users have the ability to get search results from their favorite search engine, such as Google or Yahoo!, but they also have one-click access to search results from a number of other search engines.

http://zuula.com/

Reverse IP Lookup & Domain Check DNS Tool by myIPneighbors to find all domains hosted on an IP address by domain or IP address.

http://www.myipneighbors.com/

The post Online Information Gathering Tools appeared first on Armour Infosec.