WPScan was written in Perl and is a great tool for testing your WordPress security and the prevention of brute force attacks. This script is also included in the backtrack pen-testing Linux distribution.
Currently what this Perl script can do:
- Username enumeration (from author querystring and location header)
- Weak password cracking (multithreaded)
- Version enumeration (from generator meta tag and from client-side files)
- Vulnerability enumeration (based on version)
- Timbthumb file enumeration
- Plugin enumeration (2220 most popular by default)
- Plugin vulnerability enumeration (based on plugin name)
- Plugin enumeration list generation
- Other misc WordPress checks (theme name, dir listing, …)
Useful commands contained in the script:
Only the ‘–url’ option: Enumerate wordpress usernames. The ‘–wordlist’ option: Enumerate wordpress usernames. Start a dictionary attack on all usernames enumerated. The ‘–username’ option: Specify a single username to start the dictionary attack on.
A quick demonstration in backtrack:
I need a really really simple perl script or any automatic script you can code , Basically i need to have a .txt file where i can paste urls eg – http://www.domain.com/admin
And i need the script to automatically try username ” Admin ” and then my password list which is only a custom admin login dictionary.
So basically i’m scanning for admin logins with easy to guess passwords.
Can you do this, it is not illegal it is for pen-test purposes
I would like to run this script in Linux-Backtrack 5.
*** Similar to this script http://www.securitytube.net/video/4447 ***
But i need to add multiple URLS to the txt file and add my own password dictionary.txt