WordPress Brute Force Tool
Following on from my previous post, Patching WordPress Username Disclosure, I got bored over the weekend and decided to implement Veronica Valeros’s username disclosure technique in a WordPress password brute force tool.
It is nothing revolutionary or difficult to code, but it may come in handy one day on a pentest or web application assessment, mainly to automate the process.
Currently you can use the tool in 3 different ways.
Patching WordPress Username Disclosure
On May 26th Veronica Valeros of Talsoft S.R.L. posted a security advisory on the Full Disclosure mailing list outlining a username disclosure vulnerability via a Direct Object Reference.
This is a problem in itself; however, what was more interesting to me was Zerial’s reply to the advisory:
“Also you can “enumerate” wordpress users using the wp-login.php. When you enter a non-existent user wordpress returns “Invalid username” and when you enter a valid user with any random/dummy password, wordpress returns “Invalid Password”. Now you can use brute-force to enumerate all valid users using, for example, a name&username dictionary.”
Ethical Hacking Degrees – the good, the bad, the ugly
I often get emails (yes, people actually email me) around September time from young students who have come across this blog wanting to know more about doing Ethical Hacking at university level. I am writing this blog post in part to prevent myself from asking these young people for money for my time in replying to all of their questions. Also there seems to be a lot of misinformation about doing degrees related to computer/information security within the community.
Now, you may be thinking… Ryan has invested countless thousands of pounds and four years of his life in his Ethical Hacking degree so he is bound to be biased. Well, I guess if I wasn’t a little biased then I wouldn’t be human, but I am going to try to be as honest as possible.
DO NOT CLICK!
So I was listening to the latest PaulDotCom security weekly podcast episode 232 via my SecurityPodcasts Boxee app where Mike Murr or Murray or both?! were talking about effective Phishing and how to be 110% successful.
My phishing experience is minimal so I decided to find out for myself how easy it was to get people to click on ‘malicious’ hyperlinks. I did this by tweeting the following from my ethicalhack3r Twitter account.

“DO NOT CLICK => http://bit.ly/eIC1Y2”
As you can see I tweeted the words “DO NOT CLICK =>” followed by a shortened bit.ly hyperlink. I suspect that most of my (at the time of writing) 3000 followers are in some way interested in information security and are all well aware of the potential risks of clicking unknown shortened hyperlinks. Or so you would think.



