Following on from my previous post Patching WordPress Username Disclosure I got bored over the weekend and decided to implement Veronica Valeros’s username disclosure technique into a WordPress password brute force tool.
It is nothing revolutionary or difficult to code, but it may come in handy one day on a pentest or web application assessment, mainly to automate the process.
Currently you can use the tool in 3 different ways.
Only the ‘–url’ option:
Enumerate wordpress usernames.The ‘–wordlist’ option:
Enumerate wordpress usernames.
Start a dictionary attack on all usernames enumerated.The ‘–username’ option:
Specify a single username to start the dictionary attack on.
I won’t be releasing the tool, not yet anyway, I may release it in future.
Here is a video of it in action:
UPDATE
The video of my tool seems to have raised lots of interest and questions.
Please understand that I think this this tool is quite trivial to code and I am very surprised that it got so much attention.
One question that was raised more than once, was, why did I not release the code?!
The reason I did not release it is because I was considering the ethicality of such a tool being released. I first wanted to guage the interest in such a tool and if interest was positive, expand the tool further.
I will go into further detail as the code base expands. I can confirm that I will be releasing the code as part of a bigger project called WPScan.
14 Responses
This looks very nice, I’ve pretty much standardized on WordPress for my sites, and like it quite a bit, but should hack its security a bit more. I think for version 2.8 or something they recommended not using the ‘admin’ handle, which is good advice anywhere :) shoot a ping out on twitter if you decide to release this tool, I need to get better with Ruby and this sounds like a good one to start with.
@fak3r
the tool works for all version of wordpress ?
regards
tumi kela koti mara
ok if you don’t want to publish so don’t fuck every one to see the video,asshole
@saeid
My code was published.
ax ad skf ael glejc n’wege0 j
who know what is this tool ?
[...] for Linux and essentially looks for any passwords that are only letters. Originally called “WordPress Brute Force Tool,” this is a great tool to use for consulting purposes. By no means should this be used for [...]
I think its best not to give out this code, you will end up with thousands of 13 year old
little kids fucking with a lot of sites.
Im now saying its better than some 30 year old but people that know how to make this kind of code dont use it often.
More so people with the brains to put this together understand what it means to have built something and how hard it can be to build a full site.
So at most they will rip off a few emails to blast or give there sites some links and call it good.
KIDs on the other hand will try to mess up the site and could really hurt someones income.
Just my $0.02
Release the code dude!
Hmmmmmm
Wanna download the code
Probably a bad idea to release this code (as much as I’d enjoy using it).
Too many people would fuck up too many site,
and then how long before there’s a fix for it and your code is useless.
Enjoy it for yourself.
[...] “Wpscan“. The creator of this tool is ethicalhack3r and this is another creation built from WordPress Brute Force Tool. This tool comes pre-installed on this following [...]