
  • admin panel brute force attack

    wpbf


    wpbf will test if your WordPress blog is hard to bruteforce or if the passwords used are weak and need to be changed. Easy and quick, it lets you remotely audit your WordPress blogs and provides information about weak passwords, usernames and plugins.


    Features
    Bruteforce using a dictionary file (a small and effective one is provided)
    Threading for speed boost of the bruteforce tasks
    HTTP Proxy Support
    Username enumeration/detection (TALSOFT-2011-0526 with fallback to author's archive page and content parsing)
    Fetching keywords from the blog's content and using them in the password list
    WordPress version fingerprint
    Detection of known and unknown plugins (including Login LockDown, which makes the bruteforce useless)
    WordPress remote path detection
    Advanced logging (with its own configuration file) using Python's logging library


    Download

    You can download this project in either zip or tar formats or clone the project from our GitHub repository by running:


    $ git clone git://github.com/atarantini/wpbf

    Install

    The only dependency needed to run wpbf is Python 2.6+, which already comes installed with most serious operating systems. Uncompress the downloaded file into any directory and execute it using ./wpbf:
    $ ./wpbf

    Usage


    Basic
    In this example, wpbf will do a bruteforce test using the default settings (you can change the default settings in config.py). It will enumerate usernames, find keywords and plugins, use the static+generated wordlist to bruteforce each user, and try to guess the remote path:
    $ ./wpbf.py http://localhost/wordpress/
    2012-02-26 14:26:18,793 - INFO - Target URL: http://localhost/wordpress/
    2012-02-26 14:26:18,844 - INFO - Checking URL and username...
    2012-02-26 14:26:18,845 - INFO - Enumerating users...
    2012-02-26 14:26:52,027 - INFO - Usernames: admin, test, guest
    2012-02-26 14:26:54,153 - INFO - 31 plugins will be tested
    2012-02-26 14:26:55,311 - INFO - 215 passwords will be tested
    2012-02-26 14:26:55,369 - INFO - Starting workers...
    2012-02-26 14:26:56,685 - INFO - WordPress version: 3.0.1
    2012-02-26 14:26:57,570 - INFO - WordPress path in server: /var/www/wordpress/
    2012-02-26 14:27:08,624 - INFO - Plugin 'akismet' was found
    2012-02-26 14:27:10,292 - INFO - Plugin 'akismet' version: 2.5.5 (more info @ http://localhost/wordpress/wp-content/plugins/akismet/readme.txt)
    221 tasks left / 2.1 tasks per second / 1.76min left
    199 tasks left / 2.2 tasks per second / 1.51min left
    172 tasks left / 2.7 tasks per second / 1.06min left
    21 tasks left / 1.6 tasks per second / 0.22min left
    2012-02-26 14:57:23,245 - INFO - Password 'qawsed' found for username 'admin' on http://localhost/wordpress/wp-login.php
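
On the server side, an audit run like the one above appears in the web access log as a series of author-archive requests followed by rapid POSTs to wp-login.php. The script below is an added example, not part of wpbf or of the original post, that flags both patterns per client IP. The combined log format, the `?author=N` request form, the 302-on-successful-login convention, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed combined log format: client IP, [timestamp], "METHOD path proto", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
AUTHOR_ENUM = re.compile(r'[?&]author=\d+')  # author-archive lookups by numeric ID

def detect(lines, max_logins=5, window=timedelta(seconds=60), max_authors=2):
    """Return {ip: set of findings}; lines are assumed chronological per client."""
    logins = defaultdict(deque)    # ip -> timestamps of login POSTs inside the window
    authors = defaultdict(set)     # ip -> distinct author URLs requested
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue               # ignore lines that are not in the assumed format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            q = logins[ip]
            q.append(when)
            while when - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) > max_logins:
                findings[ip].add("login-bruteforce")
                if status == "302":       # assumed: redirect means the login succeeded
                    findings[ip].add("success-after-flood")
        elif AUTHOR_ENUM.search(path):
            authors[ip].add(path)
            if len(authors[ip]) > max_authors:
                findings[ip].add("user-enumeration")
    return dict(findings)

# Constructed sample log lines (documentation IP ranges, not real traffic).
T0 = datetime(2012, 2, 26, 14, 26, 20, tzinfo=timezone.utc)
def _line(ip, offset, method, path, status):
    ts = (T0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'

SAMPLE = (
    [_line("203.0.113.7", i, "GET", f"/wordpress/?author={i}", 301) for i in (1, 2, 3)]
    + [_line("203.0.113.7", 10 + i, "POST", "/wordpress/wp-login.php", 200) for i in range(7)]
    + [_line("203.0.113.7", 17, "POST", "/wordpress/wp-login.php", 302)]
    + [_line("198.51.100.4", 0, "POST", "/wordpress/wp-login.php", 200),   # one mistyped
       _line("198.51.100.4", 300, "POST", "/wordpress/wp-login.php", 302)] # then a normal login
)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A "success-after-flood" finding means a login was accepted while the same client was still over the attempt threshold, so that account's password should be treated as guessed and changed.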
    Username enume