If you were able to find that your target has a website, and this website uses WordPress as its content management system, then you can use a tool like WPScan. WPScan is a security scanner used by ethical hackers, penetration testers and security analysts, which is used to identify attack vectors of WordPress sites. You can expect to find information like plugins, names, themes, usernames, and more.

So the first thing you want to do is to go to your OSINT virtual machine and then run the terminal as root. So I'm going to say OSINT, and then I'm going to install the tool by typing apt install wpscan, and then hit enter, and then type Y to continue and hit enter again. Now sometimes the installation is going to get stuck. So what I always like to do is just to hold the Ctrl and C keys to cancel the process, and then use the exact same command again, and then hit enter. And now it's going to continue. So now the tool is installed on our Linux machine.

Now I'm going to run this tool. So using this tool is very simple. You just have to type wpscan like this, and then -h to see all the options that you can use with this tool. And we can see that there are plenty of options that we can use. In my case, I always like to use the enumeration option, which will allow me to extract information from a WordPress website.
And I always like to find the people who are running this website or who are using this website, because I might be able to find usernames and then use a website like WhatsMyName or a tool like Sherlock to identify whether this username has other accounts on the internet. So the main option that you always need to use is the URL. So I'm going to say wpscan --url, and then I'm going to say cyber pseudo.org. So we are going to assume that your target has this website, and you would like to gather information from this website. So I'm going to hit enter.

And now the scan is completed; let's have a look at the information. So here we can see the plugins that are installed on this website. We can see a plugin called WP Security Hardening, and we can see that this tool is up to date. Now let me scroll up. We can see that there is another plugin called Tutor. And you can always go to Google and search for these plugins to get more information about the plugins that are installed. Now let me scroll up again. Here are all the plugins that are installed. We can also see when was the last time this plugin was updated, and sometimes you will see that a plugin is out of date, which might be an attack vector for a penetration tester.
And here you can see the WordPress theme that I'm using. So it's called Sy ARP. And we can see the name of the author. We can also scroll up and see more information, like a URL to register on this website, which might reveal an additional website if you were logged in to this website.

Now, one of my favorite options that I always like to use with WordPress is an option called enumerate. And with this option you can find information about vulnerable plugins, popular plugins, timthumbs, config backups or user IDs. And for me this is very important. So let's try using this switch. So I'm going to use the exact same command that I've used before, and then add -e and then u to find the users that are running this website or publishing on this website. And now the scan is completed and we can see that these users have been identified. So we can see a username called Satyaraj. So what I can do with this information is that I can go to blackboard or WhatsMyName, or use a tool like Sherlock to find whether this username has been used online or not. We can also find the name Satyaraj in the RSS feed.
Now, sometimes when you use this tool, you might get an error code, and the only way to bypass this is by using an option called --random-user-agent, which will generate a new user agent for you and use it to gather information about a specific website.
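Added example, not part of the lesson: a small Python script that reads a WPScan JSON report (written with wpscan -f json -o report.json -e u) and pulls out the two findings the lesson highlights, out-of-date plugins and enumerated usernames, so the site owner can review them. The embedded report is constructed, and the field names it uses (plugins, outdated, latest_version, users) are my assumption about the report layout.

```python
import json
import sys

# Constructed sample shaped like a WPScan JSON report (wpscan -f json -e u).
# The field names are an assumption about the report layout, not from the video.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.com/",
    "main_theme": {"slug": "example-theme", "version": {"number": "1.2"}},
    "plugins": {
        "wp-security-hardening": {
            "version": {"number": "1.2.3"}, "latest_version": "1.2.3",
            "last_updated": "2023-01-10T00:00:00.000Z", "outdated": False},
        "tutor": {
            "version": {"number": "2.0.0"}, "latest_version": "2.4.0",
            "last_updated": "2023-11-01T00:00:00.000Z", "outdated": True},
        "mystery-plugin": {
            "version": None, "latest_version": "3.1", "outdated": False},
    },
    "users": {"satyaraj": {"id": 1, "found_by": "Rss Generator (Passive Detection)"}},
})


def summarize_report(report_json):
    """Return the findings worth reviewing from a WPScan JSON report:
    out-of-date plugins (the attack vector the lesson points out),
    plugins whose version could not be determined, and the usernames
    an unauthenticated scan was able to enumerate."""
    data = json.loads(report_json)
    outdated, unknown = [], []
    for slug, info in data.get("plugins", {}).items():
        version = info.get("version") or {}      # version may be null
        installed = version.get("number")
        if installed is None:
            unknown.append(slug)                 # needs a manual check
        elif info.get("outdated"):
            outdated.append((slug, installed, info.get("latest_version", "?")))
    return {
        "outdated_plugins": sorted(outdated),
        "unknown_version": sorted(unknown),
        "exposed_users": sorted(data.get("users", {})),
    }


def format_findings(summary):
    """Render the summary as one line per finding for a review ticket."""
    lines = [f"OUTDATED {slug}: {cur} -> {latest}"
             for slug, cur, latest in summary["outdated_plugins"]]
    lines += [f"UNKNOWN-VERSION {slug}" for slug in summary["unknown_version"]]
    lines += [f"EXPOSED-USER {user}" for user in summary["exposed_users"]]
    return lines


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print("\n".join(format_findings(summarize_report(source))))
```

Pipe a real report in with python3 review.py < report.json; with no stdin it runs on the constructed sample.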