WEBVTT

00:01.510 --> 00:09.130
WPScan is a very important tool that will discover lots of information about the WordPress platform

00:09.480 --> 00:11.230
you're targeting.

00:11.230 --> 00:18.190
It will give you information about the version installed, the theme used, the vulnerable components employed.

00:18.370 --> 00:26.540
You can as well enumerate the users, and WPScan gives you the ability to brute force into these accounts.

00:26.710 --> 00:33.160
If you use it together with the Nikto application you will be able to assess your web server in a very

00:33.160 --> 00:34.240
good way.

00:34.240 --> 00:43.330
I went to turnkeylinux.org to download a WordPress virtual machine box, so just go here.

00:43.420 --> 00:49.180
Download this virtual machine that is compatible with VMware, install it and follow the wizard in

00:49.180 --> 00:52.890
order to set it up. It's very easy and straightforward.

00:53.020 --> 00:57.650
So the IP of the machine here is 1.104.

00:58.540 --> 01:00.210
I'll go to my Kali machine here.

01:00.250 --> 01:12.460
Open the terminal, let me zoom in, and use the command wpscan --update.

01:14.990 --> 01:19.560
It will update the database, which is a prerequisite to start using the application.

01:19.580 --> 01:28.250
Now the trivial command is to use wpscan --url, then you specify the URL, the domain

01:28.250 --> 01:30.590
name or the IP that you want to attack.

01:30.650 --> 01:36.310
In this case it's 192.168.12.104.

01:36.320 --> 01:39.290
Just hit enter and wait for the results.

01:41.020 --> 01:46.770
So as you can see here, it gave us important information about the server type.

01:46.780 --> 01:56.470
It gave us as well information about, let us see, the name of the theme, so very important.

01:56.490 --> 02:11.550
URLs, and it told us there are no plugins installed and no config backups found. We can append this

02:11.550 --> 02:23.260
command by using the -e switch, which is enumerate, and we can tell it to enumerate u, which means users.

02:23.260 --> 02:33.110
So now the scanner will start over and it will attempt to enumerate the users, as you can see here.

02:33.190 --> 02:38.080
It has identified one user, which is the admin user.

02:38.080 --> 02:41.380
Now let me show you what WPScan can enumerate.

02:49.210 --> 02:57.800
If you search here for the -e switch, it can enumerate vulnerable plugins, vulnerable themes, DB exports

02:58.610 --> 03:01.550
and users.

03:01.550 --> 03:07.400
So with the use of different switches you'll be able to get more information about that.

03:07.430 --> 03:12.100
Now we have a very important piece of information, which is the admin username.

03:12.110 --> 03:19.950
Now we will try to brute force this admin username. For this case I've created a simple wordlist here.

03:19.950 --> 03:28.850
It's wordlist.txt, but in your case, if you're doing a real-world attack, you can go here to

03:28.970 --> 03:30.860
wpwhitesecurity.com.

03:30.860 --> 03:40.100
Go to this thing here and download the zip file, which has over a million passwords related to WordPress.

03:42.010 --> 03:43.000
Just click on that.

03:44.510 --> 03:46.070
Millions of passwords.

03:46.130 --> 03:48.170
Which is very useful.

03:48.170 --> 04:00.020
You can as well use the Q wordlist and the door code wordlists as well, which have more than 40 million

04:00.230 --> 04:01.020
passwords.

04:01.250 --> 04:07.700
Now, using this wordlist of passwords that I've created, I'll just append my command here.

04:07.700 --> 04:12.760
I'll use the switch -P and specify the wordlist

04:17.020 --> 04:17.680
location.

04:20.140 --> 04:22.050
And then I use the switch -U.

04:22.360 --> 04:27.790
You can specify the username, which is admin.

04:27.950 --> 04:35.460
You can as well set the number of threads, which are parallel attempts to try to brute force onto the

04:35.460 --> 04:39.840
I can press enter and wait for the magic.

04:43.210 --> 04:50.770
As you can see here, it's performing password attacks. It has identified the password, which is the complex

04:50.770 --> 04:52.870
password for the user admin.

04:57.040 --> 05:05.980
In order to prevent against user enumeration, try to avoid using usernames as nicknames, because WPScan,

05:05.980 --> 05:06.960
as you saw,

05:07.030 --> 05:12.700
identifies usernames from the URLs used. And in order to prevent against password

05:12.700 --> 05:13.800
brute force attacks,

05:13.810 --> 05:19.960
just try to use some security plugins that will limit login attempts for certain usernames and IP

05:19.960 --> 05:21.080
addresses.

05:21.100 --> 05:25.230
Also make sure to set a password lockout or the account lockout time.

05:25.240 --> 05:27.920
Now let's do a scan for a real website

05:28.000 --> 05:37.560
using WordPress which is out there, try to enumerate the users, and let me check this out here.

05:41.680 --> 05:48.000
So this is a real website that is hosted on the Internet.

05:48.230 --> 05:55.300
We just want to show you that it doesn't only work for the default installation of WordPress, but this

05:55.300 --> 06:03.560
tool is very powerful and it can work on any WordPress installation. nginx is the server, the location

06:03.560 --> 06:07.250
of the robots.txt file, and some more.

06:07.640 --> 06:10.610
And this site has Must Use plugins.

06:10.610 --> 06:17.630
This is the link to the plugins. The website's uploads directory has listing enabled, so if you go

06:17.630 --> 06:22.010
to this link here you'll be able to browse files.

06:22.010 --> 06:25.190
The version found is 4.9.8.

06:25.190 --> 06:33.080
Here is some information about the WordPress theme used, and here is the information about the users. And

06:33.080 --> 06:42.250
in fact it has identified one user, which is not the admin default user, and the time taken is one minute.

06:42.540 --> 06:43.960
Now that you have this username,

06:43.960 --> 06:50.500
you can try to brute force it, but I don't advise you to do that on websites that you don't own.

06:50.500 --> 06:52.930
Just try to keep this ethical.
