» » » Penetration Test For Wordpress Websites
Monday, November 18, 2013




How to do Penetration Test for  WordPress Website :-
How-to-do-Penetration-Test-for--WordPress-Website

Penetration testing is process of evaluating the security of Computer system or network System by simulating an attack .In this article i am going to show you How to perform penetration test for WordPress website with Kali Linux.


Navigate to Applications > Kali Linux > Web Applications > CMS identification > select wpscan .
How-to-do-Penetration-Test-for--WordPress-Website1
or enter the following command on the Terminal root@kali:~#wpscan -h


How-to-do-Penetration-Test-for--WordPress-Website1


1. Check the Installed Plugins :-
Open the Terminal and enter the following command
root@Kali:~# ruby /user/bin/wpscan  - – url www.example.com –enumerate p
In this test, i performed this test on the one of the most popular computer education site to check the installed plugins. WP-Scan found the 15 active plugins.

How-to-do-Penetration-Test-for--WordPress-Website1

2. Check the Running WordPress version :-
Open the terminal and enter the following command
 root@Kali:~# ruby /user/bin/wpscan – - url www.yourtargetsite.com 
it detects the WordPress version running on a site is 3.6.1 .

How-to-do-Penetration-Test-for--WordPress-Website1

3. Finding Username :-
Open the Terminal and enter the following command to enumerate the Username of WordPress site.
root@Kali:~# ruby /user/bin/wpscan  - – url www.yourtargetsite.com - – enumerate u
As you seen in the below image, it,s find out two users on the WordPress site.

How-to-do-Penetration-Test-for--WordPress-Website1

4. Perform Brute-force attack on “admin ” User only :-
Open the terminal and enter the following command to perform Brute force attack on the admin user.
root@Kali:~# ruby /user/bin/wpscan  - – url www.yourtargetsite.com - -wordlist yourwordlist.txt – -username admin


5. Brute Force attack on Enumerated User :-
Open the terminal and enter the following command
root@Kali:~# ruby /user/bin/wpscan  - – url www.yourtargetsite.com - -wordlist yourwordlist.txt – -threads 50


6. Use HTTP and Socks 5 Proxy during Pen-testing :-
To use a HTTP Proxy enter the following command :-
root@Kali:~# ruby /user/bin/wpscan  - – url www.yourtargetsite.com - -proxy 17.0.0.1:8118
To use a Socks 5 proxy ( cURL >= v7.21.7 needed )
root@Kali:~# ruby /user/bin/wpscan  - – url www.yourtargetsite.com - -proxy socks5://127.0.0.1:9000

If you want to test other CMS application on your Local machine.
Open your web browser and visit the Turnkey Linux website at http://www.
turnkeylinux.org
There are many applications listed here, and I would recommend trying them all
so that you can find vulnerabilities and test your skills against these applications;
however, for this recipe, we will examine WordPress. In the Instant Search box,
type WordPress:-

How-to-do-Penetration-Test-for--WordPress-Website1
On the WordPress download page, select the ISO image and once the download
completes, follow the instructions in the Getting comfortable with VirtualBox recipe
to install the Turnkey Linux WordPress virtual machine:


How-to-do-Penetration-Test-for--WordPress-Website1


 Enjoy :)



Posted by at 9:57 PM
Labels: ,

0 comments :

Post a Comment

Subscribe to: Post Comments ( Atom )