WPSeku – WordPress Security Scanner


In a previous article we looked at a great tool that analyses the security of our web applications, WAScan.

Today, from the same developer (m4ll0k), I present the security scanner he has created: WPSeku.

WPSeku is a variant of WAScan, but aimed exclusively at checking the security of an environment or website running on WordPress. Its advantage is that we can scan our remote WordPress installations and identify their security problems.

Installing and using it is simple; let's take a look.


Installing WPSeku – WordPress Security Scanner

Clone the repo.

git clone https://github.com/m4ll0k/WPSeku.git wpseku

Go into the directory.

cd wpseku

Install the dependencies.

pip3 install -r requirements.txt

If a message similar to this one appears...

You are using pip version 9.0.1, however version 9.0.3 is available.

update pip (the pip3 that installed the requirements, so the upgrade lands in the same Python 3 environment).

pip3 install --upgrade pip

As you can see, installation is quick; let's move on to using it.


Using WPSeku – WordPress Security Scanner

The base command is:

python3 wpseku.py

But of course, the command above does not scan any URL, so we add options so that it examines a website.

I should point out that in this example the command is not especially intrusive and does not perform any brute force.

python3 wpseku.py --url https://www.tusitio.com --verbose


Example output...

----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - WordPress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Target: https://www.tusitioweb.com
[ + ] Starting: 10:38:47

[ + ] Server: nginx
[ + ] Uncommon header "content-type" found, with contents: text/html; charset=UTF-8
[ + ] Uncommon header "date" found, with contents: Thu, 05 Apr 2018 07:38:47 GMT
[ + ] Uncommon header "connection" found, with contents: keep-alive
[ + ] Uncommon header "last-modified" found, with contents: Tue, 03 Apr 2018 10:14:30 GMT
[ + ] Uncommon header "x-powered-by" found, with contents: PHP/7.2.4
[ + ] Uncommon header "content-length" found, with contents: 10038
[ + ] Uncommon header "keep-alive" found, with contents: timeout=60
[ + ] Uncommon header "server" found, with contents: nginx
[ + ] Uncommon header "cache-control" found, with contents: max-age=0
[ + ] Uncommon header "content-encoding" found, with contents: gzip
[ + ] Uncommon header "expires" found, with contents: Thu, 05 Apr 2018 07:38:47 GMT
[ + ] Uncommon header "vary" found, with contents: Accept-Encoding

etc…….etc………..
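The interesting part of that output, from a hardening point of view, is not that the headers are "uncommon" but what some of them give away: "x-powered-by: PHP/7.2.4" tells any visitor the exact PHP version, and "server: nginx" names the web server. The following script is an added example (it is not part of WPSeku and not the author's code): it parses lines in the format the scanner prints, separates the headers that disclose software or versions from the harmless ones, and lists the hardening headers a WordPress front end usually ought to send but which are absent. The input text is constructed for the example; the header names in DISCLOSING and EXPECTED are my own choice.

```python
import re

# Constructed sample in the format WPSeku prints; these are not real scan
# results, just lines shaped like the example output above.
SAMPLE_OUTPUT = """\
[ + ] Target: https://www.tusitioweb.com
[ + ] Server: nginx
[ + ] Uncommon header "x-powered-by" found, with contents: PHP/7.2.4
[ + ] Uncommon header "server" found, with contents: nginx
[ + ] Uncommon header "content-type" found, with contents: text/html; charset=UTF-8
[ + ] Uncommon header "cache-control" found, with contents: max-age=0
"""

# Accepts straight, curly and guillemet quotes, since copy/paste from a blog
# often rewrites the quote characters.
HEADER_RE = re.compile(
    r'Uncommon header [«"\'“]([^»"\'”]+)[»"\'”] found, with contents: (.*)$'
)

# Headers whose value tells the world which software (and version) you run.
DISCLOSING = {"x-powered-by", "server", "x-generator", "x-aspnet-version"}

# Hardening headers a public WordPress site is normally expected to send.
EXPECTED = {
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
}


def parse_headers(output):
    """Return {header-name: value} for every 'Uncommon header' line."""
    headers = {}
    for line in output.splitlines():
        m = HEADER_RE.search(line)
        if m:
            headers[m.group(1).strip().lower()] = m.group(2).strip()
    return headers


def assess(headers):
    """Split the parsed headers into disclosure findings and missing hardening headers.

    Returns (findings, missing) where findings is a sorted list of
    (name, value, severity) tuples and missing is a sorted list of names.
    """
    findings = []
    for name in sorted(DISCLOSING & set(headers)):
        value = headers[name]
        # A dotted number in the value means a concrete version is exposed.
        severity = "version disclosure" if re.search(r"\d+\.\d+", value) else "product disclosure"
        findings.append((name, value, severity))
    missing = sorted(EXPECTED - set(headers))
    return findings, missing


if __name__ == "__main__":
    found, absent = assess(parse_headers(SAMPLE_OUTPUT))
    for name, value, severity in found:
        print(f"[!] {severity}: {name}: {value}")
    for name in absent:
        print(f"[-] missing hardening header: {name}")
```

To use it on a real run, pipe the scanner output into a file (for example with --log) and call parse_headers() on the file contents. The fix for the two findings lives on the server, not in WordPress: expose_php = Off in php.ini removes X-Powered-By, and server_tokens off in nginx drops the version from the Server header.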


You can also test the strength of your own password by supplying a wordlist file.

python3 wpseku.py --url https://www.tusitio.com --brute --user prueba --wordlist wl.txt --verbose


Now we check the WordPress code, plugins and templates.

python3 wpseku.py --scan <dir/file> --verbose

As you can see, there are countless possibilities, and to help you with them you can use the following arguments:
--update                            Update the database to the latest version.
--url       | -u <target url>       The WordPress URL/domain to scan.
--force     | -f                    Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]        Enumeration.
  option :
    u        usernames from id 1 to 10
    u[10-20] usernames from id 10 to 20 (you must write [] chars)
    p        plugins
    vp       only vulnerable plugins
    ap       all plugins (can take a long time)
    tt       timthumbs
    t        themes
    vt       only vulnerable themes
    at       all themes (can take a long time)
  Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
  If no option is supplied, the default is "vt,tt,u,vp"

--exclude-content-based "<regexp or string>"
                                    Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
                                    You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file  | -c <config file>   Use the specified config file, see the example.conf.json.
--user-agent   | -a <User-Agent>    Use the specified User-Agent.
--cookie <string>                   String to read cookies from.
--random-agent | -r                 Use a random User-Agent.
--follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch                             Never ask for user input, use the default behaviour.
--no-color                          Do not use colors in the output.
--log [filename]                    Creates a log.txt file with WPScan's output if no filename is supplied. Otherwise the filename is used for logging.
--no-banner                         Prevents the WPScan banner from being displayed.
--disable-accept-header             Prevents WPScan sending the Accept HTTP header.
--disable-referer                   Prevents setting the Referer header.
--disable-tls-checks                Disables SSL/TLS certificate verification.
--wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specify it.
                                    Subdirectories are allowed.
--wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory.
                                    If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
                                    If no protocol is given (format host:port), HTTP will be used.
--proxy-auth <username:password>    Supply the proxy login credentials.
--basic-auth <username:password>    Set the HTTP Basic authentication.
--wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.
                                    If the "-" option is supplied, the wordlist is expected via STDIN.
--username | -U <username>          Only brute force the supplied username.
--usernames     <path-to-file>      Only brute force the usernames from the file.
--cache-dir       <cache-directory> Set the cache directory.
--cache-ttl       <cache-ttl>       Typhoeus cache TTL.
--request-timeout <request-timeout> Request Timeout.
--connect-timeout <connect-timeout> Connect Timeout.
--threads  | -t <number of threads> The number of threads to use when multi-threading requests.
--throttle        <milliseconds>    Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
--help     | -h                     This help screen.
--verbose  | -v                     Verbose output.
--version                           Output the current version and exit.


I recommend that you visit this page, where you can keep up to date with all the vulnerabilities found in WordPress, as well as in its plugins and templates.

Remember that this "Security Scanner" is for private use and on your own system.