enumeration

1. Basic WordPress Identification

Perform initial checks to confirm if a website is running WordPress.

curl -s http://blog.inlanefreight.local/robots.txt  # Check for disallowed paths
curl -s http://blog.inlanefreight.local/wp-admin/  # Observe redirection behavior
curl -s http://blog.inlanefreight.local/wp-content/plugins/  # Check for plugin directory
curl -s http://blog.inlanefreight.local/wp-content/themes/  # Check for theme directory

2. WordPress Version and Theme Enumeration

Identify the WordPress version and active themes.

curl -s http://blog.inlanefreight.local | grep -i "WordPress"  # Check for version details
curl -s http://blog.inlanefreight.local/ | grep -i "themes"  # Identify themes
curl -s http://blog.inlanefreight.local/wp-content/themes/transport-gravity/style.css  # Check theme stylesheet
curl -s http://blog.inlanefreight.local/wp-content/themes/transport-gravity/readme.txt  # Check theme readme

3. Plugin Enumeration

Discover installed plugins which may have known vulnerabilities.

curl -s http://blog.inlanefreight.local/ | grep -i "plugins"
curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/readme.txt  # Check for version info
curl -s http://blog.inlanefreight.local/?p=1 | grep -i "plugins"  # Look for references in page content

4. User Enumeration (Manual)

Detect valid usernames using login response differences.

curl -s -I http://blog.inlanefreight.local/wp-login.php -d "log=admin&pwd=invalid"  # Check response for valid user
curl -s -I http://blog.inlanefreight.local/wp-login.php -d "log=invalid&pwd=invalid"  # Check response for invalid user

5. WPScan Enumeration

Use WPScan for automated WordPress enumeration.

sudo gem install wpscan
wpscan -h
sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token YOUR_API_TOKEN

WPScan Advanced Enumeration

sudo wpscan --url http://blog.inlanefreight.local --enumerate u,p,t  # Enumerate users, plugins, and themes

WPScan Brute-force Attack

sudo wpscan --url http://blog.inlanefreight.local --passwords /usr/share/wordlists/rockyou.txt --usernames admin,john

WPScan with Proxy

sudo wpscan --url http://blog.inlanefreight.local --proxy 127.0.0.1:8080

6. XML-RPC Checks

Check if XML-RPC is enabled, which can be exploited for brute-force attacks.

curl -i http://blog.inlanefreight.local/xmlrpc.php

XML-RPC Exploitation

Check if system.multicall can be used for brute-force attacks.

curl -X POST -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' http://blog.inlanefreight.local/xmlrpc.php

7. Additional Security Checks

Robots.txt Insights

Identify restricted areas and test for misconfigurations.

curl -s http://blog.inlanefreight.local/robots.txt | grep "Disallow"

Test if restricted files are still accessible:

curl -s http://blog.inlanefreight.local/wp-config.php

Page Source Analysis

Extract useful information such as API keys and endpoints.

curl -s http://blog.inlanefreight.local | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*"

Detect Open Directory Listings

curl -s http://blog.inlanefreight.local/wp-content/uploads/

Previousabuse Nextfinding

Last updated 1 day ago

hashtag1. Basic WordPress Identification

hashtag2. WordPress Version and Theme Enumeration

hashtag3. Plugin Enumeration

hashtag4. User Enumeration (Manual)

hashtag5. WPScan Enumeration

hashtagWPScan Advanced Enumeration

hashtagWPScan Brute-force Attack

hashtagWPScan with Proxy

hashtag6. XML-RPC Checks

hashtagXML-RPC Exploitation

hashtag7. Additional Security Checks

hashtagRobots.txt Insights

hashtagPage Source Analysis

hashtagDetect Open Directory Listings