
How to install WPScan Vulnerability Scanner for WordPress

Discussion in 'Blogs & CMS usage' started by eva2000, Jan 6, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    28,923
    6,565
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,742
    Local Time:
    11:26 PM
    Nginx 1.13.x
    MariaDB 5.5
    How to install the WPScan vulnerability scanner: a guide for Centmin Mod LEMP stack users who use WordPress. Please read and re-read the following links for a general overview of the install and usage steps, and note the two different methods below for CentOS 6.x and CentOS 7.x installs due to Ruby version requirements.

    Installing WPScan on CentOS 7.2

    This was tested on CentOS 7.2, so I'm not sure if it works on CentOS 6.x; do test on a test server first. Looks like CentOS 6.7 doesn't meet the Ruby 1.9.2+ requirements.
    Code:
    Prerequisites:
    
    Ruby >= 1.9.2 - Recommended: 2.3.0
    Curl >= 7.21 - Recommended: latest - FYI the 7.29 has a segfault
    RubyGems - Recommended: latest
    Git
    I usually set up a dedicated directory for my tools at /root/tools; you can use whatever directory you want. The guide will install wpscan.rb to /root/tools/wpscan/wpscan.rb.
    Code:
    yum -y install gcc ruby-devel rubygem-bundler libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch git
    mkdir -p /root/tools
    cd /root/tools
    git clone https://github.com/wpscanteam/wpscan.git
    cd wpscan
    gem install bundler && bundle install --without test
    

    WPScan install on CentOS 6.x

    CentOS 6.x uses Ruby 1.8.7, which is too old for WPScan, which requires Ruby 1.9.2 or higher, so we can use the rvm tool to manage and install a more recent Ruby 2.3.0.

    Code:
    curl -sSL https://rvm.io/mpapis.asc | gpg -v --import -
    curl -L https://get.rvm.io | bash -s stable
    source /etc/profile.d/rvm.sh
    echo '[[ -s "/etc/profile.d/rvm.sh" ]] && source "/etc/profile.d/rvm.sh"  # This loads RVM into a shell session.' >> ~/.bashrc
    echo $PATH
    rvm requirements
    type rvm | head -1
    RUBYVER=2.3.1
    rvm install ${RUBYVER}
    rvm use ${RUBYVER} --default
    rvm rubygems current
    ruby -v
    Verify the Ruby version:
    Code:
    ruby -v
    ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]
    
    Then install WPScan:

    Code:
    yum -y install gcc ruby-devel rubygem-bundler libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch git
    mkdir -p /root/tools
    cd /root/tools
    git clone https://github.com/wpscanteam/wpscan.git
    cd wpscan
    gem install bundler && bundle install --without test

    Updating WPScan on CentOS

    To update, it is as easy as changing into the /root/tools/wpscan directory and running the commands:
    Code:
    cd /root/tools/wpscan
    git pull
    ruby wpscan.rb --update
    Example:
    Code:
    cd /root/tools/wpscan
    git pull
    Already up-to-date.
    
    ruby wpscan.rb --update
    _______________________________________________________________
            __          _______   _____       
            \ \        / /  __ \ / ____|      
             \ \  /\  / /| |__) | (___   ___  __ _ _ __
              \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
               \  /\  /  | |     ____) | (__| (_| | | | |
                \/  \/   |_|    |_____/ \___|\__,_|_| |_|
    
            WordPress Security Scanner by the WPScan Team
                           Version 2.9
              Sponsored by Sucuri - https://sucuri.net
       @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
    _______________________________________________________________
    
    [i] Updating the Database ...
    [i] Update completed.

    Using WPScan on CentOS

    As per the article outlined above, there are various WPScan scanning options you can run. I ran centmin.sh menu option 22 to auto-install a WordPress blog on a dummy domain = domain1.com, so I will scan that domain1.com for the examples below.

    Quick scan
    Code:
    cd /root/tools/wpscan
    ruby wpscan.rb --url http://domain1.com
    _______________________________________________________________
            __          _______   _____       
            \ \        / /  __ \ / ____|      
             \ \  /\  / /| |__) | (___   ___  __ _ _ __
              \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
               \  /\  /  | |     ____) | (__| (_| | | | |
                \/  \/   |_|    |_____/ \___|\__,_|_| |_|
    
            WordPress Security Scanner by the WPScan Team
                           Version 2.9
              Sponsored by Sucuri - https://sucuri.net
       @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
    _______________________________________________________________
    
    [+] URL: http://domain1.com/
    [+] Started: Tue Jan  5 20:36:38 2016
    
    [+] Interesting header: SERVER: nginx centminmod
    [+] Interesting header: X-POWERED-BY: centminmod
    [+] XML-RPC Interface available under: http://domain1.com/xmlrpc.php
    
    [+] WordPress version 4.4 identified from advanced fingerprinting
    
    [+] WordPress theme in use: responsive - v1.9.7.7
    
    [+] Name: responsive - v1.9.7.7
    |  Latest version: 1.9.7.7 (up to date)
    |  Location: http://domain1.com/wp-content/themes/responsive/
    |  Readme: http://domain1.com/wp-content/themes/responsive/readme.txt
    |  Changelog: http://domain1.com/wp-content/themes/responsive/changelog.txt
    |  Style URL: http://domain1.com/wp-content/themes/responsive/style.css
    |  Referenced style.css: http://domain1.com/wp-content/themes/responsive/core/css/style.css
    |  Theme Name: Responsive
    |  Theme URI: http://cyberchimps.com/responsive-theme/
    |  Description: Responsive Theme is a flexible foundation with fluid grid system that adapts your website to mobi...
    |  Author: CyberChimps.com
    |  Author URI: http://cyberchimps.com
    
    [+] Enumerating plugins from passive detection ...
    [+] No plugins found
    
    [+] Finished: Tue Jan  5 20:36:39 2016
    [+] Requests Done: 41
    [+] Memory used: 8.738 MB
    [+] Elapsed time: 00:00:00
    Vulnerable Wordpress Plugin Scan
    Code:
    cd /root/tools/wpscan
    ruby wpscan.rb --url http://domain1.com --enumerate vp
    _______________________________________________________________
            __          _______   _____       
            \ \        / /  __ \ / ____|      
             \ \  /\  / /| |__) | (___   ___  __ _ _ __
              \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
               \  /\  /  | |     ____) | (__| (_| | | | |
                \/  \/   |_|    |_____/ \___|\__,_|_| |_|
    
            WordPress Security Scanner by the WPScan Team
                           Version 2.9
              Sponsored by Sucuri - https://sucuri.net
       @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
    _______________________________________________________________
    
    [+] URL: http://domain1.com/
    [+] Started: Tue Jan  5 20:37:24 2016
    
    [+] Interesting header: SERVER: nginx centminmod
    [+] Interesting header: X-POWERED-BY: centminmod
    [+] XML-RPC Interface available under: http://domain1.com/xmlrpc.php
    
    [+] WordPress version 4.4 identified from advanced fingerprinting
    
    [+] WordPress theme in use: responsive - v1.9.7.7
    
    [+] Name: responsive - v1.9.7.7
    |  Latest version: 1.9.7.7 (up to date)
    |  Location: http://domain1.com/wp-content/themes/responsive/
    |  Readme: http://domain1.com/wp-content/themes/responsive/readme.txt
    |  Changelog: http://domain1.com/wp-content/themes/responsive/changelog.txt
    |  Style URL: http://domain1.com/wp-content/themes/responsive/style.css
    |  Referenced style.css: http://domain1.com/wp-content/themes/responsive/core/css/style.css
    |  Theme Name: Responsive
    |  Theme URI: http://cyberchimps.com/responsive-theme/
    |  Description: Responsive Theme is a flexible foundation with fluid grid system that adapts your website to mobi...
    |  Author: CyberChimps.com
    |  Author URI: http://cyberchimps.com
    
    [+] Enumerating installed plugins (only ones with known vulnerabilities) ...
    
       Time: 00:00:14 <=================================================================================================================================================================================================> (1253 / 1253) 100.00% Time: 00:00:14
    
    [+] No plugins found
    
    [+] Finished: Tue Jan  5 20:37:42 2016
    [+] Requests Done: 1298
    [+] Memory used: 74.742 MB
    [+] Elapsed time: 00:00:17
    Wordpress user scan by WPScan
    Code:
    cd /root/tools/wpscan
    ruby wpscan.rb --url http://domain1.com --enumerate u
    _______________________________________________________________
            __          _______   _____       
            \ \        / /  __ \ / ____|      
             \ \  /\  / /| |__) | (___   ___  __ _ _ __
              \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
               \  /\  /  | |     ____) | (__| (_| | | | |
                \/  \/   |_|    |_____/ \___|\__,_|_| |_|
    
            WordPress Security Scanner by the WPScan Team
                           Version 2.9
              Sponsored by Sucuri - https://sucuri.net
       @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
    _______________________________________________________________
    
    [+] URL: http://domain1.com/
    [+] Started: Tue Jan  5 20:38:20 2016
    
    [+] Interesting header: SERVER: nginx centminmod
    [+] Interesting header: X-POWERED-BY: centminmod
    [+] XML-RPC Interface available under: http://domain1.com/xmlrpc.php
    
    [+] WordPress version 4.4 identified from advanced fingerprinting
    
    [+] WordPress theme in use: responsive - v1.9.7.7
    
    [+] Name: responsive - v1.9.7.7
    |  Latest version: 1.9.7.7 (up to date)
    |  Location: http://domain1.com/wp-content/themes/responsive/
    |  Readme: http://domain1.com/wp-content/themes/responsive/readme.txt
    |  Changelog: http://domain1.com/wp-content/themes/responsive/changelog.txt
    |  Style URL: http://domain1.com/wp-content/themes/responsive/style.css
    |  Referenced style.css: http://domain1.com/wp-content/themes/responsive/core/css/style.css
    |  Theme Name: Responsive
    |  Theme URI: http://cyberchimps.com/responsive-theme/
    |  Description: Responsive Theme is a flexible foundation with fluid grid system that adapts your website to mobi...
    |  Author: CyberChimps.com
    |  Author URI: http://cyberchimps.com
    
    [+] Enumerating plugins from passive detection ...
    [+] No plugins found
    
    [+] Enumerating usernames ...
    [+] Identified the following 1 user/s:
        +----+--------------------------+--------------------------+
        | Id | Login                    | Name                     |
        +----+--------------------------+--------------------------+
        | 1  | zbllcpiceb8jco0cm8wp1800 | zBlLcPIceb8JcO0cM8wp1800 |
        +----+--------------------------+--------------------------+
    
    [+] Finished: Tue Jan  5 20:38:21 2016
    [+] Requests Done: 55
    [+] Memory used: 9.969 MB
    [+] Elapsed time: 00:00:00

    WPScan Help Options

    Code:
    ruby wpscan.rb --help
    _______________________________________________________________
            __          _______   _____           
            \ \        / /  __ \ / ____|          
             \ \  /\  / /| |__) | (___   ___  __ _ _ __
              \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
               \  /\  /  | |     ____) | (__| (_| | | | |
                \/  \/   |_|    |_____/ \___|\__,_|_| |_|
    
            WordPress Security Scanner by the WPScan Team
                           Version 2.9
              Sponsored by Sucuri - https://sucuri.net
       @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
    _______________________________________________________________
    
    Help :
    
    Some values are settable in a config file, see the example.conf.json
    
    --update                            Update the database to the latest version.
    --url       | -u <target url>       The WordPress URL/domain to scan.
    --force     | -f                    Forces WPScan to not check if the remote site is running WordPress.
    --enumerate | -e [option(s)]        Enumeration.
      option :
        u        usernames from id 1 to 10
        u[10-20] usernames from id 10 to 20 (you must write [] chars)
        p        plugins
        vp       only vulnerable plugins
        ap       all plugins (can take a long time)
        tt       timthumbs
        t        themes
        vt       only vulnerable themes
        at       all themes (can take a long time)
      Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
      If no option is supplied, the default is "vt,tt,u,vp"
    
    --exclude-content-based "<regexp or string>"
                                        Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
                                        You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
    --config-file  | -c <config file>   Use the specified config file, see the example.conf.json.
    --user-agent   | -a <User-Agent>    Use the specified User-Agent.
    --cookie <String>                   String to read cookies from.
    --random-agent | -r                 Use a random User-Agent.
    --follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not
    --batch                             Never ask for user input, use the default behaviour.
    --no-color                          Do not use colors in the output.
    --wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it.
                                        Subdirectories are allowed.
    --wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory.
                                        If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
    --proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
                                        If no protocol is given (format host:port), HTTP will be used.
    --proxy-auth <username:password>    Supply the proxy login credentials.
    --basic-auth <username:password>    Set the HTTP Basic authentication.
    --wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.
    --username | -U <username>          Only brute force the supplied username.
    --usernames     <path-to-file>      Only brute force the usernames from the file.
    --threads  | -t <number of threads> The number of threads to use when multi-threading requests.
    --cache-ttl       <cache-ttl>       Typhoeus cache TTL.
    --request-timeout <request-timeout> Request Timeout.
    --connect-timeout <connect-timeout> Connect Timeout.
    --max-threads     <max-threads>     Maximum Threads.
    --throttle        <milliseconds>    Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
    --help     | -h                     This help screen.
    --verbose  | -v                     Verbose output.
    --version                           Output the current version and exit.
    
    
    Examples :
    
    -Further help ...
    ruby wpscan.rb --help
    
    -Do 'non-intrusive' checks ...
    ruby wpscan.rb --url www.example.com
    
    -Do wordlist password brute force on enumerated users using 50 threads ...
    ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
    
    -Do wordlist password brute force on the 'admin' username only ...
    ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
    
    -Enumerate installed plugins ...
    ruby wpscan.rb --url www.example.com --enumerate p
    
    -Enumerate installed themes ...
    ruby wpscan.rb --url www.example.com --enumerate t
    
    -Enumerate users ...
    ruby wpscan.rb --url www.example.com --enumerate u
    
    -Enumerate installed timthumbs ...
    ruby wpscan.rb --url www.example.com --enumerate tt
    
    -Use a HTTP proxy ...
    ruby wpscan.rb --url www.example.com --proxy 127.0.0.1:8118
    
    -Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
    ruby wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000
    
    -Use custom content directory ...
    ruby wpscan.rb -u www.example.com --wp-content-dir custom-content
    
    -Use custom plugins directory ...
    ruby wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins
    
    -Update the DB ...
    ruby wpscan.rb --update
    
    -Debug output ...
    ruby wpscan.rb --url www.example.com --debug-output 2>debug.log
    
    See README for further information.
     
    Last edited: Jun 29, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    Not sure how accurate the vulnerable plugin report is, as I found on some WP installs they are reporting outdated WP plugin versions, but when I check the actual WP install, the WP plugins are using the latest versions?

    Ah, I overlooked this message, which suggests that if the version of a plugin is not detectable it will print out all vulnerabilities for the plugins it finds:

    Code:
    [!] We could not determine a version so all vulnerabilities are printed out
     
    Last edited: Jan 6, 2016
  3. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    9:26 AM
    latest
    10
    Excellent! Bookmarked! Been looking to install this for a while! Thank you! (y)

    Maybe make this a new Menu item? Possible?
     
    Last edited by a moderator: Jan 6, 2016
  4. eva2000

    eva2000 Administrator Staff Member

    Possibly another one for the official addons vault eventually at centminmod.com/addons.html :)
     
  5. Matt Williams

    Matt Williams WordPress Fanatic

    Wow - I tested a site with the code:
    and it shot the CPU load to 100% on the VPS with the site installed, and the WPScanner is on a different VPS than the site. That's a downfall.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Try passing the thread flag -t XX to lower the number of threads used:
    Code:
    --threads  | -t <number of threads> The number of threads to use when multi-threading requests.
    I think... not sure if WPScan by default uses as many threads as the CPU threads it can detect. So if the WPScan server has 8 threads and the target WP server only has 2 threads, you may overload it???
     
  7. eva2000

    eva2000 Administrator Staff Member

    Now to the other side of WPScan adventures: blocking other folks from scanning your WordPress blogs and only allowing specified IP addresses to scan your WP blogs.

    Set up an nginx map against the user agent variable to blacklist user agents. However, WPScan has a flag to change that user agent ID, so this has limited usefulness.

    The default WPScan user agent:
    Code:
    "WPScan v2.9 (http://wpscan.org)"
    Using the nginx map and nginx geoip modules (installed out of the box for the Centmin Mod LEMP nginx server).

    In the nginx.conf http{} context add a new include file called /usr/local/nginx/conf/wpscan.conf. The final mapping's 3 digit combinations may need tweaking for your needs:
    Code:
        include /usr/local/nginx/conf/wpscan.conf;
    
    and add to /usr/local/nginx/conf/wpscan.conf the following map and geo mappings:
    Code:
       map $http_user_agent $wpscan_bot {
            default                 0;
            "~*WPScan"              1;
       }
    
       map $geoip_country_code $allow_cc {
            default                 0;
            AU                      1;
       }
    
       geo $allow_myips {
            default                 0;
            127.0.0.1               1;
            1.2.3.4                 1;
       }
    
       map $wpscan_bot$allow_cc$allow_myips $allow_wpscan {
            default                 0;
            001                     0;
            011                     0;
            010                     0;
            100                     1;  # block WPScan user agent
            111                     0;  # WPScan from specific country and ip address
            101                     0;  # WPScan from specific ip address
       }
    
    So the 111 combo allows WPScan from AU = Australia + a specifically defined IP address like 127.0.0.1 or 1.2.3.4.

    In the nginx vhost domain.com.conf, in the appropriate location contexts for your setup, and/or in the WordPress include file /usr/local/nginx/conf/wpsecure_${vhostname}.conf (123.08stable) or /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf (123.09beta01 and higher), where ${vhostname} is your site domain name:
    Code:
        if ($allow_wpscan = 1) {
            return 444;
        }
    
    Or in the wpsecure_${vhostname}.conf include file:
    Code:
            location ~* /wp-content/ {
              if ($allow_wpscan = 1) {
                 return 444;
              }
            }
    
    I implemented the latter via the wpsecure_${vhostname}.conf include file and placed the above code at the very bottom of the wpsecure_${vhostname}.conf include file.

    Then I did a test WPScan and checked access.log for domain1.com, and you will see 444 status errors:
    Code:
    wpscanip - - [06/Jan/2016:08:37:27 +0000] "GET /wp-content/plugins/wp-super-cache/README.txt HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:37:27 +0000] "GET /wp-content/plugins/wp-super-cache/Readme.txt HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:37:27 +0000] "GET /wp-content/plugins/wp-super-cache/ReadMe.txt HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:37:27 +0000] "GET /wp-content/plugins/wp-super-cache/README.TXT HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:37:27 +0000] "GET /wp-content/plugins/wp-super-cache/changelog.txt HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:37:27 +0000] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:37:27 +0000] "GET /wp-content/plugins/wp-super-cache/error_log HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    
    Looks like the 403 code is better than 444 in terms of not allowing WPScan to determine the actual plugins installed; 444 still reports the plugin names.

    In the nginx vhost domain.com.conf, in the appropriate location contexts for your setup, and/or in the WordPress include file /usr/local/nginx/conf/wpsecure_${vhostname}.conf, where ${vhostname} is your site domain name:
    Code:
        if ($allow_wpscan = 1) {
            return 403;
        }
    
    Or in the wpsecure_${vhostname}.conf include file:
    Code:
            location ~* /wp-content/ {
              if ($allow_wpscan = 1) {
                 return 403;
              }
            }
    
    Code:
    wpscanip - - [06/Jan/2016:08:51:25 +0000] "GET /wp-content/plugins/wp-limit-login-attempts/readme.txt HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:51:25 +0000] "GET /wp-content/plugins/wp-limit-login-attempts/README.txt HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:51:25 +0000] "GET /wp-content/plugins/wp-limit-login-attempts/Readme.txt HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:51:25 +0000] "GET /wp-content/plugins/wp-limit-login-attempts/ReadMe.txt HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:51:25 +0000] "GET /wp-content/plugins/wp-limit-login-attempts/README.TXT HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:51:25 +0000] "GET /wp-content/plugins/wp-limit-login-attempts/readme.TXT HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    Looks like that configuration only blocks wp-content access for the WPScan vulnerable plugin scan flag, not the basic quick test!

    The quick test still hits other URLs and reports the detected WP plugins' list of vulnerabilities even if it can not determine the version:
    Code:
    ruby wpscan.rb --url http://domain1.com
    Some with 200 and 302 status and others 403 or 444:
    Code:
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET / HTTP/1.1" 200 18931 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-content/plugins HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /readme.html HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-includes/rss-functions.php HTTP/1.1" 500 5 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-content/debug.log HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php.save HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /.wp-config.php.swp HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /%23wp-config.php%23 HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php_bak HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php~ HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php.swp HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.txt HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php.swo HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php.old HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.bak HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.php.orig HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.original HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-config.orig HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-config.old HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-config.save HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /searchreplacedb2.php HTTP/1.1" 404 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-signup.php HTTP/1.1" 302 198 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-content/mu-plugins/ HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-login.php?action=register HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-content/uploads/ HTTP/1.1" 403 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:06 +0000] "GET /feed/ HTTP/1.1" 200 69302 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    Some 404 filenames; you should be careful not to save as or place such files:
    Code:
    wpscanip - - [06/Jan/2016:08:54:04 +0000] "GET /wp-config.original HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-config.orig HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-config.old HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /wp-config.save HTTP/1.1" 404 6193 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [06/Jan/2016:08:54:05 +0000] "GET /searchreplacedb2.php HTTP/1.1" 404 162 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    Quick test with a custom user agent = customscan:
    Code:
    ruby wpscan.rb --url http://domain1.com -a customscan
    This still reported WP Super Cache as installed, maybe due to the 200 status for the request /wp-content/plugins/wp-super-cache/readme.txt and the custom user agent bypassing the nginx 403 block:
    Code:
    wpscanip - - [06/Jan/2016:09:10:19 +0000] "GET /wp-config.old HTTP/1.1" 404 6193 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:19 +0000] "GET /searchreplacedb2.php HTTP/1.1" 404 162 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:19 +0000] "GET /wp-signup.php HTTP/1.1" 302 198 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:19 +0000] "GET /wp-content/mu-plugins/ HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:19 +0000] "GET /wp-login.php?action=register HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:20 +0000] "GET /xmlrpc.php HTTP/1.1" 405 240 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:20 +0000] "GET /wp-content/uploads/ HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:20 +0000] "GET /feed/ HTTP/1.1" 200 69302 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:20 +0000] "GET /feed/rdf/ HTTP/1.1" 200 70485 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:21 +0000] "GET /feed/atom/ HTTP/1.1" 200 70830 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:21 +0000] "GET /wp-content/plugins/wp-super-cache/readme.txt HTTP/1.1" 200 49548 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:21 +0000] "GET /wp-content/plugins/wp-super-cache/changelog.txt HTTP/1.1" 404 162 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:22 +0000] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [06/Jan/2016:09:10:22 +0000] "GET /wp-content/plugins/wp-super-cache/error_log HTTP/1.1" 404 162 "http://domain1.com/" "customscan"
    edit: updated 123.08stable and 123.09beta01 branch code for the default WordPress auto installer's include file /usr/local/nginx/conf/wpsecure_${vhostname}.conf template to make sure denied files are case insensitive: update inc/wpsetup.inc and tools/nvwp.sh · centminmod/centminmod@aa86765 · GitHub

    edit: not sure, but with return 403 on -e vp scans it returns 1000s of WP plugins as installed which are not installed, but if I use a 444 return code for -e vp scans, then it just returns the installed WP plugins but without a detectable version number

    Code:
            location ~* /wp-content/ {
              if ($allow_wpscan = 1) {
                 return 444;
              }
            }
    Code:
    [+] WordPress version 4.4.1 identified from advanced fingerprinting
    
    [+] Enumerating installed plugins (only ones with known vulnerabilities) ...
    
       Time: 00:00:05 <========================================================================> (1253 / 1253) 100.00% Time: 00:00:05
    
    [+] We found 8 plugins:
    
    [+] Name: akismet
    |  Latest version: 3.1.7
    |  Location: http://domain1.com/wp-content/plugins/akismet/
    
    [!] We could not determine a version so all vulnerabilities are printed out
    
    [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
        Reference: https://wpvulndb.com/vulnerabilities/8215
        Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
        Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
    [i] Fixed in: 3.1.5
    Code:
    grep akismet access.log | tail -10
    wpscanip - - [07/Jan/2016:00:29:17 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [07/Jan/2016:00:31:12 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 26 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/README.txt HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/Readme.txt HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/ReadMe.txt HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/README.TXT HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/readme.TXT HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/changelog.txt HTTP/1.1" 403 162 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:00:31:17 +0000] "GET /wp-content/plugins/akismet/error_log HTTP/1.1" 404 162 "http://domain1.com/" "customscan"
    
     
    Last edited: Jun 29, 2016
  8. eva2000

    eva2000 Administrator Staff Member

    Ah, looks like WPScan deems the following as valid HTTP return status codes (wpscan/wp_target.rb at master · wpscanteam/wpscan · GitHub), so return 403 isn't ideal versus 444

    Code:
      # Valid HTTP return codes
      def self.valid_response_codes
        [200, 301, 302, 401, 403, 500, 400]
      end
    
    Readmes seem to be treated as valid if the HTTP status code is not 404 (wpscan/wp_readme.rb at master · wpscanteam/wpscan · GitHub)
    Code:
          unless response.code == 404
            return response.body =~ %r{wordpress}i ? true : false
          end
    So if I set return to 444 instead of 403, WPScan still reports the plugins but just can't find or detect the version (with a custom user agent to bypass nginx blocking)

    Code:
    [+] WordPress version 4.4.1 identified from advanced fingerprinting
    
    [+] Enumerating installed plugins (only ones with known vulnerabilities) ...
    
       Time: 00:00:05 <=================================================================================================================================================================================================> (1253 / 1253) 100.00% Time: 00:00:05
    
    [+] We found 8 plugins:
    
    [+] Name: akismet
    |  Latest version: 3.1.7
    |  Location: http://domain1.com/wp-content/plugins/akismet/
    
    [!] We could not determine a version so all vulnerabilities are printed out
    
    [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
        Reference: https://wpvulndb.com/vulnerabilities/8215
        Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
        Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
    [i] Fixed in: 3.1.5
    Code:
    grep akismet access.log | tail -10
    wpscanip - - [07/Jan/2016:01:04:28 +0000] "GET /wp-content/plugins/akismet/readme.TXT HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:28 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 26 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:32 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:33 +0000] "GET /wp-content/plugins/akismet/readme.TXT HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:34 +0000] "GET /wp-content/plugins/akismet/changelog.txt HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:33 +0000] "GET /wp-content/plugins/akismet/README.txt HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:33 +0000] "GET /wp-content/plugins/akismet/Readme.txt HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:33 +0000] "GET /wp-content/plugins/akismet/ReadMe.txt HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:33 +0000] "GET /wp-content/plugins/akismet/README.TXT HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
    wpscanip - - [07/Jan/2016:03:30:34 +0000] "GET /wp-content/plugins/akismet/error_log HTTP/1.1" 404 162 "http://domain1.com/" "customscan"
    Looks like it's possibly due to the status 200 returned for the directory itself
    Code:
    wpscanip - - [07/Jan/2016:03:30:28 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 26 "http://domain1.com/" "customscan"
    With the default blocked WPScan user agent, WP Super Cache is detected; all other WP plugins aren't detected
    Code:
    [+] WordPress version 4.4.1 identified from advanced fingerprinting
    
    [+] Enumerating installed plugins (only ones with known vulnerabilities) ...
    
       Time: 00:00:05 <=================================================================================================================================================================================================> (1253 / 1253) 100.00% Time: 00:00:05
    
    [+] We found 1 plugins:
    
    [+] Name: wp-super-cache
    |  Latest version: 1.4.7
    |  Location: http://domain1/wp-content/plugins/wp-super-cache/
    
    [!] We could not determine a version so all vulnerabilities are printed out
    
    [!] Title: WP-Super-Cache 1.3 - Remote Code Execution
        Reference: https://wpvulndb.com/vulnerabilities/6623
        Reference: http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
        Reference: http://wordpress.org/support/topic/pwn3d
        Reference: http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
    [i] Fixed in: 1.3.1
    Code:
    tail -200 access.log | grep super-cache
    wpscanip - - [07/Jan/2016:03:37:40 +0000] "GET /wp-content/plugins/wp-super-cache/ReadMe.txt HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [07/Jan/2016:03:37:40 +0000] "GET /wp-content/plugins/wp-super-cache/README.TXT HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [07/Jan/2016:03:37:41 +0000] "GET /wp-content/plugins/wp-super-cache/changelog.txt HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [07/Jan/2016:03:37:41 +0000] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
    wpscanip - - [07/Jan/2016:03:37:41 +0000] "GET /wp-content/plugins/wp-super-cache/error_log HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
     
    Last edited: Jan 7, 2016
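    The posts above show the server-side view of the same probes in access.log and WPScan's valid_response_codes list. The following is an added defender-side example (not code from this thread or from WPScan) that parses nginx combined-format lines like those quoted above, reports which status codes WPScan would count as "plugin present", and flags clients by user agent or by the number of plugin-directory probes. The sample log lines and the probe threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# nginx combined log format, as in the access.log excerpts quoted in this thread
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
PLUGIN_PROBE_RE = re.compile(r'^/wp-content/plugins/(?P<plugin>[^/]+)/')
# WPScan's valid_response_codes from wp_target.rb (quoted in this thread): any of these on a
# plugin directory counts as "present". nginx 444 sends no response at all, so none arrives.
WPSCAN_VALID_CODES = {200, 301, 302, 401, 403, 500, 400}

def parse_line(line):
    # Fields of one combined-format line (status as int), or None if it does not parse
    m = LOG_RE.match(line.strip())
    return dict(m.groupdict(), status=int(m.group('status'))) if m else None

def wpscan_counts_as_present(status):
    # Would WPScan treat this status on a plugin directory as "plugin exists"?
    return status in WPSCAN_VALID_CODES

def summarize_probes(lines, threshold=4):
    # Flag a known WPScan UA, or any (ip, UA) whose plugin-directory probes reach threshold
    clients = defaultdict(lambda: {'probes': 0, 'plugins': set(), 'statuses': defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        pm = PLUGIN_PROBE_RE.match(rec['path']) if rec else None
        if pm is None:
            continue  # unparsable line or not a plugin-directory request
        c = clients[(rec['ip'], rec['ua'])]
        c['probes'] += 1
        c['plugins'].add(pm.group('plugin'))
        c['statuses'][rec['status']] += 1
    flagged = {}
    for (ip, ua), c in clients.items():
        known_ua = 'wpscan' in ua.lower()
        if known_ua or c['probes'] >= threshold:
            flagged[(ip, ua)] = {'probes': c['probes'], 'plugins': sorted(c['plugins']),
                                 'statuses': dict(c['statuses']), 'known_ua': known_ua}
    return flagged

# Constructed sample in the same format as this thread's access.log excerpts
SAMPLE_LOG = """\
wpscanip - - [07/Jan/2016:03:30:28 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 26 "http://domain1.com/" "customscan"
wpscanip - - [07/Jan/2016:03:30:32 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
wpscanip - - [07/Jan/2016:03:30:34 +0000] "GET /wp-content/plugins/akismet/changelog.txt HTTP/1.1" 444 0 "http://domain1.com/" "customscan"
wpscanip - - [07/Jan/2016:03:30:34 +0000] "GET /wp-content/plugins/akismet/error_log HTTP/1.1" 404 162 "http://domain1.com/" "customscan"
wpscanip - - [07/Jan/2016:03:37:41 +0000] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 444 0 "http://domain1.com/" "WPScan v2.9 (http://wpscan.org)"
203.0.113.5 - - [07/Jan/2016:03:40:00 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 26 "http://domain1.com/" "Mozilla/5.0"
""".splitlines()
```

Run `summarize_probes(SAMPLE_LOG)` over a real access.log to see which clients are enumerating plugin directories even when the user agent is not the stock WPScan one; a 200 on the bare directory is exactly the status that leaks plugin presence regardless of what the readme probes return.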
  9. BigIron

    BigIron Member

    49
    10
    8
    Sep 18, 2015
    Ratings:
    +13
    Local Time:
    6:26 AM
    I keep getting this error. As far as I can tell typhoeus is installed properly.

    Code:
    Bundler::GemspecError: Could not read gem at /usr/local/rvm/gems/ruby-2.3.0@wpscan/cache/typhoeus-0.8.0.gem. It may be corrupted.
    An error occurred while installing typhoeus (0.8.0), and Bundler cannot continue.
    Make sure that `gem install typhoeus -v '0.8.0'` succeeds before bundling.
    
     
  10. eva2000

    eva2000 Administrator Staff Member

    Might need to ask the WPScan folks at Issues · wpscanteam/wpscan · GitHub
     
  11. BigIron

    BigIron Member

    On a hunch I simply rm'd typhoeus-0.8.0.gem, ran gem install typhoeus, then re-ran the bundle install and it worked :)
     
  12. John

    John New Member

    5
    1
    3
    Nov 17, 2016
    Ratings:
    +1
    Local Time:
    9:26 PM
    1.10.2
    MariaDB 10.0.28
    Thank you boss for this tutorial on how to install WPScan.
    Working on my CentOS 6.
     
    Last edited: Dec 15, 2016