Install WPScan on Ubuntu 20.04

This tutorial will take you through how to install WPScan on Ubuntu 20.04. WPScan is a WordPress security scanner which enables security professionals and wordpress sites owners to scan their WordPress sites to try and find any security loopholes.

Installing WPScan on Ubuntu 20.04

Prerequisites

Run System Update

Before you can start to install WPScan, ensure that your package cache is up-to-date.

apt update
apt upgrade

Install Required Package Dependencies

Run the command below to install all package dependencies for WPScan.

apt install curl git libcurl4-openssl-dev make zlib1g-dev \
gawk g++ gcc libreadline6-dev libssl-dev libyaml-dev \
liblzma-dev autoconf libgdbm-dev libncurses5-dev automake \
libtool bison pkg-config ruby ruby-bundler ruby-dev libsqlite3-dev sqlite3 -y

Install Ruby Version Manager

gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

\curl -sSL https://get.rvm.io | bash -s stable --ruby

Install Nogiri, an is an HTML, XML, SAX, and Reader parser.

gem install nokogiri

Installing WPScan on Ubuntu 20.04

There are multiple ways in which you can install WPScan;

1. Install WPScan From RubyGems
2. Install WPScan from Sources – this method is not recommended

Install WPScan From RubyGems on Ubuntu 20.04

Installing from RubyGems is the recommended method of installing WPScan. Once you have all the requirements above in place, simply execute the command below to install WPScan from RubyGems;

gem install wpscan

To uninstall it, simply execute;

gem uninstall wpscan

Install WPScan From Sources

Installation of WPScan from sources is not recommended. If you want to go this route, then to install WPScan from sources, clone its Github repository.

git clone https://github.com/wpscanteam/wpscan

Next, navigate to WPScan directory and run the commands below to do the installation.

cd wpscan/

bundle install

rake install

It may take some few mins to complete the installation. If the installation is successful, you should see an output similar to;

...
Finished in 58.84 seconds (files took 31.06 seconds to load)
6928 examples, 0 failures, 46 pending

Coverage report generated for RSpec to /root/wpscan/coverage. 1961 / 2295 LOC (85.45%) covered.
wpscan 3.8.1 built to pkg/wpscan-3.8.1.gem.
wpscan (3.8.1) installed.

Installation of WPScan on Ubuntu 20.04 is done;

wpscan --version

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Current Version: 3.8.1

Using WPScan to scan WordPress Sites

You can simply run scans using WPScan command, wpscan. To obtain a description of various command line options used with WPScan, run wpscan command with -h/--help option;

wpscan -h

A few example usage of wpscan has been provided in this guide on how to perform WordPress blog vulnerability scanning. Note that it is illegal to scan other people’s sites. Be sure to scan your own site.

Scan the whole WordPress blog

For example, to scan our demo site, wp.kifarunix-demo.com,

wpscan --url wp.kifarunix-demo.com

...
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://wp.kifarunix-demo.com/ [192.168.2.144]
[+] Started: Thu Apr 30 19:00:41 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://wp.kifarunix-demo.com/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
...
[+] Finished: Thu Apr 30 19:00:45 2020
[+] Requests Done: 66
[+] Cached Requests: 5
[+] Data Sent: 14.158 KB
[+] Data Received: 14.945 MB
[+] Memory used: 201.273 MB
[+] Elapsed time: 00:00:03

WPScan can scan both http and https protocols. If not specified, it will scan http by default.

Note that current versions of WPScan do not display site vulnerabilities. To be able to get vulnerability data, you need to sign up at https://wpvulndb.com.

Once you register, you will get an API token which you can use during scanning. Replace the API_KEY with your API token key.

wpscan --url http://wp.kifarunix-demo.com --api-token API_KEY

If you want to save the scanner output results in a file, use the -o/--output option.

wpscan --url http://wp.kifarunix-demo.com -o scan-test --api-token API_KEY

There are three detection modes in which wpscan can run against a WordPress site; passive, aggressive, mixed(default).

• The passive mode runs a non-intrusive detection i.e it sents a few requests to the server. It commonly scans the home page for any vulnerability. The passive mode is less likely to be detected by IDS/IPS solutions.
• The aggressive mode on the other hand performs a more intrusive scan as it sents a thousand request to the server. It tries all the possible plugins even if the plugin has no known vulnerabilities linked to it. This may result in an increased load on the target server.
• The mixed(default) mode uses a mixture of both aggressive and passive.

To specify detection mode;

wpscan --url wp.kifarunix-demo.com -o scan-results --detection-mode aggressive --api-token API_KEY

Check for Vulnerable Plugins

To scan for vulnerable plugins on your WordPress blog, pass the -e/--enumerate [OPTS] option to the wpscan command where [OPTS] can be; vp (vulnerable plugins), ap (all plugins), p (plugins). For example to scan for every plugin which has vulnerabilities linked to it,

wpscan --url wp.kifarunix-demo.com -e vp --api-token API_KEY

Check for Vulnerable Themes

Just like we used the -e/--enumerate [OPTS] option to check for vulnerable plugins, the same can be done when checking for vulnerable themes with the [OPTS] being any of the following; vt (Vulnerable themes), at (All themes), t (Themes). For example to scan for themes with known vulnerabilities;

wpscan --url wp.kifarunix-demo.com -e vt --api-token API_KEY

Enumerate WordPress Users

To find out the users that can login to WordPress site, you would pass the -e/--enumerate u option to wpscan where u basically means the user IDs.

wpscan --url wp.kifarunix-demo.com -e u --api-token API_KEY

Test for Password Strength/Bruteforce Attack against a WordPress User

Once you have enumerated the usernames, you can try to perform a brute-force attack again them as shown below. This process may be a bit slower depending on the number of passwords specified in the password file (-P, --passwords FILE-PATH) and number of threads (-t, --max-threads VALUE) you are using. For example to brute-force an admin,

wpscan --url wp.kifarunix-demo.com -P password-file.txt -U admin -t 50 --api-token API_KEY

To test for password strength for multiple users, you would use the same command above this time round without the specific username specified.

wpscan --url wp.kifarunix-demo.com -P password-file.txt -t 50

Run WordPress scan in undetectable mode

To run wpscan in a stealthy mode which basically means (--random-user-agent --detection-mode passive --plugins-version-detection passive), specify the --stealthy option.

wpscan --url wp.kifarunix-demo.com --stealthy

That is all about how to install WPScan. Feel free to explore this useful tool.

You can read more on their Github page.

Relates Tutorials

Install latest WordPress with LAMP Stack on Ubuntu 20.04

Install and Setup GVM 11 on Ubuntu 20.04

Install and Setup DVWA on CentOS 8