Today we’re going to learn how to brute force WordPress logins in five different ways, one per tool:
- WPScan
- Burp Suite
- OWASP ZAP
- Nmap
- Metasploit
Let’s get started!
Brute Force WordPress Site Using WPScan
WPScan is a WordPress security scanner that comes pre-installed in Kali Linux. It scans a site for known vulnerabilities and gathers information about plugins, themes and the like.
To brute force you need a good wordlist. If you’re doing a CTF, the well-known rockyou.txt is a good choice.
wpscan --url http://internal.thm/blog/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin -v --random-user-agent --max-threads 50 --proxy socks5://127.0.0.1:9050
Brute Force WordPress Site Using Burp Suite
If you have the free version of Burp Suite, Intruder only uses one thread, so the attack will take ages to complete; you have to upgrade to the paid edition to use it at full speed.
Let’s get started.
You have to set up the Burp Suite proxy in your browser in order to capture the POST data; you can do that by going to Settings > Preferences > Advanced > Network.
Now select Manual proxy configuration, type your localhost address in the HTTP Proxy field, set the port to 8080 and click OK.
Turn on interception, then type any password you guess so that Burp Suite can capture the request. Look at the image and notice the last line of the captured data: it shows that I tried to log in with admin:admin as username and password respectively.
Send the captured request to Intruder by right-clicking in the request area and choosing Send to Intruder, or simply press Ctrl+I.
Now go to the Positions tab.
Here, select all of the POST data and click Clear first.
Then highlight the admin:admin values and click Add to mark the positions for our username and password payloads.
After that, change the attack type to Cluster bomb.
Now that we have added our payload positions and changed the attack type to Cluster bomb, click on the Payloads tab.
Payload set 1
This payload set is for the username. If you don’t know the target site’s username, you can add your own wordlist here as well; clicking Load lets you load a wordlist from its path.
Payload set 2
This payload set is for the passwords. You can add custom words as new items, or load a custom wordlist by clicking Load.
Now that we’re done with the payloads, start the attack by clicking the “Start attack” button.
Brute Force WordPress Site Using OWASP ZAP
We have to install OWASP ZAP, since it doesn’t come pre-installed on Kali Linux.
To get started with OWASP ZAP, set up the browser proxy just like we did for Burp Suite.
Now we’re going to capture some POST data.
Highlight the value “admin” in pwd=admin, right-click and choose Fuzz; this opens a new window.
When you click Fuzz, a new ‘Fuzzer’ window opens. Click the Add button on the left of the frame; that opens another window where you add a payload. Click Select and choose your dictionary for the attack.
Click Add again, then click Start Fuzzer.
When the attack finishes, you can spot the correct credential by checking the State and Size Resp. Header columns, which will differ from the rest of the combinations.
For username admin we found our password: admin (State: Reflected)
Brute Force WordPress Site Using Nmap
Nmap also brute forces for us, alongside its network scanning, through the http-wordpress-brute script.
Let’s get into it.
$ nmap -p80 --script http-wordpress-brute <target>
To set the number of threads, use the script argument http-wordpress-brute.threads:
$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.threads=5 <target>
If the server uses virtual hosting, set the Host header using the argument http-wordpress-brute.hostname:
$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.hostname="ahostname.wordpress.com" <target>
Brute Force WordPress Site Using Metasploit
Metasploit is a great framework that can be used for many things, such as exploitation, vulnerability scanning, fuzzing, auxiliary scanning and a lot more.
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set rhosts 127.0.0.1
msf auxiliary(wordpress_login_enum) > set rport 80
msf auxiliary(wordpress_login_enum) > set user_file /root/Desktop/user.txt
msf auxiliary(wordpress_login_enum) > set pass_file /usr/share/wordlists/rockyou.txt
msf auxiliary(wordpress_login_enum) > exploit
The WordPress brute force succeeded: the login works with bitnami as both username and password.
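All five tools above leave the same server-side footprint: a burst of POST requests to wp-login.php from one source, with WPScan’s --random-user-agent additionally changing the User-Agent on every request, so a defender should key on the source address rather than on the user agent. The script below is an added example, not part of the original post or of any of these tools: it parses constructed Apache combined-format log lines and flags sources that exceed a login-POST rate; the addresses, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag each source that POSTs to wp-login.php `threshold`+ times within `window`.
    WordPress answers a failed login with 200 (form re-rendered) and a successful one
    with a 302 to wp-admin, so a 302 inside a burst of 200s means a guess worked."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # sliding window anchored at each request
            if len([r for r in recs[i:] if r["ts"] - first["ts"] <= window]) >= threshold:
                alerts.append({"ip": ip, "attempts": len(recs),
                               "distinct_user_agents": len({r["ua"] for r in recs}),
                               "likely_success": any(r["status"] == 302 for r in recs)})
                break
    return alerts

def _entry(ip, second, status, ua):
    # Constructed log line; only the seconds field of the timestamp varies.
    return (f'{ip} - - [10/Mar/2024:09:01:{second:02d} +0000] '
            f'"POST /blog/wp-login.php HTTP/1.1" {status} 4512 "-" "{ua}"')

# Constructed sample: one normal login from 10.0.0.5, then twelve guesses in twelve
# seconds from 198.51.100.7 with a different User-Agent each time, the last one a hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2024:08:30:12 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [_entry("198.51.100.7", s, 302 if s == 11 else 200, f"Mozilla/5.0 (Agent {s})") for s in range(12)]
```

Running detect_login_bursts(SAMPLE_LOG) reports only 198.51.100.7, with 12 attempts, 12 distinct user agents and likely_success set, which is the signal to block the source and rotate the guessed credential.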