
wpbf - WordPress BruteForce
by atarantini

Remotely test password strength of WordPress blogging software

wpbf is a Python script that helps you remotely test and audit the password strength of WordPress blogs. It currently supports threading, username detection/enumeration, logging, and searching the blog content for keywords to extend the password list.

wpbf will quickly test whether your WordPress blog is hard to bruteforce or whether the passwords in use are weak and need to be changed.

Features

Download

You can download this project in either zip or tar formats.

You can also clone the project with Git by running:

$ git clone git://github.com/atarantini/wpbf

Install

Uncompress the downloaded file into any directory and execute it using ./wpbf.py

For full documentation see the README in the GitHub repository

Documentation and License

Full documentation and usage are in the README file in the GitHub repository

Repository of wpbf on GitHub

Dependencies: Python 2.6+

License: GPLv3

Author: Andres Tarantini (atarantini@gmail.com)

Usage

Basic

In this example, wpbf runs a bruteforce test using the default settings (you can change the defaults in config.py). It enumerates usernames, harvests keywords from the blog content, and uses the static plus generated wordlist to bruteforce each user:

$ ./wpbf.py http://localhost/wordpress/
2011-09-30 17:19:15,985 - wpbf - INFO - Target URL: http://localhost/wordpress/
2011-09-30 17:19:16,034 - wpbf - INFO - Checking URL and username...
2011-09-30 17:19:16,035 - wpbf - INFO - Enumerating users...
2011-09-30 17:19:27,013 - wpbf - INFO - Usernames: admin
2011-09-30 17:19:28,671 - wpbf - INFO - 41 passwords will be tested
2011-09-30 17:19:28,680 - wpbf - INFO - Starting workers...
2011-09-30 17:19:28,685 - wpbf - INFO - WordPress version: 3.0
21 tasks left / 1.6 tasks per second / 0.22min left
2011-09-30 17:19:46,798 - wpbf - INFO - Password 'qawsed' found for username 'admin' on http://localhost/wordpress/wp-login.php

Username enumeration

The '-eu' or '--enumerateusers' parameter only performs username enumeration and lists the usernames found:

$ ./wpbf.py -eu http://www.mysite.com/blog/

Aggressive

You can spawn more threads to speed up the bruteforce process. Be aware that a large number of threads can hang the server or cause a denial of service. For this example we will spawn 23 threads:

$ ./wpbf.py -t 23 http://www.mysite.com/blog/
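The flip side of the thread count is what it looks like in the target's web server log: the basic example above already sends 1.6 login attempts per second from one source, and 23 threads multiply that. The following is an added example, not part of wpbf, of the detection check a blog owner would run over their own access log: it parses combined-format lines, keeps a sliding window of POSTs to wp-login.php per client IP, and flags any source that exceeds a threshold inside the window. It assumes lines are in chronological order and that WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect; the log lines are constructed for the example. Python 3, standard library only.

```python
"""Flag bursts of POSTs to wp-login.php in a web server access log.

Added example (not part of wpbf): a defender-side check that runs over
constructed sample log lines. Python 3; standard library only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_login_bursts(lines, threshold=10, window_seconds=60):
    """Sliding-window count of login POSTs per client IP.

    Assumes lines arrive in chronological order, as a live log does.
    WordPress re-renders the form with HTTP 200 on a failed login and
    redirects (302) on success, so the two outcomes are tallied separately.
    Returns {ip: {"peak": ..., "failed": ..., "succeeded": ...}} for every IP
    whose POST count inside one window reached the threshold at least once.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # ip -> timestamps of login POSTs in the window
    outcomes = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.split("?", 1)[0].endswith("/wp-login.php"):
            continue
        outcomes[ip]["succeeded" if status == 302 else "failed"] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: {"peak": n, **outcomes[ip]} for ip, n in peak.items()}


# --- constructed sample log (not real traffic) -------------------------------
_TZ = timezone(timedelta(hours=-3))


def _login_post(ip, ts, status, agent):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "POST /wordpress/wp-login.php HTTP/1.1" {status} 3456 "-" "{agent}"'


_start = datetime(2011, 9, 30, 17, 19, 28, tzinfo=_TZ)
SAMPLE_LOG = [
    # a person mistyping once, then logging in: two POSTs, 39 seconds apart
    _login_post("192.0.2.10", datetime(2011, 9, 30, 17, 10, 2, tzinfo=_TZ), 200, "Mozilla/5.0"),
    _login_post("192.0.2.10", datetime(2011, 9, 30, 17, 10, 41, tzinfo=_TZ), 302, "Mozilla/5.0"),
    # a page view and one unparseable line, both ignored by the check
    '10.0.0.5 - - [30/Sep/2011:17:19:16 -0300] "GET /wordpress/ HTTP/1.1" 200 8120 "-" "python-urllib/2.6"',
    "this line is not in combined log format",
] + [
    # a scripted run: one POST per second, eleven failures then one success
    _login_post("10.0.0.5", _start + timedelta(seconds=i), 302 if i == 11 else 200, "python-urllib/2.6")
    for i in range(12)
]

if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak']} login POSTs within 60 s "
              f"({info['failed']} failed, {info['succeeded']} succeeded)")
```

On the sample, the scripted source is reported with a peak of 12 POSTs in the window, 11 failed and 1 succeeded, while the person who mistyped once is not flagged. A threshold of 10 per minute is far below the rate of a multi-threaded run, so the tool's own speed is what makes it visible; a run that ends with a 302 after a string of 200s is the case worth paging on.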

Custom

Using the username 'john', without harvesting keywords from the blog content for the wordlist, and through a local proxy:

$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/

For full usage documentation, run wpbf with the '-h' or '--help' parameter, or check the README file in the GitHub repository