Working with Wprecon Tool on Kali Linux OS
WordPress CMS Target 1 – w3wiki.org
In this example, we perform WordPress reconnaissance on the WordPress site w3wiki.org.
Example 1: Enumerate WordPress Users
wprecon --url https://w3wiki.org
In this example, we enumerate the users associated with the target domain w3wiki.org. The output lists the users linked with w3wiki.org.
Example 2: Enumerate WordPress Plugins
wprecon --url https://w3wiki.org
In this example, we enumerate the WordPress plugins used on the target domain.
Example 3: Fuzz sub-command WPrecon
wprecon fuzz -u "https://w3wiki.org" --backup-file --random-agent
In this example, we fuzz for backup files that may be available on the target domain. In the screenshot below, you can see that no backup files are available on w3wiki.org.
WordPress CMS Target 2 – secnhack.in
In this example, we target a domain that is built with WordPress.
Example 1: Enumerate WordPress Users
wprecon --url https://secnhack.in
In this example, we enumerate the users associated with the target domain secnhack.in. The output lists the users linked with secnhack.in.
Example 2: Enumerate WordPress Plugins
wprecon --url https://secnhack.in
In this example, we enumerate the WordPress plugins used on the target domain.
Example 3: Set the usernames and the password wordlist for the password attack
wprecon fuzz -u "https://secnhack.in" user -P /home/kali/Desktop/rockyou.txt
1. In this example, we use the fuzz subcommand to brute-force username and password credentials on the target domain. We supply the rockyou.txt file, which contains candidate passwords.
2. The screenshot below shows the contents of the rockyou.txt file, which consists of possible passwords.
More About Wprecon Tool (GUI Version)
Users who find the Wprecon tool complex or do not know how to operate it on the Linux operating system can use the GUI version instead, which is a web-based application. The link to the GUI version is listed below.
https://wprecon.com/
Let’s use the GUI version of the Wprecon tool
1. Our target domain is w3wiki.org.
2. In the screenshot below, packets are being sent to the target domain to obtain the results.
3. In the screenshot below, we have the results of the passive analysis, which include the WordPress version, server details, etc.
4. In the screenshot below, we have the details of the plugins and themes used.
5. In the screenshot below, we have the details of users and directory indexing.
6. In the screenshot below, we have the details of linked sites.
7. In the screenshot below, we have the details of JavaScript resources.
WPrecon – Vulnerability Recognition Tool In CMS WordPress
A vulnerability is a flaw that could compromise the confidentiality, integrity, or availability of an information system or web application. Vulnerability identification is the process of discovering vulnerabilities in the target environment and documenting them in an inventory. Vulnerability recognition is a crucial step in penetration testing, and there are various methods to perform it. Wprecon (WordPress Recon) is an automated tool written in Golang that recognizes vulnerabilities in WordPress sites. However, it can work with non-WordPress sites too. Wprecon enumerates usernames, enumerates plugins, and performs brute-forcing to find credentials on the target domain.
Note: Wprecon is a Golang-based tool, so you need a Golang environment on your system. Check this link to install Golang on your system: Install Go language in Linux
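From the defender's side, the user enumeration, backup-file fuzzing and password brute-forcing described above leave recognizable traces in web server access logs. The following is an added example (not from the original page or the Wprecon project) that flags them in constructed log lines. The request patterns it matches (?author=N, /wp-json/wp/v2/users, backup-file extensions, POSTs to wp-login.php) are common WordPress patterns assumed here rather than taken from Wprecon, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed access-log lines (common log format); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0',
    '198.51.100.20 - - [10/May/2024:10:00:04 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9001',
    '198.51.100.20 - - [10/May/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4021',
    '198.51.100.20 - - [10/May/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
] + [
    '203.0.113.7 - - [10/May/2024:10:01:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4021' % s
    for s in range(6)
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
USER_ENUM = re.compile(r'[?&]author=\d+|/wp-json/wp/v2/users')
BACKUP = re.compile(r'\.(bak|old|sql|zip|tar\.gz|swp)(\?|$)', re.I)
# Assumed thresholds: minimum hits per client, over the whole input, before reporting.
THRESHOLDS = {"user_enum": 2, "backup_probe": 1, "failed_login": 5}

def scan(lines):
    """Return {client_ip: [categories]} for clients that reach a threshold."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if USER_ENUM.search(path):
            hits[ip]["user_enum"] += 1
        if BACKUP.search(path):
            hits[ip]["backup_probe"] += 1
        # WordPress re-renders the login form with HTTP 200 on a failed login
        # and redirects (302) on success, so POST + 200 counts as a failure.
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            hits[ip]["failed_login"] += 1
    alerts = {}
    for ip, counts in hits.items():
        flagged = sorted(k for k, n in counts.items() if n >= THRESHOLDS[k])
        if flagged:
            alerts[ip] = flagged
    return alerts

if __name__ == "__main__":
    for ip, categories in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(categories))
```

In production the counts would be bucketed per time window, and the findings used to drive rate limiting or blocking on the login and user-listing endpoints.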