There are a lot of WordPress security tools out there, such as the WPScan vulnerability scanner. Now there is an addition: WPForce, which I consider a more offensive tool, as it performs brute-force attempts against a targeted WordPress installation.
What is WPForce?
WPForce is an open source, multi-threaded suite of WordPress attack tools: WPForce itself, which brute-forces logins via the XML-RPC API, and Yertle, which uploads shells once admin credentials have been found. WordPress has its own implementation of the XML-RPC API that allows you to post content to your blog. This functionality is enabled by default since WordPress 3.5!
Functions of WPForce:
- Brute force via the XML-RPC API, bypassing some forms of protection.
- Can automatically upload an interactive shell.
- Can be used to spawn a full featured reverse shell.
- Dumps WordPress password hashes.
- Can backdoor authentication function for plaintext password collection.
- Inject BeEF hook into all pages.
- Pivot to meterpreter if needed.
The advantage of this tool over other such brute-force tools is that there are no CAPTCHAs to be broken and there is less rate limiting. If your credentials work, WPForce lets you know and uploads a shell for you to control! If they do not, it continues and tries another credential. This is where the companion script, Yertle, can be used to upload a backdoor onto the WordPress server and execute a number of post-exploitation modules. These are the currently supported modules:
- beef – Injects a BeEF hook into website
- exit – Terminate the session
- hashdump – Dumps all WordPress password hashes
- keylogger – Patches WordPress core to log plaintext credentials
- keylog – Displays keylog file
- meterpreter – Executes a PHP meterpreter stager to connect to metasploit
- shell – Sends a TCP reverse shell to a netcat listener
- stealth – Hides Yertle from the plugins page
In addition to these, there are the help and quit modules. Since all of this is open source and written in easy-to-understand Python, you can surely read and use it.
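Because XML-RPC logins skip the CAPTCHA and rate limits that protect wp-login.php, the defender's signal is volume: a burst of POSTs to xmlrpc.php from one address. The following detector is an added example written for this post, not code from WPForce or WordPress; it assumes combined-log-format access logs and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (assumed): IP, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))

def xmlrpc_bruteforce_sources(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: total_posts} for IPs that POST to xmlrpc.php more than `threshold`
    times within any sliding window of length `window`. A failed XML-RPC login is
    still an HTTP 200 (the fault is inside the XML body), so count requests, not
    error statuses. Legitimate clients issue a handful of calls, not dozens a minute."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample lines (not real traffic): 12 POSTs in 33 seconds from one address,
# two routine calls ten minutes apart from another, and one unrelated GET.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{sec:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
    for sec in range(0, 36, 3)
] + [
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.4 - - [10/Mar/2024:12:10:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 1830',
]

if __name__ == "__main__":
    for ip, n in xmlrpc_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php, more than 10 within one minute")
```

Tune `threshold` to your own baseline: sites that rely on Jetpack or mobile apps see legitimate XML-RPC traffic, and sites that do not can disable the endpoint entirely.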
WPForce & Yertle can be downloaded here.