WPScan is a black-box vulnerability scanner for WordPress sites. WordPress is a popular open-source content management system that a great many sites run, which is why a dedicated scanner like WPScan is necessary.
Now I will try to find the username and password of a WordPress site.
NOTE: This is a site that my father made, and I already have permission to perform a pentest on it.
Run Kali Linux and open the terminal, then type wpscan
It prints example commands for each specific objective.
First, I want to know the admin username of the site, then type
wpscan --url dpadmayacafe.com --enumerate u
The censored word in the output is the admin login username.
Next is to find the password. WPScan has a brute-forcing option, so I try to brute-force the password. Since I already know the admin username, I use the form of the command that takes --username
wpscan --url dpadmayacafe.com --wordlist <text file location> --username ….
Unfortunately, a warning appears after I execute the command.
It seems that the WordPress site has a plugin that blocks WPScan. I try adding --random-agent at the end. In most cases it is supposed to work, but it does not work for me.
In conclusion, I got the username, but I was unable to get the brute-force to work.
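From the defending side, the username enumeration and the repeated login attempts described above leave a recognisable trail in the web server's access log. The script below is an added example (not part of the original post and not WPScan's own code) that flags source IPs walking author IDs or the REST users endpoint, posting to wp-login.php repeatedly, or announcing a scanner user-agent; the log lines are constructed samples, and the threshold of five failed-looking logins is an assumption.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# paths that user enumeration probes: author ID redirects and the REST users endpoint
ENUM_PATH = re.compile(r'^/\?author=\d+$|^/author/|^/wp-json/wp/v2/users')

# Constructed sample lines in combined log format (not real traffic): one source walks
# author IDs, hits the REST users endpoint, then posts to wp-login.php repeatedly.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:57:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
] + [f'203.0.113.7 - - [10/Oct/2023:13:56:{10 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"'
     for i in range(8)]

def analyze(lines):
    """Per source IP: enumeration probes, failed-looking login POSTs, scanner user-agent seen."""
    per_ip = defaultdict(lambda: {"enum": 0, "login_posts": 0, "scanner_ua": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        rec = per_ip[m["ip"]]
        if ENUM_PATH.match(m["path"]):
            rec["enum"] += 1
        # a failed wp-login.php POST re-renders the form with 200; a success redirects (302)
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            rec["login_posts"] += 1
        if "wpscan" in m["ua"].lower():
            rec["scanner_ua"] = True
    return dict(per_ip)

def suspicious_ips(findings, login_threshold=5):
    """Map each IP that trips a rule to the list of reasons (threshold is an assumed value)."""
    out = {}
    for ip, rec in findings.items():
        reasons = []
        if rec["enum"] >= 2:
            reasons.append("user enumeration")
        if rec["login_posts"] >= login_threshold:
            reasons.append(f"{rec['login_posts']} failed-looking logins")
        if rec["scanner_ua"]:
            reasons.append("scanner user-agent")
        if reasons:
            out[ip] = reasons
    return out
```

Pointing `analyze` at a real access log (one line per list element) and feeding the result to `suspicious_ips` gives the IPs worth rate-limiting or blocking at the web server.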