
Brute Force WordPress Passwords with WPScan and Tor


Visit Center City Security for WordPress Penetration Testing and Security services.

I took another crack, pun intended, at brute forcing my WordPress password using WPScan. Unlike when I tried it the other day, this time I used Tor and set up a SOCKS proxy to make use of a false IP address. My thinking was that my web host might blacklist my IP after a certain number of failed attempts, so by using Tor I could simply switch IP addresses once the blacklist went into effect.

I am happy to say the proxy worked and the following command worked as expected:

sudo wpscan --url technicalagain.com --wordlist darkc0de.txt --username [redacted] --proxy socks5://127.0.0.1:9050 -v

The behavior of my web host did not match what I expected. Instead of blacklisting the IP, as soon as the 38th incorrect password was entered, the web host put up a 406 error and stopped allowing login attempts for five minutes. Why does it allow 38 password attempts? Good question. So, to work around this I would have to enter 37 passwords, then wait five minutes, then enter the next 37 passwords, then wait five minutes, and slowly work through the entire dictionary list. At 37 passwords per five minutes it would take 121 days to exhaust the list of passwords in darkc0de.txt. Suffice it to say that this password policy control put in place by the web host is a satisfactory deterrent for the 99.99% of attackers that are not going to wait up to half a year just in hopes that my password is on the darkc0de list. It isn’t.


Scan WordPress for Vulnerabilities with WPScan

I scanned my own WordPress sites for vulnerabilities using a powerful command-line utility, WPScan. WPScan is a black-box vulnerability scanner specifically for WordPress. It is a stark reminder of why it is so important to minimize the number of plugins you use, delete the ones you have deactivated, and keep your software up to date. One simple little command, sudo wpscan example.com -u, will list all the WordPress usernames and the installed plugins, whether active or not, together with every published vulnerability for those plugins, whether it has been fixed, and how to exploit it.

WPScan also peeks at the robots.txt file to discover “interesting” content that the author wants hidden from search engines. I made this mistake when I wrote about rolling my own password manager: I errantly thought it would be a good idea to list the directories I didn’t want indexed in the robots.txt file. I have since deleted this content.

I used WPScan to search for TimThumb (tt) files and used WPScan to brute force password attempts against the usernames I discovered when enumerating the site.

TimThumb is a tool used by WordPress themes and plugins to resize images. Old versions of TimThumb have a security vulnerability that lets attackers upload malicious (“bad”) files from another website. The first bad file then lets the attacker upload more malicious files to the hosting account.

Great utility, powerful, and simple to use.

Next Steps

It would be a good idea to install a WordPress plugin that forces users to choose sufficiently complex passwords and blacklists IP addresses after a certain number of failed login attempts, essentially nullifying the efficacy of brute-force attacks.
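The lockout the host applied in the first post (37 attempts, then a five-minute refusal) and the blacklisting plugin recommended here are the same control. The following Python is an added example, not code from the original post or from WPScan: it implements that control as a sliding-window throttle over web-server access-log lines and replays a constructed log to show the 38th attempt being refused. The combined log format, the rule that stock WordPress answers a failed wp-login.php POST with HTTP 200 and a successful one with a 302, the thresholds, and the IP addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Policy modelled on the host behaviour described in the post: 37 attempts per
# five-minute window, then the source is refused for five minutes. Assumed values.
MAX_ATTEMPTS = 37
WINDOW = timedelta(minutes=5)
BLOCK_FOR = timedelta(minutes=5)

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def is_failed_login(line):
    """Return (ip, timestamp) for a failed wp-login.php POST, otherwise None.

    Assumption: stock WordPress re-renders the login form with HTTP 200 on a bad
    password and redirects (302) on success, so 200 here means a failure.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
        return None
    if m["status"] != "200":
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT)


class LoginThrottle:
    """Sliding-window counter of failed logins per source IP with a temporary block."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW, block_for=BLOCK_FOR):
        self.max_attempts = max_attempts
        self.window = window
        self.block_for = block_for
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block expires

    def record_failure(self, ip, ts):
        """Register one failed attempt.

        Returns 'ok' (still under the limit), 'limit' (this attempt tripped the
        limit and started a block) or 'blocked' (refused while a block is active).
        """
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"
        recent = self.attempts[ip]
        while recent and ts - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.blocked_until[ip] = ts + self.block_for
            recent.clear()
            return "limit"
        recent.append(ts)
        return "ok"


def replay(lines, throttle=None):
    """Feed log lines through the throttle; return [(ip, verdict)] for failed logins only."""
    throttle = throttle or LoginThrottle()
    verdicts = []
    for line in lines:
        hit = is_failed_login(line)
        if hit is None:
            continue
        ip, ts = hit
        verdicts.append((ip, throttle.record_failure(ip, ts)))
    return verdicts


def sample_log():
    """Constructed log: 40 failed logins from one IP five seconds apart, plus one
    successful (302) login from a second IP part-way through."""
    start = datetime(2019, 3, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = (start + timedelta(seconds=5 * i)).strftime(TS_FORMAT)
        lines.append(f'203.0.113.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 4321')
        if i == 20:
            lines.append(f'198.51.100.2 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    for ip, verdict in replay(sample_log()):
        print(ip, verdict)
```

Replaying the constructed log yields 37 "ok" verdicts for 203.0.113.7, then "limit" on the 38th attempt and "blocked" for the remaining two, while the successful login from the other address is never counted. A lockout plugin does the same bookkeeping inside WordPress; this version is the equivalent check a defender can run offline over access logs to confirm that the host or plugin is actually enforcing the limit it advertises.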

It would also be a good idea to install the Tor proxy so the web host cannot block the IP address that WPScan is using, a simple technique to hide footprints.