Today we’re gonna learn how to brute force wordpress sites using 5 different ways. let’s get started!

  1. WPScan
  2. Burp Suite
  3. OWASP ZAP
  4. Nmap
  5. Metasploit

Large Password Lists

Brute Force WordPress Site Using WPScan

WPScan is a WordPress security scanner which is pre-installed in kali linux and scans for vulnerabilities and gather information about plugins and themes etc.

For brute forcing you need to have a good wordlist. If you’re doing CTF’s you can use the famous wordlist rockyou.txt.

Brute Force WordPress Site Using Burp Suite

If you have free version of burp suite then it will only use 1 thread and will take ages to complete. However you have to upgrade to premium subscription in order to fully use it’s features.

Let’s get started.

You have to setup burp suite proxy with the browser in order to capture POST data you can do that by going to Settings > Preferences > Advanced > Network.

Now, select Manual proxy Configuration type your localhost address in HTTP proxy tab and set port to 8080. Click OK

When you turn on the interception then type any password of your predictions so that the burp suite can capture it. Look at image please notice the last line in fetched data it is show that I tried to login by type admin:admin as username and password respectively.

Send the captured material to the intruder by right clicking on the space and choosing Send to Intruder option or simply press ctrl + i

Now go to Positions Tab.

Here you have to select all your POST data and click on clear first.

Here you have to click on admin:admin and click add to at positions for our username and password payloads.

After doing that change attack type to cluster bomb.

So now that we have added our positions for payload and changed our attack type to cluster bomb. Now we’re gonna click on Payloads tab.

Payload set: 1

This payload is for username you can add your custom wordlist for your username as well if you don’t know the targeted site username and by clicking on load you can load wordlist from its path.

Payload set: 2

This payload is for password and you can add your custom words as a new item or you can load your custom wordlist through clicking on load.

Now that we’re done with payloads and we’re gonna start our attack by clicking “Start Attack” button.

Brute Force WordPress Site Using OWASP ZAP

We have to install OWASP ZAP since it doesn’t comes pre-installed on Kali Linux.

To get started with OWASP ZAP just like we setup the proxy for burp suite we do that for OWASP ZAP as well.

Now we’re gonna capture some POST data.

Now we’re gonna click on pwd=admin “admin” and click on fuzz this will open a new window.

When you click on fuzz a new window ‘fuzzer’ will get open, now you have to click on add button on left of frame it will open a new window add payload. Click on select and choose your dictionary for attack.

Again click on add button and then click on start fuzzer.

When attack will finished you would get the sure credential by checking state and size response header which would be different from rest of combination.

For username: admin we found our password: admin *Reflected

Brute Force WordPress Site Using Nmap

Nmap also do brute forcing for us along with scanning of a network.

Let’s get into it.

If you are targeting a popular application, remember to check whether there are any NSE scripts specialized on attacking them. For example, WordPress installations can be audited with the script http-wordpress-brute:

To set the number of threads, use the script argument http-wordpress-brute.threads:

If the server has virtual hosting, set the host field using the argument http-wordpress-brute.hostname:

Brute Force WordPress Site Using Metasploit

Metasploit is a great tool which can be used for many things such as exploiting, vulnerability scanning, fuzzing and auxiliary scanning and lot more.