What is Brute Force:
A brute force attack is, in its simplest terms, trying the passwords in a list against the target system one after another. Password lists consisting of millions of passwords can be prepared for this purpose; these prepared lists are called “word lists”. They can also be combined and generated specifically for a person or a system. In our previous articles, we showed how to create a “word list” specific to a person or a system. These “word lists” can be tried serially to log in to systems. The simplest protection against a brute force attack is to create passwords that are hard to guess and not to use common character sequences (for example: 123456) in passwords.
Now let’s come to our main topic, brute forcing WordPress sites:
The tool we need is “WPScan”. It comes pre-installed on Kali Linux, the operating system created for hackers and cybersecurity professionals, where you can easily perform penetration tests.
WPScan is a dedicated penetration testing program created for WordPress sites. Of course, we show its use for educational purposes; as www.siberguvenlikblogu.com, we are not responsible for its use for malicious purposes.
One of the things we need is the admin’s username. It is usually “admin”, but it won’t be the same for every WordPress site.
You can find the usernames on the target WordPress system with this command:
Now the command required to run a brute force attack against the user that was found:
wpscan --url target_url --disable-tls-checks --usernames target_user --passwords /usr/share/wordlists/rockyou.txt -t 3 --password-attack wp-login
To explain the parameters:
--disable-tls-checks: Required to bypass the TLS certificate check
--passwords: Word list location
-t: Number of threads; 3 is our recommendation (you can change it from site to site)
--password-attack: Parameter that selects the brute force method
wp-login: The admin panel login page (this may not be the same on every site, but it is like that for most WordPress sites)
It will automatically report the password when a login to the target system succeeds. You can then log in to the system with that username and password.
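From the defender's side, the attack described above appears in the web server's access log as a burst of POST requests to wp-login.php from one client. The following is an added example, not part of the original article or of WPScan: it assumes combined-format access logs and that WordPress answers a failed login with 200 and a successful one with a 302 redirect; the function name, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format fields we need: client IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def detect_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "success_after_burst": bool}} for noisy clients."""
    # Assumption: failed login -> 200 (form shown again), successful login -> 302.
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if m["status"] == "200":
            q.append(ts)
            if len(q) >= threshold:
                entry = findings.setdefault(
                    ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif m["status"] == "302" and ip in findings:
            findings[ip]["success_after_burst"] = True  # a guess may have worked
    return findings

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"'
    for s in range(0, 12, 2)
] + [
    '203.0.113.7 - - [10/Mar/2024:12:00:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A client flagged with success_after_burst set is the case to treat as a likely compromised account: reset that user's password and review the session that followed the redirect.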
Finally, it should be noted that the WPScan tool has a very complex structure and many parameters. There will be more detailed articles about WPScan in the future.