Posted on

WordPress user enumeration with Metasploit

Good morning friends. Not all vulnerabilities are unauthenticated, sometimes we require credentials to exploit a vulnerability like the WordPress ajax loadmore Php upload exploit we saw in one of  previous howtos. But how do we get these credentials. Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.

Start Metasploit and load the wordpress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self explanatory but let us see some of the options.

The “BLANK_PASSWORDS” option if set will check if any of the users are without any password. The “VERBOSE”option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” option will check for single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The USER_FILE and PASS_FILE are used to specify file for usernames and passwords to enumerate respectively. The VALIDATE_USERS option will first validate if user exists on the target even before trying to crack his password.

wpuserenum1 wpuserenum2

The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file. When we execute the module, we can see that it will first validate all the usernames.

wpuserenum3 wpuserenum4

What if we know the username? The first question is how will we know the username. Just go through one of our previous howto : WordPress vulnerability assessment  with WPSCAN. The tool gave use a hint that username is “root”. Now we will set the username as root, specify a common password dictionary as password file as shown below.

wpuserenum5

When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.

wpuserenum6

After some time we can see that we successfully cracked the password for user “root” as “123456”.

wpuserenum7

HOW TO STAY SAFE:

Never use not only common passwords but also common usernames for your websites. Still most of the people tend to use common usernames like admin, administrator etc. and common passwords.