root@kali:~# wpscan --help
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.6
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
Help :
Some values are settable in a config file, see the example.conf.json
--update Update to the database to the latest version.
--url | -u <target url> The WordPress URL/domain to scan.
--force | -f Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)] Enumeration.
option :
u usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p plugins
vp only vulnerable plugins
ap all plugins (can take a long time)
tt timthumbs
t themes
vt only vulnerable themes
at all themes (can take a long time)
Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
If no option is supplied, the default is "vt,tt,u,vp"
--exclude-content-based "<regexp or string>"
Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file | -c <config file> Use the specified config file, see the example.conf.json.
--user-agent | -a <User-Agent> Use the specified User-Agent.
--cookie <String> String to read cookies from.
--random-agent | -r Use a random User-Agent.
--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch Never ask for user input, use the default behaviour.
--no-color Do not use colors in the output.
--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it.
Subdirectories are allowed.
--wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory.
If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port> Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
If no protocol is given (format host:port), HTTP will be used.
--proxy-auth <username:password> Supply the proxy login credentials.
--basic-auth <username:password> Set the HTTP Basic authentication.
--wordlist | -w <wordlist> Supply a wordlist for the password brute forcer.
--username | -U <username> Only brute force the supplied username.
--usernames <path-to-file> Only brute force the usernames from the file.
--threads | -t <number of threads> The number of threads to use when multi-threading requests.
--cache-ttl <cache-ttl> Typhoeus cache TTL.
--request-timeout <request-timeout> Request Timeout.
--connect-timeout <connect-timeout> Connect Timeout.
--max-threads <max-threads> Maximum Threads.
--help | -h This help screen.
--verbose | -v Verbose output.
--version Output the current version and exit.
Examples :
-Further help ...
ruby ./wpscan.rb --help
-Do 'non-intrusive' checks ...
ruby ./wpscan.rb --url www.example.com
-Do wordlist password brute force on enumerated users using 50 threads ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
-Do wordlist password brute force on the 'admin' username only ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
-Enumerate installed plugins ...
ruby ./wpscan.rb --url www.example.com --enumerate p
-Enumerate installed themes ...
ruby ./wpscan.rb --url www.example.com --enumerate t
-Enumerate users ...
ruby ./wpscan.rb --url www.example.com --enumerate u
-Enumerate installed timthumbs ...
ruby ./wpscan.rb --url www.example.com --enumerate tt
-Use a HTTP proxy ...
ruby ./wpscan.rb --url www.example.com --proxy 127.0.0.1:8118
-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby ./wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000
-Use custom content directory ...
ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content
-Use custom plugins directory ...
ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins
-Update the DB ...
ruby ./wpscan.rb --update
-Debug output ...
ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log
See README for further information.
WPSCAN(1) User Commands WPSCAN(1)
NAME
wpscan - WordPress Security Scanner
SYNOPSIS
wpscan [options]
DESCRIPTION
WordPress Security Scanner by the WPScan Team
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
OPTIONS
--url URL
The URL of the blog to scan Allowed Protocols: http, https Default Pro‐
tocol if none provided: http This option is mandatory unless update or
help or hh or version is/are supplied
-h, --help
Display the simple help and exit
--hh Display the full help and exit
--version
Display the version and exit
-v, --verbose
Verbose mode
--[no-]banner
Whether or not to display the banner Default: true
-o, --output FILE
Output to FILE
-f, --format FORMAT
Output results in the format supplied Available choices: cli-no-colour,
cli-no-color, json, cli
--detection-mode MODE
Default: mixed Available choices: mixed, passive, aggressive
--user-agent, --ua VALUE
--random-user-agent, --rua
Use a random user-agent for each scan
--http-auth login:password
-t, --max-threads VALUE
The max threads to use Default: 5
--throttle MilliSeconds
Milliseconds to wait before doing another web request. If used, the max
threads will be set to 1.
--request-timeout SECONDS
The request timeout in seconds Default: 60
--connect-timeout SECONDS
The connection timeout in seconds Default: 30
--disable-tls-checks
Disables SSL/TLS certificate verification
--proxy protocol://IP:port
Supported protocols depend on the cURL installed
--proxy-auth login:password
--cookie-string COOKIE
Cookie string to use in requests, format: cookie1=value1[;
cookie2=value2]
--cookie-jar FILE-PATH
File to read and write cookies Default: /tmp/wpscan/cookie_jar.txt
--force
Do not check if the target is running WordPress
--[no-]update
Whether or not to update the Database
--wp-content-dir DIR
--wp-plugins-dir DIR
-e, --enumerate [OPTS]
Enumeration Process Available Choices:
vp Vulnerable plugins
ap All plugins
p Plugins
vt Vulnerable themes
at All themes
t Themes
tt Timthumbs
cb Config backups
dbe Db exports
u User IDs range. e.g: u1-5 Range separator to use: '-' Value if no ar‐
gument supplied: 1-10
m Media IDs range. e.g m1-15 Note: Permalink setting must be set to
"Plain" for those to be detected Range separator to use: '-' Value if
no argument supplied: 1-100
Separator to use between the values: ',' Default: All Plugins, Config
Backups Value if no argument supplied: vp,vt,tt,cb,dbe,u,m Incompatible
choices (only one of each group/s can be used):
- vp, ap, p - vt, at, t
--exclude-content-based REGEXP_OR_STRING
Exclude all responses matching the Regexp (case insensitive) during
parts of the enumeration. Both the headers and body are checked. Reg‐
exp delimiters are not required.
--plugins-detection MODE
Use the supplied mode to enumerate Plugins, instead of the global
(--detection-mode) mode. Default: passive Available choices: mixed,
passive, aggressive
--plugins-version-detection MODE
Use the supplied mode to check plugins versions instead of the --detec‐
tion-mode or --plugins-detection modes. Default: mixed Available
choices: mixed, passive, aggressive
-P, --passwords FILE-PATH
List of passwords to use during the password attack. If no --user‐
name/s option supplied, user enumeration will be run.
-U, --usernames LIST
List of usernames to use during the password attack. Examples: 'a1',
'a1,a2,a3', '/tmp/a.txt'
--multicall-max-passwords MAX_PWD
Maximum number of passwords to send by request with XMLRPC multicall
Default: 500
--password-attack ATTACK
Force the supplied attack to be used rather than automatically deter‐
mining one. Available choices: wp-login, xmlrpc, xmlrpc-multicall
--stealthy
Alias for --random-user-agent --detection-mode passive --plugins-ver‐
sion-detection passive
To see full list of options use --hh.
wpscan March 2019 WPSCAN(1)