Wp-brute is a small php application designed for testing security on your Wordpress based website.
It's core function is to try and gain access to a Wordpress administration account, using a "brute force" nature.
Currently, wp-brute only supports a dictionary based attack, however, the source code can be easily modified to suit other brute force types.
Some key features of wp-brute
- Pure SOCKS connectivity - no need for cURL or other libraries.
- Session logging
- Proxy support for TOR / other SOCKS4 proxy library.
- Timeout and retry support
- Wp-brute performs best on local servers, due to PHP's socket limitations. Always clone your Wordpress site to a local server for higher speeds.
- Remote connections can be dangerous. Some hosting providers will blacklist your IP for sending so many requests to login in a short burst.
- If you are running via proxy, you should manually resolve DNS entries in an anonymous fashion and add them to /etc/hosts (Or similar). SOCKS4 does not support remote name resolution, and thus, can compromise your identity.
wp-brute.php should be used primarily from the command line, meaning, you will require php5-cli.
Usage: wp-brute.php wp-loginurl username passlist [[/proxy] 127.0.0.1:9050]
wp-loginurl: Full url pointing to target wp-login.php
username: The Wordpress username to attack
passlist: Location of password dictionary file
/proxy: Connect via proxy
Here's a couple of examples
A local session with no proxy
php wp-brute.php http://localhost/blog/wp-login.php admin lib/passlist.txt
A remote session through a proxy.
php wp-brute.php http://site.com/wp-login.php admin lib/passlist.txt /proxy 127.0.0.1:9050
Questions should be pointed to [bitaurora [at] tormail [dot] org] 1