Hello. While practicing how to use wpscan for testing wp site safety, I noticed any regularly updated WordPress site will be immune to password brute forcing. I expected to find more complaints about this issue (especially because the net is filled with how-to-hack-password-with-wpscan tutorials aimed at novices), but failed to find any useful info on this. Failed pass brute-forcing is usually announced by wpscan with a message about a plugin called better-wp-security being found (and in one case login-security-solution), and I doubt this security is installed by wp admins, more likely by updates.

All I found was this info on a wp-better-security vulnerability https://github.com/wpscanteam/wpscan/issues/251 and more about the vulnerability here http://www.securityfocus.com/archive.../30/0/threaded, but understanding and applying this exploit is a bit out of my reach atm (and I can't manage to make the burp suite proxy server work). I am more interested in the safety of WordPress sites against simple brute-forcing, and whether finding a pass this way is still somehow possible (with some additional relatively simple steps), or is the wpscan password cracker rendered useless by any updated WordPress site?

Wpscan password brute-forcing problem description:

Code:
wpscan --url somewpsite.com --threads 1 --wordlist /usr/share/wordlists/wfuzz/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt --username username
(threads reduced to 1 to test if that'll work, it didn't ofc)

That line will usually end up with this:
Code:
The plugin login-security-solution has been detected. It might record the IP and timestamp of every failed login and/or prevent brute forcing altogether. Not a good idea for brute forcing!
[?] Do you want to start the brute force anyway ? [y/n]
And for example this after each attempted word in the dictionary:
Code:
ERROR: We received an unknown response for 1234...
or this (in case of wp-better-security)
Code:
 ERROR: Request timed out.
Upgrading wpscan didn't help, I still get stuff like this:
Code:
  Brute Forcing 'admin' Time: 00:00:00 <    > (1 / 184390)  0.00%  ETA: 00:00:00
  ERROR: We received an unknown response for # from http://downloads.skullsecurity.org/passwords/phpbb.txt...
  Brute Forcing 'admin' Time: 00:00:00 <    > (2 / 184390)  0.00%  ETA: 00:00:00
  ERROR: We received an unknown response for 123456...
  Brute Forcing 'admin' Time: 00:00:01 <    > (3 / 184390)  0.00%  ETA: 17:43:43
  ERROR: We received an unknown response for password...
Btw, why does the path to the passwords file (line 2) start with "downloads.skullsecurity.org"? That file is stored on my hdd. Also, that URL is invalid. Is this a wpscan bug, or is that login-security-solution plugin messing with wpscan?