What is WPScan?
WPScan is described as a ‘black box’ WordPress vulnerability checker and is free to use. It took me a couple of hours fiddling around, so I thought I’d help you get this installed by showing you some of the problems and providing the files and sources I used to get it working.
What you need to know…
WPScan is a command line utility, so you will need to know a little bit about the command prompt environment and the PATH variable. It isn’t hugely tricky to use, just don’t expect a fancy user interface. You’ll be telling the executable what to run and how to run it via the command prompt.
Installation requires:
- Ruby (version 2.2.X is the one I’m using, but 2.3.X may be OK too)
- DevKit (to add Ruby Gems. Gems are extensions to Ruby, and the DevKit helps to provide a sane environment on Windows when adding them)
- libcurl.dll (a dynamic link library to help make internet requests using cURL)
- WPScan (the software itself)
The steps are:
Install Ruby
Download a RubyInstaller .zip file from http://rubyinstaller.org/downloads/
Unzip the file and execute it – you will be prompted as follows:
a) Select setup language
b) Ruby License agreement
c) Installation directory
– check all the additional boxes to help with environment setup (you may not need Tcl/Tk, but if space is no issue, just do it anyway)
– installs in the root of C:\ drive
Install the DevKit
Download a DevKit for use with Ruby 2.0 and above (32bit version) from http://rubyinstaller.org/downloads/
Download here: DevKit-mingw64-32-4.7.2-20130224-1151-sfx.exe
Unzip the file and execute it
a) Edit the extraction path to change it from the default user location to the root location, C:\DevKit
b) Extraction can take a while, be patient. It looks like it gets stuck at 17% and 35% on my machine…
c) Open a command prompt (right click on the Windows icon in the bottom left and choose Command Prompt (Admin) from the context menu)
d) Go to the installation directory using ‘cd’: cd C:\DevKit
e) Type ruby dk.rb init to initialise the DevKit, ready for binding
f) Type ruby dk.rb install to bind the DevKit to the Ruby installation(s) in your path
Install cURL (or just use the libcurl.dll provided)
Download ‘curl-7.46.0-win32.exe’ from http://www.confusedbycode.com/curl/#downloads
Download here: curl-7-46-0-win32
Download here: libcurl.dll
Run the installation wizard and follow these steps:
a) Ensure that the option to install ‘C headers, lib files and dlls’ is selected
b) cURL should be installed here: C:\Program Files (x86)\cURL
c) Check that the libcurl.dll has been installed here: C:\Program Files (x86)\cURL\dlls as you will need to copy this file later to the Ruby22 binary directory.
Install WPScan
Download WPScan zipfile ‘wpscanteam-wpscan-2.9.1-58-g89c0b8d.zip’ from: https://wpscan.org/
Download here: wpscanteam-wpscan-2.9.1-58-g89c0b8d.zip
Unzip and run the installer
a) Install to C:\wpscan (for simplicity of navigating using the command prompt)
b) Unzip the sample data.zip file into the C:\wpscan directory to create C:\wpscan\data
c) Copy the libcurl.dll file from the cURL installation to the following directory C:\Ruby22\bin
Install Ruby Gems
It should now be possible to issue the following commands, to install components required by WPScan:
From the command prompt, cd to C:\wpscan and type the following instructions:
gem install bundler
gem install typhoeus
gem install rspec-its
gem install ruby-progressbar
gem install nokogiri
gem install terminal-table
gem install webmock
gem install simplecov
gem install rspec
gem install xml-simple
gem install yajl-ruby
gem install bundler && bundle install --without test
If you receive an error message about SSL when installing (and can’t fix it), then use the following command to add a non-SSL (plain HTTP) source, which downloads gems without TLS protection:
gem sources --add http://rubygems.org
Then try to add the gem packages above again.
Try to run WPScan…
Staying in the C:\wpscan folder:
a) Type ruby wpscan.rb at the command prompt
If you see the following error message, check that you have copied libcurl.dll to the C:\Ruby22\bin directory.
Download here: libcurl.dll
b) Once you have started WPScan successfully, you may be prompted to update the database. Select Y when asked.
If you see the following error message, there is a workaround – turning off SSL verification:
To fix this issue, I found and edited the db_updater.rb file located here: C:\wpscan\lib\common
Change the code as follows by editing the ssl_verifypeer parameter and setting it to false (with this set, the updater no longer verifies the server’s certificate when downloading the database):
It’s working when you see this:
Congratulations!
You can now use WPScan to analyse WordPress installations for vulnerabilities.
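A post-install check for this setup, as an added example that is not part of the original post or of WPScan: it confirms that libcurl.dll and the data directory are where the steps above put them, and reports whether the two TLS workarounds (the http://rubygems.org gem source and ssl_verifypeer set to false) are still in place. The function names are hypothetical; the paths are the ones used in this guide.

```ruby
# Added example (not WPScan code): post-install check for the setup in this guide.
# Function names are hypothetical; paths are the ones used in the steps above.

# Plain-HTTP entries in the text printed by `gem sources --list`.
def insecure_gem_sources(listing)
  listing.lines.map(&:strip).select { |l| l.start_with?('http://') }
end

# 1-based line numbers where Ruby source sets ssl_verifypeer to false.
# Comment stripping is crude: everything after the first '#' is ignored.
def verifypeer_disabled_lines(source)
  hits = []
  source.each_line.with_index(1) do |line, number|
    code = line.sub(/#.*/, '')
    hits << number if code =~ /ssl_verifypeer['"]?\s*(?::|=>)\s*false\b/
  end
  hits
end

# Returns a list of findings; an empty list means nothing was flagged.
def audit_install(wpscan_dir:, ruby_bin:, gem_sources_listing:)
  findings = []
  unless File.file?(File.join(ruby_bin, 'libcurl.dll'))
    findings << "libcurl.dll missing from #{ruby_bin}"
  end
  unless File.directory?(File.join(wpscan_dir, 'data'))
    findings << "data directory missing under #{wpscan_dir}"
  end
  insecure_gem_sources(gem_sources_listing).each do |src|
    findings << "gem source without TLS: #{src}"
  end
  Dir.glob(File.join(wpscan_dir, 'lib', '**', '*.rb')).sort.each do |path|
    verifypeer_disabled_lines(File.binread(path)).each do |number|
      findings << "certificate verification disabled: #{path}:#{number}"
    end
  end
  findings
end

# Runs only on Windows, where the paths from this guide exist.
if __FILE__ == $PROGRAM_NAME && Gem.win_platform?
  findings = audit_install(wpscan_dir: 'C:/wpscan', ruby_bin: 'C:/Ruby22/bin',
                           gem_sources_listing: `gem sources --list`)
  puts findings.empty? ? 'No findings.' : findings
end
```

Once the SSL errors are resolved, gem sources --remove http://rubygems.org drops the plain-HTTP source again.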