No two penetration testing engagements are the same. Each one requires some readjustment of how you approach the target compared to the previous one.
I have encountered many web applications that use WordPress as their CMS. WordPress is a very good CMS, but it has security drawbacks that cybercriminals try to exploit, and one of the major ones is that, if it is not properly configured, it allows user enumeration.
There are two approaches an attacker can take when enumerating usernames on a WordPress site:
Manual enumeration
Use of tools like CMS Scan and WPScan
Many attackers prefer tools because of the time they save. But tools like WPScan have their drawbacks, such as being flagged by web applications protected by a properly configured WAF.
Because of this, I created press-enum, which enumerates usernames using several methods:
Through the REST API
Through the author archive
Through the feeds
Through the sitemap XML
The problem I am trying to solve is that WPScan, the most widely used tool for enumerating WordPress, can be blocked by a properly configured firewall. That can lead to the false assumption that the CMS is not vulnerable when in fact it is; the firewall is simply dropping the tool's traffic before it reaches the target web application.
The user is prompted for the URL of the target web application. The URL is then passed to the different REST API endpoints to enumerate users. Next, the tool enumerates users through the author archive. Then it checks whether any feeds are available on the site and, if so, looks for usernames in the feed. Finally, the tool tries to access the sitemap XML; if it is accessible, it follows the author paths and collects the usernames from them.
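To make the four sources concrete, the following script is an added example written for this post; it is not press-enum's own code. Each extractor takes a response body (or header block) as its argument and prints one candidate username per line, so the parsing can be exercised offline against the constructed sample responses embedded in the script. The endpoint paths in the comments (/wp-json/wp/v2/users, /?author=1, /feed/, /wp-sitemap-users-1.xml) are standard WordPress defaults and are my assumption about what such a tool would request, not a description of press-enum's internals; the sample responses and the example.com URLs are constructed, not captured from a real site.

```shell
#!/usr/bin/env bash
# Added example, not press-enum's code: one extractor per enumeration source,
# exercised here against constructed sample responses so it runs offline.

# --- constructed sample responses (not from a real target) -------------------
# GET /wp-json/wp/v2/users  (the same data is served by /?rest_route=/wp/v2/users)
SAMPLE_REST='[{"id":1,"name":"Site Admin","slug":"admin","link":"https://example.com/author/admin/"},{"id":2,"name":"Jane Doe","slug":"jane","link":"https://example.com/author/jane/"}]'
# HEAD /?author=1 -> redirect to the author archive
SAMPLE_AUTHOR_HEADERS="$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/author/admin/\r\nContent-Type: text/html; charset=UTF-8\r\n')"
# GET /feed/
SAMPLE_FEED='<rss><channel><item><dc:creator><![CDATA[admin]]></dc:creator></item><item><dc:creator><![CDATA[jane]]></dc:creator></item><item><dc:creator><![CDATA[admin]]></dc:creator></item></channel></rss>'
# GET /wp-sitemap-users-1.xml
SAMPLE_SITEMAP='<urlset><url><loc>https://example.com/author/admin/</loc></url><url><loc>https://example.com/author/editor-bob/</loc></url><url><loc>https://example.com/about/</loc></url></urlset>'

# REST API: "slug" is the user's nicename, which equals the login name unless
# the site changed it. grep -o exits 1 on no match, so guard it with || true.
users_from_rest() {
  { printf '%s' "$1" | grep -o '"slug":"[^"]*"' || true; } | sed 's/^"slug":"\(.*\)"$/\1/'
}

# Author archive: /?author=N answers with a Location header pointing at
# /author/<slug>/ when that author exists. Takes the raw header block.
user_from_author_redirect() {
  printf '%s' "$1" | tr -d '\r' | sed -n 's#^[Ll]ocation: .*/author/\([^/]*\)/.*$#\1#p'
}

# Feeds: each RSS item names its author in <dc:creator>. sort -u collapses
# repeats; an empty body (a site without feeds) produces no output at all.
users_from_feed() {
  { printf '%s' "$1" | grep -o '<dc:creator><!\[CDATA\[[^]]*]]>' || true; } \
    | sed 's/^<dc:creator><!\[CDATA\[\(.*\)]]>$/\1/' | sort -u
}

# Sitemap: the users sitemap lists author archive URLs. Keep only <loc>
# entries under /author/ and return the slug segment.
users_from_sitemap() {
  { printf '%s' "$1" | grep -o '<loc>[^<]*</loc>' || true; } \
    | sed -n 's#^<loc>.*/author/\([^/<]*\)/</loc>$#\1#p' | sort -u
}

# Union of all four sources, deduplicated. Arguments: REST body, author-redirect
# headers, feed body, sitemap body (any may be empty).
enumerate_all() {
  {
    users_from_rest "$1"
    user_from_author_redirect "$2"
    users_from_feed "$3"
    users_from_sitemap "$4"
  } | sort -u
}

# Live use (not exercised in this offline run): fetch each source with a
# browser-like User-Agent, because WAF rules often key on scanner UA strings.
# Only author ID 1 is probed here; a real run would iterate IDs.
UA="Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
fetch_body()    { curl -s -A "$UA" "$1"; }
fetch_headers() { curl -s -I -A "$UA" "$1"; }   # no -L: we want the Location header
press_enum_live() {   # $1 = base URL, e.g. https://example.com
  base="${1%/}"
  enumerate_all \
    "$(fetch_body "$base/wp-json/wp/v2/users")" \
    "$(fetch_headers "$base/?author=1")" \
    "$(fetch_body "$base/feed/")" \
    "$(fetch_body "$base/wp-sitemap-users-1.xml")"
}

# Offline demo against the constructed samples.
enumerate_all "$SAMPLE_REST" "$SAMPLE_AUTHOR_HEADERS" "$SAMPLE_FEED" "$SAMPLE_SITEMAP"
```

Two caveats worth keeping in mind when reading the output. First, every source except the REST API's "name" field yields the user nicename (slug), which is the login name on a default install but can be changed, so the list is of candidates to verify, not confirmed logins. Second, swapping the User-Agent only helps against WAF rules that match on scanner UA strings; a rule set that watches for requests to /wp-json/wp/v2/users or sequential /?author=N probes will still see this traffic.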
PROOF OF CONCEPT
Before running the tool, install figlet with “apt-get install figlet”. Then, if the script is not already executable, make it so with “chmod +x press-enum.sh”. Once that is done, run the tool and you will be asked to enter the URL of the website you want to scan.
The tool starts scanning for usernames using the first REST API endpoint, as shown below.
Then it enumerates usernames again through the second REST API endpoint.
Then the tool enumerates usernames through the author archive, the feeds and finally the sitemap XML. In this PoC, user enumeration via the feeds returns nothing because the site has no feed.