Web Hacking Notes (WordPress, Recon, and Tools)

Reconnaissance and Information Gathering

• Nikto
  • Scans web servers for known vulnerabilities, outdated software, and misconfigurations.
  • Useful early in recon to quickly identify obvious issues.
• Google Dorking (Google Hacking)
  • Uses advanced search operators to find sensitive data indexed by search engines.
  • Can expose:
    • Backup files (.sql, .txt, .xml)
    • Open directories
    • Misconfigured endpoints
  • Common operators:
    • inurl:wp-content/uploads
    • intitle:"index of"
• Shodan
  • Finds exposed servers, services, and devices.
  • Can reveal:
    • Open ports
    • Running services
    • Server banners

WordPress Overview

• WordPress
  • Widely used CMS.
  • Common attack surface:
    • Plugins
    • Themes
  • Vulnerabilities often come from outdated or poorly maintained extensions.
• Identifying WordPress sites:
  • inurl:wp-content/uploads
  • Directory listing via index of

WordPress Enumeration and Scanning

• WPScan
  • Enumerates users, plugins, and themes.
  • Detects known vulnerabilities.
  • Workflow:
    1. Run without API token for basic enumeration
    2. Run with API token for vulnerability database results
• Useful option:
  • -random-user-agent
    • Rotates user agents to reduce detection patterns.

Network and Directory Enumeration

• Nmap
  • Identifies:
    • Open ports
    • Services and versions
  • Helps confirm what is actually running on the target server.
• Dirb
  • Performs directory brute forcing.
  • Finds hidden directories and files that are not linked publicly.

Brute Forcing and Authentication

• WordPress XML-RPC:
  • If enabled, it can be used for authentication attempts.
  • It does not use the standard login page, so some protections may not apply.