WordPress Brute Force Tool

Following on from my previous post Patching WordPress Username Disclosure I got bored over the weekend and decided to implement Veronica Valeros's username disclosure technique into a WordPress password brute force tool.

It is nothing revolutionary or difficult to code, but it may come in handy one day on a pentest or web application assessment, mainly to automate the process.

Currently you can use the tool in 3 different ways.

Only the '--url' option:
Enumerate wordpress usernames.

The '--wordlist' option:
Enumerate wordpress usernames.
Start a dictionary attack on all usernames enumerated.

The '--username' option:
Specify a single username to start the dictionary attack on.

I won't be releasing the tool, not yet anyway, I may release it in future.

Here is a video of it in action:


The video of my tool seems to have raised lots of interest and questions.

Please understand that I think this this tool is quite trivial to code and I am very surprised that it got so much attention.

One question that was raised more than once, was, why did I not release the code?!

The reason I did not release it is because I was considering the ethicality of such a tool being released. I first wanted to guage the interest in such a tool and if interest was positive, expand the tool further.

I will go into further detail as the code base expands. I can confirm that I will be releasing the code as part of a bigger project called WPScan.