Reputation: 37
I am trying to use the following nmap scripts, http-wordpress-enum.nse and http-wordpress-plugins.nse, to scan one WordPress website.
To access this WordPress website you have to go to the following link: http://192.168.0.1/wp/
I am having trouble running these nmap scripts against that host. When you do
nmap -p80 --script http-wordpress-plugins.nse 192.168.0.1
no result is returned, even though I know there is a plugin installed. Is that because the web address nmap scanned is http://192.168.0.1 rather than http://192.168.0.1/wp/? So nmap just sees there is no actual WordPress website there and terminates the scan? Does anyone have a suggestion how to fix this?
Thank you in advance
Upvotes: 0
Views: 2393
Reputation: 3163
You should use the http-wordpress-plugins.root script argument to specify your "/wp/" path. In your case, something like:
nmap -p80 --script http-wordpress-plugins.nse --script-args http-wordpress-plugins.root="/wp/" 192.168.0.1
Quoting the source code of the http-wordpress-plugins.nse script (/usr/share/nmap/scripts/http-wordpress-plugins.nse):
description = [[
Tries to obtain a list of installed WordPress plugins by brute force
testing for known plugins.
The script will brute force the /wp-content/plugins/ folder with a dictionary
of 14K (and counting) known WP plugins. Anything but a 404 means that a given
plugin directory probably exists, so the plugin probably also does.
The available plugins for Wordpress is huge and despite the efforts of Nmap to
parallelize the queries, a whole search could take an hour or so. That's why
the plugin list is sorted by popularity and by default the script will only
check the first 100 ones. Users can tweak this with an option (see below).
]]
---
-- @args http-wordpress-plugins.root If set, points to the blog root directory on the website. If not, the script will try to find a WP directory installation or fall back to root.
-- @args http-wordpress-plugins.search As the plugins list contains tens of thousand of plugins, this script will only search the 100 most popular ones by default.
-- Use this option with a number or "all" as an argument for a more comprehensive brute force.
--
-- @usage
-- nmap --script=http-wordpress-plugins --script-args http-wordpress-plugins.root="/blog/",http-wordpress-plugins.search=500 <targets>
--
-- @output
-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet
-- |   wp-db-backup
-- |   all-in-one-seo-pack
-- |   stats
-- |_  wp-to-twitter
Be warned, though, that nmap does its best using a mix of heuristic methods, known vulnerabilities and brute force. A negative result does not mean that "something is not there, 100% sure". It just means that "nmap could not find it", and it's possibly because the host is well protected (e.g. the service is wisely configured, firewall, IDS...).
Upvotes: 0
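Seen from the server side, the behaviour the quoted docstring describes (one client requesting `<root>/wp-content/plugins/<name>/` for a long list of names, most of which answer 404) leaves a distinctive footprint in the web server's access log. The script below is an added example, not part of the question, the answer, or Nmap itself: it parses combined-format access log lines, and flags any source IP that probes at least `threshold` distinct plugin directories within `window`, reporting how many probes were 404s and which plugin names answered with something else (the ones the scanner would list). The sample log lines, the IP addresses, the plugin names other than the two quoted from the answer's output, and the threshold and window values are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The directory the NSE script enumerates, under whatever blog root is in use.
PLUGIN_PATH_RE = re.compile(r'/wp-content/plugins/(?P<plugin>[^/?]+)')


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    pm = PLUGIN_PATH_RE.search(m.group("path"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "plugin": pm.group("plugin") if pm else None,
    }


def _burst(evs, threshold, window):
    """True if any time window of length `window` holds >= threshold distinct plugin names."""
    start = 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1
        if len({plugin for _, plugin, _ in evs[start:end + 1]}) >= threshold:
            return True
    return False


def detect_plugin_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: {"probes": n, "misses": n404, "hits": [plugin, ...]}} for every
    source IP that probed `threshold` or more distinct plugin directories within `window`.
    threshold/window are assumed tuning values, not values from the original page."""
    events = defaultdict(list)  # ip -> [(time, plugin, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["plugin"]:
            events[rec["ip"]].append((rec["time"], rec["plugin"], rec["status"]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        if not _burst(evs, threshold, window):
            continue
        probed = {plugin for _, plugin, _ in evs}
        misses = sum(1 for _, _, status in evs if status == 404)
        # Anything but 404 is what the NSE script treats as "plugin probably exists".
        hits = sorted({plugin for _, plugin, status in evs if status != 404})
        alerts[ip] = {"probes": len(probed), "misses": misses, "hits": hits}
    return alerts


# Constructed plugin list: 23 placeholder names plus the two real ones quoted above.
PLUGIN_NAMES = [f"plugin-{i:02d}" for i in range(23)] + ["akismet", "wp-db-backup"]
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: a 25-plugin probe burst from 203.0.113.10 (one request per
    second, two non-404 answers) plus ordinary visitor traffic from 198.51.100.7."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i, name in enumerate(PLUGIN_NAMES):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = {"akismet": 200, "wp-db-backup": 403}.get(name, 404)
        lines.append(
            f'203.0.113.10 - - [{ts}] "GET /wp/wp-content/plugins/{name}/ HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0 (compatible; scanner)"'
        )
    ts = base.strftime(TS_FMT)
    lines.append(f'198.51.100.7 - - [{ts}] "GET /wp/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    # A normal page load also touches one plugin path, which must not trigger an alert.
    lines.append(
        f'198.51.100.7 - - [{ts}] "GET /wp/wp-content/plugins/akismet/_inc/akismet.css HTTP/1.1" '
        f'200 812 "http://192.168.0.1/wp/" "Mozilla/5.0"'
    )
    return lines


if __name__ == "__main__":
    for ip, info in detect_plugin_bruteforce(build_sample_log()).items():
        print(f"{ip}: probed {info['probes']} plugins, {info['misses']} x 404, "
              f"responded for: {', '.join(info['hits']) or 'none'}")
```

The detector keys on distinct plugin names rather than raw request counts, so a busy legitimate page (which loads assets from a handful of plugin directories repeatedly) stays well under the threshold, while an enumeration run, which by the docstring's own description touches at least 100 different directories, trips it in seconds. The `hits` list is the defender's mirror of the scanner's output: those are the directories a scanner would have reported as present.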