Skip to main content

No project description provided

Project description

Wordpress Two-Factor Authentication Brute-forcer

Travis CI Requirements Status Python Versions

Features

This utility brute-forces two-factor protected Wordpress dashboards by iterating through every possible 6-digit Google Authenticator TOTP token.

WPBiff is meant to be used together with Main-in-the-Middle based attacks against NTP.

Supported Plugins

WPBiff is able to brute-force Wordpress login pages protected by the following two-factor authentication plugins:

Installing WPBiff

The latest package is available on PyPI

$ pip install wpbiff

Requirements

This utility runs on Python 2.6 and 2.7

Usage Instructions

In order to carry out successful attack against a two-factor protected Wordpress blog, you must satisfy the following two pre-requisites.

Pre-requisites

The first requirement is that you must have the login username and password to the Wordpress dashboard on /wp-admin. The credentials can be acquired by phishing, key logging or password reuse.

Secondly, you must be able to control the internal clock of the target server. I recommend Delorean to fixate the server time to a certain point. You must fixate an arbitrary date with the -d flag with Delorean and use the very same time stamp with WPBiff in parallel.

For more information on remote clock tampering, please refer to this blog entry (coming soon).

Options

The following section explains the basic usage of WPBiff. You can also use the -h switch any time to get help.

-d, --date DATE

Pinned date (Format: “YYYY-MM-DD hh:mm”) [required]

-u, --username USER

Wordpress username [required]

-p, --password PASS

Wordpress password [required]

-a, --user-agent

HTTP User-Agent header (default: Firefox)

-t, --token TOKEN

Initial value of token (default: 000000)

-m, --max-token TOKEN

Maximum token value (default: 999999)

Use the --plugin switch to choose between the Wordpress plugin type providing two-factor authentication for the target. Choose ga for Google Authenticator and wpga for WP Google Authenticator.

Examples

Assume NTP traffic can be intercepted between your target and the upstream NTP server. By tampering with this traffic, you can “pin” the target’s clock to a certain time and date.

Launch Delorean NTP server to serve a fixed time and date

$ ./delorean.py -d "2015-10-30 11:22"

Redirect NTP traffic from your target to the fake NTP server.

Finally launch WPBiff as the following

$ wpbiff -u admin -p admin -d "2015-10-30 11:22" --plugin ga "http://www.example.com"

This session will brute force Wordpress on www.example.com with the login username admin and password admin.

Once the process finishes, WPBiff dumps the valid token and the session cookies for accessing the Wordpress dashboard.

Contributors

Credits

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

wpbiff-0.1.0.tar.gz (8.1 kB view hashes)

Uploaded Source

Built Distribution

wpbiff-0.1.0-py2-none-any.whl (12.7 kB view hashes)

Uploaded Python 2

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page