How to Install WPScan on Windows

May 25, 2021
Security Hacking WPScan

What is WPScan?

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. If you want to know more about WPScan, check out our blog post WPScan - Vulnerability Scanner for WordPress Powered Sites.

Step 1: Install Ruby

To install WPScan on Windows, you need first install Ruby on your machine.

Navigate to > https://rubyinstaller.org/downloads/ and select Ruby+Devkit (x64) (if you don't know which version you need). It provides the largest number of compatible gem (Ruby packages) and installs MSYS2-Devkit along with Ruby, so gem with C-extensions can be compiled immediately after installation.

Install WPScan

First, open Windows PowerShell and search WPScan among the gem packages:

gem search wpscan

WPScan powershell windows

Found WPScan (3.8.17) package, which is the latest version of WPScan. Now you can install WPScan, just type:

gem install wpscan

Now you need to update the WPScan database with information about plugins and WordPress themes:

wpscan --update --disable-tls-checks

If you get error “Could not open library 'libcurl.dll', 'libcurl.so.4', 'libcurl.so.4.dll'”, you need to download latest curl version for windows. https://curl.se/download.html#Win64.

After you have downloaded curl, check the bin folder, and find the file libcurl-x64.dll, unzip it and rename it to libcurl.dll. Move that file to the bin folder where you installed Ruby. Example: C:\Ruby26\bin\

How to Use WPScan

Open Windows PowerShell and run this command:

wpscan --url https://YOUR-SITE-DOMAIN.COM --random-user-agent --disable-tls-checks

WPScan Does Not Show Vulnerabilities

WPScan only shows versions of WordPress, plugins, themes and some extra information, but does not display vulnerabilities. Go to https://wpscan.com/register and signup so you can get free token yourself.

Then add the --api-token to the previous command:


wpscan --url https://YOUR-SITE-DOMAIN.COM --random-user-agent --disable-tls-checks --api-token API_KEY

If you like this blog post and it was useful to you, please follow us on Twitter and Facebook.


Related articles

Sources:

Post a Comment

0 Comments