A brute force attack is a “trial and error” approach. There’s a list of high-probability passwords, and you try each one.
This type of technique is used in hacking, but it’s also used in penetration testing. In other words, it’s used to check the security of your own site.
Therefore, using it to check the security of your own site is fine, but using it on other sites may have legal issues, so absolutely do not do it.
This time, we’ll try using it to identify passwords on WordPress sites.
Identifying Usernames
First, you need to identify usernames. However, this is very simple.
wpscan -u sorerori.com —enumerate u
With just this command, usernames will be output in a list.
Identifying Passwords
Once you know the username, identify the password that has a hash relationship with it. This is where brute force attacks come in.
wpscan -u sorerori.com —username hoge —wordlist ~/dev.txt
If you wait a while after running this command, it will return the password if there is one, or blank if there isn’t.
■ Brute force attacks put a load on the server. Avoid doing it excessively.
The method in this article was referenced from: https://www.youtube.com/watch?v=9tLUbsdNX88