The next stage of the Web Enumeration room was to work through an enumeration of a website using WPScan, a scanner specifically designed to scan WordPress sites.
This one was really interesting to me, as I have used WordPress a lot over the years, so I was fascinated to see how this scan works and what information it was able to provide. I’d been the victim of an SQL injection attack on a WordPress site a few years ago, and looking through this tool gave me an idea of how the attacker found out which vulnerabilities they could target.
I also found out how easy it is to attempt a password brute-force with this tool, which was pretty scary, although, as with most of these attacks, it did take some time.
I also tried out WPScan on my own domains and it worked just as well. Now if I knew how to use exploits I would be really dangerous! Alas, there is a lot more to do and a lot more to learn before I would have any realistic chance of being able to hack anything.
Again though, my knowledge is increasing and I am enjoying this learning experience.