https://github.com/trixsec/brute-xmlrpc

A multi-threaded brute force tool for WordPress websites leveraging the `xmlrpc.php` and WP JSON API to identify valid credentials. This tool supports custom username and password lists, and provides real-time feedback on progress.
https://github.com/trixsec/brute-xmlrpc

brute-force cracking-password wordpress wp-bruteforce xmlrpc-bruteforcer

Last synced: 15 days ago
JSON representation

A multi-threaded brute force tool for WordPress websites leveraging the `xmlrpc.php` and WP JSON API to identify valid credentials. This tool supports custom username and password lists, and provides real-time feedback on progress.

• Host: GitHub
• URL: https://github.com/trixsec/brute-xmlrpc
• Owner: TrixSec
• License: gpl-3.0
• Created: 2025-01-21T04:15:58.000Z (15 days ago)
• Default Branch: main
• Last Pushed: 2025-01-21T04:45:10.000Z (15 days ago)
• Last Synced: 2025-01-21T05:25:13.607Z (15 days ago)
• Topics: brute-force, cracking-password, wordpress, wp-bruteforce, xmlrpc-bruteforcer
• Language: Python
• Homepage:
• Size: 108 KB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
## Author

**Author**: Trix Cyrus  

**Copyright**: © 2025 Trixsec Org   

**Maintained**: Yes 

## Overview

**Brute-XMLRPC** is a Python-based tool designed to perform brute force attacks on WordPress sites through the `xmlrpc.php` endpoint. It can also enumerate users via the WordPress JSON API to enhance the attack surface.

## Features

- **Multi-threaded Brute Force**: Perform brute force attacks using multiple threads for efficiency.

- **IP Spoofing**: Generate random IP addresses for headers like `X-Forwarded-For` and `X-Real-IP` to enhance anonymity.

- **Custom Headers**: Use a variety of headers to mimic real-world browser requests.

- **User Enumeration**: Retrieve user information from the WordPress JSON API.

- **Interactive Input**: Easy-to-use prompts for user input and configuration.

- **Progress Display**: Real-time display of brute force attempts and progress.

## Requirements

- Python 3.x

- Required Python packages:

  - `requests`

  - `colorama`

  - `termcolor`

  - `concurrent.futures`

You can install the required packages using the following command:

```bash

pip install requests colorama termcolor

```

## Installation

1. Clone the repository:

    ```bash

    git clone https://github.com/TrixSec/Brute-XMLRPC.git

    cd Brute-XMLRPC

    ```

## Usage

1. Run the script:

    ```bash

    python brutecxmlrpc.py

    ```

2. Follow the prompts to:

   - Enter the target WordPress site URL.

   - Check for `xmlrpc.php` availability.

   - Choose to enumerate users via the WordPress JSON API.

   - Provide usernames and passwords manually or via files.

   - Set the number of threads for the brute force attack.

## Disclaimer

This tool is intended for educational purposes only. Unauthorized use of this tool to compromise or damage systems is illegal and unethical. The developers are not responsible for any misuse or damage caused by this tool.

**Repository Views** ![Views](https://profile-counter.glitch.me/Brutexmlrpc/count.svg)