Plecost tutorial

This is a basic plecost tutorial. Plecost is a commandline utility that will scan your wordpress host and identify lots of information leaks that could potentially help crackers breaking in to your site.

There is some information at iniqua labs, but its a little difficult to get to grips with.

Here is a dump of the help:

// Plecost - WordPress finger printer Tool (with threads support) 0.2.2-9-beta
// Developed by:
//        Francisco Jesus Gomez aka (
//        Daniel Garcia Garcia (
// Info:
// Bug report:
Usage: /usr/bin/plecost [options] [ URL | [-l num] -G]

Google search options:
    -l num    : Limit number of results for each plugin in google.
    -G        : Google search mode
    -n        : Number of plugins to use (Default all - more than 7000).
    -c        : Check plugins only with CVE associated.
    -R file   : Reload plugin list. Use -n option to control the size (This take several minutes)
    -o file   : Output file. (Default "output.txt")
    -i file   : Input plugin list. (Need to start the program)
    -s time   : Min sleep time between two probes. Time in seconds. (Default 10)
    -M time   : Max sleep time between two probes. Time in seconds. (Default 20)
    -t num    : Number of threads. (Default 1)
    -h        : Display help. (More info: 


  * Reload first 5 plugins list:
    	plecost -R plugins.txt -n 5
  * Search vulnerable sites for first 5 plugins:
        plecost -n 5 -G -i plugins.txt
  * Search plugins with 20 threads, sleep time between 12 and 30 seconds for
        plecost -i plugin_list.txt -s 12 -M 30 -t 20 -o results.txt   

Plecost is a little strange: you MUST specify a plugin file (a list of plugins for plecost to scan). Plecost has to scan the wordpress plugins directory and generate a file to use during the actual scanning process. To generate the plugin list you have to run:

plecost -R ~/name_of_file_to_store_plugin_list.txt

This will take a while (I have been running the plugin list generation since I started making this tutorial, and it still hasn’t finished yet). if you use -n X you can limit the number of plugins that plecost will scan for (eg -n 50).

Luckily Kali linux comes with one already

plecost -n 50 -c -i /usr/share/plecost/wp_plugin_list.txt

Leave a Reply