"Your WordPress site's best friend" - Nobody.
- Automatically enumerates WordPress usernames
- Scrapes email addresses
- Support for dynamic, site-specific values in passwords
- Checks email account credentials for performing password reset attack
- Multithreded
Requires python 3.9 or later.
Install with pip:
pip install wordsmash
Install from GitHub:
pip install git+https://github.com/TheArchivist01/wordsmash.git
--wordlist: List of sites to attempt accessing
--site-list: List of sites to attempt accessing
--dynamic-wordlist: Enable dynamic placeholder values in wordlist
--persist: Continue trying to find additional logins for a site after login success
--threads: Maximum number of sites to check in parallel
The dynamic wordlist feature allows you to use placeholder values in the wordlist. Currently a password can contain {username} or {domain}.
Example: Logging into examplesite.com as "admin"
{username}123 -> admin123
{domain}pass -> examplesitepass
{username}@{domain} -> admin@examplesite
@ph03n1x69 for helping with the wordpress login test.
WordSmasher is intended to be used for educational and research purposes.
The Archivist and other contributors are not responsible for damages caused by the use of this tool.
See the LICENSE file for more details.