wpUsers.sh: Countering Disinformation With a Simple Bash Script

by Greg "Dial Tone" Norcie  (gnorcie@protonmail.ch)

As I sit down to type up this article, it's Election Day here in the so-called "Paris of Appalachia" and once again I'm sitting in the back corner of the same combination coffee shop and bookstore abusing the Wi-Fi like it owes me money.

Anyways... disinformation.  We've all been there.  Someone... possibly a PAC funded with untraceable dark money... possibly literally the KGB or whatever has stood up some weird ass website causing trouble in the neighborhood - these sites can be about anything but, most commonly, they focus on health and politics: China COVID-19 denial, spreading rumors about candidates, or just spewing straight up cuckoo for Cocoa Puffs word salad.

These dastardly disinformation agents have not heard about the joys of static sites, and tend to favor WordPress.  Due to the rise of WHOIS privacy, it can be difficult to figure out who created a given site... or at least, that used to be the case.

One of the techniques we learned about when I was taking a Bellingcat certification to cover up a resumé gap was to navigate to /wp-json/wp/v2/users, where a JSON document that is very hard to parse by eye contains a list of the site's users.

This list of users can then be compared with other WordPress sites and other OSINT sources (LinkedIn, personal websites, obscure comedy forums, etc.) to figure out who created the website.

This is a tedious, manual process - if you want to speed up that process, run the following code on pretty much any Linux-y system to spit out a clean list of usernames:

#!/bin/bash
#
# Check that a domain was given, then list out the users if the
# WordPress install is leaking them through its REST API.
if [ -n "$1" ]
  then
    # curl -s keeps curl quiet; jq -r '.[].name' pulls the display name
    # out of every user object and prints it raw (no quotes), so no
    # grep/cut pipeline is needed.
    curl -s "https://$1/wp-json/wp/v2/users" | jq -r '.[].name'
  else
    echo "Enter a domain (ex: wordpress.org) next time buddy!"
    echo "(No www, no https, no trailing slash)"
fi

$ ./wpScan.sh wordpress.org
Adam Wood
Joen Asmussen
Kelly Choyce-Dwan
Pablo Postigo
WordPress.org

Since jq, the tool that does the heavy lifting of parsing the JSON, is open-source...  I hereby release wpScan.sh into the public domain.

If you're a researcher who was previously manually eyeballing JSONs, this will greatly speed up your analysis, and if you know a bit of programming I'm sure you can think of ways to expand on this technique to automate scans of multiple sites... but hey, I'm not your personal army, I'm just one guy, so this is the best I can do for now.  (There's also no error handling - I'll leave it to the reader to figure out how you know a website is running WordPress.)
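For site owners who would rather not be on the receiving end of this, here is the other side of the coin: a small WordPress plugin (added here as an example, not part of the article or the wpScan.sh tool) that uses the real rest_endpoints filter to drop the /wp/v2/users routes for anonymous requests, so the user list only exists for logged-in sessions. The plugin name and file placement are my own choices.

```php
<?php
/**
 * Plugin Name: Hide REST user list from anonymous visitors
 *
 * Added example, not from the article: removes the /wp/v2/users routes
 * from the REST API for requests that carry no logged-in session, so the
 * user list that wpScan.sh reads is no longer served to anonymous visitors.
 * Drop this file into wp-content/mu-plugins/ (loads automatically) or into
 * wp-content/plugins/ and activate it.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Logged-in users (e.g. the block editor looking up authors) keep
    // access; is_user_logged_in() is already resolved when this filter runs.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Remove both the collection route and the single-user route. A request
    // via /?rest_route=/wp/v2/users resolves to the same routes, so it is
    // covered as well.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

After enabling it, running the article's script against your own domain should print nothing, and the raw curl request should come back with a 404 `rest_no_route` error instead of a user list.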

Also: I'm not a lawyer (just a guy who's coauthored a few law review articles, lectured at Stanford, and worked at a prominent NGO), but it's my understanding that making a single Curl request of a publicly facing WordPress website is not illegal.  But as always - you alone are responsible for what you do with The Computer - I'd recommend only using this tool on systems you have the authority or the legal right to scan - the latter is where it gets gray and I am not responsible for how you use The Tool.

Big thanks to 2600, the Binary Revolution forums that formed me in my teens, Sean "Vile Rat" Smith (RIP), Dan Kaminsky (RIP), Kelly "Aloria" Lum (RIP), and all the others who have helped me in my hacker journey.  Slava Ukraini and Glory to Hong Kong - go forth, young hackers and document your reality, never forgetting that in a land like America where truth is an absolute defense against libel, the most powerful propaganda is the selective telling of truths.

Code: wpScan.sh
