Having an efficient workflow is an integral part of any craft, but it's especially important when it comes to probing apps for vulnerabilities. While Metasploit is considered the de facto standard when it comes to exploitation, it also contains modules for other activities, such as scanning. Case in point, WMAP, a web application scanner available for use from within the Metasploit framework.
A web application scanner is a tool used to identify vulnerabilities that are present in web applications. WMAP makes it easy to retain a smooth workflow since it can be loaded and run while working inside Metasploit. This guide will feature DVWA (Damn Vulnerable Web Application) as the target and Kali Linux and Metasploit on the offensive.
Step 1: Set Up Metasploit Database
The first thing we need to do, if it's not done already, is set up the Metasploit database, since this particular module needs it in order to run. Metasploit utilizes a PostgreSQL database system, making it extremely useful to keep track of large amounts of information when conducting penetration tests. This allows for the import and export of scan results from other tools, as well as storage of discovered credentials, services, and other valuable data.
We can initialize the database with the msfdb init command in the terminal. This will create a default database and user for Metasploit to interact with.
msfdb init
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
Next, start the PostgreSQL service with service postgresql start.
service postgresql start
Now we can fire up Metasploit by typing msfconsole.
msfconsole
Finally, we can check that database is loaded and working properly by using the db_status command:
msf > db_status
[*] postgresql connected to msf
Step 2: Load WMAP
It's easy to load the WMAP module with the load wmap command.
msf > load wmap
.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
From here, if we type ? to display Metasploit's help menu, we should see the commands for WMAP and their descriptions at the top of the menu.
msf > ?
wmap Commands
=============
Command Description
------- -----------
wmap_modules Manage wmap modules
wmap_nodes Manage nodes
wmap_run Test targets
wmap_sites Manage sites
wmap_targets Manage targets
wmap_vulns Display web vulns
Step 3: Add Site to Scan
Type any of the commands to display their available options; Let's start by managing sites we wish to scan using wmap_sites.
msf > wmap_sites
[*] Usage: wmap_sites [options]
-h Display this help text
-a [url] Add site (vhost,url)
-d [ids] Delete sites (separate ids with space)
-l List all available sites
-s [id] Display site structure (vhost,url|ids) (level) (unicode output true/false)
To add a site, use wmap_sites with the -a flag followed by the site address.
msf > wmap_sites -a http://172.16.1.102
[*] Site created.
Now we can list the available sites using wmap_sites with the -l flag.
msf > wmap_sites -l
[*] Available sites
===============
Id Host Vhost Port Proto # Pages # Forms
-- ---- ----- ---- ----- ------- -------
0 172.16.1.102 172.16.1.102 80 http 0 0
Step 4: Specify Target URL
Next, we need to set the specific target URL we want to scan using wmap_targets.
msf > wmap_targets
[*] Usage: wmap_targets [options]
-h Display this help text
-t [urls] Define target sites (vhost1,url[space]vhost2,url)
-d [ids] Define target sites (id1, id2, id3 ...)
-c Clean target sites list
-l List all target sites
We can define the target using wmap_targets with the -t flag, followed by the URL.
msf > wmap_targets -t http://172.16.1.102/dvwa/index.php
And use wmap_targets with the -l flag to list the defined targets.
msf > wmap_targets -l
[*] Defined targets
===============
Id Vhost Host Port SSL Path
-- ----- ---- ---- --- ----
0 172.16.1.102 172.16.1.102 80 false /dvwa/index.php
We should be good to go at this point, so the only thing left to do is to actually run the scanner.
Step 5: Run Scanner
Type wmap_run at the prompt to view the options for this command.
msf > wmap_run
[*] Usage: wmap_run [options]
-h Display this help text
-t Show all enabled modules
-m [regex] Launch only modules that name match provided regex.
-p [regex] Only test path defined by regex.
-e [/path/to/profile] Launch profile modules against all matched targets.
(No profile file runs all enabled modules.)
We can use wmap_run with the -t flag to list all the enabled modules before we scan the target.
msf > wmap_run -t
[*] Testing target:
[*] Site: 172.16.1.102 (172.16.1.102)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2018-09-20 10:23:26 -0500
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.
There are a few different categories of modules including ones for directory testing, query testing, web server testing, and SSL testing, although we can see that our target doesn't employ SSL, so these modules are disabled. To get a detailed description of any given module, use the info command followed by the full path of the module that's listed. For example:
msf > info auxiliary/scanner/http/http_version
Name: HTTP Version Detection
Module: auxiliary/scanner/http/http_version
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <x@hdm.io>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
Description:
Display version information about each system.
Back to scanning. Let's begin the scan by using wmap_run with the -e flag, which will run all of the modules instead of just a specified one. Depending on the target site and the number of enabled modules, the scan can take quite some time to finish. Once it's done, the scan will show how long it took to complete.
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] Site: 172.16.1.102 (172.16.1.102)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2018-09-20 10:24:33 -0500
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[+] 172.16.1.102:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.24 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
...
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 337.37769508361816 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
Step 6: Interpret Results
Finally, we can type the wmap_vulns -l command to display the results of the scan.
msf > wmap_vulns -l
[*] + [172.16.1.102] (172.16.1.102): scraper /
[*] scraper Scraper
[*] GET Metasploitable2 - Linux
[*] + [172.16.1.102] (172.16.1.102): directory /dav/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /cgi-bin/
[*] directory Directoy found.
[*] GET Res code: 403
[*] + [172.16.1.102] (172.16.1.102): directory /doc/
[*] directory Directoy found.
[*] GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /icons/
[*] directory Directoy found.
[*] GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /index/
[*] directory Directoy found.
[*] GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /phpMyAdmin/
[*] directory Directoy found.
[*] GET Res code: 200
...
We can see it found some potentially interesting directories that could be worth investigating further:
- The /cgi-bin/ directory allows scripts to be executed and perform console-like functions directly on the server.
- The /phpMyAdmin/ directory is an open-source administration tool for MySQL database systems.
- The /dav/ directory allows users to collaborate and perform web authoring activities remotely.
WMAP might not return as detailed results as other web application vulnerability scanners, but this information can be a useful jumping off point to explore different avenues of attack. The fact that this scanner can be easily loaded and utilized from within the Metasploit Framework makes it a useful tool to know how to use.
Wrapping Up
Metasploit is a powerful tool which can not only be used for exploitation but also features tons of other modules that can be loaded and ran from directly within the framework, making it an absolute powerhouse when it comes to penetration testing and ethical hacking.
In this tutorial, we learned how to quickly get Metasploit's database system up and running, as well as how to use the WMAP plugin to scan a web application for vulnerabilities. This is just one of many incredibly useful modules available as part of the Metasploit Framework, with more being written each day to satisfy the needs of white hats everywhere.
- Follow Null Byte on Twitter, Flipboard, and YouTube
- Sign up for Null Byte's weekly newsletter
- Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard
Cover image by TBIT/Pixabay; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!