
How to Use Metasploit's WMAP Module to Scan Web Applications for Common Vulnerabilities «Null Byte :: WonderHowTo



An efficient workflow is an integral part of every craft, and it's especially important when scanning applications for vulnerabilities. While Metasploit is considered the de facto standard for exploitation, it also includes modules for other activities, such as scanning. One example is WMAP, a web application scanner available from within the Metasploit framework.

A web application scanner is a tool for identifying vulnerabilities in web applications. WMAP makes it easy to keep a smooth workflow because it can be loaded and run while you are already working in Metasploit. This guide uses DVWA (Damn Vulnerable Web Application), here hosted on a Metasploitable 2 machine, as the target, with Kali Linux and Metasploit on the attacking side.

Step 1: Setting Up the Metasploit Database

The first thing we need to do, if it hasn't already been done, is set up the Metasploit database, since this plugin needs it to run. Metasploit uses a PostgreSQL database, which makes it extremely useful for tracking large amounts of information during a penetration test: scan results from other tools can be imported and exported, and discovered credentials, services, and other valuable data are stored there.

We can initiate the database with the command msfdb init in the terminal. This creates a default database and user to interact with Metasploit.

  msfdb init
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema

Next, make sure the PostgreSQL service is running with service postgresql start (msfdb init starts it as well, as the first line of its output shows, so this is only needed if it isn't already up).

  service postgresql start 

Now we can launch Metasploit by entering msfconsole.

  msfconsole 

Finally we can check with the command db_status if the database is loaded and working properly:

  msf> db_status
[*] postgresql connected to msf 

Step 2: Load WMAP

Loading the WMAP plugin is as easy as entering load wmap.

  msf> load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-----'`---'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

If we enter ? here to display Metasploit's help menu, the WMAP commands and their descriptions should appear at the top of the listing.

  msf> ?

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns

Step 3: Add Site to Scan

Entering any of these commands without arguments displays its available options. Let's start by managing the sites we want to scan with wmap_sites.

  msf> wmap_sites
[*] Usage: wmap_sites [options]
    -h        Display this help text
    -a [url]  Add site (vhost,url)
    -d [ids]  Delete sites (separate ids with space)
    -l        List all available sites
    -s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)

To add a site, use wmap_sites with the -a flag followed by the address of the website:

  msf> wmap_sites -a http://172.16.1.102
[*] Site created.

Now we can list the available sites using wmap_sites with the -l flag.

  msf> wmap_sites -l
[*] Available sites
===============

     Id  Host          Vhost         Port  Proto  # Pages  # Forms
     --  ----          -----         ----  -----  -------  -------
     0   172.16.1.102  172.16.1.102  80    http   0        0

Step 4: Specify the Target URL

Next, we need to set the specific target URL we want to scan using wmap_targets.

  msf> wmap_targets
[*] Usage: wmap_targets [options]
    -h         Display this help text
    -t [urls]  Define target sites (vhost1,url[space]vhost2,url)
    -d [ids]   Define target sites (id1, id2, id3 ...)
    -c         Clean target sites list
    -l         List all target sites

We can define the target using wmap_targets with the flag -t followed by the URL.

  msf> wmap_targets -t http://172.16.1.102/dvwa/index.php

Use wmap_targets with the flag -l to list the defined targets.

  msf> wmap_targets -l
[*] Defined targets
===============

     Id  Vhost         Host          Port  SSL    Path
     --  -----         ----          ----  ---    ----
     0   172.16.1.102  172.16.1.102  80    false  /dvwa/index.php

Everything should be set now; all that remains is to run the scanner.

Step 5: Run Scanner

Type wmap_run at the command prompt to view the options for this command

  msf> wmap_run
[*] Usage: wmap_run [options]
    -h                     Display this help text
    -t                     Show all enabled modules
    -m [regex]             Launch only modules that name match provided regex.
    -p [regex]             Only test path defined by regex.
    -e [/path/to/profile]  Launch profile modules against all matched targets.
                           (No profile file runs all enabled modules.)

We can use wmap_run with the flag -t to list all enabled modules before we scan the target.

  msf> wmap_run -t
[*] Testing target:
[*]     Site: 172.16.1.102 (172.16.1.102)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2018-09-20 10:23:26 -0500
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.

There are several categories of modules, including those for file/directory testing, query testing, web server testing, and SSL testing. Our target does not use SSL, so the SSL modules are disabled for this run. For a detailed description of a specific module, use the info command followed by the module's full path as listed. For example:

  msf> info auxiliary/scanner/http/http_version

       Name: HTTP Version Detection
     Module: auxiliary/scanner/http/http_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  THREADS  1                yes       The number of concurrent threads
  VHOST                     no        HTTP server virtual host

Description:
  Display version information about each system

Back to scanning. Start the scan with wmap_run -e, which runs every enabled module rather than a single one. Note that this includes active modules such as http_put and brute_dirs, which attempt writes and generate a large number of requests; against anything you don't fully own, use -m with a regex to restrict the run to specific modules. Depending on the target and the number of enabled modules, the scan may take some time. When it's done, WMAP reports how long it took.

  msf> wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 172.16.1.102 (172.16.1.102)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2018-09-20 10:24:33 -0500
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[+] 172.16.1.102:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.24 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal

...

=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Launch completed in 337.37769508361816 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
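To tie Steps 1 through 5 together into a single non-interactive run, here is an added example in Python; it is not code from the original Null Byte article or from the Metasploit project. It writes the same console commands into a Metasploit resource script, hands it to msfconsole -q -r, and spools the console output to a log file so the wmap_vulns -l listing survives after the console exits. The site is derived from the scheme and host of the target URL, exactly as in the steps above. The log path /tmp/wmap.log and the URL check are this example's own choices; it assumes msfconsole is on PATH and that msfdb init has already been run.

```python
#!/usr/bin/env python3
"""Drive Metasploit's WMAP plugin non-interactively through a resource script.

Added example, not from the original article or the Metasploit project.
Assumes msfconsole is on PATH and the database was initialised with `msfdb init`.
"""
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def validate_target(url: str) -> str:
    """Accept only absolute http(s) URLs with a host, as wmap_targets -t expects."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"target must be an absolute http(s) URL, got {url!r}")
    return url


def build_resource_script(target_url: str, spool_path: str) -> str:
    """Return the msfconsole resource script equivalent to Steps 1-6 above.

    The site is registered as scheme://host and the full URL becomes the
    target, mirroring `wmap_sites -a` and `wmap_targets -t` from the tutorial.
    """
    parts = urlsplit(validate_target(target_url))
    site = f"{parts.scheme}://{parts.netloc}"
    lines = [
        f"spool {spool_path}",            # keep a copy of everything printed
        "db_status",                      # Step 1: confirm the database is connected
        "load wmap",                      # Step 2: load the plugin
        f"wmap_sites -a {site}",          # Step 3: add the site
        "wmap_sites -l",
        f"wmap_targets -t {target_url}",  # Step 4: define the target
        "wmap_targets -l",
        "wmap_run -e",                    # Step 5: run all enabled modules
        "wmap_vulns -l",                  # Step 6: list what was recorded
        "spool off",
        "exit -y",                        # leave without the confirmation prompt
    ]
    return "\n".join(lines) + "\n"


def run_scan(target_url: str, spool_path: str) -> int:
    """Write the resource script to a temp file and execute it with msfconsole."""
    if shutil.which("msfconsole") is None:
        raise FileNotFoundError("msfconsole not found on PATH")
    with tempfile.NamedTemporaryFile("w", suffix=".rc", delete=False) as rc:
        rc.write(build_resource_script(target_url, spool_path))
        rc_path = rc.name
    try:
        # -q suppresses the banner, -r runs the resource script line by line
        return subprocess.call(["msfconsole", "-q", "-r", rc_path])
    finally:
        Path(rc_path).unlink(missing_ok=True)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} http://host/path")
    sys.exit(run_scan(sys.argv[1], "/tmp/wmap.log"))
```

Usage: python3 wmap_scan.py http://172.16.1.102/dvwa/index.php, then read /tmp/wmap.log. Generating the script rather than typing commands keeps the target definition in one place, which matters once you scan more than one host.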

Step 6: Interpret Results

Finally, we can enter the command wmap_vulns -l to view the results of the scan.

  msf> wmap_vulns -l
[*] + [172.16.1.102] (172.16.1.102): scraper /
[*]     scraper Scraper
[*]     GET Metasploitable2 - Linux
[*] + [172.16.1.102] (172.16.1.102): directory /dav/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /cgi-bin/
[*]     directory Directory found.
[*]     GET Res code: 403
[*] + [172.16.1.102] (172.16.1.102): directory /doc/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /icons/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /index/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /phpMyAdmin/
[*]     directory Directory found.
[*]     GET Res code: 200

...

We see that it has found some potentially interesting directories that are worth investigating further:

  • The /cgi-bin/ directory allows scripts to be run and console-like functions to be executed directly on the server. Here it answered 403, which confirms the directory exists but denies a listing.
  • The /phpMyAdmin/ directory hosts an open-source administration tool for MySQL databases, and it answered 200.
  • The /dav/ directory allows users to collaborate and perform web authoring activities remotely over WebDAV; the Apache/2.2.8 banner with DAV/2 reported by http_version during the run confirms the module is enabled, so it is worth checking which methods it accepts.

WMAP may not yield results as detailed as those of other web application vulnerability scanners, but this information is a useful starting point for exploring different types of attack. The fact that the scanner can be loaded and used directly from within Metasploit makes it a useful tool to know.
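On a larger site wmap_vulns -l produces a long flat listing, so the following added Python helper, which is not part of the original article or of the WMAP plugin, parses that output into one record per finding, pulls out the HTTP response code, and ranks the paths discussed above first, with reachable (200) directories ahead of 403s. SAMPLE is a constructed copy of the listing shown in Step 6, and the INTERESTING table with its notes is this example's own triage rule, not anything WMAP computes.

```python
#!/usr/bin/env python3
"""Parse `wmap_vulns -l` output into structured findings and rank them for triage.

Added example, not part of the original article or of the WMAP plugin. Run it on
a spooled console log; SAMPLE below is a constructed copy of the Step 6 listing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HEADER = re.compile(
    r"^\[\*\] \+ \[(?P<vhost>[^\]]+)\] \((?P<host>[^)]+)\): (?P<kind>\S+) (?P<path>\S+)$"
)
DETAIL = re.compile(r"^\[\*\]\s+(?P<text>.*\S)\s*$")
RES_CODE = re.compile(r"Res code: (\d{3})")

# Triage notes for the paths discussed above (this example's own rules, not WMAP's).
INTERESTING = {
    "/dav/": "WebDAV directory reachable; check which methods it permits",
    "/phpMyAdmin/": "database administration console exposed",
    "/cgi-bin/": "CGI directory present (listing denied)",
}

SAMPLE = """\
[*] + [172.16.1.102] (172.16.1.102): scraper /
[*]     scraper Scraper
[*]     GET Metasploitable2 - Linux
[*] + [172.16.1.102] (172.16.1.102): directory /dav/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /cgi-bin/
[*]     directory Directory found.
[*]     GET Res code: 403
[*] + [172.16.1.102] (172.16.1.102): directory /doc/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /icons/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /index/
[*]     directory Directory found.
[*]     GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /phpMyAdmin/
[*]     directory Directory found.
[*]     GET Res code: 200
"""


@dataclass
class Finding:
    vhost: str
    host: str
    kind: str  # "directory", "scraper", ... as printed by WMAP
    path: str
    details: list[str] = field(default_factory=list)

    @property
    def status(self) -> int | None:
        """HTTP response code from a 'Res code: NNN' detail line, if there is one."""
        for line in self.details:
            m = RES_CODE.search(line)
            if m:
                return int(m.group(1))
        return None


def parse_wmap_vulns(text: str) -> list[Finding]:
    """Group the flat listing into one Finding per '[*] + [vhost] (host): kind path' line."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            findings.append(Finding(**m.groupdict()))
            continue
        d = DETAIL.match(line)
        if d and findings:
            findings[-1].details.append(d.group("text"))
    return findings


def triage(findings: list[Finding]) -> list[tuple[str, str, int | None, str]]:
    """Return (path, kind, status, note) rows: noted paths first, 200s before 403s.

    A 403 still confirms the directory exists (as /cgi-bin/ above), so it is kept,
    just ranked below directories whose contents are actually reachable.
    """
    rows = [(f.path, f.kind, f.status, INTERESTING.get(f.path, "")) for f in findings]
    rows.sort(key=lambda r: (r[3] == "", r[2] != 200, r[0]))
    return rows


if __name__ == "__main__":
    for path, kind, status, note in triage(parse_wmap_vulns(SAMPLE)):
        print(f"{status or '---':>4}  {kind:<9} {path:<14} {note}")
```

Point it at the spooled console log instead of SAMPLE to triage a real run; the scraper entry carries the page title rather than a response code, so its status stays empty and it sorts last.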

Wrapping Up

Metasploit is a powerful tool that can be used not only for exploitation but also for its many other modules that can be loaded and run directly from the framework, making it an absolute powerhouse when it comes to penetration testing and ethical hacking.

In this tutorial, we learned how to quickly set up Metasploit's database and how to use the WMAP plugin to check a web application for vulnerabilities. This is just one of many incredibly useful modules available as part of the Metasploit framework, with more being written every day to satisfy the needs of white hats everywhere.

