WMAP is a feature-rich web vulnerability scanner that was originally created from a tool named SQLMap. This tool is integrated with Metasploit and allows us to conduct webapp scanning from within the Framework. We begin by first creating a new database to store our scan results in, loading the "wmap" plugin, and running "help" to see what new commands are available to us.
msf > db_connect -y /opt/framework/config/database.yml
Alternatively, if a database is already connected, you can check it with:
msf > db_status
[*] postgresql connected to msf3dev
msf > load wmap
[*] [WMAP 1.0] === et [ ] metasploit.com 2011
[*] Successfully loaded plugin: wmap
msf > help
Wmap Commands
=============
Command Description
------- -----------
wmap_run Test targets
wmap_sites Manage sites
wmap_targets Manage targets
...snip...
Prior to running a scan, we first need to add a new target URL by passing the "-a" switch to "wmap_sites". Afterwards, running "wmap_sites -l" will print out the available targets.
msf > wmap_sites -h
[*] Usage: wmap_targets [options]
-h Display this help text
-a [url] Add site (vhost,url)
-l List all available sites
-s [urls] (level) Display site structure (vhost,url)
msf > wmap_sites -a http://192.168.1.100
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============
Id Host Vhost Port # Pages # Forms
-- ---- ----- ---- ------- -------
0 192.168.1.100 192.168.1.100 80 0 0
msf >
Next, we add the site as a target with "wmap_targets".
msf > wmap_targets -t http://192.168.1.100
Using the "wmap_run" command will scan the target system.
msf > wmap_run -h
[*] Usage: wmap_run [options]
-h Display this help text
-t Show all enabled modules
-m [regex] Launch only modules that name match provided regex.
-e [/path/to/profile] Launch profile modules against all matched targets.
No file runs all enabled modules.
We first use the "-t" switch to list the modules that will be used to scan the remote system.
msf > wmap_run -t
[*] Testing target:
[*] Site: 192.168.1.100 (192.168.1.100)
[*] Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*]
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
...snip...
msf >
All that remains now is to actually run the scan against our target URL.
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*] Site: 172.16.2.207 (172.16.2.207)
[*] Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:57:51 -0500
...snip...
Once the scan has finished executing, we take a look at the database to see if wmap found anything of interest.
msf > hosts -c address,svcs,vulns
Hosts
=====
address svcs vulns
------- ---- -----
192.168.1.100 1 1
msf >
Looking at the above output, we can see that wmap has reported on 1 vulnerability. Running "vulns" will list the details for us.
msf > vulns
[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,
CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
msf >
We can now use this information to gather further information on the reported vulnerability. As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.
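To make that follow-up easier, here is an added Ruby example (not from the original page and not part of Metasploit) that parses "vulns" records of the layout shown above into structured data and groups the references by source (CVE, OSVDB, BID). It assumes the "Time: ... Vuln: host=... port=... proto=... name=... refs=a,b,c" layout printed on this page, and re-joins a record whose refs list was wrapped onto a second line; the sample input is constructed from the page's output.

```ruby
# Added example (not from the original page or from Metasploit itself):
# parse one-line "vulns" records into hashes so the references can be
# triaged. Assumes the record layout printed on this page.

# Constructed sample: the page's vulns output, wrapped as the page shows it.
SAMPLE_VULNS = <<~OUT
  [*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,
  CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
OUT

# Re-join a record whose refs list was wrapped: a continuation line is any
# non-empty line that does not start with the "[*]" prefix.
def join_wrapped(text)
  records = []
  text.each_line do |line|
    line = line.strip
    next if line.empty?
    if line.start_with?('[*]') || records.empty?
      records << line
    else
      records[-1] = records[-1] + line
    end
  end
  records
end

VULN_RE = /\ATime: (?<time>.+?) Vuln: (?<fields>.*)\z/

def parse_vuln(record)
  body = record.sub(/\A\[\*\]\s*/, '')      # drop the "[*] " prefix
  m = VULN_RE.match(body) or return nil
  fields = m[:fields].scan(/(\w+)=(\S+)/).to_h   # key=value pairs
  refs = (fields['refs'] || '').split(',').reject(&:empty?)
  {
    time:  m[:time],
    host:  fields['host'],
    port:  fields['port'].to_i,
    proto: fields['proto'],
    name:  fields['name'],
    # Group references by their prefix so each can be looked up in the
    # matching database (CVE, OSVDB, BID).
    refs:  refs.group_by { |r| r[/\A[A-Z]+/] }
  }
end

def parse_vulns(text)
  join_wrapped(text).map { |r| parse_vuln(r) }.compact
end

parse_vulns(SAMPLE_VULNS).each do |v|
  counts = v[:refs].map { |k, l| "#{k}: #{l.size}" }.join(', ')
  puts "#{v[:host]}:#{v[:port]} #{v[:name]} -> #{counts}"
end
```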