Metasploit for website pentest

Metasploit for website pentest using wmap. This is a short tutorial on using the wmap plugin inside Metasploit. wmap is a web application scanner that runs within Metasploit and drives the framework's own HTTP auxiliary modules against a site. We can use it to get an outline of the application we are probing (server software, allowed methods, directories and exposed files) before digging in by hand.

If you enjoy this tutorial, please check out my metasploit tutorials below

Start dvwa inside vagrant

In this tutorial I'll be using the excellent DVWA in Vagrant as my lab target, so as not to harm any real machines (and because it can be started when I need it and stopped when I don't, meaning I don't leave a vulnerable system running on my network when it isn't needed).

If you don't have DVWA set up inside Vagrant yet (or running on a box on your network, e.g. through proxmox or opencloud or even bare metal), follow the link above to my tutorial; otherwise bring the VM up:

cd /path/to/vagrantfile
vagrant up

Start metasploit

Following the start of my metasploit tutorial for beginners, we start the PostgreSQL service before launching the console so that msfconsole can connect to its database (wmap keeps its sites, targets and findings there, so the scan is of little use without it):

service postgresql start

If this is the first time you are running Metasploit on this machine, also initialise the database, which creates the msf database user and schema for you:

msfdb init

On later runs the schema is already in place, so starting the postgresql service is all that is needed.

Then start Metasploit with the msfconsole command from a regular terminal:

msfconsole

Once msfconsole has started and loaded all the modules and dependencies, you will be met with a splash screen in your terminal (the splash screens are random, so don't worry if you see a different one when yours starts up). Before going any further it is worth running db_status: wmap stores everything in the database, so it should report that it is connected to postgresql.


This is msfconsole, the main command line interface to Metasploit. Other interfaces exist (the Armitage GUI, and the web interface of the commercial Metasploit Pro edition), but with msfconsole you can launch exploits, create listeners, configure payloads and so on, and it is always worth learning the command line version as it's the quickest way to assemble a database of targets for later analysis.

The component we are interested in for our web app vulnerability scanning is called wmap. It is a Metasploit plugin rather than a module, so it is brought in with the load command (not use):

load wmap

At any point inside msfconsole, we can bring up the command help with the question-mark command ? (or help).

There are a lot of commands shown, but at the top of the list will be the commands added by the most recently loaded plugin, in our case wmap:

msf > ?

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns

Typing any of the wmap commands shown above with no arguments (or with -h) prints its usage and the parameters it accepts, e.g. wmap_vulns on its own lists the options for viewing results.

Metasploit for website pentest – Selecting a site to scan

Now that the wmap plugin is loaded, the next step is to get it to scan an actual site (a target, in Metasploit terminology). First the site has to be registered in wmap's configuration, which lives in the Metasploit database; we do this with the wmap_sites command:

msf > ? wmap_sites
[*] Usage: wmap_sites [options]
    -h        Display this help text
    -a [url]  Add site (vhost,url)
    -d [ids]  Delete sites (separate ids with space)
    -l        List all available sites
    -s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)

To actually add the site we use the -a flag and give the URL. The protocol must be included, as it decides whether wmap talks plain HTTP or TLS to the host:

wmap_sites -a http://192.168.x.x

There is no limit on the number of sites you can add to wmap, so you could add multiple domains, subdomains or protocols and scan them all in one go (here, the same host over both http and https). A word of warning though: every enabled module is run against every target, so the scan time grows with the number of sites you load up.

wmap_sites -a https://192.168.x.x

The -l flag lists all the sites currently registered:

msf > wmap_sites -l
[*] Available sites
===================

     Id  Host         Vhost        Port  Proto  # Pages  # Forms
     --  ----         -----        ----  -----  -------  -------
     0   192.168.x.x  192.168.x.x  80    http   0        0
     0   192.168.x.x  192.168.x.x  443   https  0        0

Metasploit for website pentest – URLs

Registering a site does not by itself make wmap test it. The wmap_targets command selects the site, port and path that the enabled modules are actually launched against, e.g. the application's entry page, or a specific URL you already suspect of a flaw. Targets can be given as full URLs, or by the ids of sites already added.

We use the wmap_targets command to add target URLs to the scanner:

msf > wmap_targets
[*] Usage: wmap_targets [options]
    -h         Display this help text
    -t [urls]  Define target sites (vhost1,url[space]vhost2,url)
    -d [ids]   Define target sites (id1, id2, id3 ...)
    -c         Clean target sites list
    -l         List all target sites

To add a target URL we use the -t flag:

wmap_targets -t http://192.168.x.x/dvwa/index.php

As with sites, there is no limit on the number of targets, so the same host can be tested over both http and https in one run:

wmap_targets -t https://192.168.x.x/dvwa/index.php

The -l flag lists the defined targets:

msf > wmap_targets -l
[*] Defined targets
===================

     Id  Vhost        Host         Port  SSL    Path
     --  -----        ----         ----  ---    ----
     0   192.168.x.x  192.168.x.x  80    false  /dvwa/index.php
     0   192.168.x.x  192.168.x.x  443   true   /dvwa/index.php

Metasploit for website pentest – Listing the enabled modules

Before running the scanner it is worth seeing exactly which modules it will launch against each target. wmap_run with no arguments prints its usage:

msf > wmap_run
    [*] Usage: wmap_run [options]
      -h                        Display this help text
      -t                        Show all enabled modules
      -m [regex]                Launch only modules that name match provided regex.
      -p [regex]                Only test path defined by regex.
      -e [/path/to/profile]     Launch profile modules against all matched targets.
                                (No profile file runs all enabled modules.)

We can use wmap_run with the -t flag to list all the enabled modules, grouped by testing phase, for each defined target before we scan it. Note that the SSL modules are disabled for the plain http target:

msf > wmap_run -t
[*] Testing target:
[*] 	Site: 192.168.x.x (192.168.x.x)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-09 21:17:33 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.
[*] Testing target:
[*] 	Site: 192.168.x.x (192.168.x.x)
[*] 	Port: 443 SSL: true
============================================================
[*] Testing started. 2019-02-09 21:20:28 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.

We can get more information on any of the modules wmap will run, including the options it accepts, with the info command:

info auxiliary/scanner/http/error_sql_injection

      Name: HTTP Error Based SQL Injection Scanner
    Module: auxiliary/scanner/http/error_sql_injection
   License: BSD License
      Rank: Normal

Provided by:
 et 

Basic options:
 Name     Current Setting  Required  Description
 ----     ---------------  --------  -----------
 DATA                      no        HTTP Body/Data Query
 METHOD   GET              yes       HTTP Request Method (Accepted: GET, POST)
 PATH     /default.aspx    yes       The path/file to test SQL injection
 Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
 QUERY                     no        HTTP URI Query
 RHOSTS                    yes       The target address range or CIDR identifier
 RPORT    80               yes       The target port (TCP)
 SSL      false            no        Negotiate SSL/TLS for outgoing connections
 THREADS  1                yes       The number of concurrent threads
 VHOST                     no        HTTP server virtual host

Description:
 This module identifies the existence of Error Based SQL injection 
 issues. Still requires a lot of work

Running the Scanner

The next stage in using Metasploit for website pentest is to run the scanner with wmap_run. The -e flag runs the enabled modules against every defined target (with no profile file given, that is all of them), while -m takes a regex so you can launch only the modules whose name matches it, e.g. wmap_run -m dir_scanner, which is handy for re-running one slow or noisy phase on its own.

Running wmap_run -e with no other arguments will run all of the enabled modules (39 in our case, from the previous section). It will take a while for the scan to complete. Two things to notice in the output below: the vhost_scanner module raises an exception because its DOMAIN option has not been set, and wmap simply logs this and moves on to the next module rather than stopping; and the File/Dir phase is by far the slowest, as each of its modules tries a long wordlist of paths against the server.

wmap_run -e
  [*] Using ALL wmap enabled modules.
  [-] NO WMAP NODES DEFINED. Executing local modules
  [*] Testing target:
  [*] 	Site: 192.168.x.x (192.168.x.x)
  [*] 	Port: 80 SSL: false
  ============================================================
  [*] Testing started. 2019-02-10 13:44:33 +0000
  [*] Loading wmap modules...
   
  [*] 39 wmap enabled modules loaded.
  [*] 
  =[ SSL testing ]=
  ============================================================
  [*] Target is not SSL. SSL modules disabled.
  [*] 
  =[ Web Server testing ]=
  ============================================================
  [*] Module auxiliary/scanner/http/http_version
  
  [+] 192.168.x.x:80 Apache/2.4.10 (Debian)
  [*] Module auxiliary/scanner/http/open_proxy
  [*] Module auxiliary/admin/http/tomcat_administration
  [*] Module auxiliary/admin/http/tomcat_utf8_traversal
  [*] Attempting to connect to 192.168.x.x:80
  [+] No File(s) found
  [*] Module auxiliary/scanner/http/drupal_views_user_enum
  [-] 192.168.x.x does not appear to be vulnerable, will not continue
  [*] Module auxiliary/scanner/http/frontpage_login
  [*] 192.168.x.x:80      - http://192.168.x.x/ may not support FrontPage Server Extensions
  [*] Module auxiliary/scanner/http/host_header_injection
  [*] Module auxiliary/scanner/http/options
  [+] 192.168.x.x allows GET,HEAD,POST,OPTIONS methods
  [*] Module auxiliary/scanner/http/robots_txt
  [*] Module auxiliary/scanner/http/scraper
  [+] [192.168.x.x] / [Apache2 Debian Default Page: It works]
  [*] Module auxiliary/scanner/http/svn_scanner
  [*] Using code '404' as not found.
  [*] Module auxiliary/scanner/http/trace
  [*] Module auxiliary/scanner/http/vhost_scanner
  [*]  >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
  [*] Module auxiliary/scanner/http/webdav_internal_ip
  [*] Module auxiliary/scanner/http/webdav_scanner
  [*] 192.168.x.x (Apache/2.4.10 (Debian)) WebDAV disabled.
  [*] Module auxiliary/scanner/http/webdav_website_content
  [*] 
  =[ File/Dir testing ]=
  ============================================================
  [*] Module auxiliary/scanner/http/backup_file
  [*] Module auxiliary/scanner/http/brute_dirs
  [*] Path: /
  [*] Using code '404' as not found.
  [*] Module auxiliary/scanner/http/copy_of_file
  [*] Module auxiliary/scanner/http/dir_listing
  [*] Path: /
  [*] Module auxiliary/scanner/http/dir_scanner
  [*] Path: /
  [*] Detecting error code
  [*] Using code '404' as not found for 192.168.x.x
  [+] Found http://192.168.x.x:80/icons/ 404 (192.168.x.x)
  [*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
  [*] Path: /
  [*] Using code '404' as not found.
    
    # I stopped the scan here because it took ages, IRL you would let the scan run to completion
    

Scan Results

We can now review the findings of the scan with the wmap_vulns -l command (they are stored in the Metasploit database, so they are still there after you restart msfconsole):

wmap_vulns -l
  [*] + [192.168.x.x] (192.168.x.x): scraper /
  [*] 	scraper Scraper
  [*] 	GET Apache2 Debian Default Page: It works
  [*] + [192.168.x.x] (192.168.x.x): directory /icons/
  [*] 	directory Directoy found.
  [*] 	GET Res code: 403
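The whole procedure above can be scripted so it does not have to be typed into msfconsole by hand. The following shell script is an added example written for this page, not code from the original tutorial or from the Metasploit project: it generates a Metasploit resource script (the file format that msfconsole -r executes line by line) containing the same wmap commands used above, then hands it to msfconsole. The target address 192.168.56.10 and the DVWA path are placeholders; the setg DOMAIN line is my assumed workaround for the vhost_scanner validation error seen in the scan output, on the assumption that wmap's modules pick up setg values like any other module.

```shell
#!/bin/sh
# Added example for this page (not from the original tutorial or from
# Metasploit): run the wmap workflow non-interactively via a resource
# script.  Assumes msfconsole is on PATH and the database has been
# initialised with msfdb init, as in the tutorial.  192.168.56.10 is a
# placeholder lab address.

# Print the resource-script lines for one site.
#   $1  site as scheme://host[:port], e.g. http://192.168.56.10
#   $2  path to use as the target,    e.g. /dvwa/index.php
#   $3  optional regex for wmap_run -m (launch only matching modules);
#       empty means wmap_run -e, i.e. every enabled module
wmap_rc() {
  site="$1"; path="$2"; mods="${3:-}"
  # host part only: strip the scheme and any :port
  host=$(printf '%s' "$site" | sed 's#^[a-z]*://##; s#:.*##')
  printf '%s\n' \
    'db_status' \
    'load wmap' \
    "wmap_sites -a ${site}" \
    "wmap_targets -t ${site}${path}" \
    'wmap_targets -l' \
    "setg DOMAIN ${host}"
  # assumption: vhost_scanner stops failing validation once DOMAIN is set
  if [ -n "$mods" ]; then
    printf 'wmap_run -m %s\n' "$mods"
  else
    printf 'wmap_run -e\n'
  fi
  printf '%s\n' 'wmap_vulns -l' 'exit -y'
}

# Write the resource script to a temp file and hand it to msfconsole.
run_wmap() {
  rc="${TMPDIR:-/tmp}/wmap_$$.rc"
  wmap_rc "$@" > "$rc" || return 1
  if ! command -v msfconsole >/dev/null 2>&1; then
    echo "msfconsole not found; resource script written to $rc" >&2
    return 1
  fi
  msfconsole -q -r "$rc"
}

# Usage: sh wmap_scan.sh http://192.168.56.10 /dvwa/index.php [module-regex]
if [ $# -gt 0 ]; then
  run_wmap "$@"
fi
```

Run it once per site (for example once for http and once for https) and leave the third argument off to reproduce the full wmap_run -e scan; pass a regex such as dir_scanner to re-run only one module against the same target.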

We have now come to the end of this mini Metasploit for website pentest tutorial on the wmap plugin. There are better dedicated tools out there for this type of scan, but being able to run one from inside Metasploit, with the results landing in the same database as your other findings, is a handy way to get an idea of what's out there and to build your skills.

** Don't forget to run vagrant halt to stop your DVWA VM when you have finished the exercise (or vagrant destroy if you want to remove it altogether), as Vagrant can use a lot of resources on your host machine, especially if you end up with 4 or 5 instances running.



This Post Has One Comment

  1. Will Meek

    Great writeup Jonathan!

    Only caveat I found was that the url needed to be an IP, even though sites are resolved to IPs.

    And File/Dir testing at the ‘404’ stage takes forever! :)
