Metasploit for website pentest using wmap. This is a short tutorial on using the wmap module inside metasploit. Wmap is a web application scanner that runs within metasploit. We can use wmap to get an outline of the application we are probing.
If you enjoy this tutorial, please check out my metasploit tutorials below
Start dvwa inside vagrant
In this tutorial I'll be using the excellent dvwa in vagrant as my lab-based target, so as not to harm any real machines (and also because it can be started when I need it and stopped when I don't, meaning I don't run a vulnerable system on my network unless I need to).
If you don't have dvwa set up inside vagrant [or running on a box on your network, e.g. through proxmox or opencloud or even bare metal] yet, follow the link above to go to my tutorial; otherwise:
cd /path/to/vagrantfile
vagrant up
Start metasploit
Following the start of my metasploit tutorial for beginners, before starting the metasploit console, we will start the database service and set up the metasploit database if not already done:
service postgresql start
if this is the first time you are running metasploit, run the following command to create the database schema for you:
msfdb init
if it is not your first time, start your postgresql service as you will already have the database schema in place.
service postgresql start
Then you can start metasploit using the msfconsole command from a regular terminal
msfconsole
Once msfconsole has started and loaded all the modules and dependencies, you will be met with a splash screen in your terminal. The splash screens are random, so don't worry if you see a different one when yours starts up:
This is msfconsole. Msfconsole is the main command line interface to MetaSploit. There are other interfaces available: GUI interfaces (armitage), and a web interface too (websploit). With msfconsole you can launch exploits, create listeners, configure payloads etc. It's always useful to learn the command-line version as it's the quickest way to assemble a database of targets for later analysis.
The module we are interested in for our web app vulnerability scanning is called wmap. We load the wmap module with the following command
load wmap
At any point inside msfconsole, we can bring up help commands with the question-mark command ?
There are a lot of commands shown, but at the top of the list will be the current module, in our case, wmap.
msf > ?

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns
You can type any of the wmap commands shown above and you will get a list of the required parameters, eg typing wmap_vulns gives you all the options available:
Metasploit for website pentest – Selecting a site to scan
Now that we have the wmap module loaded, the next step is to get wmap to scan an actual site (or target, in metasploit terminology). To do that we have to add the target to our wmap module configuration, which we do with the wmap_sites command:
msf > ? wmap_sites
[*] Usage: wmap_sites [options]
    -h        Display this help text
    -a [url]  Add site (vhost,url)
    -d [ids]  Delete sites (separate ids with space)
    -l        List all available sites
    -s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)
To actually add the site to the module configuration, we can see that we have to use the -a flag and specify the url (we must include the protocol too)
wmap_sites -a http://192.168.x.x
There is no limit on the number of sites you can add to wmap, so you could add multiple domains, subdomains or protocols to scan across several domains (or a single domain over both http and https) in one fell swoop. A word of warning though: the actual scan may take a very long time if you load up a large number of sites.
wmap_sites -a https://192.168.x.x
The -l flag is used to show all the sites in the queue:
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host         Vhost        Port  Proto  # Pages  # Forms
     --  ----         -----        ----  -----  -------  -------
     0   192.168.x.x  192.168.x.x  80    http   0        0
     0   192.168.x.x  192.168.x.x  443   https  0        0
Metasploit for website pentest – URLs
In the urls section we add target urls (e.g. urls that we know to have a buffer overflow, etc.) whose existence wmap will check for on the domains.
We use the wmap_targets command to add urls to the scanner:
msf > wmap_targets
[*] Usage: wmap_targets [options]
    -h         Display this help text
    -t [urls]  Define target sites (vhost1,url[space]vhost2,url)
    -d [ids]   Define target sites (id1, id2, id3 ...)
    -c         Clean target sites list
    -l         List all target sites
To actually add the url, we see that we have to use the -t flag and specify the url:
wmap_targets -t http://192.168.x.x/dvwa/index.php
There isn't a limit on the urls you can add, so you could add multiple domains, subdomains or protocols to scan across several domains (or a single domain over both http and https) in one fell swoop.
wmap_targets -t https://192.168.x.x/dvwa/index.php
The -l flag is used to show all the urls in the queue:
msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost        Host         Port  SSL    Path
     --  -----        ----         ----  ---    ----
     0   192.168.x.x  192.168.x.x  80    false  /dvwa/index.php
     0   192.168.x.x  192.168.x.x  443   true   /dvwa/index.php
Metasploit for website pentest – Running the Scanner
The next stage is to run the scanner:
msf > wmap_run
[*] Usage: wmap_run [options]
    -h                     Display this help text
    -t                     Show all enabled modules
    -m [regex]             Launch only modules that name match provided regex.
    -p [regex]             Only test path defined by regex.
    -e [/path/to/profile]  Launch profile modules against all matched targets.
                           (No profile file runs all enabled modules.)
We can use wmap_run with the -t flag to list all the enabled modules before we scan the target.
msf > wmap_run -t
[*] Testing target:
[*]     Site: 192.168.x.x (192.168.x.x)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-09 21:17:33 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.
[*] Testing target:
[*]     Site: 192.168.x.x (192.168.x.x)
[*]     Port: 443 SSL: true
============================================================
[*] Testing started. 2019-02-09 21:20:28 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.
We can get some information on each of the metasploit modules if we use the info command:
info auxiliary/scanner/http/error_sql_injection

       Name: HTTP Error Based SQL Injection Scanner
     Module: auxiliary/scanner/http/error_sql_injection
    License: BSD License
       Rank: Normal

Provided by:
  et

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  DATA                      no        HTTP Body/Data Query
  METHOD   GET              yes       HTTP Request Method (Accepted: GET, POST)
  PATH     /default.aspx    yes       The path/file to test SQL injection
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  QUERY                     no        HTTP URI Query
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  THREADS  1                yes       The number of concurrent threads
  VHOST                     no        HTTP server virtual host

Description:
  This module identifies the existence of Error Based SQL injection
  issues. Still requires a lot of work
Running the Scanner
The next stage in using Metasploit for website pentest is to run the scanner. We run the scan with the wmap_run command:
Running wmap_run -e with no other arguments will run all of the enabled modules (39 in our case from the previous section). It will take a while for the scan to complete.
wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 192.168.x.x (192.168.x.x)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-10 13:44:33 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[+] 192.168.x.x:80 Apache/2.4.10 (Debian)
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 192.168.x.x:80
[+] No File(s) found
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 192.168.x.x does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/frontpage_login
[*] 192.168.x.x:80 - http://192.168.x.x/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[+] 192.168.x.x allows GET,HEAD,POST,OPTIONS methods
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[+] [192.168.x.x] / [Apache2 Debian Default Page: It works]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] 192.168.x.x (Apache/2.4.10 (Debian)) WebDAV disabled.
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Using code '404' as not found for 192.168.x.x
[+] Found http://192.168.x.x:80/icons/ 404 (192.168.x.x)
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Using code '404' as not found.

(I stopped the scan here because it took ages; IRL you would let the scan run to completion.)
Scan Results
We can now review the results of the scan we have performed with the wmap_vulns -l command:
wmap_vulns -l
[*] + [192.168.x.x] (192.168.x.x): scraper /
[*]     scraper Scraper
[*]     GET Apache2 Debian Default Page: It works
[*] + [192.168.x.x] (192.168.x.x): directory /icons/
[*]     directory Directoy found.
[*]     GET Res code: 403
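To replay the whole site/target/run/vulns sequence above without retyping it in msfconsole, and to pull the "[+]" hits out of the long wmap_run log into a short review list, here is an added example (my own code, not from the tutorial or the Metasploit project). It assumes msfconsole is on PATH with the database already initialised; the IP 192.168.56.101 is a constructed placeholder for the lab box, and the sample output is constructed from the lines shown above.

```python
import re
import subprocess

# Constructed placeholder for the DVWA box the tutorial calls 192.168.x.x; set to your lab IP.
TARGET_HOST = "192.168.56.101"
TARGET_PATHS = ["/dvwa/index.php"]

def build_resource_script(host: str, paths: list[str], schemes=("http", "https")) -> str:
    """msfconsole resource script replaying the tutorial's order: load wmap, one site per
    scheme, one target per scheme and path, list the queue, show modules, run all, list vulns."""
    lines = ["load wmap"]
    lines += [f"wmap_sites -a {s}://{host}" for s in schemes]
    lines += [f"wmap_targets -t {s}://{host}{p}" for s in schemes for p in paths]
    lines += ["wmap_sites -l", "wmap_targets -l", "wmap_run -t", "wmap_run -e", "wmap_vulns -l", "exit"]
    return "\n".join(lines) + "\n"

MODULE_RE = re.compile(r"^\[\*\]\s+Module\s+(?P<module>\S+)")
HIT_RE = re.compile(r"^\[\+\]\s+(?P<text>.+)$")

def parse_run_findings(output: str) -> list[dict[str, str]]:
    """Attribute each '[+]' hit in wmap_run output to the module that emitted it."""
    findings, current = [], "unknown"
    for raw in output.splitlines():
        line = raw.strip()
        if m := MODULE_RE.match(line):
            current = m.group("module")
        elif m := HIT_RE.match(line):
            findings.append({"module": current, "finding": m.group("text")})
    return findings

# Constructed sample modelled on the wmap_run -e output shown in the tutorial.
SAMPLE_OUTPUT = """[*] Module auxiliary/scanner/http/http_version
[+] 192.168.x.x:80 Apache/2.4.10 (Debian)
[*] Module auxiliary/scanner/http/options
[+] 192.168.x.x allows GET,HEAD,POST,OPTIONS methods
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[+] Found http://192.168.x.x:80/icons/ 404 (192.168.x.x)
"""

def run_wmap(host: str, paths: list[str], rc_path: str = "wmap.rc") -> list[dict[str, str]]:
    """Run msfconsole -q -r on the generated script; assumes msfconsole on PATH and msfdb init done."""
    with open(rc_path, "w") as fh:
        fh.write(build_resource_script(host, paths))
    proc = subprocess.run(["msfconsole", "-q", "-r", rc_path], capture_output=True, text=True, check=False)
    return parse_run_findings(proc.stdout)

if __name__ == "__main__":
    for hit in run_wmap(TARGET_HOST, TARGET_PATHS):
        print(f"{hit['module']}: {hit['finding']}")
```

Only the "[+]" lines are kept, so informational "[*]" noise such as "Using code '404' as not found" drops out of the review list.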
We have now come to the end of this mini Metasploit for website pentest tutorial on the wmap metasploit module. There are better tools out there to perform these types of scan, but it is good to be able to do such scans inside metasploit to gain an idea of what's out there, and to increase your skills.
** Don't forget to run vagrant destroy to stop your dvwa image running after you complete the exercise, as vagrant can use lots of resources on your host machine (especially if you end up with 4 or 5 vagrant instances running).
Sources
- https://www.offensive-security.com/metasploit-unleashed/wmap-web-scanner/
- https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
- https://subscription.packtpub.com/book/networking_and_servers/9781788295970/7/ch07lvl1sec52/web-application-scanning-using-wmap
- https://www.rapid7.com/db/modules/auxiliary/scanner/http/error_sql_injection
Great writeup Jonathan!
Only caveat I found was that the url needed to be an IP, even though sites are resolved to IPs.
And File/Dir testing at the ‘404’ stage takes forever! :)