Metasploit for website pentest

This tutorial covers using Metasploit for website pentesting with wmap. Wmap is a web application scanner that runs inside Metasploit; we can use it to get an outline of the application we are probing.

If you enjoyed this tutorial, please check out my metasploit tutorials below

Start dvwa inside vagrant

In this tutorial I'll be using DVWA in Vagrant as my target.

If you don't have DVWA set up inside Vagrant yet, follow the link above to go to my tutorial; otherwise:

cd /path/to/vagrantfile
vagrant up

Start metasploit

Following the start of my Metasploit tutorial for beginners, we start the database service and set up the Metasploit database if that has not already been done:

# if this is the first time you are running Metasploit, initialise its database
# (this also starts the PostgreSQL service):
msfdb init
# otherwise, start the PostgreSQL service that Metasploit's database uses:
service postgresql start
# then start Metasploit using msfconsole
msfconsole

You will be met with a splash screen in your terminal.

This is msfconsole. Msfconsole is the main command line interface to Metasploit. There are other interfaces available: GUI interfaces (Armitage) and a web interface too (websploit). With msfconsole you can launch exploits, create listeners, configure payloads, etc.

The module we are interested in for web application vulnerability scanning is called wmap. We load wmap with the following command:

load wmap

At any point inside msfconsole we can bring up the command help with the question-mark command, ?

There are a lot of commands shown, but at the top of the list will be the commands of the current module, in our case wmap:

msf > ?

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns

You can type any of the commands without arguments to see its required parameters; for example, typing wmap_vulns gives all the options available.

Selecting a site to scan

To get wmap to scan a site, we first have to add it to our configuration; we do this with the wmap_sites command:

msf > ? wmap_sites
[*] Usage: wmap_sites [options]
    -h        Display this help text
    -a [url]  Add site (vhost,url)
    -d [ids]  Delete sites (separate ids with space)
    -l        List all available sites
    -s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)

To add the site, we see that we have to use the -a flag and specify the URL (including the protocol):

wmap_sites -a http://192.168.x.x

There isn't a limit on the number of sites you can add, so you could add multiple domains, subdomains or protocols to scan across multiple domains (or a single domain over both http and https) in one fell swoop:

wmap_sites -a https://192.168.x.x

The -l flag lists all the sites in the queue:

msf > wmap_sites -l
[*] Available sites
===============

     Id  Host          Vhost         Port  Proto  # Pages  # Forms
     --  ----          -----         ----  -----  -------  -------
     0   192.168.x.x  192.168.x.x  80    http   0        0
     0   192.168.x.x  192.168.x.x  443   https  0        0

URLs

In the URLs section, we add target URLs (e.g. URLs that we know have a buffer overflow, etc.) for wmap to check the existence of on the domains.

We use the wmap_targets command to add URLs to the scanner:

msf > wmap_targets
[*] Usage: wmap_targets [options]
    -h         Display this help text
    -t [urls]  Define target sites (vhost1,url[space]vhost2,url)
    -d [ids]   Define target sites (id1, id2, id3 ...)
    -c         Clean target sites list
    -l         List all target sites

To add the URL, we see that we have to use the -t flag and specify the URL:

wmap_targets -t http://192.168.x.x/dvwa/index.php

There isn't a limit on the number of URLs you can add, so you could add multiple domains, subdomains or protocols to scan across multiple domains (or a single domain over both http and https) in one fell swoop:

wmap_targets -t https://192.168.x.x/dvwa/index.php

The -l flag lists all the URLs in the queue:

msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost         Host          Port  SSL    Path
     --  -----         ----          ----  ---    ----
     0   192.168.x.x  192.168.x.x  80    false  /dvwa/index.php
     0   192.168.x.x  192.168.x.x  443   true   /dvwa/index.php

Listing the enabled modules

Before running the scanner, we look at the wmap_run usage and at the modules it has enabled:

msf > wmap_run
    [*] Usage: wmap_run [options]
      -h                        Display this help text
      -t                        Show all enabled modules
      -m [regex]                Launch only modules that name match provided regex.
      -p [regex]                Only test path defined by regex.
      -e [/path/to/profile]     Launch profile modules against all matched targets.
                                (No profile file runs all enabled modules.)

We can use wmap_run with the -t flag to list all the enabled modules before we scan the target:

msf > wmap_run -t
[*] Testing target:
[*] 	Site: 192.168.x.x (192.168.x.x)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-09 21:17:33 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.
[*] Testing target:
[*] 	Site: 192.168.x.x (192.168.x.x)
[*] 	Port: 443 SSL: true
============================================================
[*] Testing started. 2019-02-09 21:20:28 +0000
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.

We can get information on any of these modules with the info command:

info auxiliary/scanner/http/error_sql_injection

      Name: HTTP Error Based SQL Injection Scanner
    Module: auxiliary/scanner/http/error_sql_injection
   License: BSD License
      Rank: Normal

Provided by:
 et 

Basic options:
 Name     Current Setting  Required  Description
 ----     ---------------  --------  -----------
 DATA                      no        HTTP Body/Data Query
 METHOD   GET              yes       HTTP Request Method (Accepted: GET, POST)
 PATH     /default.aspx    yes       The path/file to test SQL injection
 Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
 QUERY                     no        HTTP URI Query
 RHOSTS                    yes       The target address range or CIDR identifier
 RPORT    80               yes       The target port (TCP)
 SSL      false            no        Negotiate SSL/TLS for outgoing connections
 THREADS  1                yes       The number of concurrent threads
 VHOST                     no        HTTP server virtual host

Description:
 This module identifies the existence of Error Based SQL injection 
 issues. Still requires a lot of work

Running the Scanner

The next stage is to run the scanner.

msf > wmap_run
    [*] Usage: wmap_run [options]
      -h                        Display this help text
      -t                        Show all enabled modules
      -m [regex]                Launch only modules that name match provided regex.
      -p [regex]                Only test path defined by regex.
      -e [/path/to/profile]     Launch profile modules against all matched targets.
                                (No profile file runs all enabled modules.)

Running wmap_run -e with no other arguments runs all of the enabled modules (39 in our case, from the previous section). It takes a while to run:

wmap_run -e
  [*] Using ALL wmap enabled modules.
  [-] NO WMAP NODES DEFINED. Executing local modules
  [*] Testing target:
  [*] 	Site: 192.168.x.x (192.168.x.x)
  [*] 	Port: 80 SSL: false
  ============================================================
  [*] Testing started. 2019-02-10 13:44:33 +0000
  [*] Loading wmap modules...
   
  [*] 39 wmap enabled modules loaded.
  [*] 
  =[ SSL testing ]=
  ============================================================
  [*] Target is not SSL. SSL modules disabled.
  [*] 
  =[ Web Server testing ]=
  ============================================================
  [*] Module auxiliary/scanner/http/http_version
  
  [+] 192.168.x.x:80 Apache/2.4.10 (Debian)
  [*] Module auxiliary/scanner/http/open_proxy
  [*] Module auxiliary/admin/http/tomcat_administration
  [*] Module auxiliary/admin/http/tomcat_utf8_traversal
  [*] Attempting to connect to 192.168.x.x:80
  [+] No File(s) found
  [*] Module auxiliary/scanner/http/drupal_views_user_enum
  [-] 192.168.x.x does not appear to be vulnerable, will not continue
  [*] Module auxiliary/scanner/http/frontpage_login
  [*] 192.168.x.x:80      - http://192.168.x.x/ may not support FrontPage Server Extensions
  [*] Module auxiliary/scanner/http/host_header_injection
  [*] Module auxiliary/scanner/http/options
  [+] 192.168.x.x allows GET,HEAD,POST,OPTIONS methods
  [*] Module auxiliary/scanner/http/robots_txt
  [*] Module auxiliary/scanner/http/scraper
  [+] [192.168.x.x] / [Apache2 Debian Default Page: It works]
  [*] Module auxiliary/scanner/http/svn_scanner
  [*] Using code '404' as not found.
  [*] Module auxiliary/scanner/http/trace
  [*] Module auxiliary/scanner/http/vhost_scanner
  [*]  >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
  [*] Module auxiliary/scanner/http/webdav_internal_ip
  [*] Module auxiliary/scanner/http/webdav_scanner
  [*] 192.168.x.x (Apache/2.4.10 (Debian)) WebDAV disabled.
  [*] Module auxiliary/scanner/http/webdav_website_content
  [*] 
  =[ File/Dir testing ]=
  ============================================================
  [*] Module auxiliary/scanner/http/backup_file
  [*] Module auxiliary/scanner/http/brute_dirs
  [*] Path: /
  [*] Using code '404' as not found.
  [*] Module auxiliary/scanner/http/copy_of_file
  [*] Module auxiliary/scanner/http/dir_listing
  [*] Path: /
  [*] Module auxiliary/scanner/http/dir_scanner
  [*] Path: /
  [*] Detecting error code
  [*] Using code '404' as not found for 192.168.x.x
  [+] Found http://192.168.x.x:80/icons/ 404 (192.168.x.x)
  [*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
  [*] Path: /
  [*] Using code '404' as not found.
    
    # I stopped the scan here because it took ages; IRL you would let the scan run to completion
    

Scan Results

We can review the results of the scan with the wmap_vulns -l command:

wmap_vulns -l
  [*] + [192.168.x.x] (192.168.x.x): scraper /
  [*] 	scraper Scraper
  [*] 	GET Apache2 Debian Default Page: It works
  [*] + [192.168.x.x] (192.168.x.x): directory /icons/
  [*] 	directory Directoy found.
  [*] 	GET Res code: 403
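The whole workflow above (load wmap, add the site and the target, run the enabled modules, list the findings) can be driven without retyping each command by putting the commands into a Metasploit resource script. The script below is an added example written for this page, not code from the tutorial or from the Metasploit project. It assumes msfconsole is on your PATH and that the PostgreSQL and msfdb init steps from the Metasploit section have already been done; the 192.168.x.x address and /dvwa/index.php path are placeholders for your own lab host, and the wmap_vulns output embedded in it is a constructed sample built from the two findings shown above so the summary functions can be tried offline.

```shell
#!/bin/sh
# Added example for this tutorial (not the author's or Metasploit's own code).
# Drives the wmap workflow through an msfconsole resource script (-r) and
# summarises the wmap_vulns -l output saved from the run.

# Emit a resource script: every line is a command exactly as typed into
# msfconsole in the tutorial. $1 = site base URL (scheme://host), $2 = path.
gen_wmap_rc() {
    printf '%s\n' \
        "load wmap" \
        "wmap_sites -a $1" \
        "wmap_targets -t $1$2" \
        "wmap_run -e" \
        "wmap_vulns -l" \
        "exit"
}

# Constructed sample of wmap_vulns -l output (the two findings shown in the
# tutorial) so the parsing below can be exercised without running a scan.
sample_wmap_vulns_output() {
    printf '%s\n' \
        '[*] + [192.168.x.x] (192.168.x.x): scraper /' \
        '[*]     scraper Scraper' \
        '[*]     GET Apache2 Debian Default Page: It works' \
        '[*] + [192.168.x.x] (192.168.x.x): directory /icons/' \
        '[*]     directory Directoy found.' \
        '[*]     GET Res code: 403'
}

# Each finding in wmap_vulns -l output begins with "[*] + "; count them (stdin).
count_wmap_findings() {
    grep -c '^\[\*\] + '
}

# Reduce each finding line to "<type> <path>", e.g. "directory /icons/" (stdin).
list_wmap_findings() {
    sed -n 's/^\[\*\] + \[[^]]*\] ([^)]*): //p'
}

# The real scan only runs when invoked as: sh wmap_scan.sh run <base-url> <path>
# Defaults are the placeholder target used throughout the tutorial.
if [ "${1:-}" = "run" ]; then
    base="${2:-http://192.168.x.x}"
    path="${3:-/dvwa/index.php}"
    rc=$(mktemp) || exit 1
    gen_wmap_rc "$base" "$path" > "$rc"
    # -q suppresses the splash screen, -r runs the resource script; the console
    # output is kept in a log so the (long) run can be reviewed afterwards.
    msfconsole -q -r "$rc" | tee wmap_scan.log
    rm -f "$rc"
    printf 'findings: %s\n' "$(count_wmap_findings < wmap_scan.log)"
    list_wmap_findings < wmap_scan.log
fi
```

Run it as sh wmap_scan.sh run http://192.168.x.x /dvwa/index.php after the database steps; wmap_scan.log is what you review, and the two summary functions give a quick "type path" list of everything wmap flagged, which is the same information the wmap_vulns -l listing above shows by hand.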

We have now come to the end of this mini-tutorial on the wmap Metasploit module. There are better tools out there to perform these scans, but it is good to be able to do them inside Metasploit to get an idea of what's out there.

Don't forget to run vagrant destroy to stop your DVWA image running.
