Friday, March 25, 2011

Pentest: Audit your website security with Metasploit WMAP plugin and the HTTP Crawler Module

WMAP is implemented as a Metasploit plugin and depends on an active database to function. The database is used to store a list of target URLs as well as the results of the WMAP modules. To get started with WMAP, the database needs to be configured and at least one target must be added. In most situations, you would bring target data into WMAP through a spider, proxy, or export from another tool. In the example below we will use the msf http crawler module to add a target and demonstrate the process.


Install these packages:

sudo apt-get install libxml-ruby libxml2-dev
sudo apt-get install libxslt-ruby libxslt-dev
sudo apt-get install libnokogiri-ruby
or
gem install robots
gem install nokogiri 
sudo gem install anemone

Start the Metasploit Framework¶

Open the Metasploit Framework Console (msfconsole):
$ ./msconsole

#    # ###### #####   ##    ####  #####  #       ####  # #####
##  ## #        #    #  #  #      #    # #      #    # #   #
# ## # #####    #   #    #  ####  #    # #      #    # #   #
#    # #        #   ######      # #####  #      #    # #   #
#    # #        #   #    # #    # #      #      #    # #   #
#    # ######   #   #    #  ####  #      ######  ####  #   #


       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 669 exploits - 345 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12131 updated today (2011.03.25)

msf > 
Select the database driver (for this tutorial I use the sqlite3 driver but if you have an postesql up you can use it with db_driver postgresql).
msf > db_driver sqlite3
[*] Using database driver sqlite3
Create a database
msf> db_connect wmap_test
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: wmap_test


Crawling the target

Load the scanner
msf > use scanner/http/crawler
msf auxiliary(crawler) > show options

Module options (auxiliary/scanner/http/crawler):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   MAX_MINUTES  5                yes       The maximum number of minutes to spend on each URL
   MAX_PAGES    500              yes       The maximum number of pages to crawl per URL
   MAX_THREADS  4                yes       The maximum number of concurrent requests
   Proxies                       no        Use a proxy chain
   RHOST                         yes       The target address
   RPORT        80               yes       The target port
   URI          /                yes       The starting page to crawl
   VHOST                         no        HTTP server virtual host

msf auxiliary(crawler) > 

Define target
msf auxiliary(crawler) > set RHOST www.target.com
msf auxiliary(crawler) > set RPORT 443

Launch the scan
msf auxiliary(crawler) > run
[*] Crawling https://www.target.com
[*] [00001/00500]    200 - www.target.com - https://www.target.com/
[*]                         FORM: POST /index.asp
[*] [00002/00500]    200 - www.target.com - https://www.target.com/index.asp?lg=EN
[*]                         FORM: GET /index.asp
[*]                         FORM: POST /index.asp
[*] [00003/00500]    200 - www.target.com - https://www.target.com/index.asp?lg=FR
[*]                         FORM: GET /index.asp
[*]                         FORM: POST /index.asp
[*] [00004/00500]    200 - www.target.com - https://www.target.com/index.asp
[*]                         FORM: POST /index.asp
[*] Crawl of https://www.target.com:443/ complete
[*] Auxiliary module execution completed


Load the WMAP plugin
msf > load wmap
[*] [WMAP 1.0] ===  et [  ] metasploit.com 2011
[*] Successfully loaded plugin: wmap

Check the crawler results
msf > wmap_sites -l
Available sites
===============

     Id  Host             Vhost                             Port  # Pages  # Forms
     --  ----             -----                             ----  -------  -------
     0   XXX.XXX.XXX.XXX  www.target.com  443   4        3

Note: If a test module requires a specific parameter to be set or we want to modify the value of a predefined variable,
this can be done with the 'setg' command.
Example:
msf > setg VHOST www.target.com
msf > setg DOMAIN target.com
msf > setg EXT .asp
msf > setg WMAP_EXCLUDE_FILE

Select the target

msf > wmap_targets -t www.target.com:443,XXX.XXX.XXX.XXX:443

To view the targets:
msf > wmap_targets -l
Defined targets
===============

     Id  Vhost                             Host             Port  SSL   Path
     --  -----                             ----             ----  ---   ----
     0   www.target.com                    XXX.XXX.XXX.XXX  443   true  


Running WMAP modules¶

Now that a target has been selected, You can obtain a list of what WMAP modules are available using the wmap_run -t command:

msf > wmap_run -t
wmap_run -t
[*] Testing target:
[*]  Site: www.target.com (XXX.XXX.XXX.XXX)
[*]  Port: 443 SSL: true
============================================================
[*] Testing started. Fri Mar 25 14:12:23 +0100 2011
=[ SSL testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/ssl ...
[*] Loaded auxiliary/scanner/http/cert ...

=[ Web Server testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/robots_txt ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/scanner/http/webdav_internal_ip ...
[*] Loaded auxiliary/scanner/http/webdav_website_content ...
[*] Loaded auxiliary/scanner/http/http_version ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/scanner/http/webdav_scanner ...
[*] Loaded auxiliary/scanner/http/web_vulndb ...
[*] Loaded auxiliary/scanner/http/vhost_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/open_proxy ...
[*] Loaded auxiliary/scanner/http/svn_scanner ...

=[ File/Dir testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/files_dir ...
[*] Loaded auxiliary/scanner/http/replace_ext ...
[*] Loaded auxiliary/scanner/http/dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/copy_of_file ...
[*] Loaded auxiliary/scanner/http/file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/dir_listing ...
[*] Loaded auxiliary/scanner/http/brute_dirs ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/dir_scanner ...
[*] Loaded auxiliary/scanner/http/backup_file ...
[*] Loaded auxiliary/scanner/http/trace_axd ...

=[ Unique Query testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/error_sql_injection ...
[*] Loaded auxiliary/scanner/http/blind_sql_query ...

=[ Query testing ]=
============================================================

=[ General testing ]=
============================================================
[*] Analysis completed in 52.9915919303894 seconds.
[*] Done.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Note:
For a help: wmap_run -h
In wmap/date/ You can find various configuration file as an
example of the profile, activated with wmap_run -e path/profile
If you would like to limit the WMAP test to a specific set of modules, you can use a profile file.
Profiles can be specified via additional arguments to the wmap_run command.

msf > wmap_run -e path/to/profile/file

The profile file contains the list of modules to execute. See data/wmap/wmap_sample.profile for a sample.
Conclusion¶

To launch the modules, execute wmap_run with the -e parameter:
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*]  Site: www.target.com (XXX.XXX.XXX.XXX)
[*]  Port: 443 SSL: true
============================================================
[*] Testing started. Fri Mar 25 14:14:33 +0100 2011

Reporting¶
Currently, the results of the WMAP scan are stored in the database.
The database can be used to build custom reporting tools, or queried directly from the console:

msf > db_notes
[*] Time: Fri Mar 25 13:15:21 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=http.vhost data={:name=>"www.target.com"}
[*] Time: Fri Mar 25 13:15:21 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=ssl.certificate data={:cn=>"www.target.com", :subject=>[["serialNumber", "xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx", xx], ["C", "US", 19], ["O", "www.target.com", 19], ["OU", "TX", 19], ["OU", "See www.trust.com/resources/cps (c)11", 19], ["OU", "Domain Control Validated - QuickSSL(R) Premium", 19], ["CN", "www.target.com", 19]], :algorithm=>"sha1WithRSAEncryption"}
[*] Time: Fri Mar 25 13:15:38 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=HTTP_OPTIONS data="OPTIONS, TRACE, GET, HEAD, POST"
[*] Time: Fri Mar 25 13:23:19 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/intro.htm Code: 200"
[*] Time: Fri Mar 25 13:33:15 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/css Code: 301"
[*] Time: Fri Mar 25 13:33:24 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/images Code: 301"
[*] Time: Fri Mar 25 13:33:37 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/script Code: 301"
[*] Time: Fri Mar 25 13:34:23 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/script Code: 404"
[*] Time: Fri Mar 25 13:44:58 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/css/ Code: 403"
[*] Time: Fri Mar 25 13:45:29 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/images/ Code: 403"
[*] Time: Fri Mar 25 13:46:00 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/script/ Code: 403"

msf > db_vulns
[*] Time: Fri Mar 25 13:15:40 UTC 2011 Vuln: host=XXX.XXX.XXX.XXX port=443 proto=tcp name=HTTP-TRACE-ENABLED refs=BAhbByIIQ1ZFIg4yMDA1LTMzOTg=
,BAhbByIIQ1ZFIg4yMDA1LTM0OTg=
,BAhbByIKT1NWREIiCDg3Nw==
,BAhbByIIQklEIgoxMTYwNA==
,BAhbByIIQklEIgk5NTA2
,BAhbByIIQklEIgk5NTYx

msf >
The vulnerability information is encoded in base64-format so we will need to decode. We can use openssl for this.
msf > echo "BAhbByIIQ1ZFIg4yMDA1LTMzOTg=" | openssl base64 -d
[*] exec: echo "BAhbByIIQ1ZFIg4yMDA1LTMzOTg=" | openssl base64 -d

[CVE"2005-3398 
msf >

We can now use this information to gather further information on the reported vulnerability.
As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.

To get CVE details we can use our friend google
http://www.google.com/custom?q=2005-3398+site:http:\\www.cve.mitre.org