WMAP is implemented as a Metasploit plugin and depends on an active database to function. The database is used to store a list of target URLs as well as the results of the WMAP modules. To get started with WMAP, the database needs to be configured and at least one target must be added. In most situations, you would bring target data into WMAP through a spider, proxy, or export from another tool. In the example below we will use the msf http crawler module to add a target and demonstrate the process.
Install these packages:
Start the Metasploit Framework¶
Open the Metasploit Framework Console (msfconsole):
Crawling the target
Load the scanner
Define target
Launch the scan
Load the WMAP plugin
Check the crawler results
Note: If a test module requires a specific parameter to be set or we want to modify the value of a predefined variable,
this can be done with the 'setg' command.
Example:
Select the target
To view the targets:
Running WMAP modules¶
Now that a target has been selected, You can obtain a list of what WMAP modules are available using the wmap_run -t command:
Note:
For a help: wmap_run -h
In wmap/date/ You can find various configuration file as an
example of the profile, activated with wmap_run -e path/profile
If you would like to limit the WMAP test to a specific set of modules, you can use a profile file.
Profiles can be specified via additional arguments to the wmap_run command.
The profile file contains the list of modules to execute. See data/wmap/wmap_sample.profile for a sample.
Conclusion¶
To launch the modules, execute wmap_run with the -e parameter:
Reporting¶
Currently, the results of the WMAP scan are stored in the database.
The database can be used to build custom reporting tools, or queried directly from the console:
We can now use this information to gather further information on the reported vulnerability.
As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.
To get CVE details we can use our friend google
http://www.google.com/custom?q=2005-3398+site:http:\\www.cve.mitre.org
Install these packages:
sudo apt-get install libxml-ruby libxml2-dev sudo apt-get install libxslt-ruby libxslt-dev sudo apt-get install libnokogiri-rubyor
gem install robots gem install nokogiri sudo gem install anemone
Start the Metasploit Framework¶
Open the Metasploit Framework Console (msfconsole):
$ ./msconsole
# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 669 exploits - 345 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12131 updated today (2011.03.25)
msf >
Select the database driver (for this tutorial I use the sqlite3 driver but if you have an postesql up you can use it with db_driver postgresql).msf > db_driver sqlite3 [*] Using database driver sqlite3Create a database
msf> db_connect wmap_test [-] Note that sqlite is not supported due to numerous issues. [-] It may work, but don't count on it [*] Creating a new database file... [*] Successfully connected to the database [*] File: wmap_test
Crawling the target
Load the scanner
msf > use scanner/http/crawler msf auxiliary(crawler) > show options Module options (auxiliary/scanner/http/crawler): Name Current Setting Required Description ---- --------------- -------- ----------- MAX_MINUTES 5 yes The maximum number of minutes to spend on each URL MAX_PAGES 500 yes The maximum number of pages to crawl per URL MAX_THREADS 4 yes The maximum number of concurrent requests Proxies no Use a proxy chain RHOST yes The target address RPORT 80 yes The target port URI / yes The starting page to crawl VHOST no HTTP server virtual host msf auxiliary(crawler) >
Define target
msf auxiliary(crawler) > set RHOST www.target.com msf auxiliary(crawler) > set RPORT 443
Launch the scan
msf auxiliary(crawler) > run [*] Crawling https://www.target.com [*] [00001/00500] 200 - www.target.com - https://www.target.com/ [*] FORM: POST /index.asp [*] [00002/00500] 200 - www.target.com - https://www.target.com/index.asp?lg=EN [*] FORM: GET /index.asp [*] FORM: POST /index.asp [*] [00003/00500] 200 - www.target.com - https://www.target.com/index.asp?lg=FR [*] FORM: GET /index.asp [*] FORM: POST /index.asp [*] [00004/00500] 200 - www.target.com - https://www.target.com/index.asp [*] FORM: POST /index.asp [*] Crawl of https://www.target.com:443/ complete [*] Auxiliary module execution completed
Load the WMAP plugin
msf > load wmap [*] [WMAP 1.0] === et [ ] metasploit.com 2011 [*] Successfully loaded plugin: wmap
Check the crawler results
msf > wmap_sites -l
Available sites
===============
Id Host Vhost Port # Pages # Forms
-- ---- ----- ---- ------- -------
0 XXX.XXX.XXX.XXX www.target.com 443 4 3
Note: If a test module requires a specific parameter to be set or we want to modify the value of a predefined variable,
this can be done with the 'setg' command.
Example:
msf > setg VHOST www.target.com
msf > setg DOMAIN target.com
msf > setg EXT .asp
msf > setg WMAP_EXCLUDE_FILE
Select the target
msf > wmap_targets -t www.target.com:443,XXX.XXX.XXX.XXX:443
To view the targets:
msf > wmap_targets -l
Defined targets
===============
Id Vhost Host Port SSL Path
-- ----- ---- ---- --- ----
0 www.target.com XXX.XXX.XXX.XXX 443 true
Running WMAP modules¶
Now that a target has been selected, You can obtain a list of what WMAP modules are available using the wmap_run -t command:
msf > wmap_run -t wmap_run -t [*] Testing target: [*] Site: www.target.com (XXX.XXX.XXX.XXX) [*] Port: 443 SSL: true ============================================================ [*] Testing started. Fri Mar 25 14:12:23 +0100 2011 =[ SSL testing ]= ============================================================ [*] Loaded auxiliary/scanner/http/ssl ... [*] Loaded auxiliary/scanner/http/cert ... =[ Web Server testing ]= ============================================================ [*] Loaded auxiliary/scanner/http/verb_auth_bypass ... [*] Loaded auxiliary/scanner/http/robots_txt ... [*] Loaded auxiliary/admin/http/tomcat_administration ... [*] Loaded auxiliary/scanner/http/webdav_internal_ip ... [*] Loaded auxiliary/scanner/http/webdav_website_content ... [*] Loaded auxiliary/scanner/http/http_version ... [*] Loaded auxiliary/scanner/http/frontpage_login ... [*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ... [*] Loaded auxiliary/scanner/http/webdav_scanner ... [*] Loaded auxiliary/scanner/http/web_vulndb ... [*] Loaded auxiliary/scanner/http/vhost_scanner ... [*] Loaded auxiliary/scanner/http/options ... [*] Loaded auxiliary/scanner/http/open_proxy ... [*] Loaded auxiliary/scanner/http/svn_scanner ... =[ File/Dir testing ]= ============================================================ [*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ... [*] Loaded auxiliary/scanner/http/files_dir ... [*] Loaded auxiliary/scanner/http/replace_ext ... [*] Loaded auxiliary/scanner/http/dir_webdav_unicode_bypass ... [*] Loaded auxiliary/scanner/http/copy_of_file ... [*] Loaded auxiliary/scanner/http/file_same_name_dir ... [*] Loaded auxiliary/scanner/http/dir_listing ... [*] Loaded auxiliary/scanner/http/brute_dirs ... [*] Loaded auxiliary/scanner/http/writable ... [*] Loaded auxiliary/scanner/http/prev_dir_same_name_file ... [*] Loaded auxiliary/scanner/http/dir_scanner ... [*] Loaded auxiliary/scanner/http/backup_file ... [*] Loaded auxiliary/scanner/http/trace_axd ... =[ Unique Query testing ]= ============================================================ [*] Loaded auxiliary/scanner/http/error_sql_injection ... [*] Loaded auxiliary/scanner/http/blind_sql_query ... =[ Query testing ]= ============================================================ =[ General testing ]= ============================================================ [*] Analysis completed in 52.9915919303894 seconds. [*] Done. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Note:
For a help: wmap_run -h
In wmap/date/ You can find various configuration file as an
example of the profile, activated with wmap_run -e path/profile
If you would like to limit the WMAP test to a specific set of modules, you can use a profile file.
Profiles can be specified via additional arguments to the wmap_run command.
msf > wmap_run -e path/to/profile/file
The profile file contains the list of modules to execute. See data/wmap/wmap_sample.profile for a sample.
Conclusion¶
To launch the modules, execute wmap_run with the -e parameter:
msf > wmap_run -e [*] Using ALL wmap enabled modules. [*] Testing target: [*] Site: www.target.com (XXX.XXX.XXX.XXX) [*] Port: 443 SSL: true ============================================================ [*] Testing started. Fri Mar 25 14:14:33 +0100 2011
Reporting¶
Currently, the results of the WMAP scan are stored in the database.
The database can be used to build custom reporting tools, or queried directly from the console:
msf > db_notes
[*] Time: Fri Mar 25 13:15:21 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=http.vhost data={:name=>"www.target.com"}
[*] Time: Fri Mar 25 13:15:21 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=ssl.certificate data={:cn=>"www.target.com", :subject=>[["serialNumber", "xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx", xx], ["C", "US", 19], ["O", "www.target.com", 19], ["OU", "TX", 19], ["OU", "See www.trust.com/resources/cps (c)11", 19], ["OU", "Domain Control Validated - QuickSSL(R) Premium", 19], ["CN", "www.target.com", 19]], :algorithm=>"sha1WithRSAEncryption"}
[*] Time: Fri Mar 25 13:15:38 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=HTTP_OPTIONS data="OPTIONS, TRACE, GET, HEAD, POST"
[*] Time: Fri Mar 25 13:23:19 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/intro.htm Code: 200"
[*] Time: Fri Mar 25 13:33:15 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/css Code: 301"
[*] Time: Fri Mar 25 13:33:24 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/images Code: 301"
[*] Time: Fri Mar 25 13:33:37 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/script Code: 301"
[*] Time: Fri Mar 25 13:34:23 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/script Code: 404"
[*] Time: Fri Mar 25 13:44:58 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/css/ Code: 403"
[*] Time: Fri Mar 25 13:45:29 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/images/ Code: 403"
[*] Time: Fri Mar 25 13:46:00 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/script/ Code: 403"
msf > db_vulns
[*] Time: Fri Mar 25 13:15:40 UTC 2011 Vuln: host=XXX.XXX.XXX.XXX port=443 proto=tcp name=HTTP-TRACE-ENABLED refs=BAhbByIIQ1ZFIg4yMDA1LTMzOTg=
,BAhbByIIQ1ZFIg4yMDA1LTM0OTg=
,BAhbByIKT1NWREIiCDg3Nw==
,BAhbByIIQklEIgoxMTYwNA==
,BAhbByIIQklEIgk5NTA2
,BAhbByIIQklEIgk5NTYx
msf >
The vulnerability information is encoded in base64-format so we will need to decode. We can use openssl for this.msf > echo "BAhbByIIQ1ZFIg4yMDA1LTMzOTg=" | openssl base64 -d [*] exec: echo "BAhbByIIQ1ZFIg4yMDA1LTMzOTg=" | openssl base64 -d [CVE"2005-3398 msf >
We can now use this information to gather further information on the reported vulnerability.
As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.
To get CVE details we can use our friend google
http://www.google.com/custom?q=2005-3398+site:http:\\www.cve.mitre.org
Hi DarK!
ReplyDeleteRegarding the business about un-Base64'ing vuln data -- this was actually a bug, so thanks for reporting it! I just closed it up: http://www.metasploit.com/redmine/issues/4026 -- so for future scanning, you shouldn't have to deal with this whole shelling out business.
The bug appears to be limited to the reporting of the HTTP TRACE vuln -- all the other web vulns we check for report their vulns in the normal (non-serialized) way.
Thanks!