The Web Local

WMAP (Metasploit Module)

 

WMAP is a general-purpose web application scanning framework recently incorporated into Metasploit 3. In the WMAP design, the attack proxy acts as a data-gathering tool: all traffic between the client(s) (i.e. your favourite browser and/or spider) and the target web application passes through the proxy and is stored in the MSF database.

 

 

WMAP is a Metasploit plugin that interacts with the database, reading all the gathered traffic, processing it and launching the different tests, which are implemented as modules. As WMAP modules are ordinary MSF modules they are easy to implement, and they can be run manually from the command line or automatically via WMAP.

 

At the time of writing WMAP can use/initiate the following (Ruby) modules to conduct its tests against the target website (I'm sure more will be forthcoming in the near future :-) ).

 

  • frontpage

  • wmap_ssl_vhost
  • wmap_dir_scanner
  • frontpage_login
  • wmap_replace_ext
  • wmap_dir_listing
  • version
  • wmap_prev_dir_same_name_file
  • wmap_brute_dirs
  • writable
  • wmap_files_dir
  • wmap_blind_sql_query
  • wmap_vhost_scanner
  • wmap_file_same_name_dir
  • wmap_backup_file

 

A detailed explanation of WMAP can be found here

 

Requirements

 

  • Metasploit :-)

  • Ratproxy

  • SQLite3

 

Note: Metasploit requires the following packages:

ruby ruby-irb ruby-libs ruby-rdoc ruby-devel readline rubygems

 

Installation

 

Ratproxy

 

[root@FC9 ~]# wget http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz
--2008-11-27 19:17:13-- http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz
Resolving ratproxy.googlecode.com... 74.125.47.82
Connecting to ratproxy.googlecode.com|74.125.47.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 168409 (164K) [application/x-gzip]
Saving to: `ratproxy-1.51.tar.gz'
100%[======================================>] 168,409 54.2K/s in 3.0s
2008-11-27 19:17:16 (54.2 KB/s) - `ratproxy-1.51.tar.gz' saved [168409/168409]
[root@FC9]# tar -zxvf ratproxy-1.51.tar.gz

 

Now we need to patch ratproxy with the supplied patch in metasploit:


[root@FC9 ratproxy]# patch -d . < /framework-3.2/external/ratproxy/ratproxy_wmap.diff
patching file Makefile
patching file ratproxy.c
patching file http.c
[root@FC9 ratproxy]# make  [DONE]

 

SQLite 3

 

[root@FC9 ~]# yum install sqlite3

 

We also need sqlite3-ruby, which I installed from within the Metasploit msfconsole itself:

 

msf > gem install sqlite3-ruby
[*] exec: gem install sqlite3-ruby

Building native extensions. This could take a while...
Successfully installed sqlite3-ruby-1.2.4
1 gem installed
Installing ri documentation for sqlite3-ruby-1.2.4...
Installing RDoc documentation for sqlite3-ruby-1.2.4...

 

Execution:

 

Load the database plugins and create a WMAP testing database:

 

./msfconsole

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create wmapper.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmapper.db
msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect wmapper.db
[*] Successfully connected to the database
[*] File: wmapper.db

 

Start Ratproxy:

 

[root@FC9 ratproxy]# ./ratproxy -v /framework-3.2/ -b wmapper.db
ratproxy version 1.51-beta by <lcamtuf@google.com>

[!] WARNING: Running with no 'friendly' domains specified. Many cross-domain
checks will not work. Please consult the documentation for advice.
[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...

Change your proxy settings in Firefox to use port 8080, then browse to the target website so that the traffic is captured:

 

msf > wmap_targets
[*] Usage: wmap_targets [options]
-h Display this help text
-p Print all available targets
-r Reload targets table
-s [id] Select target for testing

msf > wmap_targets -r
[*] Added. 107.86.156.139 80 0
[*] Added. 107.86.156.142 80 0

msf > wmap_targets -p
[*] Id. Host Port SSL
[*] 1. 107.86.156.139 80
[*] 2. 107.86.156.142 80
[*] Done.

Select the instance you wish to test against (in this case instance 1):

 

msf > wmap_targets -s 1

 

Use wmap_website to quickly review the website's structure as captured by the proxy:


msf > wmap_website
[*] Website structure
[*] 107.86.156.139:80 SSL:0
ROOT_TREE
| styles
| +------style2.css
[*] Done.
 

Load any available modules:

 

msf > wmap_run -t
[*] Loaded auxiliary/scanner/http/frontpage ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/wmap_ssl_vhost ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Analysis completed in 2.4388530254364 seconds.
[*] Done.
 

Run the available modules:

 

msf > wmap_run -e
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against 107.86.156.139:80
[*] http://107.86.156.139:80 is running Microsoft-IIS/6.0
[*] FrontPage not found on http://107.86.156.139:80 [404 Not Found]
[*] Launching auxiliary/scanner/http/frontpage_login WMAP_SERVER against 107.86.156.139:80
[*] http://107.86.156.139:80/ may not support FrontPage Server Extensions
[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against 107.86.156.139:80
[*] Launching auxiliary/scanner/http/version WMAP_SERVER against 107.86.156.139:80
[*] 107.86.156.139 is running Microsoft-IIS/6.0 ( Powered by ASP.NET )
[*] Launching auxiliary/scanner/http/wmap_ssl_vhost WMAP_SERVER against 107.86.156.139:80
[*] Error: 107.86.156.139 unknown protocol
[*] Launching auxiliary/scanner/http/wmap_prev_dir_same_name_file WMAP_DIR / against 107.86.156.139:80...
[-] Blank or default PATH set.
[*] Launching auxiliary/scanner/http/wmap_prev_dir_same_name_file WMAP_DIR /styles/ against 107.86.156.139:80
[*] NOT Found http://107.86.156.139:80/styles.null
[*] NOT Found http://107.86.156.139:80/styles.backup
--------- ABRIDGED --------------
[*] Launching auxiliary/scanner/http/wmap_backup_file WMAP_FILE /styles/style2.css against 107.86.156.139:80
[*] NOT Found http://107.86.156.139:80/styles/style2.css.backup
[*] NOT Found http://107.86.156.139:80/styles/style2.css.bak
[*] NOT Found http://107.86.156.139:80/styles/style2.css.copy
[*] NOT Found http://107.86.156.139:80/styles/style2.css.old
[*] NOT Found http://107.86.156.139:80/styles/style2.css.orig
[*] NOT Found http://107.86.156.139:80/styles/style2.css.temp
[*] NOT Found http://107.86.156.139:80/styles/style2.css.txt
[*] NOT Found http://107.86.156.139:80/styles/style2.css~
[*] NOT Found http://107.86.156.139:80/styles/.style2.css.swp
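To make the two steps above concrete, here is an added Ruby example (not code from the WMAP plugin or from this page) that reproduces the idea behind wmap_website and wmap_backup_file offline: it folds a constructed list of captured request paths into the same ROOT_TREE layout, derives the nine backup/swap-file candidates the scan above requested for each file, and then, from the defender's side, checks a local web root for any of those leftovers so they can be removed before a scanner finds them. The captured paths, the temporary web root and the stray style2.css.bak are all constructed for the demo.

```ruby
require 'tmpdir'
require 'fileutils'

# Backup/editor-leftover variants probed by wmap_backup_file in the run above.
# Eight are suffixes; the vim swap file is a dotfile prefix plus ".swp".
BACKUP_SUFFIXES = %w[.backup .bak .copy .old .orig .temp .txt ~].freeze

# Constructed sample of request paths, as the proxy would have captured them.
CAPTURED_PATHS = [
  '/',
  '/styles/style2.css',
  '/index.html',
  '/forum/',
  '/forum/index.php?topic=1'
].freeze

# Fold request paths into a nested hash: directories map to hashes, files to nil.
def build_tree(paths)
  tree = {}
  paths.each do |raw|
    path = raw.split('?', 2).first          # drop the query string
    parts = path.split('/').reject(&:empty?)
    next if parts.empty?                     # "/" has no segments
    node = tree
    parts.each_with_index do |seg, i|
      last = (i == parts.length - 1)
      if !last || path.end_with?('/')        # directory component
        node[seg] = {} unless node[seg].is_a?(Hash)
        node = node[seg]
      else                                   # leaf file
        node[seg] = nil unless node.key?(seg)
      end
    end
  end
  tree
end

# Render the tree in the layout wmap_website prints under ROOT_TREE.
def render_tree(tree, depth = 0)
  tree.sort_by { |name, _| name }.flat_map do |name, child|
    indent = '| ' * depth
    if child.nil?
      ["#{indent}+------#{name}"]
    else
      ["#{indent}| #{name}"] + render_tree(child, depth + 1)
    end
  end
end

# Absolute paths of every file in the tree.
def file_paths(tree, prefix = '')
  tree.flat_map do |name, child|
    full = "#{prefix}/#{name}"
    child.nil? ? [full] : file_paths(child, full)
  end
end

# The nine candidate names wmap_backup_file requests for one file.
def backup_candidates(file_path)
  dir = File.dirname(file_path)
  base = File.basename(file_path)
  BACKUP_SUFFIXES.map { |s| File.join(dir, base + s) } + [File.join(dir, ".#{base}.swp")]
end

# Defender-side check: which of those candidates actually exist under a web root.
def find_leftover_backups(web_root, files)
  files.flat_map { |f| backup_candidates(f) }
       .select { |c| File.file?(File.join(web_root, c)) }
end

# Build a throwaway web root with one constructed leftover and audit it.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, 'styles'))
    File.write(File.join(root, 'styles', 'style2.css'), 'body {}')
    File.write(File.join(root, 'styles', 'style2.css.bak'), 'body {}')  # constructed leftover
    tree = build_tree(CAPTURED_PATHS)
    puts 'ROOT_TREE', render_tree(tree)
    find_leftover_backups(root, file_paths(tree))   # => ["/styles/style2.css.bak"]
  end
end

demo if $PROGRAM_NAME == __FILE__
```

Run it with `ruby wmap_tree_demo.rb`; pointing find_leftover_backups at a real document root with the file list from wmap_website gives the same answer the scanner would, without sending a single request.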

 

Check the reporting options:


msf > wmap_reports
[*] Usage: wmap_reports [options]
-h Display this help text
-p Print all available reports
-s [id] Select report for display
 

Display all available reports:


msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Thu Nov 27 20:34:28 +0000 2008 107.86.156.139,80,0
[*] Done.
 

Select report instance 1:

 

msf > wmap_reports -s 1
WMAP REPORT: 107.86.156.139,80,0 Metasploit WMAP Report [Thu Nov 27 20:34:28 +0000 2008]
WEB_SERVER TYPE: Microsoft-IIS/6.0 ( Powered by ASP.NET ) [Thu Nov 27 20:34:31 +0000 2008]
DIRECTORY NAME: /News/ Directory /News/ found. [Thu Nov 27 20:49:07 +0000 2008]
DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:49:07 +0000 2008]
DIRECTORY NAME: /contact/ Directory /contact/ found. [Thu Nov 27 20:50:26 +0000 2008]
DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:50:27 +0000 2008]
DIRECTORY NAME: /faq/ Directory /faq/ found. [Thu Nov 27 20:51:08 +0000 2008]
DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:51:08 +0000 2008]
DIRECTORY NAME: /forum/ Directory /forum/ found. [Thu Nov 27 20:51:16 +0000 2008]
DIRECTORY RESP_CODE: 200 [Thu Nov 27 20:51:16 +0000 2008]
DIRECTORY NAME: /images/ Directory /images/ found. [Thu Nov 27 20:51:37 +0000 2008]
DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:51:37 +0000 2008]
DIRECTORY NAME: /resources/ Directory /resources/ found. [Thu Nov 27 20:53:00 +0000 2008]
DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:53:00 +0000 2008]
DIRECTORY NAME: /services/ Directory /services/ found. [Thu Nov 27 20:53:12 +0000 2008]
DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:53:12 +0000 2008]
DIRECTORY NAME: /styles/ Directory /styles/ found. [Thu Nov 27 20:53:37 +0000 2008]
DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:53:37 +0000 2008]
[*] Done.
msf >
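The report above is plain text, so the quickest way to triage a larger one is to parse it. The following is an added Ruby example (not part of the WMAP plugin or of this page) that reads the "SECTION FIELD: value [timestamp]" lines, pairs each DIRECTORY NAME with the RESP_CODE that follows it, and separates the directories that actually served content (200) from those whose name was merely confirmed by a 403. The sample input is the report printed above, embedded as a string so the script runs offline.

```ruby
# Constructed sample: the report printed by "wmap_reports -s 1" above.
SAMPLE_REPORT = <<~'REPORT'
  WMAP REPORT: 107.86.156.139,80,0 Metasploit WMAP Report [Thu Nov 27 20:34:28 +0000 2008]
  WEB_SERVER TYPE: Microsoft-IIS/6.0 ( Powered by ASP.NET ) [Thu Nov 27 20:34:31 +0000 2008]
  DIRECTORY NAME: /News/ Directory /News/ found. [Thu Nov 27 20:49:07 +0000 2008]
  DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:49:07 +0000 2008]
  DIRECTORY NAME: /contact/ Directory /contact/ found. [Thu Nov 27 20:50:26 +0000 2008]
  DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:50:27 +0000 2008]
  DIRECTORY NAME: /faq/ Directory /faq/ found. [Thu Nov 27 20:51:08 +0000 2008]
  DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:51:08 +0000 2008]
  DIRECTORY NAME: /forum/ Directory /forum/ found. [Thu Nov 27 20:51:16 +0000 2008]
  DIRECTORY RESP_CODE: 200 [Thu Nov 27 20:51:16 +0000 2008]
  DIRECTORY NAME: /images/ Directory /images/ found. [Thu Nov 27 20:51:37 +0000 2008]
  DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:51:37 +0000 2008]
  DIRECTORY NAME: /resources/ Directory /resources/ found. [Thu Nov 27 20:53:00 +0000 2008]
  DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:53:00 +0000 2008]
  DIRECTORY NAME: /services/ Directory /services/ found. [Thu Nov 27 20:53:12 +0000 2008]
  DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:53:12 +0000 2008]
  DIRECTORY NAME: /styles/ Directory /styles/ found. [Thu Nov 27 20:53:37 +0000 2008]
  DIRECTORY RESP_CODE: 403 [Thu Nov 27 20:53:37 +0000 2008]
  [*] Done.
REPORT

# Each report line is "SECTION FIELD: value [timestamp]".
REPORT_LINE = /\A(?<section>[A-Z_]+) (?<field>[A-Z_]+): (?<value>.*?) \[(?<ts>[^\]]+)\]\z/

# Parse the report into the server banner plus one record per directory,
# pairing each DIRECTORY NAME with the RESP_CODE line that follows it.
def parse_wmap_report(text)
  result = { server: nil, directories: [] }
  current = nil
  text.each_line do |raw|
    m = REPORT_LINE.match(raw.strip)
    next unless m                               # "[*] Done." and the like
    case [m[:section], m[:field]]
    when %w[WEB_SERVER TYPE]
      result[:server] = m[:value]
    when %w[DIRECTORY NAME]
      current = { path: m[:value].split(' ').first, status: nil, seen: m[:ts] }
      result[:directories] << current
    when %w[DIRECTORY RESP_CODE]
      current[:status] = m[:value].to_i if current
      current = nil
    end
  end
  result
end

# Directories that answered 200: reachable content, as opposed to a 403 that
# only proves the directory name exists.
def browsable_directories(report)
  report[:directories].select { |d| d[:status] == 200 }.map { |d| d[:path] }
end

# Number of directories per response code, for a one-line triage summary.
def status_histogram(report)
  report[:directories].each_with_object(Hash.new(0)) { |d, h| h[d[:status]] += 1 }
end

if $PROGRAM_NAME == __FILE__
  report = parse_wmap_report(SAMPLE_REPORT)
  puts "Server: #{report[:server]}"
  puts "Status histogram: #{status_histogram(report).inspect}"
  puts "Browsable: #{browsable_directories(report).join(', ')}"
end
```

On this report the only directory that served content is /forum/; the rest are names the server acknowledged with 403, which is worth knowing when deciding what to look at first.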

 

Okay, nothing startling from the test server, but then I knew it wasn't vulnerable before I tested it :-)

 
References:

 

These I found very useful; I had a few gotchas on my default install, especially with sqlite3-ruby not being installed, which made my life fun till I sorted that one out :-(

http://darkoperator.blogspot.com/2008/10/metasploit-wmap-web-attack-and.html
http://carnal0wnage.blogspot.com/2008/11/metasploit-and-wmap_24.html
http://code.google.com/p/ratproxy/wiki/RatproxyDoc

 

Code:
 

Ratproxy is available from http://code.google.com/p/ratproxy/
