WMAP Web Scanner
From Metasploit Unleashed
WMAP is a feature-rich web vulnerability scanner that was originally created from a tool named SQLMap. This tool is integrated with Metasploit and allows us to conduct webapp scanning from within the Framework.
We begin by first creating a new database to store our scan results in, then load the "wmap" plugin and run "help" to see what new commands are available to us.
msf > db_connect -y /opt/framework/config/database.yml
msf > load wmap
[*] [WMAP 1.0] === et [ ] metasploit.com 2011
[*] Successfully loaded plugin: wmap
msf > help

Wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets

...snip...
Prior to running a scan, we first need to add a new target URL by passing the "-a" switch to "wmap_sites". Afterwards, running "wmap_sites -l" will print out the available targets.
msf > wmap_sites -h
[*] Usage: wmap_targets [options]
        -h                  Display this help text
        -a [url]            Add site (vhost,url)
        -l                  List all available sites
        -s [urls] (level)   Display site structure (vhost,url)

msf > wmap_sites -a http://192.168.1.100
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host           Vhost          Port  # Pages  # Forms
     --  ----           -----          ----  -------  -------
     0   192.168.1.100  192.168.1.100  80    0        0

msf >
Next, we add the site as a target with "wmap_targets".
msf > wmap_targets -t http://192.168.1.100
Using the "wmap_run" command will scan the target system.
msf > wmap_run -h
[*] Usage: wmap_run [options]
        -h                        Display this help text
        -t                        Show all enabled modules
        -m [regex]                Launch only modules that name match provided regex.
        -e [/path/to/profile]     Launch profile modules against all matched targets.
                                  No file runs all enabled modules.
We first use the "-t" switch to list the modules that will be used to scan the remote system.
msf > wmap_run -t
[*] Testing target:
[*]     Site: 192.168.1.100 (192.168.1.100)
[*]     Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*]
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
..snip...
msf >
All that remains now is to actually run the scan against our target URL.
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*]     Site: 172.16.2.207 (172.16.2.207)
[*]     Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:57:51 -0500
..snip...
Once the scan has finished executing, we take a look at the database to see if wmap found anything of interest.
msf > hosts -c address,svcs,vulns
Hosts
=====
address        svcs  vulns
-------        ----  -----
192.168.1.100  1     1
msf >
Looking at the above output, we can see that wmap has reported one vulnerability. Running "vulns" will list the details for us.
msf > vulns
[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
msf >
We can now use this output to gather further details on the reported vulnerability. As pentesters, we would want to investigate each finding further and identify if there are potential methods for attack.
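One way to turn the "vulns" output above into structured records for triage and reporting, with the references grouped by source so each CVE can be looked up. This is an added example, not part of the original page or of Metasploit; parse_vulns and cve_ids are hypothetical names, and the key list is assumed from the fields visible in the output above.

```ruby
require 'time'

# Constructed sample: the "vulns" console output shown on this page.
SAMPLE_VULNS = <<~OUT
  msf > vulns
  [*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
  msf >
OUT

# Assumption: only the keys visible in the page's output are recognised.
KEYS = 'host|port|proto|name|refs'
VULN_LINE = /\A\[\*\] Time: (?<time>.+?) Vuln: (?<fields>.+)\z/
# A value runs until the next known key or end of line, so a name may contain spaces.
FIELD = /(#{KEYS})=(.*?)(?=\s(?:#{KEYS})=|\z)/

# Returns one hash per "Vuln:" line; prompts and other console output are skipped.
def parse_vulns(text)
  text.each_line.map do |line|
    m = VULN_LINE.match(line.strip)
    next unless m

    kv = m[:fields].scan(FIELD).to_h
    refs = kv.fetch('refs', '').split(',')
    {
      time: Time.parse(m[:time]).utc,
      host: kv['host'],
      port: kv['port'] && Integer(kv['port'], 10),
      proto: kv['proto'],
      name: kv['name'],
      # Group references by their source prefix: CVE, OSVDB, BID.
      refs: refs.group_by { |r| r.split('-', 2).first }
    }
  end.compact
end

# Sorted, de-duplicated CVE identifiers across all findings.
def cve_ids(findings)
  findings.flat_map { |f| f[:refs].fetch('CVE', []) }.uniq.sort
end

if __FILE__ == $PROGRAM_NAME
  parse_vulns(SAMPLE_VULNS).each do |f|
    puts "#{f[:host]}:#{f[:port]} #{f[:name]} -> #{f[:refs].keys.join(', ')}"
  end
end
```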
