Shulou(Shulou.com)06/01 Report--

Metasploit is an extremely powerful testing framework that contains a large number of modules. However, the large number of modules makes it very inconvenient to use. So there is WMAP. This tool can use multiple modules at a time and save the results in the database, which is very convenient.

Because in the process of learning, when searching on Baidu, I couldn't find the articles specifically described by WMAP, so I planned to translate an English tutorial to make it more convenient for everyone to learn.

The following is the text of the article:

What is WMAP?

WMAP is a multi-functional network application vulnerability scanner originally created by SQLMap. This tool is integrated into Metasploit and can be launched from Metasploit Framework for website scanning.

Vulnerability scanning with WMAP

We first need to create a database to hold our WMAP scan results, load the "wmap" plug-in, and then type "help" to see which new commands we can use.

Msf > load wmap.-..-..---..---. | | | -'`- ^ -'` -'[WMAP 1.5.1] = = et [] metasploit.com 2012 [*] Successfully loaded plugin: wmapmsf > helpwmap Commands= Command Description-- Wmap_modules Manage wmap modules wmap_nodes Manage nodes wmap_run Test targets wmap_sites Manage sites wmap_targets Manage targets wmap_vulns Display web vulns...snip...wmap command = command description-wmap_modules management Wmap module wmap_nodes management node wmap_run test target wmap_sites management site wmap_targets management target wmap_vulns display scanned vulnerabilities

We need to use "wmap_sites" before scanning. And "- a" parameters to add a new target url. Then, execute the "wmap_sites-l" command to print out all added targets.

Msf > wmap_sites-h [*] Usage: wmap_targets [options]-h Display this help text-a [url] Add site (vhost,url)-l List all available sites-s [id] Display site structure (vhost Url | ids) (level) msf > wmap_sites-a http://172.16.194.172[*] Site created.msf > wmap_sites-l [*] Available sites= Id Host Vhost Port Proto # Pages # Forms- 0 172.16.194.172 172.16.194.172 80 http 0 0msf > wmap_sites-h [*] Usage: wmap_sites [options]-h display help instructions-a [url] add site (vhost Url)-d [ids] Delete sites (separate id with spaces)-l list all sites-s [id] Show url structure (vhost,url | ids) (level)

Next, add a target with the "wmap_targets" command.

Msf > wmap_targets-h [*] Usage: wmap_targets [options]-h Display this help text-t [urls] Define target sites (vhost1,url [space] vhost2,url)-d [ids] Define target sites (id1, id2 Id3...)-c Clean target sites list-l List all target sitesmsf > wmap_targets-t http://172.16.194.172/mutillidae/index.php

Msf > wmap_targets-h [*] Usage: wmap_targets [options]-h shows help instructions-t [urls] use url to define one or more sites that have been added as targets. Url is separated by spaces. (vhost1,url [space] vhost2,url)-d [ids] defines one or more sites that have been added as targets with id. Id are separated by commas. (id1, id2, id3...)-c clear the target list-l shows all targets

After adding targets, we can use'- l'to display all targets.

Msf > wmap_targets-l [*] Defined targets= Id Vhost Host Port SSL Path-0 172.16.194.172 172.16.194.172 80 false / mutillidae/index.php

Use the "wmap_run" command to start scanning the target.

Msf > wmap_run-h [*] Usage: wmap_run [options]-h Display this help text-t Show all enabled modules-m [regex] Launch only modules that name match provided regex. P [regex] Only test path defined by regex. -e [/ path/to/profile] Launch profile modules against all matched targets. (No profile file runs all enabled modules.) msf > wmap_run-h [*] Usage: wmap_run [options]-h display help instructions-t display all available modules-m [regex] enable modules with names matching regular expressions. -p [regex] tests only paths that match regular expressions. -e [/ path/to/profile] enables modules in the configuration for all matching targets. If there is no configuration, all available modules are enabled.

We can use the "- t" parameter to list the modules to be used in the scan.

Msf > wmap_run-t

[*] Testing target:

[*] Site: 192.168.1.100 (192.168.1.100)

[*] Port: 80 SSL: false

[*] =

[*] Testing started. 2012-01-16 15:46:42-0500

[*]

= [SSL testing] =

[*] =

[*] Target is not SSL. SSL modules disabled.

[*]

= [Web Server testing] =

[*] =

[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess...

[*] Loaded auxiliary/admin/http/tomcat_administration...

[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal...

[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal...

.. snip...

Msf >

The remaining step is to start a WMAP scan of our target.

Msf > wmap_run-e [*] Using ALL wmap enabled modules. [-] NO WMAP NODES DEFINED. Executing local modules [*] Testing target: [*] Site: 172.16.194.172 (172.16.194.172) [*] Port: 80 SSL: false=== [*] Testing started 2012-06-27 09:29:13-0400 [*] = [SSL testing] = = [*] Target is not SSL SSL modules disabled. [*] = [Web Server testing] = = [*] Module auxiliary/scanner/http/http_version [*] 172.16.194.172 Apache/2.2.8 (Ubuntu) DAV/2 (Powered by PHP/5.2.4-2ubuntu5.10) [*] Module auxiliary/scanner/http/open_proxy [*] Module auxiliary/scanner/http/robots_txt..snip... [*] Module auxiliary/scanner/http / soap_xml [*] Path: / [*] Server 172.16.194.172 Server 80 returned HTTP 404 for /. Use a different one. [*] Module auxiliary/scanner/http/trace_axd [*] Path: / [*] Module auxiliary/scanner/http/verb_auth_bypass [*] = [Unique Query testing] = = [*] Module auxiliary/scanner/http/blind_sql_query [*] Module auxiliary/scanner/http/error_sql_injection [*] Module auxiliary/scanner/http/http_traversal [*] Module auxiliary/scanner/http/rails_mass_assignment [*] Module exploit/multi/http/lcms_ Php_exec [*] = [Query testing] = = [*] = [General testing] = = + Launch completed in 212.01512002944946 seconds.+++ [*] Done.

After the scan, we can check the database to see what WMAP has found interesting for us.

Msf > wmap_vulns-l [*] + [172.16.194.172] (172.16.194.172): scraper / [*] scraper Scraper [*] GET Metasploitable2-Linux [*] + [172.16.194.172] (172.16.194.172): directory / dav/ [*] directory Directory found. [*] GET Res code: 200 [*] + [172.16.194.172] (172.16.194.172): Directory / cgi-bin/ [*] directory Directoy found. [*] GET Res code: 403...snip...msf >

The above information tells us that WMAP has found an available vulnerability. Execute the "vulns" command to view the details.

Msf > vulns [*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398

After WMAP is used for vulnerability scanning, we can use these scans to gather more in-depth information about the reported vulnerabilities. As testers, we need to investigate each discovery more deeply and find out if there are potential methods.

Summarize the usage of WMAP:

Msf > wmap_sites-a url add url

Msf > wmap_targets-t url add destination

Msf > wmap_run-e start

Msf > vulns to view vulnerability details

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.