Monday, November 24, 2008

Metasploit and WMAP


What is WMAP

"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not built around any browser or spider for data capture and manipulation."

Getting it all up & running

Readme is here:
http://www.metasploit.com/dev/trac/browser/framework3/trunk/documentation/wmap.txt

Step 1: Download, patch, and install ratproxy
http://code.google.com/p/ratproxy/

Documentation: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
Code (at time of this posting): http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz

Step 2: Run ratproxy and browse the site you are targeting; this populates the database that wmap will use.

**You'll need to create the database first.

msf > db_create wmaptest.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmaptest.db


Step 3: Run metasploit, load necessary plugins, and run the wmap modules.

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect wmaptest.db
[*] Successfully connected to the database
[*] File: wmaptest.db


Show the targets. This is populated by browsing a site with ratproxy.


msf > wmap_targets
[*] Usage: wmap_targets [options]
-h Display this help text
-p Print all available targets
-r Reload targets table
-s [id] Select target for testing

msf > wmap_targets -r
[*] Added. 192.168.0.100 80 0
[*] Added. 64.233.187.99 80 0

msf > wmap_targets -p
[*] Id. Host Port SSL
[*] Added. 192.168.0.100 80 0
[*] Added. 64.233.187.99 80 0
[*] Done.



Select a target and run the print command again to ensure the right target was selected.


msf > wmap_targets -s 1
Host Port SSL
[*] => 1. 192.168.0.100 80
[*] 2. 64.233.187.99 80
[*] Done.


Display the website structure.

msf > wmap_website
[*] Website structure
[*] 192.168.0.100:80 SSL:0
ROOT_TREE
| web
| | css
| | +------gonav.css
| | web
| | | images
| | | +------storepic_4.jpg
| | | +------storepic_264.jpg
| | | +------20080717105615.jpg
| | | +------storepic_125.jpg
| | +------index.php
| | | pic
| | | | part
| | | | +------index_line_1.gif
| | | +------top_index.gif
| | | +------username.gif
| | | +------tail_bg.gif
| | | +------head_bg.gif
| | | +------login_bg.gif
[*] Done.



[*] Usage: wmap_run [options]
-h Display this help text
-t Show all matching exploit modules
-e Launch exploits against all matched targets


Show the available modules for wmap.

msf > wmap_run -t
[*] Loaded auxiliary/scanner/http/wmap_ssl_vhost ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/frontpage ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Analysis completed in 1.30465912818909 seconds.
[*] Done.


Run wmap, then go get a (rum &) coke, because the bruteforce directory modules are going to take a while.

msf > wmap_run -e
[*] Launching auxiliary/scanner/http/wmap_ssl_vhost WMAP_SERVER against 192.168.0.100:80
[*] Error: 192.168.0.100
[*] Launching auxiliary/scanner/http/frontpage_login WMAP_SERVER against 192.168.0.100:80
[*] http://192.168.0.100:80/ may not support FrontPage Server Extensions
[*] Launching auxiliary/scanner/http/version WMAP_SERVER against 192.168.0.100:80
[*] 192.168.0.100 is running Apache/2.2.3 (CentOS)( Powered by PHP/5.1.6 )
[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against 192.168.0.100:80
[*] >> Exception during launch from auxiliary/scanner/http/wmap_vhost_scanner: The following options failed to validate: DOMAIN.
[*] Launching auxiliary/scanner/http/options WMAP_SERVER against 192.168.0.100:80
[*] 192.168.0.100 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against 192.168.0.100:80
[*] http://192.168.0.100:80 is running Apache/2.2.3 (CentOS)
[*] FrontPage not found on http://192.168.0.100:80 [404 Not Found]
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR / against 192.168.0.100:80...
[-] Blank or default PATH set.
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR /web/ against 192.168.0.100:80...

---SNIP---

msf > wmap_reports
[*] Usage: wmap_reports [options]
-h Display this help text
-p Print all available reports
-s [id] Select report for display


Show available reports.

msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Sat Nov 22 22:37:04 -0500 2008 192.168.0.100,80,0
[*] Done.


Show your report.

msf > wmap_reports -s 1
WMAP REPORT: 192.168.0.100,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /administrator/ Directory /administrator/ found. [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /class/ Directory /class/ found. [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY NAME: /db/ Directory /db/ found. [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY NAME: /error/ Directory /error/ found. [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY NAME: /icons/ Directory /icons/ found. [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY NAME: /includes/ Directory /includes/ found. [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY NAME: /js/ Directory /js/ found. [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY NAME: /manual/ Directory /manual/ found. [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY NAME: /template/ Directory /template/ found. [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY NAME: /upload/ Directory /upload/ found. [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY NAME: /usage/ Directory /usage/ found. [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY NAME: /web/class/ Directory /web/class/ found. [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY NAME: /web/css/ Directory /web/css/ found. [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY NAME: /web/db/ Directory /web/db/ found. [Sat Nov 22 23:01:26 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:26 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY DIR_LISTING: /web/web/pic/ Directory /web/web/pic/ discloses its contents. [Sat Nov 22 23:02:40 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.
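On a larger site the report above runs to hundreds of lines, so it helps to parse it rather than read it. The following Ruby is an added example, not part of WMAP or Metasploit: it parses the text format that wmap_reports -s prints into findings and ranks them for remediation. The sample report lines, the list of directories treated as sensitive, and the severity labels are all constructed for this example.

```ruby
# Added example (not WMAP/Metasploit code): parse "wmap_reports -s <id>" text into findings and rank them.
# Constructed sample in the same shape as the report above.
SAMPLE_REPORT = <<~REPORT
  WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
  WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
  DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
  DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
  DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
  DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
  VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
  VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
  [*] Done.
REPORT

# Report lines look like "SECTION KEY: value [timestamp]"; "[*] Done." does not match and is skipped.
LINE_RE = /\A(\S+) (\S+): (.*?) \[(.*)\]\z/

def parse_wmap_report(text)
  findings = []
  pending_dir = nil # a DIRECTORY NAME line is followed by its RESP_CODE line
  text.each_line do |raw|
    m = LINE_RE.match(raw.strip) or next
    section, key, value, stamp = m.captures
    case [section, key]
    when %w[WEB_SERVER TYPE] then findings << { type: :server, value: value, at: stamp }
    when %w[WEB_SERVER OPTIONS] then findings << { type: :methods, value: value.split(','), at: stamp }
    when %w[DIRECTORY NAME] then pending_dir = value.split(' ').first
    when %w[DIRECTORY RESP_CODE]
      findings << { type: :directory, path: pending_dir, code: value.to_i, at: stamp }
    when %w[VULNERABILITY DIR_LISTING], %w[VULNERABILITY PUT_ENABLED]
      findings << { type: :vuln, kind: key, path: value.split(' ').first, at: stamp }
    end
  end
  findings
end

# Directories worth a closer look when they answer 200, and the severity labels: this example's own choices.
SENSITIVE_DIRS = %w[/admin/ /administrator/ /db/ /upload/ /includes/ /manual/]
def triage(findings)
  items = findings.map do |f|
    case f[:type]
    when :vuln then [f[:kind] == 'PUT_ENABLED' ? :high : :medium, "#{f[:kind]} on #{f[:path]}"]
    when :directory
      [:medium, "sensitive directory #{f[:path]} answers 200"] if f[:code] == 200 && SENSITIVE_DIRS.include?(f[:path])
    when :methods
      [:low, 'TRACE method enabled'] if f[:value].include?('TRACE')
    end
  end
  items.compact.sort_by { |sev, _| { high: 0, medium: 1, low: 2 }[sev] }
end
```

Feed it the saved output of wmap_reports -s instead of SAMPLE_REPORT and the PUT_ENABLED finding sorts to the top, which is where it belongs on the fix list.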


Finish your pwnage...errr pentest.
CG

8 comments:

Mark Linton said...

Great explanation of the use of WMAP. I'd be interested to see the next step --> using the WMAP results to launch an exploit using a different metasploit plugin.

Thanks again!

Anonymous said...

yep, I am watching this project closely too, but more exciting is the new Burp coming sometime in December ;)

Anonymous said...

Unfortunately, ratproxy with the metasploit patch applied will consume all system resources and make this all undoable.

Anonymous said...

Fortunately, you have a brain to figure out how to make it doable.

Anonymous said...

Works like a charm here :)
No system resources hog at all :)
Though the auxiliary/scanner/http/wmap_brute_dirs was rather boring waiting on... Ctrl-C was my best friend here in my test.

CG said...

@tim I obviously got it to work. I did experience some issues with many windows open; just browsing one site I had no problems.

@bob thanks!?!?

Anonymous said...

msf > load db_sqlite3.rb
[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3.rb: No classes were loaded from /pentest/exploits/framework3/plugins/db_sqlite3.rb in the Msf::Plugin namespace.

Do you have a solution? (It's the latest svn.)

CG said...

@anonymous

Looks like you don't have sqlite installed, but that is about the extent of my support for BackTrack.

build your own distro and you'll know what's on it.