
Scan Web Applications Using Metasploit

Updated: Oct 28, 2021

Step 1: Set Up Metasploit Database


The first thing we need to do, if it's not done already, is set up the Metasploit database, because WMAP stores its sites, targets and findings in it and will not run without it. Metasploit uses PostgreSQL, which makes it practical to keep track of the large amount of information gathered during a penetration test: scan results imported from and exported to other tools, discovered credentials, services and other valuable data.

We can initialize the database with the msfdb init command in the terminal. This will create a default database and user for Metasploit to interact with.

msfdb init
```
---[Snippet]---
```
[+] Creating initial database schema

Next, make sure the PostgreSQL service is running with service postgresql start (on a systemd-based system, systemctl start postgresql does the same).

service postgresql start

Now we can fire up Metasploit by typing msfconsole.

msfconsole

Finally, we can check that the database is connected and working properly with the db_status command. It should report a live connection; if it reports no connection instead, check that PostgreSQL is running and re-run msfdb init.

msf > db_status
[*] postgresql connected to msf


Step 2: Load WMAP


It's easy to load the WMAP plugin with the load wmap command.

msf > load wmap

```
---[Snippet]---
```
[*] Successfully loaded plugin: wmap

From here, if we type ? to display Metasploit's help menu, we should see the commands for WMAP and their descriptions at the top of the menu.

msf > ?

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns


Step 3: Add Site to Scan


Type any of the commands without arguments to display its available options. Let's start by managing the sites we wish to scan using wmap_sites.

msf > wmap_sites
[*] Usage: wmap_sites [options]
	-h        Display this help text
	-a [url]  Add site (vhost,url)
	-d [ids]  Delete sites (separate ids with space)
	-l        List all available sites
	-s [id]   Display site structure (vhost,url|ids) (level) (unicode output true/false)

To add a site, use wmap_sites with the -a flag followed by the site address: the scheme and host (plus the port, if it is not the default), without a path. The path is set later as the target.

msf > wmap_sites -a http://172.16.1.102
[*] Site created.

Now we can list the available sites using wmap_sites with the -l flag.

msf > wmap_sites -l
[*] Available sites
===============

     Id  Host          Vhost         Port  Proto  # Pages  # Forms
     --  ----          -----         ----  -----  -------  -------
     0   172.16.1.102  172.16.1.102  80    http   0        0


Step 4: Specify Target URL


Next, we need to set the specific target URL we want to scan using wmap_targets. Targets are paths under one of the defined sites, and they are what wmap_run actually tests.

msf > wmap_targets
[*] Usage: wmap_targets [options]
	-h 		Display this help text
	-t [urls]	Define target sites (vhost1,url[space]vhost2,url)
	-d [ids]	Define target sites (id1, id2, id3 ...)
	-c 		Clean target sites list
	-l  		List all target sites

We can define the target using wmap_targets with the -t flag, followed by the URL.

msf > wmap_targets -t http://172.16.1.102/dvwa/index.php

And use wmap_targets with the -l flag to list the defined targets.

msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost         Host          Port  SSL    Path
     --  -----         ----          ----  ---    ----
     0   172.16.1.102  172.16.1.102  80    false  	/dvwa/index.php

We should be good to go at this point, so the only thing left to do is to run the scanner.


Step 5: Run Scanner


Type wmap_run at the prompt to view the options for this command.

msf > wmap_run
[*] Usage: wmap_run [options]
	-h                        Display this help text
	-t                        Show all enabled modules
	-m [regex]                Launch only modules that name match provided regex.
	-p [regex]                Only test path defined by regex.
	-e [/path/to/profile]     Launch profile modules against all matched targets.
	                          (No profile file runs all enabled modules.)

We can use wmap_run with the -t flag to list all the enabled modules before we scan the target.

msf > wmap_run -t
[*] Testing target:
[*] 	Site: 172.16.1.102 (172.16.1.102)
[*] 	Port: 80 SSL: false
============================================================
```
---[Snippet]---
```
[*]
=[ General testing ]=
============================================================
[*] Done.

The modules fall into a few categories: directory testing, query testing, web server testing and SSL testing. Our target is plain HTTP (SSL: false above), so the SSL modules are disabled for it. To get a detailed description of any listed module, use the info command followed by the module's full path. For example:

msf > info auxiliary/scanner/http/http_version

       Name: HTTP Version Detection
     Module: auxiliary/scanner/http/http_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <x@hdm.io>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  THREADS  1                yes       The number of concurrent threads
  VHOST                     no        HTTP server virtual host

Description:
  Display version information about each system.

Back to scanning. Let's begin the scan with wmap_run and the -e flag. As the help text says, -e launches the modules of a profile file against every matched target, and with no profile file given it runs all enabled modules (-m and -p narrow a run by module name and by path respectively). Expect the scan to send a large number of requests to the target: depending on the site and the number of enabled modules it can take quite some time, and the elapsed time is printed when it finishes.

msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] 	Site: 172.16.1.102 (172.16.1.102)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2018-09-20 10:24:33 -0500
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
```
---[Snippet]---
```
Launch completed in 337.37769508361816 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
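The five steps above are the same every time, so they are worth scripting. The following is an added example, not code from the page or from Metasploit: it writes the interactive commands into a msfconsole resource script and runs it headless with msfconsole -q -r, keeping the console output in a log file. The target URL, log file name and the presence of msfconsole in PATH are assumptions.

```shell
#!/bin/sh
# Added example: drive the WMAP workflow (load plugin, add site, set target,
# run all enabled modules, list findings) from a msfconsole resource script
# so a scan can run unattended. Not part of Metasploit; the URL and file
# names used are assumptions.

# wmap_site_from_url URL
#   Print the scheme://host[:port] part of URL, which is what wmap_sites -a
#   expects; the path belongs to the target, not the site.
wmap_site_from_url() {
  url=$1
  case $url in
    *://*) ;;
    *) printf 'wmap_site_from_url: %s has no scheme\n' "$url" >&2; return 1 ;;
  esac
  scheme=${url%%://*}
  rest=${url#*://}
  hostport=${rest%%/*}
  [ -n "$hostport" ] || { printf 'wmap_site_from_url: %s has no host\n' "$url" >&2; return 1; }
  printf '%s://%s\n' "$scheme" "$hostport"
}

# wmap_rc URL
#   Print a resource script that repeats the interactive steps for URL.
#   db_status goes first so a missing database shows up at the top of the log.
wmap_rc() {
  target=$1
  site=$(wmap_site_from_url "$target") || return 1
  cat <<EOF
# WMAP run generated for $target
db_status
load wmap
wmap_sites -a $site
wmap_sites -l
wmap_targets -t $target
wmap_targets -l
wmap_run -e
wmap_vulns -l
exit
EOF
}

# wmap_scan URL [LOGFILE]
#   Write the script to a temp file, run it headless and tee the console
#   output to LOGFILE (default: wmap-<timestamp>.log in the current directory).
wmap_scan() {
  target=$1
  log=${2:-wmap-$(date +%Y%m%d-%H%M%S).log}
  command -v msfconsole >/dev/null 2>&1 || { echo 'msfconsole not found in PATH' >&2; return 1; }
  rc=$(mktemp) || return 1
  wmap_rc "$target" > "$rc" || { rm -f "$rc"; return 1; }
  msfconsole -q -r "$rc" | tee "$log"
  rm -f "$rc"
}

# Usage: sh wmap-scan.sh http://172.16.1.102/dvwa/index.php [scan.log]
if [ $# -gt 0 ]; then
  wmap_scan "$@"
fi
```

Because the script adds the site and target before running, re-running it against the same host simply adds duplicate rows under wmap_sites -l; delete the old ids with wmap_sites -d first if that matters.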


Step 6: Interpret Results


Finally, we can type the wmap_vulns -l command to display the results of the scan.

msf > wmap_vulns -l
[*] + [172.16.1.102] (172.16.1.102): scraper /
[*] 	scraper Scraper
[*] 	GET Metasploitable2 - Linux
[*] + [172.16.1.102] (172.16.1.102): directory /dav/
[*] 	directory Directory found.
[*] 	GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /cgi-bin/
[*] 	directory Directoy found.
[*] 	GET Res code: 403
[*] + [172.16.1.102] (172.16.1.102): directory /doc/
[*] 	directory Directoy found.
[*] 	GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /icons/
[*] 	directory Directoy found.
[*] 	GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /index/
[*] 	directory Directoy found.
[*] 	GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /phpMyAdmin/
[*] 	directory Directoy found.
[*] 	GET Res code: 200

...

We can see it found some potentially interesting directories that could be worth investigating further:

  • The /cgi-bin/ directory is the conventional location for CGI scripts that the web server executes on request. The 403 only means the directory listing is refused, not that the scripts inside are unreachable; they have to be requested by name.

  • The /phpMyAdmin/ directory is the web front end of phpMyAdmin, an open-source administration tool for MySQL database systems. An administration interface reachable from the scan origin is worth noting, together with its version and whether it asks for credentials.

  • The /dav/ directory is a WebDAV share, which lets clients author files on the server remotely. The next question is which methods it accepts and whether it allows uploads without authentication.
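The listing above is easier to act on as a table of path and status code, with a note on what each status means for the next manual step. The following is an added example, not code from the page or from Metasploit: it parses wmap_vulns -l output from stdin, triages the directory findings, and adds the follow-up check a practitioner would run on the WebDAV share, an OPTIONS request to read the Allow header. The sample output is constructed from the page's listing; the host being reachable with curl is an assumption.

```shell
#!/bin/sh
# Added example: turn "wmap_vulns -l" output into a triage table and follow
# up the WebDAV finding. Not part of Metasploit; the sample below is
# constructed from the page's listing and the target host is an assumption.

# Constructed sample of wmap_vulns -l output (copied from the page's run).
WMAP_SAMPLE='[*] + [172.16.1.102] (172.16.1.102): scraper /
[*]   scraper Scraper
[*]   GET Metasploitable2 - Linux
[*] + [172.16.1.102] (172.16.1.102): directory /dav/
[*]   directory Directory found.
[*]   GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /cgi-bin/
[*]   directory Directoy found.
[*]   GET Res code: 403
[*] + [172.16.1.102] (172.16.1.102): directory /doc/
[*]   directory Directoy found.
[*]   GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /icons/
[*]   directory Directoy found.
[*]   GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /index/
[*]   directory Directoy found.
[*]   GET Res code: 200
[*] + [172.16.1.102] (172.16.1.102): directory /phpMyAdmin/
[*]   directory Directoy found.
[*]   GET Res code: 200'

# wmap_dirs
#   Read wmap_vulns -l output on stdin and print "<path> <status>" for each
#   directory finding: the "[*] + [host] (vhost): directory /x/" line starts
#   a finding and the following "[*] GET Res code: NNN" line closes it.
wmap_dirs() {
  awk '
    NF >= 6 && $2 == "+" && $(NF-1) == "directory" { path = $NF; next }
    path != "" && $2 == "GET" && $3 == "Res"       { print path, $NF; path = "" }
  '
}

# wmap_triage
#   Read "<path> <status>" lines and print status, path and what the status
#   means for the next manual step. A 403 on a directory only says the
#   listing is refused; files inside still have to be requested by name.
wmap_triage() {
  while read -r path code; do
    case $code in
      200)         note='content served; browse it and look for a directory listing' ;;
      401|403)     note='exists, listing refused; request known file names directly' ;;
      3[0-9][0-9]) note='redirects; follow it to see where the content lives' ;;
      *)           note='unexpected status; verify by hand' ;;
    esac
    printf '%s\t%s\t%s\n' "$code" "$path" "$note"
  done
}

# wmap_report
#   Run both stages over the sample, sorted by path.
wmap_report() {
  printf '%s\n' "$WMAP_SAMPLE" | wmap_dirs | sort | wmap_triage
}

# webdav_allow BASEURL
#   Ask the /dav/ share which HTTP methods it advertises (Allow header of an
#   OPTIONS response). PUT in that list is a lead, not a confirmation: only a
#   PUT the server actually accepts proves unauthenticated upload.
webdav_allow() {
  curl -s -m 10 -o /dev/null -D - -X OPTIONS "${1%/}/dav/" | grep -i '^Allow:'
}

# Usage: sh wmap-triage.sh < vulns.txt            (triage a saved listing)
#        webdav_allow http://172.16.1.102         (after sourcing this file)
if [ ! -t 0 ] && [ $# -eq 0 ]; then
  wmap_dirs | sort | wmap_triage
fi
```

Save the wmap_vulns -l output to a file (or tee it from a resource-script run) and pipe it through the script; the tab-separated table sorts and diffs cleanly across repeated scans of the same host.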



©2022 www.theblackthreat.in All rights reserved.