336 lines
12 KiB
Plaintext
336 lines
12 KiB
Plaintext
=[ WMAP v0.2 ET LoWNOISE et[]metasploit.com
|
|
---------------------------------------------------------------------------
|
|
"Metasploit goes Web" ,H D Moore.
|
|
|
|
|
|
=[ Intro.
|
|
|
|
WMAP is a general purpose web application scanning framework for
|
|
Metasploit 3. The architechture is simple and its simplicity is what makes
|
|
it powerfull. It's a different approach compared to other open source
|
|
alternatives and commercial scanners, as WMAP is not build around any browser
|
|
or spider for data capture and manipulation.
|
|
|
|
|
|
=[ How it works.
|
|
|
|
In the WMAP design, the attack proxy acts as a data gathering tool. All
|
|
traffic between the client(s) (i.e. favorite browser and/or spider) will be
|
|
stored in the MSF database. (See figure.)
|
|
|
|
[CLIENT] ----- [ATTACK PROXY] ----- [TARGET]
|
|
| ^
|
|
[METASPLOIT DB] |
|
|
| |
|
|
[MSF 3 - WMAP SCANNER] |
|
|
[MSF 3 - WMAP MODULES] -----+
|
|
|
|
WMAP is a Metasploit plugin and will interact with the database, reading all
|
|
gathered traffic, processing it and launching the different tests
|
|
implemented as modules. As WMAP Modules are MSF Modules they can be easily
|
|
implemented, and can be run manually from the command line or automatically
|
|
via WMAP.
|
|
|
|
As you may see this simple architecture allows you to have different
|
|
distributed clients and even different proxies all storing data to the
|
|
central repository. Remember everything is based on Metasploit, the test
|
|
modules are implemented as auxiliary modules and they can interact with any
|
|
other MSF component including the database, exploits and plugins.
|
|
|
|
|
|
=[ WMAP Modules.
|
|
|
|
The test modules implemented at this time are basic and will improve over
|
|
time not only in quality and quantity, so you are more than welcome to
|
|
submit new modules.
|
|
|
|
Each module has a WMAP type, this determine when the module is launched and
|
|
to a certain degree, the minimum type of information it requires to be
|
|
executed. The best way to develop a new test for WMAP, is to use already
|
|
implemented modules as a base and then develop a normal MSF module that can
|
|
be run manually from the command line. To enable a module to be run
|
|
automatically via WMAP just include the mixin that determine the type
|
|
of the module.
|
|
|
|
Example:
|
|
|
|
include Auxiliary::WMAPScanFile
|
|
|
|
The following are the types of modules implemented at this time and they are
|
|
listed in the order WMAP runs them:
|
|
|
|
WMAPScanServer - Run once against the target Web Server
|
|
WMAPScanDir - Runs for every directory found in the target
|
|
WMAPScanFile - Runs for every file found in the target
|
|
WMAPScanUniqueQuery - Runs for every unique query found in each request to the
|
|
target
|
|
WMAPScanQuery - Runs for every query found in each request to the target
|
|
WMAPScanBody - Runs for every Body found in each request to the target
|
|
WMAPScanHeaders - Runs for every Header found in each request to the target
|
|
WMAPScanGeneric - Modules to be run after all tests complete. Good place to
|
|
perform passive analysis of responses, analysis of test
|
|
results to launch other modules (i.e. exploits).
|
|
|
|
=[ Reporting.
|
|
|
|
Each module is capable of storing reporting information.
|
|
Reporting key concepts:
|
|
|
|
+ Reporting is used to gather and store data
|
|
+ Bye bye to useless risk levels
|
|
+ Data is not only findings (i.e vulnerabilities) but also any relevant
|
|
data (i.e. Database name from a SQL injection)
|
|
+ Data is available to other modules so reporting becomes a method to
|
|
share information
|
|
+ Data has context and that context is preserved.
|
|
+ Context is preserved by having a tree structure in the Report database
|
|
table
|
|
+ Every report entry has a parent_id the top parent_id is 0 and only used
|
|
to create a report entry (this allows for the storage of multiple reports)
|
|
+ The report table is basically a type,name,value database.
|
|
+ This schema allows the storage of data/vulnerabilities with any classification/naming
|
|
convention. (very useful to store vulnerabilities discovered in year 2060).
|
|
|
|
So how it works:
|
|
|
|
When q module is executed (using WMAP 'wmap_run -e' or standalone):
|
|
|
|
WMAP creates a new report entry, then in each module when something is found or
|
|
something needs to be reported the module should implement the following lines:
|
|
|
|
Example:
|
|
|
|
if (vulnerability is found)
|
|
print_status("FOUND BLAH BLAH BLAH")
|
|
|
|
#OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target)
|
|
rep_id = wmap_base_report_id(
|
|
self.target_host,
|
|
self.target_port,
|
|
self.ssl
|
|
)
|
|
|
|
# REPORT ABOUT THE FINDING
|
|
vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection
|
|
vulnerability was found in the following URL in the parameter 'test'")
|
|
|
|
# LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE
|
|
# OF INJECTION.
|
|
|
|
NOTE: wmap_report() returns the id of this entry
|
|
|
|
wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah")
|
|
wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah")
|
|
end
|
|
|
|
|
|
If you are connected to a database (db_connect) then reporting is active and every module executed will
|
|
store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will
|
|
be organized per host,port as wmap_base_report_id() returns the last available report for the specified
|
|
host,port,ssl target.
|
|
|
|
Anything can be represented and reported and other modules will have access to this information to do
|
|
whatever they want.
|
|
|
|
To view available reports use the 'wmap_reports' command:
|
|
|
|
msf > load db_sqlite3
|
|
[*] Successfully loaded plugin: db_sqlite3
|
|
msf > load db_wmap
|
|
[*] =[ WMAP v0.2 - ET LoWNOISE
|
|
[*] Successfully loaded plugin: db_wmap
|
|
msf > db_connect
|
|
[*] Successfully connected to the database
|
|
[*] File: /Users/et/.msf3/sqlite3.db
|
|
...
|
|
msf > wmap_reports -p
|
|
[*] Id. Created Target (host,port,ssl)
|
|
1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0
|
|
[*] Done.
|
|
msf > wmap_reports -s 1
|
|
WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008]
|
|
WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008]
|
|
VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008]
|
|
SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008]
|
|
SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008]
|
|
[*] Done.
|
|
|
|
|
|
=[ Simple example.
|
|
|
|
The following are the basic steps for testing a web server/app using WMAP:
|
|
|
|
1. Mentally choose a target ...;
|
|
2. Launch a wmap enabled attack proxy;
|
|
|
|
NOTE: Eventually WMAP will include its own attack proxy code and spider
|
|
and at this time WMAP integrates very well with lcamtuf's ratproxy
|
|
(via a patch located in the /external/ratproxy directory).
|
|
|
|
ratproxy (ratproxy_wmap.diff applied) basic example:
|
|
|
|
$ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db -a
|
|
ratproxy version 1.51-beta by <lcamtuf@google.com>
|
|
[*] Proxy configured successfully. Have fun, and please do not be evil.
|
|
[+] Accepting connections on port 8080/tcp (local only)...
|
|
|
|
NOTE: If you want to use a different database than the default MSF database
|
|
or was destroyed. You have to create again the database with the 'db_create'
|
|
command. 'db_create <path/database>':
|
|
|
|
msf > db_create /dir/target_test.db
|
|
[*] Creating a new database instance...
|
|
[*] Successfully connected to the database
|
|
[*] File: /dir/target_test.db
|
|
|
|
3. Browse the target by running your favorite spider/crawler/browser etc.
|
|
NOTE: Dont forget to configure the proxy;
|
|
|
|
4. In Metasploit load the db_<database> plugin;
|
|
|
|
$ ./msfconsole
|
|
|
|
| | _) |
|
|
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
|
|
| | | __/ | ( |\__ \ | | | ( | | |
|
|
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
|
|
_|
|
|
|
|
|
|
=[ msf v3.2-release
|
|
+ -- --=[ 304 exploits - 172 payloads
|
|
+ -- --=[ 20 encoders - 6 nops
|
|
=[ 74 aux
|
|
|
|
msf > load db_sqlite3
|
|
msf > load db_wmap
|
|
[*] =[ WMAP v0.2 - ET LoWNOISE
|
|
[*] Successfully loaded plugin: db_wmap
|
|
|
|
5. Connect to the WMAP database;
|
|
|
|
msf > db_connect
|
|
[*] Successfully connected to the database
|
|
[*] File: /users/et/.msf3/sqlite3.db
|
|
|
|
|
|
msf > wmap_targets -r
|
|
[*] Reloading targets...
|
|
[*] Added. 192.168.1.1 80 0
|
|
[*] Added. 192.168.2.10 80 0
|
|
[*] Added. 192.168.5.11 80 0
|
|
[*] Added. 192.168.1.3 80 0
|
|
|
|
6. View available targets;
|
|
|
|
msf > wmap_targets -p
|
|
[*] Id. Host Port SSL
|
|
[*] 1. 192.168.1.1 80
|
|
[*] 2. 192.168.2.10 80
|
|
[*] 3. 192.168.5.11 80
|
|
[*] 4. 192.168.1.3 80
|
|
[*] Done.
|
|
|
|
7. Select target (i.e. select target.com);
|
|
|
|
msf > wmap_targets -s 2
|
|
msf > wmap_targets -p
|
|
[*] Id. Host Port SSL
|
|
[*] 1. 192.168.1.1 80
|
|
[*] => 2. 192.168.2.10 80
|
|
[*] 3. 192.168.5.11 80
|
|
[*] 4. 192.168.1.3 80
|
|
[*] Done.
|
|
|
|
8. View target website structure;
|
|
msf > wmap_website
|
|
[*] Website structure
|
|
[*] 192.168.2.10:80 SSL:0
|
|
ROOT_TREE
|
|
+------ index.asp
|
|
| images
|
|
| +------ logo.gif
|
|
+------ login.asp
|
|
| menu
|
|
| +------ menu.asp
|
|
| +------ logout.asp
|
|
| +------ help.asp
|
|
[*] Done.
|
|
|
|
9. List loaded modules;
|
|
|
|
msf > wmap_run -t
|
|
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
|
|
[*] Loaded auxiliary/scanner/http/frontpage_login ...
|
|
[*] Loaded auxiliary/scanner/http/version ...
|
|
...
|
|
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
|
|
[*] Analysis completed in 3.1337145306448364 seconds.
|
|
[*] Done.
|
|
|
|
10. If a test module requires a specific parameter to be set
|
|
or you want to modify the value of a predefined variable,
|
|
this can be done with the 'setg' command.
|
|
|
|
Example:
|
|
|
|
msf > setg VHOST www.targetco.com
|
|
VHOST => www.targetco.com
|
|
|
|
msf > setg DOMAIN targetco.com
|
|
DOMAIN => targetco.com
|
|
|
|
msf > setg EXT .asp
|
|
EXT => .asp
|
|
|
|
11. Test the target;
|
|
|
|
msf > wmap_run -e
|
|
[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against
|
|
www.target.com:80
|
|
[*] Sending request with random domain rGvsV.targetco.com
|
|
[*] NOT Found admin.targetco.com
|
|
[*] NOT Found services.targetco.com
|
|
[*] Vhost found webmail.targetco.com
|
|
[*] NOT Found console.targetco.com
|
|
[*] NOT Found apps.targetco.com
|
|
[*] NOT Found mail.targetco.com
|
|
[*] NOT Found intranet.targetco.com
|
|
[*] NOT Found intra.targetco.com
|
|
[*] NOT Found corporate.targetco.com
|
|
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against
|
|
www.targetco.com:80
|
|
[*] http://xxx.xxx.xxx.xxx:80 is running Apache
|
|
[*] FrontPage not found on http://192.168.2.10:80 [302 Object Moved]
|
|
...
|
|
...
|
|
[*] Done.
|
|
|
|
=[ TODO.
|
|
|
|
This is first release version of WMAP and as you know, the Metasploit project
|
|
welcomes feedback, comments, ideas, patches, module, etc. This TODO list is
|
|
more of a placeholder of the things you may see in the near future.
|
|
|
|
- Add more commands
|
|
- Add more types of reports (PDF, XML, etc.)
|
|
- Develop more modules
|
|
- Create more module types to perform tasks like response analysis
|
|
- Support other databases (only sqlite3 supported at this time)
|
|
- Develop plugins for more proxies
|
|
- Develop WMAP Proxy
|
|
- Develop WMAP Spider
|
|
- Include you idea here.
|
|
|
|
|
|
=[ EOF. ET LoWNOISE et[]metasploit.com 2008.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|