
Saturday, November 19, 2011

WMAP Web Scanner


WMAP is a feature-rich web vulnerability scanner that was originally created from a tool named SQLMap. It can take the traffic captured by an intercepting web proxy and run its vulnerability analysis against that captured data. First, we need to download a compatible proxy and apply Metasploit's patch to it. Also note that, if you haven't already done so, you should install rubygems and ruby-sqlite3, as both are required.
root@bt4:/pentest/exploits/framework3# wget http://ratproxy.googlecode.com/files/ratproxy-1.58.tar.gz

--2009-06-29 21:41:02-- http://ratproxy.googlecode.com/files/ratproxy-1.58.tar.gz

Resolving ratproxy.googlecode.com... 74.125.93.82
Connecting to ratproxy.googlecode.com|74.125.93.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 168409 (164K) [application/x-gzip]
Saving to: `ratproxy-1.58.tar.gz'
100%[===================================>] 168,409 201K/s
in 0.8s 2009-06-29 21:41:03 (201 KB/s) - `ratproxy-1.58.tar.gz' saved [168409/168409]

root@bt4:/pentest/exploits/framework3# tar -zxvf ratproxy-1.58.tar.gz

Unpacked

root@bt4:/pentest/exploits/framework3# cd ratproxy
root@bt4:/pentest/exploits/framework3/ratproxy# patch -d . < /pentest/exploits/framework3/external/ratproxy/ratproxy_wmap.diff
patching file Makefile
patching file ratproxy.c
Hunk #8 succeeded at 1785 (offset 9 lines).
Hunk #9 succeeded at 1893 (offset 9 lines).
patching file http.c
Hunk #3 succeeded at 668 (offset 8 lines).
root@bt4:/pentest/exploits/framework3/ratproxy# make

Compiled no errors.

Now that we have ratproxy patched and ready to go, we need to configure the browser so that its traffic is tunneled through our proxy and ultimately into Metasploit's WMAP. First, open Firefox and follow the menu items Edit, Preferences, Advanced, Network, Settings, Manual proxy configuration; select "Use this proxy server for all protocols", enter localhost in the HTTP proxy field and set the port to 8080.
Once this is configured, we will issue a series of commands, navigate to the site, and ultimately attack it. Let's follow the process and see what it looks like. First we need to create and connect to our database.
msf > db_create wmap.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmap.db
msf > load db_wmap
[*] =[ WMAP v0.6 - et [  ] metasploit.com
[*] Successfully loaded plugin: db_wmap
msf > db_connect wmap.db
[*] Successfully connected to the database
[*] File: wmap.db

In another terminal window or tab, start ratproxy with full logging, pointing it at our database.

root@bt4:/pentest/web/ratproxy# ./ratproxy -v /pentest/exploits/framework3/ -b wmap.db
ratproxy version 1.58-beta by lcamtuf@google.com

[!] WARNING: Running with no 'friendly' domains specified. Many cross-domain
checks will not work. Please consult the documentation for advice.

[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...

Now with everything running, we browse to our target website. Be sure to spend some time going through the site, and populate the database with enough information for Metasploit to work with.
Once we finish browsing through the target site, we go back to our Metasploit session and see what we have captured.
msf > wmap_targets -r
[*] Added. 10.211.55.140 80 0
msf > wmap_targets -p
[*] Id. Host Port SSL
[*] 1. 10.211.55.140 80
[*] Done.
msf > wmap_targets -s 1
msf > wmap_website
[*] Website structure
[*] 10.211.55.140:80 SSL:0
ROOT_TREE
| sql
| +------Default.aspx
[*] Done.

msf > wmap_run -t
[*] Loaded auxiliary/scanner/http/wmap_soap_xml ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_cert ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/frontpage ...
[*] Loaded auxiliary/admin/http/tomcat_manager ...
[*] Loaded auxiliary/scanner/http/wmap_verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_ssl ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_copy_of_file ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/ms09_xxx_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Analysis completed in 0.863369941711426 seconds.
[*] Done.
msf > wmap_run -e

WMAP will now take the database that we created in Metasploit and pointed ratproxy at, and start attacking the website. This generally takes a while, as WMAP runs a significant number of checks. Note that some of the checks are not reliable and take a long time to complete. To break out of a specific auxiliary module, just hit control-c and WMAP will move on to the next auxiliary module.
Wait for the entire process to finish and then start on the commands below.
msf > wmap_reports
[*] Usage: wmap_reports [options]
-h Display this help text
-p Print all available reports
-s [id] Select report for display
-x [id] Display XML report

msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Fri Jun 26 08:35:58 +0000 2009 10.211.55.140,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: 10.211.55.140,80,0 Metasploit WMAP Report [Fri Jun 26 08:35:58 +0000 2009]
WEB_SERVER WEBDAV: ENABLED [Fri Jun 26 08:38:15 +0000 2009]
WEB_SERVER OPTIONS: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH [Fri Jun 26 08:38:15 +0000 2009]
WEB_SERVER TYPE: Microsoft-IIS/6.0 ( Powered by ASP.NET ) [Fri Jun 26 08:38:18 +0000 2009]
FILE NAME: /sql/default.aspx File /sql/default.aspx found. [Fri Jun 26 08:39:02 +0000 2009]
FILE RESP_CODE: 200 [Fri Jun 26 08:39:02 +0000 2009]
DIRECTORY NAME: /Ads/ Directory /Ads/ found. [Fri Jun 26 08:39:37 +0000 2009]
DIRECTORY NAME: /Cch/ Directory /Cch/ found. [Fri Jun 26 08:44:10 +0000 2009]
DIRECTORY NAME: /Eeo/ Directory /Eeo/ found. [Fri Jun 26 08:49:03 +0000 2009]
DIRECTORY NAME: /_private/ Directory /_private/ found. [Fri Jun 26 08:55:22 +0000 2009]
DIRECTORY RESP_CODE: 403 [Fri Jun 26 08:55:22 +0000 2009]
DIRECTORY NAME: /_vti_bin/ Directory /_vti_bin/ found. [Fri Jun 26 08:55:23 +0000 2009]
DIRECTORY RESP_CODE: 207 [Fri Jun 26 08:55:23 +0000 2009]
DIRECTORY NAME: /_vti_log/ Directory /_vti_log/ found. [Fri Jun 26 08:55:24 +0000 2009]
DIRECTORY RESP_CODE: 403 [Fri Jun 26 08:55:24 +0000 2009]
DIRECTORY NAME: /_vti_pvt/ Directory /_vti_pvt/ found. [Fri Jun 26 08:55:24 +0000 2009]
DIRECTORY RESP_CODE: 500 [Fri Jun 26 08:55:24 +0000 2009]
DIRECTORY NAME: /_vti_txt/ Directory /_vti_txt/ found. [Fri Jun 26 08:55:24 +0000 2009]
DIRECTORY RESP_CODE: 403 [Fri Jun 26 08:55:24 +0000 2009]
DIRECTORY NAME: /_private/ Directory /_private/ found. [Fri Jun 26 08:56:07 +0000 2009]
DIRECTORY RESP_CODE: 403 [Fri Jun 26 08:56:07 +0000 2009]
DIRECTORY NAME: /_vti_bin/ Directory /_vti_bin/ found. [Fri Jun 26 08:56:12 +0000 2009]
DIRECTORY RESP_CODE: 403 [Fri Jun 26 08:56:12 +0000 2009]
DIRECTORY NAME: /_vti_log/ Directory /_vti_log/ found. [Fri Jun 26 08:56:12 +0000 2009]
DIRECTORY RESP_CODE: 403 [Fri Jun 26 08:56:12 +0000 2009]
[*] Done.
msf >

The report gives us a lot of information about the web application and the potential security vulnerabilities that were identified. As pentesters, we would want to investigate each finding further and determine whether it offers a viable method of attack.
In this example there are two notable findings. The first is WebDAV, where we may be able to bypass logins; the other is the PUT method, which may allow us to place malicious code on the website. WMAP is a great addition to the Metasploit Framework and essentially gives you a vulnerability scanner built into the already great framework itself.
One thing to mention about WMAP is that it is still very much a work in progress. The site we just scanned had numerous instances of error-based SQL injection and cross-site scripting that it did not identify. Just be aware of this when using it, and understand WMAP's current limitations.
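Reading a long `wmap_reports -s` dump by eye is error-prone: the same directory shows up several times with different response codes, and the findings a defender most needs to act on (WebDAV enabled, state-changing methods such as PUT and DELETE left on) are buried among directory hits. The following triage script is an added example, not part of the original post or of Metasploit; it parses the text report format shown above into one structured summary per target, deduplicates repeated paths, and flags the methods that should normally be disabled on a production web server. The sample report is a constructed excerpt of the output above.

```python
import re
# Constructed sample: an excerpt of the `wmap_reports -s 1` text shown above.
SAMPLE_REPORT = """\
WMAP REPORT: 10.211.55.140,80,0 Metasploit WMAP Report [Fri Jun 26 08:35:58 +0000 2009]
WEB_SERVER WEBDAV: ENABLED [Fri Jun 26 08:38:15 +0000 2009]
WEB_SERVER OPTIONS: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH [Fri Jun 26 08:38:15 +0000 2009]
WEB_SERVER TYPE: Microsoft-IIS/6.0 ( Powered by ASP.NET ) [Fri Jun 26 08:38:18 +0000 2009]
FILE NAME: /sql/default.aspx File /sql/default.aspx found. [Fri Jun 26 08:39:02 +0000 2009]
FILE RESP_CODE: 200 [Fri Jun 26 08:39:02 +0000 2009]
DIRECTORY NAME: /Ads/ Directory /Ads/ found. [Fri Jun 26 08:39:37 +0000 2009]
DIRECTORY NAME: /_vti_bin/ Directory /_vti_bin/ found. [Fri Jun 26 08:55:23 +0000 2009]
DIRECTORY RESP_CODE: 207 [Fri Jun 26 08:55:23 +0000 2009]
DIRECTORY NAME: /_vti_bin/ Directory /_vti_bin/ found. [Fri Jun 26 08:56:12 +0000 2009]
DIRECTORY RESP_CODE: 403 [Fri Jun 26 08:56:12 +0000 2009]
[*] Done.
"""
# Each finding line is "<CATEGORY> <KEY>: <value> [<timestamp>]".
LINE_RE = re.compile(r"^(\w+) (\w+): (.*?) \[(.*)\]$")
# Methods that change server state (PUT, DELETE, WebDAV verbs) or echo request data (TRACE).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "COPY", "MOVE", "MKCOL"}

def parse_report(text):
    """Yield (category, key, value) for each finding; console noise is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def triage(text):
    """Collapse a WMAP text report into one structured summary for the target."""
    summary = {"target": None, "server": None, "webdav": False,
               "risky_methods": set(), "paths": {}}
    last_path = None
    for category, key, value in parse_report(text):
        if category == "WMAP" and key == "REPORT":
            summary["target"] = value.split()[0]           # host,port,ssl
        elif category == "WEB_SERVER" and key == "TYPE":
            summary["server"] = value
        elif category == "WEB_SERVER" and key == "WEBDAV":
            summary["webdav"] = value == "ENABLED"
        elif category == "WEB_SERVER" and key == "OPTIONS":
            methods = {m.strip() for m in value.split(",")}
            summary["risky_methods"] = methods & RISKY_METHODS
        elif category in ("FILE", "DIRECTORY") and key == "NAME":
            last_path = value.split()[0]                   # path precedes the sentence
            summary["paths"].setdefault(last_path, set())  # dedupe repeated hits
        elif category in ("FILE", "DIRECTORY") and key == "RESP_CODE" and last_path:
            summary["paths"][last_path].add(int(value))    # one path, possibly many codes
    return summary
```

A path whose set of response codes is empty was reported by name only, as /Ads/ is above, and still needs a manual look.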
