2011-02-04 13:57:26 +08:00
|
|
|
=[ WMAP v1.0
|
|
|
|
|
=[ Efrain Torres
|
|
|
|
|
et[]metasploit.com
|
2008-09-28 08:06:06 +08:00
|
|
|
---------------------------------------------------------------------------
|
2009-03-31 04:44:21 +08:00
|
|
|
"Metasploit goes Web", H D Moore.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
=[ Intro.
|
|
|
|
|
|
|
|
|
|
WMAP is a general purpose web application scanning framework for
|
2009-03-31 04:44:21 +08:00
|
|
|
Metasploit 3. The architecture is simple and its simplicity is what makes
|
|
|
|
|
it powerful. It's a different approach compared to other open source
|
2008-10-02 10:36:01 +08:00
|
|
|
alternatives and commercial scanners, as WMAP is not build around any browser
|
2008-09-28 08:06:06 +08:00
|
|
|
or spider for data capture and manipulation.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=[ How it works.
|
|
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
In the WMAP design, any tool can become a data gathering tool. In the
|
|
|
|
|
general case an attack proxy can be modified to store all the traffic between
|
|
|
|
|
the client(s) (i.e. favorite browser and/or spider). (See figure.)
|
|
|
|
|
|
|
|
|
|
Notice that a client may be used to store data too.
|
|
|
|
|
|
2008-09-28 08:06:06 +08:00
|
|
|
|
|
|
|
|
[CLIENT] ----- [ATTACK PROXY] ----- [TARGET]
|
2011-02-04 13:57:26 +08:00
|
|
|
| | ^
|
|
|
|
|
---------->[METASPLOIT DB] |
|
2008-09-28 08:06:06 +08:00
|
|
|
| |
|
|
|
|
|
[MSF 3 - WMAP SCANNER] |
|
|
|
|
|
[MSF 3 - WMAP MODULES] -----+
|
|
|
|
|
|
|
|
|
|
WMAP is a Metasploit plugin and will interact with the database, reading all
|
|
|
|
|
gathered traffic, processing it and launching the different tests
|
2011-02-04 13:57:26 +08:00
|
|
|
implemented as modules. As tests are MSF Modules they can be easily
|
2008-10-02 10:36:01 +08:00
|
|
|
implemented, and can be run manually from the command line or automatically
|
|
|
|
|
via WMAP.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
|
|
|
|
As you may see this simple architecture allows you to have different
|
|
|
|
|
distributed clients and even different proxies all storing data to the
|
|
|
|
|
central repository. Remember everything is based on Metasploit, the test
|
|
|
|
|
modules are implemented as auxiliary modules and they can interact with any
|
2008-10-12 11:46:49 +08:00
|
|
|
other MSF component including the database, exploits and plugins.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
=[ WMAP Modules.
|
|
|
|
|
|
|
|
|
|
The test modules implemented at this time are basic and will improve over
|
|
|
|
|
time not only in quality and quantity, so you are more than welcome to
|
|
|
|
|
submit new modules.
|
|
|
|
|
|
2008-10-02 10:36:01 +08:00
|
|
|
Each module has a WMAP type, this determine when the module is launched and
|
2008-09-28 08:06:06 +08:00
|
|
|
to a certain degree, the minimum type of information it requires to be
|
2008-10-02 10:36:01 +08:00
|
|
|
executed. The best way to develop a new test for WMAP, is to use already
|
|
|
|
|
implemented modules as a base and then develop a normal MSF module that can
|
|
|
|
|
be run manually from the command line. To enable a module to be run
|
|
|
|
|
automatically via WMAP just include the mixin that determine the type
|
|
|
|
|
of the module.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
include Auxiliary::WMAPScanFile
|
|
|
|
|
|
|
|
|
|
The following are the types of modules implemented at this time and they are
|
|
|
|
|
listed in the order WMAP runs them:
|
|
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
WMAPScanSSL - Run once against SSL server
|
2008-10-02 10:36:01 +08:00
|
|
|
WMAPScanServer - Run once against the target Web Server
|
|
|
|
|
WMAPScanDir - Runs for every directory found in the target
|
|
|
|
|
WMAPScanFile - Runs for every file found in the target
|
|
|
|
|
WMAPScanUniqueQuery - Runs for every unique query found in each request to the
|
|
|
|
|
target
|
|
|
|
|
WMAPScanQuery - Runs for every query found in each request to the target
|
2008-10-12 11:46:49 +08:00
|
|
|
WMAPScanGeneric - Modules to be run after all tests complete. Good place to
|
|
|
|
|
perform passive analysis of responses, analysis of test
|
2008-11-10 12:38:05 +08:00
|
|
|
results to launch other modules (i.e. exploits).
|
|
|
|
|
|
|
|
|
|
=[ Reporting.
|
|
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
It uses the native reporting capabilities of MEtasploit.
|
2008-11-10 12:38:05 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
=[ Database
|
2008-11-10 12:38:05 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
No more sqlite. it uses whatever the framework is using.
|
2008-11-10 12:38:05 +08:00
|
|
|
|
2008-09-28 08:06:06 +08:00
|
|
|
=[ Simple example.
|
|
|
|
|
|
|
|
|
|
The following are the basic steps for testing a web server/app using WMAP:
|
|
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
1. Crawl a web site using the /auxiliary/scanner/http/crawler module
|
|
|
|
|
2. Load the wmap plugin
|
|
|
|
|
3. View available sites to test:
|
|
|
|
|
|
|
|
|
|
wmap_sites -l
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
4. View site structure
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
wmap_sites -s <vhost,url>
|
|
|
|
|
|
|
|
|
|
Example: wmap_sites -s www.testsite.org,http://192.168.1.1
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
5. Define targets from available sites
|
2008-10-12 11:46:49 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
wmap_targets -t <vhost,url>
|
2008-10-12 11:46:49 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
6. Test it.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
wmap_run -e
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
=[ Additional Stuff
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
Before runing the test you may need to set certain variables
|
|
|
|
|
required by some modules.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
Example:
|
2008-11-10 12:38:05 +08:00
|
|
|
|
2008-09-28 08:06:06 +08:00
|
|
|
msf > setg DOMAIN targetco.com
|
|
|
|
|
DOMAIN => targetco.com
|
|
|
|
|
|
|
|
|
|
msf > setg EXT .asp
|
2009-03-30 11:39:01 +08:00
|
|
|
EXT => .asp
|
|
|
|
|
|
|
|
|
|
msf > setg WMAP_EXCLUDE_FILE <regex_to_exclude_testing_files>
|
|
|
|
|
|
2008-12-08 12:44:46 +08:00
|
|
|
NOTE: By default image files are not included in the tests.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
If required profiles can be defined in the following way:
|
|
|
|
|
|
|
|
|
|
wmap_run -e path/to/profile/file
|
|
|
|
|
|
|
|
|
|
The profile file contains the list of modules to execute.
|
|
|
|
|
See data/wmap/wmap_sample.profile for a sample.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
|
|
|
|
=[ TODO.
|
|
|
|
|
|
2011-02-04 13:57:26 +08:00
|
|
|
|
|
|
|
|
This is first real release version of WMAP and as you know, the Metasploit project
|
|
|
|
|
welcomes feedback, comments, ideas, patches, modules, etc.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=[ EOF.
|
2008-09-28 08:06:06 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
