WMAP (DRAFT)

Introduction

WMAP is a general purpose web application scanning framework for Metasploit Framework 3. The architecture is simple, and that simplicity is what makes it powerful. It is a different approach from other open source alternatives and commercial scanners: WMAP is not built around any particular browser or spider for data capture and manipulation.

Overview

In the WMAP design, the attack proxy acts as a data gathering tool. All traffic between the client(s) (i.e. your favorite browser and/or spider) and the target passes through the proxy and is stored in the MSF database. (See figure.)

[CLIENT] ----- [ATTACK PROXY] ----- [TARGET]
                      |                 ^ 
               [METASPLOIT DB]          |
                      |                 |
            [MSF 3 - WMAP SCANNER]      | 
            [MSF 3 - WMAP MODULES] -----+

WMAP is a Metasploit plugin that interacts with the database, reading all gathered traffic, processing it and launching the different tests, which are implemented as modules. Because WMAP modules are ordinary Metasploit Framework modules they are easy to write, and they can be run manually from the command line or automatically via WMAP. As you can see, this simple architecture lets you have several distributed clients, and even several proxies, all storing data in the central repository. Remember that everything is based on the Metasploit Framework: the test modules are implemented as auxiliary modules and can interact with any other Metasploit Framework component, including the database, exploits and plugins.

Modules

The test modules implemented at this time are basic and will improve over time in both quality and quantity, so you are more than welcome to submit new modules. Each module has a WMAP type; this determines when the module is launched and, to a certain degree, the minimum information it needs in order to be executed. The best way to develop a new test for WMAP is to use an already implemented module as a base and write a normal Metasploit module that can be run manually from the command line. To let the module run automatically via WMAP, just include the mixin that determines its type:

include Auxiliary::WMAPScanFile

The following are the types of modules implemented at this time and they are listed in the order WMAP runs them:

WMAPScanServer      Runs once against the target web server
WMAPScanDir         Runs for every directory found in the target
WMAPScanFile        Runs for every file found in the target
WMAPScanUniqueQuery Runs for every unique query found in each request to the target
WMAPScanQuery       Runs for every query found in each request to the target
WMAPScanBody        Runs for every body found in each request to the target
WMAPScanHeaders     Runs for every header found in each request to the target
WMAPScanGeneric     Modules to be run after all tests complete. A good place to perform passive analysis of responses, or analysis of test results in order to launch other modules (e.g. exploits).
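The list above says when each type runs but not how much work each type implies for a given capture. The following is an added example, not WMAP's own scheduler, that derives the work units each module type would receive from a handful of constructed proxy captures (the requests, host and port are made up). Two interpretations are assumed because the list does not spell them out: a "unique query" is taken to be a (path, sorted parameter names) pair, so two logins with different values are tested once, and WMAPScanHeaders is taken to run once per (request, header) pair.

```ruby
require 'set'
require 'uri'

# Constructed sample of what the attack proxy would have stored in the MSF
# database: one row per captured request (made-up traffic, not real captures).
REQUESTS = [
  { method: 'GET',  path: '/index.php',       query: '',
    headers: { 'Host' => 'www.example.com', 'Accept' => '*/*' }, body: '' },
  { method: 'GET',  path: '/admin/login.php', query: 'user=alice&pass=x',
    headers: { 'Host' => 'www.example.com', 'Accept' => '*/*' }, body: '' },
  { method: 'POST', path: '/admin/login.php', query: '',
    headers: { 'Host' => 'www.example.com', 'Accept' => '*/*',
               'Content-Type' => 'application/x-www-form-urlencoded' },
    body: 'user=alice&pass=x' },
  { method: 'GET',  path: '/images/logo.png', query: 'v=2',
    headers: { 'Host' => 'www.example.com', 'Accept' => 'image/*' }, body: '' },
  { method: 'GET',  path: '/admin/login.php', query: 'user=bob&pass=y',
    headers: { 'Host' => 'www.example.com', 'Accept' => '*/*' }, body: '' },
].freeze

# Module types in the order WMAP runs them (from the list above).
RUN_ORDER = %w[WMAPScanServer WMAPScanDir WMAPScanFile WMAPScanUniqueQuery
               WMAPScanQuery WMAPScanBody WMAPScanHeaders WMAPScanGeneric].freeze

# Every directory implied by the captured paths, ancestors included,
# so /admin/ is tested even if only /admin/login.php was ever requested.
def directories(requests)
  dirs = Set.new(['/'])
  requests.each do |r|
    parts = File.dirname(r[:path]).split('/').reject(&:empty?)
    parts.each_index { |i| dirs << "/#{parts[0..i].join('/')}/" }
  end
  dirs.to_a.sort
end

def files(requests)
  requests.map { |r| r[:path] }.uniq.sort
end

# One unit per request that carried a query string (duplicates included).
def queries(requests)
  requests.reject { |r| r[:query].empty? }.map { |r| [r[:path], r[:query]] }
end

# Assumed interpretation: collapse to (path, sorted parameter names), since
# the same parameters with different values are the same injection point.
def unique_queries(requests)
  queries(requests).map { |path, q| [path, URI.decode_www_form(q).map(&:first).sort] }.uniq
end

def bodies(requests)
  requests.reject { |r| r[:body].empty? }.map { |r| [r[:path], r[:body]] }
end

# Assumed interpretation: one unit per (request, header) pair.
def headers(requests)
  requests.flat_map { |r| r[:headers].map { |k, v| [r[:path], k, v] } }
end

# What each module type would be handed, keyed in run order.
def work_units(requests, host = 'www.example.com', port = 80)
  {
    'WMAPScanServer'      => [[host, port]],
    'WMAPScanDir'         => directories(requests),
    'WMAPScanFile'        => files(requests),
    'WMAPScanUniqueQuery' => unique_queries(requests),
    'WMAPScanQuery'       => queries(requests),
    'WMAPScanBody'        => bodies(requests),
    'WMAPScanHeaders'     => headers(requests),
    'WMAPScanGeneric'     => [:after_all_tests],
  }
end

if __FILE__ == $0
  units = work_units(REQUESTS)
  RUN_ORDER.each do |type|
    puts format('%-20s %2d run(s): %s', type, units[type].size, units[type].inspect)
  end
end
```

Running it shows why the type matters when you write a module: a slow check (a blind SQL injection test, say) belongs in WMAPScanUniqueQuery, which gets two units here, rather than WMAPScanQuery, which gets three and grows with every recorded login.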

Reporting

Each module is capable of storing reporting information.
Reporting key concepts:

  • Reporting is used to gather and store data.
  • Bye bye to useless risk levels.
  • Data is not only findings (e.g. vulnerabilities) but also any relevant data (e.g. the database name obtained through a SQL injection).
  • Data is available to other modules, so reporting becomes a way to share information.
  • Data has context, and that context can be preserved.
  • Context is preserved by giving the Report database table a tree structure.
  • Every report entry has a parent_id. The top-level parent_id is 0 and is used only when creating a new report entry (which allows multiple reports to be stored).
  • The report table is essentially a type, name, value store.
  • This schema allows the storage of data/vulnerabilities under any classification/naming convention. (Very useful to store vulnerabilities discovered in the year 2060.)
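To make the parent_id tree concrete, here is an added in-memory model of the report table; it is not WMAP's own code, and the row layout beyond parent_id/type/name/value, the type labels and the sample findings are assumed for illustration. It shows the three things the bullets promise: a finding keeps its context (the path from the report root down to it), a value such as a database name can be looked up by another module, and more than one report can hang off parent_id 0.

```ruby
# Added example: a minimal stand-in for the WMAP Report table. Rows carry
# (id, parent_id, type, name, value) and nothing else, so there is no
# severity column to argue about.
class ReportStore
  Row = Struct.new(:id, :parent_id, :type, :name, :value)

  def initialize
    @rows = []
  end

  # parent_id 0 is reserved for the top of a report. Returns the new row id
  # so callers can hang child entries beneath it. Refuses dangling parents.
  def add(parent_id, type, name, value)
    unless parent_id.zero? || find(parent_id)
      raise ArgumentError, "no such parent #{parent_id}"
    end
    row = Row.new(@rows.size + 1, parent_id, type, name, value)
    @rows << row
    row.id
  end

  def find(id)
    @rows.find { |r| r.id == id }
  end

  def children(parent_id)
    @rows.select { |r| r.parent_id == parent_id }
  end

  # Every report starts directly under parent_id 0.
  def reports
    children(0)
  end

  # Whole subtree under a row, depth first: everything learned about a finding.
  def subtree(id)
    children(id).flat_map { |c| [c] + subtree(c.id) }
  end

  # Path from the report root to a row: the context the tree preserves.
  def path(id)
    row = find(id)
    row.parent_id.zero? ? [row] : path(row.parent_id) + [row]
  end

  # Lookup by type (and optionally name) anywhere in the store. This is how
  # a later module, e.g. a WMAPScanGeneric exploit launcher, reuses data.
  def lookup(type, name = nil)
    @rows.select { |r| r.type == type && (name.nil? || r.name == name) }
  end
end

# Constructed sample: one report for the wmap_test database with a SQL
# injection finding and the data pulled out through it.
def build_sample_report
  store  = ReportStore.new
  report = store.add(0, 'REPORT', 'wmap_test', 'WMAP scan')
  host   = store.add(report, 'HOST', 'www.example.com', '80')
  login  = store.add(host, 'FILE', '/admin/login.php', 'tested')
  sqli   = store.add(login, 'VULNERABILITY', 'SQL injection', 'parameter user')
  store.add(sqli, 'DATA', 'database name', 'shopdb')
  store.add(sqli, 'DATA', 'dbms', 'MySQL')
  store.add(host, 'FILE', '/backup/site.zip', 'found')
  store
end

if __FILE__ == $0
  store = build_sample_report
  db = store.lookup('DATA', 'database name').first
  puts "#{db.value} came from: " + store.path(db.id).map(&:name).join(' > ')
end
```

Because context lives in the tree rather than in the name, a module that learns the DBMS type only has to walk down from the VULNERABILITY row; it does not need to agree with the SQL injection module on a naming scheme for findings.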

Using WMAP

WMAP is implemented as a Metasploit plugin and depends on an active database to function. The database is used to store a list of target URLs as well as the results of the WMAP modules. To get started with WMAP, the database needs to be configured and at least one target must be added. In most situations, you would bring target data into WMAP through a spider, proxy, or export from another tool. In the example below we will add a target by hand to demonstrate the process.

Start the Metasploit Framework

Open the Metasploit Framework Console (msfconsole):

$ msfconsole
                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

       =[ metasploit v3.3.3-dev [core:3.3 api:1.0]
+ -- --=[ 469 exploits - 219 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
       =[ svn r7844 updated today (2009.12.13)

Create a database
msf> db_create wmap_test
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmap_test

Load the WMAP plugin
msf > load db_wmap 
[*] =[ WMAP v0.6 - et [  ] metasploit.com
[*] Successfully loaded plugin: db_wmap

Add and select a target
msf > wmap_targets -a http://www.example.com/
[*] Added target www.example.com 80 0
[*] Added request www.example.com

msf > wmap_targets  -p
[*]    Id. Host                                 Port    SSL
[*]    1. www.example.com                       80      

msf > wmap_targets  -s 1

msf > wmap_targets  -p
[*]    Id. Host                                 Port    SSL
[*] => 1. www.example.com                       80      

Running WMAP modules

Now that a target has been selected, we can obtain a list of what WMAP modules are available using the wmap_run -t command:

msf > wmap_run -t
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_manager ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/wmap_cert ...
[*] Loaded auxiliary/scanner/http/wmap_robots_txt ...
[*] Loaded auxiliary/scanner/http/wmap_soap_xml ...
[*] Loaded auxiliary/scanner/http/wmap_ssl ...
[*] Loaded auxiliary/scanner/http/wmap_svn_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_internal_ip ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_website_content ...
[*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_copy_of_file ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Loaded auxiliary/scanner/http/wmap_error_sql_injection ...

To actually run the modules, we execute wmap_run with the -e parameter:

msf > wmap_run -e

Reporting

Currently, the results of the WMAP scan are stored in the database. The database can be used to build custom reporting tools, or queried directly from the console:

msf > db_notes
msf > db_vulns

Configuration

If a test module requires a specific parameter to be set, or you want to override the value of a predefined variable, use the 'setg' command: it sets the value globally, so every module WMAP launches will see it. Example:

msf > setg VHOST www.targetco.com
msf > setg DOMAIN targetco.com
msf > setg EXT .asp
msf > setg WMAP_EXCLUDE_FILE <regex_to_exclude_testing_files>

If you would like to limit the WMAP test to a specific set of modules, you can use a profile file, passed as an additional argument to the wmap_run command:

msf > wmap_run -e path/to/profile/file

The profile file contains the list of modules to execute. See data/wmap/wmap_sample.profile for a sample.

Conclusion

Full WMAP automation is still in its early stages, but we believe that the functionality available today is valuable and that it can be difficult to achieve the same results with other tools. WMAP is a community project and we would be happy to incorporate your patches and ideas. For questions concerning WMAP, or to become involved in development, please contact Efrain Torres via et[at]metasploit.com