Metasploit WMAP Web Attack and Exploitation

Recently in the SVN for Metasploit 3.2 the wmap tools for web exploitation and assessment where added to the framework, this tools are developed by Efrain Torres and can be run individually or automated as auxiliary modules., at the time of this post it is still in the early stages but I wanted to start getting familiar with the tools and techniques. We will be using ratproxy and patch it to be used in this example of the automated way of attack inside of Backtrack3. Before starting one must get the latest version of Metasploit from the svn trunk this is easily done by running “svn update” inside the /msf3 folder which is a link to /pentest/exploits/framework3 in backtrack3.

building proxy:

cd /root

wget http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz

tar xvzf ratproxy-1.51.tar.gz

patch -d /root/ratproxy < /msf3/external/ratproxy/ratproxy_wmap.diff

cd ratproxy

make

before we run the proxy you have to create the new db since the one included in the data folder has a problem with it's schema at least in my version of the SVN. you can accomplish this in msfconsole

bt msf3 # ./msfconsole


888 888 d8b888

888 888 Y8P888

888 888 888

88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888

888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888

888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888

888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b.

888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888

888

888

888



=[ msf v3.2-testing

+ -- --=[ 305 exploits - 173 payloads

+ -- --=[ 20 encoders - 6 nops

=[ 74 aux


msf > load db_wmap

[*] =[ WMAP v0.1 - ET LoWNOISE

[*] Successfully loaded plugin: db_wmap_sqlite3

msf > wmap_destroy

msf > wmap_create

[*] Creating a new database instance...

[*] Successfully connected to the database

[*] File: /pentest/exploits/framework3/data/wmap/wmap_sqlite3.db

msf >

now that we have a clean db we can run the proxy

./ratproxy -v /msf3/data/wmap/ -b wmap_sqlite3.db

ratproxy version 1.51-beta by

[!] WARNING: Running with no 'friendly' domains specified. Many cross-domain

checks will not work. Please consult the documentation for advice.

[*] Proxy configured successfully. Have fun, and please do not be evil.

[+] Accepting connections on port 8080/tcp (local only)...

we configure our browser to use localhost port 8080 as the proxy and we browse our target site

as an example I will browse a local server in my lab called acme.com, I will simply browse with Firefox for the example but other automated tools that support proxies can be used and in a real life engagement will provide better results like httptrack or even wget to mirror the website for later evaluation, once we have browsed most of the links we now can load the information in to Metasploit

msf > wmap_connect

[*] Successfully connected to the wmap database

[*] File: /pentest/exploits/framework3/data/wmap/wmap_sqlite3.db

[*] Reloading targets...

[*] Added. www.acme.com 80 0


now that we have loaded the website in to the DB we have to chose this website as our target so we print the information in the db by running wmap_targets with the -p option this will print all sites in the db, then we select the site that will become our target by using the -s option and the number of the site


msf > wmap_targets -p

[*] Id. Host Port SSL

[*] 1. www.acme.com 80

[*] Done.

msf > wmap_targets -s 1

msf > wmap_targets -p

[*] Id. Host Port SSL

[*] => 1. www.acme.com 80

[*] Done.

Then we check what exploit modules match the info in the database by running the wmap_run with the -t option

msf > wmap_run -t

[*] Loaded auxiliary/scanner/http/version ...

[*] Loaded auxiliary/scanner/http/frontpage ...

[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...

[*] Loaded auxiliary/scanner/http/frontpage_login ...

[*] Loaded auxiliary/scanner/http/writable ...

[*] Loaded auxiliary/scanner/http/wmap_backup_file ...

[*] Loaded auxiliary/scanner/http/wmap_files_dir ...

[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...

[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...

[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...

[*] Analysis completed in 1.69395589828491 seconds.

[*] Done.

The version of Metasploit from the SVN currently has the following modules that can be used either in an automated way or individualy:

auxiliary/scanner/http/frontpage FrontPage Server Extensions Detection

auxiliary/scanner/http/frontpage_login FrontPage Server Extensions Login Utility

auxiliary/scanner/http/lucky_punch HTTP Microsoft SQL Injection Table XSS Infection

auxiliary/scanner/http/version HTTP Version Detection

auxiliary/scanner/http/wmap_backup_file HTTP Backup File Scanner

auxiliary/scanner/http/wmap_blind_sql_query HTTP Blind SQL Injection GET QUERY Scanner auxiliary/scanner/http/wmap_brute_dirs HTTP Directory Brute Force Scanner

auxiliary/scanner/http/wmap_files_dir HTTP Interesting File Scanner

auxiliary/scanner/http/wmap_replace_ext HTTP File Extension Scanner

auxiliary/scanner/http/wmap_vhost_scanner HTTP Virtual Host Brute Force Scanner

auxiliary/scanner/http/writable HTTP Writable Path PUT/DELETE File Access

Next we set the general options for the attack, this are DOMAIN so as to indicate the domain part that will be used for the directory and sub domain brute force, then we will set the RHOSTS option that will be the IP address or IP range so that the modules will be able to perform the virtualhost enumeration and last the EXT option that will help to identify files for several of the attacks. I would recommend running each of the auxiliary modules in a lab individually so as to become better familiarized with them and their variables.


msf > setg DOMAIN acme.com

DOMAIN => acme.com

msf > setg RHOSTS 10.1.1.23

RHOSTS => 10.1.1.23

msf > setg EXT .asp

EXT => .asp

once the global variables are set we can perform the attack, this is achieved by running wmap_run with the -e option to run all the exploit modules

msf > wmap_run -e

[*] Launching auxiliary/scanner/http/version WMAP_SERVER against www.darkoperator.com:80

[*] 10.1.1.23 is running Microsoft-IIS/6.0

[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against www.darkoperator.com:80

[*] http://10.1.1.23:80 is running Microsoft-IIS/6.0

[*] FrontPage not found on http://10.1.1.23:80 [404 Not Found]

[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against www.acme.com:80

[*] Sending request with random domain vDuwT.acme.com

[*] NOT Found admin.acme.com

[*] NOT Found services.acme.com

[*] NOT Found webmail.acme.com

[*] NOT Found console.acme.com

[*] NOT Found apps.acme.com

[*] Vhost found mail.acme.com

.............

as you can see the information is displayed on screen, after taking a look at the db file I notice that no information of what was found and not found was not saved to it. This is a feature in development in fact it is not released as stable, but as we can see this is the beginning of the attack framework inside of Metasploit, I hope they incorporate features like reporting in to Metasploit in the near future as more an more is made automated in Metasploit and as a consultant that might be under time constraint during engagements having the information on the db so a to script the creation of reports or a module that would generate reports would be of great help. I can only wait now for new stuff to appear and surprise me in Metasploit up to know I have been happily surprise with what I have seen so far.