Using Metasploit WMAP


Open the Metasploit Framework Console (msfconsole):

$ msfconsole
                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

       =[ metasploit v3.3.3-dev [core:3.3 api:1.0]
+ -- --=[ 469 exploits - 219 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
       =[ svn r7844 updated today (2009.12.13)

Create a database

msf> db_create wmap_test
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmap_test

Load the WMAP plugin

msf > load db_wmap 
[*] =[ WMAP v0.6 - et [  ] metasploit.com
[*] Successfully loaded plugin: db_wmap

Add and select a target

msf > wmap_targets -a http://www.example.com/
[*] Added target www.example.com 80 0
[*] Added request www.example.com

msf > wmap_targets  -p
[*]    Id. Host                                 Port    SSL
[*]    1. www.example.com                       80      

msf > wmap_targets  -s 1

msf > wmap_targets  -p
[*]    Id. Host                                 Port    SSL
[*] => 1. www.example.com                       80      

Running WMAP modules

Now that a target has been selected, we can list the available WMAP modules with the wmap_run -t command:

msf > wmap_run -t
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_manager ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/wmap_cert ...
[*] Loaded auxiliary/scanner/http/wmap_robots_txt ...
[*] Loaded auxiliary/scanner/http/wmap_soap_xml ...
[*] Loaded auxiliary/scanner/http/wmap_ssl ...
[*] Loaded auxiliary/scanner/http/wmap_svn_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_internal_ip ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_website_content ...
[*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_copy_of_file ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Loaded auxiliary/scanner/http/wmap_error_sql_injection ...

To actually run the modules, we execute wmap_run with the -e parameter:

msf > wmap_run -e

Reporting

Currently, the results of the WMAP scan are stored in the database. The database can be used to build custom reporting tools, or queried directly from the console:

msf > db_notes
msf > db_vulns

Configuration

If a test module requires a specific parameter, or you want to change the value of a predefined variable, set it with the 'setg' command. Example:

msf > setg VHOST www.targetco.com
msf > setg DOMAIN targetco.com
msf > setg EXT .asp
msf > setg WMAP_EXCLUDE_FILE <regex_to_exclude_testing_files>

If you would like to limit the WMAP test to a specific set of modules, you can use a profile file. Profiles can be specified via additional arguments to the wmap_run command.

msf > wmap_run -e path/to/profile/file

The profile file contains the list of modules to execute. See data/wmap/wmap_sample.profile for a sample.
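
An added example, not part of the WMAP wiki page or Metasploit's own code: a Ruby helper that turns captured wmap_run -t output into an allowlist-only profile, so a scoped assessment runs just the checks that were approved. It assumes a profile holds one module short name per line with '#' comments (compare data/wmap/wmap_sample.profile); the function names and the allowlist are hypothetical.

```ruby
# Added example, not Metasploit code. ASSUMPTION: a WMAP profile holds one
# module short name per line and '#' starts a comment; compare with
# data/wmap/wmap_sample.profile before use.

# Constructed sample: lines taken from the `wmap_run -t` listing on this page.
SAMPLE_OUTPUT = <<~OUT
  msf > wmap_run -t
  [*] Loaded auxiliary/scanner/http/options ...
  [*] Loaded auxiliary/scanner/http/version ...
  [*] Loaded auxiliary/scanner/http/wmap_robots_txt ...
  [*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
  [*] Loaded auxiliary/scanner/http/writable ...
  [*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
  [*] Loaded auxiliary/scanner/http/version ...
OUT

# Hypothetical allowlist agreed for the assessment; wmap_ssl is deliberately
# absent from the sample so the "unknown" path is exercised.
APPROVED = %w[options version wmap_robots_txt wmap_ssl].freeze

LOADED_LINE = %r{\A\[\*\]\s+Loaded\s+(auxiliary/\S+)\s+\.\.\.\z}

# Unique module paths in listing order; prompts and other lines are ignored.
def loaded_modules(console_output)
  console_output.each_line.map { |line| line.strip[LOADED_LINE, 1] }.compact.uniq
end

# Default-deny: only approved modules reach the profile. Everything else is
# recorded as a comment, and approved names the console never listed are
# returned as :unknown so typos or missing modules are noticed.
def build_profile(console_output, approved)
  names   = loaded_modules(console_output).map { |path| File.basename(path) }
  kept    = names.select { |name| approved.include?(name) }
  skipped = names - kept
  header  = ["# WMAP profile generated from wmap_run -t output"]
  body    = skipped.map { |name| "# excluded: #{name}" } + kept
  { text: (header + body).join("\n") + "\n", kept: kept,
    skipped: skipped, unknown: approved - names }
end

if __FILE__ == $PROGRAM_NAME
  result = build_profile(SAMPLE_OUTPUT, APPROVED)
  puts result[:text]
  warn "approved but not loaded: #{result[:unknown].join(', ')}" unless result[:unknown].empty?
end
```

Save the printed text to a file and pass its path to wmap_run -e as shown above; review the "# excluded" lines against the engagement scope before running.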

 

URL:http://www.metasploit.com/redmine/projects/framework/wiki/WMAP

 

 
