WMAP is implemented as a Metasploit plugin and depends on an active database. The database is used to store the list of target URLs as well as the results of the WMAP modules. To get started with WMAP, the database must be configured and at least one target URL must be added. In most cases, the information gathered from the target site is imported into WMAP through a spider, a proxy, or an export made with another tool. In the following example we use the Metasploit Framework HTTP Crawler module to add a target and demonstrate the process.
We need to install the following packages:
sudo apt-get install libxml-ruby libxml2-dev
sudo apt-get install libxslt-ruby libxslt-dev
sudo apt-get install libnokogiri-ruby
or alternatively:
sudo gem install robots
sudo gem install nokogiri
sudo gem install anemone
Start Metasploit Framework
We run the Metasploit Framework console (msfconsole):
$ ./msfconsole
(ASCII art banner omitted)
       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 669 exploits - 345 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12131 updated today (2011.03.25)

msf >
We select the database driver (this tutorial uses the sqlite3 driver, but the postgresql driver can also be used).
msf > db_driver sqlite3
[*] Using database driver sqlite3
Create the database
msf > db_connect wmap_test
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: wmap_test
Crawl the target
Load the HTTP crawler
msf > use scanner/http/crawler
msf auxiliary(crawler) > show options

Module options (auxiliary/scanner/http/crawler):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   MAX_MINUTES  5                yes       The maximum number of minutes to spend on each URL
   MAX_PAGES    500              yes       The maximum number of pages to crawl per URL
   MAX_THREADS  4                yes       The maximum number of concurrent requests
   Proxies                       no        Use a proxy chain
   RHOST                         yes       The target address
   RPORT        80               yes       The target port
   URI          /                yes       The starting page to crawl
   VHOST                         no        HTTP server virtual host

msf auxiliary(crawler) >
Set the target
msf auxiliary(crawler) > set RHOST www.target.com
msf auxiliary(crawler) > set RPORT 443
Run the crawl
msf auxiliary(crawler) > run
[*] Crawling https://www.target.com
[*] [00001/00500]    200 -  www.target.com - https://www.target.com/
[*]   FORM: POST /index.asp
[*] [00002/00500]    200 -  www.target.com - https://www.target.com/index.asp?lg=EN
[*]   FORM: GET /index.asp
[*]   FORM: POST /index.asp
[*] [00003/00500]    200 -  www.target.com - https://www.target.com/index.asp?lg=FR
[*]   FORM: GET /index.asp
[*]   FORM: POST /index.asp
[*] [00004/00500]    200 -  www.target.com - https://www.target.com/index.asp
[*]   FORM: POST /index.asp
[*] Crawl of https://www.target.com:443/ complete
[*] Auxiliary module execution completed
Load the WMAP plugin
msf > load wmap
[*] [WMAP 1.0] ===  et [ ] metasploit.com 2011
[*] Successfully loaded plugin: wmap
Check the HTTP crawler results
msf > wmap_sites -l
Available sites
===============

   Id  Host             Vhost           Port  # Pages  # Forms
   --  ----             -----           ----  -------  -------
   0   XXX.XXX.XXX.XXX  www.target.com  443   4        3

Note: if a specific parameter needs to be set for one of the test modules, or the value of an already defined variable needs to be changed, this can be done with the setg command.
Example:
msf > setg VHOST www.target.com
msf > setg DOMAIN target.com
msf > setg EXT .asp
msf > setg WMAP_EXCLUDE_FILE
Select the target
msf > wmap_targets -t www.target.com:443,XXX.XXX.XXX.XXX:443
To list the targets:
msf > wmap_targets -l
Defined targets
===============

   Id  Vhost           Host             Port  SSL   Path
   --  -----           ----             ----  ---   ----
   0   www.target.com  XXX.XXX.XXX.XXX  443   true

Running WMAP modules
Now that a target has been selected, the list of available WMAP modules can be obtained with the wmap_run -t command:
msf > wmap_run -t
[*] Testing target:
[*] 	Site: www.target.com (XXX.XXX.XXX.XXX)
[*] 	Port: 443 SSL: true
============================================================
[*] Testing started. Fri Mar 25 14:12:23 +0100 2011

=[ SSL testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/ssl ...
[*] Loaded auxiliary/scanner/http/cert ...

=[ Web Server testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/robots_txt ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/scanner/http/webdav_internal_ip ...
[*] Loaded auxiliary/scanner/http/webdav_website_content ...
[*] Loaded auxiliary/scanner/http/http_version ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/scanner/http/webdav_scanner ...
[*] Loaded auxiliary/scanner/http/web_vulndb ...
[*] Loaded auxiliary/scanner/http/vhost_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/open_proxy ...
[*] Loaded auxiliary/scanner/http/svn_scanner ...

=[ File/Dir testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/files_dir ...
[*] Loaded auxiliary/scanner/http/replace_ext ...
[*] Loaded auxiliary/scanner/http/dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/copy_of_file ...
[*] Loaded auxiliary/scanner/http/file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/dir_listing ...
[*] Loaded auxiliary/scanner/http/brute_dirs ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/dir_scanner ...
[*] Loaded auxiliary/scanner/http/backup_file ...
[*] Loaded auxiliary/scanner/http/trace_axd ...

=[ Unique Query testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/error_sql_injection ...
[*] Loaded auxiliary/scanner/http/blind_sql_query ...

=[ Query testing ]=
============================================================

=[ General testing ]=
============================================================
[*] Analysis completed in 52.9915919303894 seconds.
[*] Done.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Note:
For help: wmap_run -h
In data/wmap/ there are several configuration files, including a sample profile, which is enabled with wmap_run -e path/profile
If we want to limit the WMAP test to a specific set of modules, we can use a profile file.
Profiles are defined through additional arguments to the wmap_run command.
msf > wmap_run -e path/to/profile/file
The profile file contains the list of modules to run. For an example, see data/wmap/wmap_sample.profile.
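As an added illustration (not the project's own wmap_sample.profile), the profile below restricts a run to the fingerprinting and configuration checks from the "SSL testing" and "Web Server testing" groups listed above. It assumes the sample profile's format of one module name per line, with lines starting with '#' ignored; the module names are the ones shown in the wmap_run -t output.

```text
#
# Example WMAP profile (added here, not the project's wmap_sample.profile).
# Assumed format: one module per line, '#' lines are comments.
# Scope: passive fingerprinting and server configuration checks only.
#
auxiliary/scanner/http/ssl
auxiliary/scanner/http/cert
auxiliary/scanner/http/http_version
auxiliary/scanner/http/options
auxiliary/scanner/http/robots_txt
```

Loading it with wmap_run -e path/to/this/file keeps the run to these five modules instead of "ALL wmap enabled modules", which is what you want when the engagement scope excludes directory brute forcing or query tests.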
Conclusion
To run the modules, we run wmap_run -e:
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*] 	Site: www.target.com (XXX.XXX.XXX.XXX)
[*] 	Port: 443 SSL: true
============================================================
[*] Testing started. Fri Mar 25 14:14:33 +0100 2011
Reports
Currently, WMAP scan results are stored in the database.
The database can be used to build custom reporting tools, or it can be queried directly from the console:
msf > db_notes
[*] Time: Fri Mar 25 13:15:21 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=http.vhost data={:name=>"www.target.com"}
[*] Time: Fri Mar 25 13:15:21 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=ssl.certificate data={:cn=>"www.target.com", :subject=>[["serialNumber", "xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx", xx], ["C", "US", 19], ["O", "www.target.com", 19], ["OU", "TX", 19], ["OU", "See www.trust.com/resources/cps (c)11", 19], ["OU", "Domain Control Validated - QuickSSL(R) Premium", 19], ["CN", "www.target.com", 19]], :algorithm=>"sha1WithRSAEncryption"}
[*] Time: Fri Mar 25 13:15:38 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=HTTP_OPTIONS data="OPTIONS, TRACE, GET, HEAD, POST"
[*] Time: Fri Mar 25 13:23:19 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/intro.htm Code: 200"
[*] Time: Fri Mar 25 13:33:15 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/css Code: 301"
[*] Time: Fri Mar 25 13:33:24 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/images Code: 301"
[*] Time: Fri Mar 25 13:33:37 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/script Code: 301"
[*] Time: Fri Mar 25 13:34:23 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/script Code: 404"
[*] Time: Fri Mar 25 13:44:58 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/css/ Code: 403"
[*] Time: Fri Mar 25 13:45:29 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/images/ Code: 403"
[*] Time: Fri Mar 25 13:46:00 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/script/ Code: 403"
msf > db_vulns
[*] Time: Fri Mar 25 13:15:40 UTC 2011 Vuln: host=XXX.XXX.XXX.XXX port=443 proto=tcp name=HTTP-TRACE-ENABLED refs=BAhbByIIQ1ZFIg4yMDA1LTMzOTg= ,BAhbByIIQ1ZFIg4yMDA1LTM0OTg= ,BAhbByIKT1NWREIiCDg3Nw== ,BAhbByIIQklEIgoxMTYwNA== ,BAhbByIIQklEIgk5NTA2 ,BAhbByIIQklEIgk5NTYx
msf >
The vulnerability reference information is base64-encoded, so we have to decode it. We can use openssl for this.
msf > echo "BAhbByIIQ1ZFIg4yMDA1LTMzOTg=" | openssl base64 -d
[*] exec: echo "BAhbByIIQ1ZFIg4yMDA1LTMzOTg=" | openssl base64 -d

[CVE"2005-3398
msf >
Now we can use this data to gather more detailed information about the reported vulnerability.
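The bytes behind each refs= blob are a Ruby Marshal 4.8 dump of a two-element array (["CVE", "2005-3398"]), which is why the openssl output above shows a stray "[" and a quote around the reference. The script below, an added example rather than code from the page or from Metasploit, is the kind of small reporting tool the "Reports" section suggests building on top of the database: it parses constructed sample lines in the db_notes / db_vulns output format shown above, decodes the reference blobs by hand (no Marshal.load on data the tool did not produce, since that is a deserialization risk), groups FILE/DIRECTORY findings by status code, and flags TRACE among the allowed methods, which is the condition the HTTP-TRACE-ENABLED finding reports. The host placeholder and the reference blobs are the ones on the page; the sample lines are constructed.

```ruby
require 'base64'

# Constructed sample lines in the format that db_notes and db_vulns print in the
# walkthrough (same placeholder host, same refs blobs as the page).
SAMPLE_NOTES = <<~NOTES
  [*] Time: Fri Mar 25 13:15:38 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=HTTP_OPTIONS data="OPTIONS, TRACE, GET, HEAD, POST"
  [*] Time: Fri Mar 25 13:23:19 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/intro.htm Code: 200"
  [*] Time: Fri Mar 25 13:33:15 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=FILE data="/css Code: 301"
  [*] Time: Fri Mar 25 13:44:58 UTC 2011 Note: host=XXX.XXX.XXX.XXX service=https type=DIRECTORY data="/css/ Code: 403"
NOTES

SAMPLE_VULN = '[*] Time: Fri Mar 25 13:15:40 UTC 2011 Vuln: host=XXX.XXX.XXX.XXX port=443 proto=tcp ' \
              'name=HTTP-TRACE-ENABLED refs=BAhbByIIQ1ZFIg4yMDA1LTMzOTg= ,BAhbByIKT1NWREIiCDg3Nw== ,BAhbByIIQklEIgoxMTYwNA=='

NOTE_RE = /Note: host=(?<host>\S+) service=(?<service>\S+) type=(?<type>\S+) data="(?<data>.*)"\s*\z/
VULN_RE = /Vuln: host=(?<host>\S+) port=(?<port>\d+) proto=(?<proto>\S+) name=(?<name>\S+) refs=(?<refs>.*?)\s*\z/

# Read one Marshal-encoded integer (non-negative forms only) at pos; returns [value, new_pos].
def read_marshal_int(raw, pos)
  b = raw.getbyte(pos)
  pos += 1
  case b
  when 0 then [0, pos]
  when 1..4                                   # next b bytes, little-endian
    n = 0
    b.times { |i| n |= raw.getbyte(pos + i) << (8 * i) }
    [n, pos + b]
  when 5..127 then [b - 5, pos]               # small ints are stored offset by 5
  else raise ArgumentError, "unexpected Marshal integer byte #{b}"
  end
end

# Read a Marshal string node at pos. Dumps from Ruby >= 1.9 wrap the string in an
# 'I' node with trailing ivars (the :E encoding flag); the page's blobs do not.
def read_marshal_string(raw, pos)
  wrapped = raw.getbyte(pos) == 0x49                                       # 'I'
  pos += 1 if wrapped
  raise ArgumentError, "expected a string node" unless raw.getbyte(pos) == 0x22  # '"'
  len, pos = read_marshal_int(raw, pos + 1)
  str = raw.byteslice(pos, len).force_encoding(Encoding::UTF_8)
  pos += len
  if wrapped
    count, pos = read_marshal_int(raw, pos)
    count.times do
      key_tag = raw.getbyte(pos)                      # ':' symbol or ';' symlink
      klen, pos = read_marshal_int(raw, pos + 1)
      pos += klen if key_tag == 0x3a                  # skip the symbol name bytes
      val_tag = raw.getbyte(pos)
      pos += 1
      if val_tag == 0x22                               # string value: skip it
        vlen, pos = read_marshal_int(raw, pos)
        pos += vlen
      elsif val_tag != 0x54 && val_tag != 0x46         # 'T' / 'F' carry no payload
        raise ArgumentError, "unsupported ivar value tag #{val_tag}"
      end
    end
  end
  [str, pos]
end

# Decode one refs= blob: base64 of a Marshal 4.8 dump of [source, id].
def decode_ref(b64)
  raw = Base64.strict_decode64(b64.strip)
  raise ArgumentError, "not a Marshal 4.8 dump" unless raw.byteslice(0, 2) == "\x04\x08".b
  raise ArgumentError, "expected an array" unless raw.getbyte(2) == 0x5b  # '['
  count, pos = read_marshal_int(raw, 3)
  items = []
  count.times do
    item, pos = read_marshal_string(raw, pos)
    items << item
  end
  items
end

def parse_notes(text)
  text.each_line.map do |line|
    m = NOTE_RE.match(line)
    m && { host: m[:host], service: m[:service], type: m[:type], data: m[:data] }
  end.compact
end

def parse_vuln(line)
  m = VULN_RE.match(line) or raise ArgumentError, "not a db_vulns line"
  refs = m[:refs].split(",").map(&:strip).reject(&:empty?).map { |b| decode_ref(b).join("-") }
  { host: m[:host], port: m[:port].to_i, name: m[:name], refs: refs }
end

# Group FILE/DIRECTORY notes by the HTTP status code the scanner recorded.
def paths_by_status(notes)
  notes.each_with_object(Hash.new { |h, k| h[k] = [] }) do |n, acc|
    next unless %w[FILE DIRECTORY].include?(n[:type])
    path, code = n[:data].match(/\A(\S+) Code: (\d+)\z/)&.captures
    acc[code] << path if code
  end
end

# TRACE in the allowed methods is the condition behind the HTTP-TRACE-ENABLED finding.
def trace_enabled?(notes)
  notes.any? { |n| n[:type] == "HTTP_OPTIONS" && n[:data].split(/,\s*/).include?("TRACE") }
end

if __FILE__ == $0
  notes = parse_notes(SAMPLE_NOTES)
  puts "TRACE enabled: #{trace_enabled?(notes)}"
  paths_by_status(notes).sort.each { |code, paths| puts "#{code}: #{paths.join(', ')}" }
  v = parse_vuln(SAMPLE_VULN)
  puts "#{v[:name]} on #{v[:host]}:#{v[:port]} -> #{v[:refs].join(', ')}"
end
```

Decoded this way, the three blobs in the sample line become CVE-2005-3398, OSVDB-877 and BID-11604, which is what the openssl output was showing minus the Marshal framing bytes. Feeding the real db_notes / db_vulns output (or a dump of the notes and vulns tables) to parse_notes and parse_vuln gives the same structures for a full report.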
As pentesters, we want to investigate each finding in depth and identify whether methods for potential attacks exist.
To get CVE details we can use Google: