Metasploit是一个极其强大的渗透测试框架,包含了巨量模块。但是,模块数量众多,使得在使用的时候也很不方便。于是就有了WMAP。这个工具可以一次运用多个模块,并将结果保存在数据库中,十分方便。
由于在学习过程中,在百度上搜索时没能找到WMAP的较为专门描述的文章,就打算翻译一个英文教程,让大家的学习更方便。
以下是文章正文:
什么是WMAP?
WMAP 是一款最初由 SQLMap 创建而来的多功能网络应用漏洞扫描器.这个工具整合在Metasploit中,并且可以从Metasploit Framework中启动进行 网站扫描.
用WMAP进行漏洞扫描
我们首先要创建一个数据库来保存我们的 WMAP 扫描结果, 加载 “wmap” 插件, 然后输入 “help”来看看我们多了哪些新命令可以使用.
msf > load wmap.-.-.-..-.-.-..---..---. | | | || | | || | || |-‘ `-----‘`-‘-‘-‘`-^-‘`-‘[WMAP 1.5.1] === et [ ] metasploit.com 2012[*] Successfully loaded plugin: wmap msf > helpwmap Commands ============= Command Description ------- ----------- wmap_modules Manage wmap modules wmap_nodes Manage nodes wmap_run Test targets wmap_sites Manage sites wmap_targets Manage targets wmap_vulns Display web vulns...snip...
wmap命令 ================= 命令 描述 ---------- ---------------------------- wmap_modules 管理wmap模块 wmap_nodes 管理结点 wmap_run 测试目标 wmap_sites 管理站点 wmap_targets 管理目标 wmap_vulns 显示扫描到的漏洞
在进行扫描之前, 我们需要用 “wmap_sites”.和“-a”参数来添加一个新的目标url. 然后, 执行 “wmap_sites -l” 命令打印出所有已添加目标.
msf > wmap_sites -h [*]Usage: wmap_targets [options] -h Display this help text -a [url] Add site (vhost,url) -l List all available sites -s [id] Display site structure (vhost,url|ids) (level) msf > wmap_sites -a http://172.16.194.172 [*] Site created. msf > wmap_sites -l [*] Available sites =============== Id Host Vhost Port Proto # Pages # Forms -- ---- ----- ---- ----- ------- ------- 0 172.16.194.172 172.16.194.172 80 http 0 0
msf > wmap_sites -h [*] Usage: wmap_sites [options] -h 显示帮助说明 -a [url] 添加站点(vhost,url) -d [ids] 删除站点(用空格将id隔开) -l 列出所有站点 -s [id] 显示url结构 (vhost,url|ids) (level)
接着, 用 “wmap_targets”命令添加一个目标.
msf > wmap_targets -h[*] Usage: wmap_targets [options] -h Display this help text -t [urls] Define target sites (vhost1,url[space]vhost2,url) -d [ids] Define target sites (id1, id2, id3 ...) -c Clean target sites list -l List all target sites msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php
msf > wmap_targets -h [*] Usage: wmap_targets [options] -h 显示帮助说明 -t [urls] 用url将已经添加的一个或者多个站点定义为目标。url用空格隔开。(vhost1,url[space]vhost2,url) -d [ids] 用id将已经添加的一个或者多个站点定义为目标。 id用逗号隔开。(id1, id2, id3 ...) -c 清除目标列表 -l 显示所有目标
添加目标后, 我们可以用 ‘-l’ 显示所有目标.
msf > wmap_targets -l [*] Defined targets =============== Id Vhost Host Port SSL Path -- ----- ---- ---- --- ---- 0 172.16.194.172 172.16.194.172 80 false /mutillidae/index.php
用“wmap_run” 命令就可以开始扫描目标了.
msf > wmap_run -h[*] Usage: wmap_run [options] -h Display this help text -t Show all enabled modules -m [regex] Launch only modules that name match provided regex. -p [regex] Only test path defined by regex. -e [/path/to/profile] Launch profile modules against all matched targets. (No profile file runs all enabled modules.)
msf > wmap_run -h [*] Usage: wmap_run [options] -h 显示帮助说明 -t 显示所有可用模块 -m [regex] 启用名字匹配正则表达式的模块. -p [regex] 只测试匹配正则表达式的路径. -e [/path/to/profile] 对所有匹配的目标启用配置中的模块. (若无配置,则启用所有可用模块.)
我们可以用 “-t” 参数来列出扫描中将要用到的模块.
msf > wmap_run -t
[*] Testing target:
[*] Site: 192.168.1.100 (192.168.1.100)
[*] Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*]
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
..snip...
msf >
剩下的步骤就是对我们的目标启动 WMAP扫描.
msf > wmap_run -e [*]Using ALL wmap enabled modules. [-]NO WMAP NODES DEFINED. Executing local modules [*]Testing target: [*]Site: 172.16.194.172 (172.16.194.172) [*]Port: 80 SSL: false ============================================================ [*]Testing started. 2012-06-27 09:29:13 -0400 [*] =[ SSL testing ]= ============================================================ [*]Target is not SSL. SSL modules disabled. [*] =[ Web Server testing ]= ============================================================ [*]Module auxiliary/scanner/http/http_version [*]172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 ) [*]Module auxiliary/scanner/http/open_proxy [*] Module auxiliary/scanner/http/robots_txt ..snip... ..snip... ..snip... [*]Module auxiliary/scanner/http/soap_xml [*]Path: / [*]Server 172.16.194.172:80 returned HTTP 404 for /. Use a different one. [*]Module auxiliary/scanner/http/trace_axd [*]Path: / [*]Module auxiliary/scanner/http/verb_auth_bypass [*] =[ Unique Query testing ]= ============================================================ [*]Module auxiliary/scanner/http/blind_sql_query [*]Module auxiliary/scanner/http/error_sql_injection [*]Module auxiliary/scanner/http/http_traversal [*]Module auxiliary/scanner/http/rails_mass_assignment [*]Module exploit/multi/http/lcms_php_exec [*] =[ Query testing ]= ============================================================ [*] =[ General testing ]= ============================================================ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Launch completed in 212.01512002944946 seconds. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [*]Done.
扫描结束后, 我们可以查看数据库,看看 WMAP给我们找到了什么有趣的东西.
msf > wmap_vulns -l [*] + [172.16.194.172] (172.16.194.172): scraper / [*] scraper Scraper [*] GET Metasploitable2 - Linux [*] + [172.16.194.172] (172.16.194.172): directory /dav/ [*] directory Directory found. [*] GET Res code: 200 [*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/ [*] directory Directoy found. [*] GET Res code: 403...snip...msf >
上面的信息告诉我们 WMAP 找到了一个可用漏洞. 执行“vulns” 命令来查看详细信息.
msf > vulns[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561 msf >
用了WMAP进行 漏洞扫描 后, 我们能够使用这些扫描结果来对报告的漏洞收集更深入的信息. 作为渗透测试人员, 我们要更深入的调查每个发现,并找出是否有潜在的攻击方法.
总结一下WMAP的用法:
msf>wmap_sites -a url 添加url
msf>wmap_targets -t url 添加目标
msf>wmap_run -e 开搞
msf>vulns 查看漏洞详细信息