Metasploit是一个极其强大的渗透测试框架,包含了巨量模块。但是,模块数量众多,使得在使用的时候也很不方便。于是就有了WMAP。这个工具可以一次运用多个模块,并将结果保存在数据库中,十分方便。
由于在学习过程中,在百度上搜索时没能找到WMAP的较为专门描述的文章,就打算翻译一个英文教程,让大家的学习更方便。
以下是文章正文:
什么是WMAP?
WMAP 是一款最初由 SQLMap 创建而来的多功能网络应用漏洞扫描器.这个工具整合在Metasploit中,并且可以从Metasploit Framework中启动进行 网站扫描.
用WMAP进行漏洞扫描
我们首先要创建一个数据库来保存我们的WMAP扫描结果, 加载 “wmap” 插件, 然后输入 “help”来看看我们多了哪些新命令可以使用.
msf > load wmap.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'[WMAP 1.5.1] === et [ ] metasploit.com 2012[*] Successfully loaded plugin: wmap
msf > helpwmap Commands
=============
Command Description
------- -----------
wmap_modules Manage wmap modules
wmap_nodes Manage nodes
wmap_run Test targets
wmap_sites Manage sites
wmap_targets Manage targets
wmap_vulns Display web vulns...snip...
wmap命令
=================
命令 描述
---------- ----------------------------
wmap_modules 管理wmap模块
wmap_nodes 管理结点
wmap_run 测试目标
wmap_sites 管理站点
wmap_targets 管理目标
wmap_vulns 显示扫描到的漏洞
在进行扫描之前, 我们需要用 “wmap_sites”.和“-a”参数来添加一个新的目标url.然后, 执行 “wmap_sites -l” 命令打印出所有已添加目标.
msf > wmap_sites -h
[*]Usage: wmap_targets [options]
-h Display this help text
-a [url] Add site (vhost,url)
-l List all available sites
-s [id] Display site structure (vhost,url|ids) (level)
msf > wmap_sites -a http://172.16.194.172
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============
Id Host Vhost Port Proto # Pages # Forms
-- ---- ----- ---- ----- ------- -------
0 172.16.194.172 172.16.194.172 80 http 0 0
msf > wmap_sites -h
[*] Usage: wmap_sites [options]
-h 显示帮助说明
-a [url] 添加站点(vhost,url)
-d [ids] 删除站点(用空格将id隔开)
-l 列出所有站点
-s [id] 显示url结构 (vhost,url|ids) (level)
接着, 用 “wmap_targets”命令添加一个目标.
msf > wmap_targets -h[*] Usage: wmap_targets [options]
-h Display this help text
-t [urls] Define target sites (vhost1,url[space]vhost2,url)
-d [ids] Define target sites (id1, id2, id3 ...)
-c Clean target sites list
-l List all target sites
msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php
msf > wmap_targets -h
[*] Usage: wmap_targets [options]
-h 显示帮助说明
-t [urls] 用url将已经添加的一个或者多个站点定义为目标。url用空格隔开。(vhost1,url[space]vhost2,url)
-d [ids] 用id将已经添加的一个或者多个站点定义为目标。 id用逗号隔开。(id1, id2, id3 ...)
-c 清除目标列表
-l 显示所有目标
添加目标后, 我们可以用 ‘-l’ 显示所有目标.
msf > wmap_targets -l
[*] Defined targets
===============
Id Vhost Host Port SSL Path
-- ----- ---- ---- --- ----
0 172.16.194.172 172.16.194.172 80 false /mutillidae/index.php
用“wmap_run” 命令就可以开始扫描目标了.
msf > wmap_run -h[*] Usage: wmap_run [options]
-h Display this help text
-t Show all enabled modules
-m [regex] Launch only modules that name match provided regex.
-p [regex] Only test path defined by regex.
-e [/path/to/profile] Launch profile modules against all matched targets.
(No profile file runs all enabled modules.)
msf > wmap_run -h
[*] Usage: wmap_run [options]
-h 显示帮助说明
-t 显示所有可用模块
-m [regex] 启用名字匹配正则表达式的模块.
-p [regex] 只测试匹配正则表达式的路径.
-e [/path/to/profile] 对所有匹配的目标启用配置中的模块.
(若无配置,则启用所有可用模块.)
我们可以用 “-t” 参数来列出扫描中将要用到的模块.
msf >wmap_run -t
[*]Testing target:
[*]Site: 192.168.1.100 (192.168.1.100)
[*]Port: 80 SSL: false
[*]============================================================
[*]Testing started. 2012-01-16 15:46:42 -0500
[*]
=[ SSL testing ]=
[*]============================================================
[*]Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
[*]============================================================
[*]Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*]Loaded auxiliary/admin/http/tomcat_administration ...
[*]Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*]Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
..snip...
msf >
剩下的步骤就是对我们的目标启动 WMAP扫描.
msf > wmap_run -e
[*]Using ALL wmap enabled modules.
[-]NO WMAP NODES DEFINED. Executing local modules
[*]Testing target:
[*]Site: 172.16.194.172 (172.16.194.172)
[*]Port: 80 SSL: false
============================================================
[*]Testing started. 2012-06-27 09:29:13 -0400
[*]
=[ SSL testing ]=
============================================================
[*]Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*]Module auxiliary/scanner/http/http_version
[*]172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*]Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt
..snip...
..snip...
..snip...
[*]Module auxiliary/scanner/http/soap_xml
[*]Path: /
[*]Server 172.16.194.172:80 returned HTTP 404 for /. Use a different one.
[*]Module auxiliary/scanner/http/trace_axd
[*]Path: /
[*]Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*]Module auxiliary/scanner/http/blind_sql_query
[*]Module auxiliary/scanner/http/error_sql_injection
[*]Module auxiliary/scanner/http/http_traversal
[*]Module auxiliary/scanner/http/rails_mass_assignment
[*]Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 212.01512002944946 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*]Done.
扫描结束后, 我们可以查看数据库,看看 WMAP给我们找到了什么有趣的东西.
msf > wmap_vulns -l
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*] scraper Scraper
[*] GET Metasploitable2 - Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*] directory Directory found.
[*] GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*] directory Directoy found.
[*] GET Res code: 403...snip...msf >
上面的信息告诉我们 WMAP 找到了一个可用漏洞. 执行“vulns” 命令来查看详细信息.
msf > vulns[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
msf >
用了WMAP进行 漏洞扫描 后, 我们能够使用这些扫描结果来对报告的漏洞收集更深入的信息. 作为渗透测试人员, 我们要更深入的调查每个发现,并找出是否有潜在的攻击方法.
总结一下WMAP的用法:
msf>wmap_sites -a url 添加url
msf>wmap_targets -t url 添加目标
msf>wmap_run -e 开搞
msf>vulns 查看漏洞详细信息