Navigation

Entries in WMAP (2)

Monday
Oct272008

Basic Reporting in Metasploit wmap

Well today I was pleasantly surprised when I did an SVN update and saw several changes to wmap, when reading the documentation I was even more surprised by seeing that basic reporting was added!!! know this is something that I have always found laking in MSF and seeing it in wmap really makes me happy, I do hope that the project keeps improving like it has been so far.
Information from the documentation:

Each module is capable of storing reporting information.
Reporting key concepts:

+ Reporting is used to gather and store data
+ Bye bye to useless risk levels
+ Data is not only findings (i.e vulnerabilities) but also any relevant
data (i.e. Database name from a SQL injection)
+ Data is available to other modules so reporting becomes a method to
share information
+ Data has context and that context is preserved.
+ Context is preserved by having a tree structure in the Report database
table
+ Every report entry has a parent_id the top parent_id is 0 and only used
to create a report entry (this allows for the storage of multiple reports)
+ The report table is basically a type,name,value database.
+ This schema allows the storage of data/vulnerabilities with any classification/naming
convention. (very useful to store vulnerabilities discovered in year 2060).

So how it works:

When q module is executed (using WMAP 'wmap_run -e' or standalone):

WMAP creates a new report entry, then in each module when something is found or
something needs to be reported the module should implement the following lines:

Example:

if (vulnerability is found)
print_status("FOUND BLAH BLAH BLAH")

#OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target)
rep_id = wmap_base_report_id(
self.target_host,
self.target_port,
self.ssl
)

# REPORT ABOUT THE FINDING
vuln_id = wmap_report(rep_id,'VULNERABILITY','SQL_INJECTION',url_path,"A SQL injection
vulnerability was found in the following URL in the parameter 'test'")

# LETS SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND THE TYPE
# OF INJECTION.

NOTE: wmap_report() returns the id of this entry

wmap_report(vuln_id,'SQL_INJECTION','PARAMETER',parameter,"Notes balh blah")
wmap_report(vuln_id,'SQL_INJECTION','TYPE','String',"Notes 2 balh blah")
end


If you are connected to a database (db_connect) then reporting is active and every module executed will
store its results for reporting. Even if you define a RHOSTS range then the results auto-magically will
be organized per host,port as wmap_base_report_id() returns the last available report for the specified
host,port,ssl target.

Anything can be represented and reported and other modules will have access to this information to do
whatever they want.

To view available reports use the 'wmap_reports' command:

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.2 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect
[*] Successfully connected to the database
[*] File: /Users/et/.msf3/sqlite3.db
...
msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Wed Oct 22 23:22:16 -0500 2008 XX.XXX.XXX.XXX,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report [Wed Oct 22 23:22:16 -0500 2008]
WEB_SERVER TYPE: Apache [Wed Oct 22 23:22:16 -0500 2008]
VULNERABILITY SQL_INJECTION: /test.asp SQL injection found. [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION PARAMETER: id [Wed Oct 22 23:22:31 -0500 2008]
SQL_INJECTION TYPE: String [Wed Oct 22 23:22:31 -0500 2008]
[*] Done.

Sunday
Oct122008

Metasploit WMAP Web Attack and Exploitation

Recently in the SVN for Metasploit 3.2 the wmap tools for web exploitation and assessment where added to the framework, this tools are developed by Efrain Torres and can be run individually or automated as auxiliary modules., at the time of this post it is still in the early stages but I wanted to start getting familiar with the tools and techniques. We will be using ratproxy and patch it to be used in this example of the automated way of attack inside of Backtrack3. Before starting one must get the latest version of Metasploit from the svn trunk this is easily done by running “svn update” inside the /msf3 folder which is a link to /pentest/exploits/framework3 in backtrack3.

building proxy:

cd /root

wget http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz

tar xvzf ratproxy-1.51.tar.gz

patch -d /root/ratproxy < /msf3/external/ratproxy/ratproxy_wmap.diff

cd ratproxy

make

before we run the proxy you have to create the new db since the one included in the data folder has a problem with it's schema at least in my version of the SVN. you can accomplish this in msfconsole

bt msf3 # ./msfconsole


888 888 d8b888

888 888 Y8P888

888 888 888

88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888

888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888

888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888

888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b.

888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888

888

888

888



=[ msf v3.2-testing

+ -- --=[ 305 exploits - 173 payloads

+ -- --=[ 20 encoders - 6 nops

=[ 74 aux


msf > load db_wmap

[*] =[ WMAP v0.1 - ET LoWNOISE

[*] Successfully loaded plugin: db_wmap_sqlite3

msf > wmap_destroy

msf > wmap_create

[*] Creating a new database instance...

[*] Successfully connected to the database

[*] File: /pentest/exploits/framework3/data/wmap/wmap_sqlite3.db

msf >

now that we have a clean db we can run the proxy

./ratproxy -v /msf3/data/wmap/ -b wmap_sqlite3.db

ratproxy version 1.51-beta by

[!] WARNING: Running with no 'friendly' domains specified. Many cross-domain

checks will not work. Please consult the documentation for advice.

[*] Proxy configured successfully. Have fun, and please do not be evil.

[+] Accepting connections on port 8080/tcp (local only)...

we configure our browser to use localhost port 8080 as the proxy and we browse our target site

as an example I will browse a local server in my lab called acme.com, I will simply browse with Firefox for the example but other automated tools that support proxies can be used and in a real life engagement will provide better results like httptrack or even wget to mirror the website for later evaluation, once we have browsed most of the links we now can load the information in to Metasploit

msf > wmap_connect

[*] Successfully connected to the wmap database

[*] File: /pentest/exploits/framework3/data/wmap/wmap_sqlite3.db

[*] Reloading targets...

[*] Added. www.acme.com 80 0


now that we have loaded the website in to the DB we have to chose this website as our target so we print the information in the db by running wmap_targets with the -p option this will print all sites in the db, then we select the site that will become our target by using the -s option and the number of the site


msf > wmap_targets -p

[*] Id. Host Port SSL

[*] 1. www.acme.com 80

[*] Done.

msf > wmap_targets -s 1

msf > wmap_targets -p

[*] Id. Host Port SSL

[*] => 1. www.acme.com 80

[*] Done.

Then we check what exploit modules match the info in the database by running the wmap_run with the -t option

msf > wmap_run -t

[*] Loaded auxiliary/scanner/http/version ...

[*] Loaded auxiliary/scanner/http/frontpage ...

[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...

[*] Loaded auxiliary/scanner/http/frontpage_login ...

[*] Loaded auxiliary/scanner/http/writable ...

[*] Loaded auxiliary/scanner/http/wmap_backup_file ...

[*] Loaded auxiliary/scanner/http/wmap_files_dir ...

[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...

[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...

[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...

[*] Analysis completed in 1.69395589828491 seconds.

[*] Done.

The version of Metasploit from the SVN currently has the following modules that can be used either in an automated way or individualy:

auxiliary/scanner/http/frontpage FrontPage Server Extensions Detection

auxiliary/scanner/http/frontpage_login FrontPage Server Extensions Login Utility

auxiliary/scanner/http/lucky_punch HTTP Microsoft SQL Injection Table XSS Infection

auxiliary/scanner/http/version HTTP Version Detection

auxiliary/scanner/http/wmap_backup_file HTTP Backup File Scanner

auxiliary/scanner/http/wmap_blind_sql_query HTTP Blind SQL Injection GET QUERY Scanner auxiliary/scanner/http/wmap_brute_dirs HTTP Directory Brute Force Scanner

auxiliary/scanner/http/wmap_files_dir HTTP Interesting File Scanner

auxiliary/scanner/http/wmap_replace_ext HTTP File Extension Scanner

auxiliary/scanner/http/wmap_vhost_scanner HTTP Virtual Host Brute Force Scanner

auxiliary/scanner/http/writable HTTP Writable Path PUT/DELETE File Access

Next we set the general options for the attack, this are DOMAIN so as to indicate the domain part that will be used for the directory and sub domain brute force, then we will set the RHOSTS option that will be the IP address or IP range so that the modules will be able to perform the virtualhost enumeration and last the EXT option that will help to identify files for several of the attacks. I would recommend running each of the auxiliary modules in a lab individually so as to become better familiarized with them and their variables.


msf > setg DOMAIN acme.com

DOMAIN => acme.com

msf > setg RHOSTS 10.1.1.23

RHOSTS => 10.1.1.23

msf > setg EXT .asp

EXT => .asp

once the global variables are set we can perform the attack, this is achieved by running wmap_run with the -e option to run all the exploit modules

msf > wmap_run -e

[*] Launching auxiliary/scanner/http/version WMAP_SERVER against www.darkoperator.com:80

[*] 10.1.1.23 is running Microsoft-IIS/6.0

[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against www.darkoperator.com:80

[*] http://10.1.1.23:80 is running Microsoft-IIS/6.0

[*] FrontPage not found on http://10.1.1.23:80 [404 Not Found]

[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against www.acme.com:80

[*] Sending request with random domain vDuwT.acme.com

[*] NOT Found admin.acme.com

[*] NOT Found services.acme.com

[*] NOT Found webmail.acme.com

[*] NOT Found console.acme.com

[*] NOT Found apps.acme.com

[*] Vhost found mail.acme.com

.............

as you can see the information is displayed on screen, after taking a look at the db file I notice that no information of what was found and not found was not saved to it. This is a feature in development in fact it is not released as stable, but as we can see this is the beginning of the attack framework inside of Metasploit, I hope they incorporate features like reporting in to Metasploit in the near future as more an more is made automated in Metasploit and as a consultant that might be under time constraint during engagements having the information on the db so a to script the creation of reports or a module that would generate reports would be of great help. I can only wait now for new stuff to appear and surprise me in Metasploit up to know I have been happily surprise with what I have seen so far.