
                         .-.-.-..-.-.-..---..---.
                         | | | || | | || | || |-'
                         `-----'`-'-'-'`-^-'`-' 
                           Metasploit Wmap 1.5
==============================================================================
Efrain Torres                                      et [  ] metasploit.com 2012
------------------------------------------------------------------------------

=[ 0. Intro ] ----------------------------------------------------------------

So its 2012 and before the Mayans are proven to be right I was able to create
a new version of this plugin. If you have read the old wmap documentation this
is what is going on: 

Wmap is still a general purpose web application scanning framework for 
Metasploit.  Still is a different approach compared to other open source 
alternatives and commercial scanners, as Wmap is not build around any browser 
or spider for data capture and manipulation. And the best thing is that still 
is FR33. Lots of bugs are gone and the new code allows for faster and more 
efficient execution.

=[ 1. How it works ] ---------------------------------------------------------

The old architecture (versions < 1.5):

[CLIENT] ----- [ATTACK PROXY] ----- [TARGET]
    |                 |                 ^ 
    +--------->[METASPLOIT DB]          |
                      |                 |
            [MSF 3 - Wmap SCANNER]      | 
            [MSF 3 - Wmap MODULES] -----+

The new architecture:

                                        [CLIENTS]
                                            |
                                            | 
   +-------[Wmap PLUGIN]<-----+----->[METASPLOIT DB]
   |             |            |             |
   |             |            |             | 
[NODE 1]     [NODE 2]     [NODE n] ---------+
   |             |            |   \
   |             |            |   [Wmap MODULES] 
   +---------[TARGETS]--------+    


Wmap is a Metasploit plugin and will interact with the database, reading all
gathered traffic from any client you have configured/adapted or duct taped to
store web sites, requests, responses and forms in the Metasploit DB. 

The test performed are all Metasploit modules which WMAP execute in a 
configurable order. The test modules are implemented as auxiliary or exploit 
modules and they can interact with any other MSF component including the 
database other exploits and plugins.

The new architecture allows to have different distributed clients and nodes 
all storing results and data to a central database. This means that large 
enviorments can be tested using multiple metasploit msfrcpd servers (nodes) 
controled from one (or more) WMAP consoles. Wmap will execute the tests to be 
launched from each node distributing evenly the job load across all configured 
nodes.

In case you dont want to use a distributed model wmap will detect that no 
nodes have been configured and will run the modules from the local host.


=[ 2. Crawlers,proxies and other clients ] -----------------------------------

At this time Metasploit have 4 components that may be used as clients 
to store web sites in the database: 

(1) If you have configured your database properly and use the 
auxiliary/scanner/http/crawler module, this module will create a web site 
(with related host and service) and store all requests,responses and forms 
automatically.

(2) Less known is that metasploit has a different crawler called msfcrawler 
and besides  supporting  modules to parse the responses in any way you want 
it will also  store the required data in the database.

(3) Also any module that creates a web_site in the database (e.g. 
auxiliary/scanner/http/http_version module) 
will add a site to the database that can be selected as a target in Wmap,
however the only path you will be storing will be the root path of the 
website '/'.

(4) Metasploit has the awesome 'db_import' command that allows to import
multiple scan results from many sources. For tools like Acunetix,
Burp and Appscan the results contains web_pages and forms. For the rest 
(at this time) the results will import services (no web sites, pages or 
forms associated to them). 

    msf > db_import
    Usage: db_import <filename> [file2...]

    Filenames can be globs like *.xml, or **/*.xml which will search recursively
    Currently supported file types include:
    Acunetix XML
    Amap Log
    Amap Log -m
    Appscan XML
    Burp Session XML
    ... 


Or you can add a site manually to the database using the 'wmap_sites -a' 
command (after loading the wmap plugin. See '4. Wmap Plugin'):

 msf > wmap_sites -a www.blah.net,http://192.168.0.2/
 [*] Site created. 

    Note: www.blah.net,http://192.168.0.2/ <-- is one site vhost,url
 
For other tools to store web data in the database the only hard part is to 
deal with the ruby marshalling of parameters in the web_forms table. (Topic 
for another paper). But this is one of the main issues regarding the use of 
other tools to connect to the database. However any Ruby based tool can be 
modified easily to do this. 

If you noticed the previous architecture the ATTACK PROXY has gone the way of 
the Dodo (actually not as is just another client). But i will stop mention it 
because i have been unable to create a good Ruby based MITM proxy (Sorry) 
and second because i dont want to maintain plugins for every type of proxy 
out there. Is your exercise to create custom plugins for your tools to connect
to the database, after that Wmap does not care where the data comes from.

=[ 3. The Wmap cycle ]--------------------------------------------------------

Or how every other scanner works but in wmap fancy terms.

0. Gather data from (See Crawlers,proxies and other clients) 
   targets      
1. Load the scanner (Load wmap plugin. See "4. Wmap Plugin")
2. Optional: Define nodes     (Use 'wmap_nodes'. See "6. Wmap Nodes")
3. Define targets   (Use 'wmap_sites' and 'wmap_targets'.See "5. Wmap Targets")
4. Configure        (Lots of things here)
5. Launch           (Use 'wmap_run'. See "7. Launch a scan") 
6. Enjoy WTF Moments(Priceless...)

Note: Step 2 is optional as Wmap allows you to perform distributed scans 
using multiple nodes. If no nodes are configured the scan runs as usual
running all tests from the local host.

=[ 4. Wmap Plugin ]-----------------------------------------------------------

To launch wmap open a Metasploit console and load the wmap plugin.

msf > load wmap
[*] [Wmap 1.5] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

Now that the plugin is loaded lets go through the list of basic commands:

msf > help wmap

Wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_modules  Manage wmap modules
    wmap_vulns    Display web vulns

=[ 5. Wmap Targets ]----------------------------------------------------------

The targets are selected from the sites already stored in the database. For 
example after crawling a site (See "2. Crawlers,proxies and other clients"). 
Now we can use the command 'wmap_sites' to list them:

msf > wmap_sites
[*] Usage: wmap_sites [options]
        -h              Display this help text
        -a [url]        Add site (vhost,url)
        -l              List all available sites
        -s [id]         Display site structure (vhost,url|ids) (level)

msf > wmap_sites -l
[*] Available sites
===============

     Id  Host         Vhost          Port  Proto  # Pages  # Forms
     --  ----         -----          ----  -----  -------  -------
     0   10.10.10.1   blah.xyz.com   443   https  3        2
     1   10.10.10.2   blah.xyz.com   443   https  3        2
     2   10.1.2.2     nah.test.com   443   https  1        0
     3   10.4.3.10    test.abcd.com  80    http   1        1  

Note 1: Metasploit/Wmap supports multiple Vhosts/IPs. 

Note 2: If you want to check the web site structure use the '-s site_id' flag 
like this (also especify an optional level to display):

msf > wmap_sites -s 0 1
      (First level of site 0)
msf > wmap_sites -s 0

   [10.10.10.1] (blah.xyz.com)
         |
         +-------- dir1
                    | 
                    +------ login.php
         +-------- dir2
         ....

Then from the table we can select the targets we want to scan with the
'wmap_targets' command:

msf > wmap_targets
[*] Usage: Wmap_targets [options]
        -h              Display this help text
        -t [urls]       Define target sites (vhost1,url[space]vhost2,url)
        -d [ids]        Define target sites (id1, id2, id3 ...)
        -c              Clean target sites list
        -l              List all target sites

You can define targets in two ways, using the vhost,url syntax (-t) or the 
table ids (-d)

msf > wmap_targets -t test.abcd.com,http://10.4.3.10/

msf > wmap_targets -d 0,1
[*] Loading blah.xyz.com,https://10.10.10.1:443/.
[*] Loading blah.xyz.com,https://10.10.10.2:443/.

To see the list of all the targets to scan at this time run the 
command with the (-l) flag.

msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost            Host            Port  SSL    Path
     --  -----            ----            ----  ---    ----
     0   blah.xyz.com     10.10.10.1      443   true   /
     1   blah.xyz.com     10.10.10.2      443   true   /
     2   test.abcd.com    10.4.3.10       80    false  /


=[ 6. Wmap Nodes ]------------------------------------------------------------

Wmap uses 'nodes' as a way to distribute the execution of the test against 
one or more targets. Nodes are not required to run wmap . if nodes are not 
configured and a scan is launched wmap will detect this and launch all tests 
from the local host.

The nodes are just msfrpcd servers that are created the following way:

msf>ruby msfrpcd -h

Usage: msfrpcd <options>

OPTIONS:

    -P <opt>  Specify the password to access msfrpcd
    -S        Disable SSL on the RPC socket
    -U <opt>  Specify the username to access msfrpcd
    -a <opt>  Bind to this IP address
    -f        Run the daemon in the foreground
    -h        Help banner
    -n        Disable database
    -p <opt>  Bind to this port instead of 55553
    -u <opt>  URI for Web server

msf>ruby msfrpcd -U msf -P nodepass
[*] MSGRPC starting on 192.168.0.1:55553 (SSL):Msg...
[*] MSGRPC backgrounding at 2012-01-17 11:01:01 -0600...

if you want to create a msfrpc server from the msfconsole you can do it by
loading the msgrpc plugin:

msf > load msgrpc User=msf Pass=nodepass
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: nodepass
[*] Successfully loaded plugin: msgrpc

On a later stage in the wmap console we will add such nodes so the scans can 
be distributed across all the configured nodes. so remember how you deployed 
your nodes so they can be configured in wmap.

In the metasploit console after you have loaded the wmap plugin you can add 
the previous nodes with the 'wmap_nodes' command:

msf > wmap_nodes
[*] Usage: wmap_nodes [options]
        -h                              Display this help text
        -c id                           Remove id node (Use ALL for ALL nodes
        -a host port ssl user pass      Add node
        -d host port user pass db       Force all nodes to connect to a db
        -j                              View detailed jobs
        -k ALL|id ALL|job_id            Kill jobs on node
        -l List all current nodes

msf > wmap_nodes -a 192.168.0.1 55553 true msf nodepass
[*] Connected to 192.168.0.1:55553 [4.2.0-dev].
[*] Node created.

Note: When launching msfrpcd waiht for a couple of seconds beofr adding it to 
wmap as msfrpcd sometimes is slow to start accepting connections. 

Add as many nodes you want. To see the list use 'wmap_nodes -l':

msf > wmap_nodes -l
[*] Nodes
=====

     Id  Host        Port   SSL   User  Pass      Status     #jobs
     --  ----        ----   ---   ----  ----      ------     -----
     0   127.0.0.1   55553  true  msf   nodepass  4.2.0-dev  0
     1   192.168.0.1 55553  true  msf   nodepass  4.2.0-dev  0

Note: After launching all tests this command will allow you to see if all 
your jobs have been completed (#jobs == 0).

Remember that all these commands can be added as a .rc file so you dont 
have to type again and again the loading of wmap and the configuration of 
nodes. 

After you have your nodes connected then you can force them to connect to 
the central metasploit database:

msf > wmap_nodes -d 127.0.0.1 7175 dbuser dbpass msf3
[*] db_connect {"driver"=>"postgresql", "db"=>"msf3"} 127.0.0.1:7175 OK
[*] db_connect {"driver"=>"postgresql", "db"=>"msf3"} 192.168.0.1:7175 OK
[*] OK.


=[ 7. Launch a scan ]---------------------------------------------------------

Now that database,targets and maybe nodes are set we run a scan with the 
'wmap_run' command:

msf > wmap_run
[*] Usage: wmap_run [options]
        -h                    Display this help text
        -t                    Show all enabled modules
        -m [regex]            Launch only modules that match provided regex
        -p [regex]            Only test path defined by regex..
        -e [/path/to/profile] Launch profile modules against all targets.
                              No file runs all enabled modules.

msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*]     Site: test.abcd.com (10.4.3.10)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-12-21 0:0:0 -0600
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/admin/http/http_version
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/admin/http/trendmicro_dlp_traversal
[*] Module auxiliary/scanner/http/cisco_nac_manager_traversal
....
msf >

As you see here wmap executes each of the modules against the defined targets.
(See "8. Wmap Modules") If nodes were configured it will go thru the list of 
nodes and will send a job to the less loaded node to execute the especific 
module with the required options. To force a good job distribution across the
nodes wmap has a limit of 25 jobs per node. If a node has reached the limit it
will try with the next node until there is a slot available.  

Check periodically with the 'wmap_nodes -l' command to see the current job 
status. After the asssement is complete now you can use the normal metasploit 
commands to see the results.

To view detailed job information on each node use the 'wmap_nodes' (-j) flag:

msf >wmap_nodes -j
[*] [Node #0: 127.0.0.1 Port:55553 SSL:true User:msf]
[*] Jobs
    ====

     Id  Job name                             Target          PATH
     --  --------                             ------          ----
     0   Auxiliary: scanner/http/dir_scanner  192.168.0.1:80  /
     ...


[*] [Node #1: 127.0.0.1 Port:55555 SSL:true User:msf]
[*] Jobs
    ====

     Id  Job name                             Target          PATH
     --  --------                             ------          ----
     2   Auxiliary: scanner/http/dir_scanner  192.168.0.2:80  /
     ...

Also you can kill especific jobs or all jobs from one or all nodes:

msf > wmap_nodes -k 0 ALL
[*] Node 0 Killed job id 262 Auxiliary: admin/http/tomcat_administration
[*] Node 0 Killed job id 263 Auxiliary: admin/http/tomcat_utf8_traversal
[*] Node 0 Killed job id 271 Auxiliary: scanner/http/soap_xml
[*] Node 0 Killed job id 299 Auxiliary: scanner/http/brute_dirs
[*] Node 0 Killed job id 300 Auxiliary: scanner/http/brute_dirs
[*] Node 0 Killed job id 301 Auxiliary: scanner/http/brute_dirs
....

If during the scan a node dies wmap will disable the node and will keep 
sending the jobs to the other active nodes. 

If nodes were not configured wmap will launch the tests from the 
local host the old fashion.

=[ 8. Wmap Modules ] ---------------------------------------------------------

Wmap modules are normal Metasploit modules. Each module has a WMAP type, 
this determine when the module is launched and to a certain degree,the minimum 
type of information it requires to be executed. The best way to develop a new 
test for wmap, is to use already implemented modules as a base and then 
develop a normal MSF module that can be run manually from the command line. To
enable a module to be run automatically via wmap just include the mixin that 
determine the type of the module (Means: just add the example string to a 
module and use the correct type).  

    Example:

    include Auxiliary::WmapScanFile

The following are the types of modules implemented at this time and they are
listed in the order WMAP runs them:

WmapScanSSL         - Run once against a SSL server
WmapScanServer      - Run once against a target Web Server
WmapScanDir         - Runs for every directory found in the target 
WmapScanFile        - Runs for every file found in the target
WmapScanUniqueQuery - Runs for every unique query found in each request to the 
                      target 
WmapScanQuery       - Runs for every query found in each request to the target
WmapScanGeneric     - Modules to be run after all tests complete.Good place to
                      perform passive analysis of responses, analysis of test
                      results to launch other modules (i.e. exploits). 

Note: Multiple mixins can be included in a module if needed.

The execution order not only is handled by the wmap type but also it can be 
adjusted across all modules by defining a wmap orderid number using the 
'register_wmap_options' method. 

Using http_version.rb module as an example:

Class Metasploit3 < Msf::Auxiliary

 # Exploit mixins should be called first
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::WmapScanServer
 # Scanner mixin should be near last
 include Msf::Auxiliary::Scanner

 def initialize
  super(
   'Name'        => 'HTTP Version Detection',
   ...
  )
  
  register_wmap_options({
   'OrderID' => 0,
   'Require' => {},
  })
  ...    

'OrderID' Numeric value that represents the order ALL modules will be executed
          You can see the modules and orderid with the 'wmap_modules -l' 
          command:

          msf > wmap_modules -l
    

'Require' Array of all the modules orderids that are required to be executed 
          and finished first before the curent module. (This specific 
          funtionality is still in the works, but the objective is to have 
          modules to provide results as input to other modules.)
    
Wmap enabled modules can be reloaded using the wmap_modules -r command. 
  
=[ 9. RANDOM NOTES ]----------------------------------------------------------
       
Because every test is a module the datastore is sent to the module in the node
for execution. If a module you create needs a specific option set before 
launch just set it in the console as a regular variable. For example:

msf > set DOMAIN abcd.com
DOMAIN => abcd.com
msf >

This is usefull if you want to include exploits in the testing and not only 
auxiliary modules. WMAP looks for wmap enabled modules in ALL auxiliary and 
exploit modules.  

Also if you have asked yourself why there are commands that receive not only 
table id but the ugly vhost,url syntax for site and target definition is 
because this allows to do complex scripts, so be creative.

If you see a Reauth message in WMAP is because the XMLRPC token is not valid 
and a reauthentication to the nodes is required. But dont worry wmap does that
automaticaly for you.
  
=[ 10. Results ]--------------------------------------------------------------

Modules may report results as notes (notes) , vulnerabilities (vulns) and/or
web vulnerabilities (web vulns). As notes and general vulnerabilities can be
displayed using the metasploit commands 'notes' and 'vulns', Wmap implements
'wmap_vulns' to display the results stored in the web_vulns db table. The 
reporting is basic at this time , however the Metasploit database can be
easily accessed to fullfill your reporting needs.

Note: Always check 'notes', 'vulns' and 'wmap_vulns' for results.
  

=[ 11. TO DO ]----------------------------------------------------------------

- The quality of the scan depends on the quality of the modules. So please 
contribute more modules and improvements. If you dont contribute , you dont 
have the right to complain. The only key issues to consider are:

 + The module should follow metasploit guidelines
 + Add the right mixin(s)
 + The module should store the right data and results in the database
 + Always use report_vuln or report_web_vuln to report output from a 
   module as report_note overwrites results if 'type' is the same.
 + The module has to have a clear purpose!!!! 
   Is better to have multiple modules with simple tasks/objectives that 
   one that does everything. 
 + The variables/options used in the datastore have to be the same between 
   wmap and the module so wmap can pass the right information to it.
   Usually this is the naming convention to use for the options:

   OptString:

   'VHOST'  = HTTP Virtual Host
   'METHOD' = HTTP Method
   'PATH'   = HTTP URI Path.
   'QUERY'  = HTTP URI Query usually in the param1=value1& form.
   'DATA'   = HTTP Data. In a POST request is the body of the request.
              Usually in the param1=value1& form.
   'HEADERS'= HTTP headers (header1=value1;..)
   
   OptBool:
   
   'VERBOSE'= Verbose flag.	 

   Note: This naming convention may change. However if this naming 
   convention is used any changes can be implemented easily.

- Also if you want to take the big task of developing a ruby MITM proxy for 
metasploit that will be very helpfull for the project. 
 
=[ Disclaimer ]---------------------------------------------------------------
I dont work for R7. XD 
==============================================================================
                                                   et [  ] metasploit.com 2012

												   
