不乱于心,不困于情。
不畏将来,不念过往。如此,安好。

WMAP网络扫描仪

什么是WMAP?

WMAP是功能丰富的Web应用程序漏洞扫描程序,最初是通过名为SQLMap的工具创建的。该工具与Metasploit集成在一起,使我们能够从Metasploit框架内进行Web应用程序扫描。

使用WMAP进行漏洞扫描

首先,我们首先创建一个新数据库来存储WMAP扫描结果,加载wmap插件,然后运行 help 以查看哪些新命令可供我们使用。

msf > load wmap
.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

msf >  help

wmap Commands
=============

    Command       Description
    -------       -----------
    wmap_modules  Manage wmap modules
    wmap_nodes    Manage nodes
    wmap_run      Test targets
    wmap_sites    Manage sites
    wmap_targets  Manage targets
    wmap_vulns    Display web vulns

...snip...

在运行Web应用程序扫描之前,我们首先需要通过将 -a 传递给wmap_sites来添加新的目标URL 。然后,运行wmap_sites -l将打印出可用的目标。

msf > wmap_sites -h
[*]  Usage: wmap_targets [options]
	-h        Display this help text
	-a [url]  Add site (vhost,url)
	-l        List all available sites
	-s [id]   Display site structure (vhost,url|ids) (level)

	
msf > wmap_sites -a http://172.16.194.172
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host            Vhost           Port  Proto  # Pages  # Forms
     --  ----            -----           ----  -----  -------  -------
     0   172.16.194.172  172.16.194.172  80    http   0        0

接下来,我们使用wmap_targets将站点添加为目标。

msf > wmap_targets -h
[*] Usage: wmap_targets [options]
	-h 		Display this help text
	-t [urls]	Define target sites (vhost1,url[space]vhost2,url) 
	-d [ids]	Define target sites (id1, id2, id3 ...)
	-c 		Clean target sites list
	-l  		List all target sites


msf > wmap_targets -t http://172.16.194.172/mutillidae/index.php

添加后,我们可以使用控制台中的-l开关查看目标列表。

msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost           Host            Port  SSL    Path
     --  -----           ----            ----  ---    ----
     0   172.16.194.172  172.16.194.172  80    false	/mutillidae/index.php

使用wmap_run命令将扫描目标系统。

msf > wmap_run -h
[*] Usage: wmap_run [options]
	-h                        Display this help text
	-t                        Show all enabled modules
	-m [regex]                Launch only modules that name match provided regex.
	-p [regex]                Only test path defined by regex.
	-e [/path/to/profile]     Launch profile modules against all matched targets.
	                          (No profile file runs all enabled modules.)

我们首先使用-t开关列出将用于扫描远程系统的模块。

msf > wmap_run -t

[*] Testing target:
[*] 	Site: 192.168.1.100 (192.168.1.100)
[*] 	Port: 80 SSL: false
[*] ============================================================
[*] Testing started. 2012-01-16 15:46:42 -0500
[*] 
=[ SSL testing ]=
[*] ============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
[*] ============================================================
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/admin/http/trendmicro_dlp_traversal ...
...snip...

msf >

现在剩下的就是对我们的目标URL实际运行WMAP扫描。

msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] 	Site: 172.16.194.172 (172.16.194.172)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2012-06-27 09:29:13 -0400
[*] 
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[*] 172.16.194.172:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/scanner/http/robots_txt

...snip...
...snip...
...snip...

[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Server 172.16.194.172:80 returned HTTP 404 for /.  Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 212.01512002944946 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.

扫描完成执行后,我们看一下数据库,看看WMAP是否找到了感兴趣的东西。

msf > wmap_vulns -l
[*] + [172.16.194.172] (172.16.194.172): scraper /
[*] 	scraper Scraper
[*] 	GET Metasploitable2 - Linux
[*] + [172.16.194.172] (172.16.194.172): directory /dav/
[*] 	directory Directory found.
[*] 	GET Res code: 200
[*] + [172.16.194.172] (172.16.194.172): directory /cgi-bin/
[*] 	directory Directoy found.
[*] 	GET Res code: 403

...snip...

msf >

查看以上输出,我们可以看到WMAP报告了一个漏洞。正在运行的外伤将为我们列出详细信息。

msf > vulns
[*] Time: 2012-01-16 20:58:49 UTC Vuln: host=172.16.2.207 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561

msf >

由于我们使用WMAP进行漏洞扫描,因此我们现在可以使用这些结果来收集有关所报告漏洞的更多信息。作为测试者,我们希望进一步调查每个发现,并确定是否存在潜在的攻击方法。

赞(0)
未经允许不得转载:seo优化_前端开发_渗透技术 » WMAP网络扫描仪