Offensive Thinking


Ratproxy, Metasploit WMAP and AUR

Posted: 2009-07-18

Yes, long time no post. Most of those who know me personally know why, and that’s enough.

I’ve been playing around with the newest Metasploit from SVN lately, having a look at the WMAP plugin. It’s a plugin for exploiting web applications; it is still rough around the edges, but already quite usable. It currently includes neither a spidering engine nor an HTTP proxy that would update its database of available targets while you browse the site, so you have two options: either provide all target URLs by hand, or use the included patch for Ratproxy.

Ratproxy is a passive auditing tool for web applications that runs as an HTTP man-in-the-middle proxy. If you patch it for WMAP support, it logs every URL passing through it to the WMAP database you specified with the -b switch.

I’m not gonna go into details on how to use WMAP with Ratproxy, as others have already done so. There are only two things I’d like to share:

First, the “load db_sqlite3” command in the linked explanations is deprecated; use “db_driver sqlite3” instead to load it explicitly (it is the default anyway).

Second, in the newest Metasploit SVN version, “wmap_run” seems to accept a “profile” argument to the -e switch, so you don’t have to run all matching exploits, only those you selected:

msf > wmap_run -h
[*] Usage: wmap_run [options]
    -h              Display this help text
    -t              Show all matching exploit modules
    -e [profile]    Launch profile test modules against all matched
                    targets. No profile runs all enabled modules.

There seems to be no documentation for this feature, but looking at the source code you can see that you have to create a text file containing the names of the exploits you want to run, and then pass the name of this text file to -e. The exploit names have to be given without the full path, e.g. “options” instead of “auxiliary/scanner/http/options”. This is a rather nice improvement, because prior to this you could only go for the shotgun approach of testing all or nothing. I guess they’re gonna improve this further in the future; it would be nice to also be able to choose your exploits directly in the msf console, for example.
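To make the profile rule above concrete, here is a small Ruby sketch of that selection logic. It is an added example, not WMAP’s own code: it assumes the profile holds one short module name per line (blank lines and lines starting with # ignored) and matches each name against the last path component of the loaded module list; the module paths and the profile contents are constructed.

```ruby
# Added illustration of the wmap_run -e profile rule described above.
# Not WMAP's own code: assumes one short module name per line in the profile,
# matched against the last path component of each full module name.

# Constructed list of module paths, in the form Metasploit prints them.
LOADED_MODULES = %w[
  auxiliary/scanner/http/options
  auxiliary/scanner/http/dir_listing
  auxiliary/scanner/http/robots_txt
  auxiliary/scanner/http/version
  auxiliary/scanner/http/vhost_scanner
].freeze

# Constructed profile file content: short names only, one per line.
# Blank lines and '#' comments are skipped (an assumption of this sketch).
SAMPLE_PROFILE = <<~PROFILE
  # only the checks I want for this run
  options
  robots_txt

  dir_listing
  nonexistent_check
PROFILE

# Turn profile text into a list of short module names.
def parse_profile(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

# Return [selected, missing]: the full module paths whose last component
# appears in the profile (keeping load order), plus any profile names that
# matched nothing, so a typo in the profile is visible instead of silent.
def select_modules(profile_names, modules)
  wanted = profile_names.to_a
  selected = modules.select { |m| wanted.include?(File.basename(m)) }
  missing = wanted - selected.map { |m| File.basename(m) }
  [selected, missing]
end

if __FILE__ == $PROGRAM_NAME
  names = parse_profile(SAMPLE_PROFILE)
  selected, missing = select_modules(names, LOADED_MODULES)
  puts 'Would run:'
  selected.each { |m| puts "  #{m}" }
  puts "No such module: #{missing.join(', ')}" unless missing.empty?
end
```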

For Arch users, I have added a Ratproxy PKGBUILD to the AUR which automatically applies the WMAP patch for your convenience, in case you also wanna play around with this.