Ratproxy, Metasploit WMAP and AUR
Yes, long time no post. (Most) of those who know me personally do know why, and that’s enough.
I’ve been playing around with the newest Metasploit from SVN lately, having a look at the WMAP plugin. It’s a plugin for exploiting web applications and still rough around the edges, but already quite usable. It currently does not include either a spidering engine or an HTTP proxy to update its database of available targets while browsing the site, so you have two options: either provide all target URLs by hand or use the included patch for Ratproxy.
Ratproxy is a passive auditing tool for web applications, running as an HTTP MITM proxy. If you patch it for WMAP support, it will log all URLs passing through it to the WMAP database you specified with the
First, the “load db_sqlite3” command in the linked explanations is deprecated; use “db_driver sqlite3” instead to load it explicitly, though it’s the default anyway.
Second, in the newest Metasploit SVN version, “wmap_run” seems to have a “profile” option for the -e switch, so you don’t have to run all matching exploits, but only those you selected:
msf > wmap_run -h
[*] Usage: wmap_run [options]
    -h            Display this help text
    -t            Show all matching exploit modules
    -e [profile]  Launch profile test modules against all matched targets. No profile runs all enabled modules.
There seems to be no documentation for this feature, but looking at the source code you can see that you have to create a text file with the names of the exploits you want to run. Then you provide the name of this text file to -e. The exploit names have to be the names without the full path, e.g. “options” instead of “auxiliary/scanner/http/options”. This is a rather nice improvement, because prior to this, you could only go for the shotgun approach of testing all or nothing. I guess they’re gonna improve this further in the future; it would be nice to also be able to choose your exploits directly in the msf console, for example.
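To make the profile-file behaviour concrete, here is a small added example (my own Ruby, not Metasploit’s wmap code) that simulates the matching rule described above: a profile lists short module names, one per line, and each is matched against the last path component of the full module names. The module list, the profile contents and the handling of blank lines and “#” comments are all assumptions I constructed for the demo; the useful part for a practitioner is that it reports profile entries that match no module, so a typo doesn’t silently turn into an empty run.

```ruby
# Added example: simulates how a WMAP-style "-e profile" file might select
# modules by short name. This is NOT Metasploit's own code; the matching
# rule (short name == last path component) is taken from the post above.
require 'tempfile'

# Constructed sample of full module paths, as msfconsole would list them.
AVAILABLE_MODULES = %w[
  auxiliary/scanner/http/options
  auxiliary/scanner/http/dir_scanner
  auxiliary/scanner/http/trace
  auxiliary/scanner/http/robots_txt
].freeze

# Parse a profile file: one short module name per line. Blank lines and
# '#' comments are ignored (an assumption for this demo, not documented).
def read_profile(path)
  File.readlines(path, chomp: true)
      .map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
end

# Select the modules whose last path component matches a profile entry.
# Returns [selected_full_names, unmatched_profile_entries] so a typo in
# the profile is reported instead of silently running nothing.
def select_modules(profile_names, available = AVAILABLE_MODULES)
  by_short = available.group_by { |m| m.split('/').last }
  selected = profile_names.flat_map { |n| by_short.fetch(n, []) }
  unmatched = profile_names.reject { |n| by_short.key?(n) }
  [selected, unmatched]
end

# Writes a constructed profile to a temp file and runs the selection end to end.
def demo
  Tempfile.create('wmap_profile') do |f|
    f.puts '# constructed profile for the demo'
    f.puts 'options'
    f.puts 'dir_scanner'
    f.puts 'robots_tx' # deliberate typo to show the unmatched report
    f.flush
    select_modules(read_profile(f.path))
  end
end

if __FILE__ == $PROGRAM_NAME
  selected, unmatched = demo
  puts "would run: #{selected.join(', ')}"
  warn "no module named: #{unmatched.join(', ')}" unless unmatched.empty?
end
```

Running it prints the two modules that would be launched and warns about “robots_tx”; in real use that warning is the check worth having before pointing wmap_run at anything.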