=[ WMAP v0.3                                ET LoWNOISE  et[]metasploit.com
---------------------------------------------------------------------------
                        "Metasploit goes Web", H D Moore.


=[ Intro.

WMAP is a general purpose web application scanning framework for
Metasploit 3. The architecture is simple, and that simplicity is what makes
it powerful. It is a different approach compared to other open source
alternatives and commercial scanners, as WMAP is not built around any browser
or spider for data capture and manipulation.


=[ How it works.

In the WMAP design, the attack proxy acts as a data gathering tool. All
traffic between the client(s) (i.e. your favorite browser and/or spider) and
the target passes through the proxy and is stored in the MSF database. (See
figure.)

[CLIENT] ----- [ATTACK PROXY] ----- [TARGET]
                      |                 ^ 
               [METASPLOIT DB]          |
                      |                 |
            [MSF 3 - WMAP SCANNER]      | 
            [MSF 3 - WMAP MODULES] -----+

WMAP is a Metasploit plugin that interacts with the database, reading all
gathered traffic, processing it and launching the different tests
implemented as modules. As WMAP modules are MSF modules they are easy to
implement, and they can be run manually from the command line or automatically
via WMAP.

As you can see, this simple architecture allows you to have different
distributed clients and even different proxies, all storing data in the
central repository. Remember that everything is based on Metasploit: the test
modules are implemented as auxiliary modules and they can interact with any
other MSF component, including the database, exploits and plugins.


=[ WMAP Modules.
 	 
The test modules implemented at this time are basic and will improve over
time in both quality and quantity, so you are more than welcome to
submit new modules.

Each module has a WMAP type; this determines when the module is launched and,
to a certain degree, the minimum information it requires to be
executed. The best way to develop a new test for WMAP is to use an already
implemented module as a base and then develop a normal MSF module that can
be run manually from the command line. To enable the module to be run
automatically via WMAP, just include the mixin that determines the type
of the module.

	Example:

	include Auxiliary::WMAPScanFile

The following are the types of modules implemented at this time and they are
listed in the order WMAP runs them:

WMAPScanServer      - Run once against the target Web Server
WMAPScanDir         - Runs for every directory found in the target 
WMAPScanFile        - Runs for every file found in the target
WMAPScanUniqueQuery - Runs for every unique query found in each request to the 
                      target 
WMAPScanQuery       - Runs for every query found in each request to the target
WMAPScanBody        - Runs for every Body found in each request to the target
WMAPScanHeaders     - Runs for every Header found in each request to the target
WMAPScanGeneric     - Modules to be run after all tests complete. Good place to
                      perform passive analysis of responses, analysis of test
                      results to launch other modules (i.e. exploits). 
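The list above says when each module type is launched, but not what "every directory", "every file" or "every unique query" amounts to once the proxy has filled the database. The following is an added example, not WMAP's own code: a small Ruby model that takes a constructed set of captured requests and derives the work units for each type, in the order WMAP runs the types. The request hash layout, the helper names (directories_of, unique_query_key, wmap_work_units, wmap_schedule), the image-extension exclude pattern and the rule that a "unique query" is the same path with the same parameter names are all this example's assumptions.

```ruby
require 'uri'

# Constructed sample of requests an attack proxy would have stored in the MSF
# database (the hash layout is this example's own, not the WMAP schema).
CAPTURED_REQUESTS = [
  { method: 'GET',  url: 'http://192.168.2.10/index.asp',
    headers: { 'User-Agent' => 'Mozilla' }, body: nil },
  { method: 'GET',  url: 'http://192.168.2.10/images/logo.gif',
    headers: { 'User-Agent' => 'Mozilla' }, body: nil },
  { method: 'GET',  url: 'http://192.168.2.10/menu/menu.asp?id=1',
    headers: { 'User-Agent' => 'Mozilla', 'Cookie' => 'sid=abc' }, body: nil },
  { method: 'GET',  url: 'http://192.168.2.10/menu/menu.asp?id=2',
    headers: { 'User-Agent' => 'Mozilla', 'Cookie' => 'sid=abc' }, body: nil },
  { method: 'POST', url: 'http://192.168.2.10/login.asp',
    headers: { 'User-Agent' => 'Mozilla' }, body: 'user=a&pass=b' },
]

# Files matching this pattern are not tested. WMAP skips image files by
# default (and takes a regex via WMAP_EXCLUDE_FILE); the exact pattern used
# here is an assumption of this example.
DEFAULT_EXCLUDE = /\.(gif|jpe?g|png|ico)\z/i

# Every directory on the way to a path: "/menu/menu.asp" -> ["/", "/menu"]
def directories_of(path)
  parts = path.split('/').reject(&:empty?)[0...-1]   # drop the file component
  (0..parts.length).map { |n| '/' + parts.first(n).join('/') }
end

# A query is "unique" when the path and the parameter *names* are the same:
# "id=1" and "id=2" on the same page count as one unique query (assumption).
def unique_query_key(uri)
  names = URI.decode_www_form(uri.query).map(&:first).uniq.sort
  "#{uri.path}?#{names.join('&')}"
end

# Work units for each module type, keyed in the order WMAP runs the types.
def wmap_work_units(requests, exclude: DEFAULT_EXCLUDE)
  uris = requests.map { |r| URI.parse(r[:url]) }
  with_query = uris.select { |u| u.query && !u.query.empty? }
  server = uris.first
  {
    'WMAPScanServer'      => ["#{server.host}:#{server.port}"],   # run once
    'WMAPScanDir'         => uris.flat_map { |u| directories_of(u.path) }.uniq,
    'WMAPScanFile'        => uris.map(&:path).reject { |p| p =~ exclude }.uniq,
    'WMAPScanUniqueQuery' => with_query.map { |u| unique_query_key(u) }.uniq,
    'WMAPScanQuery'       => with_query.map { |u| "#{u.path}?#{u.query}" },
    'WMAPScanBody'        => requests.map { |r| r[:body] }.compact,
    'WMAPScanHeaders'     => requests.flat_map { |r| r[:headers].keys }.uniq,
    'WMAPScanGeneric'     => [:all_results],   # after all other tests complete
  }
end

# Flattened run list: [type, unit] pairs, types in WMAP's launch order.
def wmap_schedule(units)
  units.flat_map { |type, list| list.map { |unit| [type, unit] } }
end

if __FILE__ == $0
  wmap_schedule(wmap_work_units(CAPTURED_REQUESTS)).each do |type, unit|
    puts format('%-20s %s', type, unit)
  end
end
```

Running it shows why the type matters for cost: the server module fires once, the directory and file modules fire once per unique path (logo.gif is dropped by the exclude pattern), and the two requests to menu.asp produce two WMAPScanQuery units but only one WMAPScanUniqueQuery unit.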

=[ Reporting.

Each module is capable of storing reporting information.
Reporting key concepts:

	+ Reporting is used to gather and store data.
	+ Bye bye to useless risk levels.
	+ Data is not only findings (i.e. vulnerabilities) but also any relevant
	  data (i.e. the database name obtained from a SQL injection).
	+ Data is available to other modules, so reporting becomes a method to
	  share information.
	+ Data has context and that context can be preserved.
	+ Context is preserved by having a tree structure in the Report database
	  table.
	+ Every report entry has a parent_id; the top parent_id is 0 and is only used
	  to create a report entry (this allows the storage of multiple reports).
	+ The report table is basically a type,name,value database.
	+ This schema allows the storage of data/vulnerabilities with any
	  classification/naming convention (very useful to store vulnerabilities
	  discovered in the year 2060).

	So how it works:

	When a module is executed (via WMAP with 'wmap_run -e' or standalone),
	WMAP creates a new report entry. Then, in each module, when something is
	found or something needs to be reported, the module should implement the
	following lines:

	Example:

	if vulnerable   # i.e. the test found a vulnerability
		print_status("FOUND BLAH BLAH BLAH")

		# OBTAIN THE LATEST REPORT ID FOR HOST,PORT,SSL (target)
		rep_id = wmap_base_report_id(
			wmap_target_host,
			wmap_target_port,
			wmap_target_ssl
		)

		# REPORT ABOUT THE FINDING
		vuln_id = wmap_report(rep_id, 'VULNERABILITY', 'SQL_INJECTION', url_path,
			"A SQL injection vulnerability was found in the following URL in the parameter 'test'")

		# LET'S SAY WE NEED TO STORE ALSO THE PARAMETER VULNERABLE TO THE INJECTION AND
		# THE TYPE OF INJECTION. NOTE: wmap_report() returns the id of this entry, so
		# the two entries below are stored as children of the VULNERABILITY entry.
		wmap_report(vuln_id, 'SQL_INJECTION', 'PARAMETER', parameter, "Notes blah blah")
		wmap_report(vuln_id, 'SQL_INJECTION', 'TYPE', 'String', "Notes 2 blah blah")
	end

	
	If you are connected to a database (db_connect) then reporting is active
	and every module executed will store its results for reporting. Even if
	you define an RHOSTS range, the results will auto-magically be organized
	per host,port, as wmap_base_report_id() returns the last available report
	for the specified host,port,ssl target.

	Anything can be represented and reported, and other modules will have access
	to this information to do whatever they want.

	To view available reports use the 'wmap_reports' command:

	msf > db_driver
	[*]	Active Driver: sqlite3
	[*]        Available: sqlite3, mysql
	msf > load db_wmap
	[*] =[ WMAP v0.3 - ET LoWNOISE
	[*] Successfully loaded plugin: db_wmap
	msf > db_connect
	[*] Successfully connected to the database
	[*] File: /Users/et/.msf3/sqlite3.db
	...
	msf > wmap_reports -p
	[*] 	Id. Created				Target (host,port,ssl)
		1.  Wed Oct 22 23:22:16 -0500 2008	XX.XXX.XXX.XXX,80,0
	[*] Done.
	msf > wmap_reports -s 1
	WMAP REPORT: XX.XXX.XXX.XXX,80,0 Metasploit WMAP Report 	[Wed Oct 22 23:22:16 -0500 2008]
	WEB_SERVER TYPE: Apache  					[Wed Oct 22 23:22:16 -0500 2008]
	VULNERABILITY SQL_INJECTION: /test.asp 	SQL injection found.    [Wed Oct 22 23:22:31 -0500 2008]
	SQL_INJECTION PARAMETER: id					[Wed Oct 22 23:22:31 -0500 2008]
	SQL_INJECTION TYPE: String					[Wed Oct 22 23:22:31 -0500 2008]
	[*] Done.
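The report table described above (id, parent_id, type, name, value, notes, with parent_id 0 reserved for creating a report) is easy to model, and doing so shows how the tree is what preserves context and how the 'wmap_reports -s' listing is produced. The following is an added example, not WMAP's or Metasploit's code: an in-memory Ruby store whose method names mirror the wmap_report() and wmap_base_report_id() helpers but whose implementation is this example's own. The type/name pair 'WMAP','REPORT' for the top-level entry, the WmapReportStore class and the build_sample_report helper are assumptions; the sample data is constructed to match the report shown above.

```ruby
# Added example, not WMAP's own code: an in-memory model of the WMAP report
# table and of the tree rendering that 'wmap_reports -s' prints. The method
# names mirror the wmap_report() / wmap_base_report_id() helpers described in
# this README, but this is a stand-in implementation, not the Metasploit one.
class WmapReportStore
  Entry = Struct.new(:id, :parent_id, :type, :name, :value, :notes)

  def initialize
    @rows = []   # the "report" table; ids are assigned in insertion order
  end

  def find(id)
    @rows.find { |r| r.id == id }
  end

  def children(id)
    @rows.select { |r| r.parent_id == id }
  end

  # parent_id 0 is only used to create a new top-level report entry; every
  # other entry must hang off an existing one so the context (the tree) is
  # preserved. Returns the id of the new entry so callers can attach children.
  def wmap_report(parent_id, type, name, value, notes = '')
    unless parent_id == 0 || find(parent_id)
      raise ArgumentError, "unknown parent_id #{parent_id}"
    end
    entry = Entry.new(@rows.size + 1, parent_id, type, name, value, notes)
    @rows << entry
    entry.id
  end

  # Latest top-level report for a host,port,ssl target, or nil if none exists.
  # (Top-level entries are stored as type 'WMAP', name 'REPORT': an assumption.)
  def wmap_base_report_id(host, port, ssl)
    target = "#{host},#{port},#{ssl ? 1 : 0}"
    rep = @rows.select { |r|
      r.parent_id == 0 && r.type == 'WMAP' && r.name == 'REPORT' && r.value == target
    }.last
    rep && rep.id
  end

  # Depth-first walk producing "TYPE NAME: value notes" lines, indented by depth.
  def render(id, depth = 0, out = [])
    entry = find(id)
    out << (('  ' * depth) + "#{entry.type} #{entry.name}: #{entry.value} #{entry.notes}").rstrip
    children(id).each { |c| render(c.id, depth + 1, out) }
    out
  end
end

# Constructed data shaped like the sample report shown in this README.
def build_sample_report
  store = WmapReportStore.new
  store.wmap_report(0, 'WMAP', 'REPORT', '192.168.2.10,80,0', 'Metasploit WMAP Report')
  rep_id = store.wmap_base_report_id('192.168.2.10', 80, false)
  store.wmap_report(rep_id, 'WEB_SERVER', 'TYPE', 'Apache')
  vuln_id = store.wmap_report(rep_id, 'VULNERABILITY', 'SQL_INJECTION',
                              '/test.asp', 'SQL injection found.')
  # Children of the finding keep its context: which parameter, which kind of injection.
  store.wmap_report(vuln_id, 'SQL_INJECTION', 'PARAMETER', 'id')
  store.wmap_report(vuln_id, 'SQL_INJECTION', 'TYPE', 'String')
  store
end

if __FILE__ == $0
  puts build_sample_report.render(1)
end
```

Two details worth noticing: wmap_report() refuses a parent that does not exist, which is what keeps every finding attached to a report, and wmap_base_report_id() returns the last matching top-level entry, so a second run against the same host,port,ssl gets its own report and later findings land in the newest one, exactly the per-target organisation described above.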


=[ Simple example.

The following are the basic steps for testing a web server/app using WMAP: 

  1. Mentally choose a target ...;
  2. Launch a wmap enabled attack proxy;
          
     NOTE: Eventually WMAP will include its own attack proxy code and spider;
     at this time WMAP integrates very well with lcamtuf's ratproxy
     (via a patch located in the /external/ratproxy directory).

	 ratproxy (with ratproxy_wmap.diff applied) basic example:

	 $ ./ratproxy -v /Users/et/.msf3/ -b sqlite3.db -a 
   	 ratproxy version 1.51-beta by <lcamtuf@google.com>
   	 [*] Proxy configured successfully. Have fun, and please do not be evil.
   	 [+] Accepting connections on port 8080/tcp (local only)...

     NOTE: If you want to use a database other than the default MSF database,
     or the default database was destroyed, you have to create the database
     again with the 'db_create' command: 'db_create <path/database>':

         msf > db_create /dir/target_test.db
         [*] Creating a new database instance...
         [*] Successfully connected to the database
         [*] File: /dir/target_test.db

  3. Browse the target by running your favorite spider/crawler/browser etc.
     NOTE: Don't forget to configure the proxy;

  4. In Metasploit select sqlite3 using the db_driver command;

     $ ./msfconsole

                      |                    |      _) |  
       __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
       |   |   |  __/ |   (   |\__ \ |   | | (   | | |  
      _|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                                    _|                  


            =[ msf v3.2-release
     + -- --=[ 304 exploits - 172 payloads
     + -- --=[ 20 encoders - 6 nops
            =[ 74 aux

     msf > load db_driver
     [*]    Active Driver: sqlite3
     [*]        Available: sqlite3, mysql
     msf > load db_wmap
     [*] =[ WMAP v0.3 - ET LoWNOISE
     [*] Successfully loaded plugin: db_wmap

  5. Connect to the WMAP database;

     msf > db_connect
     [*] Successfully connected to the database
     [*] File: /users/et/.msf3/sqlite3.db


     msf > wmap_targets -r
     [*] Reloading targets...
     [*] Added. 192.168.1.1 80 0
     [*] Added. 192.168.2.10 80 0
     [*] Added. 192.168.5.11 80 0
     [*] Added. 192.168.1.3 80 0

  6. View available targets;

     msf > wmap_targets -p
     [*]    Id. Host                              Port    SSL
     [*]    1. 192.168.1.1                        80   
     [*]    2. 192.168.2.10                       80   
     [*]    3. 192.168.5.11                       80   
     [*]    4. 192.168.1.3                        80   
     [*] Done.
  
  7. Select target (i.e. select target.com);   

     msf > wmap_targets -s 2   
     msf > wmap_targets -p
     [*]    Id. Host                              Port    SSL
     [*]    1. 192.168.1.1                        80   
     [*] => 2. 192.168.2.10                       80   
     [*]    3. 192.168.5.11                       80   
     [*]    4. 192.168.1.3                        80   
     [*] Done.

  8. View target website structure;
     msf > wmap_website
     [*] Website structure
     [*] 192.168.2.10:80 SSL:0
     ROOT_TREE
     +------ index.asp
     |       images
     |       +------ logo.gif
     +------ login.asp
     |       menu
     |       +------ menu.asp
     |       +------ logout.asp
     |       +------ help.asp
     [*] Done.

  9. List loaded modules; 
  
     msf > wmap_run -t
     [*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
     [*] Loaded auxiliary/scanner/http/frontpage_login ...
     [*] Loaded auxiliary/scanner/http/version ...
     ...
     [*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
     [*] Analysis completed in 3.1337145306448364 seconds.
     [*] Done.

  10. If a test module requires a specific parameter to be set 
      or you want to modify the value of a predefined variable, 
      this can be done with the 'setg' command.  

      Example:

      msf > setg VHOST www.targetco.com
      VHOST => www.targetco.com		            

      msf > setg DOMAIN targetco.com
      DOMAIN => targetco.com

      msf > setg EXT .asp
      EXT => .asp

      msf > setg WMAP_EXCLUDE_FILE <regex_to_exclude_testing_files>

            NOTE: By default image files are not included in the tests.	

  11. Test the target;

      msf > wmap_run -e

            NOTE: If required, profiles can be defined in the following way:

                  wmap_run -e path/to/profile/file

                  The profile file contains the list of modules to execute.
                  See data/wmap/wmap_sample.profile for a sample.		

      [*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against 
          www.target.com:80
      [*] Sending request with random domain rGvsV.targetco.com 
      [*] NOT Found admin.targetco.com
      [*] NOT Found services.targetco.com
      [*] Vhost found webmail.targetco.com
      [*] NOT Found console.targetco.com
      [*] NOT Found apps.targetco.com
      [*] NOT Found mail.targetco.com
      [*] NOT Found intranet.targetco.com
      [*] NOT Found intra.targetco.com
      [*] NOT Found corporate.targetco.com
      [*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against 
          www.targetco.com:80
      [*] http://xxx.xxx.xxx.xxx:80 is running Apache
      [*] FrontPage not found on http://192.168.2.10:80 [302 Object Moved]
      ...
      ...
      [*] Done.

=[ TODO. 
  
This is the first release version of WMAP and, as you know, the Metasploit project
welcomes feedback, comments, ideas, patches, modules, etc. This TODO list is
more of a placeholder for the things you may see in the near future.

- Add more commands
- Add more types of reports (PDF, XML, etc.)
- Develop more modules
- Create more module types to perform tasks like response analysis
- Support other databases (only sqlite3 supported at this time)
- Develop plugins for more proxies
- Develop WMAP Proxy
- Develop WMAP Spider
- Include your idea here.


=[ EOF.		                     ET LoWNOISE  et[]metasploit.com   2008.