WMAP is a framework for scanning web applications, designed to be used as a plugin of the Metasploit Framework. It has a simple but extremely powerful architecture compared with the other open source and commercial alternatives currently on the market. The simplicity of this plugin lies in the fact that it does not depend on any search engine or web browser to capture and manipulate data.
The libraries that must be installed before running the plugin on a Debian/Ubuntu system are:
sudo apt-get install libxml-ruby
sudo apt-get install libxml2-dev
sudo apt-get install libxslt-dev
sudo apt-get install libnokogiri-ruby
gem install libxslt-ruby
gem install msgpack
PostgreSQL
The first thing we will do is create a new database to store the results of the analysis.
stuxnet@stuxnet:~$ sudo su postgres
[sudo] password for stuxnet:
postgres@stuxnet:/home/stuxnet$ createuser metasploit -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) y
postgres@stuxnet:/home/stuxnet$ createdb --owner=metasploit metasploit
Then in a terminal, type the following:
sudo /etc/init.d/postgresql start
With the database created, we open the Metasploit console and type:
msf > db_connect metasploit:metasploit@127.0.0.1:5432/metasploit
Where:
User: metasploit (replace with your user)
Passwd: metasploit (replace with your password)
With the database in place, we load WMAP.
msf > load wmap
We then proceed to convert it into a target.
msf > wmap_sites -s 0 1
msf > wmap_targets -t www.twitter.com,199.59.148.10
msf > set DOMAIN www.twitter.com
msf > wmap_targets -l
We then list the modules that will be loaded and run against the target.
msf > wmap_run -t
Once the modules are loaded, we launch them against the target site to carry out the security test.
msf > wmap_run -e
Once the scan has completed, we check whether any vulnerabilities were found.
msf > hosts -c address,svcs,vulns
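The database setup above creates the metasploit role as a superuser, and the sample db_connect string uses the role name as its password. The following Ruby sketch is an added example, not part of the original tutorial or of Metasploit: it parses a db_connect argument and lists weak settings before the string is used. The function names, the 12-character minimum and the second sample string are assumptions made for illustration.

```ruby
# Added example (not Metasploit code): lint a db_connect argument.
require 'ipaddr'

MIN_PASSWORD_LENGTH = 12 # assumed policy value, adjust to your own

# Parse "user:pass@host[:port]/database" (hostname or IPv4 host).
# The password may contain ':' or '@', so split on the first ':' of the
# credentials and on the last '@' of the whole string.
def parse_db_connect(arg)
  creds, _, target = arg.rpartition('@')
  raise ArgumentError, 'expected user:pass@host[:port]/database' if creds.empty?
  user, _, password = creds.partition(':')
  hostport, _, database = target.partition('/')
  host, _, port = hostport.partition(':')
  raise ArgumentError, 'missing user, host or database' if [user, host, database].any?(&:empty?)
  { user: user, password: password, host: host,
    port: port.empty? ? 5432 : Integer(port, 10), database: database }
end

# True for "localhost" and loopback IP literals; other names count as remote.
def loopback?(host)
  host == 'localhost' || IPAddr.new(host).loopback?
rescue ArgumentError # IPAddr raises a subclass of this for non-IP strings
  false
end

# Return a list of findings; superuser: is the answer given to createuser's
# "Shall the new role be a superuser?" prompt.
def audit_db_connect(arg, superuser: false)
  c = parse_db_connect(arg)
  pw = c[:password]
  findings = []
  findings << 'password is empty' if pw.empty?
  findings << 'password equals the role name' if !pw.empty? && pw == c[:user]
  findings << "password is shorter than #{MIN_PASSWORD_LENGTH} characters" if pw.length.between?(1, MIN_PASSWORD_LENGTH - 1)
  findings << 'role is a PostgreSQL superuser' if superuser
  findings << "database host #{c[:host]} is not loopback" unless loopback?(c[:host])
  findings
end

# The tutorial's string as written, then a constructed stronger one.
[['metasploit:metasploit@127.0.0.1:5432/metasploit', true],
 ['msf_scan:c0nstructed-Sample:p@ss@localhost/msf', false]].each do |arg, su|
  findings = audit_db_connect(arg, superuser: su)
  puts "#{arg.split(':').first}: #{findings.empty? ? 'ok' : findings.join('; ')}"
end
```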