root@bt4:/pentest/exploits/framework3# wget http://ratproxy.googlecode.com/files/ratproxy-1.58.tar.gz
 
--2009-06-29 21:41:02-- http://ratproxy.googlecode.com/files/ratproxy-1.58.tar.gz
 
Resolving ratproxy.googlecode.com... 74.125.93.82
Connecting to ratproxy.googlecode.com|74.125.93.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 168409 (164K) [application/x-gzip]
Saving to: `ratproxy-1.58.tar.gz'
100%[===================================>] 168,409 201K/s 
in 0.8s 2009-06-29 21:41:03 (201 KB/s) - `ratproxy-1.58.tar.gz' saved [168409/168409]
 
root@bt4:/pentest/exploits/framework3# tar -zxvf ratproxy-1.58.tar.gz
 
Unpacked
 
root@bt4:/pentest/exploits/framework3/ratproxy# patch -d . < /pentest/exploits/framework3/external/ratproxy/ratproxy_wmap.diff
 
patching file Makefile
patching file ratproxy.c
patching file http.c
 
root@bt4:/pentest/exploits/framework3/ratproxy# make
 
Compiled no errors.

Теперь, когда мы пропатчили ratproxy, все готово к работе, мы создадим соединение через ratproxy. Для начала откроем Firefox и перейдем по пунктам меню, Edit, Preferences, Advanced, Network, Settings, Manual proxy configuration, выберем "use this for all protocols" и в поле HTTP прокси, выберите Localhost 8080.
Сначала нужно настроить подключение к нашей базе данных.

root@bt4:/pentest/exploits/framework3# ./msfconsole 
=[ msf v3.3-dev
+ -- --=[ 381 exploits - 231 payloads
+ -- --=[ 20 encoders - 7 nops
 =[ 156 aux
 
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create wmap.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmap.db
msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect wmap.db
[*] Successfully connected to the database
[*] File: wmap.db

В другом окне терминала или вкладке, запускаем ratproxy с полным логированием, указав на нашу базу данных.

root@bt4:/pentest/web/ratproxy# ./ratproxy -v /pentest/exploits/framework3/ -b wmap.db
ratproxy version 1.58-beta by lcamtuf@google.com
 
[!] WARNING: Running with no 'friendly' domains specified. Many cross-domain
checks will not work. Please consult the documentation for advice.
 
[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...

Теперь все работает, мы переходим к нашему целевому сайту. Будьте готовы провести некоторое время на сайте, для заполнения базы данных достаточной информацией для работы Metasploit.
Как только мы закончим просматривая целевой сайт, мы вернемся к нашей сессии Metasploit и посмотрим, что мы захватили.

msf > wmap_targets -r 
[*] Added. 10.211.55.140 80 0
msf > wmap_targets -p
[*] Id. Host Port SSL
[*] 1. 10.211.55.140 80
[*] Done.
msf > wmap_targets -s 1 
msf > wmap_website 
[*] Website structure
[*] 10.211.55.140:80 SSL:0
ROOT_TREE
| sql
| +------Default.aspx
[*] Done.
 
msf > wmap_run -t 
[*] Loaded auxiliary/scanner/http/wmap_soap_xml ...
[*] Loaded auxiliary/scanner/http/wmap_webdav_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_cert ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/frontpage ...
[*] Loaded auxiliary/admin/http/tomcat_manager ...
[*] Loaded auxiliary/scanner/http/wmap_verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_ssl ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_copy_of_file ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/ms09_xxx_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Analysis completed in 0.863369941711426 seconds.
[*] Done.
msf > wmap_run -e

WMAP будет использовать файл базы данных и начнет атаку на сайт. Как правило, это занимает некоторое время, так как WMAP содержит значительное количество модулей для атак. Чтобы прекратить выполнение модуля и перейти к следующему, во время атаки достаточно нажать комбинацию клавиш "Control-C".
Подождите завершение процесса и запустите команды, указанные ниже.

msf > wmap_reports
[*] Usage: wmap_reports [options]
-h Display this help text
-p Print all available reports
-s [id] Select report for display
-x [id] Display XML report
 
msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Fri Jun 26 08:35:58 +0000 2009 10.211.55.140,80,0
[*] Done.
msf > wmap_reports -s 1
WMAP REPORT: 10.211.55.140,80,0 Metasploit WMAP Report [Fri Jun 26 08:35:58 +0000 2009]
WEB_SERVER WEBDAV: ENABLED [Fri Jun 26 08:38:15 +0000 2009]
WEB_SERVER OPTIONS: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH [Fri Jun 26 08:38:15 +0000 2009]
WEB_SERVER TYPE: Microsoft-IIS/6.0 ( Powered by ASP.NET ) [Fri Jun 26 08:38:18 +0000 2009]
FILE NAME: /sql/default.aspx File /sql/default.aspx found. [Fri Jun 26 08:39:02 +0000 2009]
FILE RESP_CODE: 200 [Fri Jun 26 08:39:02 +0000 2009]
DIRECTORY NAME: /Ads/ Directory /Ads/ found. [Fri Jun 26 08:39:37 +0000 2009]
DIRECTORY NAME: /Cch/ Directory /Cch/ found. [Fri Jun 26 08:44:10 +0000 2009]