Masaryk University Faculty of Informatics

The use of Metasploit tool in development lifecycle

Bachelor’s Thesis

Miroslav Maceček

Brno, Spring 2016

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Miroslav Maceček

Advisor: RNDr. Petr Švenda, Ph.D.


Acknowledgement

I would like to express my gratitude to my colleagues and friends for their support. I would like to thank my advisor RNDr. Petr Švenda, Ph.D. for his patience.

Abstract

This bachelor thesis explores the use of Metasploit in the web application development process. It first describes the structure and general workflow of the open source Metasploit Framework. It then describes Wmap, the most extensive plugin for web application testing. This plugin is tested against the Mutillidae II application, which contains a large number of known vulnerabilities, and the success of this test is evaluated. The text also describes several ways of creating customized test scenarios, which are used to evaluate the OwnCloud and LimeSurvey applications.

Keywords

Metasploit, penetration testing, web application, development process, Mutillidae II


Contents

1 Introduction
2 Metasploit
2.1 Metasploit Framework Components
2.1.1 Libraries
2.1.2 Interfaces
2.1.3 Modules
2.1.4 Mixins and Plugins
2.2 General Workflow
3 Wmap Plugin
3.1 List of modules
3.1.1 wmap_ssl
3.1.2 wmap_server
3.1.3 wmap_dir
3.1.4 wmap_file
3.1.5 wmap_unique_query
3.1.6 Managing modules
4 Test Environment
4.1 Mutillidae II
4.2 LimeSurvey
4.3 OwnCloud
5 Use of the Metasploit
5.1 Mapping the Application
5.2 Discovering Vulnerabilities
5.3 Analyzing the Results
5.3.1 Mutillidae II Results
5.3.2 LimeSurvey Results
5.3.3 OwnCloud Results
6 Test Automation
6.1 Resource Scripts
6.2 Plugins
6.3 Auxiliary Module Custom Commands
6.4 Custom Auxiliary Modules
6.5 Metasploit Remote API
6.6 Ruby Programming
7 Creating Resource Script
8 Conclusion
Bibliography
A An appendix

1 Introduction

Web applications play an important role in today's world. They perform a lot of useful functions and are used daily by a significant number of people. Many users rely on them without realising that none of them is 100% secure. Some applications contain or handle financial transactions, personal information, and classified or private documents. Such data attract attackers seeking a way to gain unauthorized access to them and eventually to sell them or release them publicly. Every successful attack can cause significant losses to the owners and to the companies responsible for the data. Penetration testing was introduced to prevent such damage. The purpose of this thesis is to explore the possibilities of Metasploit[1] as a tool for web application penetration testing. This verification consists of running and evaluating tests on Mutillidae II[2], an application with known vulnerabilities. A large portion of the text describes the Wmap plugin.


2 Metasploit

Metasploit Project was started in 2003 by H. D. Moore as a project to provide a public resource for exploit development. One of its most famous sub-projects is Metasploit Framework. It was originally written in Perl, but it was completely rewritten in Ruby in 2007. This originally open source project was acquired by the commercial security company Rapid7 in 2009[3].

2.1 Metasploit Framework Components

Metasploit Framework is a modular system based on a few core components: libraries, interfaces, modules, mixins, and plugins[4].

2.1.1 Libraries

At the core of Metasploit Framework are libraries. These libraries contain a set of classes and utilities that manage the various parts of Metasploit Framework, such as modules, plugins, and interfaces.

∙ REX - Ruby Extension Library, is the most fundamental component of Metasploit Framework. It handles sockets, protocols, servers and text transformations.

∙ Core - The Core library (msfcore) provides the basic API. It enables exploits, sessions, and plugins to interact with the different interfaces.

∙ Base - The Base library (msfbase) provides wrapper routines and utility classes for easier work with the Core library.

2.1.2 Interfaces

There are several interfaces that can be used to access and utilize the functionality of Metasploit Framework.

∙ MSFconsole - The console interface, also known as msfconsole, provides an easy and interactive way to access the features and options within Metasploit Framework.


∙ MSFgui - MSFgui is a Java based graphical interface that provides the same functionality as the console with the additional benefits of a GUI. Additionally, msfgui enables you to connect to a remote msfrpcd session on a remote host.

∙ MSFcli - MSFcli runs directly from the command line. MSFcli enables you to automate exploit testing without the use of an interactive interface.

∙ Armitage - Armitage is a graphical user interface that visually streamlines the features within the Metasploit Framework, such as host discovery, server-side and client-side exploitation, pivoting, and privilege escalation.

2.1.3 Modules

Modules are the core components of Metasploit Framework. A module is a piece of software that performs a specific action, such as exploitation or scanning. Each task that can be performed with Metasploit Framework is defined within a module. The available modules are located in the directory /metasploit/msf3/modules. There are several module types, which depend on the purpose of the module and the type of action it performs.

∙ Exploit - Executes a sequence of commands to target a specific vulnerability in order to provide the attacker with access to the targeted system.

∙ Auxiliary - Performs arbitrary actions such as information gathering, database fingerprinting, and network scanning.

∙ Post-Exploitation - Enables the attacker to gather more information or to gain further access.

∙ Payload - The shell code that runs after an exploit successfully compromises a system. The payload lets the attacker define how to connect to the shell and what to do on the target system.


∙ NOP generator - Generates a series of random bytes that can be used to bypass standard IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) NOP sled signatures.

∙ Payload encoder - A payload encoder enables the attacker to evade IDS and IPS signatures that look for specific bytes of a payload.

2.1.4 Mixins and Plugins

A mixin provides a way of sharing code between modules. A plugin works directly with the API; it is a component that extends, enhances or alters the functionality of the Metasploit Framework.

2.2 General Workflow

The following section provides a brief description of the general workflow for the Metasploit Framework.

∙ Choose a module - The type of module to use is defined by the purpose of the task. All modules can be listed with the show all command. If the user already knows what kind of module is needed, the search can be narrowed down by entering show followed by one of the module types from 2.1.3, e.g. show payloads. The selected module is then loaded with the use command for further work.

∙ Configure the module - Available options for the loaded module can be displayed with show options. If an option is marked as required, the user must specify a value for it; otherwise it can be left empty.

∙ Set the options - Options are specified with the set and unset commands. Changes made with these commands apply only within the current module context.

∙ Select a target - Before running an exploit module, the user has to choose a vulnerable target. The list of potential targets can be displayed with show targets.


∙ Select a payload - After selecting the target, the user can display the list of payloads for the given vulnerability with show payloads. The chosen payload is selected with the set command.

∙ Run the module - The command for running an exploit module is exploit; auxiliary modules are started with run.

3 Wmap Plugin

Wmap is a web application scanner for Metasploit whose design was originally derived from the SQLMap tool[5]. It is integrated into Metasploit Framework and consists of several modules. "As of Metasploit Framework version 3.3.2, every exploit module has been assigned a rank based on its potential impact to the target system."[6] Nearly all of the 39 default modules have the normal ranking, which means that "The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect."[6] There is one exception, the module exploit/multi/http/lcms_php_exec, which has the excellent ranking (the exploit will never crash the service). Since there is no available data supporting this ranking system, I did not consider it meaningful or reliable. The plugin is capable of reading all gathered traffic stored in the Metasploit database. A test run executes all enabled modules, and the user may configure nodes for distributed clients that store all results in the central database. If no nodes are configured, the test runs from the local host.

3.1 List of modules

3.1.1 wmap_ssl

auxiliary/scanner/http/cert
Checks whether the server certificate is valid and not expired.

auxiliary/scanner/http/ssl
Parses the server SSL certificate to obtain the common name and signature algorithm.

3.1.2 wmap_server

auxiliary/admin/http/tomcat_administration
Detects the Tomcat administration interface.

auxiliary/admin/http/tomcat_utf8_traversal
Tests whether a directory traversal vulnerability is present in Apache Tomcat versions 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16. Furthermore, the server must use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11, or prior to the IBM Java 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases.

auxiliary/scanner/http/drupal_views_user_enum
Exploits an information disclosure vulnerability in the 'Views' module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'.

auxiliary/scanner/http/frontpage_login
Queries the FrontPage Server Extensions and determines whether anonymous access is allowed.

auxiliary/scanner/http/http_version
Displays version information about each system.

auxiliary/scanner/http/open_proxy
Checks whether an HTTP proxy is open. False positives are avoided by verifying the HTTP return code and matching a pattern.

auxiliary/scanner/http/options
Displays the available HTTP options for each system.

auxiliary/scanner/http/robots_txt
Detects robots.txt files and analyzes their content.

auxiliary/scanner/http/scraper
Scrapes defined data from a specific web page based on a regular expression.

auxiliary/scanner/http/svn_scanner
Detects Subversion directories and files and analyzes their content. Only SVN version > 7 is supported.

auxiliary/scanner/http/trace
Checks whether the host is vulnerable to Cross-Site Tracing (XST).

auxiliary/scanner/http/vhost_scanner
Tries to identify unique virtual hosts hosted by the target web server.


auxiliary/scanner/http/webdav_internal_ip
Detects web servers' internal IPs through WebDAV.

auxiliary/scanner/http/webdav_scanner
Detects web servers with WebDAV enabled.

auxiliary/scanner/http/webdav_website_content
Detects web servers disclosing their content through WebDAV.

3.1.3 wmap_dir

auxiliary/scanner/http/brute_dirs
Identifies the existence of interesting directories by brute forcing the name in a given directory path.

auxiliary/scanner/http/dir_listing
Identifies directory listing vulnerabilities in a given directory path.

auxiliary/scanner/http/dir_scanner
Identifies the existence of interesting directories in a given directory path.

auxiliary/scanner/http/dir_webdav_unicode_bypass
Based on the HTTP Directory Scanner module, but where authentication is required it attempts to bypass it using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope.

auxiliary/scanner/http/file_same_name_dir
Identifies the existence of files in a given directory path named the same as the directory.

auxiliary/scanner/http/files_dir
Identifies the existence of interesting files in a given directory path.

auxiliary/scanner/http/http_put
Can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. The module attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope.

auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
Attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope.

auxiliary/scanner/http/prev_dir_same_name_file
Identifies files in the first parent directory with the same name as the given directory path.

auxiliary/scanner/http/soap_xml
Attempts to brute force SOAP/XML requests to uncover hidden methods.

auxiliary/scanner/http/trace_axd
Detects trace.axd files and analyzes their content.

3.1.4 wmap_file

auxiliary/dos/http/apache_range_dos
The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service.

auxiliary/scanner/http/backup_file
Identifies the existence of possible backup copies of a specific file in a given path.

auxiliary/scanner/http/copy_of_file
Identifies the existence of possible copies of a specific file in a given path.

auxiliary/scanner/http/replace_ext
Identifies the existence of additional files by modifying the extension of an existing file.


auxiliary/scanner/http/verb_auth_bypass
Tests for authentication bypass using different HTTP verbs.

3.1.5 wmap_unique_query

auxiliary/scanner/http/blind_sql_query
Identifies the existence of blind SQL injection issues in GET/POST query parameter values.

auxiliary/scanner/http/error_sql_injection
Identifies the existence of error-based SQL injection issues.

auxiliary/scanner/http/http_traversal
Tests whether a web application is vulnerable to directory traversal, with three different actions. The 'CHECK' action (default) is used to find automatically whether directory traversal exists on the web server and then returns the path that triggers the vulnerability.

auxiliary/scanner/http/rails_mass_assignment
Scans Ruby on Rails sites for models with attributes not protected by attr_protected or attr_accessible.

exploit/multi/http/lcms_php_exec
Exploits a vulnerability found in Lotus CMS 3.0's Router() function. This is done by embedding PHP code in the 'page' parameter, which is passed to an eval() call, therefore allowing remote code execution.
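The two SQL injection modules above work on two different signals: error_sql_injection injects a quote and looks for a database error echoed in the response, while blind_sql_query compares the page returned for a true and a false injected condition. The following Ruby code is an added illustration of both checks written for this text; it is not the modules' own code. The "web application" and the "database" in it are toy in-process stand-ins constructed so the example runs offline, and the list of error signatures is the example's own.

```ruby
# Added illustration (not Metasploit code) of the two checks behind wmap's
# error_sql_injection and blind_sql_query modules. The web page and the
# database below are toy in-process stand-ins constructed for this example.

# Constructed sample data standing in for the accounts table.
ACCOUNTS = %w[admin macecek guest].freeze

# The only statement shape the toy engine understands. Anything else, such as
# a statement whose quotes no longer balance, is a syntax error, which is
# what a real engine reports when a quote is injected into the SQL text.
QUERY_SHAPE = /\ASELECT \* FROM accounts WHERE username = '([^']*)'(?: AND '([^']*)'='([^']*)')?\z/

MYSQL_SYNTAX_ERROR = "You have an error in your SQL syntax; check the manual " \
                     "that corresponds to your MySQL server version"

def toy_db_execute(sql)
  m = QUERY_SHAPE.match(sql)
  raise MYSQL_SYNTAX_ERROR unless m
  rows = ACCOUNTS.select { |u| u == m[1] }
  rows = [] if m[2] && m[2] != m[3]   # an injected AND '1'='2' empties the result
  rows
end

# Vulnerable handler: the parameter is concatenated into the SQL text and the
# database error is echoed to the client, so both checks below succeed.
def vulnerable_page(username)
  rows = toy_db_execute("SELECT * FROM accounts WHERE username = '#{username}'")
  rows.empty? ? "<p>No such user</p>" : "<p>Profile of #{rows.first}</p>"
rescue RuntimeError => e
  "<p>Error: #{e.message}</p>"
end

# Hardened handler: stands in for a prepared statement, where the value is
# bound separately and never becomes part of the SQL text.
def hardened_page(username)
  rows = ACCOUNTS.select { |u| u == username }
  rows.empty? ? "<p>No such user</p>" : "<p>Profile of #{rows.first}</p>"
end

# Error signatures of common engines; this list is the example's own.
DB_ERROR_PATTERNS = [
  /You have an error in your SQL syntax/i,               # MySQL
  /Unclosed quotation mark after the character string/i, # MSSQL
  /syntax error at or near/i,                            # PostgreSQL
  /ORA-\d{5}/                                            # Oracle
].freeze

# Error-based check: inject a lone quote and look for a database error.
# `page` is any callable taking the parameter value and returning the body.
def error_based_sqli?(page)
  body = page.call("'")
  DB_ERROR_PATTERNS.any? { |re| re.match?(body) }
end

# Boolean-blind check: a true condition must leave the page unchanged and a
# false one must change it. Input that is bound rather than concatenated
# fails the first clause, because the quote becomes part of the username.
def blind_sqli?(page, base_value)
  baseline   = page.call(base_value)
  true_page  = page.call("#{base_value}' AND '1'='1")
  false_page = page.call("#{base_value}' AND '1'='2")
  baseline == true_page && true_page != false_page
end

if $PROGRAM_NAME == __FILE__
  { "vulnerable" => method(:vulnerable_page), "hardened" => method(:hardened_page) }.each do |name, page|
    puts "#{name}: error-based=#{error_based_sqli?(page)} blind=#{blind_sqli?(page, 'macecek')}"
  end
end
```

Run stand-alone, the script reports both checks as positive for the vulnerable handler and negative for the hardened one. The blind check needs a base value that exists (here macecek, the user created in section 4.1), otherwise the baseline and the false page are identical and the comparison says nothing; this is one reason such scanners need an authenticated crawl with real parameter values rather than empty ones.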

3.1.6 Managing modules

As the help text shows, the Metasploit console interface does not allow the user to enable or disable modules or to change their default order.

    msf > wmap_modules
    [*] Usage: wmap_modules [options]
        -h        Display this help text
        -l        List all wmap enabled modules
        -r        Reload wmap modules


There is only one way to alter the behaviour of Wmap: creating a profile file containing the list of modules to be used for the test. If the user wants the advantages of Wmap's database handling but wants to run only a test scenario targeted at SQL injection, a .txt file with the following content has to be created:

    # This is a comment section - only blind_sql_query and
    # error_sql_injection modules will be launched
    blind_sql_query
    error_sql_injection

After configuring the Wmap targets, the profile is run with

    msf > wmap_run -e /path/to/profile

4 Test Environment

4.1 Mutillidae II

"Mutillidae II is free, open source, deliberately vulnerable web/application target for web-security training."[7] It has over 35 vulnerabilities and contains at least one vulnerability for each of the OWASP Top Ten 2007 and 2010[8]. It provides a safe and legal target for labs, security analysts and vulnerability assessment tools. Three security levels are prepared. By default Mutillidae runs insecure code, but it allows the user to switch easily to the fully secure mode with the "Toggle Security" button. In case of unexpected behavior, the user can remove all persistent changes made to the system by resetting the whole database.

For the purpose of automated testing some changes had to be made. Firstly, a user with the username "macecek" and the password "passwd" was created. This user had access to the system with basic rights. Secondly, it turned out that any web spidering tool scanning the targeted website triggered the functionality of Mutillidae in a disruptive way. The file set-up-database.php had to be removed, otherwise all created users were deleted. The functions toggle security and enforce SSL in the file function-control.php also had to be disabled; otherwise the security level would have been raised to level 1 (partially secured) and SSL would have been enforced. This was done by altering the behaviour of the two switch cases "toggle-enforce-ssl" and "toggle-security" in the file process-commands.php as follows.

    case "toggle-enforce-ssl":
        // always leave SSL enforcement off, whatever the request asked for
        $_SESSION["EnforceSSL"] = "False";
        $lhintsPopUpNotificationCode = "SSLO1";
        header("Location: ".$_SERVER['SCRIPT_NAME'].
            '?popUpNotificationCode='.$lhintsPopUpNotificationCode.
            '&'.str_ireplace('do=toggle-enforce-ssl&', '', $_SERVER['QUERY_STRING']),
            true, 302);
        exit();
    break; //case "toggle-enforce-ssl"

    case "toggle-security":
        // always force security level 0 (insecure) instead of toggling it
        $lSecurityLevel = '0';
        $_SESSION["showhints"] = 1;
        $_SESSION["hints-enabled"] = "Enabled (1 - 5cr1pt K1dd1e))";
        setcookie("showhints", "1");
        $CustomErrorHandler->setSecurityLevel($lSecurityLevel);
        $LogHandler->setSecurityLevel($lSecurityLevel);
        $BubbleHintHandler->setSecurityLevel($lSecurityLevel);
        $MySQLHandler->setSecurityLevel($lSecurityLevel);
        $SQLQueryHandler->setSecurityLevel($lSecurityLevel);
        $RemoteFileHandler->setSecurityLevel($lSecurityLevel);
        $RequiredSoftwareHandler->setSecurityLevel($lSecurityLevel);
        $lhintsPopUpNotificationCode = "SL0";
        header("Location: ".$_SERVER['SCRIPT_NAME'].
            '?popUpNotificationCode='.$lhintsPopUpNotificationCode.
            '&'.str_ireplace('do=toggle-security&', '', $_SERVER['QUERY_STRING']),
            true, 302);
        exit();
    break; //case "toggle-security"

4.2 LimeSurvey

LimeSurvey is a free and open source on-line survey application written in PHP[9]. It uses a MySQL, PostgreSQL or MSSQL database and is distributed under the GNU General Public License. To enable its functionality, a user with administrator rights was created. Under this user one public survey containing 10 questions with different answer fields was created.

4.3 OwnCloud

OwnCloud is an open source, self-hosted file sync and share application platform[10]. It allows the user to share one or more files and folders on a computer and synchronize them with the ownCloud server. Files can be placed into shared directories, and those files are synchronized to the server and to other devices using the ownCloud Desktop Sync Client, Android app, or iOS app. Three different users were created, each with 10 uploaded files.


5 Use of the Metasploit

5.1 Mapping the Application

The first step in attacking an application is gathering and examining key information about it to gain a better understanding. There are several tools for performing automated web spidering and storing the gathered information in the central database. The first one is auxiliary/scanner/http/crawler, the second one is auxiliary/crawler/msfcrawler. The structure created by auxiliary/crawler/msfcrawler cannot later be used as a target for Wmap, which is a big disadvantage. A third option is to use the db_import command to import scan results from other tools such as Burp and AppScan. The last option is to use any module from auxiliary/scanner/http/. These modules add a site to the database which can later be targeted by Wmap; however, they store only the root path of the website. This section demonstrates the use of auxiliary/scanner/http/crawler. Since Metasploit Framework stores data in the current workspace, I would recommend creating a new one for each individual project. It allows better data handling with the database back-end commands[11].

    msfconsole
Starts the Metasploit console.

    msf > db_status
Checks the status of the connected database. If no database is connected, quit msfconsole and start the postgresql service.

    msf > workspace
Displays the available workspaces. The currently selected workspace is marked with *.

    msf > workspace -a mutillidae
Creates a workspace called mutillidae and automatically selects it.

    msf > use auxiliary/scanner/http/crawler
Selects the HTTP crawler.

    msf auxiliary(crawler) > show options
Displays the list of options. For the purpose of this thesis I decided to use the following settings:

    msf auxiliary(crawler) > set MAX_PAGES 500
Mutillidae has about 550 pages. Beyond that, the crawler started to explore /mutillidae/phpmyadmin, which is the administrative back end of this application and therefore did not need to be included completely in the test. Nevertheless, this module is capable of going through approximately 4500 pages in 5 minutes.

    msf auxiliary(crawler) > set USERNAME macecek
    msf auxiliary(crawler) > set PASSWORD passwd
Sets the credentials of the authenticated user.

    msf auxiliary(crawler) > set RHOST 127.1.1.1
    msf auxiliary(crawler) > set URI /mutillidae/
Sets the target host and URI.

    msf auxiliary(crawler) > run
Runs the crawler.

It should be noted that this kind of fully automated approach often misses important parts of the web application. These tools cannot handle dynamically created menus or links hidden in Java or Flash applets, and the basic, time-saving probes that crawlers use do not get past well-implemented user input validation.

5.2 Discovering Vulnerabilities

After mapping the application, all data created by the crawler remain available in the database. For fast discovery of potential vulnerabilities we use the wmap plugin. Enter:

    msf auxiliary(crawler) > load wmap
Loads the wmap plugin.

    msf auxiliary(crawler) > wmap_sites -l
Displays the list of available sites.

    msf auxiliary(crawler) > wmap_sites -s [target_id]
Displays the web application structure.

    msf auxiliary(crawler) > wmap_targets -t 127.1.1.1,http://127.1.1.1/mutillidae/
Selects 127.1.1.1 as the target (the argument is a vhost,url pair).

    msf auxiliary(crawler) > wmap_run -e
Runs all enabled Wmap modules against the target.

    msf auxiliary(crawler) > wmap_vulns -l
Displays the results.

5.3 Analyzing the Results

5.3.1 Mutillidae II Results

Metasploit Framework should display the found vulnerabilities with the vulns command. In this case the list is empty. The wmap_vulns -l command provides more information. As can be seen in appendix A, most of the log is filled with information about found files and directories. Some of them contain application path disclosure, comments with sensitive data, information disclosure in HTML comments and platform path disclosure. SQL injection was reported in three different files. Those results showed an error message caused by the newer version of the MySQL database; nevertheless, the vulnerability was present. If every vulnerability present is counted once, the log file contained 5 out of 54, a success rate of 9.2%. If every vulnerability present is counted by its number of occurrences, the log file contained 5 out of 716, a success rate of 0.7%.

Table 5.1: Wmap results (PRESENT = occurrences in Mutillidae II, FOUND = occurrences reported by Wmap)

VULNERABILITY                                 PRESENT  FOUND
Application Exception                               1      0
Application log injection                           9      0
Application path disclosure                         2      1
Authentication Bypass via SQL injection             2      0
Brute force secret admin pages                      1      0
                                                    1      0
Cascading style sheet injection                     1      0
CBC bit flipping (latest)                           1      0
Clickjacking                                        3      0
Client-side Security                                1      0
Comments with sensitive data                       57      2
Content type is not specified                      57      0
Cookie scoped to parent domain                     57      0
Credit card numbers disclosed                      57      0
Cross Site Request Forgery                          2      0
Denial of Service                                   1      0
Directory Browsing                                  1      0
DOM injection                                       1      0
Forms caching                                       1      0
Frame source injection                              1      0
HTML injection                                     18      0
HTTP Parameter Pollution                            1      0
Information disclosure (HTML comments)             57      2
Insecure Cookies                                   57      0
JavaScript Injection                                1      0
JavaScript validation bypass                        6      0
JSON injection                                      2      0
Loading of any arbitrary file                       1      0
Local File Inclusion                                1      0
Log injection                                       1      0
Method Tampering                                    8      0
O/S Command injection                               1      0
Parameter addition                                  1      0
Password field submitted by GET method              1      0
Path Relative Stylesheet Injection                  1      0
PHPMyAdmin Console                                  1      0
PHP server configuration disclosure                 1      0
Phishing                                            1      0
Platform path disclosure                            2      1
Privilege Escalation via Cookie Injection          57      0
Reflected Cross Site Scripting                      2      0
Remote File Inclusion                               1      0
robots.txt information disclosure                   2      0
Stored Cross Site Scripting                         1      0
SSL Stripping                                      57      0
SQL Injection                                      57      3
XML Entity Expansion                                1      0
XML Injection                                       1      0
XML External Entity Injection                       1      0
XPath Injection                                     1      0
Unencrypted database credentials                   57      0
Unrestricted File Upload                           57      0
Username enumeration                                2      0
Unvalidated Redirects and Forwards                  2      0

5.3.2 LimeSurvey Results

The log file contains only a list of found files and directories, with one exception: a blind SQL injection reported on the page /limesurvey/index.php/surveys/publiclist, which I was not able to verify.

5.3.3 OwnCloud Results

The log file contains only a list of found files and directories. The number of vulnerabilities present is not known, and none were found.


6 Test Automation

Metasploit Framework supports automation at multiple levels; the six most common methods are described below[12].

6.1 Resource Scripts

These scripts contain a set of console commands. In addition to basic console commands, these scripts are also treated as ERB templates, which is a way to embed Ruby code directly into a document. This allows the user to call APIs that are not exposed via console commands. Resource scripts can be specified with the -r option of the Metasploit console, and ~/.msf4/msfconsole.rc is automatically executed on startup if it exists. Resource scripts can also be executed from the console prompt through the resource command.

6.2 Plugins

Plugins add new console commands that provide a utility or automation function. The flexibility of the Ruby language allows plugins to perform many different functions, from exposing new automation capabilities to providing socket-level content filtering to avoid tripping a remote IDS. Direct integration with Nexpose, Nessus, and OpenVAS from the console is accomplished through plugins. Plugins are the suggested way to develop new console commands and share them with the wider community.

6.3 Auxiliary Module Custom Commands

Auxiliary modules are defined as any Metasploit module that performs a remote operation but does not take an actual payload like an exploit. Auxiliary modules handle things like reconnaissance, authentication bypass, network sniffing, and vulnerability discovery. One little-used feature of auxiliary modules is the ability to define new console commands from within the module context.

6.4 Custom Auxiliary Modules

Although the modules that run other modules are not accepted into the Metasploit Framework, they are trivial to create as custom modules and allow for any form of automation, exposed through any supported user interface.

6.5 Metasploit Remote API

Metasploit Framework supports automation using a documented remote API. On the framework side, this exposes a wide range of functionality at the lowest level, allowing the caller to run modules, interact with sessions, and generally access the back end of the Metasploit instance.

6.6 Ruby Programming

Metasploit Framework is a development environment more than it is a standalone product. The APIs offered make it easy to embed a copy of the framework into another tool, parse the module database looking for a specific set of criteria, or even repurpose the existing network APIs to build something new. Each of the previous methods makes it easy to load custom Ruby code and leverage that code in a useful way.

7 Creating Resource Script

As mentioned in section 6.1, a resource script is basically a list of console commands. Unfortunately it does not allow database handling as Wmap does. However, we can use a profile file to enable the most important modules and launch the test with a resource file as follows.

Create the profile file profile.txt:

    #
    # WMAP Sample Profile
    # wmap_run -e /path/to/profile
    #
    brute_dirs
    dir_listing
    dir_scanner
    files_dir
    error_sql_injection
    blind_sql_query

Create the resource script resource.rc:

    use auxiliary/scanner/http/crawler
    set USERNAME limeuser
    set PASSWORD limeuser
    set RHOST 127.1.1.1
    set URI /limesurvey/
    run
    load wmap
    wmap_targets -t 127.1.1.1,http://127.1.1.1/limesurvey/
    wmap_run -e /path/to/profile.txt
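A mistyped module name in a profile (the original draft of the profile above carried Dir_scanner with a capital letter) is only noticed once wmap_run has started, and a wrong host or URI in the resource script is noticed only after the crawl. The following Ruby script is an added helper written for this text, not part of the thesis or of Metasploit: it parses a profile in the format of section 3.1.6, checks every name against the module list of section 3.1, and renders the resource script of this chapter for a given target. It assumes that Wmap module names are always lowercase, so names are normalised before the comparison; the sample profile embedded in it is constructed and contains one deliberate typo.

```ruby
# Added helper for the profile and resource-script workflow of sections 3.1.6
# and 7. It is this page's example, not part of the thesis or of Metasploit.
# Assumption: Wmap module names are always lowercase, so names are normalised
# before comparison (a "Dir_scanner" in a profile is caught this way).

# Names of the modules listed in section 3.1, without the auxiliary/... prefix.
WMAP_MODULES = %w[
  cert ssl
  tomcat_administration tomcat_utf8_traversal drupal_views_user_enum
  frontpage_login http_version open_proxy options robots_txt scraper
  svn_scanner trace vhost_scanner webdav_internal_ip webdav_scanner
  webdav_website_content
  brute_dirs dir_listing dir_scanner dir_webdav_unicode_bypass
  file_same_name_dir files_dir http_put ms09_020_webdav_unicode_bypass
  prev_dir_same_name_file soap_xml trace_axd
  apache_range_dos backup_file copy_of_file replace_ext verb_auth_bypass
  blind_sql_query error_sql_injection http_traversal rails_mass_assignment
  lcms_php_exec
].freeze

# Profile format from section 3.1.6: one module name per line, '#' starts a
# comment that runs to the end of the line, blank lines are ignored.
def parse_profile(text)
  text.each_line.map { |line| line.sub(/#.*/, '').strip.downcase }.reject(&:empty?)
end

# Splits parsed names into [known, unknown] against the section 3.1 list.
def validate_profile(names)
  names.partition { |name| WMAP_MODULES.include?(name) }
end

# Renders the chapter 7 resource script. wmap_targets takes a "vhost,url" pair.
def resource_script(host:, uri:, user:, password:, profile_path:)
  <<~RC
    use auxiliary/scanner/http/crawler
    set USERNAME #{user}
    set PASSWORD #{password}
    set RHOST #{host}
    set URI #{uri}
    run
    load wmap
    wmap_targets -t #{host},http://#{host}#{uri}
    wmap_run -e #{profile_path}
  RC
end

# Constructed sample profile: the chapter 7 module set plus one mistyped name.
SAMPLE_PROFILE = <<~PROFILE
  #
  # WMAP Sample Profile
  #
  brute_dirs
  dir_listing
  Dir_scanner
  files_dir
  error_sql_injection
  blind_sql_query
  blind_sqli_query   # typo: not a Wmap module
PROFILE

if $PROGRAM_NAME == __FILE__
  known, unknown = validate_profile(parse_profile(SAMPLE_PROFILE))
  puts "enabled modules: #{known.join(' ')}"
  warn "unknown module name(s) in profile: #{unknown.join(' ')}" unless unknown.empty?
  puts resource_script(host: '127.1.1.1', uri: '/limesurvey/', user: 'limeuser',
                       password: 'limeuser', profile_path: '/path/to/profile.txt')
end
```

Run on the sample, the script reports blind_sqli_query as unknown and prints the resource script for the LimeSurvey target; writing its output to profile.txt and resource.rc and starting the console with msfconsole -r resource.rc gives the run described in this chapter. The check against the section 3.1 list is the part worth keeping in a development pipeline, because a profile that enables nothing still produces a log of found files and directories and looks like a successful run.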


8 Conclusion

As a result of this thesis, I cannot recommend Metasploit as a regular testing tool in the development cycle of a web application. The most extensive and commonly used plugin, Wmap, is highly unreliable. It provides good functionality because of its data handling, its cooperation with the crawler and the possibility of managing modules with profile files. However, the test result on Mutillidae II was poor: of 54 different vulnerabilities it discovered only 5. Creating personalized test sets is more problematic than it looks. The most viable way is to use a resource script, although it has no database functionality. It would be possible to write the data handling mechanism in Ruby, but that would basically mean rewriting the Wmap mechanism. Since Wmap already uses about 39 of the most widely targeted modules, it could be a waste of resources. Since Metasploit Framework is free of charge, I would recommend running a full-scale test on the targeted application occasionally. It can sometimes discover a vulnerability, but it is not authoritative. It would be interesting to see how Metasploit Pro with its integrated web application scanner performs.


Bibliography

[1] 2016. URL: https://www.metasploit.com/.
[2] OWASP Mutillidae II. 2016. URL: https://sourceforge.net/projects/mutillidae/.
[3] Blgtechn.blogspot.cz. Metasploit - blogger technology. 2012. URL: http://blgtechn.blogspot.cz/2012/08/metasploit.html.
[4] 1st ed. Rapid7, 2012. URL: http://www.nothink.org/metasploit/documentation/MSF_UserGuide_4.2.0.pdf.
[5] Efrain Torres. lattera/metasploit. 2016. URL: https://github.com/lattera/metasploit/blob/master/documentation/wmap.txt.
[6] Tod Beardsley. rapid7/metasploit-framework. 2013. URL: https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking.
[7] Jeremy Druin. 1st ed. 2013. URL: http://www.giac.org/paper/gwapt/3387/introduction-owasp-mutillidae-ii-web-pen-test-training-environment/126917.
[8] 2016. URL: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
[9] Carsten Schmitz. LimeSurvey - the most popular FOSS survey tool on the web. 2016. URL: https://www.limesurvey.org/.
[10] 2016. URL: https://owncloud.org/.
[11] Sumedt Jitpukdebodin. 1st ed. 2012. URL: https://dl.packetstormsecurity.net/papers/attack/hack-websites-with-metasploit.pdf.
[12] 2016. URL: https://community.rapid7.com/community/metasploit/blog/2011/12/08/six-ways-to-automate-metasploit.


A An appendix

result_mutillidae.txt - log from running the test on Mutillidae II
result_limesurve.txt - log from running the test on LimeSurvey
result_owncloud.txt - log from running the test on OwnCloud
