So thank you very much for coming and not leaving; that means that whatever you want. Okay, this is a turbo talk. It's not gonna be a one-hour long presentation. I think someone screwed up in the schedule; I didn't receive a check. So it is what it is.

First of all, there is no agenda in this presentation. No crap about "we are gonna see this" and stuff like that. No Sun Tzu Art of War stuff in this presentation either. I'm trying to make this campaign of no more free Art of War stuff in security presentations. It applies to everything. So come on, give us a break. No more free campaigns. See the dollar sign at the end. I know that we have to pay bills, but come on, man, give stuff for free. All right.

No history of web scanners and no drama, but I think we saw a little bit in the beginning of the presentation. I'm sorry for that. It's not my fault.

My name is Efrain Torres. Kind of 10 years enjoying IT security. I'm not going to say that I'm a pro; I think that's too high. I'm a proud member of the Metasploit team. This is my address. And also a proud member of the country of Colombia. So how many Colombians are here? All right, one, two, three, and that's it. All right, man, thank you very much. By the way, please visit Colombia. Don't watch CNN. Go there. I'm evidence that if you go there, you will not be kidnapped. Well, not for now.

Okay, the intro. This thing is about web assessment as Metasploit modules. We're gonna run the modules by hand or automated. It's still in early stages, due to the crisis. I had to work; I have to work a lot, so my free time is getting smaller. And HD Moore, at the SecTor conference in 2008, said: well, expect a big announcement soon. This is it. When I got a hold of this I was like shaking; now I'm shaking less.

All right. So why did I do WMAP? First of all, I struggle with the damn tools that you see nowadays. Let's say that I hate the commercial tools.
Sorry, guys, if you are from WebInspect or one of those. Sorry, I don't like it. First of all, you are finding vulnerabilities while browsing an application. That's an easy way to get detected and make mistakes. I prefer to just crawl as a normal user, then wait for a couple of days, then just attack, okay? And then I can have my data and keep playing with it, and I don't have to deal with all the bullshit with the graphical user interface. Sorry for the word, but it is what it is, right?

I also hate that it can only be run on Windows. I needed something that I can run everywhere, and I don't want to be tied to a specific browser, also specifically to the Internet Explorer control. Sometimes you have to check some websites that have, like, bad malware, and well, if you use one of those tools you will get owned. And it hurts.

Second motivation: too much focus on whistles and bells. No more bullshit regarding vulnerability classification and hard-coded risk. I'm tired of seeing that an issue is high, an issue is low, an issue is a medium. What the fuck does that mean, man? What the hell, man? And then you go to the client and the client says, well, what is a low? And then you are like, well, low is... low is low, right? But the truth is that sometimes a high is just a low, and a couple of lows can get you high. What is the real impact? That's why we're playing with Metasploit. This is just a plugin, so we can jump from the testing part directly to the exploitation methods, okay?

How is everything working today? So I said, like, let's do something really cool. That's the damn graphic that I made. So when you play with these tools, with the commercial tools (I like the commercial tools, it's just that I see that they can do better, okay), now it's like playing with Lemmings. You just see that the packets, the requests, are just going through it and they just fall and nothing happens. I cannot take those results and feed them back to the engine.
It's a pain in the back. The proxy is kind of like on the side; it's like the ugly child of the family. No, it's one additional tool, and they say it is free, so yes, you can use it sometimes. But what is the good way to do it? Well, let's go back to basics: the proxy, the man-in-the-middle proxy. There are tons of proxies out there: Fiddler, Burp, Paros, etc. Man, these are awesome, awesome, awesome tools that actually do a much, much better job than the one above, okay?

Okay, what is the objective of WMAP? Being a simple tool, command line based, a way to connect testing methods with exploitation methods. You can use it as a scanner, but it's just an extension of the Metasploit Framework. And again, something easy to extend and modify. I didn't like the APIs to adjust or add new extensions to some of the frameworks out there, so it takes forever to build something. We just need something easy, okay? Actually, we have to do a campaign like no more difficult tools or no more complex tools. Let's go back to basics, dudes, right?

Note: not "no more web assessment tools". The more web assessment tools, the better. For example, w3af is awesome; that's Andrés Riancho, if he's over there, or the people that contribute, thank you very much. sqlmap is awesome; Bernardo Damele, if he's over there, or some of the people that work on the project are around here, thank you again too. And each tool has its own limitations. Choose the damn tool you like; it's just a tool. A poor workman blames his tools. I don't know who said that, but I just copy and pasted it. By the way, I left a blank field at the bottom so you can write there whatever you use. Okay, I'm not saying that WMAP is the shit, okay? We are just starting, and even if I finish with WMAP, there are still good tools out there. So just put whatever you want there.

What is the design? The design is awesome.
What I did is just decouple everything, just separating every single thing that is out there, so I can have multiple spiders or clients or devices that connect to the proxy. The proxy is just going to store every single request in the Metasploit database, and then from the Metasploit database WMAP, that is the plugin, will take that information. It will create a tree of the website and will start launching all the auxiliary modules one by one in the order that makes sense. That's it. Actually, that's the way that the other tools do it, but this is simple, so why do we have to pay that much? Okay, and then we just launch the test at the target and we can take the results, because we own those results, and we can do whatever we want, like put it again into the database, or if you have something additional to do, just throw it through the proxy and then you can test it again. Easy.

The proxy. The proxy only stores requests in the database. Initially, when I started WMAP, I did a small plugin for Fiddler. Fiddler is made by Eric Lawrence from Microsoft. I haven't released the plugin because it's ugly, so it still needs some improvement on the GUI, because it's Windows. The patch that I use right now is a patch for ratproxy from lcamtuf, and also, thank you to spinbad, who has made some additional plugins for Burp proxy. Okay, but if you have anything that can take the requests and store them in the database, do it, man.

This is the schema that you can use to store everything. It's very simple: the host, the port, what else? Just that I don't see very well from over here; that's why I use glasses. So I have to check this. Okay, so we have the path, we have the headers, the query, the body, the response headers, the response code, and the actual response, and when it was created. That's it.
If you can put it in that format, you're good to go. Well, this is a small list of the auxiliary modules that are located right now in the Metasploit Framework. Again, like I told you earlier, this is in early stages, but if you see the plugins that are here, the modules, they have the basic functionality that you need to have, like a good understanding of your target, and also you can use them, modify them a little bit, and create new tests without any problem. So please go to this directory, take one module, just check it out. It's very simple to understand. And all thanks to HD, okay? It's not me; I'm just reusing his work.

Let's start with some explanation of some types of modules, because I think the most important parts are the actual modules, not the actual plugin. The plugin, again, just runs all of them in a certain order. And this is just one basic example of how to run a specific WMAP module: just use it as any other module in the framework. You set the specific variables for the module, the target; remember that each module can be used as a scanner, you can put a range over there; and we define the port. In this case, we are going to use the WMAP SSL module, so I'm going to say that we are going to use SSL, and let's run it. In this specific example, what I want to mention is what it does: it's going to query a bunch of certificates and just show me the information from them. It's a very good way to see the virtual hosts. So if you have a bunch of IP addresses, which usually happens on a pentest, and you find those weird websites where you say, okay, the web page doesn't show, what is the virtual host of this? This is a good plugin to use. Okay, a good module.

The other thing, for this example: I used, well, here.
It says that it's like some xyz demo.com company, but in reality it is one of those banks in America. So what I did is I ran it through a couple of IP addresses and just checked the information that it returns. It returns stuff like: they're running JBoss and WebSphere. So it's good, good information to have. This is only the start, for information gathering.

In this case, I'm gonna show you the way that another module works, that is the way that we detect directories on a web server. Usually what happens is that the tools that you have out there only check for the return code. That sucks, man, because nowadays they have their own error pages. Well, thanks to HD and my work, we were able to create a small module that has signatures to check the error page. So whatever code it returns, it will really detect if the directory exists or not.

The second important part of WMAP is the data storage and reporting. I think the most important part is that, with the data, we were used to only working with the data in the way that the developers were supposed to give us access to. In this case, you can store anything you want and put any name on it. That means that if in the future there is someone that devises a new attack technique or a new vulnerability and it requires a specific cool name, then you can put it over there and have that information stored in a tree that you can later reuse for analysis. Like, for example, let's check a little bit about this code. The only thing that it has to do, in the first part, is to find the report ID, based on the host, the port number, and whether it uses SSL or not. And then, with that report ID, you will be storing all the information that you want, in the format that you see displayed, which is basically type, description. That's it.
Let's talk now about the WMAP plugin. Basically what it does is identify possible targets from the database, where all the requests are stored. We build a target website data structure and we run the modules in a specific order. Reporting, we already talked about it. And if you see at the bottom of the presentation, those are the initial commands to run WMAP. One thing: if we don't have time to run the demo, then the only thing that you have to do is to load db_wmap, and then you just say wmap_targets to select and wmap_run, and that's it. Okay, there is nothing to select, which plugins do you want to use; you can do it in other different ways, but it's very easy to use. That's what I wanted to do.

So how does WMAP work? Basically, we have a specific mixin where you can define specific types of modules. So we have these types of modules, and what it does is: I take the module, I put the type, WMAP detects what the type is, and it will launch it at the right time. For example, the first thing that it will do when I run something is that it will run every single module that is defined as a WMAP scan server, okay? Then it will try to scan every single module.
It will run every single module that is for files or directories; actually they run kind of at the same time. Then modules that require to execute at every single query. And you see that I have something different that is called unique query, because what it does is create a signature of the query that you have, a GET request or a POST request, and I don't want to run it every time only because the values change; I only need to run it once, because I see the same parameters all over again. So I can do that just with the WMAP scan unique query. Then also I have something to scan the body, or to work with the body of the request, the headers, and something called generic that is always run at the end. So this is where we can analyze all the information that has been retrieved, take that information and put it back into the database, or feed it back to the proxy.

Okay, one basic example is the WMAP generic email extract. This is the only type of module in the framework that you cannot run interactively or through the command line, because the only input that it takes is the database, and this just extracts all the emails, only the email addresses, so you can take them and use some social engineering with the emailer, using the tools that jabra has helped me develop for the framework.

Okay, so how to build a WMAP module? Just take a Metasploit module. It doesn't have to be an auxiliary module; it can be any module, not only HTTP. Just include the mixin type, and that's it. So if you see there, you just put the type that you need, take this one, run it. Easy, right?

Okay, what is the demo? We only have five minutes. Okay, so what I did is I took a specific IP address on the internet and I did a small video, but I think you guys deserve respect.
So I did something like a real website on the internet, not something that I crafted here, because that's kind of cheesy. And let's see how it goes. Full screen, there it goes. All right.

So what are we doing right now? We are loading the plugin, we connect to the database, I'm showing the commands that it has available. We're gonna define the targets. So the first thing is we are going to reload them from the database. That's it, only one. Sorry to the guy from the IP; I'm only browsing his web page. Okay, so no attacks were performed. And then I just print the available targets, and I'm going to select the first one. Actually, I selected first before printing, but it works the same. And what I'm going to do right now is set the variables that usually are required by the modules; again, by the modules, not by the WMAP plugin. So these are the modules that are available. You can enable and disable them through a profile too, so check the documentation of WMAP.

And now what I'm going to do is look at the website structure. This is the most important part. If you guys do web app assessments, you will see that the structure is where the gold always is. Then again, like I said, you set different variables; in this case I'm setting the extensions that I need to play with. Then at that time I received a call from my wife, and then I had to stop a little bit. I kept going. By the way, I'm gonna be at that, so thank you very much. I set the virtual host. That's the other cool thing: some of the tools don't allow you to play with the virtual host, so you have a lot of range here to play with. I'm checking the domain for some of the plugins that, for example, perform brute forcing to identify additional virtual hosts. Then I receive another call from my wife. Yeah. And there he goes. Now I'm going to type wmap_run, the help. Come on, man.
And there it goes, all right. And then the module stops, and there it goes. So basically it's gonna start running all the crap. That's it. It's easy, simple. That's it, man. We are not training flying brains here, okay? That's why I think that's the type of tools that we require. And I'm going to stop the demo here, okay, because the time is over. So thank you very much, man.
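As an added example (my own Ruby sketch, Ruby being the framework's language; this is not WMAP's or Metasploit's own code), the following models the pieces the talk describes: the stored-request schema, the unique-query signature that keys on parameter names rather than values, the report ID keyed on host, port and SSL, the website tree, and the launch order of the module types. The host, paths and module names are constructed.

```ruby
require 'digest'
require 'uri'
# One stored request, following the proxy schema from the talk (response fields omitted).
Request = Struct.new(:host, :port, :ssl, :method, :path, :query, :body)

# Module types in the order WMAP launches them: server first, generic last.
MODULE_ORDER = %i[server dir file query unique_query body headers generic].freeze

# Signature of a request: method, path and the sorted parameter *names* only.
# Values are dropped, so /index.php?id=1 and /index.php?id=2 collapse into one
# test, while /index.php?page=about is a different signature.
def unique_query_signature(req)
  src = req.method == 'POST' ? req.body : req.query
  names = URI.decode_www_form(src.to_s).map(&:first).sort
  Digest::SHA1.hexdigest("#{req.method} #{req.path} #{names.join('&')}")
end

# The requests the unique-query modules actually need to be run against.
def unique_queries(requests)
  requests.uniq { |r| unique_query_signature(r) }
end

# Report ID keyed on host, port and SSL, as described for the reporting part.
def report_id(req)
  "#{req.ssl ? 'https' : 'http'}://#{req.host}:#{req.port}"
end

# The website tree WMAP builds from stored paths: nested hashes of path segments.
def website_tree(requests)
  requests.each_with_object({}) do |r, tree|
    node = tree
    r.path.split('/').reject(&:empty?).each { |seg| node = (node[seg] ||= {}) }
  end
end
# Sort modules by their WMAP type so each launches at the right stage.
def run_order(modules)
  modules.sort_by { |m| MODULE_ORDER.index(m[:type]) }.map { |m| m[:name] }
end

# Constructed sample data: hypothetical host and module names, not real targets.
SAMPLE_REQUESTS = [
  Request.new('www.example.com', 80, false, 'GET', '/index.php', 'id=1', nil),
  Request.new('www.example.com', 80, false, 'GET', '/index.php', 'id=2', nil),
  Request.new('www.example.com', 80, false, 'GET', '/index.php', 'page=about', nil),
  Request.new('www.example.com', 80, false, 'POST', '/login.php', nil, 'user=a&pass=b'),
  Request.new('www.example.com', 80, false, 'GET', '/images/logo.png', nil, nil)
].freeze
SAMPLE_MODULES = [{ name: 'email_extract', type: :generic }, { name: 'ssl_info', type: :server },
                  { name: 'param_tester', type: :unique_query }, { name: 'dir_scan', type: :dir }].freeze
```

Of the five stored requests only four distinct query signatures remain, because the two `/index.php?id=` requests differ only in their value.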