Vulnerability Scanning with Metasploit: Part II

December 19, 2013 by

In the previous article, we learned how to perform a network vulnerability assessment by using the OpenVAS plug-in. In this continuation, we will see how to perform a web application vulnerability assessment by using the wmap plug-in.

WMAP is a feature-rich web vulnerability scanner that was originally created from a tool named SQLMap. This tool is integrated with Metasploit and allows us to conduct webapp scanning from within the framework.

Launch msfconsole and type in load wmap.

It will load and open the wmap plug-in from its database. Now type in help and it will show all usage commands for wmap.

As can be seen in the above figure, the wmap_sites command is used for managing sites, so we are going to use this command. Type in wmap_sites -h and it will show all usage options for managing sites.

In the above figure, we can see that the -a option is for adding a site. So let us add a site by using this option. Type in wmap_sites -a <target>. Here we hosted a web application on our local machine. That's why our target IP is a local IP address: wmap_sites -a

Once the site is created, we can check our added sites by typing wmap_sites -l and it will list all of them.

Our site is added; now we will add the target. First type in the wmap_targets -h command for listing all wmap_targets usage options.

As we can see in the usage options, we can add our target by using one of two options. One is -t, for which we have to provide the target URL. If we use -d, we have to give the target site ID. Here we will use the -d option, so our command is wmap_targets -d 0

After adding the target ID, we can see that it loaded the target address. Now we can check the list to see if our target is added or not; type in wmap_targets -l

Now everything is ready; the target is successfully added and we can run our wmap for scanning the web applications. The scanning command is wmap_run but, before running this command, check all the usage options. Type in wmap_run -h

As we can see in the usage options, -t is for showing all enabled modules, which are the ones used for scanning. So type in wmap_run -t

After triggering this command, it will show all the various testing modules.

Now type in wmap_run -e and it will start scanning with all enabled modules.

It will take some time, depending on how big the application is. After completion of scanning, it will look like this.

Now we can check all vulnerabilities by typing vulns.

We can see in the above figure that the TRACE method was detected as enabled on the application, and the vulnerability references (CVE ID, OSVDB, BID, etc.) are shown.
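
To confirm the TRACE finding independently of wmap, and to re-test once the method has been disabled on the server, a small check like the following can be used. It is an added example, not part of the original article or of Metasploit; the X-Trace-Probe header name and the two loopback test servers are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = "X-Trace-Probe"  # hypothetical header name, used only by this check

def trace_enabled(host, port, timeout=5.0):
    """True if the server answers TRACE with 200 and echoes our header back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={PROBE_HEADER: "wmap-followup"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        # A genuine TRACE reply is a 200 whose body is the request as received.
        return resp.status == 200 and PROBE_HEADER.lower() in body.lower()
    finally:
        conn.close()

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

class TraceOn(Quiet):
    """Constructed stand-in for a server with TRACE left enabled."""
    def do_TRACE(self):
        echoed = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

class TraceOff(Quiet):
    """Constructed stand-in for the same server after TRACE is refused."""
    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

def check_local(handler):
    """Serve `handler` on an ephemeral loopback port and probe it once."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return trace_enabled("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("TRACE enabled:", check_local(TraceOn), "| after fix:", check_local(TraceOff))
```

Against your own application, call trace_enabled() with its host and port before and after the configuration change; the result should go from True to False.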


Warlock works as an Information Security Professional. He has quite a few global certifications to his name, such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations, helping them strengthen the security of their applications and infrastructure.