Using Metasploit for Web Application Scanning

This guide walks you through using Metasploit to scan and identify vulnerabilities in Metasploitable 2, a purposefully vulnerable virtual machine ideal for security testing. Metasploit enables penetration testers to assess and exploit weaknesses in web applications effectively. By following this guide, you’ll gain foundational skills in using Metasploit’s scanning features to explore vulnerabilities in a controlled environment.

Mahran Al-Zyoud
|
17 steps

Metasploit

Kali

Virtualbox

- **Virtualization Software:** Oracle VirtualBox 7.1.4 - **Host Operating System:** Windows 11 - **Guest Operating System:** Kali Linux - **Tool**: Metasploit - **Last Updated:** November 2024 - **Created by**: Mahran Al-Zyoud. For any improvements, corrections, or suggestions, please feel free to contact me at [mahran.alzyoud@gmail.com](mailto:mahran.alzyoud@gmail.com). Your feedback is appreciated!

**Metasploit** is a widely used open-source framework that provides security professionals with powerful tools for conducting penetration testing and vulnerability assessments. Originally developed by H.D. Moore in 2003 and now maintained by Rapid7, Metasploit includes a vast library of exploits, payloads, and auxiliary modules that allow users to simulate attacks on systems to identify potential vulnerabilities. This tool is particularly valued for its ability to conduct comprehensive security assessments, offering features like automated scanning, payload generation, and a variety of exploitation options across different platforms and environments. One of Metasploit’s core strengths is its flexibility and extensibility; users can create custom exploits and modules to tailor assessments to specific needs. It’s also deeply integrated with other security tools and platforms, such as Nmap for discovery and Meterpreter for post-exploitation activities. Metasploit is popular among ethical hackers and security professionals for its ability to replicate real-world attacks in a controlled environment, helping organizations address vulnerabilities before they are exploited by malicious actors.

Ensure that both Kali Linux and Metasploitable 2 virtual machines are running.

Run **[[sudo service postgresql start]]**[[ ]]to start the PostgreSQL. Run **[[sudo msfdb init]]** to initialize **Metasploit**.

Run **[[msfconsole]]** to access the **Metasploit** framework.

Run **[[load wmap]]** to load the WMAP web vulnerability scanner module within Metasploit.

To set the target machine as Metasploitable 2, execute the following command: **[[wmap_sites -a http://172.17.2.21]]** Note: The IP address of my Metasploitable 2 virtual machine is 172.17.2.21. Please verify yours. Run **[[wmap_sites -l]]** to list the available sites.

We will be targeting the **Mutillidae** web application within the Metasploitable 2 virtual machine. To specify the URL of the targeted web application, execute the following command: **[[wmap_targets -t http://172.17.2.21/mutillidae]]** Note: The IP address of my Metasploitable 2 virtual machine is 172.17.2.21. Please verify yours. Run **[[wmap_targets -l]]** to see all individual URLs within the registered sites that are queued for scanning.

To automatically load various web scanning modules from Metasploit, run the following command: **[[wmap_run -t]]** This prepares the selected modules to be ready for scanning, but it doesn’t actually start the scan itself.

Once the web scanning modules have been loaded, use the following command to perform web security testing on the target web application: **[[wmap_run -e]]** This will execute the loaded modules. After using **[[-t]]** to load the modules, running **[[wmap_run -e]]** initiates the actual scan by executing the modules against the specified targets.

Run **[[wmap_vulns -l]]** to list all identified vulnerabilities from scans performed on web application targets. This provides a report of vulnerabilities detected on the scanned targets, helping users quickly review security issues identified during web application assessments.

Use the **[[vulns]]** command to see the overall results of the security assessment from WMAP. If Metasploit is able to identify vulnerabilities based on their CVE IDs, it will be\ shown with the vulns command.