WMAP — Web Vulnerability Scanning in Metasploit

Alright, time for some web hacking nostalgia with WMAP, the OG web vulnerability scanner baked into Metasploit. Before fancy tools like Burp or Nessus got all the hype, WMAP was lurking in MSF, ready to map and poke your web apps for holes.

WTF is WMAP?

WMAP is Metasploit’s built-in web application assessment tool. It:

  • Crawls web applications
  • Scans for common web vulnerabilities
  • Integrates results directly into your Metasploit database
  • Helps you pivot straight into exploiting stuff you discover

Think of it as a primitive web scanner — not as feature-rich as Burp Suite, but useful if you’re already rolling in MSF.


How to Use WMAP — Full Pipeline

Here’s how to run WMAP from start to finish, with all the MSF commands you’d want for a Windows or Linux target.


1. Fire Up Metasploit

If you haven’t already:

msfconsole

2. Load WMAP

In the console, load the WMAP plugin:

load wmap

If it loads successfully, you’ll see:

[*] Successfully loaded plugin: wmap

3. Check the Database

WMAP works best if you’re logging data into MSF’s database.

Check the connection:

db_status

If it says “connected,” you’re good. Otherwise, create a workspace:

workspace -a mywebscan

4. Add Your Target

Register your target web server URL as a site in WMAP:

wmap_sites -a http://10.10.10.20

Or HTTPS:

wmap_sites -a https://10.10.10.20

Then mark the site as a target:

wmap_targets -t http://10.10.10.20

List targets to confirm:

wmap_targets -l

5. Preview the Modules

Before scanning for vulns, have WMAP show which modules it will run against your targets.

List them:

wmap_run -t

This shows the enabled modules without launching them.


6. Launch a Vulnerability Scan

Now let’s actually look for vulnerabilities.

Run vulnerability scans with:

wmap_run -e

With no profile file given, -e runs all enabled modules.

  • -t = show all enabled modules
  • -e [/path/to/profile] = launch profile modules against all matched targets

7. Check the Results

After scans, check the collected results in your MSF database. For example:

hosts
services
vulns

Vulnerabilities discovered are stored and can be used to plan further attacks.


Example WMAP Workflow

Here’s a full example:

msfconsole
load wmap
workspace -a webtest
wmap_sites -a http://10.10.10.20
wmap_targets -t http://10.10.10.20
wmap_targets -l
wmap_run -t
wmap_run -e
vulns

If you spot something tasty (e.g. SQLi, XSS), pivot into Metasploit modules for exploiting it.
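
An added example, not part of the original post: a Ruby helper that turns a target list into an msfconsole resource script for the workflow above, dropping anything outside the engagement scope before it reaches WMAP. The scope range, the function names and the sample list are assumptions made for this example; the console commands are the WMAP plugin's wmap_sites, wmap_targets and wmap_run.

```ruby
require 'uri'
require 'ipaddr'

# Assumption: the engagement's authorized scope, as CIDR ranges (constructed).
SCOPE = %w[10.10.10.0/24].map { |cidr| IPAddr.new(cidr) }

# Returns scheme://ip[:port] when raw is an http(s) URL whose host is a literal
# IP inside SCOPE, else nil. Only parsed components are returned, so stray
# text in a target list can never end up as an extra console command.
def in_scope_url(raw)
  uri = URI.parse(raw.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS is a subclass
  return nil unless SCOPE.any? { |net| net.include?(IPAddr.new(uri.host)) }
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
rescue URI::InvalidURIError, IPAddr::Error
  nil
end

# Builds resource-script text (for msfconsole -r) from the in-scope targets.
# Returns [script_text, rejected_inputs].
def build_wmap_rc(workspace, raw_targets)
  raise ArgumentError, 'bad workspace name' unless workspace.match?(/\A[\w-]+\z/)
  accepted = []
  rejected = []
  raw_targets.each do |raw|
    url = in_scope_url(raw)
    url ? accepted.push(url) : rejected.push(raw)
  end
  lines = ['load wmap', "workspace -a #{workspace}"]
  accepted.uniq.each do |url|
    lines.push("wmap_sites -a #{url}", "wmap_targets -t #{url}")
  end
  lines.push('wmap_targets -l', 'wmap_run -t', 'wmap_run -e', 'vulns') unless accepted.empty?
  [lines.join("\n") + "\n", rejected]
end

# Constructed sample list; 10.10.10.20 is the lab address used on this page.
SAMPLE_TARGETS = %w[http://10.10.10.20 https://10.10.10.20:8443
                    http://192.168.1.5 ftp://10.10.10.20 http://example.com].freeze

if __FILE__ == $PROGRAM_NAME
  script, rejected = build_wmap_rc('webtest', SAMPLE_TARGETS)
  rejected.each { |r| warn "skipped (out of scope or not http/s): #{r}" }
  puts script
end
```

Save the printed output to a file and start the console with msfconsole -r on that file; entries that fail the scope check are reported on stderr and never written into the script.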


Caveats

  • WMAP is old and a bit dusty. It’s nowhere near as comprehensive as Burp, Nessus, or modern scanners.
  • Results can be noisy — false positives happen.
  • Limited support for complex modern apps (e.g. heavy JavaScript).

Why Bother?

  • If you’re already working in MSF, it’s fast to kick off some basic scans.
  • Vulnerability data stays in your Metasploit workspace for easy follow-up exploitation.

Side note: WMAP won’t replace Burp Suite, but it’s a cool trick to keep in your hacker toolbox. And sometimes it catches low-hanging fruit the fancy tools miss.
