CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/auxiliary/scanner/http/crawler.md
Views: 11788

Description

This module is a http crawler, it will browse the links recursively from the web site. If you have loaded a database plugin and connected to a database, this module will report web pages and web forms.

Vulnerable Application

You can use any web application to test the crawler.

Options

URI

Default path is /

DirBust

Bruteforce common url path, default is true but may generate noise in reports.

HttpPassword, HttpUsername, HTTPAdditionalHeaders, HTTPCookie

You can add some login information

UserAgent

Default User Agent is Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Verification Steps

  1. Do: use auxiliary/scanner/http/crawler

  2. Do: set RHOST [IP]

  3. Do: set RPORT [PORT]

  4. Do: set URI [PATH]

  5. Do: run

Scenarios

Example against WebGoat

msf> use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST 127.0.0.1
msf auxiliary(crawler) > set RPORT 8080
msf auxiliary(crawler) > set URI /webgoat/
msf auxiliary(crawler) > set DirBust false
msf auxiliary(crawler) > run
[*] Crawling http://127.0.0.1:8008/webgoat/...
[*] [00001/00500]    302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/ -> /webgoat/login.mvc
[*] [00002/00500]    200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc
[*]                         FORM: POST /webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
[-] [00003/00500]    404 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/images/favicon.ico
[*] [00004/00500]    200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/plugins/bootstrap/css/bootstrap.min.css
[*] [00005/00500]    200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/font-awesome.min.css
[*] [00006/00500]    200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/animate.css
[*] [00007/00500]    302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202 -> /webgoat/login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202?error
[*] [00008/00500]    200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202?error
[*]                         FORM: GET /webgoat/login.mvc
[*]                         FORM: POST /webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
[*] [00009/00500]    200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/main.css
[*] [00010/00500]    302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/start.mvc -> http://127.0.0.1:8008/webgoat/login.mvc
[*] [00011/00500]    200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc
[*]                         FORM: POST /webgoat/j_spring_security_check
[*] Crawl of http://127.0.0.1:8008/webgoat/ complete
[*] Auxiliary module execution completed

Follow-on: Wmap

As you see, the result is not very user friendly...

But you can view a tree of your website with the Wmap plugin. Simply run :

msf auxiliary(crawler) > load wmap
msf auxiliary(crawler) > wmap_sites -l
[*] Available sites
===============

     Id  Host           Vhost          Port  Proto  # Pages  # Forms
     --  ----           -----          ----  -----  -------  -------
     0   127.0.0.1      127.0.0.1      8080  http   70       80


msf auxiliary(crawler) > wmap_sites -s 0

    [127.0.0.1] (127.0.0.1)
     webgoat (7)
         css (3)
            animate.css
            font-awesome.min.css
            main.css
         j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
         login.mvc
         login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
         plugins (1)
            bootstrap (1)
                css (1)
                    bootstrap.min.css
         start.mvc
         j_spring_security_check