The exploitee system comprises: Windows XP Pro Service Pack 2 (unpatched). I’m following instructions given in Chapter 5 (The Joy of Exploitation) of Metasploit: The Penetration Tester’s Guide. I shall attempt my first exploit and target the Windows portion of my Virtual Hacking Lab. I must say the w3af results output is very comprehensive you can view it in numerous formats including HTML and email.įrom this brief interaction with w3af it seems like a powerful tool. I will get to know these tools more intimately but sometimes it’s fun just to dive in, have go, and see what happens. Just to be clear I’m not proficient with w3af or any other web app scanner, I didn’t read any manuals, used the GUI, and selected “Full Audit” randomly. I guess this option is the reason w3af is described as a “web based Metasploit“. There is an “Exploit all Vulns” button, but I didn’t opt for this as I want my broken web app intact for manual hacking. To make things more interesting I booted up my deliberately vulnerable broken web app and ran the same scan, and the vulnerabilities and exploits spewed forth, which is expected. The results were quite boring with no ‘exploits’ or ‘vulnerabilities’ noted, which is good news. So, I ran w3af, selected “Full Audit” and scanned this blog. In some ways it is like a web-focused Metasploit. It is easy to use and extend and features dozens of web assessment and exploitation plugins. W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. W3af is ranked as the third most popular Web Vulnerability Scanner on SecTools and comes included with Kali Linux. Whilst I’m working my way through Webgoat I thought I’d try out one of the Web Application Scanners.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |