Websploit is an automatic vulnerability assessment, web crawler and exploiter tool. It is an open-source command-line utility built on a modular structure. At the time of writing, 16 modules are available in Websploit. It can be downloaded from the SourceForge project website, and it is available on Kali Linux by default.
Websploit can be synchronized with the Metasploit WMAP project for web vulnerability scanning. Its modules fall into four categories:
- Web Modules
- Network Modules
- Exploit Modules
- Wireless Modules
The wireless modules offer some interesting WiFi attack vectors, including the WiFi jammer and the WiFi DDoS attack. For exploitation, Websploit relies on the Metasploit Autopwn service and the Metasploit browser autopwn service. A large number of interesting attack vectors are available in the network modules, including but not limited to:
- ARP cache DOS attack
- Middle Finger Of Doom Attack
- Man In The Middle Attack
- Man Left In The Middle Attack
- Fake Update Attack Using DNS Spoof
- And more....
Some Websploit modules depend on Metasploit, for example:
- Information Gathering From Victim Web Using (Metasploit Wmap)
So it is recommended to configure Metasploit before using these modules. A demonstration of every module is not possible in a single article, but the basic commands and usage of the software are covered below, and they will help you use Websploit in a professional manner.
If you are on Kali Linux, click Applications → Kali Linux → Web Applications → Web Vulnerability Scanners → Websploit.
The commands available in Websploit are:
| Command | Description |
|---|---|
| `set` | Set Value Of Options To Modules |
| `scan` | Scan Wifi (Wireless Modules) |
| `stop` | Stop Attack & Scan (Wireless Modules) |
| `run` | Execute Module |
| `use` | Select Module For Use |
| `os` | Run Linux Commands (ex : os ifconfig) |
| `back` | Exit Current Module |
| `show modules` | Show Modules of Current Database |
| `show options` | Show Current Options Of Selected Module |
| `upgrade` | Get New Version |
| `update` | Update Websploit Framework |
The demonstration below performs the web directory scanner attack.
```
wsf > show modules
wsf > use web/dir_scanner
wsf:Dir_Scanner > show options
wsf:Dir_Scanner > set TARGET http://ehacking.net
TARGET => ehacking.net
wsf:Dir_Scanner > run
[*] Your Target : ehacking.net
[*]Loading Path List ... Please Wait ...
[index] ... [404 Not Found]
[images] ... [404 Not Found]
[download] ... [404 Not Found]
```
The commands for the other attack vectors are the same; just follow the steps shown above.
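On the server side, the directory scan shown in the demonstration appears in the access log as a burst of 404 responses for distinct paths from a single client. The following is an added example (not from the original article or the Websploit project) that flags that pattern in common/combined-format log lines; the log lines, IP addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: ip - - [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def detect_dir_scans(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: max distinct 404 paths seen inside `window`} for clients that
    reach `threshold`. Both values are assumed defaults; tune them per site."""
    recent = defaultdict(deque)   # ip -> (timestamp, path) of recent 404s
    flagged = {}
    for line in lines:            # lines are expected in chronological order
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue              # skip unparsable lines and non-404 responses
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]   # ignore query strings
        q = recent[m["ip"]]
        q.append((ts, path))
        while ts - q[0][0] > window:        # drop hits older than the window
            q.popleft()
        distinct = len({p for _, p in q})   # repeated misses count once
        if distinct >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

def _line(ip, sec, path, status):
    # Helper that builds one constructed log line (hypothetical traffic).
    return (f'{ip} - - [10/Jan/2024:12:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 162 "-" "-"')

# Constructed sample: one client walking a path list, one ordinary visitor.
SAMPLE_LOG = (
    [_line("192.0.2.10", i, p, 404) for i, p in enumerate(
        ["/index", "/images", "/download", "/admin", "/backup", "/test"])]
    + [_line("198.51.100.7", 1, "/", 200),
       _line("198.51.100.7", 2, "/favicon.ico", 404),
       _line("198.51.100.7", 3, "/favicon.ico", 404)]
)

if __name__ == "__main__":
    print(detect_dir_scans(SAMPLE_LOG))
```

Counting distinct paths rather than raw 404s keeps a browser that repeatedly requests one missing file from being flagged.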