Wapiti is a powerful automated command-line vulnerability scanner designed for penetration testers and bug bounty hunters. It assists in scanning web applications to identify security vulnerabilities and loopholes. Wapiti is open-source and written in Python, and it comes pre-installed with Kali Linux, a popular penetration testing distribution.
Hello everyone! Today, I'll demonstrate how to utilize Wapiti to uncover potential security vulnerabilities on websites. Let's get started!
Before we proceed, ensure you have three essential items ready.
- First, you'll need Kali Linux installed and running on a virtual machine. This virtual environment isolates your scanning activities and safeguards your main computer. Make sure the virtual machine's network adapter is configured in a special mode called "Host-only" to allow communication between Kali and your target website.
- Next, you'll need a website to scan. In this tutorial, we'll use Metasploitable2, a virtual machine deliberately designed to be vulnerable for educational purposes. This provides a safe space to practice without harming a real website.
- Finally, you need a steady internet connection, since the scanning process must be able to communicate with the target website. Open your Kali VM's settings, go to Network adapter, and confirm that the second adapter is connected to the NAT network.
Once these three prerequisites are in place, you're ready to scan target websites for vulnerabilities. To begin, we'll scan a web application running on Metasploitable2.
Before proceeding with the scanning process, it's crucial to identify the target's address. Open a terminal window in Kali Linux and execute the "netdiscover" command.
This command acts like a digital radar, searching your network for devices. It will list the discovered devices along with their IP addresses.
We already know that Metasploitable2 has a web page running on port 80. Launch a browser and access its web interface by typing the IP address into the address bar.
To begin, let's perform a vulnerability scan on this webpage to identify any security issues.
You can find Wapiti within the "Web Applications" menu on Kali Linux, usually located under "Web Vulnerability Scanners".
Executing the Wapiti command will reveal all available options along with detailed features and functionalities.
For this demonstration, we will focus our scan on Mutillidae. We choose this section to avoid scanning the entire site, which could take a significant amount of time to complete.
By narrowing our scan to specific sections of the site, we can efficiently identify and address potential vulnerabilities.
Now, let's initiate a scan on our target. Open a new terminal and enter wapiti -u followed by the URL of Mutillidae, then -o followed by the directory (with its full path) where the report should be saved.
Wapiti will first crawl the website automatically. Once crawling is complete, it will execute its attack modules one after another to identify potential security issues.
Keep in mind that Wapiti crawls through all the pages of the website and applies its modules, which can be time-consuming. For instance, on a Metasploitable virtual machine, the scan and module execution took over 15 minutes to finish. On a real-world website, this process could potentially take hours, depending on the size and complexity of the site.
Therefore, be patient during the scanning process, and ensure that you allocate sufficient time for Wapiti to thoroughly analyze the target website for vulnerabilities.
Here, if the website or web application has a large number of pages, the scanning process might take a significant amount of time. However, we have the option to skip certain modules to expedite the process. For instance, if we are confident that the target website does not have any vulnerabilities related to command execution (exec), we can skip this specific module.
If needed, press CTRL+C during module execution to interrupt the process. Wapiti then asks what to do next: press 'r' and Enter to halt the scan and generate the report, 'n' and Enter to skip the current module and move to the next one, 'c' to continue the current attack, or 'q' to quit without generating a report.
Once the scan is completed, an HTML report will be generated in the specified directory. You can navigate to this directory using a file manager.
Finally, open the generated HTML report in a web browser to view the comprehensive analysis of the scan results. This report will provide detailed insights into any vulnerabilities detected during the scanning process.
You can click on the identified vulnerabilities in the Wapiti report to access more detailed information. Let's take a closer look at an example, such as the Command execution vulnerability highlighted in the Wapiti report.
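The HTML report is convenient to browse, but when you want to triage findings from several scans it helps to process them programmatically. The following is an added example, not code from the video or from the Wapiti project: it reads a report in Wapiti's JSON format (the page uses the default HTML output; Wapiti 3 can instead be asked for JSON with -f json), collapses repeated hits on the same parameter, and lists the findings to fix first, such as the Command execution finding singled out above. The report layout (a "vulnerabilities" object keyed by category, each finding carrying method, path, parameter, info and an integer level) is assumed from Wapiti 3.x JSON reports, the severity names are an assumption, and the sample report, including its 192.0.2.10 address, is constructed for the example rather than taken from a real scan.

```python
import json
from collections import Counter

# Constructed sample in the shape of a `wapiti ... -f json` report; the host
# is a documentation address and every finding here is invented.
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://192.0.2.10/mutillidae/", "version": "Wapiti 3.x"},
    "vulnerabilities": {
        "Command execution": [
            {"method": "POST", "path": "/mutillidae/index.php", "parameter": "target_host",
             "info": "Command execution via injection in the parameter target_host",
             "level": 3, "http_request": "POST /mutillidae/index.php HTTP/1.1"},
        ],
        "Cross Site Scripting": [
            {"method": "GET", "path": "/mutillidae/index.php", "parameter": "page",
             "info": "XSS vulnerability found via injection in the parameter page",
             "level": 2, "http_request": "GET /mutillidae/index.php?page=... HTTP/1.1"},
            # Same parameter reported again with another payload: triaged once.
            {"method": "GET", "path": "/mutillidae/index.php", "parameter": "page",
             "info": "XSS vulnerability found via injection in the parameter page",
             "level": 2, "http_request": "GET /mutillidae/index.php?page=... HTTP/1.1"},
            {"method": "POST", "path": "/mutillidae/index.php", "parameter": "username",
             "info": "XSS vulnerability found via injection in the parameter username",
             "level": 2, "http_request": "POST /mutillidae/index.php HTTP/1.1"},
        ],
        "SQL Injection": [],
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "GET", "path": "/mutillidae/index.php", "parameter": "page",
             "info": "The server responded with a 500 HTTP error code",
             "level": 1, "http_request": "GET /mutillidae/index.php?page=... HTTP/1.1"},
        ],
    },
})

# Wapiti stores severity as an integer; these display names are an assumption.
LEVEL_NAMES = {1: "low", 2: "medium", 3: "high", 4: "critical"}


def load_report(text):
    """Parse the JSON text and make sure the sections we rely on exist."""
    report = json.loads(text)
    for section in ("vulnerabilities", "anomalies"):
        report.setdefault(section, {})
    return report


def unique_findings(report, section="vulnerabilities"):
    """Yield (category, finding) pairs, collapsing repeats of the same
    category/method/path/parameter so one injectable parameter counts once."""
    seen = set()
    for category, findings in report[section].items():
        for finding in findings:
            key = (category, finding.get("method"), finding.get("path"),
                   finding.get("parameter"))
            if key in seen:
                continue
            seen.add(key)
            yield category, finding


def count_by_category(report, section="vulnerabilities"):
    """Number of distinct findings per category; empty categories are omitted."""
    return dict(Counter(cat for cat, _ in unique_findings(report, section)))


def findings_at_least(report, min_level, section="vulnerabilities"):
    """Distinct findings whose severity is >= min_level, highest severity first."""
    hits = [(cat, f) for cat, f in unique_findings(report, section)
            if int(f.get("level", 0)) >= min_level]
    return sorted(hits, key=lambda cf: -int(cf[1].get("level", 0)))


def triage_lines(report, min_level=2):
    """One human-readable line per finding that needs remediation."""
    lines = []
    for cat, f in findings_at_least(report, min_level):
        level = int(f.get("level", 0))
        sev = LEVEL_NAMES.get(level, str(level))
        lines.append(f"[{sev}] {cat}: {f.get('method')} {f.get('path')} "
                     f"param={f.get('parameter') or '-'}")
    return lines


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print("target:", rep.get("infos", {}).get("target"))
    for cat, n in sorted(count_by_category(rep).items()):
        print(f"{n:3d}  {cat}")
    print("\n".join(triage_lines(rep)))
```

To run it against a real scan, replace SAMPLE_REPORT with the contents of the file Wapiti wrote under the -o path when invoked with -f json. The deduplication key deliberately ignores the payload so that one vulnerable parameter shows up as one work item, which is what a fix ticket needs; the raw http_request of each entry is still available in the parsed report for reproducing a finding during verification.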
Wapiti is a valuable tool widely utilized by cybersecurity researchers and bug bounty hunters due to its effectiveness in identifying vulnerabilities.
While we covered only the basics in the previous section, it's worth noting that Wapiti offers a wide range of advanced options and features.
One notable capability of Wapiti is its ability to pause a scan and resume it later. This feature is particularly useful when scans require extended periods to complete, sometimes taking an entire day or more.
Now that you're familiar with practicing in a safe environment, let's use Wapiti to test a live website on the internet.
For this exercise, we'll perform a scan on a website called "testphp.vulnweb.com". Please keep in mind that this website is intentionally designed to be vulnerable for educational purposes.
The process is similar to what we did previously. However, instead of using the IP address of a local host like Metasploitable2, we'll use a URL.
In the terminal, type wapiti -u followed by the URL, then -o followed by the name of the output directory.
This command initiates the complete scanning process.
As before, if you need to interrupt a running module, press CTRL+C. To skip the current module and proceed to the next one, press 'n' followed by Enter.
Once the scan is completed, Wapiti will save the report in the specified directory. Navigate to this directory and open the HTML file to view the detailed scan report.
Wapiti is a widely recognized tool used by security researchers, users, and System Administrators alike. In an era where cybercriminals exploit new and existing vulnerabilities due to poor security practices, Wapiti offers an effective solution for auditing websites and web servers.
Its commands and arguments are straightforward, making it accessible to users of varying technical levels. Despite its simplicity, Wapiti is a powerful tool. The HTML-format report it generates provides a clear overview of urgent issues and potential solutions, eliminating the need for extensive manual searching and problem-solving.
Using Wapiti, you can gain valuable insights into your system's vulnerabilities and receive actionable guidance toward resolving them.
If you have any doubts or questions, feel free to leave them in the comments section. Thank you for your attention.