Metasploit: Scanning a Website with Wmap

Metasploit Framework is one of the most powerful tools in a penetration tester's arsenal. Among its many modules, Wmap provides integrated web application scanning capabilities, allowing you to discover endpoints, analyze attack surface, and identify potential vulnerabilities.

This guide walks you through setting up Metasploit, loading Wmap, and scanning a target website (https://dhound.io) to map its web attack surface.

Prerequisites

Ensure Metasploit and PostgreSQL are installed. On Debian/Ubuntu:

sudo apt install metasploit-framework postgresql

Metasploit uses a database to store hosts, services, and vulnerabilities. PostgreSQL is the default backend.

Start and Initialize Services

Start the PostgreSQL service and initialize the Metasploit database:

service postgresql start
msfdb init

Alternatively, if the database is already set up, you can start Metasploit directly.

Launch Metasploit Console

Start the Metasploit console:

msfconsole

Once inside, verify the database connection:

msf > db_status
[*] Connected to msf database at postgresql://msf:password@127.0.0.1/msf

If disconnected, run db_connect manually.

Load the Wmap Plugin

Load the Wmap plugin for web scanning:

msf > load wmap

You should see:

[*] Successfully loaded plugin: wmap

Add and List Target Sites

Check current sites (initially empty):

msf > wmap_sites

Add a target website:

msf > wmap_sites -a https://dhound.io
  • -a: Add site(s) using space-separated URLs.

List all registered sites:

msf > wmap_sites -l

Set Scan Targets

Assign the first site (ID 0) as the current target:

msf > wmap_targets -d 0
  • -d: Designate site by index as the active target.

Run the Wmap Scan

First, crawl and identify available endpoints:

msf > wmap_run -t
  • -t: Run crawling and topology analysis.

Then, perform vulnerability checks:

msf > wmap_run -e
  • -e: Execute full vulnerability scan.

Note: Scans may take several minutes depending on the site size and response time.

View Identified Vulnerabilities

List all discovered vulnerabilities:

msf > wmap_vulns -l

This will display potential issues such as:

  • Open admin panels
  • Exposed backup files
  • Outdated software versions
  • Missing security headers
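
The steps above collected into a Metasploit resource script, as an added example that is not part of the original guide: the shell functions below write the script only when the URL's host is listed in an authorized-scope file, and reject characters that could inject extra console commands. The scope file format, the function names, the workspace and spool commands, and the file paths are assumptions that do not come from the page.

```shell
#!/bin/sh
# Added example (not from the original guide): build a Metasploit resource
# script for the Wmap steps, but only for hosts in an authorized-scope file.

# Print the lower-cased host of an http(s) URL. Anything outside a small
# URL-safe character set (spaces, newlines, ';', '<', quotes) is rejected so
# the URL cannot smuggle extra console commands into the resource script.
url_host() {
    case "$1" in
        *[!A-Za-z0-9._~:/%-]*) return 1 ;;
        http://?*|https://?*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | sed -E 's#^https?://([^/:]+).*#\1#' | tr 'A-Z' 'a-z'
}

# $1 = host, $2 = scope file (assumed format: one authorized hostname per line)
in_scope() {
    grep -Fxqi -- "$1" "$2"
}

# $1 = URL, $2 = scope file, $3 = resource script to write
write_wmap_rc() {
    host=$(url_host "$1") || { echo "rejected: unsupported URL" >&2; return 2; }
    in_scope "$host" "$2" || { echo "refused: $host not in $2" >&2; return 3; }
    # Assumption: a workspace used only for this host, so the site added here
    # is the first one (ID 0), which the "wmap_targets -d 0" step relies on.
    ws="wmap_$(printf '%s' "$host" | tr -c 'A-Za-z0-9' '_')"
    cat > "$3" <<EOF
workspace -a $ws
spool $3.log
db_status
load wmap
wmap_sites -a $1
wmap_sites -l
wmap_targets -d 0
wmap_run -t
wmap_run -e
wmap_vulns -l
spool off
exit
EOF
}

# Usage: write_wmap_rc https://dhound.io scope.txt wmap.rc && msfconsole -q -r wmap.rc
```

The spool log gives a record of what was run and against which target, which is useful evidence for the engagement report.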


Published on Aug 20, 2025