Having completed my incursion into Metasploitable 2, I’m beginning my foray into Mutillidae II.
Before starting the manual hands-on stuff I thought I’d throw some automated scanners at the web app for fun and see what results they might generate for me.
Mutillidae version 2.6.5 is hosted on my Windows 7 system using XAMPP and I’m scanning from Kali Linux.
I was keen to use Metasploit for this and discovered the WMAP module and followed instructions given here.
Once the scan was complete I looked for vulnerabilities but Metasploit came back empty.
I followed the instructions given in the below video:
And Metasploit still generated no vulnerability results; however, looking at this video closely I noted the professional version is used.
Looking back through the output generated during the scan, there appear to be errors that begin: /opt/metasploit/apps/pro, which indicates the “pro” version is needed for this.
Looking at Metasploit’s web GUI and clicking the “web Apps” tab, it talks of upgrading to the pro version for use.
Metasploit’s website details the differences between the versions and it’s clear that web app testing only comes with the pro version.
Although it’s a shame there is no Metasploit feature for web app testing in the community version, there are plenty of open source scanners and Metasploit’s free version does come packed with goodies.