Pen testing web applications with Metasploit’s “Wmap scanner”

“Scanning” involves all methods and techniques for identifying live systems like networks or servers to uncover its operating system and architecture. These techniques are used to identify any vulnerable points in a network that can be exploited.

This is a beginner’s tutorial on using the WMAP plugin incorporated in the Metasploit framework to scan for vulnerabilities in web applications. We will use the web application DVWA as a target to demonstrate the scanning process done using WAMP. DVWA is short for “damn vulnerable web application,” and the app is specially designed to used by cybersecurity novices to test and sharpen their penetration skills.

Setting up the Metasploit framework in Kali Linux

We will start by launching the Metasploit framework. First, start up the PostgreSQL server by typing:

$ sudo systemctl start postgresql

Next, initialize the database with msfdb init:

$ msfdb init

Then start the PostgreSQL service with service postgresql start

$ sudo service postgresql start

Then type msfconsole to start the Metasploit database

$ sudo msfconsole

The database is now loaded. You can make sure that the database has loaded properly, type in:

$ msf > db_status


Next up, launch WMAP using the following command:

$ msf > load wmap

The command shell will display the following window:

Type “?” and Metasploit will show the help menu, that’ll probably look something like:

$ msf > ?

Input target site to initiate the scanning

Use the wmap_sites to manage sites you wish to scan.

$ msf > wmap_sites

This is what you input to add a site:

$ msf > wmap_sites -a

$ msf > wmap_sites -l

Now we need to point Metasploit to the victim site by providing the URL

$ msf > wmap_targets

Type in wmap_targets –t to point to the site:

$ msf > wmap_targets -t

$ msf > wmap_targets -l

Loading up the mods

Before we run the scanner, type wmap_run. You will be displayed the options for this command.

$ msf > wmap_run

Put in wmap-run followed by a –t flag.

$ msf > wmap_run -t

As you can see, this has listed all the enabled modules, of which there are all sorts of. There’s are a bunch that is disabled as well. You can see that the SSL module is among the disabled, which is because the victim site is not using it.

If you want detailed info, type info, followed by the information on the mod.

Running the Scanner

To begin the scanning, type in wmap_run succeeded by –e flag. The scanning normally takes quite some time to finish.

$ msf > wmap_run -e

Use the wmap_vulns -l command to see the results of the scan.

$ msf > wmap_vulns -l


This beginner’s walkthrough has been about using Metasploit’s WAMP module for scanning web applications and checking it for vulnerabilities. We’ve set up how to launch the Metasploit database, how to launch the WAMP addon, and to direct it to a web app to initiate scanning. With pen testing, you can check for possible breach hotspots in a web app to eliminate them, thus strengthening its security.

About the author

Younis Said

I am a freelancing software project developer, a software engineering graduate and a content writer. I love working with Linux and open-source software.