



Armitage: the cyber attack management tool

Armitage is a graphical Cyber Attack Management tool for Metasploit
(http://www.metasploit.com) that visualizes your targets, recommends exploits,
and exposes the advanced capabilities of the framework. Advanced users will find
Armitage valuable for managing remote Metasploit instances and collaboration.
Armitage's red team collaboration features allow your team to use the same
sessions, share data, and communicate through one Metasploit instance.




Metasploit is a popular exploitation framework that has received plenty of
coverage aimed at penetration testers. Armitage is a GUI for Metasploit built
around the hacking process. In this document I will show you how to use Armitage
to scan a Linux host, find the right exploit, exploit the host, and handle
post-exploitation. By following this project, we will learn how to use Armitage
and Metasploit in our own work. Armitage was created by Raphael Mudge.




BASIC REQUIREMENTS:
Windows XP or Windows 7
BackTrack 5 R3
PostgreSQL
MySQL
Linux (here I have used BlackBuntu)
A fresh install of Metasploit (http://www.metasploit.com/) 4.4 or later
Oracle's Java 1.7 (http://www.java.com)
Mac OS X




Armitage: A Hacker's Perspective
About Armitage:
Armitage is a scriptable red team collaboration tool for Metasploit that
visualizes targets, recommends exploits, and exposes the advanced post-exploitation
features in the framework. Through one Metasploit instance, your team can:
    Use the same sessions
    Share hosts, captured data, and downloaded files
    Communicate through a shared event log
    Run bots to automate red team tasks




When Metasploit and Armitage are used together they make a powerful cyber
attack management tool for penetration testing a network. Armitage allows your
team to use the same sessions, share data, and communicate through one
Metasploit instance. It is also a helpful tool for learning about offensive
security, because it provides a graphical interface on top of the command line.


Armitage makes Metasploit usable for security practitioners who understand
hacking but don't use Metasploit every day. The following sections cover the
main areas of cyber attack management that Armitage, and its commercial sibling
Cobalt Strike, provide:

1. Commercial support
Armitage is open source software developed by Raphael Mudge's company
Strategic Cyber LLC. Cobalt Strike is the commercially supported big brother
of Armitage. Cobalt Strike adds features to support professional penetration
testers and red teams, including:
    Professional Reports
    Spear Phishing
    Web Drive-by Attacks
    Client-side Reconnaissance
    VPN Pivoting
    Covert Command and Control

1.1 Professional Reports
Professional Reports are built from the hosts, services, credentials,
compromises and vulnerabilities gathered during the engagement. The following
is an example Hosts Report:

Hosts Report
March 1, 2012
This report shows host information gathered during this penetration test.

Summary
Hosts: 12
Services: 30
Vulnerabilities: 7
Compromises: 11



10.10.10.1
Operating System: Cisco IOS
Name:
MAC Address: 08:00:27:26:cc:f9


10.10.10.3
Operating System: Microsoft Windows 2008 R2 SP0
Name: DC
MAC Address: 08:00:27:1c:62:e1

Services
port  proto  name  info
139   tcp
135   tcp
389   tcp
445   tcp    smb   Windows Server 2008 R2 Enterprise (Build 7600)
                   (language:Unknown) (name:DC) (domain:CORP)
Credentials
user           pass
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:23:54 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution




Vulnerabilities



• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password
hash) to execute an arbitrary payload. This module is similar to the "psexec"
utility provided by SysInternals. This module is now able to clean up after itself.
The service created by this tool uses a randomly chosen name and description.


10.10.10.4
Operating System: Microsoft Windows .NET Server SP0
Name: FILESERVER
MAC Address: 08:00:27:5c:d4:ad
Services
port  proto  name  info
139   tcp
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown)
                   (name:FILESERVER) (domain:CORP)
Credentials
user              pass
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0




Compromises
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.

10.10.10.5
Operating System: Microsoft Windows .NET Server SP0
Name: MAIL
MAC Address: 08:00:27:1f:1d:86
Services
port  proto  name  info
25    tcp    smtp  220 ACME Corporation Mail Server [hMailServer]
139   tcp
143   tcp    imap  * OK IMAPrev1
110   tcp    pop3  +OK POP3
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown)
                   (name:MAIL) (domain:CORP)




Credentials
user              pass
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.


10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29




Services
port  proto  name  info
135   tcp
139   tcp
445   tcp          Windows XP Service Pack 2 (language:English)
                   (name:JOSHDEV) (domain:CORP)
Credentials
user           pass
josh.sokol     aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
User           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:14:49 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full support for NX
bypass on 2003, along with other platforms, is still in development.




10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64


Services
port  proto  name  info
80    tcp    http  Apache/2.2.14 (Ubuntu)
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7


10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services
port  proto  name  info
139   tcp
135   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2)
                   (domain:CORP)
Credentials
user           pass
administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM  unknown   Generic Payload Handler
03-01-12 09:21:26 PM  1 minute  Microsoft Windows Authenticated User Code Execution



Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash)
to execute an arbitrary payload. This module is similar to the "psexec" utility
provided by SysInternals. This module is now able to clean up after itself. The
service created by this tool uses a randomly chosen name and description.




10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown)
                   (name:CEOSBOX) (domain:CORP)
Credentials
user                pass
administrator       e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
CORP/administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution


Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password
hash) to execute an arbitrary payload. This module is similar to the "psexec"
utility provided by SysInternals. This module is now able to clean up after itself.
The service created by this tool uses a randomly chosen name and description.




192.168.12.110
Operating System: Microsoft Windows 7
Name:
MAC Address:



192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01



192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows XP Service Pack 2 (language:English)
                   (name:JOSHDEV) (domain:CORP)




192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services
port  proto  name  info
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

Credentials
user    pass
jsokol  joshrocks
Compromises
opened duration method
03-01-12 09:16:58 PM unknown SSH Login Check Scanner
Vulnerabilities
• SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful
logins. If you have loaded a database plugin and connected to a database this
module will record successful logins and hosts so you can track your access.
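The report above lists the same Administrator LM:NT hash pair on six hosts, Guest and User accounts whose NT hash is the hash of the empty string (31d6cfe0d16ae931b73c59d7e0c089c0), a non-empty LM hash for every Administrator entry, and one cleartext SSH password. That shared local administrator password is what lets the psexec-style "Authenticated User Code Execution" module, which accepts a password hash, turn one compromise into six. The following Python example is added here and is not part of the original page, of Armitage or of Cobalt Strike; it parses a constructed flat copy of those credential lines (the "host user secret" layout is our own, not a report format either tool exports) and flags blank passwords, stored LM hashes, cleartext credentials and NT hashes reused across hosts:

```python
import re
from collections import defaultdict

# Constructed input: the credential lines from the Hosts Report above, flattened
# to "host user secret". This flat layout is our own, not an Armitage/Cobalt Strike export.
REPORT_CREDS = """\
10.10.10.3 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.4 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.4 SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
10.10.10.4 Guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.5 SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
10.10.10.5 Guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.5 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.18 josh.sokol aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
10.10.10.18 User aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.18 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.188 administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.189 administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.189 CORP/administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
192.168.57.18 jsokol joshrocks
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM hashing disabled or password > 14 chars
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has a blank password
HASH_RE = re.compile(r"^([0-9a-f]{32}):([0-9a-f]{32})$")


def parse_creds(text):
    """Yield (host, user, kind, value); kind is 'hash' (value = (lm, nt)) or 'plain' (value = password)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, secret = line.split(None, 2)
        m = HASH_RE.match(secret.lower())
        if m:
            yield host, user.lower(), "hash", (m.group(1), m.group(2))
        else:
            yield host, user.lower(), "plain", secret


def analyse(text):
    """Flag blank passwords, stored LM hashes, cleartext secrets and NT hashes shared across hosts."""
    findings = {"blank_password": [], "lm_stored": [], "cleartext": [], "reuse": {}}
    hosts_by_nt = defaultdict(set)
    for host, user, kind, value in parse_creds(text):
        if kind == "plain":
            findings["cleartext"].append((host, user))
            continue
        lm, nt = value
        if nt == EMPTY_NT:
            findings["blank_password"].append((host, user))
        if lm != EMPTY_LM:
            # A real LM hash means the password is at most 14 characters and is
            # crackable offline in minutes; modern hosts should store only the NT hash.
            findings["lm_stored"].append((host, user))
        hosts_by_nt[nt].add(host)
    for nt, hosts in hosts_by_nt.items():
        # The same NT hash on several hosts is the shared local password that a
        # pass-the-hash login (the psexec-style module in the report) turns into
        # a foothold on each of them.
        if nt != EMPTY_NT and len(hosts) > 1:
            findings["reuse"][nt] = sorted(hosts)
    return findings


if __name__ == "__main__":
    for key, val in analyse(REPORT_CREDS).items():
        print(key, val)
```

The two constants are the well-known hashes of the empty string, so a blank password is recognised without cracking anything; everything else the script reports is visible in the report by eye, but on a real engagement with hundreds of rows this is the check that tells you which hosts fall to the first set of dumped hashes.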

1.2 Spear Phishing
Cobalt Strike's spear phishing tool allows you to send pixel perfect spear
phishing messages using an arbitrary message as a template. Set Targets to
import a list of targets. You may import a flat text file containing one email
address per line. Import a file containing one email address and name separated
by a tab or comma for stronger message customization.


Set Template to an email message template. A Cobalt Strike message template
is simply a saved email message. Cobalt Strike will strip unnecessary headers,
remove attachments, rewrite URLs, re-encode the message, and rewrite it for
you. Cobalt Strike does not give you a means to compose a message. Use an
email client, write a message, and send it to yourself. Most webmail clients
include a means to see the original message source. In GMail, click the down
arrow next to Reply and select Show original.


You may customize a saved message with Cobalt Strike tokens. Cobalt Strike
replaces these tokens when sending an email. The tokens include:


Token      Description
%To%       The email address of the person the message is sent to
%To_Name%  The name of the person the message is sent to. This token is only
           available when importing a tab-separated file containing a name.
%URL%      The contents of the URL field in the spear phishing dialog.


Set Embed URL to have Cobalt Strike rewrite each URL in the message
template to point to the embedded URL. URLs added in this way will contain a
token that allows Cobalt Strike to trace any visitor back to this
Press ... to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target.


Set Bounce To to an email address where bounced messages should go. This
value will not affect the message your targets see. Press Preview to see an
assembled message to one of your recipients. If the preview looks good, press
Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client.
If you're managing a remote server, know that messages will come from your
local host and not the remote server.


1.3 Web Drive-by Attacks
Firefox Addon Attack

This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This
tool will start a Metasploit web server that serves a dynamically created Firefox
Add-on.

This is a great attack to embed in a cloned website. Find a popular Firefox
addon, clone its site, and embed the Firefox Add-on Attack URL.


1.4 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process.
This tool starts a local web server and fingerprints anyone who visits it. The
system profiler discovers the internal IP address of users behind a proxy along
with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler.
To start the profiler you must specify a URI to bind to and a port to start the
Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike
will redirect visitors to this URL once their profile is taken. Click Launch to
start the system profiler.

1.5 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN
creates a network interface on the Cobalt Strike system and bridges this
interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's
network, act as a rogue server, or perform man-in-the-middle attacks normally
reserved for internal assessments. You may use external scanning and attack
tools to assess your target network as well.

1.6 Covert Command and Control
What is Beacon?

Beacon is Cobalt Strike's remote administration payload for long-term
engagements. Beacon does not provide real-time control of a compromised host.
Beacon is asynchronous. It spends most of its time sleeping. Occasionally,
Beacon will contact Cobalt Strike to check for tasks.

If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and
Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt
to communicate through multiple domains. This makes your control of a
compromised host more robust. If a system administrator blocks one IP address
or domain, Beacon may still receive tasks through its other domains. When tasks
are available, Beacon downloads them and sends output using the HTTP protocol.
Beacon may check for tasks through HTTP or DNS requests.
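The check-in behaviour described above (sleep, wake, fetch tasks over HTTP, rotate between domains) is also what a defender hunts for. The following Python example is added here and is not part of the page or of Cobalt Strike: it runs a periodicity check over a constructed web-proxy log in which one host calls out roughly every 60 seconds, alternating between two domains, while another host browses normally. A fixed sleep with alternating domains still yields a regular series per destination (with twice the sleep as its period), so a per-(source, destination) coefficient of variation on the inter-request gaps catches it. The log format, thresholds, hosts and domain names are assumptions:

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample web-proxy log ("timestamp src dst path"); the traffic is synthetic.
# 10.10.10.189 checks in about every 60 s, alternating between two domains;
# 10.10.10.18 is ordinary browsing plus one incidental hit on the same CDN host.
SAMPLE_LOG = """\
2012-10-20T09:00:00 10.10.10.189 updates.example.net /jquery.js
2012-10-20T09:00:10 10.10.10.18 www.example.com /
2012-10-20T09:00:12 10.10.10.18 www.example.com /style.css
2012-10-20T09:00:13 10.10.10.18 www.example.com /logo.png
2012-10-20T09:01:03 10.10.10.189 cdn.example.org /jquery.js
2012-10-20T09:01:59 10.10.10.189 updates.example.net /jquery.js
2012-10-20T09:02:40 10.10.10.18 www.example.com /news
2012-10-20T09:02:41 10.10.10.18 www.example.com /news.css
2012-10-20T09:03:01 10.10.10.189 cdn.example.org /jquery.js
2012-10-20T09:04:04 10.10.10.189 updates.example.net /jquery.js
2012-10-20T09:04:57 10.10.10.189 cdn.example.org /jquery.js
2012-10-20T09:05:30 10.10.10.18 updates.example.net /jquery.js
2012-10-20T09:06:02 10.10.10.189 updates.example.net /jquery.js
2012-10-20T09:06:58 10.10.10.189 cdn.example.org /jquery.js
2012-10-20T09:07:05 10.10.10.18 www.example.com /about
2012-10-20T09:08:01 10.10.10.189 updates.example.net /jquery.js
2012-10-20T09:09:03 10.10.10.189 cdn.example.org /jquery.js
2012-10-20T09:09:58 10.10.10.189 updates.example.net /jquery.js
2012-10-20T09:11:01 10.10.10.189 cdn.example.org /jquery.js
"""


def parse_log(text):
    """Group request timestamps by (source, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def periodicity(times):
    """Return (request count, mean gap in seconds, coefficient of variation of the gaps)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return len(times), mean, cv


def find_beacons(text, min_requests=6, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-request gaps are too regular to be a person browsing."""
    hits = {}
    for key, times in parse_log(text).items():
        if len(times) < min_requests:
            continue  # too few samples to judge regularity
        count, mean, cv = periodicity(times)
        if cv <= max_cv:
            hits[key] = {"requests": count, "period_s": round(mean, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in sorted(find_beacons(SAMPLE_LOG).items()):
        print(src, "->", dst, info)
```

Random domain selection, large jitter or DNS check-ins break the per-destination regularity; for those, merge the series per source over all rarely visited destinations, or run the same test over DNS query logs, which the text says Beacon can also use as its channel.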

2. Cyber Attack Management
Armitage organizes Metasploit's capabilities around the hacking process. There
are features for discovery, access, post-exploitation, and maneuver. This section
describes these features at a high-level, the rest of this manual covers these
capabilities in detail.


For discovery, Armitage exposes several of Metasploit's host management
features. You can import hosts and launch scans to populate a database of
targets. Armitage also visualizes the database of targets--you'll always know
which hosts you're working with and where you have sessions.


Armitage assists with remote exploitation--providing features to automatically
recommend exploits and even run active checks so you know which exploits
will work. If these options fail, you can use the Hail Mary approach and unleash
Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side
features of Metasploit. You can launch browser exploits, generate malicious
files, and create Meterpreter executables.


Once you're in, Armitage provides several post-exploitation tools
built on the capabilities of the Meterpreter agent. With the click of a menu you
will escalate your privileges, dump password hashes to a local credentials
database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you
use compromised hosts as a platform for attacking other hosts and further
investigating the target network. Armitage also exposes Metasploit's SOCKS
proxy module which allows external tools to take advantage of these pivots.
With these tools, you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you
need to know in the order you'll need it.




3. Necessary things to know
To use Armitage, it helps to understand Metasploit. Here are a few things you
absolutely must know before continuing:
Metasploit (http://www.metasploit.com/) is a console driven application.
Anything you do in Armitage is translated into a command Metasploit
understands. You can bypass Armitage and type commands yourself (covered
later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and
even payload is available as a module. If you're scanning a host, you use an
auxiliary module. Before launching a module, you must set one or more
variables to configure the module. The exploit process is similar. To launch an


exploit, you must choose an exploit module, set one or more variables, and
launch it.
Armitage aims to make this process easier for you. If you successfully exploit a
host, you will have a session on that host. Armitage knows how to interact with
shell and Windows meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation
functionality available to you. Armitage is built to take advantage of
Meterpreter. Working with Meterpreter is covered later.

4. Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later
2. Install Oracle's Java 1.7 (JRE or JDK)
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do
this once to initialize the database)
5. Make sure you're the Administrator user
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will
only need to do this once (e.g., c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user,
consider using Armitage from a BackTrack virtual machine.


4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com/.
   Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu).
On a Debian-based system such as BackTrack you can install Armitage with a
single command, but you need to be root to do so. Open a terminal and type
exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit; use this command in the
terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
(The form of the msfrpcd command that current Armitage releases expect is
given in the Mac OS X section below: msfrpcd -U msf -P password -S -f.)
Open a terminal
Add /usr/local/bin to $PATH: export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup
script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults

This database startup script creation step isn't necessary if you opt to start
Metasploit as a service when the installer runs. The downside is that the
Metasploit-as-a-service option starts up the commercial/community edition of
Metasploit on boot too. If you use this version, great. If not, it's a waste of
system resources.




Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
(Armitage itself supports only a PostgreSQL database; see section 5. Starting
MySQL does not change where Armitage reads and stores its results.)
Now it's time to run Armitage: locate the directory and type
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:

Open a terminal
Type: armitage
Click Connect
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You
do not need to change the DB connect string.
Note
If you're using Armitage with a *local* Metasploit instance, then Armitage must
also run as root. Why? Because Armitage needs root privileges to read the
database.yml file created by Metasploit's installer. If Armitage can't read this
file, it will not be able to connect to the database.

4.3 On BackTrack 5 R3
Armitage comes with BackTrack Linux 5 R3. The latest Armitage release requires
BackTrack 5 R3; 5 R2, 5 R1 and 5 R0 are no longer supported. If you uninstall
Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the
Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:

Open a terminal
Type: armitage
Click Connect
Press Yes if asked to start msfrpcd.


4.4 On Mac OS X
Armitage works on Mac OS X but it's not a supported platform for Armitage.
Metasploit does not have an official package for OS X.
There is a lot of manual setup involved getting the pre-requisites working.
Cedric Baillet created a step-by-step guide
(http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf)
to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download
the Mac OS X package, extract it, and double-click the Armitage.app file to get
started.
Here are three Mac OS X Armitage install guides that others have produced;
these may help you. Please don't ask me to provide support for them though:
    The Black Matrix
    (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
    Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion
    (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion/)
    Faulty Logic Blog
    (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)


Armitage is a fast moving project and these guides may suggest methods for
starting the Metasploit Framework RPC daemon that are slightly dated. The
correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f



5. Manual setup
Some crazy people choose to install Metasploit without the benefit of the full
installer. This method is not supported. If you go this route,here are some of the
requirements:
    A PostgreSQL database. No other database is supported.
    msfrpcd is in $PATH
    $MSF_DATABASE_CONFIG points to a YAML file
    $MSF_DATABASE_CONFIG is available to msfrpcd and armitage
    the msgpack ruby gem

6. Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the
latest source code from a subversion repository that is synced with the git
repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by
doing this. The Metasploit team is cautious about what they commit to the
primary git repository and they're extremely responsive to bug reports. That said,
things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options.
        1) You can run msfupdate later and hope the issue gets fixed. Many
        times this is a valid strategy.
        2) You can downgrade Metasploit to the last revision tested against
        Armitage. Take a look at the change log file for the latest development
        release tested against Armitage. The revision number is located next to
        the release date. To downgrade Metasploit:
        cd /path/to/metasploit/msf3
        source ../scripts/setenv.sh
        svn update -r [revision number]


        This step will downgrade the Armitage release included with Metasploit
        too. You can download the latest Armitage release from this site in the
        mean time.
        3) Reinstall Metasploit using the installer provided by Rapid7. The
        Metasploit installer includes the latest stable version of Metasploit.
        Usually, this release is very stable.
        If you're preparing to use Armitage and Metasploit somewhere important,
        do not run msfupdate and assume it will work. It's very important to
        stick with what you know works or test the functionality you need to
        make sure it works. When in doubt, go with option (2) or (3).

6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog, use the --client option to specify a file with the
connection details.
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a
desktop shortcut that calls this --client option with a different properties file for
each server.
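As an added example that is not part of the original manual or of Armitage, the following Python script parses a connect.prop file holding the values shown above, validates the four keys --client needs, builds the java -jar armitage.jar --client command together with the matching server-side msfrpcd invocation (the -U/-P/-S/-f form the manual gives for starting msfrpcd), and refuses a file that is group- or world-readable, since the msfrpcd password sits in it in cleartext. The Java-properties comment syntax, the port range check and the permission check are our assumptions, not documented Armitage behaviour:

```python
import os
import stat
import tempfile

# Constructed sample using the values from the manual's example connect.prop.
# The '#' comment line is our assumption about the format, not a documented feature.
SAMPLE_PROP = """\
# Armitage --client connection file
host=192.168.95.241
port=55553
user=mister
pass=bojangles
"""

REQUIRED_KEYS = ("host", "port", "user", "pass")


def parse_properties(text):
    """Parse key=value lines; '#' or '!' lines are treated as comments (Java .properties convention)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError("malformed line in connect.prop: %r" % raw)
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate_connection(props):
    """Check that every key --client needs is present and that the port is sane."""
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError("connect.prop is missing: " + ", ".join(missing))
    try:
        port = int(props["port"])
    except ValueError:
        raise ValueError("port must be an integer, got %r" % props["port"]) from None
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return {"host": props["host"], "port": port, "user": props["user"], "pass": props["pass"]}


def is_valid(text):
    """True if the text parses and validates as a usable connect.prop."""
    try:
        validate_connection(parse_properties(text))
        return True
    except ValueError:
        return False


def too_permissive(path):
    """connect.prop holds the msfrpcd password in cleartext: flag any group/world access bits."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def armitage_client_argv(prop_path):
    """The client-side command from the manual."""
    return ["java", "-jar", "armitage.jar", "--client", prop_path]


def msfrpcd_argv(conn):
    """The matching server-side command: same user/password, SSL off (-S), foreground (-f)."""
    return ["msfrpcd", "-U", conn["user"], "-P", conn["pass"], "-S", "-f"]


def load_connect_prop(path):
    """Parse, validate and permission-check a connect.prop file on disk."""
    with open(path) as fh:
        conn = validate_connection(parse_properties(fh.read()))
    conn["permissions_ok"] = not too_permissive(path)
    return conn


def demo():
    """Write the sample to a private temp file (mode 0600) and load it; returns the connection dict."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "connect.prop")
        with open(path, "w") as fh:
            fh.write(SAMPLE_PROP)
        os.chmod(path, 0o600)
        return load_connect_prop(path)


if __name__ == "__main__":
    conn = demo()
    print(" ".join(armitage_client_argv("connect.prop")))
    print(" ".join(msfrpcd_argv(conn)))
    print("file permissions ok:", conn["permissions_ok"])
```

Keeping one connect.prop per server, as the manual suggests, means one cleartext msfrpcd password per file; chmod 600 on each, and the permission check above, are the minimum before putting those files on a shared team workstation.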



7. User interface (GUI)
The user interface is easy and friendly for a penetration tester as well as a
hacker. It is made simple enough that a user can manage a cyber attack without
any help.

7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs.
You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an
exploit, generate a payload, and even run a post-exploitation script. Click
through the tree to find the desired module. Double click the module to bring up
a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS
variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a
wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show
your search results, already expanded for quick viewing. Clear the search box
and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View:
The targets panel shows all hosts in the current workspace. Armitage represents
each target as a computer with its IP address and other information about it
below the computer. The computer screen shows the operating system the
computer is running. A red computer with electrical jolts indicates a
compromised host. Right click the computer to use any sessions related to the
host. A directional green line indicates a pivot from one host to another.
Pivoting allows Metasploit to route attacks and scans through intermediate
hosts. A bright green line indicates the pivot communication path is in use.


Click a host to select it. You may select multiple hosts by clicking and dragging
a box over the desired hosts. Where possible, Armitage will try to apply an
action (e.g., launching an exploit) to all selected hosts.
Right click a host to bring up a menu with available options. The attached menu
will show attack and login options, menus for existing sessions, and options to
edit the host information.
The login menu is only available after a port scan reveals open ports that
Metasploit can log in to. The Attack menu is only
available after finding attacks through the Attacks menu bar. Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host. Several keyboard shortcuts are available in the targets panel.
You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right click the targets area with no selected hosts to configure the layout and
zoom-level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For
this situation Armitage has a table view.
Go to View -> Targets -> Table View to switch to this mode. Armitage will
remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it
to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use,
Armitage will make it bold as well.

7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and
target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot
of a tab, or close all tabs with the same name.




Hold shift and click X to close all tabs with the same name. Hold shift + control
and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active
tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open
the current tab in its own window.
8. Console format:
Metasploit console, Meterpreter console, and shell interfaces each use a console
tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle
through previously typed commands. The down arrow moves back to the last
command you typed.
In the Metasploit console, use the Tab key to complete commands and
parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl plus to make the console font size larger, Ctrl minus to make it
smaller, and Ctrl 0 to reset it. This change is local to the current
console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a
module or a payload name in a console. To open a Console go to View ->
Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information.
To disable the colors, set the console.show_colors.boolean preference to false.
You may also edit the colors through Armitage -> Preference. Here is the
Armitage color palette and the preference associated with each color.
9 Host management:
9.1 Dynamic workspace
Armitage's dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them. Use
Workspace -> Manage to manage your dynamic workspaces. Here you may
add, edit, and remove workspaces you create.




To create a new dynamic workspace, press Add. You will see the following
dialog:
Give your dynamic workspace a name. It doesn't matter what you call it. This
description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a
network description in the Hosts field. A network description
might be: 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255.
Separate multiple networks with a comma and a space.


You can cheat with the network descriptions a little. If you type:
192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type:
192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.


Fill out the Ports field to include hosts with certain services. Separate multiple
ports using a comma and a space. Use the OS field to specify which operating
system you'd like to see in this workspace. You may type a partial name, such
as indows. Armitage will only include hosts whose OS name includes the partial
name. This value is not case sensitive. Separate multiple operating
systems with a comma and a space. Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace. You may specify any
combination of these items when you create your dynamic workspace. Each
workspace will have an item in the Workspace menu. Use these menu items to
switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces.
Use Work space -> Show all or Ctrl+Backspace to display the entire database.
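The filter rules above (CIDR and shorthand network descriptions, ports, a case-insensitive partial OS name, and the sessions-only flag) are easy to get wrong by hand when a workspace silently hides hosts. The following is an added example, not Armitage's own code, that models those rules over a constructed hosts table so you can check what a given workspace definition would select. The Host and Workspace classes, the "any listed port matches" semantics of the Ports field, and the extension of the zero-octet shorthand to three trailing zeros (10.0.0.0 -> /8) are assumptions; the manual only states the /24 and /16 cases.

```python
"""Model of Armitage's dynamic-workspace filter rules.

Added example, not Armitage's own code. It applies the matching rules the
manual describes: a Hosts field of ", "-separated network descriptions,
a Ports field, a case-insensitive partial-match OS field, and a
"hosts with sessions only" flag.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """One row of the hosts database (assumed shape; sample data below is constructed)."""
    address: str
    os_name: str = ""
    open_ports: set = field(default_factory=set)
    sessions: int = 0


def parse_network(desc: str) -> ipaddress.IPv4Network:
    """Turn one network description into a network object.

    Explicit CIDR (10.10.0.0/16) is taken as written. Without a prefix,
    Armitage's shorthand applies: 192.168.95.0 means 192.168.95.0/24 and
    192.168.0.0 means 192.168.0.0/16. Extending the same rule to three
    trailing zero octets (10.0.0.0 -> /8) is an assumption, not from the
    manual; a bare address with a non-zero last octet is treated as /32.
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 network description: {desc!r}")
    trailing_zeros = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zeros += 1
    prefix = 32 - 8 * trailing_zeros
    return ipaddress.ip_network(f"{desc}/{prefix}", strict=False)


def parse_list(text: str) -> list:
    """Split a field on the comma separator the manual specifies; tolerate stray whitespace."""
    return [item.strip() for item in text.split(",") if item.strip()]


@dataclass
class Workspace:
    """A dynamic workspace definition; empty fields mean 'no restriction'."""
    name: str
    hosts: str = ""            # e.g. "10.10.0.0/16, 192.168.95.0"
    ports: str = ""            # e.g. "445, 22" (assumed: any listed port matches)
    os: str = ""               # e.g. "indows, inux" (partial, case-insensitive)
    sessions_only: bool = False

    def matches(self, host: Host) -> bool:
        """True when the host satisfies every filter that was filled in."""
        if self.hosts:
            addr = ipaddress.ip_address(host.address)
            if not any(addr in parse_network(n) for n in parse_list(self.hosts)):
                return False
        if self.ports:
            wanted = {int(p) for p in parse_list(self.ports)}
            if not wanted & host.open_ports:
                return False
        if self.os:
            name = host.os_name.lower()
            if not any(frag.lower() in name for frag in parse_list(self.os)):
                return False
        if self.sessions_only and host.sessions == 0:
            return False
        return True

    def select(self, hosts):
        """Return the subset of hosts this workspace would display."""
        return [h for h in hosts if self.matches(h)]


# Constructed sample rows, not real scan results.
SAMPLE_HOSTS = [
    Host("10.10.5.20", "Windows XP", {139, 445}, sessions=1),
    Host("10.10.200.4", "Linux 2.6.X", {22, 80}),
    Host("192.168.95.17", "Windows 7", {445, 3389}),
    Host("192.168.96.2", "Windows 2003", {445}),
    Host("172.16.0.9", "FreeBSD", {22}),
]


def demo():
    """Windows hosts in 10.10.0.0/16 or the 192.168.95.0 shorthand network."""
    ws = Workspace("lab windows", hosts="10.10.0.0/16, 192.168.95.0", os="indows")
    return [h.address for h in ws.select(SAMPLE_HOSTS)]


if __name__ == "__main__":
    print(demo())
```

Note that 192.168.96.2 is dropped by the demo workspace even though it is a Windows host: the shorthand 192.168.95.0 only covers 192.168.95.0-255, which is exactly the kind of silent exclusion worth checking before concluding a host is not in the database.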

9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import
Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML

9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit. The Host -> NMap Scan menu
has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the
options you choose.
NMap scans do not use the pivots you have set up.

9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Host -> MSF Scan to launch these as
well. These scans work through a pivot and against IPv6 hosts as well. These
scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g., an ARP scan, ping sweep,
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts.

9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.



9.6 Database maintenance
Metasploit logs everything you do to a database. Over time your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Host -> Create Database.

10. Exploitation:
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attack -> Find Attack to generate a custom Attack menu for
each host.
To exploit a host: right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.

10.4 Automatic exploitation
If manual exploitation fails, you have the hail mary option. Attack -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try.

10.5 client side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't get
a remote exploit to work, you'll have to use a client-side attack. Use the module
browser to find and launch client-side exploits. Search for file format to find
exploits that trigger when a user opens a malicious file. Search for browser to
find exploits that serve browser attacks from a web server built into Metasploit.




10.5 client side exploitation and payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a Payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this value, you're responsible for setting up a multi/handler for the
payload.
11. Post Exploitation:
11.1 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host. Hosts running a meterpreter payload will have a MeterpreterN
menu for each Meterpreter session.




If you have shell access to a host, you will see a ShellN menu for each shell
session. Right click the host to access this menu. If you have a Windows shell
session, you may go to ShellN -> Meterpreter... to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to ShellN -> Upload to
upload a file using the UNIX printf command.

11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the MeterpreterN -> Access ->
Escalation privilege menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12. Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup.... A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.

12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP connections
to eligible hosts through the pivot host. These connections must come from
Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g., nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy though. Go to Armitage -> SOCKS Proxy... to launch the
SOCKS proxy server. The SOCKS4 proxy server is one of the most useful
features in Metasploit. Launch this option and you can set up your web
browser to connect to websites through Metasploit. This allows you to browse
internal sites on a network like you're local.

13. Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit
will look like this diagram:
13.1 multi-player metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external ip address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL. When you start the
team server, it will present a server fingerprint. This is a SHA-1 hash of the
server's SSL certificate. When your team members connect, Armitage will
present the hash of the certificate the server presented to them. They should
verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're connecting to determine whether
it should use SSL (teamserver, remote address) or non-SSL (msfrpcd,
localhost). To connect Armitage to your teamserver locally, use
the [external IP address] in the Host field. Armitage's red team collaboration
setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in
your team server.
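The fingerprint check described above is the only thing standing between a team member and a server impersonating the teamserver, so it is worth making the comparison exact rather than eyeballing two hex strings. The following is an added example, not Armitage's or Metasploit's own code: it computes the SHA-1 fingerprint of a certificate's DER bytes in the usual colon-separated form, compares two fingerprints in constant time while ignoring case and separators, and can fetch whatever certificate a server on port 55553 presents so that value can be compared with the one the teamserver printed. The SAMPLE_DER bytes are a constructed stand-in for a certificate, and the exact string format Armitage prints is assumed to be hex (with or without colons), which normalize() tolerates either way.

```python
"""Team-server certificate fingerprint check.

Added example, not Armitage's own code. The manual says the team server
prints a SHA-1 hash of its SSL certificate and that each client should
compare it with the hash Armitage shows on connect; these helpers make
that comparison exact.
"""
import hashlib
import hmac
import re
import socket
import ssl


def sha1_fingerprint(der_bytes: bytes) -> str:
    """Colon-separated upper-case SHA-1 of a DER-encoded certificate."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so 'ab:cd' and 'AB CD' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(expected: str, presented: str) -> bool:
    """Constant-time comparison of two SHA-1 fingerprints.

    Anything that does not normalize to 40 hex digits is rejected rather
    than compared, so a truncated or mistyped value never 'matches'.
    """
    a, b = normalize(expected), normalize(presented)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


def fetch_server_fingerprint(host: str, port: int = 55553, timeout: float = 5.0) -> str:
    """Connect to the team server and return the fingerprint of the certificate it presents.

    Chain verification is disabled on purpose: the teamserver certificate is
    self-signed and the out-of-band fingerprint is the trust anchor, exactly
    as the manual describes. The caller must still compare the result with
    the fingerprint the server operator printed. (Not exercised offline.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return sha1_fingerprint(tls.getpeercert(binary_form=True))


# Constructed stand-in for certificate DER bytes; a real certificate is an
# ASN.1 SEQUENCE, but any byte string exercises the hashing path the same way.
SAMPLE_DER = b"abc"


if __name__ == "__main__":
    printed_by_server = sha1_fingerprint(SAMPLE_DER)
    print("server fingerprint:", printed_by_server)
    print("match:", fingerprints_match(printed_by_server.lower(), printed_by_server))
```

In practice the value the operator reads off the teamserver console is the expected fingerprint and the value Armitage (or fetch_server_fingerprint) shows on connect is the presented one; a mismatch means the connection should be abandoned, not retried.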

13.2 multi-player metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here:
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use. Some Metasploit modules require you to specify one or
more files. If a file option has an icon next to it, then you may double-click that option
name to choose a local file to use. Armitage will upload the chosen local file
and set the option to its remote location for you. Generally, Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that you're using Metasploit locally. Some meterpreter commands may
have shortened output. Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command. Additional output
is ignored (although the command still executes normally). This limitation
primarily affects long running meterpreter scripts.

14. Scripting armitage:
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
# runs once the bot has connected to the team server and is ready
on ready {
    println("Hello World!");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna

14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start a
teamserver. Armitage is able to deconflict its actions from any loaded bots on its
own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose
the script you would like to load. Scripts loaded in this way will be available
each time Armitage starts. Output generated by bots and Cortana commands is
available in the Cortana console. Go to View -> Script Console to open it.
Conclusion

Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team collaboration
features allow your team to use the same sessions, share data, and
communicate through one Metasploit instance.

Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.

 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 

ARMITAGE-THE CYBER ATTACK MANAGEMENT

  • 1. 1|Page Armitage-the cyber attack management

    Armitage is a graphical Cyber Attack Management tool for Metasploit (http://www.metasploit.com) that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

    Metasploit is a popular exploitation framework that has seen plenty of coverage aimed at penetration testers. Armitage is a new GUI for Metasploit built around the hacking process. Today, I will show you how to use Armitage to scan a Linux host, find the right exploit, exploit the host, and handle post-exploitation. By following this project, we will learn how to use Armitage and Metasploit in our own work. This wonderful penetration testing tool was created by Raphael Mudge.
  • 2. BASIC REQUIREMENTS:
    • Windows XP, Windows 7
    • BackTrack r3
    • PostgreSQL
    • MySQL
    • Linux (here I have used BlackBuntu)
    • A fresh install of Metasploit (http://www.metasploit.com/) 4.4 or later
    • Oracle's Java 1.7 (http://www.java.com)
    • Mac OS X
  • 3. Armitage: A Hacker's Perspective

    About Armitage:
    Armitage is a graphical cyber-attack management tool for Metasploit (http://www.metasploit.com) that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

    Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework. Through one Metasploit instance, our team will:
    • Use the same sessions
    • Share hosts, captured data, and downloaded files
    • Communicate through a shared event log
    • Run bots to automate red team tasks

    When Metasploit and Armitage are used together, they make a powerful cyber attack management tool for penetration testing on a network. Armitage allows your team to use the same sessions, share data, and communicate through one Metasploit instance. It is a very helpful tool for learning about cyber security because it provides a graphical interface instead of a command line.
  • 4. Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. Armitage can help us by providing the following modules for cyber attack management:

    1. Commercial support
    Armitage is open source software developed by Raphael Mudge's company Strategic Cyber LLC. Cobalt Strike is the commercially supported big brother of Armitage. Cobalt Strike adds features to support professional penetration testers and red teams, including:
    • Professional Reports
    • Spear Phishing
    • Web Drive-by Attacks
    • Client-side Reconnaissance
    • VPN Pivoting
    • Covert Command and Control

    1.1 Professional Reports
    The professional reports are built from the hosts and vulnerabilities recorded during the engagement; what follows is a sample hosts report.

    Hosts Report
    March 1, 2012
    This report shows host information gathered during this penetration test.

    Summary
    Hosts: 12
    Services: 30
    Vulnerabilities: 7
    Compromises: 11
  • 5. 10.10.10.1
    Operating System: Cisco IOS
    Name:
    MAC Address: 08:00:27:26:cc:f9

    10.10.10.3
    Operating System: Microsoft Windows 2008 R2 SP0
    Name: DC
    MAC Address: 08:00:27:1c:62:e1
    Services
    port  proto  name  info
    139   tcp
    135   tcp
    389   tcp
    445   tcp    smb   Windows Server 2008 R2 Enterprise (Build 7600) (language:Unknown) (name:DC) (domain:CORP)
    Credentials
    user           pass
    Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    Compromises
    opened                 duration   method
    03-01-12 09:23:54 PM   1 minute   Microsoft Windows Authenticated User Code Execution
    03-01-12 09:21:28 PM   1 minute   Microsoft Windows Authenticated User Code Execution
    Vulnerabilities
  • 6. • Microsoft Windows Authenticated User Code Execution
      This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

    10.10.10.4
    Operating System: Microsoft Windows .NET Server SP0
    Name: FILESERVER
    MAC Address: 08:00:27:5c:d4:ad
    Services
    port  proto  name  info
    139   tcp
    135   tcp
    445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)
    Credentials
    user              pass
    Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
    Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Compromises
    opened                 duration   method
  • 7. 03-01-12 09:14:46 PM   unknown    Microsoft Server Service Relative Path Stack Corruption
    Vulnerabilities
    • Microsoft Server Service Relative Path Stack Corruption
      This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

    10.10.10.5
    Operating System: Microsoft Windows .NET Server SP0
    Name: MAIL
    MAC Address: 08:00:27:1f:1d:86
    Services
    port  proto  name  info
    25    tcp    smtp  220 ACME Corporation Mail Server [hMailServer]
    139   tcp
    143   tcp    imap  * OK IMAPrev1
    110   tcp    pop3  +OK POP3
    135   tcp
    445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)
    Credentials
    user              pass
    SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
  • 8. Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    Compromises
    opened                 duration   method
    03-01-12 09:14:46 PM   unknown    Microsoft Server Service Relative Path Stack Corruption
    Vulnerabilities
    • Microsoft Server Service Relative Path Stack Corruption
      This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

    10.10.10.18
    Operating System: Microsoft Windows XP SP2
    Name: JOSHDEV
    MAC Address: 08:00:27:5a:86:29
    Services
    port  proto  name  info
    135   tcp
    139   tcp
  • 9. 445   tcp          Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
    Credentials
    user           pass
    josh.sokol     aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
    User           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    Compromises
    opened                 duration   method
    03-01-12 09:14:49 PM   unknown    Microsoft Server Service Relative Path Stack Corruption
    Vulnerabilities
    • Microsoft Server Service Relative Path Stack Corruption
      This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

    10.10.10.21
    Operating System: Linux Ubuntu
    Name: 10.10.10.21
    MAC Address: 08:00:27:9d:3c:64
  • 10. Services
    port  proto  name  info
    80    tcp    http  Apache/2.2.14 (Ubuntu)
    22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

    10.10.10.188
    Operating System: Microsoft Windows 7 SP0
    Name: WS2
    MAC Address: 08:00:27:08:3f:1d
    Services
    port  proto  name  info
    139   tcp
    135   tcp
    445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
    Credentials
    user           pass
    administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    Compromises
    opened                 duration   method
    03-01-12 09:23:53 PM   1 minute   Microsoft Windows Authenticated User Code Execution
    03-01-12 09:11:42 PM   unknown    Generic Payload Handler
    03-01-12 09:21:26 PM   1 minute   Microsoft Windows Authenticated User Code Execution
    Vulnerabilities
    • Microsoft Windows Authenticated User Code Execution
      This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
  • 11. 10.10.10.189
    Operating System: Microsoft Windows 7 SP0
    Name: CEOSBOX
    MAC Address: 08:00:27:78:78:fb
    Services
    port  proto  name  info
    135   tcp
    139   tcp
    445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
    Credentials
    user                pass
    administrator       e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    CORP/administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    Compromises
    opened                 duration   method
    03-01-12 09:23:53 PM   1 minute   Microsoft Windows Authenticated User Code Execution
    03-01-12 09:21:28 PM   1 minute   Microsoft Windows Authenticated User Code Execution
    Vulnerabilities
    • Microsoft Windows Authenticated User Code Execution
      This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
  • 12. 192.168.12.110
    Operating System: Microsoft Windows 7
    Name:
    MAC Address:

    192.168.57.1
    Operating System: Linux Ubuntu
    Name: 192.168.57.1
    MAC Address: 0a:00:27:00:00:01

    192.168.57.8
    Operating System: Microsoft Windows XP SP2
    Name:
    MAC Address: 08:00:27:3b:3b:dd
    Services
    port  proto  name  info
    135   tcp
    139   tcp
    445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

    192.168.57.18
    Operating System: Linux Ubuntu
    Name:
    MAC Address: 08:00:27:e9:f9:8e
    Services
    port  proto  name  info
    22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
  • 13. Credentials
    user    pass
    jsokol  joshrocks
    Compromises
    opened                 duration   method
    03-01-12 09:16:58 PM   unknown    SSH Login Check Scanner
    Vulnerabilities
    • SSH Login Check Scanner
      This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

    1.2 Spear Phishing
    Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template. Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.
    Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.
    You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
  • 14. Token       Description
    %To%        The email address of the person the message is sent to
    %To_Name%   The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
    %URL%       The contents of the URL field in the spear phishing dialog.

    Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this. Press ... to choose one of the Cobalt Strike hosted sites you've started.
    Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see.
    Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
    Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.

    1.3 Web Drive-by Attacks
    Firefox Addon Attack
    This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit® web server that serves a dynamically created Firefox Add-on. This is a great attack to embed in a cloned website. Find a popular Firefox addon, clone its site, and embed the Firefox Add-on Attack URL.
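    Returning to the hosts report on the preceding pages: three things a defender should pull out of its Credentials sections are accounts whose NT hash is the hash of the empty password, accounts that still have an LM hash stored, and one account/hash pair present on several hosts (the shared local Administrator hash is exactly what the "Authenticated User Code Execution" compromises above were built on). The following POSIX shell script is an added example, not part of the Armitage manual or of Cobalt Strike; its input format ("host user lm:nt", one line per credential) and the sample lines are constructed from the hashes printed in the report. The two constant hashes are the well-known empty-password NT hash and the empty LM hash.

```shell
#!/bin/sh
# Added example (not from the Armitage manual): review the Credentials
# sections of a hosts report for findings a defender should act on.
# Input lines are "host user lm:nt"; SAMPLE_CREDS is constructed from the
# hashes printed in the sample report.

EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty password
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM half when no LM hash is stored

SAMPLE_CREDS='10.10.10.3 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.4 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.4 SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
10.10.10.4 Guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.5 SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
10.10.10.5 Guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.5 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.18 josh.sokol aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
10.10.10.18 User aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.18 Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.188 administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.189 administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.189 CORP/administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b'

# blank_password_accounts CREDS -> "host user" for every account whose NT
# hash is the empty-password hash (the account can be used with no password).
blank_password_accounts() {
    printf '%s\n' "$1" | awk -v empty="$EMPTY_NT" '
        NF == 3 { split($3, h, ":"); if (tolower(h[2]) == empty) print $1, $2 }'
}

# lm_hash_accounts CREDS -> "host user" for accounts that still have an LM
# hash stored; LM hashes crack trivially and should be disabled by policy.
lm_hash_accounts() {
    printf '%s\n' "$1" | awk -v empty="$EMPTY_LM" '
        NF == 3 { split($3, h, ":"); if (tolower(h[1]) != empty) print $1, $2 }'
}

# shared_hashes CREDS -> "user nthash hostcount" for every account/hash pair
# (user name lower-cased) seen on more than one host. Blank-password hashes
# are skipped here because blank_password_accounts already reports them.
shared_hashes() {
    printf '%s\n' "$1" | awk -v empty="$EMPTY_NT" '
        NF == 3 {
            split($3, h, ":"); nt = tolower(h[2])
            if (nt == empty) next
            key = tolower($2) " " nt
            seen[key, $1] = 1; pairs[key] = 1
        }
        END {
            for (k in pairs) {
                n = 0
                for (sk in seen) { split(sk, p, SUBSEP); if (p[1] == k) n++ }
                if (n > 1) print k, n
            }
        }' | sort
}

echo "Accounts with a blank password:"; blank_password_accounts "$SAMPLE_CREDS"
echo "Accounts with an LM hash stored:"; lm_hash_accounts "$SAMPLE_CREDS"
echo "Account/hash pairs present on more than one host:"; shared_hashes "$SAMPLE_CREDS"
```

    On the sample data the script reports three blank-password accounts (Guest on two hosts and User on JOSHDEV), seven accounts with an LM hash stored, and two shared pairs: the Administrator hash on six hosts and the SUPPORT_388945a0 hash on two. The fix on the defensive side is per-host unique local administrator passwords, disabled or removed built-in accounts with blank passwords, and a policy that stops storing LM hashes.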
  • 15. 1.4 Client-side Reconnaissance
    System Profiler
    The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.
    To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler you must specify a URI to bind to and a port to start the Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.

    1.5 VPN Pivoting
    Covert VPN
    Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network. Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.

    1.6 Covert Command and Control
    What is Beacon?
    Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks.
  • 16. If a tasking is available, Beacon will download its tasks and execute them. This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors.
    Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests. (Source: www.advancedpentest.com/help-beacon, printed 10/20/12.)

    2. CYBER ATTACK MANAGEMENT
    Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
    For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets--you'll always know which hosts you're working with and where you have sessions.
    Armitage assists with remote exploitation--providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
    For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
  • 17. Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
    Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools, you can further explore and maneuver through the network.
    The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.

    3. NECESSARY THINGS TO KNOW
    To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing:
    Metasploit (http://www.metasploit.com/) is a console driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
    Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an
  • 18. exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
    If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions. Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.

    4. INSTALLATION
    4.1 On Windows:
    Here are the steps to install and run Armitage on Windows:
    1. Install Metasploit 4.4 or later
    2. Install Oracle's Java 1.7 (JRE or JDK)
    3. Start -> Programs -> Metasploit -> Framework -> Framework Update
    4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
    5. Make sure you're the Administrator user

    To run Armitage:
    • Start -> Programs -> Metasploit -> Framework -> Armitage
    • Click Connect
    • Click Yes when asked whether or not to start Metasploit's RPC daemon
    • If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g., c:\metasploit).
    The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
  • 19. 4.2 On Linux:
    To install Armitage on Linux:
    1. Make sure you're the root user. Download and install the Metasploit Framework from http://www.metasploit.com/ .
    2. Get the full package with all of the Linux dependencies.
    3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
    4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu).

    You can also install Armitage with a single command, but you need to be the root user before running it, so open a terminal and type exactly:
    $ sudo su
    # apt-get install armitage

    We need to enable the RPC daemon for Metasploit; use this command in the terminal:
    root@bt:~# msfrpcd -f -U msf -P test -t Basic

    Open a terminal and add /usr/local/bin to $PATH:
    export PATH=$PATH:/usr/local/bin

    Since Metasploit 4.1, you now need to make sure you have a database startup script:
    echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults

    This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version--great. If not, it's a waste of system resources.
  • 20. Now start the MySQL server so that Armitage stores results:
    root@bt:~# /etc/init.d/mysql start

    Now it's time to run Armitage; locate the directory and type:
    root@bt:/pentest/exploits/armitage# ./armitage.sh

    To start Armitage:
    • Open a terminal
    • Type: armitage
    • Click Connect
    • Press Yes if asked to start msfrpcd.
    The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.

    Note: If you're using Armitage with a *local* Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.

    4.3 On BackTrack r3:
    Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r1 and 5r0 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
    To start Armitage:
    • Open a terminal
    • Type: armitage
    • Click Connect
    • Press Yes if asked to start msfrpcd.
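    The Linux steps above and the manual-setup requirements in section 5 amount to a short checklist before Armitage is pointed at a local Metasploit: /usr/local/bin on the PATH, msfrpcd reachable, a readable PostgreSQL database.yml (the reason for the run-as-root note), and the msfrpcd command line to start the daemon with. The following POSIX shell preflight script is an added example, not part of the Armitage manual or project. It assumes the config file is named by $MSF_DATABASE_CONFIG as section 5 describes, with /opt/metasploit-4.4/config/database.yml as an assumed fallback path that you should adjust to your install; the check names and output format are mine.

```shell
#!/bin/sh
# Added example (not from the Armitage manual): preflight checks before
# starting Armitage against a local Metasploit instance.
# Assumption: when $MSF_DATABASE_CONFIG is unset, database.yml lives at the
# path below (adjust for your installer version).
DEFAULT_DB_CONFIG=/opt/metasploit-4.4/config/database.yml

# path_has PATHVALUE DIR -> 0 if DIR is one of the ':'-separated entries.
path_has() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
    esac
    return 1
}

# db_config_ok FILE -> 0 if FILE is readable and configures the postgresql
# adapter (the only database Armitage supports). An unreadable file is the
# symptom behind the manual's "run Armitage as root" note.
db_config_ok() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*adapter:[[:space:]]*postgresql' "$1"
}

# msfrpcd_cmd USER PASS -> the msfrpcd invocation the manual recommends
# (flags -S and -f exactly as on the Mac OS X page).
msfrpcd_cmd() {
    printf 'msfrpcd -U %s -P %s -S -f\n' "$1" "$2"
}

# preflight [CONFIG] -> prints one line per check and returns the number of
# failed checks; 0 means Armitage can be started.
preflight() {
    cfg=${1:-${MSF_DATABASE_CONFIG:-$DEFAULT_DB_CONFIG}}
    fails=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "ok   running as root (needed to read database.yml)"
    else
        echo "FAIL not root: a local Metasploit's database.yml will be unreadable"
        fails=$((fails + 1))
    fi
    if path_has "$PATH" /usr/local/bin; then
        echo "ok   /usr/local/bin is in PATH"
    else
        echo "FAIL /usr/local/bin missing from PATH: export PATH=\$PATH:/usr/local/bin"
        fails=$((fails + 1))
    fi
    if command -v msfrpcd >/dev/null 2>&1; then
        echo "ok   msfrpcd found: $(command -v msfrpcd)"
    else
        echo "FAIL msfrpcd not in PATH"
        fails=$((fails + 1))
    fi
    if db_config_ok "$cfg"; then
        echo "ok   PostgreSQL config readable: $cfg"
    else
        echo "FAIL $cfg is missing, unreadable, or not a postgresql config"
        fails=$((fails + 1))
    fi
    echo "start the RPC daemon with: $(msfrpcd_cmd msf '<password>')"
    return "$fails"
}

# Run the checks when executed directly; report the failure count.
preflight "$@" || echo "preflight: $? check(s) failed"
```

    Run it as root before `armitage` and fix every FAIL line first; on a non-root shell the first check fails by design, which is the situation the manual's note describes.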
  • 21. 4.5 On Mac OS X:
    Armitage works on Mac OS X but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
    Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
    Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though:
    • The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
    • Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion/)
    • Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
    Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
    msfrpcd -U msf -P password -S -f
  • 22. 5. Manual setup
    Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
    • A PostgreSQL database. No other database is supported.
    • msfrpcd is in $PATH
    • $MSF_DATABASE_CONFIG points to a YAML file
    • $MSF_DATABASE_CONFIG is available to msfrpcd and armitage
    • the msgpack ruby gem

    6. Updating Metasploit
    The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to. When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time. If you run msfupdate and Armitage stops working, you have a few options.
    1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
    2) You can downgrade Metasploit to the last revision tested against Armitage. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
    cd /path/to/metasploit/msf3
    source ../scripts/setenv.sh
    svn update -r [revision number]
  • 23. This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the meantime.
    3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually, this release is very stable.
    If you're preparing to use Armitage and Metasploit somewhere important--do not run msfupdate and assume it will work. It's very important to stick with what you know works or test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).

    6.1 Quick connect:
    If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details.
    java -jar armitage.jar --client connect.prop
    Here's an example connect.prop file:
    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles
    If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
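    A connect.prop file carries the msfrpcd password in clear text, so when one is generated per server (as the desktop-shortcut suggestion above implies) it is worth creating it with owner-only permissions and checking it before handing it to --client. The following POSIX shell script is an added example, not part of the Armitage manual or project: it writes the four keys shown in the manual's example, reads them back, and rejects a file with a missing key or a port outside 1-65535. It assumes connect.prop is a simple key=value properties file (as the example above shows) and that armitage.jar is in the current directory; the sample host, user and password values are the manual's own.

```shell
#!/bin/sh
# Added example (not from the Armitage manual): create and sanity-check a
# connect.prop file for "armitage --client" using the keys the manual shows
# (host, port, user, pass). ARMITAGE_JAR is an assumed location.
ARMITAGE_JAR=armitage.jar

# write_connect_prop FILE HOST PORT USER PASS -> writes the properties file
# readable only by its owner, because it carries the msfrpcd password.
write_connect_prop() {
    ( umask 077; printf 'host=%s\nport=%s\nuser=%s\npass=%s\n' "$2" "$3" "$4" "$5" > "$1" )
}

# prop_value FILE KEY -> value of KEY (first match), empty if absent.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# validate_connect_prop FILE -> 0 if every key is present and port is a TCP
# port number; prints one reason per failure.
validate_connect_prop() {
    [ -r "$1" ] || { echo "unreadable: $1"; return 1; }
    rc=0
    for key in host port user pass; do
        if [ -z "$(prop_value "$1" "$key")" ]; then
            echo "missing key: $key"; rc=1
        fi
    done
    port=$(prop_value "$1" port)
    case "$port" in
        ''|*[!0-9]*) echo "port is not a number: '$port'"; rc=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port"; rc=1; } ;;
    esac
    return $rc
}

# client_cmd FILE -> the java command line that uses the properties file.
client_cmd() {
    printf 'java -jar %s --client %s\n' "$ARMITAGE_JAR" "$1"
}

# Demo with the manual's sample values; the file is removed afterwards.
demo=${TMPDIR:-/tmp}/connect.prop.$$
write_connect_prop "$demo" 192.168.95.241 55553 mister bojangles
validate_connect_prop "$demo" && client_cmd "$demo"
rm -f "$demo"
```

    Keep one such file per server, never commit them to a shared repository, and rotate the msfrpcd password if a file is copied somewhere it should not be.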
  • 24. 7. User interface format (GUI)
    The user interface is easy and friendly for a pentester as well as for a hacker; it is made so easy that a user can manage the cyber attack without any help.

    7.1 Overview
    The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.

    7.1.1 Modules:
    The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double click the module to bring up a dialog with options.
    Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
    You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.

    7.1.2 Targets - Graph View:
    The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host.
    Right click the computer to use any sessions related to the host.
    A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
  • 25. Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g., launching an exploit) to all selected hosts.
    Right click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
    The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.
    Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
    • Ctrl Plus - zoom in
    • Ctrl Minus - zoom out
    • Ctrl 0 - reset the zoom level
    • Ctrl A - select all hosts
    • Escape - clear selection
    • Ctrl C - arrange hosts into a circle
    • Ctrl S - arrange hosts into a stack
    • Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
    • Ctrl R - refresh hosts from the database
    • Ctrl P - export hosts into an image
    Right click the targets area with no selected hosts to configure the layout and zoom-level of the targets area.

    7.1.2.1 Targets - Table View:
    If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view.
  • 26. 26 | P a g e Go to View 7.1.2.1 Targets ->Table View to switch to this mode. Armitage will remember your preference. Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host. Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well. 7.1.3 Tab Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab. You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name. Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window. You may drag and drop tabs to change their order. Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8. Console format

Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage. The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.

In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.

In the console panel, use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.

Press Ctrl F to show a panel that will let you search for text within the console. Use Ctrl A to select all text in the console's buffer.

Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console.

To open a console, go to View -> Console or press Ctrl+N.

The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9. Host management

9.1 Dynamic workspaces

Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.

To create a new dynamic workspace, press Add. You will see the following dialog:
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.

If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be: 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.

You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.

Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space.

Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as indows. Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space.

Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace.

You may specify any combination of these items when you create your dynamic workspace.

Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces. Use Workspace -> Show All or Ctrl+Backspace to display the entire database.

9.2 Importing hosts

To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:

Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML

9.3 NMap Scan

You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options. Optionally, you may type db_nmap in a console to launch NMap with the options you choose. NMap scans do not use the pivots you have set up.

9.4 MSF Scan

Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
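The dynamic workspace rules in 9.1 (CIDR networks, the two "cheat" expansions, comma-separated ports and OS fragments, the sessions-only switch) are easy to get wrong when you try to predict what a workspace will show. The following is an added example written for this page, not Armitage's own code: it implements those filter semantics over a constructed host list so you can check a workspace definition against your own database export. The host records, the any-match rule within a single field, and the generalization of the cheat (every trailing zero octet widens the network by 8 bits, so 10.0.0.0 becomes a /8 and a non-zero address means one host) are my assumptions.

```python
import ipaddress

# Constructed sample hosts, shaped like the fields Armitage shows per target
# (address, OS label, open ports, live session count). Not from the page.
SAMPLE_HOSTS = [
    {"ip": "10.10.1.5",     "os": "Windows XP", "ports": [139, 445],  "sessions": 1},
    {"ip": "10.10.200.9",   "os": "Linux 2.6",  "ports": [22, 80],    "sessions": 0},
    {"ip": "192.168.95.20", "os": "Windows 7",  "ports": [445, 3389], "sessions": 0},
    {"ip": "192.168.96.3",  "os": "Mac OS X",   "ports": [22],        "sessions": 2},
    {"ip": "172.16.0.1",    "os": "Linux 3.2",  "ports": [22, 443],   "sessions": 1},
]


def split_field(field):
    """Split a dialog field on the 'comma and a space' separator; tolerate sloppy spacing."""
    return [item.strip() for item in field.split(",") if item.strip()]


def parse_network(desc):
    """Turn one Hosts-field entry into an ip_network.

    CIDR is taken literally (10.10.0.0/16). A bare address is widened by its
    trailing zero octets, which reproduces the two cheats in the text:
    192.168.95.0 -> /24 and 192.168.0.0 -> /16. Extending that to 10.0.0.0 -> /8
    and treating a non-zero address as a single host is an assumption.
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not an IPv4 network description: {desc!r}")
    trailing_zeros = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zeros += 1
    prefix = 32 - 8 * trailing_zeros
    return ipaddress.ip_network(f"{desc}/{prefix}", strict=False)


def workspace_filter(hosts, networks="", ports="", os_names="", sessions_only=False):
    """Return the IPs that a dynamic workspace with these fields would show.

    Empty fields impose no restriction; filled fields must all be satisfied.
    Within one field, any listed network / port / OS fragment matching is
    enough (assumed; the text does not spell out the any-vs-all rule).
    """
    nets = [parse_network(d) for d in split_field(networks)]
    wanted_ports = {int(p) for p in split_field(ports)}
    wanted_os = [name.lower() for name in split_field(os_names)]

    shown = []
    for host in hosts:
        addr = ipaddress.ip_address(host["ip"])
        if nets and not any(addr in net for net in nets):
            continue
        if wanted_ports and not wanted_ports.intersection(host["ports"]):
            continue
        # OS match is a case-insensitive substring test, so "indows" hits "Windows XP"
        if wanted_os and not any(name in host["os"].lower() for name in wanted_os):
            continue
        if sessions_only and host["sessions"] == 0:
            continue
        shown.append(host["ip"])
    return shown


if __name__ == "__main__":
    # Two networks in the Hosts field plus the "indows" OS fragment from the text.
    print(workspace_filter(SAMPLE_HOSTS, networks="10.10.0.0/16, 192.168.0.0", os_names="indows"))
```

Running the script prints the two Windows hosts inside the two networks. If you feed it the host list exported from your own workspace instead of SAMPLE_HOSTS, the output is what the corresponding dynamic workspace should display; a difference between the two points at a typo in the Hosts or OS field.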
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well.

These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g., an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.

9.5 DNS Enumeration

Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.

9.6 Database maintenance

Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.

10. Exploitation

10.1 Remote Exploitation

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host. To exploit a host: right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.

10.4 Automatic exploitation

If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order. This feature won't find every possible shell, but it's a good option if you don't know what else to try.

10.5 Client-side exploitation

Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack.

Use the module browser to find and launch client-side exploits. Search for file format to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.

10.5 Client-side exploitation and payloads

If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the Option column of the module launcher. This will open a dialog asking you to choose a payload. Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.

If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11. Post Exploitation

11.1 Managing sessions

Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session. If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu.

If you have a Windows shell session, you may go to Shell N -> Meterpreter... to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.

11.2 Privilege Escalation

Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12. Maneuver

12.1 Pivoting

Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting. To create a pivot, go to Meterpreter N -> Pivoting -> Setup.... A dialog will ask you to choose which subnet you want to pivot through the session.

Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.

12.2 Scanning and external tools

Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.

To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up.

External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy... to launch the SOCKS proxy server. The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.

13. Remote Metasploit

13.1 Remote connection

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely.

Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram:
13.1 Multi-player Metasploit setup

The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:

    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external ip address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it.

Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.

The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.

Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). If you connect Armitage to your teamserver locally, use the [external IP address] in the Host field.

Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.

13.2 Multi-player Metasploit

Armitage's red team collaboration mode adds a few new features. These are described here:

View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.

Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.

Some Metasploit modules require you to specify one or more files. If a file option has a marker next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.

Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.

14. Scripting Armitage

14.1 Cortana

Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots

A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server. Here's a helloworld.cna Cortana script:

    # fires once the bot is connected and ready
    on ready {
        println("Hello World!");
        quit();
    }

To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server.

Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:

    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna

14.3 Script management

You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own.

You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.

To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts.

Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
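Sections 13.1 and 14.2 leave two checks to the operator: the team server is only reached over SSL when the address is not the loopback, and the SHA-1 fingerprint Armitage shows must equal the one the team server printed at startup. The following is an added example written for this page, not code from Armitage or Cortana: it parses a connect.prop file in the format shown above and runs both checks before a client would trust the connection. The sample connect.prop contents, the DER byte strings, the tolerance for blank and '#' lines, and the colon-separated fingerprint layout are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed connect.prop in the format of section 14.2; the host is a
# made-up team server address, not a value from the page.
SAMPLE_CONNECT_PROP = """\
host=192.168.95.10
port=55553
user=msf
pass=password
nick=MyBot
"""

REQUIRED_KEYS = {"host", "port", "user", "pass", "nick"}


def parse_connect_prop(text):
    """Parse key=value lines; blank lines and '#' comments are skipped (assumed)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed connect.prop line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    missing = REQUIRED_KEYS - props.keys()
    if missing:
        raise ValueError(f"connect.prop is missing {sorted(missing)}")
    props["port"] = int(props["port"])
    return props


def connection_mode(host):
    """'ssl' for a remote address (team server), 'plain' for the loopback (local msfrpcd).

    Mirrors the rule in 13.1: the address alone decides, which is why a team
    server must be reached through its external IP and never 127.0.0.1.
    """
    try:
        is_local = ipaddress.ip_address(host).is_loopback
    except ValueError:
        is_local = host.lower() == "localhost"
    return "plain" if is_local else "ssl"


def cert_fingerprint(der_cert):
    """SHA-1 over the DER-encoded certificate, colon-separated (layout assumed)."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(presented, expected):
    """Compare the fingerprint the client sees with the one the team server printed.

    Colons, spaces and letter case are ignored so a hand-copied value still
    compares; the comparison itself is constant-time.
    """
    def normalize(value):
        return value.replace(":", "").replace(" ", "").lower().encode("ascii")
    return hmac.compare_digest(normalize(presented), normalize(expected))


def check_connection(props, presented_der, expected_fingerprint):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    if connection_mode(props["host"]) == "plain":
        problems.append("loopback address: Armitage would use non-SSL, so this cannot be a team server")
    if not fingerprint_matches(cert_fingerprint(presented_der), expected_fingerprint):
        problems.append("certificate fingerprint differs from the one the team server printed")
    return problems


if __name__ == "__main__":
    props = parse_connect_prop(SAMPLE_CONNECT_PROP)
    # Stand-in for the DER certificate the server would present during the TLS handshake.
    presented = b"constructed-der-bytes"
    expected = cert_fingerprint(presented)  # what the operator copied from the teamserver output
    print(connection_mode(props["host"]), check_connection(props, presented, expected))
```

In practice the DER bytes come from the TLS handshake with the team server and the expected value is read off the terminal where ./teamserver was started; the point of the constant-time comparison and the normalisation is that a fingerprint typed from a screenshot with different case or without colons still compares correctly, while a single differing byte of certificate fails the check.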
Conclusion

- Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

- Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.