Go to View -> Targets -> Table View (7.1.2.1) to switch to this mode. Armitage will remember your preference. Click any...
8. Console format: Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A consol...
9. Host management: 9.1 Dynamic workspace. Armitage's dynamic workspaces feature allows you to create views into the...
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you. If you'd like...
Amap Log -m, Appscan XML, Burp Session XML, Foundstone XML, IP360 ASPL, IP360 XML v3, Microsoft Baseline Security Analyzer...
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF...
If manual exploitation fails, you have the hail mary option. Attack -> Hail Mary launches this feature. Armitag...
11. Post Exploitation: 11.1 Managing sessions. Armitage makes it easy to manage the Meterpreter agent once you su...
12. Maneuver: 12.1 Pivoting. Metasploit can launch attacks from a compromised host and receive sessions on the same...
local instance. Some Armitage features require read and write access to local files to work. Armitage's deconflic...
13.1 Multi-player Metasploit setup: The Armitage Linux package comes with a teamserver script that you may use to...
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells,...
14.2 Standalone bots: A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-al...
own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define...
Conclusion: Advanced users will find Armitage valuable for managing remote ...
ARMITAGE-THE CYBER ATTACK MANAGEMENT

Armitage, developed by Raphael Mudge, is a GUI for the Metasploit Framework aimed at pentesters and security researchers; here you can manage, and also prevent, cyber attacks. This project is meant for educational purposes only. Do not use it for crime.

Published in: Education
Armitage - the cyber attack management

Armitage is a graphical Cyber Attack Management tool for Metasploit (http://www.metasploit.com) that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

Metasploit is a popular exploitation framework that has seen plenty of coverage aimed at penetration testers. Armitage is a new GUI for Metasploit built around the hacking process. Today, I will show you how to use Armitage to scan a Linux host, find the right exploit, exploit the host, and handle post-exploitation. By following this project, we will learn how to use Armitage and Metasploit in our own work. This wonderful penetration testing tool was created by Raphael Mudge.
BASIC REQUIREMENTS:
• Windows XP, Windows 7
• BackTrack R3
• PostgreSQL
• MySQL
• Linux (here I have used BlackBuntu)
• A fresh install of Metasploit (http://www.metasploit.com/) 4.4 or later
• Oracle's Java 1.7 (http://www.java.com)
• Mac OS X
Armitage: A Hacker's Perspective

About Armitage:
Armitage is a graphical cyber-attack management tool for Metasploit (http://www.metasploit.com) that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework. Through one Metasploit instance, our team will:
• Use the same sessions
• Share hosts, captured data, and downloaded files
• Communicate through a shared event log
• Run bots to automate red team tasks

When Metasploit and Armitage are combined, they make a powerful cyber attack management tool for pen testing networks. Armitage allows your team to use the same sessions, share data, and communicate through one Metasploit instance. It is a very helpful tool for learning about cyber security because it provides a graphical interface instead of a command line.
Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. Armitage can help us by providing the following cyber attack management modules:

1. Commercial support
Armitage is open source software developed by Raphael Mudge's company Strategic Cyber LLC. Cobalt Strike is the commercially supported big brother of Armitage. Cobalt Strike adds features to support professional penetration testers and red teams, including:
• Professional Reports
• Spear Phishing
• Web Drive-by Attacks
• Client-side Reconnaissance
• VPN Pivoting
• Covert Command and Control

1.1 Professional Reports
Professional Reports are built from the hosts and vulnerabilities recorded during the engagement. The example below is a hosts report.

Hosts Report
March 1, 2012
This report shows host information gathered during this penetration test.

Summary
Hosts: 12
Services: 30
Vulnerabilities: 7
Compromises: 11
10.10.10.1
Operating System: Cisco IOS
Name:
MAC Address: 08:00:27:26:cc:f9

10.10.10.3
Operating System: Microsoft Windows 2008 R2 SP0
Name: DC
MAC Address: 08:00:27:1c:62:e1
Services
port  proto  name  info
139   tcp
135   tcp
389   tcp
445   tcp    smb   Windows Server 2008 R2 Enterprise (Build 7600) (language:Unknown) (name:DC) (domain:CORP)
Credentials
user           pass
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:23:54 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

10.10.10.4
Operating System: Microsoft Windows .NET Server SP0
Name: FILESERVER
MAC Address: 08:00:27:5c:d4:ad
Services
port  proto  name  info
139   tcp
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)
Credentials
user              pass
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Compromises
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
  This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.5
Operating System: Microsoft Windows .NET Server SP0
Name: MAIL
MAC Address: 08:00:27:1f:1d:86
Services
port  proto  name  info
25    tcp    smtp  220 ACME Corporation Mail Server [hMailServer]
139   tcp
143   tcp    imap  * OK IMAPrev1
110   tcp    pop3  +OK POP3
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)
Credentials
user              pass
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption (description as above)

10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29
Services
port  proto  name  info
135   tcp
139   tcp
445   tcp          Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
Credentials
user           pass
josh.sokol     aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
User           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:14:49 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption (description as above)

10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64
Services
port  proto  name  info
80    tcp    http  Apache/2.2.14 (Ubuntu)
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services
port  proto  name  info
139   tcp
135   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
Credentials
user           pass
administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM  unknown   Generic Payload Handler
03-01-12 09:21:26 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities
• Microsoft Windows Authenticated User Code Execution (description as above)

10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
Credentials
user                pass
administrator       e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
CORP/administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities
• Microsoft Windows Authenticated User Code Execution (description as above)

192.168.12.110
Operating System: Microsoft Windows 7
Name:
MAC Address:

192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01

192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services
port  proto  name  info
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials
user    pass
jsokol  joshrocks
Compromises
opened                duration  method
03-01-12 09:16:58 PM  unknown   SSH Login Check Scanner
Vulnerabilities
• SSH Login Check Scanner
  This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

1.2 SPEAR PHISHING
Cobalt Strike's spear phishing tool allows you to send pixel perfect spear phishing messages using an arbitrary message as a template.

Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.

Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.

You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:

Token      Description
%To%       The email address of the person the message is sent to
%To_Name%  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
%URL%      The contents of the URL field in the spear phishing dialog.

Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this message. Press ... to choose one of the Cobalt Strike hosted sites you've started.

Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.

Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.

1.3 Web Drive-by Attacks

Firefox Addon Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit web server that serves a dynamically created Firefox Add-on. This is a great attack to embed in a cloned website. Find a popular Firefox addon, clone its site, and embed the Firefox Add-on Attack URL.
1.4 Client-side Reconnaissance

System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.

To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler you must specify a URI to bind to and a port to start the Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.

1.5 VPN Pivoting

Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network. Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.

1.6 Covert Command and Control

What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.

This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.

2. CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.

For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets--you'll always know which hosts you're working with and where you have sessions.

Armitage assists with remote exploitation--providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.

For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
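The timer-driven, multi-domain check-in behaviour described for Beacon in section 1.6 above is also what a defender can look for in outbound proxy logs. The script below is an added example written for this page (not Cobalt Strike's or Armitage's code): it runs over a constructed sample log and flags client/destination pairs whose request intervals are nearly constant, then groups the flagged domains per client so a payload that rotates through several domains still stands out.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of proxy log lines (not taken from the page):
#   "<ISO timestamp> <client IP> <destination host>"
# 10.10.10.18 wakes every 60 seconds and alternates between two domains,
# the multi-domain check-in pattern the Beacon section describes.
# 10.10.10.21 browses at irregular, human-looking intervals.
SAMPLE_LOG = """\
2012-10-20T09:00:00 10.10.10.18 cdn-a.example.net
2012-10-20T09:00:02 10.10.10.21 www.example.org
2012-10-20T09:01:00 10.10.10.18 cdn-b.example.net
2012-10-20T09:01:37 10.10.10.21 news.example.org
2012-10-20T09:02:00 10.10.10.18 cdn-a.example.net
2012-10-20T09:02:05 10.10.10.21 www.example.org
2012-10-20T09:02:40 10.10.10.21 www.example.org
2012-10-20T09:03:00 10.10.10.18 cdn-b.example.net
2012-10-20T09:04:00 10.10.10.18 cdn-a.example.net
2012-10-20T09:05:00 10.10.10.18 cdn-b.example.net
2012-10-20T09:06:00 10.10.10.18 cdn-a.example.net
2012-10-20T09:07:00 10.10.10.18 cdn-b.example.net
2012-10-20T09:07:15 10.10.10.21 www.example.org
2012-10-20T09:08:00 10.10.10.18 cdn-a.example.net
2012-10-20T09:09:00 10.10.10.18 cdn-b.example.net
2012-10-20T09:11:20 10.10.10.21 news.example.org
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return records


def beacon_candidates(records, min_hits=4, max_cv=0.1):
    """Flag (src, dst) pairs whose check-in intervals are regular.

    A pair is reported when it has at least min_hits requests and the
    coefficient of variation (population stdev / mean) of the gaps between
    them is at most max_cv. Human browsing produces bursty, irregular gaps;
    an agent that sleeps on a fixed timer does not.
    """
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "mean_interval": avg, "cv": cv})
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


def domains_by_source(findings):
    """Group flagged destinations per client so multi-domain check-ins are visible together."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["src"]].append(f["dst"])
    return dict(grouped)


if __name__ == "__main__":
    found = beacon_candidates(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.2f})")
    print(domains_by_source(found))
```

Real agents add timing jitter, so in practice max_cv is tuned against a baseline of known-good traffic rather than fixed at 0.1.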
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.

Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools, you can further explore and maneuver through the network.

The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.

3. NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing:

Metasploit (http://www.metasploit.com/) is a console driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.

Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.

If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.

Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.

4. Installation

4.1 On Windows:
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later
2. Install Oracle's Java 1.7 (JRE or JDK)
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5. Make sure you're the Administrator user

To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g., c:\metasploit).

The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux:
To install Armitage on Linux:
1. Make sure you're the root user. Download and install the Metasploit Framework from http://www.metasploit.com/.
2. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu)

You can also install Armitage with a simple command, but before executing it you need to be the root user, so open a terminal and type exactly:
    $ sudo su
    # apt-get install armitage

We need to enable the RPC daemon for Metasploit; use this command on the terminal:
    root@bt:~# msfrpcd -f -U msf -P test -t Basic

Open a terminal and add /usr/local/bin to $PATH:
    export PATH=$PATH:/usr/local/bin

Since Metasploit 4.1, you now need to make sure you have a database startup script (the "$@" is quoted so it is written into the script literally rather than expanded by the shell running echo):
    echo exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh '"$@"' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults

This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit as a service option starts up the commercial/community edition of Metasploit on boot too. If you use this version--great. If not, it's a waste of system resources.
Now start the MySQL server so that Armitage stores results:
    root@bt:~# /etc/init.d/mysql start

Now it's time to run Armitage; locate the directory and type:
    root@bt:/pentest/exploits/armitage# ./armitage.sh

To start Armitage:
Open a terminal
Type: armitage
Click Connect
Press Yes if asked to start msfrpcd.

The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.

Note: If you're using Armitage with a *local* Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.

4.3 On BackTrack R3:
Armitage comes with BackTrack Linux 5 R3. The latest Armitage release requires BackTrack 5 R3. 5 R2, 5 R0 and 5 R1 are out! If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.

To start Armitage:
• Open a terminal
• Type: armitage
• Click Connect
• Press Yes if asked to start msfrpcd.
4.5 On Mac OS X:
Armitage works on Mac OS X but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.

Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started. Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though:
• The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
• Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion/)
• Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)

Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
    msfrpcd -U msf -P password -S -f
5. Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
• A PostgreSQL database. No other database is supported.
• msfrpcd is in $PATH
• $MSF_DATABASE_CONFIG points to a YAML file
• $MSF_DATABASE_CONFIG is available to msfrpcd and armitage
• the msgpack ruby gem

6. Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.

When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.

If you run msfupdate and Armitage stops working, you have a few options.
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
    cd /path/to/metasploit/msf3
    source ../scripts/setenv.sh
    svn update -r [revision number]
   This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually, this release is very stable.

If you're preparing to use Armitage and Metasploit somewhere important--do not run msfupdate and assume it will work. It's very important to stick with what you know works or test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).

6.1 Quick connect:
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details.
    java -jar armitage.jar --client connect.prop

Here's an example connect.prop file:
    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles

If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7. User interface (GUI)

The user interface is easy and friendly for a pentester as well as a hacker. It is made so easy that a user can manage the cyber attack without any help.

7.1 Overview

The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.

7.1.1 Modules

The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double click the module to bring up a dialog with options.

Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.

You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.

7.1.2 Targets - Graph View

The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running.

A red computer with electrical jolts indicates a compromised host. Right click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g., launching an exploit) to all selected hosts.

Right click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.

The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.

Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.

Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image

Right click the targets area with no selected hosts to configure the layout and zoom level of the targets area.

Targets - Table View

If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view.
Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.

Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.

Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.

7.1.3 Tabs

Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.

You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name. Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.

You may drag and drop tabs to change their order.

Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8. Console

Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.

The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.

In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.

Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.

Press Ctrl F to show a panel that will let you search for text within the console. Use Ctrl A to select all text in the console's buffer.

Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console go to View -> Console or press Ctrl+N.

The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9. Host management

9.1 Dynamic workspaces

Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.

To create a new dynamic workspace, press Add. You will see the following dialog:
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.

If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be: 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.

You can cheat with the network descriptions a little. If you type: 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type: 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.

Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space.

Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as indows. Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space.

Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace.

You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces. Use Workspace -> Show All or Ctrl+Backspace to display the entire database.

9.2 Importing hosts

To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:

Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML

9.3 NMap Scan

You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options. Optionally, you may type db_nmap in a console to launch NMap with the options you choose. NMap scans do not use the pivots you have set up.

9.4 MSF Scan

Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
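Before moving on to scanning, here is the dynamic workspace filter logic from section 9.1 written out as runnable Python. This is an added example for this page, not Armitage's code: it models the Hosts, Ports, OS and "Hosts with sessions only" fields against constructed host records. It generalises the manual's two shorthand examples (192.168.95.0 meaning a /24, 192.168.0.0 meaning a /16) to "each trailing zero octet widens the network by one octet"; that generalisation is an assumption, as is the host record layout.

```python
"""Dynamic workspace filter semantics from section 9.1 (added example).

This is an illustration written for this page, not Armitage's code.  It
models the four filters of the dynamic workspace dialog: Hosts (network
descriptions), Ports, OS (case-insensitive substring) and "Hosts with
sessions only".  Assumption: the manual's two shorthand examples
(192.168.95.0 -> /24, 192.168.0.0 -> /16) generalise to "each trailing
zero octet widens the range by one octet", so 10.0.0.0 becomes 10.0.0.0/8.
"""
import ipaddress


def _split_list(field):
    """Fields are separated by a comma and a space; tolerate a missing space."""
    return [item.strip() for item in field.split(",") if item.strip()]


def parse_network_description(desc):
    """Turn one Hosts entry into an ipaddress network object."""
    desc = desc.strip()
    if "/" in desc:
        # Explicit CIDR, e.g. 10.10.0.0/16.  strict=False tolerates host bits.
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("unsupported network description: %r" % desc)
    # Shorthand: count trailing zero octets and widen the prefix accordingly.
    trailing_zeros = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zeros += 1
    prefix = 32 - 8 * trailing_zeros
    return ipaddress.ip_network("%s/%d" % (desc, prefix), strict=False)


def host_in_workspace(host, hosts="", ports="", os_names="", sessions_only=False):
    """Apply the dialog's filters to one host record.

    host is a dict with keys: ip (str), ports (set of int), os (str),
    sessions (int).  An empty filter field matches everything, mirroring
    the dialog, where an unfilled field imposes no restriction.
    """
    if hosts:
        addr = ipaddress.ip_address(host["ip"])
        if not any(addr in parse_network_description(n) for n in _split_list(hosts)):
            return False
    if ports:
        wanted = {int(p) for p in _split_list(ports)}
        if not wanted & host["ports"]:
            return False
    if os_names:
        name = host["os"].lower()
        if not any(part.lower() in name for part in _split_list(os_names)):
            return False
    if sessions_only and host["sessions"] == 0:
        return False
    return True


# Constructed sample host records (not from a real database).
SAMPLE_HOSTS = [
    {"ip": "10.10.10.3",    "ports": {135, 139, 445}, "os": "Microsoft Windows XP", "sessions": 1},
    {"ip": "10.10.10.189",  "ports": {445, 3389},     "os": "Microsoft Windows 7",  "sessions": 0},
    {"ip": "192.168.95.20", "ports": {22, 80},        "os": "Linux Ubuntu",         "sessions": 0},
    {"ip": "192.168.96.5",  "ports": {22},            "os": "Linux Ubuntu",         "sessions": 2},
]


def workspace_view(**filters):
    """Return the IPs that the given workspace definition would show."""
    return [h["ip"] for h in SAMPLE_HOSTS if host_in_workspace(h, **filters)]


if __name__ == "__main__":
    print(workspace_view(hosts="10.10.0.0/16"))
    print(workspace_view(hosts="192.168.95.0"))
    print(workspace_view(os_names="indows", sessions_only=True))
    print(workspace_view(ports="22, 445", os_names="linux, windows 7"))
```

The OS filter is a plain substring test, so "indows" matches every Windows record, exactly as the manual describes; the port filter is satisfied by any one listed port being open on the host.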
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g., an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.

9.5 DNS Enumeration

Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.

9.6 Database maintenance

Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.

10. Exploitation

10.1 Remote Exploitation

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host. To exploit a host: right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.

10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order. This feature won't find every possible shell, but it's a good option if you don't know what else to try.

10.5 Client-side exploitation

Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for file format to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.

10.5 Client-side exploitation and payloads

If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload. Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.

If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11. Post Exploitation

11.1 Managing sessions

Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.

If you have shell access to a host, you will see a Shell N menu for each shell session. Right click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter... to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.

11.2 Privilege Escalation

Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12. Maneuver

12.1 Pivoting

Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting. To create a pivot, go to Meterpreter N -> Pivoting -> Setup... A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.

12.2 Scanning and external tools

Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.

To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up.

External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy... to launch the SOCKS proxy server. The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.

13. Remote Metasploit

13.1 Remote connection

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram:
13.1 Multi-player Metasploit setup

The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:

    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external ip address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.

The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.

Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.

Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.

13.2 Multi-player Metasploit

Armitage's red team collaboration mode adds a few new features. These are described here:

View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test this event log will help you reconstruct major events.
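The fingerprint check in section 13.1 is the only thing standing between a team member and a server impersonating the teamserver, since the teamserver's certificate is not issued by a CA the client trusts. The Python below is an added example for this page, not Armitage's code: it shows how the SHA-1 fingerprint is derived from the DER-encoded certificate, compares a fingerprint read out loud or pasted in any notation in constant time, and models the loopback-means-no-SSL rule from the same section. The certificate bytes are a constructed stand-in (only their hash matters here), and fetch_server_fingerprint is included for live use but not exercised offline.

```python
"""Team server certificate fingerprint check from section 13.1 (added example).

Armitage prints a SHA-1 fingerprint of the team server's SSL certificate and
expects each team member to compare it with what their client shows.  This
code is an illustration written for this page, not Armitage's own; it shows
how that fingerprint is derived (SHA-1 over the DER-encoded certificate) and
how to compare it without being fooled by formatting differences.
"""
import hashlib
import hmac
import ipaddress
import ssl


def certificate_fingerprint(der_bytes):
    """SHA-1 of the DER certificate, formatted AA:BB:CC:... like most tools."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fingerprint(text):
    """Strip colons, spaces and case so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(ch for ch in text if ch.isalnum()).upper()


def fingerprint_matches(presented, expected):
    """Constant-time comparison of two fingerprints in any common notation."""
    a = normalise_fingerprint(presented)
    b = normalise_fingerprint(expected)
    return len(a) == 40 and hmac.compare_digest(a, b)


def fetch_server_fingerprint(host, port=55553):
    """Retrieve the certificate a live team server presents and fingerprint it.

    ssl.get_server_certificate does not validate the chain (the team server
    uses a self-signed certificate), which is why the out-of-band fingerprint
    comparison matters.  Not exercised offline.
    """
    pem = ssl.get_server_certificate((host, port))
    return certificate_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def uses_ssl(host):
    """Model the rule in section 13.1: loopback means msfrpcd without SSL,
    any other address is treated as a team server and gets SSL."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() != "localhost"


# Constructed stand-in for DER certificate bytes (not a real certificate;
# only its hash matters for the fingerprint arithmetic shown here).
SAMPLE_DER = b"constructed-sample-certificate-bytes"

if __name__ == "__main__":
    fp = certificate_fingerprint(SAMPLE_DER)
    print("server fingerprint:", fp)
    print("matches lower-case, no colons:", fingerprint_matches(fp.replace(":", "").lower(), fp))
    print("uses SSL for 192.168.95.241:", uses_ssl("192.168.95.241"))
    print("uses SSL for 127.0.0.1:", uses_ssl("127.0.0.1"))
```

In practice the expected fingerprint comes from the person who started the teamserver, over a channel other than the connection being verified; a mismatch means the client should not proceed.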
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.

Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.

Some Metasploit modules require you to specify one or more files. If a file option has an icon next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.

Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running Meterpreter scripts.

14. Scripting Armitage

14.1 Cortana

Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots

A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server. Here's a helloworld.cna Cortana script:

    on ready {
        println("Hello World!");
        quit();
    }

To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:

    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna

14.3 Script management

You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its
own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.

To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console to open it.
Conclusion

Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.