ARMITAGE-THE CYBER ATTACK MANAGEMENT
Armitage-the cyber attack management
Armitage is a graphical cyber attack management tool for Metasploit (http://www.metasploit.com) that visualizes your targets, recommends exploits and exposes the advanced capabilities of the framework. Advanced users will find Armitage valuable for managing remote Metasploit instances and for collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data and communicate through one Metasploit instance.

Metasploit is a popular exploitation framework that has seen plenty of coverage aimed at penetration testers. Armitage is a newer GUI for Metasploit built around the hacking process. Today I will show you how to use Armitage to scan a Linux host, find the right exploit, exploit the host and handle post-exploitation. By following this project we will learn how to use Armitage and Metasploit in our own work. This wonderful penetration testing tool was created by Raphael Mudge.
BASIC REQUIREMENTS
Windows XP / Windows 7
BackTrack 5 r3
PostgreSQL
MySQL
Linux (here I have used BlackBuntu)
A fresh install of Metasploit (http://www.metasploit.com) 4.4 or later
Oracle's Java 1.7 (http://www.java.com)
Mac OS X

Armitage: A Hacker's Perspective
About Armitage
Armitage is a graphical cyber-attack management tool for Metasploit (http://www.metasploit.com) that visualizes your targets, recommends exploits and exposes the advanced capabilities of the framework. Advanced users will find Armitage valuable for managing remote Metasploit instances and for collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data and communicate through one Metasploit instance.

Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits and exposes the advanced post-exploitation features in the framework. Through one Metasploit instance our team will:
Use the same sessions
Share hosts, captured data and downloaded files
Communicate through a shared event log
Run bots to automate red team tasks

When Metasploit and Armitage are used together they make a powerful cyber attack management tool for penetration testing on a network. Armitage allows your team to use the same sessions, share data and communicate through one Metasploit instance. It is a very helpful tool for learning about cyber security because it provides a graphical interface instead of the command line.

Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. Armitage can help us by providing the following modules of cyber attack management, which are:

1. Commercial support
Armitage is open source software developed by Raphael Mudge's company, Strategic Cyber LLC. Cobalt Strike is the commercially supported big brother of Armitage. Cobalt Strike adds features to support professional penetration testers and red teams, including:
Professional Reports
Spear Phishing
Web Drive-by Attacks
Client-side Reconnaissance
VPN Pivoting
Covert Command and Control

1.1 Professional Reports
The professional reports draw on the hosts and vulnerabilities recorded in the database; what follows is an example hosts report.
Hosts Report
March 1, 2012
This report shows host information gathered during this penetration test.

Summary
Hosts: 12
Services: 30
Vulnerabilities: 7
Compromises: 11

10.10.10.1
Operating System: Cisco IOS
Name:
MAC Address: 08:00:27:26:cc:f9

10.10.10.3
Operating System: Microsoft Windows 2008 R2 SP0
Name: DC
MAC Address: 08:00:27:1c:62:e1

Services
port proto name info
139 tcp
135 tcp
389 tcp
445 tcp smb Windows Server 2008 R2 Enterprise (Build 7600) (language:Unknown) (name:DC) (domain:CORP)

Credentials
user pass
Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened duration method
03-01-12 09:23:54 PM 1 minute Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM 1 minute Microsoft Windows Authenticated User Code Execution

Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
10.10.10.4
Operating System: Microsoft Windows .NET Server SP0
Name: FILESERVER
MAC Address: 08:00:27:5c:d4:ad

Services
port proto name info
139 tcp
135 tcp
445 tcp Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)

Credentials
user pass
Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

Compromises
opened duration method
03-01-12 09:14:46 PM unknown Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.5
Operating System: Microsoft Windows .NET Server SP0
Name: MAIL
MAC Address: 08:00:27:1f:1d:86

Services
port proto name info
25 tcp smtp 220 ACME Corporation Mail Server [hMailServer]
139 tcp
143 tcp imap OK IMAPrev1
110 tcp pop3 +OK POP3
135 tcp
445 tcp Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)

Credentials
user pass
SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened duration method
03-01-12 09:14:46 PM unknown Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29

Services
port proto name info
135 tcp
139 tcp
445 tcp Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

Credentials
user pass
joshsokol aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
User aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened duration method
03-01-12 09:14:49 PM unknown Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64

Services
port proto name info
80 tcp http Apache/2.2.14 (Ubuntu)
22 tcp ssh SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d

Services
port proto name info
139 tcp
135 tcp
445 tcp smb Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)

Credentials
user pass
administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened duration method
03-01-12 09:23:53 PM 1 minute Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM unknown Generic Payload Handler
03-01-12 09:21:26 PM 1 minute Microsoft Windows Authenticated User Code Execution

Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb

Services
port proto name info
135 tcp
139 tcp
445 tcp smb Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)

Credentials
user pass
administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
CORP\administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened duration method
03-01-12 09:23:53 PM 1 minute Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM 1 minute Microsoft Windows Authenticated User Code Execution

Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
19216812110
Operating System: Microsoft Windows 7
Name:
MAC Address:

192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01

192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd

Services
port proto name info
135 tcp
139 tcp
445 tcp smb Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e

Services
port proto name info
22 tcp ssh SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

Credentials
user pass
jsokol joshrocks

Compromises
opened duration method
03-01-12 09:16:58 PM unknown SSH Login Check Scanner

Vulnerabilities
• SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
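Read as a defender, the credentials section of the report above already tells a story. Each Windows value is an LM:NTLM pair: the LM half aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account, and the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password. The script below is an added example, not part of the original document and not Metasploit's reporting code. It takes the credential lines as printed in the report and flags empty passwords, accounts that still carry a real LM hash (LM storage was enabled when the password was set), plaintext credentials, and NT hashes shared across hosts (the Administrator password reused on six machines). The dictionary layout is my own assumption.

```python
import re
from collections import defaultdict

# Two well-known constants: the LM half that means "no LM hash stored",
# and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_PASSWORD_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Credential entries as printed in the hosts report above (LM:NTLM, or the
# plaintext password for the SSH login), keyed by host. Layout is my own.
ADMIN = "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"
SUPPORT = "aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc"
GUEST = "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
JOSH = "aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c"

REPORT_CREDENTIALS = {
    "10.10.10.3": [("Administrator", ADMIN)],
    "10.10.10.4": [("Administrator", ADMIN), ("SUPPORT_388945a0", SUPPORT), ("Guest", GUEST)],
    "10.10.10.5": [("SUPPORT_388945a0", SUPPORT), ("Guest", GUEST), ("Administrator", ADMIN)],
    "10.10.10.18": [("joshsokol", JOSH), ("User", GUEST), ("Administrator", ADMIN)],
    "10.10.10.188": [("administrator", ADMIN)],
    "10.10.10.189": [("administrator", ADMIN), ("CORP\\administrator", ADMIN)],
    "192.168.57.18": [("jsokol", "joshrocks")],
}

HASH_RE = re.compile(r"^([0-9a-f]{32}):([0-9a-f]{32})$", re.IGNORECASE)


def split_hash(value):
    """Return (lm, nt) for an LM:NTLM string, or None for anything else."""
    m = HASH_RE.match(value)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def audit_credentials(creds):
    """Summarise password-hygiene findings from a set of dumped credentials."""
    findings = {"plaintext": [], "empty_password": [], "lm_hash_stored": []}
    hosts_by_nt = defaultdict(set)
    for host, entries in creds.items():
        for user, value in entries:
            parts = split_hash(value)
            if parts is None:
                findings["plaintext"].append((host, user))
                continue
            lm, nt = parts
            if nt == EMPTY_PASSWORD_NT:
                findings["empty_password"].append((host, user))
            if lm != EMPTY_LM:
                # A real LM hash means LM storage was on when the password was set.
                findings["lm_hash_stored"].append((host, user))
            if nt != EMPTY_PASSWORD_NT:
                hosts_by_nt[nt].add(host)
    # The same NT hash on several hosts means the same password on all of them.
    findings["nt_reuse"] = {
        nt: sorted(hosts) for nt, hosts in hosts_by_nt.items() if len(hosts) > 1
    }
    return findings


if __name__ == "__main__":
    for kind, items in audit_credentials(REPORT_CREDENTIALS).items():
        print(kind, items)
```

The reuse check is the one that matters most on this report: one local Administrator password on every Windows host is what turns a single compromised workstation into the whole domain, which is exactly the pattern the psexec-style entries in the Compromises sections show.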
1.2 Spear Phishing
Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template. Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name, separated by a tab or comma, for stronger message customization.

Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.

You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
Token Description
%To% The email address of the person the message is sent to
%To_Name% The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name
%URL% The contents of the URL field in the spear phishing dialog

Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this. Press ... to choose one of the Cobalt Strike hosted sites you've started.

Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.

Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
1.3 Web Drive-by Attacks
Firefox Add-on Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit® web server that serves a dynamically created Firefox add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site and embed the Firefox Add-on Attack URL.
1.4 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler you must specify a URI to bind to and a port to start the Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
1.5 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface your system may sniff traffic on the target's network, act as a rogue server or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
1.6 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally Beacon will contact Cobalt Strike to check for tasks.
If a tasking is available, Beacon will download its tasks and execute them. This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
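The sleep-and-check-in behaviour described above is also what gives Beacon-style traffic away in proxy or DNS logs: the same client reaching the same name at near-constant intervals, long after a person would have moved on. The detector below is an added example, not part of the original document and not Cobalt Strike or Armitage code. It runs over a constructed proxy log (timestamp, source IP, destination name) and flags flows whose gaps between requests are regular, measured by the coefficient of variation, and frequent enough to matter. The 10.10.10.x addresses and the .test names are constructed sample values; the thresholds are my own starting points.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "timestamp source destination". Not real traffic.
# The 10.10.10.188 flow checks in about once a minute with a little jitter,
# like a sleeping Beacon; the 10.10.10.189 flow is a person browsing.
SAMPLE_LOG = """\
2012-10-20T09:00:00 10.10.10.188 cdn-updates.example.test
2012-10-20T09:00:00 10.10.10.189 intranet.corp.test
2012-10-20T09:00:03 10.10.10.189 intranet.corp.test
2012-10-20T09:00:48 10.10.10.189 intranet.corp.test
2012-10-20T09:01:00 10.10.10.188 cdn-updates.example.test
2012-10-20T09:02:03 10.10.10.188 cdn-updates.example.test
2012-10-20T09:03:01 10.10.10.188 cdn-updates.example.test
2012-10-20T09:04:02 10.10.10.188 cdn-updates.example.test
2012-10-20T09:05:02 10.10.10.188 cdn-updates.example.test
2012-10-20T09:06:04 10.10.10.188 cdn-updates.example.test
2012-10-20T09:07:03 10.10.10.188 cdn-updates.example.test
2012-10-20T09:10:48 10.10.10.189 intranet.corp.test
2012-10-20T09:11:00 10.10.10.189 intranet.corp.test
2012-10-20T09:13:10 10.10.10.189 intranet.corp.test
"""


def parse_log(text):
    """Group request timestamps by (source, destination) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(times):
    """Mean gap between consecutive requests and its coefficient of variation."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(text, min_requests=6, max_cv=0.2):
    """Flag flows whose timing is regular enough to look like a sleep loop."""
    findings = {}
    for flow, times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            findings[flow] = {
                "requests": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for flow, info in find_beacons(SAMPLE_LOG).items():
        print(flow, info)
```

The same logic applies unchanged to DNS query logs, since the text notes Beacon may check in over DNS as well. Because Beacon can rotate across several domains, a flow keyed on (source, destination) can split one sleep loop into several less regular ones; when hunting for that, key on the source alone and look at the combined timeline.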
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets: you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module you must set one or more variables to configure the module. The exploit process is similar: to launch an exploit you must choose an exploit module, set one or more variables and launch it.
Armitage aims to make this process easier for you. If you successfully exploit a host you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later
2. Install Oracle's Java 1.7 (JRE or JDK)
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5. Make sure you're the Administrator user
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies
3. After installation, type /opt/framework/app/msfupdate to update Metasploit
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu)
You can install Armitage with a simple command, but you need to be the root user before you run it, so open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit; use this command in the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
The -U and -P values are the username and password Armitage will use to authenticate to msfrpcd; outside a throwaway lab, pick a real password rather than test.
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you now need to make sure you have a database startup script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note
If you're using Armitage with a local Metasploit instance then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack 5 r3
Armitage comes with BackTrack Linux 5 r3. The latest Armitage release requires BackTrack 5 r3; 5 r2, 5 r0 and 5 r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.4 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH
$MSF_DATABASE_CONFIG points to a YAML file
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage
the msgpack ruby gem
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the meantime.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server. The file holds the msfrpcd password in plain text, so keep it readable only by your own user.
7 User interface (GUI)
The user interface is very easy and friendly for a pentester as well as for a hacker; it is made so easy that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*) and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console
The Metasploit console, Meterpreter console and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console. Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see a dialog with the fields described below.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0 and 10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows"; Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to include only hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
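The matching rules just described, applied to a constructed host list in Python. This is an added example, not Armitage's own code: the sample hosts and the field names are constructed for it, and treating several entries in the Ports field as "any of these ports" is this example's reading of that field.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed stand-in for Metasploit's hosts table (names are this example's own).
@dataclass
class Host:
    address: str
    os_name: str
    ports: set = field(default_factory=set)
    sessions: int = 0


SAMPLE_HOSTS = [
    Host("10.10.10.3", "Microsoft Windows 2008 R2", {135, 139, 389, 445}, sessions=1),
    Host("10.10.10.21", "Linux Ubuntu", {22, 80}),
    Host("192.168.95.7", "Microsoft Windows XP", {445}),
    Host("192.168.96.7", "Microsoft Windows 7", {445}, sessions=2),
    Host("192.168.57.18", "Linux Ubuntu", {22}, sessions=1),
]


def expand_network(desc):
    """Turn one Hosts-field entry into a (first, last) pair of IPv4Address.

    Handles CIDR, an explicit a-b range, and the two shortcuts the manual describes:
    x.y.z.0 means x.y.z.0-255 and x.y.0.0 means x.y.0.0-x.y.255.255."""
    desc = desc.strip()
    if "/" in desc:
        net = ipaddress.ip_network(desc, strict=False)
        return net[0], net[-1]
    if "-" in desc:
        lo, hi = desc.split("-", 1)
        lo = ipaddress.ip_address(lo.strip())
        hi = hi.strip()
        if "." not in hi:  # short "192.168.95.0-40" form: reuse the first three octets
            hi = ".".join(str(lo).split(".")[:3] + [hi])
        return lo, ipaddress.ip_address(hi)
    octets = desc.split(".")
    if octets[2:] == ["0", "0"]:
        return ipaddress.ip_address(desc), ipaddress.ip_address(".".join(octets[:2] + ["255", "255"]))
    if octets[3:] == ["0"]:
        return ipaddress.ip_address(desc), ipaddress.ip_address(".".join(octets[:3] + ["255"]))
    addr = ipaddress.ip_address(desc)
    return addr, addr


def parse_list(text):
    """Split a field on ", " (comma and a space), as the dialog expects; empty means no filter."""
    return [item for item in text.split(", ") if item.strip()] if text else []


def workspace_filter(hosts, networks="", ports="", os_names="", sessions_only=False):
    """Apply the dynamic-workspace rules and return matching addresses in table order."""
    ranges = [expand_network(n) for n in parse_list(networks)]
    wanted_ports = {int(p) for p in parse_list(ports)}
    os_fragments = [o.lower() for o in parse_list(os_names)]  # case-insensitive substring match
    selected = []
    for h in hosts:
        addr = ipaddress.ip_address(h.address)
        if ranges and not any(lo <= addr <= hi for lo, hi in ranges):
            continue
        if wanted_ports and not (wanted_ports & h.ports):  # assumption: any listed port qualifies
            continue
        if os_fragments and not any(frag in h.os_name.lower() for frag in os_fragments):
            continue
        if sessions_only and h.sessions == 0:
            continue
        selected.append(h.address)
    return selected


if __name__ == "__main__":
    print(workspace_filter(SAMPLE_HOSTS, networks="192.168.0.0", os_names="indows", sessions_only=True))
```

Typing the same descriptions into the workspace dialog gives the same view; the example is mainly useful for checking what a shortcut such as 192.168.0.0 expands to before relying on it.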
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Hosts -> Import Hosts menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap scans
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Hosts -> Nmap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scans
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Hosts -> MSF Scans to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g., an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS enumeration
Another host discovery option is to enumerate a DNS server. Go to Hosts -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will fill up. If you have a performance problem with Armitage, try clearing your database. To do this, go to Hosts -> Clear Database.
10 Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try. Expect it to be noisy: it launches many exploits against every host in the database, which is easy to detect and may crash fragile services.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the Option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post-exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003-era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scans feature. These scans will honor the pivot you set up. External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connections
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, each Armitage client connects to the deconfliction server, which brokers access to the shared Metasploit RPC server.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network as if you're local.
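The client side of the SOCKS exchange that 12.2 and the SOCKS4 proxy paragraph above rely on, as an added Python example; it is not Armitage's or Metasploit's own code. It assumes Metasploit's auxiliary/server/socks4a module is listening (default port 1080) with a route to the pivot subnet, and that the proxy speaks plain SOCKS4/4a; the function and constant names are this example's own. The SOCKS4a form sends the hostname so the proxy resolves it on the far side of the pivot, which is what you want for internal names. SOCKS4 carries only IPv4 addresses, so the IPv6 hosts that MSF Scans can reach through a pivot cannot be reached through this proxy.

```python
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: identd not reachable",
    0x5D: "rejected: identd user mismatch",
}


def build_connect_request(host, port, userid=""):
    """Build a SOCKS4 CONNECT request.

    A dotted IPv4 literal goes into DSTIP directly. Anything else uses the SOCKS4a
    form: DSTIP is 0.0.0.x (x != 0) and the hostname follows the NUL-terminated USERID,
    so name resolution happens on the proxy (pivot) side, not on your attack host."""
    try:
        dstip = socket.inet_aton(host)
        trailer = b""
    except OSError:
        dstip = b"\x00\x00\x00\x01"
        trailer = host.encode("idna") + b"\x00"
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
    return header + dstip + userid.encode() + b"\x00" + trailer


def parse_reply(data):
    """Decode the fixed 8-byte SOCKS4 reply: VN(0) CD DSTPORT DSTIP. Returns (granted, reason)."""
    if len(data) != 8:
        raise ValueError("short SOCKS4 reply: %r" % (data,))
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != 0:
        raise ValueError("bad reply version %d" % vn)
    return cd == REPLY_GRANTED, REPLY_CODES.get(cd, "unknown code %d" % cd)


def connect_via_socks4a(proxy_host, proxy_port, dest_host, dest_port, timeout=10):
    """Open a TCP connection to dest_host:dest_port through the proxy and return the socket.

    Network call, not exercised offline. On a failed CONNECT the reason from the reply
    is raised so a closed port on the pivot's network is distinguishable from a dead proxy."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        s.sendall(build_connect_request(dest_host, dest_port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            reply += chunk
        granted, reason = parse_reply(reply)
        if not granted:
            raise ConnectionError("SOCKS4a CONNECT %s:%d failed: %s" % (dest_host, dest_port, reason))
    except Exception:
        s.close()
        raise
    return s


if __name__ == "__main__":
    # Example: reach an internal web server through the Metasploit SOCKS4a proxy on localhost.
    conn = connect_via_socks4a("127.0.0.1", 1080, "intranet.corp", 80)
    conn.sendall(b"GET / HTTP/1.0\r\nHost: intranet.corp\r\n\r\n")
    print(conn.recv(512).decode(errors="replace"))
    conn.close()
```

Tools such as proxychains do the same wrapping for programs that have no proxy setting of their own; the exchange on the wire is identical.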
13.2 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs; you may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match before entering the password; the certificate is self-signed, so this comparison is the only thing that tells them they are talking to your team server.
Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
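The fingerprint check the paragraph above asks team members to do by eye, as an added Python example that is not part of Armitage. It assumes the team server's SSL listener is on port 55553 and that the expected fingerprint was read from the teamserver console; the function names are this example's own. The certificate is fetched without CA validation because the team server's certificate is self-signed, so the fingerprint comparison is the entire check, and it is done in constant time.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha1(cert_der):
    """SHA-1 over the DER-encoded certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept a fingerprint however it was read out: any case, with or without colons or spaces."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprints_match(presented, expected):
    """Constant-time comparison so the check itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(normalize(presented), normalize(expected))


def fetch_server_fingerprint(host, port=55553, timeout=10):
    """Connect over TLS and return the fingerprint of the leaf certificate the server presents.

    Chain validation is disabled on purpose: the team server's certificate is self-signed and
    the operator-supplied fingerprint is the trust anchor. Network call, not exercised offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return fingerprint_sha1(tls.getpeercert(binary_form=True))


def check_team_server(host, expected_fp, port=55553):
    """True only when the presented certificate matches the fingerprint read from the console.
    Abort the login on False: the password would otherwise go to whoever answered."""
    return fingerprints_match(fetch_server_fingerprint(host, port), expected_fp)


if __name__ == "__main__":
    import sys
    # usage: python verify_teamserver.py <external ip> <fingerprint shown by teamserver>
    ok = check_team_server(sys.argv[1], sys.argv[2])
    print("fingerprint matches" if ok else "FINGERPRINT MISMATCH, do not connect")
```

Running this from each team member's machine before the first Connect catches a mistyped host address or an interposed listener; the same comparison should be repeated whenever the team server is restarted with a fresh certificate.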
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option is marked in the module launcher, you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example:
connect.prop file:
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now, to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console to open it.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework. Through one Metasploit instance, your team will:
Use the same sessions
Share hosts, captured data, and downloaded files
Communicate through a shared event log
Run bots to automate red team tasks
When Metasploit and Armitage are used together, they make a powerful cyber attack management tool for penetration testing on a network. Armitage allows your team to use the same sessions, share data, and communicate through one Metasploit instance. It is a very helpful tool for learning about cyber security because it provides a graphical interface instead of a command line.
Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. Armitage can help us by providing the following modules for cyber attack management:
1 Commercial support
Armitage is open source software developed by Raphael Mudge's company, Strategic Cyber LLC. Cobalt Strike is the commercially supported big brother of Armitage. Cobalt Strike adds features to support professional penetration testers and red teams, including:
Professional Reports
Spear Phishing
Web Drive-by Attacks
Client-side Reconnaissance
VPN Pivoting
Covert Command and Control
1.1 Professional Reports
Professional Reports are generated from the hosts and vulnerabilities recorded in the database. The example below is a hosts report.
Hosts Report
March 1, 2012
This report shows host information gathered during this penetration test.

Summary
  Hosts: 12
  Services: 30
  Vulnerabilities: 7
  Compromises: 11

10.10.10.1
  Operating System: Cisco IOS
  Name:
  MAC Address: 08:00:27:26:cc:f9

10.10.10.3
  Operating System: Microsoft Windows 2008 R2 SP0
  Name: DC
  MAC Address: 08:00:27:1c:62:e1
  Services
    port  proto  name  info
    139   tcp
    135   tcp
    389   tcp
    445   tcp    smb   Windows Server 2008 R2 Enterprise (Build 7600) (language:Unknown) (name:DC) (domain:CORP)
  Credentials
    user           pass
    Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
  Compromises
    opened                duration  method
    03-01-12 09:23:54 PM  1 minute  Microsoft Windows Authenticated User Code Execution
    03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
  Vulnerabilities
    Microsoft Windows Authenticated User Code Execution
    This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

10.10.10.4
  Operating System: Microsoft Windows .NET Server SP0
  Name: FILESERVER
  MAC Address: 08:00:27:5c:d4:ad
  Services
    port  proto  name  info
    139   tcp
    135   tcp
    445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)
  Credentials
    user              pass
    Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
    Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
  Compromises
    opened                duration  method
    03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
  Vulnerabilities
    Microsoft Server Service Relative Path Stack Corruption
    This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.5
  Operating System: Microsoft Windows .NET Server SP0
  Name: MAIL
  MAC Address: 08:00:27:1f:1d:86
  Services
    port  proto  name  info
    25    tcp    smtp  220 ACME Corporation Mail Server [hMailServer]
    139   tcp
    143   tcp    imap  OK IMAPrev1
    110   tcp    pop3  +OK POP3
    135   tcp
    445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)
  Credentials
    user              pass
    SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
    Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
  Compromises
    opened                duration  method
    03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
  Vulnerabilities
    Microsoft Server Service Relative Path Stack Corruption
    This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.18
  Operating System: Microsoft Windows XP SP2
  Name: JOSHDEV
  MAC Address: 08:00:27:5a:86:29
  Services
    port  proto  name  info
    135   tcp
    139   tcp
    445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
  Credentials
    user           pass
    joshsokol      aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
    User           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
  Compromises
    opened                duration  method
    03-01-12 09:14:49 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
  Vulnerabilities
    Microsoft Server Service Relative Path Stack Corruption
    This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.21
  Operating System: Linux Ubuntu
  Name: 10.10.10.21
  MAC Address: 08:00:27:9d:3c:64
  Services
    port  proto  name  info
    80    tcp    http  Apache/2.2.14 (Ubuntu)
    22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

10.10.10.188
  Operating System: Microsoft Windows 7 SP0
  Name: WS2
  MAC Address: 08:00:27:08:3f:1d
  Services
    port  proto  name  info
    139   tcp
    135   tcp
    445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
  Credentials
    user           pass
    administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
  Compromises
    opened                duration  method
    03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
    03-01-12 09:11:42 PM  unknown   Generic Payload Handler
    03-01-12 09:21:26 PM  1 minute  Microsoft Windows Authenticated User Code Execution
  Vulnerabilities
    Microsoft Windows Authenticated User Code Execution
    This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

10.10.10.189
  Operating System: Microsoft Windows 7 SP0
  Name: CEOSBOX
  MAC Address: 08:00:27:78:78:fb
  Services
    port  proto  name  info
    135   tcp
    139   tcp
    445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
  Credentials
    user                pass
    administrator       e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    CORP\administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
  Compromises
    opened                duration  method
    03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
    03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
  Vulnerabilities
    Microsoft Windows Authenticated User Code Execution
    This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

192.168.12.110
  Operating System: Microsoft Windows 7
  Name:
  MAC Address:

192.168.57.1
  Operating System: Linux Ubuntu
  Name: 192.168.57.1
  MAC Address: 0a:00:27:00:00:01

192.168.57.8
  Operating System: Microsoft Windows XP SP2
  Name:
  MAC Address: 08:00:27:3b:3b:dd
  Services
    port  proto  name  info
    135   tcp
    139   tcp
    445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

192.168.57.18
  Operating System: Linux Ubuntu
  Name:
  MAC Address: 08:00:27:e9:f9:8e
  Services
    port  proto  name  info
    22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
  Credentials
    user    pass
    jsokol  joshrocks
  Compromises
    opened                duration  method
    03-01-12 09:16:58 PM  unknown   SSH Login Check Scanner
  Vulnerabilities
    SSH Login Check Scanner
    This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
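Reading the credential rows of the report above the way a tester would, as an added Python example; it is not Cobalt Strike's reporting code. The rows are copied from the report with the colon between the LM and NT halves restored; the function names are this example's own, and the two constants are the well-known LM hash of an empty (disabled) LM password and the NT hash of the empty password. The output answers the questions that drive the next step of an engagement: which NT hash is shared across hosts (the pass-the-hash path the report's psexec entries took), which accounts have no password, whether LM hashes are still stored, and which credentials were captured in the clear.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM half when LM storage is disabled or the password is empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# (host, user, secret) rows as listed in the sample report above; LM:NT colon restored.
REPORT_CREDS = [
    ("10.10.10.3",    "Administrator",      "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"),
    ("10.10.10.4",    "Administrator",      "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"),
    ("10.10.10.4",    "SUPPORT_388945a0",   "aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc"),
    ("10.10.10.4",    "Guest",              "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"),
    ("10.10.10.5",    "SUPPORT_388945a0",   "aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc"),
    ("10.10.10.5",    "Guest",              "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"),
    ("10.10.10.5",    "Administrator",      "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"),
    ("10.10.10.18",   "joshsokol",          "aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c"),
    ("10.10.10.18",   "User",               "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"),
    ("10.10.10.18",   "Administrator",      "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"),
    ("10.10.10.188",  "administrator",      "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"),
    ("10.10.10.189",  "administrator",      "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"),
    ("10.10.10.189",  "CORP\\administrator", "e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b"),
    ("192.168.57.18", "jsokol",             "joshrocks"),
]


def split_hash(secret):
    """Return (lm, nt) for a 32:32 hex pair, or None when the secret is a plaintext password."""
    parts = secret.split(":")
    if len(parts) != 2 or not all(len(p) == 32 for p in parts):
        return None
    try:
        int(parts[0], 16)
        int(parts[1], 16)
    except ValueError:
        return None
    return parts[0].lower(), parts[1].lower()


def analyze(creds):
    """Group the findings a tester wants from a credential dump.

    reuse:          NT hash -> sorted hosts where the same hash was recovered (pass-the-hash path)
    empty_password: accounts whose NT hash is the empty-password hash
    lm_present:     accounts for which a real LM hash is stored (crackable in minutes)
    plaintext:      credentials captured as passwords rather than hashes"""
    by_nt = defaultdict(set)
    findings = {"reuse": {}, "empty_password": [], "lm_present": [], "plaintext": []}
    for host, user, secret in creds:
        pair = split_hash(secret)
        if pair is None:
            findings["plaintext"].append((host, user))
            continue
        lm, nt = pair
        by_nt[nt].add(host)
        if nt == EMPTY_NT:
            findings["empty_password"].append((host, user))
        if lm != EMPTY_LM:
            findings["lm_present"].append((host, user))
    for nt, hosts in by_nt.items():
        if len(hosts) > 1 and nt != EMPTY_NT:
            findings["reuse"][nt] = sorted(hosts)
    return findings


if __name__ == "__main__":
    for key, value in analyze(REPORT_CREDS).items():
        print(key, value)
```

On this report the shared local Administrator hash explains why one psexec run reached six hosts; the same view tells the defender which single fix (unique local administrator passwords, LM storage off, disabled accounts without blank passwords) removes the most paths.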
1.2 Spear Phishing
Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template.
Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
  Token      Description
  %To%       The email address of the person the message is sent to
  %To_Name%  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
  %URL%      The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this email. Press the ... button to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
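The token substitution and URL rewriting described above, as an added Python example that is not Cobalt Strike's code. The targets file and the message template are constructed; the %To%, %To_Name% and %URL% delimiters, the id= query parameter that carries the per-recipient tracking token, and falling back to the address when no name was imported are this example's assumptions about details the text does not spell out.

```python
import re
import secrets

# Constructed targets file in both forms the text describes:
# one address per line, or address and name separated by a tab or a comma.
TARGETS_TEXT = """alice@example.com\tAlice Adams
bob@example.com,Bob Brown
carol@example.com
"""

# Constructed message template (a saved email, headers trimmed) using the tokens.
TEMPLATE = """To: %To%
Subject: Benefits enrollment

Hi %To_Name%, please review your enrollment at http://hr.example.com/enroll
and confirm at %URL% today.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_targets(text):
    """Return (email, name) pairs; name is None for address-only lines."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "\t" in line:
            email, name = line.split("\t", 1)
        elif "," in line:
            email, name = line.split(",", 1)
        else:
            email, name = line, None
        targets.append((email.strip(), name.strip() if name else None))
    return targets


def render(template, email, name, embed_url, token):
    """Substitute the tokens for one recipient.

    With an embed URL set, every URL in the template is rewritten to the embed URL plus a
    per-recipient token (assumed here to travel as ?id=), so a visit identifies the email
    that was clicked. %URL% receives the same tracked URL. Without an embed URL the
    template's own links are left alone and %URL% becomes empty."""
    if embed_url:
        tracked = embed_url + ("&" if "?" in embed_url else "?") + "id=" + token
        body = URL_RE.sub(tracked, template)
    else:
        tracked = ""
        body = template
    body = body.replace("%To%", email)
    body = body.replace("%To_Name%", name if name else email)  # assumption: fall back to the address
    body = body.replace("%URL%", tracked)
    return body


def build_campaign(targets_text, template, embed_url, token_for=None):
    """Return {email: (token, rendered message)} for every target.

    token_for lets a caller supply deterministic tokens (tests, or a token store that maps
    tokens back to recipients); by default each token is a fresh random value."""
    token_for = token_for or (lambda email: secrets.token_hex(8))
    campaign = {}
    for email, name in parse_targets(targets_text):
        token = token_for(email)
        campaign[email] = (token, render(template, email, name, embed_url, token))
    return campaign


if __name__ == "__main__":
    for email, (token, message) in build_campaign(TARGETS_TEXT, TEMPLATE, "http://phish.example.net/go").items():
        print("---", email, "token", token)
        print(message)
```

Keep the token-to-recipient map with the engagement notes: it is what turns a hit on the hosted site into "this person clicked", which is the evidence the report needs.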
1.3 Web Drive-by Attacks
Firefox Add-on Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Add-on Attack. This tool will start a Metasploit web server that serves a dynamically created Firefox add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site, and embed the Firefox Add-on Attack URL.
1.4 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
1.5 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
1.6 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust: if a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
2 Cyber Attack Management
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets: you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system as if you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 Necessary things to know
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4. Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database).
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory (e.g. c:\metasploit). You will only need to do this once.
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can also install Armitage with a single package command, but you need to be the root user to do it, so open a terminal and type exactly:
    $ sudo su
    # apt-get install armitage
Start Metasploit's RPC daemon with this command on the terminal:
    root@bt:~# msfrpcd -f -U msf -P test -t Basic
Add /usr/local/bin to $PATH:
    export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you need to make sure you have a database startup script:
    echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
    root@bt:~# /etc/init.d/mysql start
(Armitage and Metasploit only support PostgreSQL, as section 5 states, so the data Armitage reads lives in the PostgreSQL instance started by the script above; the MySQL service is part of the BackTrack setup, not of Armitage's storage.)
This database startup script step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
    root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: if you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack 5r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.4 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
    msfrpcd -U msf -P password -S -f
5. Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
- A PostgreSQL database. No other database is supported.
- msfrpcd is in $PATH.
- $MSF_DATABASE_CONFIG points to a YAML file.
- $MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
- The msgpack Ruby gem.
6. Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a Subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision tested against Armitage. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
    cd /path/to/metasploit/msf3
    source scripts/setenv.sh
    svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
    java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server. Each file holds the RPC password in clear text, so keep it readable only by your own user.
7. User interface (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The Login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.
Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8. Console
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9. Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace.
Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Host -> Nmap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.
10. Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.2 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try. Keep in mind that it throws many exploits in a row at live services; that is noisy, and as the Server Service module description later in this document notes, some exploits crash or hang the target on repeated attempts.
10.3 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.4 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11. Post-exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege escalation
Some exploits result in administrative access to the host. Other times you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12. Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13. Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.2 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Choose a strong password: anyone who can reach that port and knows it gets the same access to your Metasploit instance and every session in it that your team has. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs; you may run them over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match before going further; a mismatch means the connection is not reaching your team server directly.
Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14. Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    on ready {
        println("Hello World");
        quit();
    }
To run this script you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
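The connect.prop format used here and in section 6.1, together with the team server rules of section 13.2 (a loopback host selects plain msfrpcd, any other address selects the SSL team server; the SHA-1 fingerprint the server printed must match what the client is shown), can be checked before anything connects. The following is an added example for this page, not Armitage or Cortana code: the function names, the plain hex fingerprint format, and the stand-in certificate bytes are assumptions, and the loopback warning applies the rule stated for Armitage clients in 13.2. The profile text is the one from section 6.1.

```python
"""Checks on an Armitage/Cortana connect.prop profile and on the team server
fingerprint.  Added example for this page; not Armitage or Cortana code."""
import hashlib
import hmac
import ipaddress

REQUIRED_KEYS = ("host", "port", "user", "pass")

# The profile from section 6.1 of this manual.
PROFILE = "host=192.168.95.241\nport=55553\nuser=mister\npass=bojangles\n"
# Constructed stand-in for a DER certificate; a real one comes from the team server.
SAMPLE_CERT_DER = b"constructed-stand-in-for-the-team-server-certificate"


def parse_connect_prop(text: str) -> dict:
    """Parse key=value lines; extra keys such as Cortana's nick= are kept."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    port = int(props["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    props["port"] = port
    return props


def connection_mode(host: str) -> str:
    """Section 13.2's rule: loopback selects plain msfrpcd, anything else the SSL team server."""
    if host.lower() == "localhost":
        return "msfrpcd"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "msfrpcd"
    except ValueError:          # a hostname rather than an address: treated as remote
        pass
    return "teamserver-ssl"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-1 of the server certificate, the value the team server prints at start
    (plain hex assumed; the exact display format is not on this page)."""
    return hashlib.sha1(cert_der).hexdigest()


def fingerprint_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison tolerant of colons, spaces, and letter case."""
    def norm(value: str) -> str:
        return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")
    return hmac.compare_digest(norm(presented), norm(expected))


def check_profile(text: str, teamserver_running: bool,
                  presented_fp: str = None, expected_fp: str = None) -> list:
    """Return the reasons not to connect with this profile; [] means go ahead."""
    problems = []
    props = parse_connect_prop(text)
    mode = connection_mode(props["host"])
    if mode == "msfrpcd" and teamserver_running:
        problems.append("loopback host with a team server running: Armitage will "
                        "skip SSL; use the team server's external IP instead")
    if mode == "teamserver-ssl":
        if presented_fp is None or expected_fp is None:
            problems.append("no fingerprint to verify against what the team server printed")
        elif not fingerprint_matches(presented_fp, expected_fp):
            problems.append("certificate fingerprint mismatch: do not send credentials")
    return problems


if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_CERT_DER)
    print(connection_mode(parse_connect_prop(PROFILE)["host"]), check_profile(PROFILE, True, fp, fp))
```

The expected fingerprint is whatever the person who started the team server read off its console; pass that in as expected_fp and the value the client dialog shows as presented_fp.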
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver; Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Through one Metasploit instance, your team will:
- Use the same sessions
- Share hosts, captured data, and downloaded files
- Communicate through a shared event log
- Run bots to automate red team tasks
When Metasploit and Armitage are used together they make a powerful cyber attack management tool for pen testing networks. Armitage allows your team to use the same sessions, share data, and communicate through one Metasploit instance. It is a very helpful tool for learning about cyber security because it provides a graphical interface instead of the command line.
Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. Armitage can help us by providing the following modules for cyber attack management:
1. Commercial support
Armitage is open source software developed by Raphael Mudge's company, Strategic Cyber LLC. Cobalt Strike is the commercially supported big brother of Armitage. Cobalt Strike adds features to support professional penetration testers and red teams, including:
- Professional Reports
- Spear Phishing
- Web Drive-by Attacks
- Client-side Reconnaissance
- VPN Pivoting
- Covert Command and Control
1.1 Professional Reports
The Professional Reports feature is illustrated by the following hosts report, which lists each host with its services, credentials, compromises, and vulnerabilities.
Hosts Report
March 1, 2012
This report shows host information gathered during this penetration test.
Summary
Hosts: 12
Services: 30
Vulnerabilities: 7
Compromises: 11

10.10.10.1
Operating System: Cisco IOS
Name:
MAC Address: 08:00:27:26:cc:f9

10.10.10.3
Operating System: Microsoft Windows 2008 R2 SP0
Name: DC
MAC Address: 08:00:27:1c:62:e1
Services
port  proto  name  info
139   tcp
135   tcp
389   tcp
445   tcp    smb   Windows Server 2008 R2 Enterprise (Build 7600) (language:Unknown) (name:DC) (domain:CORP)
Credentials
user           pass
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened                duration  method
03-01-12 09:23:54 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
10.10.10.4
Operating System: Microsoft Windows .NET Server SP0
Name: FILESERVER
MAC Address: 08:00:27:5c:d4:ad
Services
port  proto  name  info
139   tcp
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)
Credentials
user              pass
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Compromises
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
Host: 10.10.10.5
Operating System: Microsoft Windows .NET Server SP0
Name: MAIL
MAC Address: 08:00:27:1f:1d:86
Services (port / proto / name / info):
25 tcp smtp  220 ACME Corporation Mail Server [hMailServer]
139 tcp
143 tcp imap  OK IMAPrev1
110 tcp pop3  +OK POP3
135 tcp
445 tcp  Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)
Credentials (user / pass): SUPPORT_388945a0, Guest, Administrator (password hashes)
Compromises (opened / duration / method):
03-01-12 09:14:46 PM  unknown  Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
Host: 10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29
Services (port / proto / name / info):
135 tcp
139 tcp
445 tcp  Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
Credentials (user / pass): joshsokol, User, Administrator (password hashes)
Compromises (opened / duration / method):
03-01-12 09:14:49 PM  unknown  Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
Host: 10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64
Services (port / proto / name / info):
80 tcp http  Apache/2.2.14 (Ubuntu)
22 tcp ssh  SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Host: 10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services (port / proto / name / info):
139 tcp
135 tcp
445 tcp smb  Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
Credentials (user / pass): administrator (password hash)
Compromises (opened / duration / method):
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM  unknown  Generic Payload Handler
03-01-12 09:21:26 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
Host: 10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services (port / proto / name / info):
135 tcp
139 tcp
445 tcp smb  Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
Credentials (user / pass): administrator, CORP\administrator (password hashes)
Compromises (opened / duration / method):
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
Host: 192.168.121.10
Operating System: Microsoft Windows 7
Name:
MAC Address:
Host: 192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01
Host: 192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services (port / proto / name / info):
135 tcp
139 tcp
445 tcp smb  Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
Host: 192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services (port / proto / name / info):
22 tcp ssh  SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials (user / pass):
jsokol joshrocks
Compromises (opened / duration / method):
03-01-12 09:16:58 PM  unknown  SSH Login Check Scanner
Vulnerabilities:
• SSH Login Check Scanner
This module will test SSH logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11 SPEAR PHISHING
Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template. Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
Token      Description
%To%       The email address of the person the message is sent to
%To_Name%  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
%URL%      The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this message. Press ... to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
13 Web Drive-by Attacks
Firefox Addon Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit® web server that serves a dynamically created Firefox Add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler you must specify a URI to bind to and a port to start the Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks.
If a tasking is available, Beacon will download its tasks and execute them. This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains.
This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
(Source: "Beaconing - Cobalt Strike", www.advancedpentest.com/help-beacon, printed 10/20/12)
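The check-in pattern just described (sleep, periodic contact, rotation across several domains, HTTP or DNS) is exactly what a defender looks for in egress logs. The following is an added example, not Cobalt Strike's or this document's code: it parses constructed proxy log lines and flags sources whose outbound cadence stays nearly constant once all of their destinations are pooled, so switching domains does not hide the rhythm. The log format, sample values and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (time, source, destination host, bytes), not real data:
# 10.10.10.189 checks in roughly every 60 s, alternating between two callback
# domains; 10.10.10.18 is a person browsing with irregular gaps.
SAMPLE_LOG = """\
2012-03-01 21:21:00 10.10.10.189 cdn-updates.example 312
2012-03-01 21:21:05 10.10.10.18 news.example 48211
2012-03-01 21:21:07 10.10.10.18 news.example 9120
2012-03-01 21:21:08 10.10.10.18 static.news.example 20331
2012-03-01 21:22:01 10.10.10.189 metrics-sync.example 298
2012-03-01 21:22:59 10.10.10.189 cdn-updates.example 305
2012-03-01 21:23:40 10.10.10.18 mail.example 5120
2012-03-01 21:24:00 10.10.10.189 metrics-sync.example 311
2012-03-01 21:25:02 10.10.10.189 cdn-updates.example 302
2012-03-01 21:25:59 10.10.10.189 metrics-sync.example 309
2012-03-01 21:27:00 10.10.10.189 cdn-updates.example 300
2012-03-01 21:27:15 10.10.10.18 news.example 51022
2012-03-01 21:27:16 10.10.10.18 news.example 7710
2012-03-01 21:28:01 10.10.10.189 metrics-sync.example 307
2012-03-01 21:28:50 10.10.10.18 mail.example 4802
"""

LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Group (timestamp, destination) pairs by source address."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        by_src[m.group(2)].append((when, m.group(3)))
    return by_src


def cadence(timestamps):
    """Mean gap between consecutive events and its coefficient of variation.

    A low CV means the gaps are nearly constant, the signature of a payload
    that sleeps for a fixed interval and then checks in.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0), float("inf")
    mean = statistics.fmean(gaps)
    return mean, (statistics.stdev(gaps) / mean if mean > 0 else float("inf"))


def find_beacons(text, min_requests=6, max_cv=0.1):
    """Flag sources whose outbound timing is too regular to be a human.

    All destinations of a source are pooled before measuring, so a payload that
    rotates between several domains still shows one steady rhythm. Thresholds
    are assumptions for the sample; the same test applies to DNS query logs.
    """
    findings = {}
    for src, events in parse_log(text).items():
        if len(events) < min_requests:
            continue
        events.sort()
        mean, cv = cadence([t for t, _ in events])
        if cv <= max_cv:
            findings[src] = {
                "interval_s": round(mean),
                "cv": round(cv, 3),
                "domains": sorted({d for _, d in events}),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_beacons(SAMPLE_LOG).items():
        print(src, info)
```

Jittered sleep raises the CV, so in practice the threshold is tuned per environment and combined with other signals such as uniform response sizes.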
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets, so you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables and launch it.
Armitage aims to make this process easier for you. If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
41 On Windows
Here are the steps to install and run Armitage on Windows:
1 Install Metasploit 4.4 or later
2 Install Oracle's Java 1.7 (JRE or JDK)
3 Start -> Programs -> Metasploit -> Framework -> Framework Update
4 Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5 Make sure you're the Administrator user
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
42 On Linux
To install Armitage on Linux:
1 Make sure you're the root user. Download and install the Metasploit Framework from http://www.metasploit.com
2 Get the full package with all of the Linux dependencies
3 After installation, type /opt/framework/app/msfupdate to update Metasploit
4 Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu)
You can install Armitage with a simple command, but before executing it you need to be the root user, so open a terminal and type exactly:
$ sudo su
apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you now need to make sure you have a database startup script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note
If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
43 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0 and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
45 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X.
There is a lot of manual setup involved getting the pre-requisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download the MacOS X package, extract it and double-click the Armitage.app file to get started.
Here are three MacOS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH
$MSF_DATABASE_CONFIG points to a YAML file
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage
the msgpack ruby gem
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
61 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7 User interface format (GUI)
The user interface is very easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage the cyber attack without any help.
71 Overview
The Armitage user interface has three main panels: modules, targets and tabs. You may click the area between these panels to resize them to your liking.
711 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*) and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
712 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7121 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation, Armitage has a table view.
Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
713 Tabs
Armitage opens each dialog, console and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console format
The Metasploit console, Meterpreter console and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color:
9 Host management
91 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0 and 10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as indows; Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
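The filter a dynamic workspace applies can be written down precisely. Below is an added example, not Armitage's own code: a Python filter that applies the Hosts, Ports, OS and sessions-only criteria described above to a constructed host list, including the bare-address shortcuts. It generalises those shortcuts to any number of trailing .0 octets, and it assumes a host matches the Ports field when it has any one of the listed ports.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """One row of Metasploit's hosts table (constructed sample, not a real export)."""
    address: str
    os_name: str
    ports: set = field(default_factory=set)   # open TCP ports seen by a scan
    sessions: int = 0                          # live shell/Meterpreter sessions


def parse_network(desc: str) -> ipaddress.IPv4Network:
    """Interpret one entry of the Hosts field.

    CIDR such as 10.10.0.0/16 is taken literally. A bare address is widened
    by its trailing .0 octets, which generalises the two shortcuts in the
    manual: 192.168.95.0 -> /24, 192.168.0.0 -> /16 (and 10.0.0.0 -> /8).
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad network description: {desc!r}")
    trailing_zero = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zero += 1
    return ipaddress.ip_network(f"{desc}/{32 - 8 * trailing_zero}", strict=False)


def split_field(value: str) -> list:
    """Workspace fields take several values separated by a comma and a space."""
    return [v for v in value.split(", ") if v]


def workspace_hosts(hosts, networks="", ports="", os="", sessions_only=False):
    """Return the addresses a dynamic workspace would show.

    Every non-empty criterion must hold (the manual allows any combination).
    Assumption: a host matches the Ports field if it has any one of the ports.
    """
    nets = [parse_network(n) for n in split_field(networks)]
    wanted_ports = {int(p) for p in split_field(ports)}
    os_terms = [t.lower() for t in split_field(os)]   # partial, case-insensitive
    shown = []
    for h in hosts:
        addr = ipaddress.ip_address(h.address)
        if nets and not any(addr in n for n in nets):
            continue
        if wanted_ports and not (wanted_ports & h.ports):
            continue
        if os_terms and not any(t in h.os_name.lower() for t in os_terms):
            continue
        if sessions_only and h.sessions == 0:
            continue
        shown.append(h.address)
    return shown


# Constructed sample modelled on the host report earlier in this document.
SAMPLE_HOSTS = [
    Host("10.10.10.4", "Microsoft Windows 2003", {135, 139, 445}, sessions=1),
    Host("10.10.10.21", "Linux Ubuntu", {22, 80}),
    Host("192.168.57.8", "Microsoft Windows XP", {135, 139, 445}),
    Host("192.168.57.18", "Linux Ubuntu", {22}, sessions=1),
    Host("10.10.10.189", "Microsoft Windows 7", {135, 139, 445}, sessions=2),
]

if __name__ == "__main__":
    print(workspace_hosts(SAMPLE_HOSTS, networks="10.10.0.0/16"))
    print(workspace_hosts(SAMPLE_HOSTS, os="indows", sessions_only=True))
```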
92 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
93 NMap Scan
You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the options you choose.
NMap scans do not use the pivots you have set up.
94 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
95 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
96 Database maintenance
Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
101 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
104 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
105 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
105 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation
111 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver

12.1 Pivoting

Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.

To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.

12.2 Scanning and External Tools

Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.

To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit

13.1 Remote Connection

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.

The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.2 Multi-player Metasploit Setup

The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:

    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it.

Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.

The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.

Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally; use the [external IP address] in the Host field.

Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
13.3 Multi-player Metasploit

Armitage's red team collaboration mode adds a few new features. These are described here.

View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.

Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.

Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.

Some Metasploit modules require you to specify one or more files. If a file option has a next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.

Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage

14.1 Cortana

Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.

14.2 Standalone Bots

A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.

Here's a helloworld.cna Cortana script:

    # the "ready" event fires once the bot has connected to the team server
    on ready {
        println("Hello World");
        quit();
    }

To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example:

    # connect.prop file
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script Management

You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.

To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.

Conclusion

Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Armitage is open source software developed by Raphael Mudge's company, Strategic Cyber LLC. Cobalt Strike is the commercially supported big brother of Armitage. Cobalt Strike adds features to support professional penetration testers and red teams, including:

- Professional Reports
- Spear Phishing
- Web Drive-by Attacks
- Client-side Reconnaissance
- VPN Pivoting
- Covert Command and Control

1.1 Professional Reports

Professional Reports draw on the hosts and vulnerabilities recorded in the database. The following is based on the hosts report.
Hosts Report
March 1, 2012

This report shows host information gathered during this penetration test.

Summary
  Hosts: 12
  Services: 30
  Vulnerabilities: 7
  Compromises: 11

10.10.10.1
  Operating System: Cisco IOS
  Name:
  MAC Address: 08:00:27:26:cc:f9
10.10.10.3
  Operating System: Microsoft Windows 2008 R2 SP0
  Name: DC
  MAC Address: 08:00:27:1c:62:e1

  Services (port / proto / name / info)
    139  tcp
    135  tcp
    389  tcp
    445  tcp  smb  Windows Server 2008 R2 Enterprise (Build 7600) (language:Unknown) (name:DC) (domain:CORP)

  Credentials (user / pass)
    Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

  Compromises (opened / duration / method)
    03-01-12 09:23:54 PM  1 minute  Microsoft Windows Authenticated User Code Execution
    03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution

  Vulnerabilities
    - Microsoft Windows Authenticated User Code Execution
      This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
10.10.10.4
  Operating System: Microsoft Windows .NET Server SP0
  Name: FILESERVER
  MAC Address: 08:00:27:5c:d4:ad

  Services (port / proto / name / info)
    139  tcp
    135  tcp
    445  tcp  Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)

  Credentials (user / pass)
    Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
    Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

  Compromises (opened / duration / method)
    03-01-12 09:14:46 PM  unknown  Microsoft Server Service Relative Path Stack Corruption

  Vulnerabilities
    - Microsoft Server Service Relative Path Stack Corruption
      This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.5
  Operating System: Microsoft Windows .NET Server SP0
  Name: MAIL
  MAC Address: 08:00:27:1f:1d:86

  Services (port / proto / name / info)
    25   tcp  smtp  220 ACME Corporation Mail Server [hMailServer]
    139  tcp
    143  tcp  imap  OK IMAPrev1
    110  tcp  pop3  +OK POP3
    135  tcp
    445  tcp  Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)

  Credentials (user / pass)
    SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
    Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

  Compromises (opened / duration / method)
    03-01-12 09:14:46 PM  unknown  Microsoft Server Service Relative Path Stack Corruption

  Vulnerabilities
    - Microsoft Server Service Relative Path Stack Corruption
      This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.18
  Operating System: Microsoft Windows XP SP2
  Name: JOSHDEV
  MAC Address: 08:00:27:5a:86:29

  Services (port / proto / name / info)
    135  tcp
    139  tcp
    445  tcp  Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

  Credentials (user / pass)
    joshsokol      aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
    User           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

  Compromises (opened / duration / method)
    03-01-12 09:14:49 PM  unknown  Microsoft Server Service Relative Path Stack Corruption

  Vulnerabilities
    - Microsoft Server Service Relative Path Stack Corruption
      This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.21
  Operating System: Linux Ubuntu
  Name: 10.10.10.21
  MAC Address: 08:00:27:9d:3c:64

  Services (port / proto / name / info)
    80  tcp  http  Apache/2.2.14 (Ubuntu)
    22  tcp  ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
10.10.10.188
  Operating System: Microsoft Windows 7 SP0
  Name: WS2
  MAC Address: 08:00:27:08:3f:1d

  Services (port / proto / name / info)
    139  tcp
    135  tcp
    445  tcp  smb  Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)

  Credentials (user / pass)
    administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

  Compromises (opened / duration / method)
    03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
    03-01-12 09:11:42 PM  unknown   Generic Payload Handler
    03-01-12 09:21:26 PM  1 minute  Microsoft Windows Authenticated User Code Execution

  Vulnerabilities
    - Microsoft Windows Authenticated User Code Execution
      This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
10.10.10.189
  Operating System: Microsoft Windows 7 SP0
  Name: CEOSBOX
  MAC Address: 08:00:27:78:78:fb

  Services (port / proto / name / info)
    135  tcp
    139  tcp
    445  tcp  smb  Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)

  Credentials (user / pass)
    administrator       e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
    CORP\administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

  Compromises (opened / duration / method)
    03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
    03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution

  Vulnerabilities
    - Microsoft Windows Authenticated User Code Execution
      This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
19216812110
  Operating System: Microsoft Windows 7
  Name:
  MAC Address:

192.168.57.1
  Operating System: Linux Ubuntu
  Name: 192.168.57.1
  MAC Address: 0a:00:27:00:00:01

192.168.57.8
  Operating System: Microsoft Windows XP SP2
  Name:
  MAC Address: 08:00:27:3b:3b:dd

  Services (port / proto / name / info)
    135  tcp
    139  tcp
    445  tcp  smb  Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

192.168.57.18
  Operating System: Linux Ubuntu
  Name:
  MAC Address: 08:00:27:e9:f9:8e

  Services (port / proto / name / info)
    22  tcp  ssh  SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

  Credentials (user / pass)
    jsokol  joshrocks

  Compromises (opened / duration / method)
    03-01-12 09:16:58 PM  unknown  SSH Login Check Scanner

  Vulnerabilities
    - SSH Login Check Scanner
      This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
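The credential tables above are the part of a report a defender acts on first. As an added example that is neither Cobalt Strike's nor the report's own code, the Python below reads lines in the report's "user pass" layout and flags accounts with a stored LM hash, accounts whose NT hash is that of the empty password, and passwords captured in plaintext. The sample lines are constructed; only the two hash constants are real, well-known values.

```python
import re

# Well-known constants: the LM field Windows stores when no LM hash is kept,
# and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed credential lines in the report's "user pass" layout (not from the page);
# every hash value here is made up except the two constants above.
SAMPLE_CREDENTIALS = """\
Administrator aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
Guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
svc_backup 7f3d9c1a2b4e5f60718293a4b5c6d7e8:fedcba9876543210fedcba9876543210
jsokol joshrocks
"""


def parse_credential(line):
    """Split 'user secret' into (user, lm, nt) when the secret is an LM:NT pair
    (the colon is optional, since extraction sometimes drops it), otherwise
    into (user, None, plaintext). Returns None for lines without two fields."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    user, secret = parts
    compact = secret.strip().replace(":", "").lower()
    if len(compact) == 64 and HEX32.match(compact[:32]) and HEX32.match(compact[32:]):
        return user, compact[:32], compact[32:]
    return user, None, secret.strip()


def hygiene_findings(text):
    """Map each user to the list of problems a defender should fix."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_credential(line)
        if parsed is None:
            continue
        user, lm, nt = parsed
        issues = []
        if lm is None:
            # the secret was captured in the clear, so it must be rotated
            issues.append("plaintext password recorded")
        else:
            if lm != EMPTY_LM:
                # an LM hash was kept for this password: LM storage is still enabled
                issues.append("LM hash stored")
            if nt == EMPTY_NT:
                # the account has an empty password
                issues.append("blank password")
        findings[user] = issues
    return findings
```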
1.2 Spear Phishing

Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template.

Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.

Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.

You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:

  Token    Description
  To       The email address of the person the message is sent to.
  To_Name  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
  URL      The contents of the URL field in the spear phishing dialog.

Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this. Press to choose one of the Cobalt Strike hosted sites you've started.

Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.

Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
1.3 Web Drive-by Attacks

Firefox Add-on Attack

This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit® web server that serves a dynamically created Firefox Add-on.

This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site, and embed the Firefox Add-on Attack URL.

1.4 Client-side Reconnaissance

System Profiler

The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.

To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.

1.5 VPN Pivoting

Covert VPN

Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.

Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.

1.6 Covert Command and Control

What is Beacon?

Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.

This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
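The sleep-then-check-in behaviour described above is what a defender can look for in outbound connection logs. As an added example that is not Cobalt Strike's code, the Python below groups constructed proxy log lines by source and destination and flags pairs whose inter-connection gaps are nearly constant; the tolerance and minimum hit count are parameters because real beacons add jitter, and a payload that rotates domains would need the grouping widened to the source host alone.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (not from the page), one record per line:
# "<ISO timestamp> <source host> <destination>". 10.10.10.188 polls
# updates.example.com about every 60 seconds; 10.10.10.21 browses irregularly.
SAMPLE_LOG = """\
2012-03-01T21:00:00 10.10.10.188 updates.example.com
2012-03-01T21:00:05 10.10.10.21 www.example.org
2012-03-01T21:00:09 10.10.10.21 www.example.org
2012-03-01T21:01:00 10.10.10.188 updates.example.com
2012-03-01T21:01:58 10.10.10.188 updates.example.com
2012-03-01T21:02:30 10.10.10.21 www.example.org
2012-03-01T21:03:00 10.10.10.188 updates.example.com
2012-03-01T21:03:00 10.10.10.21 www.example.org
2012-03-01T21:03:10 10.10.10.188 mail.example.com
2012-03-01T21:04:00 10.10.10.188 updates.example.com
2012-03-01T21:10:00 10.10.10.21 www.example.org
"""


def parse_log(text):
    """Yield (timestamp, source, destination) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue  # unparseable timestamp


def find_beacons(text, min_hits=4, max_cv=0.15):
    """Return {(source, destination): period_seconds} for pairs whose gaps
    between connections are nearly constant: coefficient of variation
    (population stddev / mean) at or below max_cv, with at least min_hits hits."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    found = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few samples to call the pattern periodic
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all hits at the same instant: a burst, not a beacon
        if pstdev(gaps) / avg <= max_cv:
            found[pair] = round(avg, 1)
    return found
```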
2 Cyber Attack Management

Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.

For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets, so you'll always know which hosts you're working with and where you have sessions.

Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.

For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.

Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu, you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.

Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools, you can further explore and maneuver through the network.

The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 Necessary Things to Know

To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.

Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.

Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.

If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.

Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation

4.1 On Windows

Here are the steps to install and run Armitage on Windows:

1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update.
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database).
5. Make sure you're the Administrator user.

To run Armitage:

- Start -> Programs -> Metasploit -> Framework -> Armitage
- Click Connect.
- Click Yes when asked whether or not to start Metasploit's RPC daemon.
- If asked where Metasploit is installed, select the Metasploit directory (e.g., c:\metasploit). You will only need to do this once.

The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux

To install Armitage on Linux:

1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu).

You can install Armitage with a single command, but you need to be the root user before running it, so open a terminal and type exactly:

    $ sudo su
    # apt-get install armitage

We need to enable the RPC daemon for Metasploit. Use this command on the terminal:

    root@bt:~# msfrpcd -f -U msf -P test -t Basic

Open a terminal and add /usr/local/bin to $PATH:

    export PATH=$PATH:/usr/local/bin

Since Metasploit 4.1, you now need to make sure you have a database startup script:

    echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults

Now start the MySQL server so that Armitage stores results:

    root@bt:~# /etc/init.d/mysql start

This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the "Metasploit as a service" option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.

Now it's time to run Armitage. Locate the directory and type:

    root@bt:/pentest/exploits/armitage# ./armitage.sh

To start Armitage:

- Open a terminal
- Type armitage
- Click Connect
- Press Yes if asked to start msfrpcd

The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.

Note: If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack R3

Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.

To start Armitage:

- Open a terminal
- Type armitage
- Click Connect
- Press Yes if asked to start msfrpcd

4.5 On Mac OS X

Armitage works on MacOS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved getting the pre-requisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on MacOS X as well.

Armitage on MacOS X works fine as a remote client to Metasploit. Download the MacOS X package, extract it, and double-click the Armitage.app file to get started.

Here are three MacOS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them, though.

- The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
- Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
- Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)

Armitage is a fast-moving project, and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:

    msfrpcd -U msf -P password -S -f
5 Manual Setup

Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:

- A PostgreSQL database. No other database is supported.
- msfrpcd is in $PATH.
- $MSF_DATABASE_CONFIG points to a YAML file.
- $MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
- The msgpack Ruby gem.

6 Updating Metasploit

The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.

When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.

If you run msfupdate and Armitage stops working, you have a few options:

1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.

2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:

    cd /path/to/metasploit/msf3
    source scripts/setenv.sh
    svn update -r [revision number]

This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the meantime.

3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.

If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect

If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:

    java -jar armitage.jar --client connect.prop

Here's an example connect.prop file:

    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles

If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
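The connect.prop file stores the msfrpcd password in clear text, so the shortcut-per-server idea is worth wrapping in a little care. The script below is an added example, not part of Armitage or its manual: it keeps one connect.prop per server under a private directory, writes each file with mode 0600, refuses a file that is readable by others or is missing a key, and only then hands it to `java -jar armitage.jar --client`. The directory name, the server names and the credentials are placeholders.

```shell
#!/bin/sh
# Added example, not part of Armitage: one connect.prop per Metasploit
# server, written with owner-only permissions and checked before use.
# PROP_DIR, the server names and the credentials below are placeholders.

PROP_DIR="${PROP_DIR:-$HOME/.armitage-servers}"

# write_connect_prop NAME HOST PORT USER PASS -> creates $PROP_DIR/NAME.prop
write_connect_prop() {
    name=$1; host=$2; port=$3; user=$4; pass=$5
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    if [ -z "$host" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "host, user and pass are all required" >&2; return 1
    fi
    mkdir -p "$PROP_DIR" && chmod 700 "$PROP_DIR"
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077
      printf 'host=%s\nport=%s\nuser=%s\npass=%s\n' "$host" "$port" "$user" "$pass" \
          > "$PROP_DIR/$name.prop" )
}

# prop_value FILE KEY -> prints the value of KEY from a connect.prop file
prop_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_connect_prop FILE -> 0 only when all four keys are present and the
# file is private to its owner (the RPC password is stored in clear text)
check_connect_prop() {
    for key in host port user pass; do
        [ -n "$(prop_value "$1" "$key")" ] || { echo "$1: missing $key" >&2; return 1; }
    done
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# armitage_client NAME -> starts Armitage against the named server,
# e.g. armitage_client lab-teamserver
armitage_client() {
    f="$PROP_DIR/$1.prop"
    check_connect_prop "$f" || return 1
    java -jar armitage.jar --client "$f"
}
```

A desktop shortcut then only needs to call `armitage_client <name>`; the permission check means a connect.prop that was copied around and left world-readable is rejected rather than silently used.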
7 User interface (GUI)

The user interface is easy and friendly for a pentester as well as for a hacker; it is made simple enough that a user can manage a cyber attack without help.

7.1 Overview

The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules

The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.

Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.

You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View

The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host.

A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.

Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g., launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.

The Login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.

Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.

Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image

Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View

If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.

Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.

Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs

Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.

You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name. Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.

You may drag and drop tabs to change their order.

Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console format

The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.

The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.

In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.

Press Ctrl F to show a panel that will let you search for text within the console. Use Ctrl A to select all text in the console's buffer.

Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.

The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences, which lists the Armitage color palette and the preference associated with each color.
9 Host management

9.1 Dynamic workspaces

Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.

Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.

If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.

Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space.

Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space.

Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace.

You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.

Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
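The shorthand rules above are easy to misjudge when a workspace filter silently hides hosts. The script below is an added example, not part of Armitage: it expands a Hosts-field description into the explicit first-last address range it covers, following the two rules the manual states (CIDR notation, and trailing zero octets as wildcards). Extending the wildcard rule to a third trailing zero octet (10.0.0.0 covering 10.0.0.0-10.255.255.255) and accepting any /N prefix length are assumptions by analogy with those rules, not something the manual states.

```shell
#!/bin/sh
# Added example, not part of Armitage: expands dynamic-workspace network
# descriptions into "first-last" ranges. Extending the trailing-zero
# wildcard past two octets and accepting any /N are assumptions.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_network DESC -> prints "first-last" for one description
expand_network() {
    desc=$1
    case "$desc" in
        */*)
            # CIDR: 10.10.0.0/16 -> 10.10.0.0-10.10.255.255
            ip=${desc%/*}; bits=${desc#*/}
            [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
            base=$(ip_to_int "$ip")
            mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
            first=$(( base & mask ))
            last=$(( first | (~mask & 4294967295) ))
            ;;
        *)
            # Armitage shorthand: trailing zero octets are wildcards, so
            # 192.168.95.0 -> 192.168.95.0-192.168.95.255 and
            # 192.168.0.0  -> 192.168.0.0-192.168.255.255
            IFS=. read -r a b c d <<EOF
$desc
EOF
            first=$(ip_to_int "$desc"); last=$first
            if [ "$d" -eq 0 ]; then
                last=$(( last | 255 ))
                if [ "$c" -eq 0 ]; then
                    last=$(( last | (255 << 8) ))
                    if [ "$b" -eq 0 ]; then
                        last=$(( last | (255 << 16) ))   # assumed extension
                    fi
                fi
            fi
            ;;
    esac
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# expand_workspace_hosts "DESC, DESC, ..." -> one range per line, the
# field being comma-separated as in the workspace dialog
expand_workspace_hosts() {
    echo "$1" | tr ',' '\n' | while read -r d; do
        [ -n "$d" ] && expand_network "$d"
    done
}
```

Run `expand_workspace_hosts "10.10.0.0/16, 192.168.95.0"` to see what a Hosts field will match before trusting a workspace view during an engagement.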
9.2 Importing hosts

To add host information to Metasploit, you may import it. The Hosts -> Import Hosts menu accepts the following files:

Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan

You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Hosts -> NMap Scan menu has several scanning options.

Optionally, you may type db_nmap in a console to launch NMap with the options you choose.

NMap scans do not use the pivots you have set up.
9.4 MSF Scan

Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.

Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Hosts -> MSF Scan to launch these as well.

These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g., an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration

Another host discovery option is to enumerate a DNS server. Go to Hosts -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating.

If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance

Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Hosts -> Clear Database.
10 Exploitation

10.1 Remote exploitation

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.

To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.

10.4 Automatic exploitation

If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.

This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation

Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack.

Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.

10.6 Client-side exploits and payloads

If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.

Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.

If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post-exploitation

11.1 Managing sessions

Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.

If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.

11.2 Privilege escalation

Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver

12.1 Pivoting

Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.

To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools

Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.

To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up.

External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
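The SOCKS proxy only carries TCP connections that an external tool makes through it, which is exactly where nmap gets people into trouble: a SYN scan, an OS fingerprint or a ping sweep use raw sockets and ICMP and go straight out your own interface, not through the pivot. The script below is an added example, not part of Armitage or Metasploit, covering both this section and the SOCKS4 proxy note under section 13: it writes a proxychains configuration pointing at the Metasploit SOCKS4 server and normalises nmap arguments so only a TCP connect scan with host discovery disabled is ever sent through the proxy. The proxy port (1080) and the proxychains4 binary name are assumptions; use whatever the Armitage SOCKS Proxy dialog shows and whatever proxychains build you have.

```shell
#!/bin/sh
# Added example, not part of Armitage: run external tools through the
# Metasploit SOCKS4 proxy with proxychains. Port 1080 and the proxychains4
# binary name are assumptions.

# write_proxychains_conf OUTFILE [PORT] -> proxychains config for the pivot.
# proxy_dns keeps name lookups inside the tunnel instead of leaking them.
write_proxychains_conf() {
    port=${2:-1080}
    cat > "$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 $port
EOF
}

# pivot_nmap_args ARGS... -> prints nmap arguments safe for a SOCKS pivot:
# raw-socket scan types and ICMP discovery are rejected, and -sT -Pn are
# added when missing so every probe is a proxied TCP connect.
pivot_nmap_args() {
    have_st=0; have_pn=0
    for a in "$@"; do
        case "$a" in
            -sS|-sU|-sA|-sN|-sF|-sX|-O|--traceroute)
                echo "option $a needs raw sockets and would bypass the pivot" >&2
                return 1 ;;
            -sT) have_st=1 ;;
            -Pn) have_pn=1 ;;
        esac
    done
    prefix=""
    [ $have_st -eq 1 ] || prefix="-sT "
    [ $have_pn -eq 1 ] || prefix="${prefix}-Pn "
    printf '%s' "$prefix"
    printf '%s ' "$@" | sed 's/ $//'
    echo
}

# pivot_nmap CONF TARGET... -> e.g. pivot_nmap /tmp/pc.conf 10.10.0.5 -p 445
pivot_nmap() {
    conf=$1; shift
    args=$(pivot_nmap_args "$@") || return 1
    # shellcheck disable=SC2086   # $args is intentionally word-split
    proxychains4 -q -f "$conf" nmap $args
}
```

Expect proxied scans to be slow (each port is a separate SOCKS connection) and to report closed and filtered ports less precisely than a direct scan; for bulk discovery, the ARP scan and MSF Scan features above, which run inside Metasploit, remain the better tool.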
13 Remote Metasploit

13.1 Remote connection

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely.

Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.

The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.2 Multi-player Metasploit setup

The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:

    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it.

Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.

The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.

Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally; use the [external IP address] in the Host field.

Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
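The fingerprint comparison is the only thing standing between a team member and a man-in-the-middle that proxies the team server's SSL port, so it is worth being able to do it outside the Armitage dialog as well. The script below is an added example, not part of Armitage: it pulls the certificate the server actually presents with openssl s_client, computes the SHA-1 fingerprint over the DER-encoded certificate (which is what the teamserver banner prints), and compares it against the value read from the banner, tolerating colons and upper-case hex. It assumes openssl is installed; the host, port and expected value are placeholders.

```shell
#!/bin/sh
# Added example, not part of Armitage: verify a team server's SSL
# certificate against the SHA-1 fingerprint the teamserver script printed.
# Requires openssl; host, port and the expected fingerprint are placeholders.

# normalize_fp FP -> lower-case hex with colons and whitespace removed, so a
# value copied from the banner and one printed by openssl compare equal
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'A-F' 'a-f'
}

# cert_sha1_fp PEMFILE -> SHA-1 over the DER encoding of the certificate
cert_sha1_fp() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_fp "${fp#*=}"        # strip the "SHA1 Fingerprint=" label
}

# fetch_server_cert HOST PORT OUTFILE -> saves the certificate the server
# presents on its SSL port (the teamserver listens on 55553)
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# verify_teamserver EXPECTED PEMFILE -> 0 only when the fingerprints match;
# 1 on mismatch, 2 if the file is not a certificate
verify_teamserver() {
    expected=$(normalize_fp "$1")
    actual=$(cert_sha1_fp "$2") || return 2
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "MISMATCH: expected '$expected' got '$actual'" >&2
    return 1
}

# usage (placeholders):
#   fetch_server_cert 192.168.95.241 55553 /tmp/teamserver.pem
#   verify_teamserver "$FINGERPRINT_FROM_TEAMSERVER_BANNER" /tmp/teamserver.pem
```

Send the banner fingerprint to the team over a channel the network under test does not control (a phone call or an out-of-band chat, not the event log of the server you are about to trust), and refuse to proceed on a mismatch rather than clicking through the dialog.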
13.3 Multi-player Metasploit

Armitage's red team collaboration mode adds a few new features. These are described here.

View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.

Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.

Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.

Some Metasploit modules require you to specify one or more files. If a file option has a ... next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.

Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running Meterpreter scripts.
14 Scripting Armitage

14.1 Cortana

Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots

A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.

Here's a helloworld.cna Cortana script:

    on ready {
        println("Hello World");
        quit();
    }

To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server.

Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:

    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management

You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.

To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console to open it.
Conclusion

Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
10.10.10.3
Operating System: Microsoft Windows 2008 R2 SP0
Name: DC
MAC Address: 08:00:27:1c:62:e1

Services
port  proto  name  info
139   tcp
135   tcp
389   tcp
445   tcp    smb   Windows Server 2008 R2 Enterprise (Build 7600) (language:Unknown) (name:DC) (domain:CORP)

Credentials
user           pass
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened                duration  method
03-01-12 09:23:54 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution

Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
10.10.10.4
Operating System: Microsoft Windows .NET Server SP0
Name: FILESERVER
MAC Address: 08:00:27:5c:d4:ad

Services
port  proto  name  info
139   tcp
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)

Credentials
user              pass
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

Compromises
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
  This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.5
Operating System: Microsoft Windows .NET Server SP0
Name: MAIL
MAC Address: 08:00:27:1f:1d:86

Services
port  proto  name  info
25    tcp    smtp  220 ACME Corporation Mail Server [hMailServer]
139   tcp
143   tcp    imap  OK IMAPrev1
110   tcp    pop3  +OK POP3
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)

Credentials
user              pass
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
  This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29

Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

Credentials
user           pass
joshsokol      aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
User           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened                duration  method
03-01-12 09:14:49 PM  unknown   Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
  This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64

Services
port  proto  name  info
80    tcp    http  Apache/2.2.14 (Ubuntu)
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d

Services
port  proto  name  info
139   tcp
135   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)

Credentials
user           pass
administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM  unknown   Generic Payload Handler
03-01-12 09:21:26 PM  1 minute  Microsoft Windows Authenticated User Code Execution

Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb

Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)

Credentials
user                pass
administrator       e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
CORP\administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b

Compromises
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution

Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
19216812110
Operating System: Microsoft Windows 7
Name:
MAC Address:
192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01
192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd

Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e

Services
port  proto  name  info
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

Credentials
user    pass
jsokol  joshrocks

Compromises
opened                duration  method
03-01-12 09:16:58 PM  unknown   SSH Login Check Scanner

Vulnerabilities
• SSH Login Check Scanner
  This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11 SPEAR PHISHING

Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template.

Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.

Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.

You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
Token      Description
%To%       The email address of the person the message is sent to.
%To_Name%  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
%URL%      The contents of the URL field in the spear phishing dialog.

Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this message. Press ... to choose one of the Cobalt Strike hosted sites you've started.

Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see.

Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.

Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
13 Web Drive-by Attacks

Firefox Addon Attack

This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit web server that serves a dynamically created Firefox Add-on.

This is a great attack to embed in a cloned website. Find a popular Firefox addon, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance

System Profiler

The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.

To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting

Covert VPN

Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.

Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control

What is Beacon?

Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.

This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust: if a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets: you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu, you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools, you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar: to launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update.
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database).
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory (e.g., c:\metasploit). You will only need to do this once.
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu).
You can also install Armitage with a single command, but you need to be the root user before running it. Open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal and add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you now need to make sure you have a database startup script. The script is written, made executable, started, and registered to run at boot (the original listed two different script names; the same name is used throughout here so the chmod and start lines act on the file the echo created):
echo "exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh \$@" > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast-moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack ruby gem.
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository, and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the meantime.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7 User interface format (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g., launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy (this only works when a pivot is set up)
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation, Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And use Ctrl+W to open the current tab in its own window.
8 Console format
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a Console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. The Armitage color palette and the preference associated with each color are shown in the original document's palette figure.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the Add Workspace dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as indows; Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
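To make the network-description shorthand and the other workspace filters concrete, here is an added Python example (not code from Armitage or its author) that applies a dynamic workspace's Hosts, Ports, OS and sessions-only fields to a constructed sample of host records. The Host and DynamicWorkspace classes, the sample hosts, and the rule that a host qualifies when it matches any one of several listed entries are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed stand-in for rows of the Metasploit hosts database (not real hosts).
@dataclass
class Host:
    ip: str
    os_name: str = ""
    ports: set = field(default_factory=set)   # open TCP ports found by a scan
    has_session: bool = False                  # a shell or Meterpreter session exists


SAMPLE_HOSTS = [
    Host("10.10.10.4", "Microsoft Windows .NET Server", {135, 139, 445}, True),
    Host("10.10.10.18", "Microsoft Windows XP SP2", {135, 139, 445}, False),
    Host("192.168.95.7", "Linux 2.6.x", {22, 80}, False),
    Host("192.168.200.3", "Linux 2.6.x", {22}, True),
]


def split_field(value):
    """Split a workspace field; the manual separates entries with a comma and a space."""
    return [v.strip() for v in value.split(",") if v.strip()]


def network_to_range(desc):
    """Turn one network description into an inclusive (first, last) IPv4Address pair.

    The two forms the manual documents are CIDR ("10.10.0.0/16") and the
    zero-octet shorthand: "192.168.95.0" means 192.168.95.0-255 and
    "192.168.0.0" means 192.168.0.0-192.168.255.255. A plain address whose
    last octet is not zero is taken as that single host.
    """
    desc = desc.strip()
    if "/" in desc:
        net = ipaddress.ip_network(desc, strict=False)
        return net.network_address, net.broadcast_address
    octets = desc.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"unsupported network description: {desc!r}")
    high = octets[:]
    i = 4
    # every trailing zero octet is a wildcard, so it becomes 255 in the upper bound
    while i > 0 and octets[i - 1] == "0":
        high[i - 1] = "255"
        i -= 1
    return ipaddress.IPv4Address(".".join(octets)), ipaddress.IPv4Address(".".join(high))


@dataclass
class DynamicWorkspace:
    name: str
    hosts: str = ""            # e.g. "10.10.0.0/16, 192.168.95.0"
    ports: str = ""            # e.g. "445, 3389"
    os: str = ""               # e.g. "indows, Linux" (partial, case-insensitive)
    sessions_only: bool = False

    def matches(self, host):
        """True if the host satisfies every filter this workspace specifies.

        Assumption (the manual does not say): within one field a host qualifies
        if it matches ANY listed network, ANY listed port, or ANY OS fragment.
        """
        if self.hosts:
            ip = ipaddress.IPv4Address(host.ip)
            ranges = [network_to_range(d) for d in split_field(self.hosts)]
            if not any(lo <= ip <= hi for lo, hi in ranges):
                return False
        if self.ports:
            wanted = {int(p) for p in split_field(self.ports)}
            if not wanted & host.ports:
                return False
        if self.os:
            fragments = [f.lower() for f in split_field(self.os)]
            if not any(f in host.os_name.lower() for f in fragments):
                return False
        if self.sessions_only and not host.has_session:
            return False
        return True


def filter_hosts(workspace, hosts):
    """Return the hosts a dynamic workspace would display, in database order."""
    return [h for h in hosts if workspace.matches(h)]


if __name__ == "__main__":
    ws = DynamicWorkspace("corp-windows", hosts="10.10.0.0/16", os="indows")
    for h in filter_hosts(ws, SAMPLE_HOSTS):
        print(h.ip, h.os_name)
```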
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Hosts -> Import Hosts menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap Scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Hosts -> Nmap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Hosts -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g., an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Hosts -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Hosts -> Create Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit looks like the diagram in the original document.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH. The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally: use the [external IP address] in the Host field. Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
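Added here as an example (not Armitage's own code), a Python pre-connection check that reads a connect.prop file like the one in section 6.1, applies the rule described above that a loopback address means a plain msfrpcd connection while any other address is treated as an SSL team server, and compares the fingerprint the team server printed at startup with the one the client sees in constant time. The function names and the sample fingerprint are constructed for illustration; the fingerprint is made-up hex, not a real certificate hash.

```python
import hmac
import ipaddress

REQUIRED_KEYS = ("host", "port", "user", "pass")


def parse_connect_prop(text):
    """Parse the key=value lines of a connect.prop file into a dict.

    host, port, user and pass are required (as in the manual's example);
    nick is optional and is used by Cortana bots.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed connect.prop line: {raw!r}")
        props[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError(f"connect.prop is missing: {', '.join(missing)}")
    props["port"] = int(props["port"])
    if not 1 <= props["port"] <= 65535:
        raise ValueError("port out of range")
    return props


def expects_ssl(host):
    """Mirror the rule from the manual: a loopback address means a local msfrpcd
    (no SSL); any other address is treated as a team server (SSL). A hostname
    other than localhost is assumed to be remote."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() != "localhost"


def normalize_fingerprint(fp):
    """Accept 'AB:CD:..', 'abcd..' or space-separated forms; return lowercase hex."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprint_matches(expected, presented):
    """Constant-time comparison of the SHA-1 fingerprint the team server printed
    at startup with the one the client was shown on connect."""
    a, b = normalize_fingerprint(expected), normalize_fingerprint(presented)
    if len(a) != 40 or len(b) != 40:   # SHA-1 is 20 bytes, i.e. 40 hex digits
        return False
    return hmac.compare_digest(a, b)


def check_connection(prop_text, expected_fp, presented_fp):
    """Decide what to do with this connect.prop and the two fingerprints.

    Returns "local-msfrpcd" (plain connection; never use this for a team
    server), "teamserver-ok", or "abort-fingerprint-mismatch".
    """
    props = parse_connect_prop(prop_text)
    if not expects_ssl(props["host"]):
        return "local-msfrpcd"
    if not fingerprint_matches(expected_fp, presented_fp):
        return "abort-fingerprint-mismatch"
    return "teamserver-ok"


# Constructed sample inputs; the fingerprint is made-up hex, not a real certificate hash.
TEAM_PROP = "host=192.168.95.241\nport=55553\nuser=msf\npass=password\nnick=MyBot\n"
LOCAL_PROP = "host=127.0.0.1\nport=55553\nuser=msf\npass=password\n"
SERVER_FP = "0123456789abcdef0123456789abcdef01234567"

if __name__ == "__main__":
    print(check_connection(TEAM_PROP, SERVER_FP, SERVER_FP))
    print(check_connection(LOCAL_PROP, SERVER_FP, SERVER_FP))
```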
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use. Some Metasploit modules require you to specify one or more files. If a file option has an icon next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally. Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World!");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
10.10.10.4
Operating System: Microsoft Windows .NET Server SP0
Name: FILESERVER
MAC Address: 08:00:27:5c:d4:ad
Services (port, proto, name, info):
139 tcp
135 tcp
445 tcp Windows 2003 No Service Pack (language:Unknown) (name:FILESERVER) (domain:CORP)
Credentials (user, pass):
Compromises (opened, duration, method):
03-01-12 09:14:46 PM, unknown, Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
10.10.10.5
Operating System: Microsoft Windows .NET Server SP0
Name: MAIL
MAC Address: 08:00:27:1f:1d:86
Services (port, proto, name, info):
25 tcp smtp 220 ACME Corporation Mail Server [hMailServer]
139 tcp
143 tcp imap OK IMAPrev1
110 tcp pop3 +OK POP3
135 tcp
445 tcp Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)
Credentialsuser pass
SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee5ace38267297
985b281184a14fc8ddcc
Guest aad3b435b51404eeaad3b435b51404ee31d6cfe0d16ae9
31 b73c59d7e0c089c0
8 | P a g e
Administrator e52cac67419a9a22d419bc5eacf63c9283414a69a47afe
ec7e3a37d05a81dc3b
Compromises
opened duration method
03-01-12 091446 PM unknown Microsoft Server Service Relative Path Stack
Corruption
Vulnerabilitiesbull Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32dll through the Server Service This module is capable of bypassing
NX on some operating systems and service packs The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing Windows XP targets seem to handle multiple successful
exploitation events but 2003 targets will often crash or hang on subsequent
attempts This is just the first version of this module full support for NX bypass
on 2003 along with other platforms is still in development
10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29
Services (port proto name info):
  135 tcp
  139 tcp
  445 tcp Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
Credentials (user pass, as LM:NT hash):
  joshsokol aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
  User aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
  Administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises (opened duration method):
  03-01-12 09:14:49 PM unknown Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption (same module as on 10.10.10.4; see its description above)
10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64
Services (port proto name info):
  80 tcp http Apache/2.2.14 (Ubuntu)
  22 tcp ssh SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services (port proto name info):
  139 tcp
  135 tcp
  445 tcp smb Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
Credentials (user pass, as LM:NT hash):
  administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises (opened duration method):
  03-01-12 09:23:53 PM 1 minute Microsoft Windows Authenticated User Code Execution
  03-01-12 09:11:42 PM unknown Generic Payload Handler
  03-01-12 09:21:26 PM 1 minute Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services (port proto name info):
  135 tcp
  139 tcp
  445 tcp smb Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
Credentials (user pass, as LM:NT hash):
  administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
  CORP\administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises (opened duration method):
  03-01-12 09:23:53 PM 1 minute Microsoft Windows Authenticated User Code Execution
  03-01-12 09:21:28 PM 1 minute Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution (same module as on 10.10.10.188; see its description above)
192.168.121.10 (the source gives the digits 19216812110, which could also be read as 192.168.12.110)
Operating System: Microsoft Windows 7
Name:
MAC Address:
192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01
192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services (port proto name info):
  135 tcp
  139 tcp
  445 tcp smb Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services (port proto name info):
  22 tcp ssh SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials (user pass):
  jsokol joshrocks
Compromises (opened duration method):
  03-01-12 09:16:58 PM unknown SSH Login Check Scanner
Vulnerabilities:
• SSH Login Check Scanner
  This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
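The credential tables in this report are Metasploit hashdump output: each "pass" value is the 32-hex-digit LM hash followed by the 32-hex-digit NT hash. Two things in them are worth checking mechanically rather than by eye. The LM value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (no LM hash is stored for the account) and the NT value 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password; and the same Administrator NT hash appears on every Windows host above, which is consistent with the psexec-style "Authenticated User Code Execution" entries on WS2 and CEOSBOX having been run with the dumped hash rather than a password. The following Python script is an added example, not part of the original report or of Armitage; the credential lines it parses are reconstructed from the tables above, and the one-line-per-account "ip host user LMNT" layout is an assumed format, not Armitage's export format.

```python
import re
from collections import defaultdict

# Well-known values: the LM hash of an empty string (stored when no LM hash
# is kept for the account) and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed input (assumed layout): "ip host user LMhash+NThash", one
# account per line, with the hash pair exactly as the report prints it.
SAMPLE_CREDS = """
10.10.10.4   FILESERVER Administrator    e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
10.10.10.4   FILESERVER SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee5ace38267297985b281184a14fc8ddcc
10.10.10.4   FILESERVER Guest            aad3b435b51404eeaad3b435b51404ee31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.5   MAIL       Administrator    e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
10.10.10.5   MAIL       SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee5ace38267297985b281184a14fc8ddcc
10.10.10.5   MAIL       Guest            aad3b435b51404eeaad3b435b51404ee31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.18  JOSHDEV    joshsokol        aad3b435b51404eeaad3b435b51404ee34c63bad990d7b7cffa64bf36f8ba19c
10.10.10.18  JOSHDEV    User             aad3b435b51404eeaad3b435b51404ee31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.18  JOSHDEV    Administrator    e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
10.10.10.188 WS2        administrator    e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
10.10.10.189 CEOSBOX    administrator    e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]{64})$")


def parse_creds(text):
    """Yield (ip, host, user, lm, nt) for every well-formed credential line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a 64-hex-digit hash pair: skip headers, plaintext passwords, etc.
        ip, host, user, blob = m.groups()
        blob = blob.lower()
        yield ip, host, user, blob[:32], blob[32:]


def analyze(text):
    """Three findings a tester wants after a hashdump: empty passwords,
    accounts with a real LM hash stored, and NT hashes shared across hosts."""
    empty = []       # (host, user) whose NT half is the empty-password hash
    lm_stored = []   # (host, user) whose LM half is real: password <= 14 chars and LM-crackable
    hosts_by_nt = defaultdict(set)
    for ip, host, user, lm, nt in parse_creds(text):
        if nt == EMPTY_NT:
            empty.append((host, user))
        if lm != EMPTY_LM:
            lm_stored.append((host, user))
        hosts_by_nt[nt].add(host)
    # The same NT hash on more than one host means one pass-the-hash login
    # (the psexec-style entries in the report) opens all of them.
    reused = {nt: sorted(hosts) for nt, hosts in hosts_by_nt.items()
              if len(hosts) > 1 and nt != EMPTY_NT}
    return {"empty": empty, "lm_stored": lm_stored, "reused": reused}


if __name__ == "__main__":
    findings = analyze(SAMPLE_CREDS)
    for host, user in findings["empty"]:
        print(f"empty password: {host}\\{user}")
    for host, user in findings["lm_stored"]:
        print(f"LM hash stored: {host}\\{user}")
    for nt, hosts in findings["reused"].items():
        print(f"NT hash {nt} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it as a script to print the findings. The shared-NT-hash list is the lateral movement map: any host in it accepts the same pass-the-hash login, which is the weakness a report like this should call out explicitly rather than leaving the reader to compare 64-character strings across pages.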
11 SPEAR PHISHING
Cobalt Strike's spear phishing tool allows you to send pixel perfect spear phishing messages using an arbitrary message as a template.
Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name, separated by a tab or comma, for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In Gmail, click the down arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
Token      Description
%To%       The email address of the person the message is sent to
%To_Name%  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
%URL%      The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this particular phishing attempt. Press the ... button to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
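To make the token and Embed URL behaviour concrete, here is an added Python example (not Cobalt Strike's code) that does the per-recipient rewriting the text describes: it loads a tab- or comma-separated target file, fills %To%, %To_Name% and %URL%, and when the URL field is set and embedding is on, rewrites every URL in the template to that URL with a per-recipient tracking token appended. The target list, the template, the ?id= query parameter used to carry the token, and the fallback of using the address when no name was imported are all assumptions of this example.

```python
import re
import secrets

# Constructed target list (assumed): one address per line, optionally followed
# by a tab or comma and the recipient's name.
SAMPLE_TARGETS = "jsokol@corp.example\tJosh Sokol\nceo@corp.example\n"

# Constructed template (assumed): a saved message reduced to a few headers and a body.
SAMPLE_TEMPLATE = """Subject: Expense report for %To_Name%
To: %To%

Hi %To_Name%,
Please review your report at http://intranet.corp.example/reports before Friday.
Policy: http://intranet.corp.example/policy.pdf
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def load_targets(text):
    """Parse the import file into (email, name) pairs; name is None when the line has no name."""
    targets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = re.split(r"[\t,]", line, maxsplit=1)
        email = parts[0].strip()
        name = parts[1].strip() if len(parts) > 1 and parts[1].strip() else None
        targets.append((email, name))
    return targets


def render(template, email, name, url=None, embed=False, token=None):
    """Fill the tokens for one recipient. url is the dialog's URL field; with
    embed=True every URL in the template is rewritten to it. A per-recipient
    tracking token is appended (assumed here as an ?id= query parameter) so a
    visit can be traced back to the message that carried the link."""
    body = template
    tracked = ""
    if url is not None:
        token = token or secrets.token_hex(4)
        tracked = f"{url}?id={token}"
        if embed:
            # Rewrite before the token pass so the value put into %URL% is not rewritten again.
            body = URL_RE.sub(lambda _: tracked, body)
    body = body.replace("%To%", email)
    body = body.replace("%To_Name%", name if name is not None else email)  # assumed fallback
    body = body.replace("%URL%", tracked)
    return body, token


def render_all(template, targets_text, url=None, embed=False):
    """One (email, token, message) per target; every recipient gets a distinct token."""
    out = []
    for email, name in load_targets(targets_text):
        body, token = render(template, email, name, url=url, embed=embed)
        out.append((email, token, body))
    return out


if __name__ == "__main__":
    for email, token, body in render_all(SAMPLE_TEMPLATE, SAMPLE_TARGETS,
                                         url="http://10.10.10.21/update", embed=True):
        print(f"--- {email} (token {token}) ---\n{body}")
```

The token is the whole point of Embed URL: because each message carries a different one, a hit on the hosted site identifies which recipient clicked, which is what turns a phishing run into a measurable result.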
13 Web Drive-by Attacks
Firefox Add-on Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit web server that serves a dynamically created Firefox Add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
(Source of this passage: "Beaconing - Cobalt Strike", http://www.advancedpentest.com/help-beacon, retrieved 10/20/12.)
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets, so you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory (e.g. c:\metasploit). You will only need to do this once.
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can also install Armitage with a single command, but you need to be the root user to do so. Open a terminal and type exactly:
$ sudo su
# apt-get install armitage
Next, start Metasploit's RPC daemon so that Armitage has something to connect to:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
(The -t Basic form dates from older Metasploit releases; the invocation given in section 4.5, msfrpcd -U msf -P password -S -f, is the one the current Armitage expects.)
Open a terminal and add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you now need to make sure you have a database startup script. The following creates one for the PostgreSQL bundled with the installer, starts it, and registers it to run at boot (the init script name must be the same on all four lines):
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Armitage stores its results in Metasploit's PostgreSQL database; no other database is supported (see the manual setup notes in section 5), so there is no MySQL service to start for Armitage. Make sure the PostgreSQL startup script above is in place and running before you connect.
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Change to its directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: if you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack 5r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r0, 5r1, and 5r2 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them, though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
• A PostgreSQL database. No other database is supported.
• msfrpcd is in $PATH
• $MSF_DATABASE_CONFIG points to a YAML file
• $MSF_DATABASE_CONFIG is available to msfrpcd and armitage
• the msgpack ruby gem
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository, and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision tested against Armitage. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the meantime.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7 User interface (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so easy that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.
Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console. Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. The Armitage color palette and the preference associated with each color are shown in the palette figure.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see a dialog with the following fields.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0 and 10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space.
Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space.
Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace.
You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
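The Hosts, Ports, OS and sessions-only settings compose into one predicate over the host database. The following Python function is an added example (not Armitage's own code) that implements those rules as the text states them: explicit CIDR blocks, the trailing-zero shorthand that turns 192.168.95.0 into a /24 and 192.168.0.0 into a /16, comma-and-space separated lists, case-insensitive OS substring matching, and the sessions-only switch. The host records are reconstructed from the report earlier in this document; the tuple layout is an assumption.

```python
import ipaddress

# Constructed from the host report in this document (assumed layout):
# (ip, OS name, open TCP ports, has a session)
SAMPLE_HOSTS = [
    ("10.10.10.4",    "Microsoft Windows .NET Server", {135, 139, 445}, True),
    ("10.10.10.21",   "Linux Ubuntu",                  {22, 80},        False),
    ("192.168.57.8",  "Microsoft Windows XP SP2",      {135, 139, 445}, False),
    ("192.168.57.18", "Linux Ubuntu",                  {22},            True),
]


def parse_network(desc):
    """Turn one entry of the Hosts field into an ip_network.
    An explicit CIDR block (10.10.0.0/16) is used as given. A bare address is
    widened by one octet for every trailing .0, so 192.168.95.0 becomes a /24
    and 192.168.0.0 a /16, which is the shorthand the text describes."""
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address or CIDR block: {desc!r}")
    trailing_zero = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zero += 1
    return ipaddress.ip_network(f"{desc}/{32 - 8 * trailing_zero}", strict=False)


def split_field(value):
    """Every field takes several values separated by a comma and a space."""
    return [v for v in (part.strip() for part in value.split(",")) if v]


def workspace_hosts(hosts, networks="", ports="", oses="", sessions_only=False):
    """Return the IPs a dynamic workspace with these settings would show.
    An empty field places no restriction; all non-empty fields must match."""
    nets = [parse_network(n) for n in split_field(networks)]
    wanted_ports = {int(p) for p in split_field(ports)}
    os_parts = [o.lower() for o in split_field(oses)]
    shown = []
    for ip, os_name, open_ports, has_session in hosts:
        addr = ipaddress.ip_address(ip)
        if nets and not any(addr in net for net in nets):
            continue
        if wanted_ports and not (wanted_ports & open_ports):
            continue
        if os_parts and not any(part in os_name.lower() for part in os_parts):
            continue
        if sessions_only and not has_session:
            continue
        shown.append(ip)
    return shown


if __name__ == "__main__":
    print(workspace_hosts(SAMPLE_HOSTS, networks="10.10.0.0/16, 192.168.57.0", oses="indows"))
```

Note that a port filter matches a host if any listed port is open on it, while the network, OS and session filters all have to hold at once; that is the combination you get when you fill in several fields of the dialog.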
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap Scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Host -> Nmap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully
exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N
menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell
session. Right-click the host to access this menu. If you have a Windows shell
session, you may go to Shell N -> Meterpreter to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to
upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the Meterpreter N -> Access ->
Escalate Privileges menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g., nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network like
you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external ip address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL. When you start the
team server, it will present a server fingerprint. This is a SHA-1 hash of the
server's SSL certificate. When your team members connect, Armitage will
present the hash of the certificate the server presented to them. They should
verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're connecting to to determine whether
it should use SSL (teamserver, remote address) or non-SSL (msfrpcd,
localhost). To connect Armitage to your teamserver locally, use the
[external IP address] in the Host field. Armitage's red team collaboration setup
is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your
team server.
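Comparing the fingerprint the team server printed with the one a client sees is the only check that stands between a team member and a spoofed team server, and it is easy to get wrong by eye. The following Python helper is an added example, not code from the Armitage manual or project: it computes a SHA-1 fingerprint over a certificate's DER encoding (the manual says the fingerprint is the SHA-1 hash of the SSL certificate; taking it over the DER bytes is this example's assumption), normalizes whatever separator or case the fingerprint was copied with, and compares in constant time. fetch_presented_fingerprint and check_teamserver retrieve the certificate a live server presents; the function names are this example's own.

```python
"""Added example: verify an Armitage team server's certificate fingerprint.

Not part of the Armitage manual or project. Assumes (as the manual states)
the fingerprint is the SHA-1 hash of the server's SSL certificate, computed
here over its DER encoding. Function names are this example's own.
"""
import hashlib
import hmac
import ssl


def fingerprint_sha1(der_cert: bytes) -> str:
    """Return the SHA-1 of a DER-encoded certificate as colon-separated hex,
    the form a team server prints at startup, e.g. 'A9:99:3E:...'."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so a fingerprint pasted from a terminal,
    a chat window or a screenshot compares equal regardless of formatting."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprints_match(presented: str, expected: str) -> bool:
    """Constant-time comparison of two SHA-1 fingerprints. Anything that is
    not exactly 40 hex digits after normalization is rejected outright."""
    a, b = normalize_fingerprint(presented), normalize_fingerprint(expected)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


def fetch_presented_fingerprint(host: str, port: int = 55553) -> str:
    """Connect to a team server and return the fingerprint of the certificate
    it presents. The team server uses a self-signed certificate, so no chain
    validation is attempted: the fingerprint comparison is the validation."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_sha1(ssl.PEM_cert_to_DER_cert(pem))


def check_teamserver(host: str, expected: str, port: int = 55553) -> bool:
    """True only when the live server's certificate matches the fingerprint
    the team server operator announced out of band."""
    return fingerprints_match(fetch_presented_fingerprint(host, port), expected)


if __name__ == "__main__":
    import sys
    # usage: python3 check_fp.py <teamserver-ip> <expected-fingerprint>
    ok = check_teamserver(sys.argv[1], sys.argv[2])
    print("fingerprint matches" if ok else "FINGERPRINT MISMATCH: do not connect")
    sys.exit(0 if ok else 1)
```

Run it with the external address of the team server and the fingerprint its operator announced; a mismatch means the client is talking to something other than the server that printed that fingerprint and the connection should not proceed.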
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here.
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test, this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file
option has a ... next to it, then you may double-click that option name to choose
a local file to use. Armitage will upload the chosen local file and set the option
to its remote location for you. Generally, Armitage will do its best to move files
between you and the shared Metasploit server to create the illusion that you're
using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage
takes the initial output from a command and delivers it to the client that sent
the command. Additional output is ignored (although the command still executes
normally). This limitation primarily affects long running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example:
connect.prop file:
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now, to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a teamserver. Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module; full support for NX bypass
on 2003, along with other platforms, is still in development.

Host: 10.10.10.5
Operating System: Microsoft Windows .NET Server SP0
Name: MAIL
MAC Address: 08:00:27:1f:1d:86
Services:
port  proto  name  info
25    tcp    smtp  220 ACME Corporation Mail Server [hMailServer]
139   tcp
143   tcp    imap  OK IMAPrev1
110   tcp    pop3  +OK POP3
135   tcp
445   tcp          Windows 2003 No Service Pack (language:Unknown) (name:MAIL) (domain:CORP)
Credentials:
user              pass
SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
Guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator     e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises:
opened                duration  method
03-01-12 09:14:46 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module; full support for NX bypass
on 2003, along with other platforms, is still in development.

Host: 10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29
Services:
port  proto  name  info
135   tcp
139   tcp
445   tcp          Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)
Credentials:
user           pass
joshsokol      aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
User           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises:
opened                duration  method
03-01-12 09:14:49 PM  unknown   Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module; full support for NX
bypass on 2003, along with other platforms, is still in development.

Host: 10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64
Services:
port  proto  name  info
80    tcp    http  Apache/2.2.14 (Ubuntu)
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

Host: 10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services:
port  proto  name  info
139   tcp
135   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
Credentials:
user           pass
administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises:
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM  unknown   Generic Payload Handler
03-01-12 09:21:26 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash)
to execute an arbitrary payload. This module is similar to the psexec utility provided
by SysInternals. This module is now able to clean up after itself. The service created
by this tool uses a randomly chosen name and description.

Host: 10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services:
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
Credentials:
user                pass
administrator       e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
CORP\administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises:
opened                duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password
hash) to execute an arbitrary payload. This module is similar to the psexec
utility provided by SysInternals. This module is now able to clean up after itself.
The service created by this tool uses a randomly chosen name and description.

Host: 19216812110
Operating System: Microsoft Windows 7
Name:
MAC Address:

Host: 192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01

Host: 192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services:
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

Host: 192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services:
port  proto  name  info
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials:
user    pass
jsokol  joshrocks
Compromises:
opened                duration  method
03-01-12 09:16:58 PM  unknown   SSH Login Check Scanner
Vulnerabilities:
• SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful
logins. If you have loaded a database plugin and connected to a database, this
module will record successful logins and hosts so you can track your access.
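The credentials sections of the report above record each Windows account as an LM:NT hash pair and the SSH account as a plaintext password. What a defender wants from such a list is not the hashes themselves but the findings they imply. The following Python audit is an added example, not part of the report, of Armitage, or of Metasploit: it parses a "host user secret" list and flags accounts whose NT hash is the well-known hash of the empty password, accounts where a real LM hash is still stored (LM hashing not disabled), one NT hash valid on more than one host (shared local administrator password), and plaintext credentials. The line format and the sample rows are constructed from the values in the report; the function names are this example's own.

```python
"""Added example: audit a dumped credential list for weak-password signals.

Not part of the Armitage manual, the report, or the Metasploit project. The
input format (host, user, secret per line) and the sample rows are constructed
from the report above.
"""
import re
from collections import defaultdict

# Well-known LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HASH_PAIR = re.compile(r"^([0-9a-f]{32}):([0-9a-f]{32})$")

# Constructed sample: one credential per line as "host user secret".
SAMPLE_CREDS = """\
10.10.10.5    SUPPORT_388945a0 aad3b435b51404eeaad3b435b51404ee:5ace38267297985b281184a14fc8ddcc
10.10.10.5    Guest            aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.5    Administrator    e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.18   joshsokol        aad3b435b51404eeaad3b435b51404ee:34c63bad990d7b7cffa64bf36f8ba19c
10.10.10.18   User             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
10.10.10.18   Administrator    e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.188  administrator    e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
10.10.10.189  administrator    e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
192.168.57.18 jsokol           joshrocks
"""


def parse_credentials(text):
    """Parse 'host user secret' lines. A secret that is an LM:NT pair is split
    into its halves; anything else is treated as a plaintext password."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, user, secret = line.split(None, 2)
        pair = HASH_PAIR.match(secret.lower())
        rows.append({
            "host": host,
            "user": user,
            "lm": pair.group(1) if pair else None,
            "nt": pair.group(2) if pair else None,
            "plaintext": None if pair else secret,
        })
    return rows


def audit(rows):
    """Return the findings a defender would act on first."""
    findings = {
        "blank_password": [],   # NT hash of the empty string
        "lm_stored": [],        # non-empty LM hash: LM hashing not disabled
        "plaintext": [],        # cleartext password recorded
        "shared_nt": {},        # one NT hash valid on more than one host
    }
    hosts_by_nt = defaultdict(set)
    for r in rows:
        key = (r["host"], r["user"])
        if r["plaintext"] is not None:
            findings["plaintext"].append(key)
            continue
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(key)
        if r["lm"] != EMPTY_LM:
            findings["lm_stored"].append(key)
        hosts_by_nt[r["nt"]].add(r["host"])
    for nt, hosts in hosts_by_nt.items():
        # The empty-password hash is reported above, not as "reuse".
        if len(hosts) > 1 and nt != EMPTY_NT:
            findings["shared_nt"][nt] = sorted(hosts)
    return findings


if __name__ == "__main__":
    for name, items in audit(parse_credentials(SAMPLE_CREDS)).items():
        print(f"{name}: {items}")
```

On the sample, the audit reports two blank-password accounts (Guest and User), a real LM hash stored for every Administrator account, one administrator NT hash shared by four hosts, and one plaintext SSH credential. Each of those maps to a remediation that removes a whole class of lateral movement rather than a single foothold.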
11 SPEAR PHISHING
Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear
phishing messages using an arbitrary message as a template. Set Targets to
import a list of targets. You may import a flat text file containing one email
address per line. Import a file containing one email address and name, separated
by a tab or comma, for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template
is simply a saved email message. Cobalt Strike will strip unnecessary headers,
remove attachments, rewrite URLs, re-encode the message, and rewrite it for
you. Cobalt Strike does not give you a means to compose a message. Use an
email client, write a message, and send it to yourself. Most webmail clients
include a means to see the original message source. In Gmail, click the down
arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike
replaces these tokens when sending an email. The tokens include:
Token    Description
To       The email address of the person the message is sent to
To_Name  The name of the person the message is sent to. This token is only
         available when importing a tab-separated file containing a name
URL      The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message
template to point to the embedded URL. URLs added in this way will contain a
token that allows Cobalt Strike to trace any visitor back to this message. Press ... to
choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target.
Set Bounce To to an email address where bounced messages should go. This
value will not affect the message your targets see. Press Preview to see an
assembled message to one of your recipients. If the preview looks good, press
Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client.
If you're managing a remote server, know that messages will come from your
local host and not the remote server.
13 Web Drive-by Attacks
Firefox Addon Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This
tool will start a Metasploit® web server that serves a dynamically created Firefox
add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox
add-on, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process.
This tool starts a local web server and fingerprints anyone who visits it. The
system profiler discovers the internal IP address of users behind a proxy, along
with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler.
To start the profiler, you must specify a URI to bind to and a port to start the
Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike
will redirect visitors to this URL once their profile is taken. Click Launch to
start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN
creates a network interface on the Cobalt Strike system and bridges this
interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the
target's network, act as a rogue server, or perform man-in-the-middle attacks
normally reserved for internal assessments. You may use external scanning and
attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term
engagements. Beacon does not provide real-time control of a compromised host.
Beacon is asynchronous. It spends most of its time sleeping. Occasionally,
Beacon will contact Cobalt Strike to check for tasks.
If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and
Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt
to communicate through multiple domains.
This makes your control of a compromised host
more robust. If a system administrator blocks one IP address or domain, Beacon
may still receive tasks through its other domains. When tasks are available,
Beacon downloads them and sends output using the HTTP protocol. Beacon
may check for tasks through HTTP or DNS requests.
(Source of this section: "Beaconing - Cobalt Strike", www.advancedpentest.com/help-beacon, printed 10/20/12.)
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There
are features for discovery, access, post-exploitation, and maneuver. This section
describes these features at a high level; the rest of this manual covers these
capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management
features. You can import hosts and launch scans to populate a database of
targets. Armitage also visualizes the database of targets: you'll always know
which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically
recommend exploits and even run active checks so you know which exploits
will work. If these options fail, you can use the Hail Mary approach and unleash
Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side
features of Metasploit. You can launch browser exploits, generate malicious
files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools
built on the capabilities of the Meterpreter agent. With the click of a menu, you
will escalate your privileges, dump password hashes to a local credentials
database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you
use compromised hosts as a platform for attacking other hosts and further
investigating the target network. Armitage also exposes Metasploit's SOCKS
proxy module, which allows external tools to take advantage of these pivots.
With these tools, you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you
need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you
absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application.
Anything you do in Armitage is translated into a command Metasploit
understands. You can bypass Armitage and type commands yourself (covered
later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and
even payload is available as a module. If you're scanning a host, you use an
auxiliary module. Before launching a module, you must set one or more
variables to configure the module. The exploit process is similar. To launch an
exploit, you must choose an exploit module, set one or more variables, and
launch it.
Armitage aims to make this process easier for you. If you successfully exploit a
host, you will have a session on that host. Armitage knows how to interact with
shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation
functionality available to you. Armitage is built to take advantage of
Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later
2. Install Oracle's Java 1.7 (JRE or JDK)
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do
this once to initialize the database)
5. Make sure you're the Administrator user
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will
only need to do this once (e.g., c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user,
consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user
2. Download and install the Metasploit Framework from
http://www.metasploit.com. Get the full package with all of the Linux dependencies
3. After installation, type /opt/framework/app/msfupdate to update Metasploit
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu)
You can install Armitage with a simple command, but before you execute this
command you need to be the root user. Open a
terminal and type exactly:
    $ sudo su
    # apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the
terminal:
    root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
    export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup script:
    echo "exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh \$*" > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
    root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a
service when the installer runs. The downside is that the "Metasploit as a service" option
starts up the commercial/community edition of Metasploit on boot too. If you use this
version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
    root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You
do not need to change the DB connect string.
Note:
If you're using Armitage with a local Metasploit instance, then Armitage must
also run as root. Why? Because Armitage needs root privileges to read the
database.yml file created by Metasploit's installer. If Armitage can't read this
file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release
requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit
(hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer,
then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.5 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage.
Metasploit does not have an official package for OS X.
There is a lot of manual setup involved getting the prerequisites working.
Cedric Baillet created a step-by-step guide
(http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf)
to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download
the Mac OS X package, extract it, and double-click the Armitage.app file to get
started.
Here are three Mac OS X Armitage install guides that others have
produced; these may help you. Please don't ask me to provide support for them,
though.
The Black Matrix
(http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX
Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for
starting the Metasploit Framework RPC daemon that are slightly dated. The
correct way to start msfrpcd for Armitage to connect to is:
    msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and Armitage.
The msgpack Ruby gem.
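A manual install that misses one of these requirements usually fails later with an unhelpful "cannot connect to database" from Armitage, so it is worth checking them before starting anything. The following Python preflight is an added example, not part of Armitage or Metasploit: it checks that msfrpcd is on $PATH, that MSF_DATABASE_CONFIG is set and readable, and that the YAML it points to configures only the postgresql adapter. The msgpack gem is outside its scope (gem list msgpack covers that). The env, which and read_text hooks are this example's own, so the check can be exercised without a real install; the adapter-line pattern assumes the usual "adapter: postgresql" form of a Rails-style database.yml.

```python
"""Added example: preflight check for the manual-setup requirements above.

Not part of the Armitage manual or project. Checks the first three
requirements (PostgreSQL only, msfrpcd in $PATH, MSF_DATABASE_CONFIG pointing
at a readable YAML file); the msgpack gem is left to `gem list msgpack`.
The env/which/read_text hooks exist so the check can run without a real install.
"""
import os
import re
import shutil

# Matches "adapter: postgresql" or adapter: "postgresql" on its own line,
# the form used in a Rails-style database.yml (assumption of this example).
ADAPTER_RE = re.compile(r'^\s*adapter:\s*["\']?(\w+)', re.MULTILINE)


def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def check_manual_setup(env=os.environ, which=shutil.which, read_text=_read):
    """Return a list of problems; an empty list means the requirements hold.
    env, which and read_text default to the real environment and file system."""
    problems = []
    if which("msfrpcd") is None:
        problems.append("msfrpcd is not in $PATH")
    cfg = env.get("MSF_DATABASE_CONFIG")
    if not cfg:
        problems.append("MSF_DATABASE_CONFIG is not set")
        return problems
    try:
        text = read_text(cfg)
    except OSError as exc:
        # The manual notes Armitage must run as root to read the installer's
        # database.yml; an unreadable file shows up here.
        problems.append(f"cannot read {cfg}: {exc}")
        return problems
    adapters = set(ADAPTER_RE.findall(text))
    if not adapters:
        problems.append(f"{cfg} defines no database adapter")
    elif adapters != {"postgresql"}:
        problems.append(
            f"unsupported adapter(s) in {cfg}: {sorted(adapters)}; "
            "only PostgreSQL is supported")
    return problems


if __name__ == "__main__":
    import sys
    found = check_manual_setup()
    for p in found:
        print("FAIL:", p)
    print("manual setup looks complete" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it as the same user that will start msfrpcd and Armitage, since both $PATH and the readability of database.yml depend on who is asking.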
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling
the latest source code from a Subversion repository that is synced with the git
repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by
doing this. The Metasploit team is cautious about what they commit to the
primary git repository and they're extremely responsive to bug reports. That said,
things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many
times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the
change log file for the latest development release tested against Armitage.
The revision number is located next to the release date. To downgrade
Metasploit:
    cd /path/to/metasploit/msf3
    source scripts/setenv.sh
    svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit
too. You can download the latest Armitage release from this site in the
meantime.
3) Reinstall Metasploit using the installer provided by Rapid7. The
Metasploit installer includes the latest stable version of Metasploit.
Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere
important, do not run msfupdate and assume it will work. It's very
important to stick with what you know works or test the functionality you
need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog, use the --client option to specify a file with the
connection details:
    java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating
a desktop shortcut that calls this --client option with a different properties file
for each server.
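A connect.prop file is a Java properties file with four required keys (host, port, user, pass), and the multi-player setup section of this manual states the rule Armitage applies to the host value: a loopback address means a plain msfrpcd connection, anything else means the team server over SSL. The following Python loader is an added example, not Armitage's own code: it parses such a file, validates the required keys and the port range, and reports which transport will be used, so a client pointed at 127.0.0.1 while a teamserver is running (the mistake the manual warns about) is caught before any connection is made. The sample file is constructed from the example above; the function names are this example's own.

```python
"""Added example: load and sanity-check an Armitage connect.prop file.

Not Armitage's own code. Implements the rule stated in the manual: a loopback
host means a non-SSL msfrpcd connection, any other host means the team
server over SSL. The sample file is constructed from the example above.
"""
import ipaddress

REQUIRED_KEYS = ("host", "port", "user", "pass")

SAMPLE_PROP = """\
# constructed connect.prop
host=192.168.95.241
port=55553
user=mister
pass=bojangles
"""


def parse_prop(text):
    """Parse key=value lines. Blank lines and lines starting with # or ! are
    comments, as in Java properties files; a later key overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (expected key=value): {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def plan_connection(props):
    """Validate the properties and describe the connection Armitage will make."""
    missing = [k for k in REQUIRED_KEYS if not props.get(k)]
    if missing:
        raise ValueError(f"connect.prop is missing: {', '.join(missing)}")
    try:
        port = int(props["port"])
    except ValueError:
        raise ValueError(f"port is not a number: {props['port']!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    loopback = is_loopback(props["host"])
    return {
        "host": props["host"],
        "port": port,
        "user": props["user"],
        "ssl": not loopback,
        "mode": "msfrpcd" if loopback else "teamserver",
        # Per the manual: do not connect to 127.0.0.1 while a teamserver is
        # running; use the external address so the client negotiates SSL.
        "warning": ("loopback host: this will be a plain msfrpcd connection, "
                    "not an SSL teamserver connection") if loopback else None,
    }


def load_connect_prop(path):
    """Read a connect.prop file from disk and return the connection plan."""
    with open(path, encoding="utf-8") as fh:
        return plan_connection(parse_prop(fh.read()))
```

For the sample file the plan is an SSL teamserver connection to 192.168.95.241:55553 with no warning; swapping the host for 127.0.0.1 yields mode msfrpcd with the warning set, which is exactly the case to fix before launching Armitage with --client.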
7 User interface (GUI)
The user interface is easy and friendly for a pentester as well as a
hacker; it is made so easy that without any help a user can manage the cyber
attack.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs.
You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an
exploit, generate a payload, and even run a post-exploitation script. Click
through the tree to find the desired module. Double-click the module to bring up
a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS
variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a
wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show
your search results, already expanded for quick viewing. Clear the search box
and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents
each target as a computer with its IP address and other information about it
below the computer. The computer screen shows the operating system the
computer is running. A red computer with electrical jolts indicates a
compromised host. Right-click the computer to use any sessions related to the
host. A directional green line indicates a pivot from one host to another.
Pivoting allows Metasploit to route attacks and scans through intermediate
hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging
a box over the desired hosts. Where possible, Armitage will try to apply an
action (e.g., launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu
will show attack and login options, menus for existing sessions, and options to
edit the host information.
The login menu is only available after a port scan reveals open ports that
Metasploit can log in to. The Attack menu is only
available after finding attacks through the Attacks menu bar. Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host. Several keyboard shortcuts are available in the targets panel.
You may edit these in the Armitage -> Preferences menu:
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right click the targets area with no selected hosts to configure the layout and
zoom-level of the targets area
7.1.2.1 Targets - Table View

If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.

Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.

Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs

Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.

You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name. Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.

You may drag and drop tabs to change their order.

Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console format

Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.

The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.

In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.

Use Ctrl Plus in a console panel to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.

Press Ctrl F to show a panel that will let you search for text within the console. Use Ctrl A to select all text in the console's buffer.

Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.

The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host management

9.1 Dynamic workspaces

Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.

To create a new dynamic workspace, press Add. You will see the following dialog.

Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.

If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.

You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.

Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace.

Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.

Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
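As an added illustration (not Armitage's own code), here is a Python re-implementation of the dynamic-workspace filter rules described above, run against a constructed host inventory, so you can check which hosts a given Hosts / Ports / OS / sessions-only definition keeps. It assumes a plain dict per host and that a multi-valued Ports or OS field matches a host when any one value matches; the manual does not say how Armitage stores hosts or combines multiple values.

```python
"""Dynamic-workspace filter, re-implemented from the manual's description.

Added example, not Armitage's code. Host records are plain dicts (an
assumption; the manual does not describe Armitage's internal storage).
"""
import ipaddress

# Constructed sample inventory: not taken from the manual.
INVENTORY = [
    {"ip": "10.10.10.18", "ports": [135, 139, 445], "os": "Microsoft Windows XP SP2", "sessions": 1},
    {"ip": "10.10.10.21", "ports": [22, 80], "os": "Linux Ubuntu", "sessions": 0},
    {"ip": "192.168.95.7", "ports": [445], "os": "Microsoft Windows 7 SP0", "sessions": 0},
    {"ip": "192.168.96.7", "ports": [22], "os": "Linux Ubuntu", "sessions": 2},
]


def parse_network(desc):
    """Return the (first, last) addresses covered by one Hosts entry.

    Rules from the manual:
      10.10.0.0/16  -> 10.10.0.0 .. 10.10.255.255      (CIDR notation)
      192.168.95.0  -> 192.168.95.0 .. 192.168.95.255  (last octet is 0)
      192.168.0.0   -> 192.168.0.0 .. 192.168.255.255  (last two octets are 0)
    Any other single address matches only itself (assumed).
    """
    desc = desc.strip()
    if "/" in desc:
        net = ipaddress.ip_network(desc, strict=False)
        return net.network_address, net.broadcast_address
    first = ipaddress.ip_address(desc)
    if ":" in desc:  # IPv6 literal: no octet shortcuts apply
        return first, first
    octets = desc.split(".")
    if octets[2:] == ["0", "0"]:
        last = ".".join(octets[:2] + ["255", "255"])
    elif octets[3] == "0":
        last = ".".join(octets[:3] + ["255"])
    else:
        last = desc
    return first, ipaddress.ip_address(last)


def split_list(field):
    """Multiple networks, ports or OS names are separated by ', ' in Armitage."""
    return [part.strip() for part in field.split(",") if part.strip()]


def matches(host, hosts="", ports="", os_name="", sessions_only=False):
    """True if `host` belongs in a workspace defined by these four fields.

    Empty fields impose no restriction. For Ports and OS a host is kept
    when ANY listed value matches (assumption, see lead-in).
    """
    if hosts:
        ip = ipaddress.ip_address(host["ip"])
        ranges = [parse_network(d) for d in split_list(hosts)]
        if not any(lo <= ip <= hi for lo, hi in ranges):
            return False
    if ports:
        wanted = {int(p) for p in split_list(ports)}
        if not wanted.intersection(host["ports"]):
            return False
    if os_name:
        # Partial, case-insensitive substring match: "indows" keeps Windows hosts.
        name = host["os"].lower()
        if not any(part.lower() in name for part in split_list(os_name)):
            return False
    if sessions_only and host["sessions"] == 0:
        return False
    return True


def workspace_view(inventory, **definition):
    """IPs of the hosts a dynamic workspace with this definition would show."""
    return [h["ip"] for h in inventory if matches(h, **definition)]


if __name__ == "__main__":
    print(workspace_view(INVENTORY, hosts="10.10.0.0/16"))
    print(workspace_view(INVENTORY, os_name="indows", sessions_only=True))
```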
9.2 Importing hosts

To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:

Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap scan

You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options. Optionally, you may type db_nmap in a console to launch NMap with the options you choose. NMap scans do not use the pivots you have set up.

9.4 MSF scan

Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose. Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS enumeration

Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.

9.6 Database maintenance

Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.
10 Exploitation

10.1 Remote exploitation

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host. To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.

10.4 Automatic exploitation

If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order. This feature won't find every possible shell, but it's a good option if you don't know what else to try.

10.5 Client-side exploitation

Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for "file format" to find exploits that trigger when a user opens a malicious file. Search for "browser" to find exploits that serve browser attacks from a web server built into Metasploit.

10.6 Client-side exploits and payloads

If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload. Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.

If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post exploitation

11.1 Managing sessions

Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session. If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.

11.2 Privilege escalation

Some exploits result in administrative access to the host. Other times you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver

12.1 Pivoting

Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting. To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.

12.2 Scanning and external tools

Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.

To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit

13.1 Remote connection

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.

The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.

13.2 Multi-player Metasploit setup

The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:

    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external ip address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it.

Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.

The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.

Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.

Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
13.3 Multi-player Metasploit

Armitage's red team collaboration mode adds a few new features. These are described here.

View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.

Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.

Some Metasploit modules require you to specify one or more files. If a file option has an icon next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.

Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running Meterpreter scripts.
14 Scripting Armitage

14.1 Cortana

Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.

14.2 Stand-alone bots

A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server. Here's a helloworld.cna Cortana script:

    on ready {
        println("Hello World");
        quit();
    }

To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:

    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
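Two client-side checks from this manual, the teamserver fingerprint comparison described under multi-player Metasploit setup and the connect.prop file a stand-alone Cortana bot reads, as an added Python example that is not Armitage's or Cortana's own code. It assumes the fingerprint is the SHA-1 of the DER-encoded certificate (as the manual states) shown as colon-separated hex, treats any loopback address the way the manual describes 127.0.0.1, and expects an IP address in the host field; the certificate bytes are a constructed stand-in, not a real certificate.

```python
"""Client-side checks for an Armitage team server connection.

Added example (not Armitage's or Cortana's code). Shows how to verify the
server fingerprint that teamserver prints against the one a client sees,
and how to read the connect.prop file a stand-alone Cortana bot uses.
"""
import hashlib
import hmac
import ipaddress

# Constructed stand-in for a DER-encoded server certificate (not a real cert).
SAMPLE_CERT_DER = b"-- constructed certificate bytes for the example --"

# The connect.prop example from the manual.
SAMPLE_CONNECT_PROP = """\
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
"""


def cert_fingerprint_sha1(der_bytes):
    """SHA-1 over the DER certificate, formatted as colon-separated upper-case hex."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Strip separators and case so 'AB:CD' and 'abcd' compare equal."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def fingerprints_match(shown, expected):
    """True only if both are complete SHA-1 fingerprints and identical.

    hmac.compare_digest keeps the comparison constant-time; a prefix-only
    match (a team member who only read the first few bytes) is rejected.
    """
    a, b = normalize_fingerprint(shown), normalize_fingerprint(expected)
    return len(a) == 40 and len(b) == 40 and hmac.compare_digest(a, b)


def parse_connect_prop(text):
    """Parse the key=value lines of connect.prop; all five keys are required."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed connect.prop line: %r" % raw)
        props[key.strip()] = value.strip()
    missing = [k for k in ("host", "port", "user", "pass", "nick") if k not in props]
    if missing:
        raise ValueError("connect.prop is missing: " + ", ".join(missing))
    props["port"] = int(props["port"])
    return props


def connection_mode(host):
    """Armitage picks SSL by address: a loopback address means a local msfrpcd
    without SSL, anything else means a teamserver over SSL. Assumes `host`
    is an IP address literal (hostnames are not handled)."""
    return "msfrpcd-plain" if ipaddress.ip_address(host).is_loopback else "teamserver-ssl"


def check_team_connection(props, shown_fingerprint, expected_fingerprint):
    """Return a list of problems; an empty list means the connection looks right."""
    problems = []
    if connection_mode(props["host"]) != "teamserver-ssl":
        problems.append("host is a loopback address: Armitage would not use SSL here; "
                        "use the teamserver's external IP instead")
    if not fingerprints_match(shown_fingerprint, expected_fingerprint):
        problems.append("certificate fingerprint differs from the one teamserver printed")
    return problems


if __name__ == "__main__":
    fp = cert_fingerprint_sha1(SAMPLE_CERT_DER)
    props = parse_connect_prop(SAMPLE_CONNECT_PROP)
    print(fp)
    print(check_team_connection(props, fp, fp))
```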
14.3 Script management

You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.

To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion

Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Compromises (opened / duration / method):
03-01-12 09:14:46 PM / unknown / Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption
  This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.18
Operating System: Microsoft Windows XP SP2
Name: JOSHDEV
MAC Address: 08:00:27:5a:86:29
Services (port / proto / name / info):
135 / tcp
139 / tcp
445 / tcp / Windows XP Service Pack 2 (language: English) (name: JOSHDEV) (domain: CORP)
Compromises (opened / duration / method):
03-01-12 09:14:49 PM / unknown / Microsoft Server Service Relative Path Stack Corruption

Vulnerabilities:
• Microsoft Server Service Relative Path Stack Corruption
  This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64
Services (port / proto / name / info):
80 / tcp / http / Apache/2.2.14 (Ubuntu)
22 / tcp / ssh / SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services (port / proto / name / info):
139 / tcp
135 / tcp
445 / tcp / smb / Windows 7 Ultimate (Build 7600) (language: Unknown) (name: WS2) (domain: CORP)
Compromises (opened / duration / method):
03-01-12 09:23:53 PM / 1 minute / Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM / unknown / Generic Payload Handler
03-01-12 09:21:26 PM / 1 minute / Microsoft Windows Authenticated User Code Execution

Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services (port / proto / name / info):
135 / tcp
139 / tcp
445 / tcp / smb / Windows 7 Ultimate (Build 7600) (language: Unknown) (name: CEOSBOX) (domain: CORP)
Compromises (opened / duration / method):
03-01-12 09:23:53 PM / 1 minute / Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM / 1 minute / Microsoft Windows Authenticated User Code Execution

Vulnerabilities:
• Microsoft Windows Authenticated User Code Execution
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

192.168.121.10
Operating System: Microsoft Windows 7
Name:
MAC Address:

192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01

192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services (port / proto / name / info):
135 / tcp
139 / tcp
445 / tcp / smb / Windows XP Service Pack 2 (language: English) (name: JOSHDEV) (domain: CORP)

192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services (port / proto / name / info):
22 / tcp / ssh / SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials (user / pass):
jsokol / joshrocks

Compromises (opened / duration / method):
03-01-12 09:16:58 PM / unknown / SSH Login Check Scanner

Vulnerabilities:
• SSH Login Check Scanner
  This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11 SPEAR PHISHING

Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template.

Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.

Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.

You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:

Token   | Description
To      | The email address of the person the message is sent to.
To_Name | The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
URL     | The contents of the URL field in the spear phishing dialog.

Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this. Press the button to choose one of the Cobalt Strike hosted sites you've started.

Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.

Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
13 Web Drive-by Attacks

Firefox Add-on Attack

This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit® web server that serves a dynamically created Firefox Add-on. This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site, and embed the Firefox Add-on Attack URL.

14 Client-side Reconnaissance

System Profiler

The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.

To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.

15 VPN Pivoting

Covert VPN

Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network. Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control

What is Beacon?

Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.

This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
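From the defender's side, the check-in pattern just described (a sleeping agent that contacts one of several domains at a roughly fixed interval) is what a proxy-log review looks for. The following Python is an added example, not Cobalt Strike's or Armitage's code: it runs over a constructed web-proxy log, flags client/host pairs whose request spacing is too regular to be a person browsing, and then lists clients that show that pattern toward more than one domain. The log format, the thresholds and the host names are all assumptions.

```python
"""Beacon-style periodicity check over proxy log lines (added, defensive example).

Log format (assumed): "<ISO timestamp> <client ip> <method> <host> <path>".
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 10.1.1.50 checks in with two hosts about once a
# minute (the second with a little jitter) and also browses news.test
# irregularly; 10.1.1.51 only browses.
SAMPLE_LOG = """\
2012-10-20T09:00:00 10.1.1.50 GET cdn-a.example.test /updates
2012-10-20T09:00:05 10.1.1.50 GET news.test /
2012-10-20T09:00:07 10.1.1.50 GET news.test /style.css
2012-10-20T09:00:30 10.1.1.50 GET cdn-b.example.test /updates
2012-10-20T09:00:40 10.1.1.50 GET news.test /article/1
2012-10-20T09:01:00 10.1.1.50 GET cdn-a.example.test /updates
2012-10-20T09:01:28 10.1.1.50 GET cdn-b.example.test /updates
2012-10-20T09:02:00 10.1.1.50 GET cdn-a.example.test /updates
2012-10-20T09:02:31 10.1.1.50 GET cdn-b.example.test /updates
2012-10-20T09:03:00 10.1.1.50 GET cdn-a.example.test /updates
2012-10-20T09:03:10 10.1.1.50 GET news.test /article/2
2012-10-20T09:03:29 10.1.1.50 GET cdn-b.example.test /updates
2012-10-20T09:04:00 10.1.1.50 GET cdn-a.example.test /updates
2012-10-20T09:04:31 10.1.1.50 GET cdn-b.example.test /updates
2012-10-20T09:05:00 10.1.1.50 GET cdn-a.example.test /updates
2012-10-20T09:00:12 10.1.1.51 GET news.test /
2012-10-20T09:00:14 10.1.1.51 GET news.test /style.css
2012-10-20T09:07:41 10.1.1.51 GET news.test /article/3
"""


def parse_log(text):
    """Return (timestamp, client, host) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, _method, host, _path = line.split()
        events.append((datetime.fromisoformat(stamp), client, host))
    return events


def find_beacons(events, min_hits=4, min_interval=30.0, max_jitter=0.2):
    """Return {client: {host: median_gap_seconds}} for regular check-ins.

    A (client, host) pair is flagged when it has at least `min_hits`
    requests, the median gap between them is at least `min_interval`
    seconds, and the gaps vary by no more than `max_jitter` (relative
    standard deviation). Human browsing produces bursts and long pauses,
    which fail the jitter test.
    """
    stamps = defaultdict(list)
    for when, client, host in events:
        stamps[(client, host)].append(when)
    flagged = defaultdict(dict)
    for (client, host), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median < min_interval:
            continue
        if statistics.pstdev(gaps) / median <= max_jitter:
            flagged[client][host] = median
    return dict(flagged)


def multi_domain_beaconers(beacons, min_hosts=2):
    """Clients whose regular check-ins go to several hosts: the fallback-domain
    behaviour the text describes, which blocking a single domain will not stop."""
    return sorted(c for c, hosts in beacons.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for client, hosts in found.items():
        for host, gap in sorted(hosts.items()):
            print(f"{client} -> {host}: every {gap:.0f}s")
    print("multi-domain:", multi_domain_beaconers(found))
```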
2 CYBER ATTACK MANAGEMENT

Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.

For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets: you'll always know which hosts you're working with and where you have sessions.

Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.

For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.

Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.

Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.

The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW

To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.

Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.

Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.

If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.

Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation

4.1 On Windows

Here are the steps to install and run Armitage on Windows:

1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update.
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database).
5. Make sure you're the Administrator user.

To run Armitage:

Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory (e.g. c:\metasploit). You will only need to do this once.

The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com.
3. Get the full package with all of the Linux dependencies.
4. After installation, type /opt/framework/app/msfupdate to update Metasploit.
5. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can install Armitage with a single command, but you must be the root user to do so. Open a terminal and type exactly:
$ sudo su
apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command in the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal and add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you also need to make sure you have a database startup script (the script name must be the same in all four commands):
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the "Metasploit as a service" option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note
If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack 5 r3
Armitage comes with BackTrack Linux 5 r3. The latest Armitage release requires BackTrack 5 r3; 5 r2, 5 r1 and 5 r0 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X.
There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5. Manual Setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack Ruby gem.
6. Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a Subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository, and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the meantime.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick Connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7. User Interface (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage > Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View > Targets > Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8. Console Format
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus in the console panel to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage > Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View > Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage > Preferences. Here is the Armitage color palette and the preference associated with each color.
9. Host Management
9.1 Dynamic Workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace > Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows"; Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace.
Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace > Show All or Ctrl+Backspace to display the entire database.
9.2 Importing Hosts
To add host information to Metasploit, you may import it. The Host > Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap Scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Host > NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host > MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host > DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database Maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host > Create Database.
10. Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack > Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic Exploitation
If manual exploitation fails, you have the Hail Mary option. Attack > Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side Exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for "file format" to find exploits that trigger when a user opens a malicious file. Search for "browser" to find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side Exploitation and Payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11. Post Exploitation
11.1 Managing Sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N > Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N > Upload to upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N > Access > Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12. Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N > Pivoting > Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and External Tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N > ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage > SOCKS Proxy to launch the SOCKS proxy server.
13. Remote Metasploit
13.1 Remote Connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.1 Multi-player Metasploit Setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external ip address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.
Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
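The connect.prop format from section 6.1 together with the two rules just described (loopback means non-SSL msfrpcd, anything else means an SSL team server whose certificate fingerprint must match what the server printed), as an added example that is not Armitage's own code. The function names (parse_connect_prop, uses_ssl, check_connection) are assumptions, the stand-in certificate bytes are constructed, and the two property files are the ones shown in this document.

```python
"""Quick-connect file handling and team server fingerprint check.

Added illustration, not Armitage's own code. It models three things the text
states: the connect.prop format (host, port, user, pass, optional nick); the
rule that a loopback host means plain msfrpcd while any other address means an
SSL team server; and the fingerprint check, where the team server prints the
SHA-1 of its SSL certificate and each client compares that with the hash of the
certificate the server it reached actually presented.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional

REQUIRED_KEYS = ("host", "port", "user", "pass")


def parse_connect_prop(text: str) -> dict:
    """Parse a connect.prop file (Java properties style: one key=value per line)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue                      # blank line or properties comment
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError("connect.prop is missing: " + ", ".join(missing))
    props["port"] = int(props["port"])
    return props


def uses_ssl(host: str) -> bool:
    """Loopback -> local msfrpcd without SSL; anything else -> team server over SSL."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:                    # a hostname rather than an address
        return host.lower() != "localhost"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'ab:cd:..', 'ABCD..' or space-separated forms; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def certificate_fingerprint(cert_der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, the value the team server prints."""
    return hashlib.sha1(cert_der).hexdigest()


def fingerprint_matches(cert_der: bytes, expected: str) -> bool:
    """Constant-time comparison, so timing does not leak how much of it matched."""
    return hmac.compare_digest(certificate_fingerprint(cert_der),
                               normalize_fingerprint(expected))


def check_connection(prop_text: str, presented_cert: bytes,
                     expected_fingerprint: Optional[str]) -> dict:
    """Parsed properties plus 'ssl' and 'trusted' for a connect.prop target.

    An SSL target is trusted only when the operator supplied the fingerprint
    shown by the team server and the presented certificate hashes to it.  A
    local non-SSL msfrpcd has no certificate to check.
    """
    props = parse_connect_prop(prop_text)
    props["ssl"] = uses_ssl(props["host"])
    if props["ssl"]:
        props["trusted"] = (expected_fingerprint is not None and
                            fingerprint_matches(presented_cert, expected_fingerprint))
    else:
        props["trusted"] = True
    return props


# Constructed sample data: the two connect.prop files from the text and a
# stand-in certificate (arbitrary bytes, not a real DER certificate).
TEAMSERVER_PROP = "host=192.168.95.241\nport=55553\nuser=mister\npass=bojangles\n"
LOCAL_PROP = "host=127.0.0.1\nport=55553\nuser=msf\npass=password\nnick=MyBot\n"
SAMPLE_CERT = bytes(range(256)) * 3
SAMPLE_FINGERPRINT = certificate_fingerprint(SAMPLE_CERT)

if __name__ == "__main__":
    print(check_connection(TEAMSERVER_PROP, SAMPLE_CERT, SAMPLE_FINGERPRINT))
```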
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View > Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a marker next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running Meterpreter scripts.
14. Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone Bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script Management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage > Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View > Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Compromises
opened | duration | method
03-01-12 09:14:49 PM | unknown | Microsoft Server Service Relative Path Stack Corruption
Vulnerabilities
• Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.21
Operating System: Linux Ubuntu
Name: 10.10.10.21
MAC Address: 08:00:27:9d:3c:64
Services
port | proto | name | info
80 | tcp | http | Apache/2.2.14 (Ubuntu)
22 | tcp | ssh | SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services
port | proto | name | info
139 | tcp | |
135 | tcp | |
445 | tcp | smb | Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
Credentials
user | pass
administrator | e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
Compromises
opened | duration | method
03-01-12 09:23:53 PM | 1 minute | Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM | unknown | Generic Payload Handler
03-01-12 09:21:26 PM | 1 minute | Microsoft Windows Authenticated User Code Execution
Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services
port | proto | name | info
135 | tcp | |
139 | tcp | |
445 | tcp | smb | Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
Credentials
user | pass
administrator | e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
CORP\administrator | e52cac67419a9a22d419bc5eacf63c9283414a69a47afeec7e3a37d05a81dc3b
Compromises
opened | duration | method
03-01-12 09:23:53 PM | 1 minute | Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM | 1 minute | Microsoft Windows Authenticated User Code Execution
Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

19216812110 (address as extracted)
Operating System: Microsoft Windows 7
Name:
MAC Address:

192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01

192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services
port | proto | name | info
135 | tcp | |
139 | tcp | |
445 | tcp | smb | Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services
port | proto | name | info
22 | tcp | ssh | SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials
user | pass
jsokol | joshrocks
Compromises
opened | duration | method
03-01-12 09:16:58 PM | unknown | SSH Login Check Scanner
Vulnerabilities
• SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11 SPEAR PHISHING
Cobalt Strikes spear phishing tool allows you to send pixel perfect spear
phishing messages using an arbitrary message as a templateSet Targets to
import a list of targets You may import a flat text-file containing one email
address per line Import a file containing one email address and name separated
by a tab or comma for stronger message customization
Set Template to an email message template A Cobalt Strike message template
is simply a saved email message Cobalt Strike will strip unnecessary headers
remove attachments rewrite URLs re-encode themessage and rewrite it for
you Cobalt Strike does not give you a means to compose a message Use an
email client write a message and send it to yourself Most webmail clients
include a means to see the original message source In GMail click the down
arrow next to Reply and select Show original
You may customize a saved message with Cobalt Strike tokens Cobalt Strike
replaces these tokens when sending an email The tokens include
14 | P a g e
Token Description
To The email address of the person the message is sent to
To_Name The name of the person the message is sent to This token is only
available when importing a tab-separated file containing a name
URL The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message
template to point to the embedded URL URLs added in this way will contain a
token that allows Cobalt Strike to trace any visitor back to this Press to
choose one of the Cobalt Strike hosted sites youve started
Set Mail Server to an open relay or the mail exchange server for your target
Set Bounce To to an email address where bounced messages should go This
value will not affect the message your targets see Press Preview to see an
assembled message to one of your recipients If the preview looks good press
Send to start your attack
Cobalt Strikes spear phishing capability sends messages from your local client
If youre managing a remote server know that messages will come from your
local host and not the remote server
13 Web Drive-by Attacks
Firefox Add-on Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Add-on Attack. This tool will start a Metasploit® web server that serves a dynamically created Firefox add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks.
If a tasking is available, Beacon will download its tasks and execute them. This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains.
This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
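As an added defender-side example (not part of the Armitage or Cobalt Strike material), the following Python script looks for the regularity that such sleeping, asynchronous check-ins leave in web proxy logs, including the case where the payload rotates through several domains; the log format, client addresses and host names are constructed for this example.

```python
"""Flag periodic check-ins (beaconing) in web proxy logs.

Added example, not part of the Armitage or Cobalt Strike material: a payload
that sleeps, wakes and checks in for tasks over HTTP leaves evenly spaced
requests in the proxy log, even when it rotates through several domains.
The log format, client addresses and host names are constructed for this
example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO-8601 time> <client IP> <destination host>".
# 10.10.10.188 checks in every ~2 minutes, alternating between two domains;
# 10.10.10.189 is a person browsing an intranet site at irregular times.
SAMPLE_LOG = """\
2012-03-01T21:00:00 10.10.10.188 updates.example
2012-03-01T21:00:00 10.10.10.189 intranet.corp.example
2012-03-01T21:00:04 10.10.10.189 intranet.corp.example
2012-03-01T21:00:31 10.10.10.189 intranet.corp.example
2012-03-01T21:01:00 10.10.10.188 cdn.example
2012-03-01T21:02:00 10.10.10.188 updates.example
2012-03-01T21:03:01 10.10.10.188 cdn.example
2012-03-01T21:03:50 10.10.10.189 intranet.corp.example
2012-03-01T21:04:02 10.10.10.189 intranet.corp.example
2012-03-01T21:04:05 10.10.10.188 updates.example
2012-03-01T21:05:00 10.10.10.188 cdn.example
2012-03-01T21:06:00 10.10.10.188 updates.example
2012-03-01T21:07:03 10.10.10.188 cdn.example
2012-03-01T21:08:02 10.10.10.188 updates.example
2012-03-01T21:09:00 10.10.10.188 cdn.example
2012-03-01T21:09:15 10.10.10.189 intranet.corp.example
2012-03-01T21:09:16 10.10.10.189 intranet.corp.example
2012-03-01T21:10:00 10.10.10.188 updates.example
2012-03-01T21:11:01 10.10.10.188 cdn.example
2012-03-01T21:12:00 10.10.10.189 updates.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line, skipping the rest."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            stamp, client, host = match.groups()
            yield datetime.fromisoformat(stamp), client, host


def regularity(stamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps.

    The coefficient of variation (standard deviation / mean of the gaps) is
    near 0 for a fixed sleep interval with small jitter and well above 1 for
    human browsing. Fewer than two gaps cannot be judged, so report infinity.
    """
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0), float("inf")
    avg = mean(gaps)
    if avg <= 0:
        return avg, float("inf")
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_hits=6, max_cv=0.15):
    """Return {(client, host): summary} for pairs whose requests are regular."""
    hits = defaultdict(list)
    for stamp, client, host in parse_log(text):
        hits[(client, host)].append(stamp)
    flagged = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:  # not enough samples to call it periodic
            continue
        stamps.sort()
        avg, cv = regularity(stamps)
        if cv <= max_cv:
            flagged[key] = {"hits": len(stamps), "mean_gap_s": round(avg, 1), "cv": round(cv, 3)}
    return flagged


def beaconing_clients(text, **kwargs):
    """Group flagged pairs by client: a payload that rotates through several
    domains shows up as one client with several regular destinations."""
    by_client = defaultdict(list)
    for (client, host), info in find_beacons(text, **kwargs).items():
        by_client[client].append((host, info["mean_gap_s"]))
    return {client: sorted(pairs) for client, pairs in by_client.items()}


if __name__ == "__main__":
    for client, pairs in beaconing_clients(SAMPLE_LOG).items():
        print(client, pairs)
```

Thresholds such as min_hits and max_cv need tuning against real traffic; DNS-based check-ins would need the same test applied to resolver logs instead.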
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets--you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation--providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it.
Armitage aims to make this process easier for you. If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update.
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database).
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can install Armitage with a single command, but before running it you need to be the root user, so open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you now need to make sure you have a database startup script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit as a service option starts up the commercial/community edition of Metasploit on boot too. If you use this version--great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note
If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X.
There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download the MacOS X package, extract it, and double-click the Armitage.app file to get started.
Here are three MacOS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual Setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack ruby gem.
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the meantime.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important--do not run msfupdate and assume it will work. It's very important to stick with what you know works, or test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick Connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7 User Interface Format (GUI)
The user interface is very easy and friendly for a pentester as well as a hacker; it is made so easy that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation, Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console Format
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a Console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host Management
9.1 Dynamic Workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as indows. Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
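The Hosts, Ports, OS and sessions rules of the dynamic workspace dialog, implemented as an added Python example (not Armitage's own code): the host records are constructed, and treating a host as matching the Ports field when any one of the listed ports is open is an assumption of this example, not something the text states.

```python
"""Filter a host list the way an Armitage dynamic workspace does.

Added example, not Armitage's own code. It implements the dialog's rules as
described in the text: CIDR networks ("10.10.0.0/16"), the trailing-zero
shorthand ("192.168.95.0" means 192.168.95.0-255, "192.168.0.0" means
192.168.0.0-192.168.255.255), comma-and-space separated lists, partial
case-insensitive OS names ("indows") and the "hosts with sessions only" box.
Assumption (not stated on the page): a host matches the Ports field when at
least one of the listed ports is open on it.
"""
import ipaddress

# Constructed sample host records, modelled on the host report at the end of
# the page (IPs, OS strings and ports are illustrative only).
SAMPLE_HOSTS = [
    {"ip": "10.10.10.188", "os": "Microsoft Windows 7 SP0", "ports": [135, 139, 445], "sessions": 1},
    {"ip": "10.10.10.189", "os": "Microsoft Windows 7 SP0", "ports": [135, 139, 445], "sessions": 0},
    {"ip": "192.168.95.7", "os": "Linux", "ports": [22], "sessions": 0},
    {"ip": "192.168.200.3", "os": "Linux", "ports": [22, 80], "sessions": 0},
]


def split_list(field):
    """Split a dialog field on commas; the dialog asks for ', ' but ',' is tolerated."""
    return [part.strip() for part in field.split(",") if part.strip()]


def parse_network_description(desc):
    """Return a list of (first, last) IPv4Address pairs for a Hosts field."""
    ranges = []
    for item in split_list(desc):
        if "/" in item:
            net = ipaddress.IPv4Network(item, strict=False)
            ranges.append((net.network_address, net.broadcast_address))
            continue
        first = ipaddress.IPv4Address(item)
        octets = list(first.packed)
        # Trailing zero octets are wildcards: 192.168.95.0 covers .0 through
        # .255, and 192.168.0.0 covers 192.168.0.0 through 192.168.255.255.
        last = octets[:]
        for i in range(3, -1, -1):
            if octets[i] != 0:
                break
            last[i] = 255
        ranges.append((first, ipaddress.IPv4Address(bytes(last))))
    return ranges


def host_matches(host, hosts="", ports="", os="", sessions_only=False):
    """Apply every non-empty filter from the dialog to one host record."""
    if hosts:
        addr = ipaddress.IPv4Address(host["ip"])
        if not any(lo <= addr <= hi for lo, hi in parse_network_description(hosts)):
            return False
    if ports:
        wanted = {int(p) for p in split_list(ports)}
        if not wanted.intersection(host["ports"]):  # assumption: any listed port
            return False
    if os:
        names = [n.lower() for n in split_list(os)]
        if not any(n in host["os"].lower() for n in names):
            return False
    if sessions_only and host["sessions"] == 0:
        return False
    return True


def workspace_view(host_list, **filters):
    """Return the IPs of the hosts that would appear in the workspace."""
    return [h["ip"] for h in host_list if host_matches(h, **filters)]


if __name__ == "__main__":
    print(workspace_view(SAMPLE_HOSTS, os="indows", sessions_only=True))
```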
9.2 Importing Hosts
To add host information to Metasploit, you may import it. The Host -> Import Hosts menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database Maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic Exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side Exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for file format to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side Exploitation and Payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation
11.1 Managing Sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and External Tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote Connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.2 Multi-player Metasploit Setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH. The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver/remote address) or non-SSL (msfrpcd/localhost). You may connect Armitage to your teamserver locally; use the [external IP address] in the Host field. Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use. Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally. Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone Bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script Management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
39 | P a g e
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
22 tcp ssh SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

10.10.10.188
Operating System: Microsoft Windows 7 SP0
Name: WS2
MAC Address: 08:00:27:08:3f:1d
Services:
port proto name info
139 tcp
135 tcp
445 tcp smb Windows 7 Ultimate (Build 7600) (language:Unknown) (name:WS2) (domain:CORP)
Credentials:
user pass
administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises:
opened duration method
03-01-12 09:23:53 PM 1 minute Microsoft Windows Authenticated User Code Execution
03-01-12 09:11:42 PM unknown Generic Payload Handler
03-01-12 09:21:26 PM 1 minute Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
* Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services:
port proto name info
135 tcp
139 tcp
445 tcp smb Windows 7 Ultimate (Build 7600) (language:Unknown) (name:CEOSBOX) (domain:CORP)
Credentials:
user pass
administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
CORP\administrator e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises:
opened duration method
03-01-12 09:23:53 PM 1 minute Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM 1 minute Microsoft Windows Authenticated User Code Execution
Vulnerabilities:
* Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

19216812110
Operating System: Microsoft Windows 7
Name:
MAC Address:

192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01

192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services:
port proto name info
135 tcp
139 tcp
445 tcp smb Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services:
port proto name info
22 tcp ssh SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials:
user pass
jsokol joshrocks
Compromises:
opened duration method
03-01-12 09:16:58 PM unknown SSH Login Check Scanner
Vulnerabilities:
* SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11. Spear Phishing
Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template. Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:

Token    Description
To       The email address of the person the message is sent to.
To_Name  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
URL      The contents of the URL field in the spear phishing dialog.

Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this ... Press ... to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
13. Web Drive-By Attacks
Firefox Add-on Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit web server that serves a dynamically created Firefox Add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site, and embed the Firefox Add-on Attack URL.
14. Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler you must specify a URI to bind to and a port to start the Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15. VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16. Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks.
If a tasking is available, Beacon will download its tasks and execute them. This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains.
This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
10/20/12 Beaconing - Cobalt Strike www.advancedpentest.com/help-beacon 2/2
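The check-in pattern just described is also what a defender looks for in proxy logs: one host contacting a small set of domains at a steady interval while everything else on the network browses irregularly. The following Python script is an added example, not part of the original manual or of Cobalt Strike; it parses a constructed proxy-log excerpt and flags sources whose request intervals are nearly constant. The log format, the 60-second interval, the destination hostnames and the thresholds are all assumptions made for the illustration.

```python
"""Flag periodic check-ins ("beaconing") in a proxy log.  Added example; not Cobalt Strike code."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log excerpt: "<ISO timestamp> <client ip> <destination host>".
# 10.10.10.188 checks in every 60 s, alternating between two domains (the manual
# says Beacon may use several); 10.10.10.189 browses at irregular times.
SAMPLE_PROXY_LOG = """\
2012-03-01T21:00:00 10.10.10.188 cdn-updates.example
2012-03-01T21:00:02 10.10.10.189 mail.example
2012-03-01T21:01:00 10.10.10.188 status.example
2012-03-01T21:02:00 10.10.10.188 cdn-updates.example
2012-03-01T21:02:41 10.10.10.189 news.example
2012-03-01T21:03:00 10.10.10.188 status.example
2012-03-01T21:04:00 10.10.10.188 cdn-updates.example
2012-03-01T21:05:00 10.10.10.188 status.example
2012-03-01T21:09:13 10.10.10.189 mail.example
2012-03-01T21:11:00 10.10.10.189 news.example
2012-03-01T21:11:05 10.10.10.189 news.example
2012-03-01T21:30:00 10.10.10.189 mail.example
"""


def parse_log(text):
    """Return (timestamp, source, destination) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        stamp, src, dst = parts
        records.append((datetime.fromisoformat(stamp), src, dst))
    return records


def find_beacons(records, min_requests=5, max_cv=0.2):
    """Return {source: summary} for sources whose inter-request intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the intervals is the regularity
    score.  max_cv is a tunable assumption: a payload that adds sleep jitter needs a
    looser value.  Legitimately regular traffic (NTP, update checks) also scores
    low, so the result is a triage list, not a verdict.
    """
    by_source = defaultdict(list)
    for stamp, src, dst in records:
        by_source[src].append((stamp, dst))

    suspicious = {}
    for src, events in by_source.items():
        if len(events) < min_requests:
            continue
        events.sort()
        intervals = [
            (later[0] - earlier[0]).total_seconds()
            for earlier, later in zip(events, events[1:])
        ]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            suspicious[src] = {
                "interval_s": avg,
                "cv": round(cv, 3),
                "requests": len(events),
                "domains": sorted({dst for _, dst in events}),
            }
    return suspicious


if __name__ == "__main__":
    for src, summary in find_beacons(parse_log(SAMPLE_PROXY_LOG)).items():
        print(src, summary)
```

Running the script prints only 10.10.10.188, with a 60-second interval, a coefficient of variation of zero and the two domains it alternated between; the browsing host never reaches the regularity threshold. Rotating between domains does not hide the pattern because the grouping is by source host, not by destination.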
2. CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets: you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3. NECESSARY THINGS TO KNOW
To use Armitage it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module you must set one or more variables to configure the module. The exploit process is similar: to launch an exploit you must choose an exploit module, set one or more variables, and launch it.
Armitage aims to make this process easier for you. If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4. Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can install Armitage with a simple command, but you need to be the root user to run it, so open a terminal and type exactly:

    $ sudo su
    # apt-get install armitage

We need to enable the RPC daemon for Metasploit. Use this command in the terminal:

    root@bt:~# msfrpcd -f -U msf -P test -t Basic

Open a terminal. Add /usr/local/bin to $PATH:

    export PATH=$PATH:/usr/local/bin

Since Metasploit 4.1 you now need to make sure you have a database startup script:

    echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults

Now start the MySQL server so that Armitage stores results:

    root@bt:~# /etc/init.d/mysql start

This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the "Metasploit as a service" option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:

    root@bt:/pentest/exploits/armitage# ./armitage.sh

To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X.
There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OS X Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast-moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:

    msfrpcd -U msf -P password -S -f
5. Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack ruby gem.
6. Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:

    cd /path/to/metasploit/msf3
    source scripts/setenv.sh
    svn update -r [revision number]

This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:

    java -jar armitage.jar --client connect.prop

Here's an example connect.prop file:

    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles

If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
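Both connect.prop examples in this manual (the Cortana bot file in section 14.2 and the quick-connect file just above) use the same key=value format, and both carry passwords that are fine for a demo but not for a real team server that is reachable on port 55553. The following Python script is an added example, not part of Armitage or Cortana; it parses such a file and reports the problems a reviewer would flag before the file is used. The sample file, the list of documentation-default passwords, and the 12-character minimum are constructed assumptions.

```python
"""Parse and sanity-check an Armitage/Cortana connect.prop file.  Added example; not Armitage code."""
import ipaddress

# Constructed sample in the shape of the manual's Cortana example.
SAMPLE_CONNECT_PROP = """\
# team server connection for a Cortana bot
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
"""

REQUIRED_KEYS = ("host", "port", "user", "pass")
# Passwords that appear verbatim in documentation examples (constructed list).
# Anything on it is effectively published and must not protect a live team server.
DOCUMENTATION_DEFAULTS = {"password", "test", "bojangles"}
MIN_PASSWORD_LENGTH = 12  # assumption for this example


def parse_properties(text):
    """Minimal Java .properties reader: one key=value per line, # or ! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError(f"malformed properties line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def validate_connect_prop(props):
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"missing required key: {key}")

    port = props.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port must be 1-65535, got {port!r}")

    host = props.get("host", "")
    if host:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            # Hostnames are allowed; only reject values that cannot be a hostname.
            if any(ch.isspace() for ch in host):
                problems.append(f"host contains whitespace: {host!r}")

    password = props.get("pass", "")
    if password.lower() in DOCUMENTATION_DEFAULTS:
        problems.append("pass is a documentation example value; choose a unique one")
    elif password and len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"pass is shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems


if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONNECT_PROP)
    for problem in validate_connect_prop(props) or ["no problems found"]:
        print(problem)
```

On the sample above the only finding is the documentation-default password; the optional nick key is parsed but not required, matching the quick-connect file, which omits it.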
7. User interface format (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage a cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8. Console format
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a Console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color:
9. Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as indows. Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
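To make the matching rules above concrete, here is an added Python example (not Armitage code) that applies the same four filters to a constructed host list. It handles CIDR descriptions, the trailing-zero shortcut generalized so that each trailing .0 octet widens the match by eight bits (the manual shows the /24 and /16 cases), comma-and-space separated lists, the case-insensitive partial OS match, and the sessions-only switch. The host records and their addresses are constructed, and treating the Ports field as "at least one listed port is open" is an assumption.

```python
"""Apply Armitage-style dynamic-workspace filters to a host list.  Added example; not Armitage code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """One host record, shaped like the host entries in this manual's reports."""
    address: str
    os_name: str = ""
    ports: set = field(default_factory=set)
    sessions: int = 0


# Constructed inventory; the addresses and names are made up for the example.
SAMPLE_HOSTS = [
    Host("10.10.3.4", "Microsoft Windows 7 SP0", {135, 139, 445}, sessions=1),
    Host("10.11.0.1", "Linux Ubuntu", {22}),
    Host("192.168.95.77", "Microsoft Windows XP SP2", {139, 445}),
    Host("192.168.200.9", "Linux Ubuntu", {22, 80}, sessions=1),
]


def parse_network(desc):
    """Turn one network description into an ip_network.

    "10.10.0.0/16" is taken literally.  Without a prefix, each trailing .0 octet
    widens the match by 8 bits, so "192.168.95.0" means 192.168.95.0-255 and
    "192.168.0.0" means 192.168.0.0-192.168.255.255 (generalized from the manual);
    an address with no trailing zero octet matches only itself.
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad network description: {desc!r}")
    trailing_zeros = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zeros += 1
    prefix = 32 - 8 * trailing_zeros
    return ipaddress.ip_network(f"{desc}/{prefix}", strict=False)


def split_list(text):
    """The dialog fields accept several values separated by a comma and a space."""
    return [item for item in text.split(", ") if item.strip()]


def filter_hosts(hosts, networks="", ports="", os_filter="", sessions_only=False):
    """Return the addresses of hosts matching every non-empty criterion, in input order."""
    nets = [parse_network(n) for n in split_list(networks)]
    wanted_ports = {int(p) for p in split_list(ports)}
    os_terms = [term.lower() for term in split_list(os_filter)]

    selected = []
    for host in hosts:
        addr = ipaddress.ip_address(host.address)
        if nets and not any(addr in net for net in nets):
            continue
        # Ports: the host qualifies if it offers at least one listed service (assumption).
        if wanted_ports and not (wanted_ports & host.ports):
            continue
        # OS: case-insensitive substring match, so "indows" matches every Windows host.
        if os_terms and not any(term in host.os_name.lower() for term in os_terms):
            continue
        if sessions_only and host.sessions == 0:
            continue
        selected.append(host.address)
    return selected


if __name__ == "__main__":
    print(filter_hosts(SAMPLE_HOSTS, networks="10.10.0.0/16, 192.168.95.0"))
    print(filter_hosts(SAMPLE_HOSTS, os_filter="indows"))
    print(filter_hosts(SAMPLE_HOSTS, networks="192.168.0.0", sessions_only=True))
```

The strict=False argument lets a description such as 10.10.3.4/16 pass through as 10.10.0.0/16 instead of raising, which is the forgiving behaviour a dialog field needs.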
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap Scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Host -> Nmap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Create Database.
10. Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for file format to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and External Tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote Connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.2 Multi-Player Metasploit Setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH. The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field. Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
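A check a team member can run before trusting the fingerprint the team server shows, as an added example that is not part of the Armitage manual or the Armitage code: it normalizes a fingerprint pasted either as colon-separated pairs or as a bare hex string, compares it in constant time, and can fetch the live certificate on port 55553 to compute its SHA-1. The sample DER bytes and the host and port defaults are constructed; how Armitage itself formats the fingerprint string is not specified here, so both common forms are accepted.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators.
    Raises ValueError if the result is not a 40-hex-digit SHA-1."""
    digits = "".join(ch for ch in text.strip().lower() if ch not in ": ")
    if len(digits) != 40 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return digits


def sha1_fingerprint(der_bytes):
    """SHA-1 over the DER-encoded certificate, rendered as colon-separated byte pairs."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(expected, presented):
    """Constant-time comparison of two fingerprints given in either format.
    Anything that is not a well-formed SHA-1 fingerprint is treated as a mismatch."""
    try:
        a = normalize_fingerprint(expected)
        b = normalize_fingerprint(presented)
    except ValueError:
        return False
    return hmac.compare_digest(a, b)


def fetch_server_fingerprint(host, port=55553, timeout=5.0):
    """Open a TLS connection without chain validation (the team server presents a
    self-signed certificate, so there is no chain to validate) and return the SHA-1
    of the certificate it sends. Network call; the offline checks below do not use it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha1_fingerprint(der)


# Constructed stand-in for a DER-encoded certificate; not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    shown = sha1_fingerprint(FAKE_DER)
    print("server presents:", shown)
    # The same value pasted in upper case without colons must still match.
    print("match:", fingerprints_match(shown.upper(), shown.replace(":", "")))
```

The mismatch path matters as much as the match: a fingerprint that differs in a single digit must be rejected, and hmac.compare_digest rather than == keeps the comparison from leaking where the first difference sits.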
13.3 Multi-Player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use. Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally. Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone Bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example:
connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script Management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
10.10.10.189
Operating System: Microsoft Windows 7 SP0
Name: CEOSBOX
MAC Address: 08:00:27:78:78:fb
Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows 7 Ultimate (Build 7600) (language: Unknown) (name: CEOSBOX) (domain: CORP)
Credentials
user  pass
administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
CORP\administrator  e52cac67419a9a22d419bc5eacf63c92:83414a69a47afeec7e3a37d05a81dc3b
Compromises
opened  duration  method
03-01-12 09:23:53 PM  1 minute  Microsoft Windows Authenticated User Code Execution
03-01-12 09:21:28 PM  1 minute  Microsoft Windows Authenticated User Code Execution
Vulnerabilities
• Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the psexec utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
19216812110
Operating System: Microsoft Windows 7
Name:
MAC Address:
192.168.57.1
Operating System: Linux Ubuntu
Name: 192.168.57.1
MAC Address: 0a:00:27:00:00:01
192.168.57.8
Operating System: Microsoft Windows XP SP2
Name:
MAC Address: 08:00:27:3b:3b:dd
Services
port  proto  name  info
135   tcp
139   tcp
445   tcp    smb   Windows XP Service Pack 2 (language: English) (name: JOSHDEV) (domain: CORP)
192.168.57.18
Operating System: Linux Ubuntu
Name:
MAC Address: 08:00:27:e9:f9:8e
Services
port  proto  name  info
22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Credentials
user  pass
jsokol  joshrocks
Compromises
opened  duration  method
03-01-12 09:16:58 PM  unknown  SSH Login Check Scanner
Vulnerabilities
• SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11 SPEAR PHISHING
Cobalt Strike's spear phishing tool allows you to send pixel perfect spear phishing messages using an arbitrary message as a template. Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
Token    Description
To       The email address of the person the message is sent to
To_Name  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name
URL      The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this ... Press ... to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
13 Web Drive-By Attacks
Firefox Addon Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit® web server that serves a dynamically created Firefox Add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox addon, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks.
If a tasking is available, Beacon will download its tasks and execute them. This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
(Source: "Beaconing - Cobalt Strike", www.advancedpentest.com/help-beacon, printed 10/20/12)
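The same sleep-then-call-home behaviour is what a defender looks for in outbound logs. As an added example, not taken from the Cobalt Strike or Armitage documentation, the script below groups proxy records per client and destination, measures the gaps between requests, and flags series whose interval is nearly constant; it then merges one client's flagged destinations to show that rotating through several domains still leaves a regular combined schedule. The log format, the thresholds (at least three hits, coefficient of variation at most 0.15) and the log lines themselves are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-style log: "ISO timestamp  client address  destination host".
# Not real traffic; the .invalid TLD is reserved and never resolves.
SAMPLE_LOG = """\
2012-10-20T09:00:00 10.10.10.189 cdn-a.example.invalid
2012-10-20T09:00:07 10.10.10.189 www.example.invalid
2012-10-20T09:01:00 10.10.10.189 cdn-b.example.invalid
2012-10-20T09:01:55 10.10.10.45 news.example.invalid
2012-10-20T09:02:00 10.10.10.189 cdn-a.example.invalid
2012-10-20T09:02:57 10.10.10.189 cdn-b.example.invalid
2012-10-20T09:03:12 10.10.10.45 mail.example.invalid
2012-10-20T09:04:00 10.10.10.189 cdn-a.example.invalid
2012-10-20T09:05:02 10.10.10.189 cdn-b.example.invalid
2012-10-20T09:08:40 10.10.10.45 news.example.invalid
2012-10-20T09:20:10 10.10.10.45 news.example.invalid
"""


def parse_log(text):
    """Parse one record per line into (datetime, client, destination) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, client, dest = line.split()
        records.append((datetime.fromisoformat(stamp), client, dest))
    return records


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) for a series of
    timestamps, or None when there are too few gaps to judge regularity."""
    ordered = sorted(times)
    gaps = [(later - earlier).total_seconds()
            for earlier, later in zip(ordered, ordered[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(records, min_hits=3, max_cv=0.15):
    """Per (client, destination) pair, flag series that call out at a nearly constant
    interval. Returns {client: {destination: rounded period in seconds}}.
    The thresholds are assumptions to tune against real traffic; a small jitter
    budget is allowed because implants rarely sleep for exactly the same time twice."""
    by_pair = defaultdict(list)
    for when, client, dest in records:
        by_pair[(client, dest)].append(when)
    flagged = defaultdict(dict)
    for (client, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue
        stats = interval_stats(times)
        if stats is not None and stats[1] <= max_cv:
            flagged[client][dest] = round(stats[0])
    return dict(flagged)


def merged_period(records, client, dests, max_cv=0.15):
    """Merge one client's call-outs to all of its flagged destinations and return the
    combined period, or None if the merged series is not regular. A payload that
    rotates through several domains shows up here as a tighter schedule than any
    single domain does, so blocking one domain does not remove the pattern."""
    times = [when for when, c, d in records if c == client and d in dests]
    stats = interval_stats(times)
    if stats is None or stats[1] > max_cv:
        return None
    return round(stats[0])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = find_beacons(recs)
    for client, dests in hits.items():
        print(client, dests, "merged period:", merged_period(recs, client, set(dests)))
```

In the constructed data, 10.10.10.45 browses three times to the same news site at irregular gaps and is not flagged, while 10.10.10.189 alternates between two hosts every two minutes each; merged, its call-outs land every 60 seconds.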
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets--you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation--providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu, you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools, you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it.
Armitage aims to make this process easier for you. If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later
2. Install Oracle's Java 1.7 (JRE or JDK)
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5. Make sure you're the Administrator user
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g., c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies
3. After installation, type /opt/framework/app/msfupdate to update Metasploit
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu)
You can install Armitage with a simple command, but before you execute this command you need to be the root user. Open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside being that the Metasploit as a service option starts up the commercial/community edition of Metasploit on boot too. If you use this version--great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3. 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X.
There is a lot of manual setup involved getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download the MacOS X package, extract it, and double-click the Armitage.app file to get started.
Here are three MacOS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them, though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual Setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH
$MSF_DATABASE_CONFIG points to a YAML file
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage
the msgpack ruby gem
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important--do not run msfupdate and assume it will work. It's very important to stick with what you know works or test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick Connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7 User Interface (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g., launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation, Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console
Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a Console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host Management
9.1 Dynamic Workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
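To make the matching rules concrete, here is an added example (not Armitage code) that applies a dynamic-workspace definition to a small, constructed host table: CIDR and the two padding shortcuts for the Hosts field, comma-and-space separated ports and OS fragments, case-insensitive partial OS matching, and the sessions-only switch. It generalizes the padding rule to any number of trailing zero octets; the host records, and the reading that a host matches when any listed network, port or OS fragment applies, are assumptions.

```python
import ipaddress

# Constructed host records standing in for Metasploit's hosts table (not from the manual).
HOSTS = [
    {"address": "10.10.10.189", "os": "Microsoft Windows 7 SP0", "ports": [135, 139, 445], "sessions": 2},
    {"address": "192.168.95.7", "os": "Microsoft Windows XP SP2", "ports": [135, 139, 445], "sessions": 0},
    {"address": "192.168.57.18", "os": "Linux Ubuntu", "ports": [22], "sessions": 1},
    {"address": "192.168.1.20", "os": "Linux Ubuntu", "ports": [22, 80], "sessions": 0},
    {"address": "10.10.200.5", "os": "Microsoft Windows 7", "ports": [3389], "sessions": 0},
]


def expand_network(description):
    """Turn one Hosts-field entry into a network. CIDR is taken as written. A bare
    address is widened by its trailing zero octets, which covers the two shortcuts the
    manual gives (a.b.c.0 -> /24, a.b.0.0 -> /16) and, by the same rule, a.0.0.0 -> /8;
    an address with no trailing zero octet stays a single host (/32)."""
    description = description.strip()
    if "/" in description:
        return ipaddress.ip_network(description, strict=False)
    octets = description.split(".")
    if len(octets) != 4:
        raise ValueError("expected dotted-quad or CIDR: %r" % description)
    zero_tail = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        zero_tail += 1
    prefix = 32 - 8 * min(zero_tail, 3)
    return ipaddress.ip_network("%s/%d" % (description, prefix), strict=False)


def split_field(field):
    """Fields are 'separated with a comma and a space'; an empty field means no constraint."""
    return [item for item in field.split(", ") if item] if field else []


def workspace_filter(hosts, networks="", ports="", os_names="", sessions_only=False):
    """Apply a dynamic-workspace definition to the host records and return the matching
    addresses in their original order. A host is kept when it falls in any listed
    network, has any listed port open, and its OS name contains any listed fragment
    (case-insensitive); the any-of reading of each field is an assumption."""
    nets = [expand_network(n) for n in split_field(networks)]
    wanted_ports = {int(p) for p in split_field(ports)}
    os_parts = [part.lower() for part in split_field(os_names)]
    selected = []
    for host in hosts:
        addr = ipaddress.ip_address(host["address"])
        if nets and not any(addr in net for net in nets):
            continue
        if wanted_ports and not wanted_ports.intersection(host["ports"]):
            continue
        if os_parts and not any(part in host["os"].lower() for part in os_parts):
            continue
        if sessions_only and not host["sessions"]:
            continue
        selected.append(host["address"])
    return selected


if __name__ == "__main__":
    # Windows hosts anywhere in 192.168.0.0/16, using the "indows" partial name.
    print(workspace_filter(HOSTS, networks="192.168.0.0", os_names="indows"))
    # Hosts with SSH or SMB open that already have a session.
    print(workspace_filter(HOSTS, ports="22, 445", sessions_only=True))
```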
9.2 Importing Hosts
To add host information to Metasploit, you may import it. The Hosts -> Import Hosts menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
93 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit The Host -gt NMap Scan menu
has several scanning options
Optionally you may type d b _ n m a p in a console to launch NMap with the
options you choose
NMap scans do not use the pivots you have set up
9.4 MSF Scans
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose. Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Hosts -> MSF Scans to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Hosts -> DNS Enumerate to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database Maintenance
Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Hosts -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic Exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn: it finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try. Because it fires every candidate exploit at each host, it is also loud and can crash fragile services, so use it only when that is acceptable on the engagement.
10.5 Client-side Exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side Exploits and Payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post-Exploitation
11.1 Managing Sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and External Tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scans feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
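The proxy that Armitage -> SOCKS Proxy starts is Metasploit's SOCKS4a server module, and an external tool can only push plain TCP connections through it; that is why a SYN scan or an ICMP ping sweep never traverses a pivot this way. The following added example (my code, not Metasploit's or Armitage's) shows the CONNECT handshake such a tool performs on every connection. The proxy address 127.0.0.1:1080 is an assumption (the module's default port), and the request and reply layouts are from the SOCKS4/SOCKS4a specification; a hostname is sent SOCKS4a-style so the proxy resolves it inside the pivoted network instead of on your own host.

```python
"""SOCKS4/SOCKS4a CONNECT handshake as an external tool performs it (added example)."""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "request rejected: identd not reachable",
    0x5D: "request rejected: identd user mismatch",
}
DEFAULT_PROXY = ("127.0.0.1", 1080)  # assumed: Metasploit's socks4a module default port


def build_connect_request(dest: str, port: int, userid: str = "") -> bytes:
    """VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL].

    A literal IPv4 address goes in DSTIP. A hostname uses the SOCKS4a form:
    DSTIP is 0.0.0.x (x != 0) and the name follows the user ID, so the proxy
    resolves it on the far side of the pivot."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    try:
        dst_ip = socket.inet_aton(dest)
        tail = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"
        tail = dest.encode("idna") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, dst_ip)
    return header + userid.encode("ascii") + b"\x00" + tail


def parse_reply(data: bytes):
    """Parse the fixed 8-byte reply: VN(0) CD(1) DSTPORT(2) DSTIP(4).
    Returns (granted, description, bound_port, bound_ip)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply (%d bytes)" % len(data))
    vn, cd, bport, bip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    return cd == REPLY_GRANTED, REPLY_CODES.get(cd, "unknown code 0x%02x" % cd), bport, socket.inet_ntoa(bip)


def connect_via_socks4(dest: str, port: int, proxy=DEFAULT_PROXY, timeout: float = 10.0) -> socket.socket:
    """Open a TCP connection to dest:port through the proxy and return the socket.
    Everything sent on the returned socket now travels through the pivot."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_connect_request(dest, port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection during the handshake")
            reply += chunk
        granted, text, _, _ = parse_reply(reply)
        if not granted:
            raise ConnectionError("SOCKS4 proxy: %s" % text)
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    print(build_connect_request("10.10.1.5", 445).hex())
    print(build_connect_request("intranet.corp", 80, "msf"))
    print(parse_reply(b"\x00\x5a\x00\x00\x00\x00\x00\x00"))
```

With proxychains pointed at the same proxy (a "socks4 127.0.0.1 1080" line in proxychains.conf), run nmap as "proxychains nmap -sT -Pn -n ..." so that it performs full TCP connects and skips the host discovery and DNS lookups that would otherwise go around the tunnel.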
13 Remote Metasploit
13.1 Remote Connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network as if you were local to it.
13.2 Multi-player Metasploit Setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:

    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Note that the password is passed on the command line, so it is visible to other local users in the process list; use a throwaway one. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs; you may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match, using a channel they already trust to obtain your copy; a mismatch means the client is not talking to the server you started.
Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
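The fingerprint comparison above is the only thing standing between a team member and a server that is merely listening on the right port, so it is worth doing mechanically rather than by eye. The following added example (my code, not Armitage's) fetches the certificate a running team server presents, hashes it with SHA-1, and compares the result with the value you read out of the teamserver console. It assumes the hash is taken over the DER-encoded certificate (the usual convention) and normalises case and colon separators before comparing, since the exact display format is not spelled out here. CONSTRUCTED_PEM is a fake certificate built so the offline check below has a known answer (its body is just base64 of "abc"); it is not a real certificate.

```python
"""Verify a team server's SHA-1 certificate fingerprint (added example, not Armitage code)."""
import base64
import hashlib
import hmac
import ssl


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    if not body:
        raise ValueError("no certificate body found")
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem: str) -> str:
    """Colon-separated upper-case SHA-1 of the DER certificate, e.g. 'A9:99:3E:...'."""
    digest = hashlib.sha1(pem_to_der(pem)).digest()
    return ":".join("%02X" % b for b in digest)


def normalise(fp: str) -> str:
    """Make 'A9:99:3E ...', 'a9993e...' and a value with stray spaces comparable."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def fingerprints_match(expected: str, presented: str) -> bool:
    """Compare two fingerprints in constant time; a non-SHA-1-length value is a typo, not a match."""
    a, b = normalise(expected), normalise(presented)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


def presented_fingerprint(host: str, port: int = 55553) -> str:
    """Fetch the certificate a live team server presents and fingerprint it.

    No chain validation is attempted: the teamserver certificate is self-signed,
    which is exactly why the out-of-band comparison matters."""
    return sha1_fingerprint(ssl.get_server_certificate((host, port)))


# Constructed for the offline check: base64("abc"), not a real certificate.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    fp = sha1_fingerprint(CONSTRUCTED_PEM)
    print("fingerprint:", fp)
    print("matches value read from the console:",
          fingerprints_match("a9993e364706816aba3e25717850c26c9cd0d89d", fp))
```

In use, call presented_fingerprint with the team server's external address and pass the result together with the value the server printed at start-up to fingerprints_match; refuse to proceed on False.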
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a marker next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone Bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script (the on ready block runs once the bot has connected to the team server):

    # helloworld.cna: print a greeting once connected, then exit
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example:

    # connect.prop: team server address, port, credentials, and the bot's nickname
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script Management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Sample host report

Host 19216812110
  Operating System: Microsoft Windows 7
  Name:
  MAC Address:

Host 192.168.57.1
  Operating System: Linux Ubuntu
  Name: 192.168.57.1
  MAC Address: 0a:00:27:00:00:01

Host 192.168.57.8
  Operating System: Microsoft Windows XP SP2
  Name:
  MAC Address: 08:00:27:3b:3b:dd
  Services:
    Port  Proto  Name  Info
    135   tcp
    139   tcp
    445   tcp    smb   Windows XP Service Pack 2 (language:English) (name:JOSHDEV) (domain:CORP)

Host 192.168.57.18
  Operating System: Linux Ubuntu
  Name:
  MAC Address: 08:00:27:e9:f9:8e
  Services:
    Port  Proto  Name  Info
    22    tcp    ssh   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
  Credentials:
    User    Pass
    jsokol  joshrocks
  Compromises:
    Opened                Duration  Method
    03-01-12 09:16:58 PM  unknown   SSH Login Check Scanner
  Vulnerabilities:
    * SSH Login Check Scanner
      This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11 Spear Phishing
Cobalt Strike's spear phishing tool allows you to send pixel-perfect spear phishing messages using an arbitrary message as a template.
Set Targets to import a list of targets. You may import a flat text file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
    Token      Description
    %To%       The email address of the person the message is sent to
    %To_Name%  The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
    %URL%      The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this message. Press ... to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
13 Web Drive-by Attacks
Firefox Add-on Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Add-on Attack. This tool will start a Metasploit web server that serves a dynamically created Firefox add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox add-on, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server on. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
2 Cyber Attack Management
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets: you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system as if you were local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 Necessary Things to Know
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database).
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory (e.g. c:\metasploit). You will only need to do this once.
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
If your distribution packages Armitage (BackTrack does), you can install it with a single command, but you need to be root first, so open a terminal and type exactly:

    $ sudo su
    # apt-get install armitage

We need to enable the RPC daemon for Metasploit. Use this command in the terminal (pick a real password instead of "test" if anything other than localhost can reach the daemon):

    root@bt:~# msfrpcd -f -U msf -P test -t Basic

Open a terminal and add /usr/local/bin to $PATH:

    export PATH=$PATH:/usr/local/bin

Since Metasploit 4.1 you also need to make sure you have a database startup script:

    echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults

The script name must be the same on all four lines, and the single quotes keep $* from being expanded by your own shell while the script is written.
Now start the MySQL server:

    root@bt:~# /etc/init.d/mysql start

Note that Metasploit stores its results in PostgreSQL (no other database is supported; see Manual Setup below), so this MySQL step is not needed for Armitage to record results.
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:

    root@bt:/pentest/exploits/armitage# ./armitage.sh

To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: if you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack 5r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r1 and 5r0 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.4 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them, though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast-moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:

    msfrpcd -U msf -P password -S -f

The -S flag disables SSL on the RPC listener, which is fine only because Armitage connects to it on localhost; for a server reachable from other hosts, use the teamserver setup described later instead.
5 Manual Setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack Ruby gem.
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a Subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:

    cd /path/to/metasploit/msf3
    source scripts/setenv.sh
    svn update -r [revision number]

This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Met
asploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick Connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:

    java -jar armitage.jar --client connect.prop

Here's an example connect.prop file:

    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles

If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server. Since the file holds the RPC password in clear text, keep it readable only by your own user.
7 User Interface (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage a cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu:
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right click the targets area with no selected hosts to configure the layout and
zoom-level of the targets area
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation, Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color:
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
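The filtering rules above (network shorthand, comma-separated lists, case-insensitive partial OS match, sessions-only, all criteria combined) written out as a small filter. This is an added example in Python, not Armitage's own code; the host records and workspace definitions are constructed to illustrate the rules.

```python
"""Dynamic-workspace filter modelled on the Hosts/Ports/OS/sessions-only rules.
Added example, not Armitage's code; host records below are constructed."""
import ipaddress
from typing import Dict, List


def expand_network(desc: str) -> ipaddress.IPv4Network:
    """Turn one Armitage-style network description into a network object.

    '10.10.0.0/16' is taken literally.  A plain address is widened by its
    trailing .0 octets, as the manual describes: '192.168.95.0' -> /24,
    '192.168.0.0' -> /16.  A full address such as '10.10.0.5' stays a /32.
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 network description: {desc!r}")
    trailing_zero = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zero += 1
    prefix = 32 - 8 * trailing_zero
    return ipaddress.ip_network(f"{desc}/{prefix}", strict=False)


def _split_list(field: str) -> List[str]:
    """Fields are 'comma and a space' separated; a missing space is tolerated."""
    return [item.strip() for item in field.split(",") if item.strip()]


def host_in_workspace(host: Dict, workspace: Dict) -> bool:
    """Every non-empty criterion must hold (AND); within a field any entry may match (OR)."""
    nets = workspace.get("hosts", "")
    if nets:
        addr = ipaddress.ip_address(host["ip"])
        if not any(addr in expand_network(n) for n in _split_list(nets)):
            return False
    ports = workspace.get("ports", "")
    if ports:
        wanted = {int(p) for p in _split_list(ports)}
        if not wanted & set(host["ports"]):
            return False
    oses = workspace.get("os", "")
    if oses:
        name = host["os"].lower()  # partial, case-insensitive match
        if not any(fragment.lower() in name for fragment in _split_list(oses)):
            return False
    if workspace.get("sessions_only") and host["sessions"] == 0:
        return False
    return True


def select_hosts(hosts: List[Dict], workspace: Dict) -> List[str]:
    """IP addresses of the hosts the workspace would display, in table order."""
    return [h["ip"] for h in hosts if host_in_workspace(h, workspace)]


# Constructed host records standing in for rows of the Metasploit hosts table.
SAMPLE_HOSTS = [
    {"ip": "10.10.0.5",     "ports": {22, 80},   "os": "Linux 2.6",            "sessions": 1},
    {"ip": "10.10.3.200",   "ports": {139, 445}, "os": "Microsoft Windows XP", "sessions": 0},
    {"ip": "192.168.95.17", "ports": {445},      "os": "Windows 7",            "sessions": 2},
    {"ip": "172.16.1.1",    "ports": {22},       "os": "Cisco IOS",            "sessions": 0},
]

if __name__ == "__main__":
    windows_view = {"hosts": "10.10.0.0/16, 192.168.95.0", "os": "indows"}
    print(select_hosts(SAMPLE_HOSTS, windows_view))
```

The widening rule is applied only to addresses given without a prefix length, so a workspace that really means the single host 192.168.95.0 should be written as 192.168.95.0/32.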
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g., an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the hail mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for "file format" to find exploits that trigger when a user opens a malicious file. Search for "browser" to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a Payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation
11.1 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully exploit a host. Hosts running a meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
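The SOCKS4 exchange that sits between an external tool and the pivot proxy, as an added example (not Metasploit's or Armitage's proxy code). It follows the public SOCKS4 wire format, so a defender reviewing a capture can decode the requests a pivoted tool sends, and it shows the one decision the proxy side makes: a CONNECT is granted only when the destination lies in a pivoted subnet. The addresses, port and subnet are constructed sample values.

```python
"""SOCKS4 request/reply codec plus a pivot-aware grant decision.
Added example, not project code.  Wire format: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL."""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable

SOCKS_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
REPLY_GRANTED = 90
REPLY_REJECTED = 91
_HEADER = struct.Struct("!BBH4s")  # network byte order


def build_request(dst_ip: str, dst_port: int, user_id: str = "",
                  command: int = CMD_CONNECT) -> bytes:
    """Client side: what a SOCKS4-aware tool sends to the proxy."""
    header = _HEADER.pack(SOCKS_VERSION, command, dst_port, IPv4Address(dst_ip).packed)
    return header + user_id.encode("ascii") + b"\x00"


def parse_request(data: bytes) -> Dict:
    """Decode one request; raises ValueError for anything that is not SOCKS4."""
    if len(data) < _HEADER.size + 1:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port, ip = _HEADER.unpack_from(data)
    if vn != SOCKS_VERSION:
        raise ValueError(f"unexpected version byte {vn}")
    if cd not in (CMD_CONNECT, CMD_BIND):
        raise ValueError(f"unknown command {cd}")
    nul = data.find(b"\x00", _HEADER.size)
    if nul < 0:
        raise ValueError("user id not NUL-terminated")
    return {"command": cd, "dst_ip": str(IPv4Address(ip)), "dst_port": port,
            "user_id": data[_HEADER.size:nul].decode("ascii", "replace")}


def build_reply(granted: bool, dst_ip: str = "0.0.0.0", dst_port: int = 0) -> bytes:
    """Server side: replies carry VN=0 and CD=90 (granted) or 91 (rejected)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return _HEADER.pack(0, code, dst_port, IPv4Address(dst_ip).packed)


def parse_reply(data: bytes) -> Dict:
    vn, cd, port, ip = _HEADER.unpack_from(data)
    if vn != 0:
        raise ValueError(f"unexpected reply version byte {vn}")
    return {"granted": cd == REPLY_GRANTED, "code": cd,
            "dst_ip": str(IPv4Address(ip)), "dst_port": port}


def handle_request(data: bytes, pivoted_subnets: Iterable[str]) -> bytes:
    """Proxy policy: grant CONNECT only to hosts reachable through a pivot."""
    try:
        req = parse_request(data)
    except ValueError:
        return build_reply(False)
    reachable = any(IPv4Address(req["dst_ip"]) in IPv4Network(s) for s in pivoted_subnets)
    ok = req["command"] == CMD_CONNECT and reachable
    return build_reply(ok, req["dst_ip"], req["dst_port"])


if __name__ == "__main__":
    # Constructed exchange: a tool asks for 10.10.1.7:445 through a pivot into 10.10.1.0/24.
    wire = build_request("10.10.1.7", 445, "msf")
    print(parse_request(wire))
    print(parse_reply(handle_request(wire, ["10.10.1.0/24"])))
```

Because SOCKS4 carries the destination as a raw IPv4 address, every name a browser resolves before using this proxy is resolved on the client, not through the pivot; that is worth remembering when reading proxy or DNS logs from either side.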
13.2 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external ip address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH. The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally; use the [external IP address] in the Host field. Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
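The fingerprint check the text asks team members to perform, as an added example in Python (not Armitage's code). It implements the two rules stated above: the fingerprint is the SHA-1 of the certificate the server presents, and a loopback address means the plain msfrpcd path with no certificate to check. The certificate bytes in the demo are constructed stand-ins; `fetch_presented_fingerprint` shows how the real bytes would be obtained with the standard library.

```python
"""Team server fingerprint verification.  Added example, not Armitage's code."""
import hashlib
import hmac
import ipaddress
import ssl
from typing import Optional


def fingerprint_sha1(cert_der: bytes) -> str:
    """Lower-case hex SHA-1 of the certificate exactly as the peer sent it."""
    return hashlib.sha1(cert_der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' spellings so a value read off a screen still compares."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprints_match(expected: str, presented: str) -> bool:
    """Constant-time comparison; a mismatch means the peer is not the server that printed the fingerprint."""
    return hmac.compare_digest(normalize(expected), normalize(presented))


def uses_ssl(host: str) -> bool:
    """The rule from the text: loopback means plain msfrpcd, anything else means the SSL team server."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() != "localhost"


def fetch_presented_fingerprint(host: str, port: int = 55553) -> Optional[str]:
    """Hash whatever certificate the peer presents (no CA validation; the out-of-band
    fingerprint comparison is the check).  Returns None for a non-SSL loopback target.
    Needs network access, so it is not exercised by the demo below."""
    if not uses_ssl(host):
        return None
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_sha1(ssl.PEM_cert_to_DER_cert(pem))


def decide(expected: str, host: str, cert_der: bytes) -> str:
    """Outcome a client should reach before sending the team password."""
    if not uses_ssl(host):
        return "plain msfrpcd on loopback; no fingerprint to check"
    presented = fingerprint_sha1(cert_der)
    if fingerprints_match(expected, presented):
        return "fingerprint matches; proceed"
    return f"MISMATCH: expected {normalize(expected)} but server presented {presented}"


if __name__ == "__main__":
    # Constructed certificate bytes; a real run would use fetch_presented_fingerprint().
    server_cert = b"constructed DER bytes for the team server"
    print(decide(fingerprint_sha1(server_cert), "192.168.95.241", server_cert))
    print(decide(fingerprint_sha1(server_cert), "192.168.95.241", b"a different certificate"))
```

The expected value should travel to team members over a channel other than the connection being verified (the text's "present a server fingerprint" at startup), otherwise an interposer could supply both the certificate and the hash that matches it.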
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use. Some Metasploit modules require you to specify one or more files. If a file option has a next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally. Some meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Credentials
user      pass
jsokol    joshrocks
Compromises
opened                  duration    method
03-01-12 09:16:58 PM    unknown     SSH Login Check Scanner
Vulnerabilities
• SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
11 SPEAR PHISHING
Cobalt Strike's spear phishing tool allows you to send pixel perfect spear phishing messages using an arbitrary message as a template. Set Targets to import a list of targets. You may import a flat text-file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.
Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you. Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.
You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:
Token      Description
To         The email address of the person the message is sent to
To_Name    The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
URL        The contents of the URL field in the spear phishing dialog
Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this. Press to choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target. Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client. If you're managing a remote server, know that messages will come from your local host and not the remote server.
13 Web Drive-By Attacks
Firefox Addon Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This tool will start a Metasploit® web-server that serves a dynamically created Firefox Add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox addon, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web-server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web-server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
10/20/12 Beaconing - Cobalt Strike www.advancedpentest.com/help-beacon 2/2
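The behaviour just described (an implant that sleeps, then checks in over HTTP at a fixed interval) leaves a regular rhythm in proxy logs that a defender can look for. The following detector is an added example, not Cobalt Strike's or any vendor's code: it groups contacts per (client, destination) pair and flags pairs whose gaps are both numerous and nearly constant. The log lines are constructed sample data; the thresholds are assumptions to tune per environment.

```python
"""Periodic check-in detector over web-proxy log lines.
Added example for the Beacon description above; log lines are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host>".
# 10.10.1.5 contacts cdn-updates.example about once a minute; the rest is ordinary browsing.
SAMPLE_LOG = """\
2012-10-20T10:00:00 10.10.1.5 cdn-updates.example
2012-10-20T10:00:07 10.10.1.5 www.example.org
2012-10-20T10:01:00 10.10.1.5 cdn-updates.example
2012-10-20T10:01:31 10.10.1.9 news.example.net
2012-10-20T10:02:00 10.10.1.5 cdn-updates.example
2012-10-20T10:02:45 10.10.1.5 www.example.org
2012-10-20T10:03:00 10.10.1.5 cdn-updates.example
2012-10-20T10:04:00 10.10.1.5 cdn-updates.example
2012-10-20T10:05:00 10.10.1.5 cdn-updates.example
2012-10-20T10:06:02 10.10.1.5 cdn-updates.example
2012-10-20T10:09:10 10.10.1.5 www.example.org
2012-10-20T10:15:40 10.10.1.9 news.example.net
"""


def parse_log(text: str) -> Dict[tuple, List[datetime]]:
    """Collect contact times per (client, destination); malformed lines are skipped."""
    contacts: Dict[tuple, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        when, src, dst = parts
        try:
            contacts[(src, dst)].append(datetime.fromisoformat(when))
        except ValueError:
            continue
    return contacts


def find_beacons(text: str, min_contacts: int = 5, max_jitter: float = 0.2) -> List[Dict]:
    """Flag (client, destination) pairs with at least min_contacts contacts whose
    gaps vary by less than max_jitter (population std dev / mean).  A sleeping
    implant with a fixed sleep time produces this shape; human browsing does not.
    Thresholds are assumed starting points, not vendor values."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_contacts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.mean(gaps)
        if period <= 0:
            continue
        jitter = statistics.pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "contacts": len(times),
                         "period": period, "jitter": jitter})
    return sorted(hits, key=lambda h: (h["src"], h["dst"]))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['contacts']} contacts, "
              f"~{hit['period']:.0f}s period, jitter {hit['jitter']:.1%}")
```

Two follow-ups match the text's own caveats: because Beacon may rotate among several domains, a second pass keyed on the client alone (ignoring the destination) catches check-ins spread across them, and because it may poll over DNS instead of HTTP, the same logic applies to resolver query logs with the queried name as the destination.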
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high-level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets--you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation--providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu, you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools, you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later
2. Install Oracle's Java 1.7 (JRE or JDK)
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5. Make sure you're the Administrator user
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g., c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user
2. Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies
3. After installation, type /opt/framework/app/msfupdate to update Metasploit
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu)
You can install armitage with a simple command, but before executing this apt-get command you need to be the root user, so open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside being that the Metasploit as a service option starts up the commercial/community edition of Metasploit on boot too. If you use this version--great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note:
If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3. 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved getting the pre-requisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download the MacOS X package, extract it, and double-click the Armitage.app file to get started.
Here are three MacOS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these projects may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH
$MSF_DATABASE_CONFIG points to a YAML file
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage
the msgpack ruby gem
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important--do not run msfupdate and assume it will work. It's very important to stick with what you know works or test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
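A loader for connect.prop files, serving both the --client option here and the stand-alone Cortana profile in the scripting section (which adds a nick= line). This is an added example, not Armitage's own loader; the file contents are constructed after the two examples in the text, and the key set (host, port, user, pass, optional nick) is taken from those examples only.

```python
"""Parser/validator for connect.prop files.  Added example, not Armitage's code."""
import ipaddress
from typing import Dict, Iterable, List

REQUIRED = ("host", "port", "user", "pass")
OPTIONAL = ("nick",)


def parse_connect_prop(text: str) -> Dict[str, object]:
    """Read key=value lines (blank lines and '#' comments ignored) and validate them."""
    props: Dict[str, object] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in REQUIRED + OPTIONAL:
            raise ValueError(f"line {lineno}: unknown key {key!r}")
        if key in props:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        props[key] = value
    missing = [k for k in REQUIRED if k not in props]
    if missing:
        raise ValueError(f"missing required keys: {', '.join(missing)}")
    try:
        port = int(str(props["port"]))
    except ValueError:
        raise ValueError(f"port is not a number: {props['port']!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    props["port"] = port
    if not props["host"]:
        raise ValueError("host is empty")
    return props


def describe_problem(text: str) -> str:
    """'ok' or the validation error, for a pre-flight check of a file."""
    try:
        parse_connect_prop(text)
        return "ok"
    except ValueError as exc:
        return str(exc)


def profile_warnings(props: Dict[str, object]) -> List[str]:
    """Issues worth showing before connecting, drawn from the rules in this manual."""
    warnings = []
    host = str(props["host"])
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host.lower() == "localhost"
    if loopback:
        warnings.append("host is loopback: Armitage takes the non-SSL msfrpcd path, not the SSL "
                        "team server; use the external IP address when a teamserver is running")
    return warnings


def load_profiles(files: Iterable[tuple]) -> Dict[str, Dict[str, object]]:
    """Parse several (name, contents) pairs, e.g. one properties file per server."""
    return {name: parse_connect_prop(contents) for name, contents in files}


# Constructed contents modelled on the two examples in the text.
QUICK_CONNECT = "host=192.168.95.241\nport=55553\nuser=mister\npass=bojangles\n"
BOT_PROFILE = "host=127.0.0.1\nport=55553\nuser=msf\npass=password\nnick=MyBot\n"

if __name__ == "__main__":
    for name, props in load_profiles([("quick", QUICK_CONNECT), ("bot", BOT_PROFILE)]).items():
        print(name, props, profile_warnings(props))
```

The loopback warning is the text's own rule from the team server section; a file that points Armitage at 127.0.0.1 while a teamserver is running connects without SSL, which is exactly the case the manual tells you to avoid.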
7 User interface format (GUI)
The user interface can be very easy and friendly to a pentester as well as a hacker. It is made so easy that without any help a user can manage the cyber attack.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g., launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom-level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For
this situation, Armitage has a table view. Go to View -> Targets -> Table View
to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it
to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use,
Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and
target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot
of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control
and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active
tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open
the current tab in its own window.
8 Console format
The Metasploit console, Meterpreter console, and shell interfaces each use a console
tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle
through previously typed commands. The down arrow moves back to the last
command you typed.
In the Metasploit console, use the Tab key to complete commands and
parameters. This works just like the Metasploit console outside of Armitage.
In the console panel, use Ctrl Plus to make the console font size larger, Ctrl Minus to make it
smaller, and Ctrl 0 to reset it. This change is local to the current
console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a
module or a payload name in a console. To open a Console, go to View ->
Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information.
To disable the colors, set the console.show_colors.boolean preference to false.
You may also edit the colors through Armitage -> Preferences. Here is the
Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them. Use
Workspace -> Manage to manage your dynamic workspaces. Here you may
add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following
dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This
description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a
network description in the Hosts field. A network description
might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255.
Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type
192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type
192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple
ports using a comma and a space. Use the OS field to specify which operating
system you'd like to see in this workspace. You may type a partial name, such
as "indows". Armitage will only include hosts whose OS name includes the partial
name. This value is not case sensitive. Separate multiple operating
systems with a comma and a space. Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace. You may specify any
combination of these items when you create your dynamic workspace. Each
workspace will have an item in the Workspace menu. Use these menu items to
switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import
Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap Scan
You may also launch an Nmap scan from Armitage and automatically import
the results into Metasploit. The Host -> Nmap Scan menu
has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the
options you choose.
Nmap scans do not use the pivots you have set up.
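As an added example (not Armitage's own code, which is Java), here is a Python re-creation of two steps described in 9.1 to 9.3: reading an Nmap XML report of the kind Host -> Import Host and db_nmap feed into the database, and then applying the dynamic-workspace filters (a network description with the trailing-zero shorthand, Ports, an OS substring, Hosts with sessions only) to the imported hosts. The XML sample is constructed, the Host and Workspace classes are this example's own, and treating the Ports field as "any listed port is open" is an assumption about the dialog's semantics.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed Nmap XML report (not a real scan), shaped like what Host -> Import Host consumes.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.168.95.10" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
         <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports>
  <os><osmatch name="Linux 3.X" accuracy="95"/></os></host>
 <host><status state="up"/><address addr="192.168.95.20" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
         <port protocol="tcp" portid="3389"><state state="closed"/></port></ports>
  <os><osmatch name="Microsoft Windows 7" accuracy="90"/>
      <osmatch name="Microsoft Windows Vista" accuracy="85"/></os></host>
 <host><status state="down"/><address addr="192.168.95.30" addrtype="ipv4"/></host>
 <host><status state="up"/><address addr="10.10.4.7" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports>
  <os><osmatch name="Linux 2.6.X" accuracy="80"/></os></host>
</nmaprun>"""


@dataclass
class Host:
    address: str
    os_name: str = ""
    open_ports: set = field(default_factory=set)
    has_session: bool = False


def parse_nmap_xml(xml_text):
    """Return a Host per live host: address, highest-accuracy OS match, open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue  # Nmap reports down hosts too; the importer only wants live ones
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = {int(p.get("portid")) for p in h.iter("port")
                 if p.find("state") is not None and p.find("state").get("state") == "open"}
        best = max(h.iter("osmatch"), key=lambda m: int(m.get("accuracy", "0")), default=None)
        hosts.append(Host(addr, best.get("name") if best is not None else "", ports))
    return hosts


def parse_network(desc):
    """One network description from the Hosts field. CIDR is taken literally; a bare
    address whose trailing octets are zero is widened as section 9.1 describes
    (192.168.95.0 -> 192.168.95.0/24, 192.168.0.0 -> 192.168.0.0/16)."""
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        trailing_zeros = 0
        for o in reversed(octets):
            if int(o) != 0:
                break
            trailing_zeros += 1
        if trailing_zeros:
            return ipaddress.ip_network(f"{desc}/{32 - 8 * trailing_zeros}", strict=False)
    return ipaddress.ip_network(desc)  # a single IPv4 or IPv6 host


def split_list(text):
    """The dialog separates multiple values with a comma and a space."""
    return [item for item in (part.strip() for part in text.split(",")) if item]


@dataclass
class Workspace:
    name: str
    hosts: str = ""            # e.g. "10.10.0.0/16, 192.168.95.0"
    ports: str = ""            # e.g. "22, 445" (any listed port open; an assumption)
    os: str = ""               # e.g. "indows" (case-insensitive substring)
    sessions_only: bool = False

    def matches(self, host):
        if self.hosts:
            addr = ipaddress.ip_address(host.address)
            if not any(addr in net for net in map(parse_network, split_list(self.hosts))):
                return False
        if self.ports and not {int(p) for p in split_list(self.ports)} & host.open_ports:
            return False
        if self.os and not any(part.lower() in host.os_name.lower() for part in split_list(self.os)):
            return False
        if self.sessions_only and not host.has_session:
            return False
        return True


def filter_hosts(workspace, hosts):
    """Addresses that the dynamic workspace would show."""
    return [h.address for h in hosts if workspace.matches(h)]
```

Down hosts in the report are skipped, which matches the advice in 9.4 to do host discovery first: importing dead hosts only clutters the targets panel. The widening rule is deliberately limited to dotted-quad input, so an IPv6 address in the Hosts field is matched exactly.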
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Host -> MSF Scan to launch these as
well. These scans work through a pivot and against IPv6 hosts as well. These
scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep,
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Host -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attack -> Find Attack to generate a custom Attack menu for
each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't get
a remote exploit to work, you'll have to use a client-side attack. Use the module
browser to find and launch client-side exploits. Search for file format to find
exploits that trigger when a user opens a malicious file. Search for browser to
find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this value, you're responsible for setting up a multi/handler for the
payload.
11 Post Exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully
exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N
menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell
session. Right-click the host to access this menu. If you have a Windows shell
session, you may go to Shell N -> Meterpreter to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to
upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the Meterpreter N -> Access ->
Escalate Privileges menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g. nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network like
you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL. When you start the
team server, it will present a server fingerprint. This is a SHA-1 hash of the
server's SSL certificate. When your team members connect, Armitage will
present the hash of the certificate the server presented to them. They should
verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're connecting to in order to determine whether
it should use SSL (teamserver, remote address) or non-SSL (msfrpcd,
localhost). You may connect Armitage to your teamserver locally; use the
[external IP address] in the Host field. Armitage's red team collaboration setup
is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your
team server.
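The connect.prop file used by --client (section 6.1) and by stand-alone Cortana, together with the fingerprint check the passage above asks team members to perform, as an added example in Python rather than code from Armitage: a minimal reader for the Java properties format, the localhost-means-plain-msfrpcd / remote-means-SSL-teamserver choice the text describes, and a SHA-1 fingerprint comparison of a presented certificate against the fingerprint the operator was given out of band. The property values and the certificate bytes are constructed; Armitage's real SSL and RPC handling is not reproduced.

```python
import hashlib
import hmac
import ipaddress

# Constructed connect.prop: the keys are the ones this manual uses; values are made up.
SAMPLE_CONNECT_PROP = """# team server connection (constructed example)
host = 192.168.95.241
port = 55553
user = msf
pass = long\\
password
nick = MyBot
"""

# Constructed stand-ins for a DER-encoded server certificate and a tampered copy.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-teamserver-certificate-bytes"
TAMPERED_CERT_DER = SAMPLE_CERT_DER[:-1] + b"X"


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' or '!' comment lines, key=value or
    key:value, and a trailing backslash continues the entry on the next line."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        cut = min((line.find(c) for c in "=:" if c in line), default=-1)
        key, value = (line, "") if cut < 0 else (line[:cut], line[cut + 1:])
        props[key.strip()] = value.strip()
    return props


def is_loopback(host):
    """127.0.0.1, ::1 and 'localhost' are the local msfrpcd case; anything else is remote."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname other than localhost: treat as remote


def connection_from_props(props):
    """Connection parameters; SSL is chosen from the host the way the manual states:
    a loopback host means plain msfrpcd, a remote host means the SSL team server."""
    host = props["host"]
    return {
        "host": host,
        "port": int(props.get("port", "55553")),
        "user": props["user"],
        "pass": props["pass"],
        "nick": props.get("nick"),
        "ssl": not is_loopback(host),
    }


def cert_fingerprint(der_bytes):
    """SHA-1 over the DER certificate, shown as colon-separated upper-case hex pairs,
    the form operators usually read out to each other."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Drop colons, spaces and case so a fingerprint copied in any style still compares."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(presented_der, expected_fp):
    """Compare the presented certificate against the fingerprint the team lead handed out."""
    got = normalize_fingerprint(cert_fingerprint(presented_der))
    return hmac.compare_digest(got, normalize_fingerprint(expected_fp))


def connect_decision(props_text, presented_der, expected_fp=None):
    """Return (connection dict, ok). ok is False for an SSL connection whose certificate
    fingerprint is missing or does not match the expected one."""
    conn = connection_from_props(parse_properties(props_text))
    if not conn["ssl"]:
        return conn, True  # local msfrpcd: there is no certificate to check
    if expected_fp is None:
        return conn, False
    return conn, fingerprint_matches(presented_der, expected_fp)
```

The point of refusing when no expected fingerprint is known is the one the manual makes: the team server's SSL certificate is self-issued, so the fingerprint shown at startup is the only thing that ties a client to the right server. Comparing it out of band defeats an on-path machine that presents its own certificate.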
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here.
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test, this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use. Some Metasploit modules require you to specify one or
more files. If a file option has a + next to it, then you may double-click that option
name to choose a local file to use. Armitage will upload the chosen local file
and set the option to its remote location for you. Generally, Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that you're using Metasploit locally. Some Meterpreter commands may
have shortened output. Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command. Additional output
is ignored (although the command still executes normally). This limitation
primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now, to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a teamserver. Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
Token     Description
To        The email address of the person the message is sent to.
To_Name   The name of the person the message is sent to. This token is only
          available when importing a tab-separated file containing a name.
URL       The contents of the URL field in the spear phishing dialog.
Set Embed URL to have Cobalt Strike rewrite each URL in the message
template to point to the embedded URL. URLs added in this way will contain a
token that allows Cobalt Strike to trace any visitor back to this message. Press ... to
choose one of the Cobalt Strike hosted sites you've started.
Set Mail Server to an open relay or the mail exchange server for your target.
Set Bounce To to an email address where bounced messages should go. This
value will not affect the message your targets see. Press Preview to see an
assembled message to one of your recipients. If the preview looks good, press
Send to start your attack.
Cobalt Strike's spear phishing capability sends messages from your local client.
If you're managing a remote server, know that messages will come from your
local host and not the remote server.
13 Web Drive-By Attacks
Firefox Addon Attack
This tool is available through Attacks -> Web Drive-by -> Firefox Addon Attack. This
tool will start a Metasploit® web server that serves a dynamically created Firefox
Add-on.
This is a great attack to embed in a cloned website. Find a popular Firefox
addon, clone its site, and embed the Firefox Add-on Attack URL.
14 Client-side Reconnaissance
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process.
This tool starts a local web server and fingerprints anyone who visits it. The
system profiler discovers the internal IP address of users behind a proxy along
with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler.
To start the profiler, you must specify a URI to bind to and a port to start the
Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike
will redirect visitors to this URL once their profile is taken. Click Launch to
start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN
creates a network interface on the Cobalt Strike system and bridges this
interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the
target's network, act as a rogue server, or perform man-in-the-middle attacks
normally reserved for internal assessments. You may use external scanning and
attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term
engagements. Beacon does not provide real-time control of a compromised host.
Beacon is asynchronous. It spends most of its time sleeping. Occasionally,
Beacon will contact Cobalt Strike to check for tasks.
If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and
Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt
to communicate through multiple domains.
This makes your control of a compromised host
more robust. If a system administrator blocks one IP address or domain, Beacon
may still receive tasks through its other domains. When tasks are available,
Beacon downloads them and sends output using the HTTP protocol. Beacon
may check for tasks through HTTP or DNS requests.
10/20/12 Beaconing - Cobalt Strike www.advancedpentest.com/help-beacon 2/2
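From the defender's side, the check-in pattern described above (sleep, periodic contact, rotation across several domains) is what a network monitor looks for. The following is an added example and not Cobalt Strike's or Armitage's code: it reads constructed web-proxy log lines and flags client/host pairs whose request spacing is too regular to be human browsing. The log format, the jitter in the sample, and the thresholds (min_hits, max_cv) are assumptions to be tuned per network.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log lines: "<ISO timestamp> <client ip> <destination host>".
# 10.0.0.5 checks in about once a minute against two hosts, the multiple-domain
# behaviour described above; 10.0.0.9 is ordinary browsing.
PROXY_LOG = """\
2012-10-20T09:00:00 10.0.0.5 updates-a.example
2012-10-20T09:00:05 10.0.0.9 news.example
2012-10-20T09:00:07 10.0.0.9 news.example
2012-10-20T09:00:30 10.0.0.5 updates-b.example
2012-10-20T09:00:42 10.0.0.9 news.example
2012-10-20T09:01:01 10.0.0.5 updates-a.example
2012-10-20T09:01:29 10.0.0.5 updates-b.example
2012-10-20T09:02:00 10.0.0.5 updates-a.example
2012-10-20T09:02:31 10.0.0.5 updates-b.example
2012-10-20T09:02:59 10.0.0.5 updates-a.example
2012-10-20T09:03:10 10.0.0.9 news.example
2012-10-20T09:03:11 10.0.0.9 news.example
2012-10-20T09:03:30 10.0.0.5 updates-b.example
2012-10-20T09:04:02 10.0.0.5 updates-a.example
2012-10-20T09:04:30 10.0.0.5 updates-b.example
2012-10-20T09:05:00 10.0.0.5 updates-a.example
2012-10-20T09:05:28 10.0.0.5 updates-b.example
2012-10-20T09:06:01 10.0.0.5 updates-a.example
2012-10-20T09:06:31 10.0.0.5 updates-b.example
2012-10-20T09:07:00 10.0.0.5 updates-a.example
2012-10-20T09:07:30 10.0.0.5 updates-b.example
2012-10-20T09:08:50 10.0.0.9 news.example
2012-10-20T09:15:00 10.0.0.9 news.example
2012-10-20T09:15:02 10.0.0.9 news.example
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(times):
    """Mean gap, population std-dev and coefficient of variation of the gaps between
    consecutive requests. A sleep/check-in loop gives a small cv even with jitter."""
    ordered = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    sd = statistics.pstdev(gaps)
    return mean, sd, (sd / mean if mean else float("inf"))


def find_beacons(events, min_hits=6, max_cv=0.15):
    """Map client -> [(host, mean gap in seconds, cv)] for request series regular enough
    to look like periodic check-ins. Grouping by client shows a single host talking to
    several 'update' domains on the same cadence, the rotation the text describes."""
    flagged = defaultdict(list)
    for (client, host), times in events.items():
        if len(times) < min_hits:
            continue
        mean, _sd, cv = interval_stats(times)
        if cv <= max_cv:
            flagged[client].append((host, round(mean, 1), round(cv, 3)))
    return dict(flagged)
```

Regular spacing alone is a triage signal, not a verdict: software update checkers and monitoring agents are periodic too, so the flagged pairs are the starting point for looking at what was fetched and where the domains were registered. A Beacon that checks in over DNS instead of HTTP needs the same analysis applied to resolver logs rather than proxy logs.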
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There
are features for discovery, access, post-exploitation, and maneuver. This section
describes these features at a high level; the rest of this manual covers these
capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management
features. You can import hosts and launch scans to populate a database of
targets. Armitage also visualizes the database of targets--you'll always know
which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation--providing features to automatically
recommend exploits and even run active checks so you know which exploits
will work. If these options fail, you can use the Hail Mary approach and unleash
Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side
features of Metasploit. You can launch browser exploits, generate malicious
files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools
built on the capabilities of the Meterpreter agent. With the click of a menu, you
will escalate your privileges, dump password hashes to a local credentials
database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you
use compromised hosts as a platform for attacking other hosts and further
investigating the target network. Armitage also exposes Metasploit's SOCKS
proxy module, which allows external tools to take advantage of these pivots.
With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you
need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you
absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application.
Anything you do in Armitage is translated into a command Metasploit
understands. You can bypass Armitage and type commands yourself (covered
later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and
even payload is available as a module. If you're scanning a host, you use an
auxiliary module. Before launching a module, you must set one or more
variables to configure the module. The exploit process is similar. To launch an
exploit, you must choose an exploit module, set one or more variables, and
launch it.
Armitage aims to make this process easier for you. If you successfully exploit a
host, you will have a session on that host. Armitage knows how to interact with
shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation
functionality available to you. Armitage is built to take advantage of
Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update.
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do
this once to initialize the database).
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory. You will
only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user,
consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
Download and install the Metasploit Framework from
http://www.metasploit.com.
2. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can install Armitage with a simple command, but before you execute this
apt-get command you need to be the root user, so open a
terminal and type exactly:
    $ sudo su
    # apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the
terminal:
    root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
    export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup script:
    echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
    root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a
service when the installer runs. The downside is that the Metasploit as a service option
starts up the commercial/community edition of Metasploit on boot too. If you use this
version--great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
    root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You
do not need to change the DB connect string.
Note:
If you're using Armitage with a local Metasploit instance, then Armitage must
also run as root. Why? Because Armitage needs root privileges to read the
database.yml file created by Metasploit's installer. If Armitage can't read this
file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release
requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit
(hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer,
then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage.
Metasploit does not have an official package for OS X.
There is a lot of manual setup involved getting the pre-requisites working.
Cedric Baillet created a step-by-step guide
(http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf)
to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download
the MacOS X package, extract it, and double-click the Armitage.app file to get
started.
Here are three MacOS X Armitage install guides that others have
produced; these may help you. Please don't ask me to provide support for them,
though.
The Black Matrix
(http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX
Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for
starting the Metasploit Framework RPC daemon that are slightly dated. The
correct way to start msfrpcd for Armitage to connect to is:
    msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack Ruby gem.
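A preflight script for the requirements listed in this section and the root/database.yml note in 4.2, as an added example that is not part of Armitage or the Metasploit installer. It checks that the file $MSF_DATABASE_CONFIG points to is readable and declares a postgresql adapter, that msfrpcd is in $PATH, and warns when not running as root. The YAML layout it expects (a line of the form adapter: postgresql) is an assumption, and the msgpack gem requirement is not checked.

```sh
#!/bin/sh
# Added example: preflight checks for a manual (non-installer) Metasploit/Armitage setup.
# Derived from the manual-setup requirements on this page; the database.yml layout
# assumed below is a Rails-style file with an "adapter:" line. Nothing here touches a database.

# Print the "adapter:" value of a database.yml (first match wins).
db_adapter_from_yaml() {
    # $1: path to the YAML file $MSF_DATABASE_CONFIG points to
    sed -n 's/^[[:space:]]*adapter:[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when the listed requirements hold, 1 otherwise; reasons go to stderr.
check_manual_setup() {
    cfg=$1
    status=0
    if [ ! -r "$cfg" ]; then
        echo "database config not readable: $cfg" >&2
        status=1
    else
        adapter=$(db_adapter_from_yaml "$cfg")
        if [ "$adapter" != "postgresql" ]; then
            echo "unsupported adapter '$adapter': only PostgreSQL is supported" >&2
            status=1
        fi
    fi
    # msfrpcd must be in $PATH so Armitage can start it.
    if ! command -v msfrpcd >/dev/null 2>&1; then
        echo "msfrpcd not found in PATH" >&2
        status=1
    fi
    # The installer's database.yml is normally readable by root only (see the note in 4.2).
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: not running as root; Armitage may be unable to read $cfg" >&2
    fi
    return $status
}

# Usage (as root on the attack host):
#   check_manual_setup "${MSF_DATABASE_CONFIG:?set MSF_DATABASE_CONFIG first}" && echo ready
```

The adapter check is there because this section says PostgreSQL is the only supported database; a MySQL config copied from another install will fail only later, when msfrpcd tries to open it.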
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling
the latest source code from a Subversion repository that is synced with the git
repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by
doing this. The Metasploit team is cautious about what they commit to the
primary git repository and they're extremely responsive to bug reports. That said,
things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many
times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the
change log file for the latest development release tested against Armitage.
The revision number is located next to the release date. To downgrade
Metasploit:
    cd /path/to/metasploit/msf3
    source scripts/setenv.sh
    svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit
too. You can download the latest Armitage release from this site in the
mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The
Metasploit installer includes the latest stable version of Metasploit.
Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere
important--do not run msfupdate and assume it will work. It's very
important to stick with what you know works, or test the functionality you
need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog, use the --client option to specify a file with the
connection details:
    java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles
If you have to manage multiple ArmitageMetasploit servers consider creating
a desktop shortcut that calls this --client option with a different properties file
for each server
7 User interface (GUI)
The user interface is easy and friendly for a pentester as well as for a hacker; it is made so simple that a user can manage a cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer, with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.
Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy (this only works when a pivot is set up)
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows"; Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace.
Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
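The workspace filter rules above, as an added Python example (not Armitage's own code): it applies the Hosts, Ports, OS and sessions-only criteria to a constructed host list. It generalizes the address shorthand to any number of trailing zero octets (so 10.0.0.0 covers 10.0.0.0-10.255.255.255), and assumes that an empty field imposes no restriction and that the Ports field matches a host with any one of the listed ports open.

```python
# Added example: a reconstruction of Armitage's dynamic-workspace filtering
# rules as the manual describes them. Not Armitage's own code.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """Constructed stand-in for a row of Metasploit's hosts table."""
    address: str
    os_name: str = ""
    open_ports: tuple = ()
    sessions: int = 0


def expand_network(description: str) -> ipaddress.IPv4Network:
    """Turn one Hosts-field entry into a network.

    CIDR is taken as written (10.10.0.0/16). A bare dotted quad is read the
    way the manual says Armitage does: trailing zero octets are wildcards,
    so 192.168.95.0 -> 192.168.95.0/24 and 192.168.0.0 -> 192.168.0.0/16.
    Assumption: a quad with no trailing zero octet is a single host (/32).
    """
    description = description.strip()
    if "/" in description:
        return ipaddress.IPv4Network(description, strict=False)
    octets = description.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a network description: {description!r}")
    prefix = 32
    for octet in reversed(octets):
        if int(octet) != 0:
            break
        prefix -= 8
    return ipaddress.IPv4Network(f"{description}/{prefix}", strict=False)


def split_field(text: str) -> list:
    """Split a dialog field on the 'comma and a space' separator the manual
    prescribes; stray whitespace and empty entries are tolerated."""
    return [part.strip() for part in text.split(",") if part.strip()]


def workspace_hosts(hosts, networks="", ports="", os_names="", sessions_only=False):
    """Return the hosts a dynamic workspace with these settings would show.

    Assumption: an empty field imposes no restriction, and the Ports field
    matches a host that has any one of the listed ports open.
    """
    nets = [expand_network(d) for d in split_field(networks)]
    wanted_ports = {int(p) for p in split_field(ports)}
    os_terms = [t.lower() for t in split_field(os_names)]  # not case sensitive
    selected = []
    for host in hosts:
        addr = ipaddress.IPv4Address(host.address)
        if nets and not any(addr in net for net in nets):
            continue
        if wanted_ports and not wanted_ports.intersection(host.open_ports):
            continue
        if os_terms and not any(term in host.os_name.lower() for term in os_terms):
            continue
        if sessions_only and host.sessions == 0:
            continue
        selected.append(host)
    return selected


# Constructed sample database; the addresses are private-range placeholders.
SAMPLE_HOSTS = [
    Host("192.168.95.10", "Windows XP", (135, 139, 445), sessions=1),
    Host("192.168.95.200", "Linux 2.6.X", (22, 80)),
    Host("192.168.96.5", "Windows 7", (445, 3389)),
    Host("10.10.3.4", "Windows Server 2003", (445,), sessions=2),
]


def addresses(hosts) -> list:
    """Just the IP addresses, in database order, for easy reading."""
    return [h.address for h in hosts]


if __name__ == "__main__":
    print(addresses(workspace_hosts(SAMPLE_HOSTS, networks="192.168.95.0")))
    print(addresses(workspace_hosts(SAMPLE_HOSTS, os_names="indows", sessions_only=True)))
```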
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for "file format" to find exploits that trigger when a user opens a malicious file. Search for "browser" to find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege escalation
Some exploits result in administrative access to the host. Other times you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs; you may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.
Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally; use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
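The fingerprint check each team member is asked to make, as an added Python example (not Armitage's own code). It assumes the printed fingerprint is the SHA-1 of the certificate's DER encoding, accepts the value with or without colon or space separators, and uses a sample PEM whose body is the constructed bytes b"abc" rather than a real certificate; fetch_fingerprint() is the network step for a live team server on port 55553.

```python
# Added example: verifying an Armitage team server's SSL fingerprint.
# Not Armitage's own code. Assumes the fingerprint the server prints is
# SHA-1 over the DER-encoded certificate.
import hashlib
import hmac
import ssl

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_fingerprint(pem_cert: str) -> str:
    """SHA-1 of the certificate's DER bytes as 40 uppercase hex digits."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha1(der).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept 'A9:99:3E:...', 'a9 99 3e ...' or bare hex, as read off the
    team server console; reject anything that is not a SHA-1 digest."""
    cleaned = "".join(ch for ch in text.strip().upper() if ch not in ": ")
    if len(cleaned) != 40 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError(f"not a SHA-1 fingerprint: {text!r}")
    return cleaned


def fingerprint_matches(pem_cert: str, expected: str) -> bool:
    """True only if the presented certificate hashes to the expected value.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha1_fingerprint(pem_cert), normalize_fingerprint(expected))


def fetch_fingerprint(host: str, port: int = 55553) -> str:
    """Fetch the certificate a running team server presents and hash it.
    get_server_certificate performs no validation, which is the point: the
    operator, not a CA, decides whether this fingerprint is trusted."""
    return sha1_fingerprint(ssl.get_server_certificate((host, port)))


# Constructed sample: a PEM wrapper around the bytes b"abc" (base64 "YWJj"),
# NOT a real certificate. SHA-1("abc") is the well-known FIPS test vector.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)
CONSTRUCTED_FINGERPRINT = "A9993E364706816ABA3E25717850C26C9CD0D89D"


if __name__ == "__main__":
    # What a team member would do after reading the fingerprint off the
    # team server console (here the constructed value stands in for it).
    print("match:", fingerprint_matches(CONSTRUCTED_PEM, CONSTRUCTED_FINGERPRINT))
```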
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a marker next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now, to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
System Profiler
The system profiler is a reconnaissance tool for the client-side attack process. This tool starts a local web server and fingerprints anyone who visits it. The system profiler discovers the internal IP address of users behind a proxy, along with several applications and their version information.
To start the system profiler, go to Attacks -> Web Drive-by -> System Profiler. To start the profiler, you must specify a URI to bind to and a port to start the Cobalt Strike web server from. If you specify a Redirect URL, Cobalt Strike will redirect visitors to this URL once their profile is taken. Click Launch to start the system profiler.
15 VPN Pivoting
Covert VPN
Cobalt Strike offers VPN pivoting through its Covert VPN feature. Covert VPN creates a network interface on the Cobalt Strike system and bridges this interface into the target's network.
Through a Covert VPN interface, your system may sniff traffic on the target's network, act as a rogue server, or perform man-in-the-middle attacks normally reserved for internal assessments. You may use external scanning and attack tools to assess your target network as well.
16 Covert Command and Control
What is Beacon?
Beacon is Cobalt Strike's remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous: it spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks. If a tasking is available, Beacon will download its tasks and execute them.
This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors. Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
2 Cyber attack management
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets, so you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 Necessary things to know
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1 Install Metasploit 4.4 or later.
2 Install Oracle's Java 1.7 (JRE or JDK).
3 Start -> Programs -> Metasploit -> Framework -> Framework Update
4 Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database).
5 Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory (e.g. C:\metasploit). You will only need to do this once.
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1 Make sure you're the root user.
2 Download and install the Metasploit Framework from http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3 After installation, type /opt/framework/app/msfupdate to update Metasploit.
4 Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can install Armitage with a simple command, but before you execute the install command you need to be the root user, so open a terminal and type exactly:
    $ sudo su
    # apt-get install armitage
We need to enable the RPC daemon for Metasploit; use this command on the terminal:
    root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
    export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you now need to make sure you have a database startup script (the script name must be the same on all four lines, and "$@" forwards the start/stop argument to ctl.sh):
    echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"' > /etc/init.d/metasploit-postgres
    chmod +x /etc/init.d/metasploit-postgres
    /etc/init.d/metasploit-postgres start
    update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
    root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the Metasploit-as-a-service option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
    root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack R3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved in getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them, though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast-moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
    msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and Armitage.
The msgpack Ruby gem.
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
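The connect.prop file above is a Java properties file, and it holds a cleartext password, so it is worth checking before it is handed to a shortcut. The Python below is an added example, not part of Armitage or of this manual: it parses the file the way java.util.Properties reads it, validates the four keys the --client option needs (any extra key such as the nick used by Cortana bots is passed through), applies the loopback-versus-remote rule from section 13.1 to say whether Armitage will talk plaintext msfrpcd or SSL teamserver, and flags a file that other users on the machine can read. The function names and the SAMPLE_CONNECT_PROP contents are my own constructions.

```python
"""Parse and sanity-check an Armitage connect.prop file (added example, not Armitage's own code)."""
import os
from ipaddress import ip_address

# Constructed sample mirroring the manual's example file (plus a comment line).
SAMPLE_CONNECT_PROP = """\
# connection details for the lab server
host=192.168.95.241
port=55553
user=mister
pass=bojangles
"""

REQUIRED_KEYS = ("host", "port", "user", "pass")


def parse_properties(text):
    """Parse the subset of .properties syntax connect.prop uses: key=value or
    key:value lines, with '#' or '!' starting a comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # java.util.Properties splits on the first '=' or ':' that appears.
        idx = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if idx == -1:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def validate_connection(props):
    """Return a list of problems; an empty list means --client can use the file."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"missing or empty required key: {key}")
    port = props.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port must be 1-65535, got {port!r}")
    return problems


def expected_transport(host):
    """Section 13.1's rule: a loopback address means msfrpcd without SSL,
    anything else is treated as a team server over SSL."""
    try:
        return "plain" if ip_address(host).is_loopback else "ssl"
    except ValueError:
        return "ssl"  # a hostname rather than an IP: remote team server


def permissions_ok(mode):
    """True when no group/other read, write or execute bit is set (0o600-style)."""
    return (mode & 0o077) == 0


def check_file_permissions(path):
    """connect.prop holds a cleartext password; only its owner should read it."""
    return permissions_ok(os.stat(path).st_mode)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONNECT_PROP)
    print(props, validate_connection(props), expected_transport(props["host"]))
```

Run it against a real file by replacing SAMPLE_CONNECT_PROP with the file's contents and calling check_file_permissions on its path; a False there means chmod 600 the file before relying on it.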
7 User interface format (GUI)
The user interface is easy and friendly for a pentester as well as a hacker; it is made so simple that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W opens the current tab in its own window.
8 Console format
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
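To make the matching rules above concrete, here is an added Python reimplementation of the dynamic workspace filter (example code, not Armitage's own implementation). It expands each Hosts entry using the "cheat" rule for trailing zero octets, splits the comma-and-space lists, matches OS names partially and case-insensitively, and honours the sessions-only switch. The host records and function names are constructed for the example; treating the Ports field as "any listed port is open on the host" is my assumption, since the manual does not say whether a host must have all of them.

```python
"""Dynamic workspace filter rules, reimplemented as an added example (not Armitage's code)."""
from ipaddress import ip_address, ip_network

# Constructed host records in the shape the manual describes: address, OS name,
# open ports, and number of sessions.
SAMPLE_HOSTS = [
    {"address": "10.10.3.7",     "os": "Windows XP",   "ports": [135, 139, 445], "sessions": 1},
    {"address": "10.10.200.1",   "os": "Linux 2.6",    "ports": [22, 80],        "sessions": 0},
    {"address": "192.168.95.10", "os": "Windows 2003", "ports": [445, 3389],     "sessions": 0},
    {"address": "192.168.1.5",   "os": "Mac OS X",     "ports": [22],            "sessions": 2},
    {"address": "172.16.0.9",    "os": "windows 7",    "ports": [80, 443],       "sessions": 0},
]


def expand_network(desc):
    """Turn one Hosts-field entry into an ip_network. An explicit /prefix is used as
    given; otherwise each trailing .0 octet widens the range by 8 bits, so
    192.168.95.0 -> /24 and 192.168.0.0 -> /16, while 10.1.2.3 matches itself only."""
    desc = desc.strip()
    if "/" in desc:
        return ip_network(desc, strict=False)
    zeros = 0
    for octet in reversed(desc.split(".")):
        if octet != "0":
            break
        zeros += 1
    return ip_network(f"{desc}/{32 - 8 * zeros}", strict=False)


def split_list(field):
    """Armitage separates entries with a comma and a space; a bare comma is tolerated too."""
    return [item.strip() for item in field.split(",") if item.strip()]


def workspace_filter(hosts, networks="", ports="", os_names="", sessions_only=False):
    """Return the addresses of hosts that satisfy every non-empty criterion."""
    nets = [expand_network(n) for n in split_list(networks)]
    wanted_ports = {int(p) for p in split_list(ports)}          # assumption: any match suffices
    os_parts = [o.lower() for o in split_list(os_names)]        # partial, case-insensitive
    selected = []
    for host in hosts:
        addr = ip_address(host["address"])
        if nets and not any(addr in net for net in nets):
            continue
        if wanted_ports and not wanted_ports & set(host["ports"]):
            continue
        if os_parts and not any(part in host["os"].lower() for part in os_parts):
            continue
        if sessions_only and host["sessions"] == 0:
            continue
        selected.append(host["address"])
    return selected


if __name__ == "__main__":
    print(workspace_filter(SAMPLE_HOSTS, networks="10.10.0.0/16, 172.16.0.0/12", os_names="indows"))
```

The same function can be pointed at records exported from the Metasploit database; only the four field names need to line up.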
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 Nmap scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
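Nmap XML is one of the formats the Host -> Import Host menu accepts (section 9.2) and the one an Nmap scan or db_nmap produces. The parser below is an added Python example, not Metasploit's importer; it shows what an importer has to pull out of that XML to populate the targets panel: the address, hostname, best OS match, and open ports of each host that answered, while skipping hosts Nmap reported as down. The SAMPLE_NMAP_XML document and its addresses are constructed for the example.

```python
"""Extract host records from Nmap XML (added example; not Metasploit's importer)."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML with the elements an importer needs (one up host with OS
# guesses, one down host, one up host without OS detection).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.3.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.3.7" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="fileserver.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="97"/><osmatch name="Microsoft Windows 2003" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.3.8" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.3.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per live host: address, hostname, best OS guess, open ports."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document")
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # only hosts that answered belong in the targets panel
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        hostname_el = host.find("hostnames/hostname")
        hostname = hostname_el.get("name") if hostname_el is not None else None
        # The OS name shown under the computer icon: take the most accurate osmatch.
        best_os, best_acc = None, -1
        for om in host.findall("os/osmatch"):
            acc = int(om.get("accuracy", "0"))
            if acc > best_acc:
                best_os, best_acc = om.get("name"), acc
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports do not become services
            svc = port.find("service")
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        hosts.append({"address": addr, "hostname": hostname, "os": best_os, "ports": open_ports})
    return hosts


if __name__ == "__main__":
    for record in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(record)
```

Feed it the contents of a file written with nmap -oX to get the same records for a real scan; the OS field is what the workspace OS filter later matches against.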
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for "file format" to find exploits that trigger when a user opens a malicious file. Search for "browser" to find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload. Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post-exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
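Both section 12.2 (scanning and external tools) and the paragraph above route external tools through Metasploit's SOCKS4 proxy. The Python below is an added example, not Metasploit's socks module: it encodes a SOCKS4/4a CONNECT request, decodes the eight-byte reply, and recognises a CONNECT from raw bytes, which is what a network defender needs in order to spot this handshake in a capture of internal traffic, since a browser or scanner behind the proxy produces exactly this exchange. The host names, ports and user id are constructed; the packet layout is the one defined by the SOCKS4 protocol.

```python
"""SOCKS4/4a CONNECT on the wire: encode, decode, recognise (added example; not Metasploit's code)."""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
# Reply codes from the SOCKS4 protocol; the version byte of a reply is always 0.
REPLY_CODES = {90: "granted", 91: "rejected or failed",
               92: "identd unreachable", 93: "identd mismatch"}


def build_connect_request(host, port, userid=""):
    """Encode a CONNECT request. A dotted-quad host is sent as plain SOCKS4; a
    hostname is sent as SOCKS4a (DSTIP 0.0.0.1, hostname after the user id)."""
    try:
        dst_ip = socket.inet_aton(host)
        tail = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"               # 0.0.0.x means 'hostname follows'
        tail = host.encode("ascii") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, dst_ip)
    return header + userid.encode("ascii") + b"\x00" + tail


def parse_connect_request(data):
    """Decode a request; None means the bytes are not a well-formed SOCKS4 CONNECT."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        return None
    port = struct.unpack("!H", data[2:4])[0]
    ip_raw = data[4:8]
    nul = data.find(b"\x00", 8)                    # end of the user id
    if nul == -1:
        return None
    userid = data[8:nul].decode("ascii", "replace")
    host = socket.inet_ntoa(ip_raw)
    if ip_raw[:3] == b"\x00\x00\x00" and ip_raw[3] != 0:   # SOCKS4a form
        end = data.find(b"\x00", nul + 1)
        if end == -1:
            return None
        host = data[nul + 1:end].decode("ascii", "replace")
    return {"host": host, "port": port, "userid": userid}


def build_reply(granted, port=0, ip="0.0.0.0"):
    """Encode the server's reply: VN=0, CD=90 (granted) or 91 (rejected), port, ip."""
    return struct.pack("!BBH4s", 0, 90 if granted else 91, port, socket.inet_aton(ip))


def parse_reply(data):
    """Decode the 8-byte server reply; None if it is not one."""
    if len(data) != 8 or data[0] != 0:
        return None
    code, port, ip_raw = struct.unpack("!xBH4s", data)
    return {"granted": code == 90, "status": REPLY_CODES.get(code, f"unknown({code})"),
            "port": port, "ip": socket.inet_ntoa(ip_raw)}


if __name__ == "__main__":
    # Constructed exchange: a client asks the proxy for a constructed internal host.
    request = build_connect_request("intranet.lab", 80, "user")
    print(request, parse_connect_request(request))
    print(parse_reply(build_reply(True, 80, "0.0.0.0")))
```

Applied to the first bytes of each TCP stream toward the proxy port, parse_connect_request returning a record rather than None identifies proxied connections and the internal destinations they were aimed at.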
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external ip address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH. The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field. Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
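The fingerprint check described above is what stands between the team and a man-in-the-middle on the path to the team server: the server's certificate is not signed by any CA, so the SHA-1 hash announced at start-up is the only thing that identifies it. This added Python (not Armitage's own code) shows the check end to end: compute the SHA-1 fingerprint of a DER-encoded certificate, compare it in constant time against the value the operator announced regardless of how it was typed, and fetch the certificate a live server presents. The function names are mine; port 55553 is the port the manual gives, and the byte strings in the test are constructed stand-ins for a certificate.

```python
"""Verify a team server's SHA-1 certificate fingerprint before trusting it (added example; not Armitage's code)."""
import hashlib
import hmac
import ssl


def sha1_fingerprint(der_bytes):
    """SHA-1 of the DER-encoded certificate as colon-separated uppercase hex pairs,
    the form in which fingerprints are usually displayed."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept the fingerprint however a teammate typed it: colons, spaces, any case."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def fingerprints_match(expected, presented):
    """Constant-time comparison; a length mismatch is simply False, never an error."""
    return hmac.compare_digest(normalize(expected), normalize(presented))


def fetch_server_fingerprint(host, port=55553):
    """Fingerprint the certificate a live server presents. get_server_certificate
    does no chain validation, which is the point: trust is pinned to the hash."""
    pem = ssl.get_server_certificate((host, port))
    return sha1_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def verify_team_server(host, expected_fp, port=55553):
    """True only if the presented certificate hashes to the announced fingerprint."""
    return fingerprints_match(expected_fp, fetch_server_fingerprint(host, port))


if __name__ == "__main__":
    # Constructed input: not a certificate, just bytes to show the format.
    print(sha1_fingerprint(b"abc"))
```

Run verify_team_server with the address and the fingerprint the operator read out before the first connection; refuse to proceed on False, because a mismatch means the certificate on the wire is not the team server's.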
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use. Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally. Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Stand-alone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Advanced Persistent Threat actors.
Cobalt Strike's Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains. When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
[Figure: printout of the "Beaconing - Cobalt Strike" help page, www.advancedpentest.com/help-beacon, dated 10/20/12, page 2/2]
2 CYBER ATTACK MANAGEMENT
Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.
For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets, so you'll always know which hosts you're working with and where you have sessions.
Armitage assists with remote exploitation, providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.
For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.
Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module, which allows external tools to take advantage of these pivots. With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.
If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user, consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user. Download and install the Metasploit Framework from http://www.metasploit.com.
2. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can install Armitage with a simple command, but you need to be the root user before you execute it, so open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command in the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup script:
echo "exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh \$*" > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the "Metasploit as a service" option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X. There is a lot of manual setup involved in getting the pre-requisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download the MacOS X package, extract it, and double-click the Armitage.app file to get started.
Here are three MacOS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setupSome crazy people choose to install Metasploit without the benefit of the full installer This method is not supported If you go this route here are some of the requirements
22 | P a g e
A PostgreSQL database No other database is supported msfrpcd is in $PATH $MSF_DATABASE_CONFIG points to a YAML file $MSF_DATABASE_CONFIG is available to msfrpcd and armitage the msgpack ruby gem
6Updating metasploitThe m s f u p d a t e command updates the Metasploit Framework by pulling
the latest source code from a subversion repository that is synced with the git
repository that developers commit to
When you run m s f u p d a t e its possible that you may break Armitage by
doing this The Metasploit team is cautious about what they commit to the
primary git repository and theyre extremely responsive to bug reports That said
things still break from time to time
If you run m s f u p d a t e and Armitage stops working you have a few options
1) You can run m s f u p d a t e later and hope the issue gets fixed Many
times this is a valid strategy
2) You can downgrade Metasploit to the last revision Take a look at the
change log file for the latest development release tested against Armitage
The revision number is located next to the release date To downgrade
Metasploit
c d p a t h t o m e t a s p l o i t m s f 3
s o u r c e s c r i p t s s e t e n v s h
s v n u p d a t e - r [revision number]
This step will downgrade the Armitage release included with Metasploit
too You can download the latest Armitage release from this site in the
mean time
3) Reinstall Metasploit using the installer provided by Rapid7 The
Metasploit installer includes the latest stable version of Metasploit
Usually this release is very stable
23 | P a g e
If youre preparing to use Armitage and Metasploit somewhere
important--do not run m s f u p d a t e and assume it will work Its very
important to stick with what you know works or test the functionality you
need to make sure it works When in doubt go with option (2) or (3)
61 quick connect
If youd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog use the - - c l i e n t option to specify a file with the
connection details
j a v a - j a r a r m i t a g e j a r - - c l i e n t c o n n e c t p r o p
Heres an example connectprop file
h o s t = 1 9 21 6 8 9 5 2 4 1
p o r t = 55553
u s e r = mister
p a s s = bojangles
If you have to manage multiple ArmitageMetasploit servers consider creating
a desktop shortcut that calls this --client option with a different properties file
for each server
7 User interface format(gui)The user interface can be very easy and friendly to a pentaster as also as a
hackerit is made so easy that without any help a user can manage the cyber
attack
71 Overview
The Armitage user interface has three main panels modules targets and tabs
You may click the area between these panels to resize them to your liking
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an
exploit, generate a payload, and even run a post-exploitation script. Click
through the tree to find the desired module. Double-click the module to bring up
a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS
variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a
wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show
your search results, already expanded for quick viewing. Clear the search box
and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents
each target as a computer with its IP address and other information about it
below the computer. The computer screen shows the operating system the
computer is running. A red computer with electrical jolts indicates a
compromised host. Right-click the computer to use any sessions related to the
host. A directional green line indicates a pivot from one host to another.
Pivoting allows Metasploit to route attacks and scans through intermediate
hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging
a box over the desired hosts. Where possible, Armitage will try to apply an
action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu
will show attack and login options, menus for existing sessions, and options to
edit the host information.
The login menu is only available after a port scan reveals open ports that
Metasploit can log in to. The Attack menu is only
available after finding attacks through the Attacks menu bar. Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host. Several keyboard shortcuts are available in the targets panel.
You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and
zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For
this situation Armitage has a table view.
Go to View -> Targets -> Table View to switch to this mode. Armitage will
remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it
to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use,
Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and
target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot
of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control
and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active
tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open
the current tab in its own window.
8 Console format
Metasploit console, Meterpreter console, and shell interfaces each use a console
tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle
through previously typed commands. The down arrow moves back to the last
command you typed.
In the Metasploit console, use the Tab key to complete commands and
parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it
smaller, and Ctrl 0 to reset it. This change is local to the current
console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a
module or a payload name in a console. To open a Console, go to View ->
Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information.
To disable the colors, set the console.show_colors.boolean preference to false.
You may also edit the colors through Armitage -> Preferences. Here is the
Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them. Use
Workspace -> Manage to manage your dynamic workspaces. Here you may
add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following
dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This
description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a
network description in the Hosts field. A network description
might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255.
Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type
192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type
192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple
ports using a comma and a space. Use the OS field to specify which operating
system you'd like to see in this workspace. You may type a partial name, such
as "indows". Armitage will only include hosts whose OS name includes the partial
name. This value is not case sensitive. Separate multiple operating
systems with a comma and a space. Select "Hosts with sessions only" to only
include hosts with sessions in this dynamic workspace. You may specify any
combination of these items when you create your dynamic workspace. Each
workspace will have an item in the Workspace menu. Use these menu items to
switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
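The filtering rules above (CIDR descriptions, the trailing-zero shorthand, comma-separated lists, a case-insensitive partial OS match, and "hosts with sessions only") are easy to get subtly wrong when you reimplement them, for instance in a script that decides which hosts a scan should touch. The following Python is an added example, not Armitage's own code: it applies those rules to a constructed hosts table. The record fields (address, ports, os, sessions) and the choice that a host passes the Ports and OS fields if it matches any listed value are assumptions; the manual does not spell out "any" versus "all".

```python
"""Host filter that applies the dynamic-workspace rules from section 9.1.

Added example, not Armitage's own code. The host records and the
workspace_filter field names are constructed for illustration; the network
shorthand rules (CIDR, trailing-zero octets, comma-separated lists, partial
case-insensitive OS match, sessions-only) are the ones the manual describes.
"""
import ipaddress


def split_field(field):
    """Split a 'comma and a space' separated field; extra spaces are tolerated.
    An empty field means 'no restriction'."""
    return [item.strip() for item in field.split(",") if item.strip()]


def parse_network(desc):
    """Turn one network description into an IPv4 network.

    '10.10.0.0/16' is taken literally. Without a prefix, each trailing zero
    octet widens the match by 8 bits, so '192.168.95.0' means
    192.168.95.0-255 and '192.168.0.0' means 192.168.0.0-192.168.255.255.
    A plain address with no trailing zero octet matches only itself.
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad network description: {desc!r}")
    trailing_zeros = 0
    for octet in reversed(octets):
        if int(octet) != 0:
            break
        trailing_zeros += 1
    return ipaddress.ip_network(f"{desc}/{32 - 8 * trailing_zeros}", strict=False)


def network_range(desc):
    """Render a description the way the manual spells out its meaning."""
    net = parse_network(desc)
    return f"{net[0]}-{net[-1]}"


def workspace_filter(hosts, networks="", ports="", os_names="", sessions_only=False):
    """Return the addresses of hosts that satisfy every non-empty criterion.

    Assumption: a host passes the Ports field if any listed port is open on
    it, and the OS field if its OS name contains any listed fragment.
    """
    nets = [parse_network(d) for d in split_field(networks)]
    wanted_ports = {int(p) for p in split_field(ports)}
    os_fragments = [name.lower() for name in split_field(os_names)]
    selected = []
    for host in hosts:
        addr = ipaddress.ip_address(host["address"])
        if nets and not any(addr in net for net in nets):
            continue
        if wanted_ports and not wanted_ports.intersection(host["ports"]):
            continue
        if os_fragments and not any(frag in host["os"].lower() for frag in os_fragments):
            continue
        if sessions_only and host["sessions"] == 0:
            continue
        selected.append(host["address"])
    return selected


# Constructed sample of what the hosts database might hold.
SAMPLE_HOSTS = [
    {"address": "10.10.3.7",     "ports": [22, 80],   "os": "Linux",      "sessions": 1},
    {"address": "10.10.200.15",  "ports": [445],      "os": "Windows XP", "sessions": 0},
    {"address": "192.168.95.42", "ports": [135, 445], "os": "Windows 7",  "sessions": 2},
    {"address": "192.168.1.9",   "ports": [22],       "os": "FreeBSD",    "sessions": 0},
    {"address": "172.16.0.1",    "ports": [80, 443],  "os": "Unknown",    "sessions": 0},
]

if __name__ == "__main__":
    for desc in ("10.10.0.0/16", "192.168.95.0", "192.168.0.0"):
        print(f"{desc:14} -> {network_range(desc)}")
    print("Windows hosts with sessions:",
          workspace_filter(SAMPLE_HOSTS, os_names="indows", sessions_only=True))
```

The trailing-zero shorthand is convenient but ambiguous: "10.0.0.0" silently becomes a /8, so a workspace meant for one lab subnet can pull in every host the database knows about in that range. Spelling the prefix out (10.0.0.0/24) avoids the surprise.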
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import
Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit. The Host -> NMap Scan menu
has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the
options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Host -> MSF Scan to launch these as
well. These scans work through a pivot and against IPv6 hosts as well. These
scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep,
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Host -> Clear Database.
10 Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attack -> Find Attack to generate a custom Attack menu for
each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't get
a remote exploit to work, you'll have to use a client-side attack. Use the module
browser to find and launch client-side exploits. Search for "file format" to find
exploits that trigger when a user opens a malicious file. Search for "browser" to
find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this value, you're responsible for setting up a multi/handler for the
payload.
11 Post exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully
exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N
menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell
session. Right-click the host to access this menu. If you have a Windows shell
session, you may go to Shell N -> Meterpreter to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to
upload a file using the UNIX printf command.
11.2 Privilege escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the Meterpreter N -> Access ->
Escalate Privileges menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g. nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network like
you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external ip address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL. When you start the
team server, it will present a server fingerprint. This is a SHA-1 hash of the
server's SSL certificate. When your team members connect, Armitage will
present the hash of the certificate the server presented to them. They should
verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're connecting to in order to determine
whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd,
localhost). You may connect Armitage to your teamserver locally; use the
[external IP address] in the Host field. Armitage's red team collaboration setup
is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your
team server.
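The fingerprint check described above is the only thing standing between a team member and a server impersonating the teamserver, and the 127.0.0.1 rule is why a client pointed at loopback silently drops SSL. The Python below is an added example, not Armitage's or Cortana's own code, that models three rules the manual states: the connect.prop key=value format from section 6.1 (the Cortana file in section 14.2 has the same shape), the loopback-means-msfrpcd-without-SSL rule, and a SHA-1 fingerprint comparison against the value the teamserver printed at startup. Treating every loopback address the way Armitage treats 127.0.0.1, and treating a hostname as remote, are assumptions; the certificate bytes are constructed, not a real certificate.

```python
"""Connection bookkeeping for an Armitage-style connect.prop file.

Added example, not Armitage's own code. Assumptions: any loopback address
(not only the literal 127.0.0.1) means a local msfrpcd without SSL, and a
hostname is treated as remote. SAMPLE_CERT_DER is a constructed stand-in
for the DER bytes a real TLS handshake would yield.
"""
import hashlib
import hmac
import ipaddress

REQUIRED_KEYS = ("host", "port", "user", "pass")


def parse_connect_prop(text):
    """Parse key=value lines; blank lines and '#' comments are skipped.
    Only the first '=' splits, so a password may itself contain '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed connect.prop line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError(f"connect.prop is missing {missing}")
    props["port"] = int(props["port"])
    return props


def uses_ssl(host):
    """Loopback -> plain msfrpcd connection; anything else -> SSL team server."""
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address: treat as remote
        return True


def cert_fingerprint(cert_der):
    """SHA-1 over the DER-encoded certificate, lower-case hex, no separators."""
    return hashlib.sha1(cert_der).hexdigest()


def fingerprint_matches(cert_der, announced):
    """Compare the certificate the server presented against the fingerprint
    the team server printed at startup. Colons, spaces and case are ignored
    so a value read aloud or pasted from a chat still compares; the
    comparison itself is constant-time."""
    expected = announced.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(cert_fingerprint(cert_der), expected)


def plan_connection(prop_text):
    """Summarise how the client would treat this connect.prop."""
    props = parse_connect_prop(prop_text)
    return {"host": props["host"], "port": props["port"],
            "user": props["user"], "ssl": uses_ssl(props["host"])}


# Constructed inputs: the manual's example file and a stand-in for DER bytes.
SAMPLE_CONNECT_PROP = """\
host=192.168.95.241
port=55553
user=mister
pass=bojangles
"""
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-body"

if __name__ == "__main__":
    print(plan_connection(SAMPLE_CONNECT_PROP))
    announced = cert_fingerprint(SAMPLE_CERT_DER).upper()
    print("server fingerprint:", announced)
    print("verified:", fingerprint_matches(SAMPLE_CERT_DER, announced))
```

The useful habit this encodes: the announced fingerprint should reach team members over a channel the teamserver's network path cannot influence (the operator reads it out, or it is pasted into the planning notes), and a mismatch means stop, not retry.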
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here.
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test, this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use. Some Metasploit modules require you to specify one or
more files. If a file option has a + next to it, then you may double-click that option
name to choose a local file to use. Armitage will upload the chosen local file
and set the option to its remote location for you. Generally, Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that you're using Metasploit locally. Some Meterpreter commands may
have shortened output. Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command. Additional output
is ignored (although the command still executes normally). This limitation
primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a teamserver. Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
will escalate your privileges, dump password hashes to a local credentials
database, browse the file system like you're local, and launch command shells.
Finally, Armitage aids the process of setting up pivots, a capability that lets you
use compromised hosts as a platform for attacking other hosts and further
investigating the target network. Armitage also exposes Metasploit's SOCKS
proxy module, which allows external tools to take advantage of these pivots.
With these tools you can further explore and maneuver through the network.
The rest of this manual is organized around this process, providing what you
need to know in the order you'll need it.
3 NECESSARY THINGS TO KNOW
To use Armitage, it helps to understand Metasploit. Here are a few things you
absolutely must know before continuing.
Metasploit (http://www.metasploit.com) is a console-driven application.
Anything you do in Armitage is translated into a command Metasploit
understands. You can bypass Armitage and type commands yourself (covered
later). If you're ever lost in a console, type help and hit enter.
Metasploit presents its capabilities as modules. Every scanner, exploit, and
even payload is available as a module. If you're scanning a host, you use an
auxiliary module. Before launching a module, you must set one or more
variables to configure the module. The exploit process is similar. To launch an
exploit, you must choose an exploit module, set one or more variables, and
launch it.
Armitage aims to make this process easier for you. If you successfully exploit a
host, you will have a session on that host. Armitage knows how to interact with
shell and Windows Meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation
functionality available to you. Armitage is built to take advantage of
Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later
2. Install Oracle's Java 1.7 (JRE or JDK)
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do
this once to initialize the database)
5. Make sure you're the Administrator user
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect
Click Yes when asked whether or not to start Metasploit's RPC daemon
If asked where Metasploit is installed, select the Metasploit directory. You will
only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user,
consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user
2. Download and install the Metasploit Framework from
http://www.metasploit.com. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu)
You can install Armitage with a simple command, but before you execute this
install command you need to be the root user, so open a
terminal and type exactly:
$ sudo su
apt-get install armitage
We need to enable the RPC daemon for Metasploit; use this command on the
terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh $*' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a
service when the installer runs. The downside being that the "Metasploit as a service" option
starts up the commercial/community edition of Metasploit on boot too. If you use this
version, great. If not, it's a waste of system resources.
Now it's time to run Armitage: locate the directory and type
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You
do not need to change the DB connect string.
Note:
If you're using Armitage with a local Metasploit instance, then Armitage must
also run as root. Why? Because Armitage needs root privileges to read the
database.yml file created by Metasploit's installer. If Armitage can't read this
file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release
requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit
(hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer,
then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage.
Metasploit does not have an official package for OS X.
There is a lot of manual setup involved in getting the prerequisites working.
Cedric Baillet created a step-by-step guide
(http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf)
to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download
the MacOS X package, extract it, and double-click the Armitage.app file to get
started.
Here are three MacOS X Armitage install guides that others have
produced; these may help you. Please don't ask me to provide support for them,
though.
The Black Matrix
(http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX
Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast-moving project and these guides may suggest methods for
starting the Metasploit Framework RPC daemon that are slightly dated. The
correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH
$MSF_DATABASE_CONFIG points to a YAML file
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage
the msgpack ruby gem
6Updating metasploitThe m s f u p d a t e command updates the Metasploit Framework by pulling
the latest source code from a subversion repository that is synced with the git
repository that developers commit to
When you run m s f u p d a t e its possible that you may break Armitage by
doing this The Metasploit team is cautious about what they commit to the
primary git repository and theyre extremely responsive to bug reports That said
things still break from time to time
If you run m s f u p d a t e and Armitage stops working you have a few options
1) You can run m s f u p d a t e later and hope the issue gets fixed Many
times this is a valid strategy
2) You can downgrade Metasploit to the last revision Take a look at the
change log file for the latest development release tested against Armitage
The revision number is located next to the release date To downgrade
Metasploit
c d p a t h t o m e t a s p l o i t m s f 3
s o u r c e s c r i p t s s e t e n v s h
s v n u p d a t e - r [revision number]
This step will downgrade the Armitage release included with Metasploit
too You can download the latest Armitage release from this site in the
mean time
3) Reinstall Metasploit using the installer provided by Rapid7 The
Metasploit installer includes the latest stable version of Metasploit
Usually this release is very stable
23 | P a g e
If youre preparing to use Armitage and Metasploit somewhere
important--do not run m s f u p d a t e and assume it will work Its very
important to stick with what you know works or test the functionality you
need to make sure it works When in doubt go with option (2) or (3)
61 quick connect
If youd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog use the - - c l i e n t option to specify a file with the
connection details
j a v a - j a r a r m i t a g e j a r - - c l i e n t c o n n e c t p r o p
Heres an example connectprop file
h o s t = 1 9 21 6 8 9 5 2 4 1
p o r t = 55553
u s e r = mister
p a s s = bojangles
If you have to manage multiple ArmitageMetasploit servers consider creating
a desktop shortcut that calls this --client option with a different properties file
for each server
7 User interface format(gui)The user interface can be very easy and friendly to a pentaster as also as a
hackerit is made so easy that without any help a user can manage the cyber
attack
71 Overview
The Armitage user interface has three main panels modules targets and tabs
You may click the area between these panels to resize them to your liking
24 | P a g e
711 modules
The module browser lets you launch a Metasploit auxiliary module throw an
exploit generate a payload and even run a post-exploitation script Click
through the tree to find the desired module Double click the module to bring up
a dialog with options
Armitage will place highlighted hosts from the targets panel into the RHOSTS
variable of any module launched from here
You can search for modules too Click in the search box below the tree type a
wildcard expression (eg ssh_) and hit enter The module tree will then show
your search results already expanded for quick viewing Clear the search box
and press enter to restore the module browser to its original state
712 Targets - Graph View
The targets panel shows all hosts in the current workspace Armitage represents
each target as a computer with its IP address and other information about it
below the computer The computer screen shows the operating system the
computer is runningA red computer with electrical jolts indicates a
compromised host Right click the computer to use any sessions related to the
host A directional green line indicates a pivot from one host to another
Pivoting allows Metasploit to route attacks and scans through intermediate
hosts A bright green line indicates the pivot communication path is in use
Click a host to select it You may select multiple hosts by clicking and dragging
a box over the desired hosts Where possible Armitage will try to apply an
action (eg launching an exploit) to all selected hosts
Right click a host to bring up a menu with available options The attached menu
will show attack and login options menus for existing sessions and options to
edit the host information
The login menu is only available after a port scan reveals open ports that
Metasploit can log in to The Attack menu is only
25 | P a g e
available after finding attacks through the Attacks menu bar Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host Several keyboard shortcuts are available in the targets panel
You may edit these in the Armitage -gt Preferences menu
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right click the targets area with no selected hosts to configure the layout and
zoom-level of the targets area
Targets - Table View
If you have a lot of hosts the graph view becomes difficult to work with For
this situation Armitage has a table view
Go to View
7121 Targets -gt Table View
to switch to this mode Armitage will remember your preference
Click any of the table headers to sort the hosts Highlight a row and right-click it
to bring up a menu with options for that host
Armitage will bold the IP address of any host with sessions If a pivot is in use
Armitage will make it bold as well
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and
target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot
of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control
and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active
tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open
the current tab in its own window.
8 Console format
Metasploit console, Meterpreter console, and shell interfaces each use a console
tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle
through previously typed commands. The down arrow moves back to the last
command you typed.
In the Metasploit console, use the Tab key to complete commands and
parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus in the console panel to make the console font size larger, Ctrl
Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the
current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a
module or a payload name in a console. To open a console, go to View ->
Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information.
To disable the colors, set the console.show_colors.boolean preference to false.
You may also edit the colors through Armitage -> Preferences. Here is the
Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them. Use
Workspace -> Manage to manage your dynamic workspaces. Here you may
add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following
dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This
description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a
network description in the Hosts field. A network description
might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255.
Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type
192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type
192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple
ports using a comma and a space. Use the OS field to specify which operating
system you'd like to see in this workspace. You may type a partial name, such
as "indows". Armitage will only include hosts whose OS name includes the partial
name. This value is not case sensitive. Separate multiple operating
systems with a comma and a space. Select "Hosts with sessions only" to only
include hosts with sessions in this dynamic workspace. You may specify any
combination of these items when you create your dynamic workspace. Each
workspace will have an item in the Workspace menu. Use these menu items to
switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
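The filter rules above (CIDR or shorthand network descriptions, comma-and-space separated ports and partial, case-insensitive OS names, and the sessions-only switch) are easy to get wrong when you build a workspace by hand, so here is an added example that applies them to a few constructed host records. This is not Armitage's own code: the Workspace class, parse_network and the host record layout are assumptions made for the illustration.

```python
import ipaddress

# Added illustration of the dynamic-workspace filter rules described above.
# This is not Armitage's own code; Workspace, parse_network and the host
# record layout are assumptions made for the example.


def parse_network(desc):
    """Turn one Hosts-field entry into an IPv4 network.

    A CIDR entry such as 10.10.0.0/16 is taken as written. A bare address
    gets the shorthand widening the text describes: each trailing ".0"
    octet widens the prefix by 8 bits, so 192.168.95.0 becomes
    192.168.95.0/24 and 192.168.0.0 becomes 192.168.0.0/16.
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    trailing_zero_octets = 0
    for octet in reversed(desc.split(".")):
        if octet != "0":
            break
        trailing_zero_octets += 1
    prefix = 32 - 8 * trailing_zero_octets
    return ipaddress.ip_network("%s/%d" % (desc, prefix), strict=False)


def split_field(field):
    """Fields are separated by a comma and a space; tolerate missing spaces."""
    return [item.strip() for item in field.split(",") if item.strip()]


class Workspace:
    """One dynamic workspace: any combination of Hosts, Ports, OS and
    'Hosts with sessions only'. Empty fields place no restriction."""

    def __init__(self, name, hosts="", ports="", os="", sessions_only=False):
        self.name = name
        self.networks = [parse_network(n) for n in split_field(hosts)]
        self.ports = {int(p) for p in split_field(ports)}
        self.os_names = [o.lower() for o in split_field(os)]  # case-insensitive
        self.sessions_only = sessions_only

    def matches(self, host):
        addr = ipaddress.ip_address(host["address"])
        if self.networks and not any(addr in net for net in self.networks):
            return False
        if self.ports and not self.ports.intersection(host.get("ports", [])):
            return False
        os_name = host.get("os", "").lower()
        if self.os_names and not any(part in os_name for part in self.os_names):
            return False
        if self.sessions_only and not host.get("sessions", 0):
            return False
        return True

    def filter(self, hosts):
        """Addresses of the hosts this workspace would display."""
        return [h["address"] for h in hosts if self.matches(h)]


# Constructed host records standing in for Metasploit's hosts table.
SAMPLE_HOSTS = [
    {"address": "10.10.1.5", "ports": [22, 80], "os": "Linux", "sessions": 0},
    {"address": "10.10.200.9", "ports": [445, 3389], "os": "Windows XP", "sessions": 1},
    {"address": "192.168.95.17", "ports": [445], "os": "Windows 7", "sessions": 0},
    {"address": "192.168.96.3", "ports": [80], "os": "Microsoft Windows 2003", "sessions": 1},
]

if __name__ == "__main__":
    lab = Workspace("lab windows", hosts="10.10.0.0/16, 192.168.95.0", os="indows")
    print(lab.filter(SAMPLE_HOSTS))        # ['10.10.200.9', '192.168.95.17']
    owned = Workspace("owned", ports="445, 80", sessions_only=True)
    print(owned.filter(SAMPLE_HOSTS))      # ['10.10.200.9', '192.168.96.3']
```

The widening rule is what makes 192.168.0.0 cover a /16: it is the number of trailing zero octets, not a fixed /24, so a lone "10.0.0.0" would match the whole 10/8 range. Keep that in mind when a workspace suddenly shows more hosts than you expected.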
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import
Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
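Nmap XML is the most common of the formats in that list, and it is worth knowing what an importer actually keeps from it: only hosts that answered, their addresses and hostnames, the best OS match and the open ports with service banners. The following added example (not Armitage's or Metasploit's importer; the parse_nmap_xml function and the trimmed sample scan are constructed for this illustration) reads such a file into plain host records of the kind a host database stores.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (not a real scan), trimmed to the elements an importer
# reads. This example and parse_nmap_xml() are added here for illustration;
# they are not Armitage's or Metasploit's import code.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O 10.10.1.0/24" version="6.01">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.1.5" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="files.lab.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32 - 3.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.1.6" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.1.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="100"/><osmatch name="Microsoft Windows 2003" accuracy="90"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one record per live host: address, hostname, OS guess, open services."""
    hosts = []
    root = ET.fromstring(text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered carry nothing worth storing
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        rec = {"address": ipv4.get("addr"), "hostname": None, "os": None, "services": []}
        hostname = host.find("hostnames/hostname")
        if hostname is not None:
            rec["hostname"] = hostname.get("name")
        # Nmap may list several OS matches; keep the one with the best accuracy.
        matches = host.findall("os/osmatch")
        if matches:
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            rec["os"] = best.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = port.find("service")
            info = ""
            if svc is not None:
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rec["services"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "info": info,
            })
        hosts.append(rec)
    return hosts


if __name__ == "__main__":
    for record in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(record["address"], record["os"], [s["port"] for s in record["services"]])
```

The OS string that comes out of this is exactly what a workspace OS filter or an "Attack -> Find Attacks" style lookup would later match on, which is why it pays to import scans that were run with OS detection rather than setting the operating system by hand.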
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit. The Host -> NMap Scan menu
has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the
options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Host -> MSF Scan to launch these as
well. These scans work through a pivot and against IPv6 hosts as well. These
scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep,
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attack -> Find Attack to generate a custom Attack menu for
each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the hail mary option. Attack -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try.
10.5 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't get
a remote exploit to work, you'll have to use a client-side attack. Use the module
browser to find and launch client-side exploits. Search for "file format" to find
exploits that trigger when a user opens a malicious file. Search for "browser" to
find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this value, you're responsible for setting up a multi/handler for the
payload.
11 Post Exploitation
11.1 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host. Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell
session. Right-click the host to access this menu. If you have a Windows shell
session, you may go to Shell N -> Meterpreter to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to
upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the Meterpreter N -> Access ->
Escalate Privileges menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g. nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connections
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network like
you're local.
13.2 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL. When you start the
team server, it will present a server fingerprint. This is a SHA-1 hash of the
server's SSL certificate. When your team members connect, Armitage will
present the hash of the certificate the server presented to them. They should
verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're connecting to in order to determine
whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd,
localhost). You may connect Armitage to your teamserver locally; use the
[external IP address] in the Host field. Armitage's red team collaboration setup
is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your
team server.
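The fingerprint check described above is the only thing standing between a team member and a man-in-the-middle that would collect the team password, because the team server's certificate is self-signed and cannot be validated against a CA. Here is an added example (not Armitage's code) of how a client-side script can perform that check before anyone types the password: it hashes the DER certificate the server presents, normalizes the fingerprint formats so "AB:CD" and "abcd" compare equal, and compares in constant time. The function names and the SAMPLE_DER bytes are assumptions for the illustration; a real check hashes the bytes returned by fetch_peer_certificate().

```python
import hashlib
import hmac
import socket
import ssl

TEAMSERVER_PORT = 55553  # the port the text says your team must reach


def normalize_fingerprint(fp):
    """Strip colons, spaces and case so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def sha1_fingerprint(der_bytes):
    """SHA-1 over the DER-encoded certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_bytes, expected):
    """Constant-time comparison of the presented certificate against the
    fingerprint the team server printed at startup."""
    return hmac.compare_digest(normalize_fingerprint(sha1_fingerprint(der_bytes)),
                               normalize_fingerprint(expected))


def fetch_peer_certificate(host, port=TEAMSERVER_PORT, timeout=5.0):
    """Retrieve the DER certificate a team server presents.

    The server certificate is self-signed, so chain validation is disabled here;
    pinning through fingerprint_matches() is the check that matters.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_teamserver(host, expected, port=TEAMSERVER_PORT):
    """True only if the live server presents the certificate whose SHA-1 the
    operator read off the teamserver console."""
    return fingerprint_matches(fetch_peer_certificate(host, port), expected)


# Constructed bytes standing in for a DER certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed stand-in certificate body"

if __name__ == "__main__":
    # Offline demonstration on the constructed bytes; against a real team
    # server you would call verify_teamserver("<external IP>", "<fingerprint>").
    print(sha1_fingerprint(SAMPLE_DER))
```

The point of normalizing before comparing is that operators read the fingerprint aloud or paste it from chat in whatever format they have; the point of hmac.compare_digest is habit, since a fingerprint is not secret but a comparison helper gets reused for things that are.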
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here.
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test, this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use. Some Metasploit modules require you to specify one or
more files. If a file option has a "..." next to it, then you may double-click that option
name to choose a local file to use. Armitage will upload the chosen local file
and set the option to its remote location for you. Generally, Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that you're using Metasploit locally. Some meterpreter commands may
have shortened output. Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command. Additional output
is ignored (although the command still executes normally). This limitation
primarily affects long running meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a teamserver. Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands are available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
Armitage aims to make this process easier for you. If you successfully exploit a
host, you will have a session on that host. Armitage knows how to interact with
shell and Windows meterpreter sessions.
Meterpreter is an advanced agent that makes a lot of post-exploitation
functionality available to you. Armitage is built to take advantage of
Meterpreter. Working with Meterpreter is covered later.
4 Installation
4.1 On Windows
Here are the steps to install and run Armitage on Windows:
1. Install Metasploit 4.4 or later.
2. Install Oracle's Java 1.7 (JRE or JDK).
3. Start -> Programs -> Metasploit -> Framework -> Framework Update
4. Start -> Programs -> Metasploit -> Framework -> Framework Console (do
this once to initialize the database)
5. Make sure you're the Administrator user.
To run Armitage:
Start -> Programs -> Metasploit -> Framework -> Armitage
Click Connect.
Click Yes when asked whether or not to start Metasploit's RPC daemon.
If asked where Metasploit is installed, select the Metasploit directory. You will
only need to do this once (e.g. c:\metasploit).
The best Armitage user experience is on Linux. If you're a Windows user,
consider using Armitage from a BackTrack virtual machine.
4.2 On Linux
To install Armitage on Linux:
1. Make sure you're the root user.
Download and install the Metasploit Framework from
http://www.metasploit.com/.
2. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can also install Armitage with a single command, but before you run it
you need to be the root user, so open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the
terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1, you now need to make sure you have a database startup script:
# create the init script; the same name is used for every step below
printf '#!/bin/sh\nexec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"\n' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a
service when the installer runs. The downside being that the Metasploit as a service option
starts up the commercial/community edition of Metasploit on boot too. If you use this
version, great. If not, it's a waste of system resources.
Now it's time to run Armitage: locate the directory and type
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
The settings for Metasploit's installed database are already set up for you. You
do not need to change the DB connect string.
Note:
If you're using Armitage with a local Metasploit instance, then Armitage must
also run as root. Why? Because Armitage needs root privileges to read the
database.yml file created by Metasploit's installer. If Armitage can't read this
file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release
requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit
(hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer,
then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal.
Type armitage.
Click Connect.
Press Yes if asked to start msfrpcd.
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage.
Metasploit does not have an official package for OS X.
There is a lot of manual setup involved getting the pre-requisites working.
Cedric Baillet created a step-by-step guide
(http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf)
to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download
the MacOS X package, extract it, and double-click the Armitage.app file to get
started.
Here are three MacOS X Armitage install guides that others have
produced; these may help you. Please don't ask me to provide support for them
though.
The Black Matrix
(http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX
Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion/)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for
starting the Metasploit Framework RPC daemon that are slightly dated. The
correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full
installer. This method is not supported. If you go this route, here are some of
the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack ruby gem.
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling
the latest source code from a subversion repository that is synced with the git
repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by
doing this. The Metasploit team is cautious about what they commit to the
primary git repository and they're extremely responsive to bug reports. That said,
things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many
times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the
change log file for the latest development release tested against Armitage.
The revision number is located next to the release date. To downgrade
Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit
too. You can download the latest Armitage release from this site in the
mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The
Metasploit installer includes the latest stable version of Metasploit.
Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere
important, do not run msfupdate and assume it will work. It's very
important to stick with what you know works or test the functionality you
need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog, use the --client option to specify a file with the
connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating
a desktop shortcut that calls this --client option with a different properties file
for each server.
7 User interface format (GUI)
The user interface can be very easy and friendly to a pentester as well as to a
hacker; it is made so easy that without any help a user can manage the cyber
attack.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs.
You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an
exploit, generate a payload, and even run a post-exploitation script. Click
through the tree to find the desired module. Double-click the module to bring up
a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS
variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a
wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show
your search results, already expanded for quick viewing. Clear the search box
and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents
each target as a computer with its IP address and other information about it
below the computer. The computer screen shows the operating system the
computer is running. A red computer with electrical jolts indicates a
compromised host. Right-click the computer to use any sessions related to the
host. A directional green line indicates a pivot from one host to another.
Pivoting allows Metasploit to route attacks and scans through intermediate
hosts A bright green line indicates the pivot communication path is in use
Click a host to select it You may select multiple hosts by clicking and dragging
a box over the desired hosts Where possible Armitage will try to apply an
action (eg launching an exploit) to all selected hosts
Right click a host to bring up a menu with available options The attached menu
will show attack and login options menus for existing sessions and options to
edit the host information
The login menu is only available after a port scan reveals open ports that
Metasploit can log in to The Attack menu is only
25 | P a g e
available after finding attacks through the Attacks menu bar Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host Several keyboard shortcuts are available in the targets panel
You may edit these in the Armitage -gt Preferences menu
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right click the targets area with no selected hosts to configure the layout and
zoom-level of the targets area
Targets - Table View
If you have a lot of hosts the graph view becomes difficult to work with For
this situation Armitage has a table view
Go to View
7121 Targets -gt Table View
to switch to this mode Armitage will remember your preference
Click any of the table headers to sort the hosts Highlight a row and right-click it
to bring up a menu with options for that host
Armitage will bold the IP address of any host with sessions If a pivot is in use
Armitage will make it bold as well
26 | P a g e
713 Tab
Armitage opens each dialog console and table in a tab below the module and
target panels Click the X button to close a tab
You may right-click the X button to open a tab in a window take a screenshot
of a tab or close all tabs with the same name
Hold shift and click X to close all tabs with the same name Hold shift + control
and click X to open the tab in its own window
You may drag and drop tabs to change their order
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible
Use Ctrl+T to take a screenshot of the active tab Use Ctrl+D to close the active
tab Try Ctrl+Left and Ctrl+Right to quickly switch tabs And Ctrl+W to open
the current tab in its own window
8console formatMetasploit console Meterpreter console and shell interfaces each use a console
tab A console tab lets you interact with these interfaces through Armitage
The console tab tracks your command history Use the up arrow to cycle
through previously typed commands The down arrow moves back to the last
command you typed
In the Metasploit console use the Tab key to complete commands and
parameters This works just like the Metasploit console outside of Armitage
27 | P a g e
Use of console panel to make the console font size larger Ctrl minus to make it
smaller and Ctrl 0 to reset it This change is local to the current
console only Visit Armitage -gt Preference to permanently change the font
Press ctrl F to show a panel that will let you search for text within the console
Use Ctrl A to select all text in the consoles buffer
Armitage sends ardquo u s e or a s e t P A Y L O A Drdquo command if you click a
module or a payload name in a console To open a Console go to View -gt
Console or press Ctrl+N
The Armitage console uses color to draw your attention to some information
To disable the colors set the consoleshow_colorsboolean preference to false
You may also edit the colors through Armitage -gt Preference Here is the
Armitage color palette and the preference associated with each color
9 Host management 91Dynamic workspace
Armitages dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them Use
Workspace -gt Manage to manage your dynamic workspaces Here you may
add edit and remove workspaces you create
28 | P a g e
To create a new dynamic workspace press Add You will see the following
dialog
Give your dynamic workspace a name It doesnt matter what you call it This
description is for you
If youd like to limit your workspace to hosts from a certain network type a
network description in the Hosts field A network description
might be 10100016 to display hosts between 101000-1010255255
Separate multiple networks with a comma and a space
29 | P a g e
You can cheat with the network descriptions a little If you type
192168950 Armitage will assume you mean 192168950-255 If you type
19216800 Armitage will assume you mean 19216800-192168255255
Fill out the Ports field to include hosts with certain services Separate multiple
ports using a comma and a space Use the OS field to specify which operating
system youd like to see in this workspace You may type a partial name such
as indowsArmitage will only include hosts whose OS name includes the partial
name This value is not case sensitive Separate multiple operating
systems with a comma and a space Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace You may specify any
combination of these items when you create your dynamic workspace Each
workspace will have an item in the Workspace menu Use these menu items to
switch between workspaces You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces
Use Work space -gt Show All or Ctrl+Back space to display the entire database
Use Work space -gt Show all or Ctrl+Backspace to display the entire database
92 Importing hostsTo add host information to Metasploit you may import it The Host -gt Import
Host menu accepts the following files
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
30 | P a g e
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XM
9.3 Nmap scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attack to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for "file format" to find exploits that trigger when a user opens a malicious file. Search for "browser" to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
13.2 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH. The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to in order to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally; use the [external IP address] in the Host field. Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
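Added here as an example (not Armitage's or Metasploit's own code), this Ruby snippet shows what that fingerprint check amounts to: SHA-1 over the DER encoding of the certificate, compared in constant time against the value read off the team server console. The certificates are generated in memory as constructed test material; a mismatch means the client is not talking to the server whose fingerprint it was given.

```ruby
require 'openssl'

# Added example, not Armitage's own code: the fingerprint check the team
# server asks operators to perform. The fingerprint is the SHA-1 hash of the
# server's certificate (DER encoding); a client that receives a certificate
# with a different hash is not talking to the team server it was told about.
module TeamServerFingerprint
  # SHA-1 over the DER form of the certificate, as 40 lowercase hex digits.
  def self.fingerprint(cert)
    OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der)
  end

  # Accept the forms an operator might type or paste: upper case, colons,
  # spaces. Everything except hex digits is dropped.
  def self.normalise(text)
    text.to_s.downcase.gsub(/[^0-9a-f]/, '')
  end

  # Compare in constant time so a wrong value does not learn how many leading
  # digits were right. Lengths are checked first; that leaks nothing useful.
  def self.match?(expected, presented_cert)
    a = normalise(expected)
    b = fingerprint(presented_cert)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Build a self-signed certificate in memory so the example runs offline.
  # Constructed test material only; a real team server presents its own cert.
  def self.make_self_signed(common_name)
    key  = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = 1
    cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
    cert.issuer     = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after  = Time.now + 3600
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    cert
  end
end

if $PROGRAM_NAME == __FILE__
  # What the operator reads off the team server console when it starts...
  server   = TeamServerFingerprint.make_self_signed('teamserver')
  trusted  = TeamServerFingerprint.fingerprint(server)
  # ...and what a team member is shown on connect: the genuine server, then an
  # impostor certificate that carries the same name but a different key.
  impostor = TeamServerFingerprint.make_self_signed('teamserver')
  puts "expected  #{trusted}"
  puts "genuine   #{TeamServerFingerprint.match?(trusted, server)}"
  puts "impostor  #{TeamServerFingerprint.match?(trusted, impostor)}"
end
```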
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use. Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally. Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    # runs once the bot has connected to the team server
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
1. Download and install the Metasploit Framework from http://www.metasploit.com
2. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g. apt-get install vncviewer on Ubuntu).
You can install Armitage with a simple command, but before executing it you need to be the root user, so open a terminal and type exactly:
$ sudo su
# apt-get install armitage
We need to enable the RPC daemon for Metasploit. Use this command on the terminal:
root@bt:~# msfrpcd -f -U msf -P test -t Basic
Open a terminal. Add /usr/local/bin to $PATH:
export PATH=$PATH:/usr/local/bin
Since Metasploit 4.1 you now need to make sure you have a database startup script:
echo 'exec /opt/metasploit-4.4/postgresql/scripts/ctl.sh "$@"' > /etc/init.d/metasploit-postgres
chmod +x /etc/init.d/metasploit-postgres
/etc/init.d/metasploit-postgres start
update-rc.d metasploit-postgres defaults
Now start the MySQL server so that Armitage stores results:
root@bt:~# /etc/init.d/mysql start
This database startup script creation step isn't necessary if you opt to start Metasploit as a service when the installer runs. The downside is that the "Metasploit as a service" option starts up the commercial/community edition of Metasploit on boot too. If you use this version, great. If not, it's a waste of system resources.
Now it's time to run Armitage. Locate the directory and type:
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.
Note: If you're using Armitage with a local Metasploit instance, then Armitage must also run as root. Why? Because Armitage needs root privileges to read the database.yml file created by Metasploit's installer. If Armitage can't read this file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5r3. The latest Armitage release requires BackTrack 5r3; 5r2, 5r0, and 5r1 are out. If you uninstall Metasploit (hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer, then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.5 On Mac OS X
Armitage works on Mac OS X, but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X.
There is a lot of manual setup involved getting the prerequisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on Mac OS X as well.
Armitage on Mac OS X works fine as a remote client to Metasploit. Download the Mac OS X package, extract it, and double-click the Armitage.app file to get started.
Here are three Mac OS X Armitage install guides that others have produced; these may help you. Please don't ask me to provide support for them though.
The Black Matrix (http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion (http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for starting the Metasploit Framework RPC daemon that are slightly dated. The correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack Ruby gem.
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling the latest source code from a Subversion repository that is synced with the git repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by doing this. The Metasploit team is cautious about what they commit to the primary git repository, and they're extremely responsive to bug reports. That said, things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the change log file for the latest development release tested against Armitage. The revision number is located next to the release date. To downgrade Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit too. You can download the latest Armitage release from this site in the mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The Metasploit installer includes the latest stable version of Metasploit. Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It's very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7 User interface format (GUI)
The user interface is very easy and friendly for a pentester as well as for a hacker; it is made so easy that a user can manage the cyber attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu:
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation, Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console format
Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name It doesnt matter what you call it This
description is for you
If youd like to limit your workspace to hosts from a certain network type a
network description in the Hosts field A network description
might be 10100016 to display hosts between 101000-1010255255
Separate multiple networks with a comma and a space
29 | P a g e
You can cheat with the network descriptions a little If you type
192168950 Armitage will assume you mean 192168950-255 If you type
19216800 Armitage will assume you mean 19216800-192168255255
Fill out the Ports field to include hosts with certain services Separate multiple
ports using a comma and a space Use the OS field to specify which operating
system youd like to see in this workspace You may type a partial name such
as indowsArmitage will only include hosts whose OS name includes the partial
name This value is not case sensitive Separate multiple operating
systems with a comma and a space Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace You may specify any
combination of these items when you create your dynamic workspace Each
workspace will have an item in the Workspace menu Use these menu items to
switch between workspaces You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces
Use Work space -gt Show All or Ctrl+Back space to display the entire database
Use Work space -gt Show all or Ctrl+Backspace to display the entire database
92 Importing hostsTo add host information to Metasploit you may import it The Host -gt Import
Host menu accepts the following files
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
30 | P a g e
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XM
93 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit The Host -gt NMap Scan menu
has several scanning options
Optionally you may type d b _ n m a p in a console to launch NMap with the
options you choose
NMap scans do not use the pivots you have set up
94 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans
This feature will scan for a handful of open ports It then enumerates several
common services using Metasploit auxiliary modules built for the purpose
Highlight one or more hosts right-click and click Scan to launch this feature
You may also go to Host -gt MSF Scan to launch these as
well These scans work through a pivot and against IPv6 hosts as well These
scans do not attempt to discover if a host is alive before scanning
To save time you should do host discovery first (eg an ARP scan ping sweep
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts
31 | P a g e
95 DNS Enumeration
Another host discovery option is to enumerate a DNS server Go to Host -gt
DNS Enum to do this Armitage will present a module launcher dialog with
several options You will need to set the DOMAIN option to the domain you
want to enumerate You may also want to set NS to the IP address of the DNS
server youre enumerating If youre attacking an IPv6 network DNS
enumeration is one option to discover the IPv6 hosts on the network
96 Database maintenance
Metasploit logs everything you do to a database Over time your database will
become full of stuff If you have a performance problem with Armitage try
clearing your database To do this go to Host -gt Create Database
10 Exploitation101 Remote Exploitation
Before you can attack you must choose your weapon Armitage makes this
process easy Use Attack -gt Find Attack to generate a custom Attack menu for
each host
To exploit a host right-click it navigate to Attack and choose an exploit To
show the right attacks make sure the operating system is set for the host
104 Automatic exploitation
If manual exploitation fails you have the hail mary option Attack -gt Hail Mary
launches this feature Armitages Hail Mary feature is a smart db_autopwn It
finds exploits relevant to your targets filters the exploits using known
information and then sorts them into an optimal order
This feature wont find every possible shell but its a good option if you dont
know what else to try
105 client side exploitation
32 | P a g e
Through Armitage you may use Metasploits client-side exploits A client-side
attack is one that attacks an application and not a remote service If you cant get
a remote exploit to work youll have to use a client-side attack Use the module
browser to find and launch client-side exploits Search for file format to find
exploits that trigger when a user opens a malicious file Search for browser to
find exploits that server browser attacks from a web server built into Metasploit
105 client side exploitation and payloads
If you launch an individual client-side exploit you have the option of
customizing the payload that goes with it Armitage picks sane defaults To set
the payload double-click PAYLOAD in the option column of the module
launcher This will open a dialog asking you to choose a Payload
Highlight a payload and click Select Armitage will update the PAYLOAD
DisablePayloadHandler ExitOnSession LHOST and LPORT values for you
Youre welcome to edit these values as you see fit
If you select the Start a handler for this payload option Armitage will set the
payload options to launch a payload handler when the exploit launches If you
did not select this value youre responsible for setting up a multihandler for the
payload
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12. Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g. nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13. Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network as if
you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL. When you start the
team server, it will present a server fingerprint. This is a SHA-1 hash of the
server's SSL certificate. When your team members connect, Armitage will
present the hash of the certificate the server presented to them. They should
verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're connecting to in order to determine
whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd,
localhost). You may connect Armitage to your teamserver locally; use the
[external IP address] in the Host field. Armitage's red team collaboration setup
is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your
team server.
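The fingerprint check described above, as an added example in Python that is not part of this document or of Armitage: it computes the SHA-1 fingerprint of a certificate the way the team server prints it, normalises the value a team member reads back (colons, spaces and case vary between tools), and compares it in constant time against the value the operator recorded when the server started. The certificate bytes are a constructed stand-in; a real client would take them from the socket with getpeercert(binary_form=True).

```python
"""Verify an Armitage team server SSL fingerprint against a pinned value.

Added example, not Armitage's code. The team server prints the SHA-1 hash
of its SSL certificate at startup; each connecting client is shown the hash
of the certificate it actually received. Comparing the two out of band is
what stops a client from handing the team password to an impostor server.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate (not a real cert).
# A real client would use ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"armitage-teamserver-demo-certificate" * 4


def sha1_fingerprint(der: bytes) -> str:
    """Return the SHA-1 fingerprint of a DER certificate as AA:BB:... hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fingerprint: str) -> str:
    """Strip separators and case so 'ab:cd' and 'AB CD' compare equal."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", fingerprint).upper()
    if len(hexonly) != 40:  # SHA-1 is 160 bits = 40 hex digits
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return hexonly


def fingerprints_match(expected: str, presented: str) -> bool:
    """Constant-time comparison of the pinned and the presented fingerprint."""
    return hmac.compare_digest(normalise(expected), normalise(presented))


def check_server(der: bytes, pinned: str) -> bool:
    """Decide whether the certificate a team server presented is the pinned one."""
    return fingerprints_match(pinned, sha1_fingerprint(der))


if __name__ == "__main__":
    # The operator records this value from the team server's console output.
    pinned = sha1_fingerprint(SAMPLE_DER)
    print("server fingerprint:", pinned)
    print("match:", check_server(SAMPLE_DER, pinned))
    print("tampered match:", check_server(SAMPLE_DER + b"x", pinned))
```

The pinned value has to come from the team server console, read by the person who started it, not from the connection being verified; otherwise the check only confirms that the server agrees with itself.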
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here.
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test, this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use. Some Metasploit modules require you to specify one or
more files. If a file option has a + next to it, then you may double-click that option
name to choose a local file to use. Armitage will upload the chosen local file
and set the option to its remote location for you. Generally, Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that you're using Metasploit locally. Some Meterpreter commands may
have shortened output. Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command. Additional output
is ignored (although the command still executes normally). This limitation
primarily affects long-running Meterpreter scripts.
14. Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
# fires once the bot has connected to the team server and is ready
on ready {
    println("Hello World!");
    quit();
}
To run this script you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a teamserver. Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
Now it's time to run Armitage: locate the directory and type
root@bt:/pentest/exploits/armitage# ./armitage.sh
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
The settings for Metasploit's installed database are already set up for you. You
do not need to change the DB connect string.
Note:
If you're using Armitage with a local Metasploit instance, then Armitage must
also run as root. Why? Because Armitage needs root privileges to read the
database.yml file created by Metasploit's installer. If Armitage can't read this
file, it will not be able to connect to the database.
4.3 On BackTrack r3
Armitage comes with BackTrack Linux 5 r3. The latest Armitage release
requires BackTrack 5 r3; 5 r2, 5 r0 and 5 r1 are out. If you uninstall Metasploit
(hint: /path/to/metasploit/uninstall) and reinstall with the Metasploit installer,
then you may use any version of BackTrack that you want.
To start Armitage:
Open a terminal
Type armitage
Click Connect
Press Yes if asked to start msfrpcd
4.5 On Mac OS X
Armitage works on MacOS X, but it's not a supported platform for Armitage.
Metasploit does not have an official package for OS X.
There is a lot of manual setup involved in getting the pre-requisites working.
Cedric Baillet created a step-by-step guide
(http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf)
to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download
the MacOS X package, extract it, and double-click the Armitage.app file to get
started.
Here are three MacOS X Armitage install guides that others have
produced; these may help you. Please don't ask me to provide support for them,
though.
The Black Matrix
(http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX
Lion (http://blog.nightlionsecurity.com/guides/2011/12/guide-to-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog (http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for
starting the Metasploit Framework RPC daemon that are slightly dated. The
correct way to start msfrpcd for Armitage to connect to is:
msfrpcd -U msf -P password -S -f
5. Manual setup
Some crazy people choose to install Metasploit without the benefit of the full installer. This method is not supported. If you go this route, here are some of the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack ruby gem.
6. Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling
the latest source code from a subversion repository that is synced with the git
repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by
doing this. The Metasploit team is cautious about what they commit to the
primary git repository and they're extremely responsive to bug reports. That said,
things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many
times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the
change log file for the latest development release tested against Armitage.
The revision number is located next to the release date. To downgrade
Metasploit:
cd /path/to/metasploit/msf3
source scripts/setenv.sh
svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit
too. You can download the latest Armitage release from this site in the
mean time.
3) Reinstall Metasploit using the installer provided by Rapid7. The
Metasploit installer includes the latest stable version of Metasploit.
Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere
important, do not run msfupdate and assume it will work. It's very
important to stick with what you know works, or to test the functionality you
need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog, use the --client option to specify a file with the
connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating
a desktop shortcut that calls this --client option with a different properties file
for each server.
7. User interface format (GUI)
The user interface is easy and friendly for a pentester as well as a
hacker; it is made so simple that a user can manage the cyber attack without
any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs.
You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an
exploit, generate a payload, and even run a post-exploitation script. Click
through the tree to find the desired module. Double-click the module to bring up
a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS
variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a
wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show
your search results, already expanded for quick viewing. Clear the search box
and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents
each target as a computer with its IP address and other information about it
below the computer. The computer screen shows the operating system the
computer is running. A red computer with electrical jolts indicates a
compromised host. Right-click the computer to use any sessions related to the
host. A directional green line indicates a pivot from one host to another.
Pivoting allows Metasploit to route attacks and scans through intermediate
hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging
a box over the desired hosts. Where possible, Armitage will try to apply an
action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu
will show attack and login options, menus for existing sessions, and options to
edit the host information.
The login menu is only available after a port scan reveals open ports that
Metasploit can log in to. The Attack menu is only
available after finding attacks through the Attacks menu bar. Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host. Several keyboard shortcuts are available in the targets panel.
You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and
zoom-level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For
this situation Armitage has a table view.
Go to View -> Targets -> Table View to switch to this mode. Armitage will
remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it
to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use,
Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and
target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot
of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control
and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active
tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open
the current tab in its own window.
8. Console format
Metasploit console, Meterpreter console, and shell interfaces each use a console
tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle
through previously typed commands. The down arrow moves back to the last
command you typed.
In the Metasploit console, use the Tab key to complete commands and
parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it
smaller, and Ctrl 0 to reset it. This change is local to the current
console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a
module or a payload name in a console. To open a Console, go to View ->
Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information.
To disable the colors, set the console.show_colors.boolean preference to false.
You may also edit the colors through Armitage -> Preferences. Here is the
Armitage color palette and the preference associated with each color.
9. Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them. Use
Workspace -> Manage to manage your dynamic workspaces. Here you may
add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following
dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This
description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a
network description in the Hosts field. A network description
might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255.
Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type
192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type
192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple
ports using a comma and a space. Use the OS field to specify which operating
system you'd like to see in this workspace. You may type a partial name, such
as "indows". Armitage will only include hosts whose OS name includes the partial
name. This value is not case sensitive. Separate multiple operating
systems with a comma and a space. Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace. You may specify any
combination of these items when you create your dynamic workspace. Each
workspace will have an item in the Workspace menu. Use these menu items to
switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
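The dynamic workspace rules above, as an added Python example that is not Armitage's own code: it implements the Hosts field (CIDR networks, the comma-and-space separated list, and the shorthand where 192.168.95.0 widens to 192.168.95.0-255 and 192.168.0.0 to 192.168.0.0-192.168.255.255), the Ports field, the case-insensitive partial OS match and the "hosts with sessions only" switch, and applies them to a constructed host list. It generalises the shorthand to any number of trailing zero octets and assumes IPv4 addresses throughout; the record layout of SAMPLE_HOSTS is an assumption, not Metasploit's schema.

```python
"""Filter a host list the way an Armitage dynamic workspace does.

Added example, not Armitage's code. Implements the matching rules the
manual gives for the Hosts, Ports, OS and "sessions only" criteria.
IPv4 only (assumption). SAMPLE_HOSTS is constructed for the example.
"""
import ipaddress
from typing import Dict, List

SAMPLE_HOSTS: List[Dict] = [
    {"address": "10.10.3.7", "os": "Windows XP", "ports": [139, 445], "sessions": 1},
    {"address": "10.10.200.1", "os": "Linux 2.6", "ports": [22, 80], "sessions": 0},
    {"address": "192.168.95.20", "os": "Windows 7", "ports": [445], "sessions": 0},
    {"address": "192.168.96.5", "os": "Mac OS X", "ports": [22], "sessions": 0},
]


def expand_description(desc: str) -> ipaddress.IPv4Network:
    """Turn one network description into a network.

    "10.10.0.0/16" is used as written. A bare address is widened by 8 bits
    for every trailing zero octet: 192.168.95.0 -> /24, 192.168.0.0 -> /16,
    and an address with no trailing zero octet is a single host (/32).
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("bad network description: %r" % desc)
    trailing_zeros = 0
    for o in reversed(octets):
        if int(o) != 0:
            break
        trailing_zeros += 1
    prefix = 32 - 8 * trailing_zeros
    return ipaddress.ip_network("%s/%d" % (desc, prefix), strict=False)


def split_field(field: str) -> List[str]:
    """Fields list several values separated by a comma and a space."""
    return [v.strip() for v in field.split(", ") if v.strip()]


def in_workspace(ip: str, hosts_field: str) -> bool:
    """True if ip lies inside any network named in the Hosts field."""
    addr = ipaddress.ip_address(ip)
    return any(addr in expand_description(d) for d in split_field(hosts_field))


def matches_workspace(host: Dict, hosts_field: str = "", ports_field: str = "",
                      os_field: str = "", sessions_only: bool = False) -> bool:
    """Apply every criterion that was filled in; empty criteria match all."""
    if hosts_field and not in_workspace(host["address"], hosts_field):
        return False
    if ports_field:
        wanted = {int(p) for p in split_field(ports_field)}
        if not wanted & set(host["ports"]):
            return False
    if os_field:
        # Partial, case-insensitive substring match ("indows" matches Windows).
        needles = [n.lower() for n in split_field(os_field)]
        if not any(n in host["os"].lower() for n in needles):
            return False
    if sessions_only and host["sessions"] == 0:
        return False
    return True


def workspace_view(hosts: List[Dict], **criteria) -> List[str]:
    """Addresses of the hosts the workspace would display, in input order."""
    return [h["address"] for h in hosts if matches_workspace(h, **criteria)]


if __name__ == "__main__":
    print(workspace_view(SAMPLE_HOSTS, hosts_field="10.10.0.0/16, 192.168.95.0"))
    print(workspace_view(SAMPLE_HOSTS, os_field="indows", ports_field="445"))
    print(workspace_view(SAMPLE_HOSTS, sessions_only=True))
```

The trailing-zero shorthand is convenient but ambiguous: a real host with address 192.168.95.0 cannot be named on its own without a /32, so when a single host matters, write the CIDR explicitly.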
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import
Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
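To show what an importer of one of the formats above actually has to extract, here is an added Python parser for Nmap XML; it is not Metasploit's importer and the XML it reads is constructed for the example, not a real scan. It keeps only hosts that are up, collects the IPv4/IPv6 and MAC addresses, the first hostname, the open ports with their service names, and the highest-accuracy OS match, which are the fields Armitage displays under each target. It uses the standard library ElementTree for self-containment; scan files received from others are untrusted input, so a production importer should parse them with defusedxml (an assumption about your environment, not something the page states).

```python
"""Parse Nmap XML into the host records an Armitage-style import needs.

Added example, not Metasploit's importer. SAMPLE_NMAP_XML is constructed
for the example. ElementTree is used for self-containment; for scan files
from untrusted sources prefer defusedxml (assumption).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.3.0/24">
  <host>
    <status state="up"/>
    <address addr="10.10.3.7" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="ws07.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP3" accuracy="97"/>
      <osmatch name="Microsoft Windows Server 2003" accuracy="90"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.3.9" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.10.3.10" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one record per live host: address, mac, name, os, services."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # Armitage only draws live hosts; skip the rest
        record: Dict = {"address": None, "mac": None, "name": None,
                        "os": None, "services": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                record["address"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                record["mac"] = addr.get("addr")
        hostname = host.find("hostnames/hostname")
        if hostname is not None:
            record["name"] = hostname.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to enumerate
            svc = port.find("service")
            record["services"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
            })
        matches = host.findall("os/osmatch")
        if matches:
            # Nmap lists several guesses; keep the one with the best accuracy.
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            record["os"] = best.get("name")
        records.append(record)
    return records


def open_ports(record: Dict) -> List[int]:
    """Ports Armitage would show for the host, sorted."""
    return sorted(s["port"] for s in record["services"])


if __name__ == "__main__":
    for rec in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(rec["address"], rec["os"], open_ports(rec))
```

The OS name is what drives the Attack menu later (the page notes that the right attacks only appear when the operating system is set), so an importer that drops or mis-picks the osmatch silently weakens everything downstream.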
9.3 Nmap Scan
You may also launch an Nmap scan from Armitage and automatically import
the results into Metasploit. The Host -> Nmap Scan menu
has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the
options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Host -> MSF Scan to launch these as
well. These scans work through a pivot and against IPv6 hosts as well. These
scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep,
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Host -> Create Database.
10. Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attack -> Find Attack to generate a custom Attack menu for
each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try.
10.5 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't get
a remote exploit to work, you'll have to use a client-side attack. Use the module
browser to find and launch client-side exploits. Search for fileformat to find
exploits that trigger when a user opens a malicious file. Search for browser to
find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a Payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this value, you're responsible for setting up a multi/handler for the
payload.
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver
121 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host This ability is called pivoting
To create a pivot go to Meterpreter N -gt Pivoting -gt Setup A dialog will ask
you to choose which subnet you want to pivot through the session Once youve
34 | P a g e
set up pivoting Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created The line will become bright green
when the pivot is in use
122 Scanning and external tools
Once you have access a host its good to explore and see what else is on the
same network If youve set up pivoting Metasploit will tunnel TCP
connections to eligible hosts through the pivot host These connections must
come from Metasploit
To find hosts on the same network as a compromised host right-click the
compromised host and go to Meterpreter N -gt ARP Scan or Ping sweep This
will show you which hosts are alive Highlight the hosts that appear right-click
and select Scan to scan these hosts using Armitages MSF Scan feature These
scans will honor the pivot you set up External tools (eg nmap) will not use
the pivots youve set up You may use your pivots with external tools through a
SOCKS proxy though Go to Armitage -gt SOCKS PROXY to launch the
SOCKS proxy server
13 remote metasploit
131 remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host Working with a remote Metasploit instance is similar to working with a
local instance Some Armitage features require read and write access to local
files to work Armitages deconfliction server adds these features and makes it
possible for Armitage clients to use Metaspoit remotely Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitages
deconfliction server With these two servers set up your use of Metasploit will
look like this diagram
The SOCKS4 proxy server is one of the most useful features in Metasploit
Launch this option and you can set up your web browser to connect to websites
through Metasploit This allows you to browse internal sites on a network like
yoursquore local
35 | P a g e
131 multi-player metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploits RPC daemon and Armitages deconfliction server with one
command To run it
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e t e a m s e r
v e r [ external ip address ] [ password ]
This script assumes armitagejar is in the current folder Make sure the external
IP address is correct (Armitage doesnt check it) and that your team can reach
36 | P a g e
port 55553 on your attack host Thats it Metasploits RPC daemon and the
Armitage deconfliction server are not GUI programs You may run these over
SSH The Armitage team server communicates over SSL When you start the
team server it will present a server fingerprint This is a SHA-1hash of the
servers SSL certificate When your team members connect Armitage will
present the hash of the certificate the server presented to them They should
verify that these hashes match Do not connect to 127001 when a teamserver
is running Armitage uses the IP address youre connecting to determine whether
it should use SSL (teamserver remote address) or non-SSL (msfrpcd
localhost) You may connect Armitage to your teamserver locally use the
[external IP address] in the Host field Armitages red team collaboration setup
is CPU sensitive and it likes RAM Make sure you have 15GB of RAM in your
team server
132 multi-player metasploit
Armitages red team collaboration mode adds a few new features These are
described here
View -gt Event Log opens a shared event log You may type into this log and
communicate as if youre using an IRC chat room In a penetration test this
event log will help you reconstruct major events
Multiple users may use any Meterpreter session at the same time Each user
may open one or more command shells browse files and take screenshots of
the compromised host Metasploit shell sessions are automatically locked and
unlocked when in use If another user is interacting with a shell Armitage will
warn you that its in use Some Metasploit modules require you to specify one or
more files If a file option has a next to it then you may double-click that option
name to choose a local file to use Armitage will upload the chosen local file
and set the option to its remote location for you Generally Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that youre using Metasploit locally Some meterpreter commands may
37 | P a g e
have shortened output Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command Additional output
is ignored (although the command still executes normally) This limitation
primarily affects long running meterpreter scripts
14 Scripting armitage
141 Cortana
Armitage includes Cortana a scripting technology developed through DARPAs
Cyber Fast Track program With Cortana you may write red team bots and
extend Armitage with new features You may also make use of scripts written
by others Cortana is based on Sleep an extensible Perl-like language Cortana
scripts have a cna suffix
142 standalone bots
A stand-alone version of Cortana is distributed with Armitage You may
connect the stand-alone Cortana interpreter to an Armitage team server
Heres a helloworldcna Cortana script
o n r e a d y
p r i n t l n ( H e l l o W o r l d )
q u i t ( )
To run this script you will need to start Cortana First stand-alone Cortana
must connect to a team server The team server is required because Cortana bots
38 | P a g e
are another red team member If you want to connect multiple users to
Metasploit you have to start a team server Next you will need to create a
connectprop file to tell Cortana how to connect to the team server you started
Heres an example
connectprop file
h o s t = 1 2 7 0 0 1
p o r t = 5 5 5 5 3
u s e r = m s f
p a s s = p a s s w o r d
n i c k = M y B o t
Now to launch your bot
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e
j a v a - j a r c o r t a n a j a r c o n n e c t p r o p h e l l o w o r l d can
143 Script management
You dont have to run Cortana bots stand-alone You may load any bot into
Armitage directly When you load a bot into Armitage you do not need to start
a teamserver Armitage is able to deconflict its actions from any loaded bots on
its own You may also use Cortana scripts to extend Armitage and add new
features to it Cortana scripts may define keyboard shortcuts insert menus into
Armitage and create simple user interfaces
To load a script into Armitage go to Armitage -gt script Press Load and
choose the script you would like to load Scripts loaded in this way will be
available each time Armitage starts Output generated by bots and Cortana
commands are available in the Cortana console Go to View -gt script console
39 | P a g e
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration Armitages red team
collaboration features allow your team to use the same sessions share
data and communicate through one Metasploit instance
Armitage aims to make Metasploit usable for security practitioners who
Understand hacking but dont use Metasploit every day If you want to
learn Metasploit and grow into the advanced features Armitage can help
you
There is a lot of manual setup involved in getting the pre-requisites working.
Cedric Baillet created a step-by-step guide
(http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf)
to configuring Postgres and Ruby for use with Armitage on MacOS X as well.
Armitage on MacOS X works fine as a remote client to Metasploit. Download
the MacOS X package, extract it, and double-click the Armitage.app file to get
started.
Here are three MacOS X Armitage install guides that others have
produced; these may help you. Please don't ask me to provide support for them,
though.
The Black Matrix
(http://theblackmatrixnews.blogspot.com/2011/11/installing-armitage-on-osx-by-defau1t.html)
Night Lion's Guide to Installing Metasploit 4 and Armitage on Mac OSX Lion
(http://blog.nightlionsecurity.com/guides/2011/12/guideto-installing-metasploit-4-and-armitage-on-mac-osx-lion)
Faulty Logic Blog
(http://briancanfixit.blogspot.com/2011/12/setting-up-metasploit-and-armitage-on.html)
Armitage is a fast moving project and these guides may suggest methods for
starting the Metasploit Framework RPC daemon that are slightly dated. The
correct way to start msfrpcd for Armitage to connect to is:
    msfrpcd -U msf -P password -S -f
5 Manual setup
Some crazy people choose to install Metasploit without the benefit of the full
installer. This method is not supported. If you go this route, here are some of
the requirements:
A PostgreSQL database. No other database is supported.
msfrpcd is in $PATH.
$MSF_DATABASE_CONFIG points to a YAML file.
$MSF_DATABASE_CONFIG is available to msfrpcd and armitage.
The msgpack ruby gem.
6 Updating Metasploit
The msfupdate command updates the Metasploit Framework by pulling
the latest source code from a subversion repository that is synced with the git
repository that developers commit to.
When you run msfupdate, it's possible that you may break Armitage by
doing this. The Metasploit team is cautious about what they commit to the
primary git repository and they're extremely responsive to bug reports. That said,
things still break from time to time.
If you run msfupdate and Armitage stops working, you have a few options:
1) You can run msfupdate later and hope the issue gets fixed. Many
times this is a valid strategy.
2) You can downgrade Metasploit to the last revision. Take a look at the
change log file for the latest development release tested against Armitage.
The revision number is located next to the release date. To downgrade
Metasploit:
    cd /path/to/metasploit/msf3
    source scripts/setenv.sh
    svn update -r [revision number]
This step will downgrade the Armitage release included with Metasploit
too. You can download the latest Armitage release from this site in the
meantime.
3) Reinstall Metasploit using the installer provided by Rapid7. The
Metasploit installer includes the latest stable version of Metasploit.
Usually this release is very stable.
If you're preparing to use Armitage and Metasploit somewhere
important, do not run msfupdate and assume it will work. It's very
important to stick with what you know works, or to test the functionality you
need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick connect
If you'd like to quickly connect Armitage to a Metasploit server without filling
in the setup dialog, use the --client option to specify a file with the
connection details:
    java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
    host=192.168.95.241
    port=55553
    user=mister
    pass=bojangles
If you have to manage multiple Armitage/Metasploit servers, consider creating
a desktop shortcut that calls this --client option with a different properties file
for each server.
7 User interface format (GUI)
The user interface is easy and friendly for a pentester as well as a
hacker; it is made so simple that a user can manage the cyber
attack without any help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs.
You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an
exploit, generate a payload, and even run a post-exploitation script. Click
through the tree to find the desired module. Double-click the module to bring up
a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS
variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a
wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show
your search results already expanded for quick viewing. Clear the search box
and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents
each target as a computer with its IP address and other information about it
below the computer. The computer screen shows the operating system the
computer is running. A red computer with electrical jolts indicates a
compromised host. Right-click the computer to use any sessions related to the
host. A directional green line indicates a pivot from one host to another.
Pivoting allows Metasploit to route attacks and scans through intermediate
hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging
a box over the desired hosts. Where possible, Armitage will try to apply an
action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu
will show attack and login options, menus for existing sessions, and options to
edit the host information.
The login menu is only available after a port scan reveals open ports that
Metasploit can log in to. The Attack menu is only
available after finding attacks through the Attacks menu bar. Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host. Several keyboard shortcuts are available in the targets panel.
You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and
zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For
this situation Armitage has a table view.
Go to View -> Targets -> Table View to switch to this mode. Armitage will
remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it
to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use,
Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and
target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot
of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control
and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible.
Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active
tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open
the current tab in its own window.
8 Console format
Metasploit console, Meterpreter console, and shell interfaces each use a console
tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle
through previously typed commands. The down arrow moves back to the last
command you typed.
In the Metasploit console, use the Tab key to complete commands and
parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it
smaller, and Ctrl 0 to reset it. This change is local to the current
console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a
module or a payload name in a console. To open a Console, go to View ->
Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information.
To disable the colors, set the console.show_colors.boolean preference to false.
You may also edit the colors through Armitage -> Preferences. Here is the
Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them. Use
Workspace -> Manage to manage your dynamic workspaces. Here you may
add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following
dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This
description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a
network description in the Hosts field. A network description
might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255.
Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type
192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type
192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple
ports using a comma and a space. Use the OS field to specify which operating
system you'd like to see in this workspace. You may type a partial name such
as "indows"; Armitage will only include hosts whose OS name includes the partial
name. This value is not case sensitive. Separate multiple operating
systems with a comma and a space. Select "Hosts with sessions only" to only
include hosts with sessions in this dynamic workspace. You may specify any
combination of these items when you create your dynamic workspace. Each
workspace will have an item in the Workspace menu. Use these menu items to
switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
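As an added illustration (not code from the Armitage manual or the Armitage project), the following Python models the Hosts, Ports, OS and "sessions only" filters described above over a few constructed host records. The host records and their field names are this example's own, not Metasploit's database schema; the widening of a bare address with trailing zero octets is my reading of the two examples the text gives (192.168.95.0 and 192.168.0.0), generalised to any number of trailing zeros, and a port list is read as "show a host that has any of these ports".

```python
import ipaddress

# Constructed host records standing in for rows of the Metasploit hosts
# database; the field names are this example's own, not Armitage's schema.
HOSTS = [
    {"address": "10.10.3.7",     "os": "Windows XP",   "ports": [135, 445],  "sessions": 1},
    {"address": "10.10.200.14",  "os": "Linux 2.6.x",  "ports": [22, 80],    "sessions": 0},
    {"address": "192.168.95.12", "os": "Windows 7",    "ports": [445, 3389], "sessions": 0},
    {"address": "192.168.96.5",  "os": "FreeBSD",      "ports": [22],        "sessions": 0},
    {"address": "172.16.0.9",    "os": "Windows 2003", "ports": [445],       "sessions": 2},
]


def parse_network(desc):
    """Turn one Hosts-field entry into an ipaddress network.

    "10.10.0.0/16" is taken literally.  A bare address with trailing zero
    octets is widened the way the manual describes: 192.168.95.0 means
    192.168.95.0-255 and 192.168.0.0 means 192.168.0.0-192.168.255.255.
    A bare address with no trailing zero octet is a single host (assumption).
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    trailing_zeros = 0
    for octet in reversed(desc.split(".")):
        if octet != "0":
            break
        trailing_zeros += 1
    prefix = 32 - 8 * trailing_zeros
    return ipaddress.ip_network(f"{desc}/{prefix}", strict=False)


def network_range(desc):
    """First and last address covered by one network description."""
    net = parse_network(desc)
    return str(net[0]), str(net[-1])


def parse_list(field):
    """Split a comma-and-space separated field; an empty field imposes no filter."""
    return [item.strip() for item in field.split(",") if item.strip()]


def workspace_hosts(hosts, networks="", ports="", os_names="", sessions_only=False):
    """Return the addresses a dynamic workspace with these settings would show."""
    nets = [parse_network(n) for n in parse_list(networks)]
    wanted_ports = {int(p) for p in parse_list(ports)}
    # OS names are partial, case-insensitive substrings ("indows" matches "Windows 7").
    wanted_os = [name.lower() for name in parse_list(os_names)]

    selected = []
    for host in hosts:
        addr = ipaddress.ip_address(host["address"])
        if nets and not any(addr in net for net in nets):
            continue
        if wanted_ports and not wanted_ports.intersection(host["ports"]):
            continue
        if wanted_os and not any(name in host["os"].lower() for name in wanted_os):
            continue
        if sessions_only and host["sessions"] == 0:
            continue
        selected.append(host["address"])
    return selected


if __name__ == "__main__":
    print(network_range("10.10.0.0/16"))
    print(workspace_hosts(HOSTS, networks="10.10.0.0/16, 192.168.95.0"))
    print(workspace_hosts(HOSTS, os_names="indows", ports="445", sessions_only=True))
```

Every filter that is left empty is skipped, so a workspace with only a name shows the whole database, which matches the Show All behaviour described next.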
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import
Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit. The Host -> NMap Scan menu
has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the
options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Host -> MSF Scan to launch these as
well. These scans work through a pivot and against IPv6 hosts as well. These
scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep,
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
10.1 Remote exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attack -> Find Attack to generate a custom Attack menu for
each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try.
10.5 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't get
a remote exploit to work, you'll have to use a client-side attack. Use the module
browser to find and launch client-side exploits. Search for "file format" to find
exploits that trigger when a user opens a malicious file. Search for "browser" to
find exploits that serve browser attacks from a web server built into Metasploit.
10.5 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this value, you're responsible for setting up a multi/handler for the
payload.
11 Post exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully
exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N
menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell
session. Right-click the host to access this menu. If you have a Windows shell
session, you may go to Shell N -> Meterpreter to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to
upload a file using the UNIX printf command.
11.2 Privilege escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the Meterpreter N -> Access ->
Escalation privilege menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g. nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network like
you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external ip address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL. When you start the
team server, it will present a server fingerprint. This is a SHA-1 hash of the
server's SSL certificate. When your team members connect, Armitage will
present the hash of the certificate the server presented to them. They should
verify that these hashes match. Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're connecting to in order to determine whether
it should use SSL (teamserver / remote address) or non-SSL (msfrpcd /
localhost). You may connect Armitage to your teamserver locally; use the
[external IP address] in the Host field. Armitage's red team collaboration setup
is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your
team server.
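The following Python is added here as a worked example and is not part of Armitage or of this manual. It reads a connect.prop file of the kind shown in the quick connect section, picks SSL or non-SSL from the address the way the text says Armitage does (loopback means msfrpcd without SSL, anything else means a team server with SSL), and checks the SHA-1 fingerprint of a presented certificate against the value the team server printed, which is the check team members are told to do by hand. The connect.prop contents reuse the page's sample values; the certificate bytes are constructed and stand in for real DER; fetch_server_cert_der is a helper built on Python's ssl module and is the only part that touches the network.

```python
import hashlib
import hmac
import ipaddress
import ssl

# Constructed connect.prop text in the key=value format the manual shows;
# the values are the manual's own quick-connect example.
SAMPLE_CONNECT_PROP = """\
host=192.168.95.241
port=55553
user=mister
pass=bojangles
"""

# Stand-in for the DER bytes of a team server certificate.  Real DER is an
# ASN.1 SEQUENCE; these bytes are constructed for the example only, so the
# fingerprint computed below belongs to no real server.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-example-certificate-bytes"


def parse_connect_prop(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def transport_for(host):
    """'plain' for msfrpcd on localhost, 'ssl' for a team server on any other address.

    Armitage decides SSL or non-SSL from the address it connects to, which is
    why a running team server must be reached through its external address,
    never through 127.0.0.1.
    """
    try:
        is_local = ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than a literal address (assumption: only localhost is local)
        is_local = host.lower() == "localhost"
    return "plain" if is_local else "ssl"


def cert_fingerprint(der_bytes):
    """SHA-1 of the certificate, colon-separated the way fingerprints are usually printed."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fingerprint):
    """Accept upper/lower case, with or without colons or spaces."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(presented_der, expected_fingerprint):
    """Compare the hash of the presented certificate with the value the team server printed.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    presented = normalize_fingerprint(cert_fingerprint(presented_der))
    return hmac.compare_digest(presented, normalize_fingerprint(expected_fingerprint))


def fetch_server_cert_der(host, port):
    """Retrieve the certificate a live server presents (network call; not exercised offline)."""
    pem = ssl.get_server_certificate((host, int(port)))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    props = parse_connect_prop(SAMPLE_CONNECT_PROP)
    print(props["host"], props["port"], transport_for(props["host"]))
    print(cert_fingerprint(SAMPLE_CERT_DER))
```

In practice a team member would call fetch_server_cert_der with the host and port from connect.prop, then pass the result and the fingerprint read out by whoever started the team server to fingerprint_matches before trusting the connection.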
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here.
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test, this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use. Some Metasploit modules require you to specify one or
more files. If a file option has a marker next to it, then you may double-click that option
name to choose a local file to use. Armitage will upload the chosen local file
and set the option to its remote location for you. Generally, Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that you're using Metasploit locally. Some Meterpreter commands may
have shortened output. Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command. Additional output
is ignored (although the command still executes normally). This limitation
primarily affects long running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now, to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a teamserver. Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Script. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
Another host discovery option is to enumerate a DNS server Go to Host -gt
DNS Enum to do this Armitage will present a module launcher dialog with
several options You will need to set the DOMAIN option to the domain you
want to enumerate You may also want to set NS to the IP address of the DNS
server youre enumerating If youre attacking an IPv6 network DNS
enumeration is one option to discover the IPv6 hosts on the network
96 Database maintenance
Metasploit logs everything you do to a database Over time your database will
become full of stuff If you have a performance problem with Armitage try
clearing your database To do this go to Host -gt Create Database
10 Exploitation101 Remote Exploitation
Before you can attack you must choose your weapon Armitage makes this
process easy Use Attack -gt Find Attack to generate a custom Attack menu for
each host
To exploit a host right-click it navigate to Attack and choose an exploit To
show the right attacks make sure the operating system is set for the host
104 Automatic exploitation
If manual exploitation fails you have the hail mary option Attack -gt Hail Mary
launches this feature Armitages Hail Mary feature is a smart db_autopwn It
finds exploits relevant to your targets filters the exploits using known
information and then sorts them into an optimal order
This feature wont find every possible shell but its a good option if you dont
know what else to try
105 client side exploitation
32 | P a g e
Through Armitage you may use Metasploits client-side exploits A client-side
attack is one that attacks an application and not a remote service If you cant get
a remote exploit to work youll have to use a client-side attack Use the module
browser to find and launch client-side exploits Search for file format to find
exploits that trigger when a user opens a malicious file Search for browser to
find exploits that server browser attacks from a web server built into Metasploit
105 client side exploitation and payloads
If you launch an individual client-side exploit you have the option of
customizing the payload that goes with it Armitage picks sane defaults To set
the payload double-click PAYLOAD in the option column of the module
launcher This will open a dialog asking you to choose a Payload
Highlight a payload and click Select Armitage will update the PAYLOAD
DisablePayloadHandler ExitOnSession LHOST and LPORT values for you
Youre welcome to edit these values as you see fit
If you select the Start a handler for this payload option Armitage will set the
payload options to launch a payload handler when the exploit launches If you
did not select this value youre responsible for setting up a multihandler for the
payload
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver
121 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host This ability is called pivoting
To create a pivot go to Meterpreter N -gt Pivoting -gt Setup A dialog will ask
you to choose which subnet you want to pivot through the session Once youve
34 | P a g e
set up pivoting Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created The line will become bright green
when the pivot is in use
122 Scanning and external tools
Once you have access a host its good to explore and see what else is on the
same network If youve set up pivoting Metasploit will tunnel TCP
connections to eligible hosts through the pivot host These connections must
come from Metasploit
To find hosts on the same network as a compromised host right-click the
compromised host and go to Meterpreter N -gt ARP Scan or Ping sweep This
will show you which hosts are alive Highlight the hosts that appear right-click
and select Scan to scan these hosts using Armitages MSF Scan feature These
scans will honor the pivot you set up External tools (eg nmap) will not use
the pivots youve set up You may use your pivots with external tools through a
SOCKS proxy though Go to Armitage -gt SOCKS PROXY to launch the
SOCKS proxy server
13 remote metasploit
131 remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host Working with a remote Metasploit instance is similar to working with a
local instance Some Armitage features require read and write access to local
files to work Armitages deconfliction server adds these features and makes it
possible for Armitage clients to use Metaspoit remotely Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitages
deconfliction server With these two servers set up your use of Metasploit will
look like this diagram
The SOCKS4 proxy server is one of the most useful features in Metasploit
Launch this option and you can set up your web browser to connect to websites
through Metasploit This allows you to browse internal sites on a network like
yoursquore local
35 | P a g e
131 multi-player metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploits RPC daemon and Armitages deconfliction server with one
command To run it
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e t e a m s e r
v e r [ external ip address ] [ password ]
This script assumes armitagejar is in the current folder Make sure the external
IP address is correct (Armitage doesnt check it) and that your team can reach
36 | P a g e
port 55553 on your attack host Thats it Metasploits RPC daemon and the
Armitage deconfliction server are not GUI programs You may run these over
SSH The Armitage team server communicates over SSL When you start the
team server it will present a server fingerprint This is a SHA-1hash of the
servers SSL certificate When your team members connect Armitage will
present the hash of the certificate the server presented to them They should
verify that these hashes match Do not connect to 127001 when a teamserver
is running Armitage uses the IP address youre connecting to determine whether
it should use SSL (teamserver remote address) or non-SSL (msfrpcd
localhost) You may connect Armitage to your teamserver locally use the
[external IP address] in the Host field Armitages red team collaboration setup
is CPU sensitive and it likes RAM Make sure you have 15GB of RAM in your
team server
132 multi-player metasploit
Armitages red team collaboration mode adds a few new features These are
described here
View -gt Event Log opens a shared event log You may type into this log and
communicate as if youre using an IRC chat room In a penetration test this
event log will help you reconstruct major events
Multiple users may use any Meterpreter session at the same time Each user
may open one or more command shells browse files and take screenshots of
the compromised host Metasploit shell sessions are automatically locked and
unlocked when in use If another user is interacting with a shell Armitage will
warn you that its in use Some Metasploit modules require you to specify one or
more files If a file option has a next to it then you may double-click that option
name to choose a local file to use Armitage will upload the chosen local file
and set the option to its remote location for you Generally Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that youre using Metasploit locally Some meterpreter commands may
37 | P a g e
have shortened output Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command Additional output
is ignored (although the command still executes normally) This limitation
primarily affects long running meterpreter scripts
14 Scripting armitage
141 Cortana
Armitage includes Cortana a scripting technology developed through DARPAs
Cyber Fast Track program With Cortana you may write red team bots and
extend Armitage with new features You may also make use of scripts written
by others Cortana is based on Sleep an extensible Perl-like language Cortana
scripts have a cna suffix
142 standalone bots
A stand-alone version of Cortana is distributed with Armitage You may
connect the stand-alone Cortana interpreter to an Armitage team server
Heres a helloworldcna Cortana script
o n r e a d y
p r i n t l n ( H e l l o W o r l d )
q u i t ( )
To run this script you will need to start Cortana First stand-alone Cortana
must connect to a team server The team server is required because Cortana bots
38 | P a g e
are another red team member If you want to connect multiple users to
Metasploit you have to start a team server Next you will need to create a
connectprop file to tell Cortana how to connect to the team server you started
Heres an example
connectprop file
h o s t = 1 2 7 0 0 1
p o r t = 5 5 5 5 3
u s e r = m s f
p a s s = p a s s w o r d
n i c k = M y B o t
Now to launch your bot
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e
j a v a - j a r c o r t a n a j a r c o n n e c t p r o p h e l l o w o r l d can
143 Script management
You dont have to run Cortana bots stand-alone You may load any bot into
Armitage directly When you load a bot into Armitage you do not need to start
a teamserver Armitage is able to deconflict its actions from any loaded bots on
its own You may also use Cortana scripts to extend Armitage and add new
features to it Cortana scripts may define keyboard shortcuts insert menus into
Armitage and create simple user interfaces
To load a script into Armitage go to Armitage -gt script Press Load and
choose the script you would like to load Scripts loaded in this way will be
available each time Armitage starts Output generated by bots and Cortana
commands are available in the Cortana console Go to View -gt script console
39 | P a g e
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration Armitages red team
collaboration features allow your team to use the same sessions share
data and communicate through one Metasploit instance
Armitage aims to make Metasploit usable for security practitioners who
Understand hacking but dont use Metasploit every day If you want to
learn Metasploit and grow into the advanced features Armitage can help
you
If you're preparing to use Armitage and Metasploit somewhere important, do not run msfupdate and assume it will work. It is very important to stick with what you know works, or to test the functionality you need to make sure it works. When in doubt, go with option (2) or (3).
6.1 Quick Connect
If you'd like to quickly connect Armitage to a Metasploit server without filling in the setup dialog, use the --client option to specify a file with the connection details:
java -jar armitage.jar --client connect.prop
Here's an example connect.prop file:
host=192.168.95.241
port=55553
user=mister
pass=bojangles
The file holds the RPC password in clear text, so keep it readable only by your own account. If you have to manage multiple Armitage/Metasploit servers, consider creating a desktop shortcut that calls this --client option with a different properties file for each server.
7 User Interface (GUI)
The user interface is friendly enough that a penetration tester can manage an attack from it without outside help.
7.1 Overview
The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.
Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console
The Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host Management
9.1 Dynamic Workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace.
Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
9.2 Importing Hosts
To add host information to Metasploit, you may import it. The Hosts -> Import Hosts menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
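The filter rules in 9.1 and the host import in 9.2 together describe how Armitage turns scan output into a workspace view. The following is an added example written for this page, not Armitage's or Metasploit's code: it parses a constructed Nmap XML report (one of the formats the import menu accepts) into host records and then applies the workspace rules as the text states them. The network-description rule is modelled on the two examples given in 9.1 (a bare IPv4 address with trailing zero octets widens to the whole block); the XML fragment, the Host and Workspace classes and their field names are all assumptions made for the example.

```python
"""Nmap XML import plus dynamic-workspace filtering.  Added example, not
Armitage's code; the XML below is constructed for the demonstration."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed Nmap XML report: two hosts up, one down (the down host is not imported).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.10.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9"/></os></host>
  <host><status state="up"/><address addr="192.168.95.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3"/></os></host>
  <host><status state="down"/><address addr="192.168.95.9" addrtype="ipv4"/></host>
</nmaprun>"""

@dataclass
class Host:                     # field names are this example's own
    addr: str
    os: str = ""
    ports: set = field(default_factory=set)
    has_session: bool = False

def parse_nmap_xml(xml_text):
    """Import: one Host per host Nmap reports as up, with its open ports
    and best OS match (the data Hosts -> Import Hosts / db_nmap record)."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = {int(p.get("portid")) for p in h.iter("port")
                 if p.find("state") is not None
                 and p.find("state").get("state") == "open"}
        osmatch = h.find("os/osmatch")
        hosts.append(Host(addr, osmatch.get("name") if osmatch is not None else "", ports))
    return hosts

def network_from_description(desc):
    """Hosts-field rule as the text describes it: '10.10.0.0/16' is taken
    literally; a bare IPv4 address widens by one /8 per trailing zero octet
    (192.168.95.0 -> /24, 192.168.0.0 -> /16); a full address is one host."""
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    addr = ipaddress.ip_address(desc)
    if addr.version == 6:
        return ipaddress.ip_network(desc)
    trailing_zeros = 0
    for octet in reversed(desc.split(".")):
        if octet != "0":
            break
        trailing_zeros += 1
    return ipaddress.ip_network("%s/%d" % (desc, 32 - 8 * trailing_zeros), strict=False)

@dataclass
class Workspace:
    name: str
    hosts: str = ""             # e.g. "10.10.0.0/16, 192.168.95.0"
    ports: str = ""             # e.g. "22, 445"
    os: str = ""                # e.g. "indows, Linux" (case-insensitive substrings)
    sessions_only: bool = False

    def matches(self, host):
        """Every field that is filled in must match; empty fields are ignored."""
        if self.hosts:
            nets = [network_from_description(d) for d in self.hosts.split(", ")]
            if not any(ipaddress.ip_address(host.addr) in n for n in nets):
                return False
        if self.ports and not {int(p) for p in self.ports.split(", ")} & host.ports:
            return False
        if self.os and not any(o.lower() in host.os.lower() for o in self.os.split(", ")):
            return False
        return not self.sessions_only or host.has_session

    def view(self, hosts):
        return [h for h in hosts if self.matches(h)]

if __name__ == "__main__":
    imported = parse_nmap_xml(SAMPLE_NMAP_XML)
    imported[1].has_session = True          # pretend the XP host was exploited
    for ws in (Workspace("lab", hosts="10.10.0.0/16, 192.168.95.0"),
               Workspace("windows", os="indows", ports="445"),
               Workspace("owned", sessions_only=True)):
        print(ws.name, [h.addr for h in ws.view(imported)])
```

Hosts Nmap reports as down are dropped at import, which matches the advice in 9.4 to do host discovery before enumeration rather than filling the database with unreachable addresses.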
9.3 Nmap Scan
You may also launch an Nmap scan from Armitage and automatically import the results into Metasploit. The Hosts -> Nmap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch Nmap with the options you choose.
Nmap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Hosts -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Hosts -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database Maintenance
Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Hosts -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic Exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try. Because it launches every candidate exploit, it is noisy and may crash fragile services, so do not use it against systems you cannot afford to disrupt.
10.5 Client-side Exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for "fileformat" to find exploits that trigger when a user opens a malicious file. Search for "browser" to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side Exploits and Payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation
11.1 Managing Sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and External Tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote Connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
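Section 12.2 and the paragraph above both rely on Metasploit's SOCKS4 proxy to carry external tools through a pivot. As an added example (not Metasploit's or Armitage's code), here is the SOCKS4 CONNECT exchange that proxy speaks, encoded as a client such as a browser or proxychains would send it and decoded as the proxy receives it, including the SOCKS4a hostname form. The proxy address (127.0.0.1, 1080) in the usage comment is an assumption; use whatever the SOCKS Proxy dialog shows you. Because SOCKS4 has only a TCP CONNECT command, nothing UDP or ICMP (ping sweeps, nmap's default host discovery, UDP scans) can traverse it; when scanning through it, use TCP connect scans with host discovery disabled (e.g. nmap -sT -Pn).

```python
"""SOCKS4/4a CONNECT exchange as spoken to a pivot proxy.  Added example,
not Metasploit's or Armitage's code; proxy address below is an assumption."""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1           # the only command SOCKS4 defines besides BIND; TCP only
REPLY_GRANTED = 0x5A      # 90: request granted, the tunnel is now open
REPLY_REJECTED = 0x5B     # 91: request rejected or failed

def build_connect_request(dest_host, dest_port, userid=""):
    """Client side.  A dotted IPv4 literal goes in DSTIP; any other name uses
    the SOCKS4a form (DSTIP = 0.0.0.1, hostname appended after USERID) so the
    proxy, which sits on the pivot side, resolves it."""
    try:
        dst_ip = socket.inet_aton(dest_host)
        hostname = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"
        hostname = dest_host.encode("idna") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dest_port, dst_ip)
    return header + userid.encode() + b"\x00" + hostname

def parse_connect_request(data):
    """Proxy side.  Returns (host, port, userid) or raises ValueError."""
    if len(data) < 9:
        raise ValueError("short SOCKS4 request")
    vn, cd, port, dst_ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    userid, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("USERID not terminated")
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:      # SOCKS4a marker
        hostname, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("SOCKS4a hostname not terminated")
        host = hostname.decode("idna")
    else:
        host = socket.inet_ntoa(dst_ip)
    return host, port, userid.decode(errors="replace")

def build_reply(granted, dest_port=0, dest_ip="0.0.0.0"):
    """Proxy side.  VN is 0 in replies; the port/ip fields are informational."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, dest_port, socket.inet_aton(dest_ip))

def parse_reply(data):
    """Client side.  True when the proxy connected to the target."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, code, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("bad SOCKS4 reply version")
    return code == REPLY_GRANTED

def socks4_connect(proxy, dest_host, dest_port, timeout=10.0):
    """Open a TCP connection to dest_host:dest_port through a SOCKS4 proxy,
    e.g. socks4_connect(("127.0.0.1", 1080), "10.10.1.5", 445)  (assumed
    proxy address).  Returns the connected socket; after the handshake the
    proxy relays bytes to the target, so speak the target's protocol on it."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_connect_request(dest_host, dest_port))
        reply = b""
        while len(reply) < 8:                # reply is exactly 8 bytes
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed during SOCKS4 handshake")
            reply += chunk
        if not parse_reply(reply):
            raise ConnectionError("proxy refused CONNECT to %s:%d" % (dest_host, dest_port))
    except Exception:
        s.close()
        raise
    return s
```

The rejected reply is all the client ever learns: SOCKS4 carries no reason code, so a refused CONNECT through the pivot looks the same whether the target port is closed, the pivot host cannot route there, or the pivot session has died.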
13.2 Multi-player Metasploit Setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match, using a channel other than the connection itself, before entering the password; a mismatch means the connection is not to the server that printed the fingerprint. Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
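The fingerprint check above is the only thing that ties a team member's SSL connection to your team server, since the certificate is self-signed and nothing else vouches for it. The following is an added example, not Armitage's own code: it computes the SHA-1 fingerprint of a certificate's DER encoding the way openssl's -fingerprint -sha1 option does, compares it in constant time against the value the team server printed, and can fetch the live certificate from the server (port 55553 as in the text). FAKE_DER is a constructed stand-in, not a real certificate, and because the page does not state the exact hex format Armitage prints, the comparison ignores case and separators.

```python
"""Team-server certificate fingerprint check.  Added example, not Armitage's
code.  FAKE_DER below is constructed test data, not a real certificate."""
import hashlib
import hmac
import socket
import ssl

TEAMSERVER_PORT = 55553        # port the text says the team must reach

def sha1_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-1 of the DER-encoded certificate, the
    form 'openssl x509 -noout -fingerprint -sha1' prints."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint):
    """Keep only hex digits so 'AA:BB', 'aabb' and 'aa bb' compare equal;
    copy/paste differences must not produce a false mismatch."""
    return "".join(c for c in fingerprint.upper() if c in "0123456789ABCDEF")

def fingerprint_matches(der_bytes, expected):
    """Constant-time comparison of the observed and expected fingerprints."""
    observed = normalize(sha1_fingerprint(der_bytes))
    return hmac.compare_digest(observed, normalize(expected))

def fetch_peer_cert(host, port=TEAMSERVER_PORT, timeout=5.0):
    """Connect to the team server and return its certificate in DER form.
    Chain verification is disabled on purpose: the certificate is
    self-signed, so the fingerprint comparison is the trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_teamserver(host, expected, port=TEAMSERVER_PORT):
    """Return the server's fingerprint if it equals the one printed at
    teamserver start-up, otherwise raise.  Mirrors the text's warning not to
    use a loopback address: Armitage treats those as plain msfrpcd and skips
    SSL, so the pin must be checked against the external address."""
    if host in ("localhost", "::1") or host.startswith("127."):
        raise ValueError("connect to the team server by its external address")
    der = fetch_peer_cert(host, port)
    if not fingerprint_matches(der, expected):
        raise ValueError("team server fingerprint mismatch, got %s" % sha1_fingerprint(der))
    return sha1_fingerprint(der)

# Constructed stand-in for a DER certificate (not a real certificate).
FAKE_DER = bytes(range(256)) * 4

if __name__ == "__main__":
    printed = sha1_fingerprint(FAKE_DER)       # what the teamserver would print
    print("expected", printed)
    print("match   ", fingerprint_matches(FAKE_DER, printed.lower().replace(":", "")))
    print("tampered", fingerprint_matches(FAKE_DER[:-1] + b"\x00", printed))
```

In use, run verify_teamserver(external_ip, fingerprint_read_over_the_phone) before typing the shared password into the connect dialog; a team member who connects first and only then compares hashes has already sent the password to whoever answered.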
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone Bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
143 Script management
You dont have to run Cortana bots stand-alone You may load any bot into
Armitage directly When you load a bot into Armitage you do not need to start
a teamserver Armitage is able to deconflict its actions from any loaded bots on
its own You may also use Cortana scripts to extend Armitage and add new
features to it Cortana scripts may define keyboard shortcuts insert menus into
Armitage and create simple user interfaces
To load a script into Armitage go to Armitage -gt script Press Load and
choose the script you would like to load Scripts loaded in this way will be
available each time Armitage starts Output generated by bots and Cortana
commands are available in the Cortana console Go to View -gt script console
39 | P a g e
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration Armitages red team
collaboration features allow your team to use the same sessions share
data and communicate through one Metasploit instance
Armitage aims to make Metasploit usable for security practitioners who
Understand hacking but dont use Metasploit every day If you want to
learn Metasploit and grow into the advanced features Armitage can help
you
24 | P a g e
7.1.1 Modules
The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double-click the module to bring up a dialog with its options.
Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.
You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g. ssh_*) and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.
7.1.2 Targets - Graph View
The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running. A red computer with electrical jolts indicates a compromised host. Right-click the computer to use any sessions related to the host. A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.
Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g. launching an exploit) to all selected hosts.
Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.
The Login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host. Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right-click the targets area with no selected hosts to configure the layout and zoom level of the targets area.
7.1.2.1 Targets - Table View
If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.
Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.
Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.
7.1.3 Tabs
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console format
Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl F to show a panel that will let you search for text within the console.
Use Ctrl A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace. Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.
Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
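The filter rules described above (CIDR and shorthand network descriptions, comma-and-space separated lists, case-insensitive partial OS names, "sessions only") as a small Python model. This is an added example, not Armitage's own code; the host records are constructed, and two details the page does not state are assumptions: an empty field imposes no restriction, and a host qualifies on the Ports field if any one listed port is open.

```python
import ipaddress
from typing import Dict, List


def expand_network(desc: str) -> ipaddress.IPv4Network:
    """Expand one entry of the Hosts field.

    An explicit CIDR such as 10.10.0.0/16 is taken as written. A bare
    address is widened over its trailing zero octets, which is the
    shortcut the text describes: 192.168.95.0 covers 192.168.95.0-255,
    192.168.0.0 covers 192.168.0.0-192.168.255.255.
    """
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.IPv4Network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad network description: {desc!r}")
    trailing_zero_octets = 0
    for octet in reversed(octets):
        if int(octet) != 0:
            break
        trailing_zero_octets += 1
    prefix = 32 - 8 * trailing_zero_octets
    return ipaddress.IPv4Network(f"{desc}/{prefix}", strict=False)


def split_field(field: str) -> List[str]:
    # every field in the dialog separates entries with a comma and a space
    return [part for part in field.split(", ") if part.strip()]


def in_workspace(host: Dict, hosts: str = "", ports: str = "",
                 os_names: str = "", sessions_only: bool = False) -> bool:
    """Decide whether one host record belongs in a dynamic workspace.

    host is a constructed record: {"ip", "os", "ports" (open TCP ports),
    "sessions" (count)}. Assumed, not stated on the page: an empty field
    imposes no restriction, and any one open port listed in Ports qualifies.
    """
    if hosts:
        addr = ipaddress.IPv4Address(host["ip"])
        if not any(addr in expand_network(d) for d in split_field(hosts)):
            return False
    if ports:
        wanted = {int(p) for p in split_field(ports)}
        if not wanted & set(host.get("ports", ())):
            return False
    if os_names:
        os_lower = (host.get("os") or "").lower()
        if not any(part.lower() in os_lower for part in split_field(os_names)):
            return False
    if sessions_only and host.get("sessions", 0) == 0:
        return False
    return True


# constructed sample hosts, not data from the page
SAMPLE_HOSTS = [
    {"ip": "10.10.3.7", "os": "Windows 7", "ports": [135, 445], "sessions": 1},
    {"ip": "10.10.8.2", "os": "Linux 2.6.X", "ports": [22, 80], "sessions": 0},
    {"ip": "192.168.95.200", "os": "Windows XP", "ports": [445], "sessions": 0},
    {"ip": "192.168.96.1", "os": "Windows 2003", "ports": [445], "sessions": 2},
]


def workspace_view(hosts_field="", ports_field="", os_field="", sessions_only=False):
    """Return the IPs the workspace would show, in database order."""
    return [h["ip"] for h in SAMPLE_HOSTS
            if in_workspace(h, hosts_field, ports_field, os_field, sessions_only)]


if __name__ == "__main__":
    print(workspace_view(hosts_field="10.10.0.0/16, 192.168.95.0", os_field="indows"))
```

The shorthand rule is the part worth noticing: 192.168.0.0 becomes a /16, not a single host, so a workspace typed that way can be much wider than intended. Spell out the CIDR when the range matters.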
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try. It is also noisy: it fires many exploits at every target in turn, so it is a poor choice where service stability or stealth matters.
10.5 Client-side exploitation
Through Armitage you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults. To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you. You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload.
11 Post Exploitation
11.1 Managing sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser. Try the getsystem post module against Windows XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local.
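What an external tool actually says to that SOCKS4 proxy when it borrows the pivot (the Armitage -> SOCKS Proxy feature in section 12.2 and the browser setup above) is a short fixed exchange. The Python below is an added example, not Armitage's or Metasploit's code: it builds the SOCKS4 CONNECT request, parses the proxy's reply, and opens a tunnelled socket. The addresses 10.10.1.5 and intranet.corp are made up, and the proxy port 1080 in the usage block is assumed (Metasploit's socks4a server module listens there by default).

```python
import ipaddress
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # 90: request granted
REPLY_REJECTED = 0x5B  # 91: request rejected or failed


def build_connect_request(dest: str, port: int, userid: str = "armitage") -> bytes:
    """Build the SOCKS4 CONNECT request a client sends to the proxy.

    Layout: VN=4, CD=1, DSTPORT (2 bytes, big-endian), DSTIP (4 bytes),
    USERID, NUL. If dest is a hostname rather than a dotted quad, the
    SOCKS4a extension is used: DSTIP becomes 0.0.0.1 and the hostname
    follows the USERID so the proxy resolves it on the far side of the
    pivot, where the target network's DNS is reachable.
    """
    try:
        dst_ip = ipaddress.IPv4Address(dest).packed
        trailer = b""
    except ValueError:
        dst_ip = b"\x00\x00\x00\x01"
        trailer = dest.encode("idna") + b"\x00"
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
    return header + dst_ip + userid.encode("ascii") + b"\x00" + trailer


def parse_reply(data: bytes) -> dict:
    """Parse the fixed 8-byte SOCKS4 reply: VN=0, CD, DSTPORT, DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    return {
        "granted": cd == REPLY_GRANTED,
        "code": cd,
        "port": port,
        "ip": str(ipaddress.IPv4Address(data[4:8])),
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection during handshake")
        buf += chunk
    return buf


def connect_via_socks4(proxy_host: str, proxy_port: int, dest: str, dest_port: int,
                       timeout: float = 10.0) -> socket.socket:
    """Open a TCP connection to dest:dest_port through the SOCKS4 proxy and
    hand back the socket, which now carries traffic across the pivot."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(dest, dest_port))
        reply = parse_reply(recv_exact(sock, 8))
    except Exception:
        sock.close()
        raise
    if not reply["granted"]:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT to {dest}:{dest_port} (code {reply['code']})")
    return sock


if __name__ == "__main__":
    # Assumed setup: the SOCKS proxy listens on 127.0.0.1:1080 and 10.10.1.5
    # is a web server reachable only through the pivot.
    s = connect_via_socks4("127.0.0.1", 1080, "10.10.1.5", 80)
    s.sendall(b"GET / HTTP/1.0\r\nHost: 10.10.1.5\r\n\r\n")
    print(s.recv(4096).decode(errors="replace"))
    s.close()
```

Two practical points follow from the format. SOCKS4 only carries TCP, which is why the text says nmap will not use the pivot unless it is a TCP connect scan run through a SOCKS wrapper. And a plain SOCKS4 client resolves names itself, so a browser pointed at the proxy must be configured for SOCKS4a (remote DNS) or it will leak internal hostnames to your own resolver.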
13.2 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:

    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match. Because the certificate is self-signed, this manual comparison is the only protection against someone impersonating the team server to collect the shared password.
Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect Armitage to your teamserver locally, use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
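The fingerprint check above can be done from the command line before anyone types the team password into a client. The Python below is an added example, not part of Armitage: it completes a TLS handshake with the team server, hashes the certificate it presented with SHA-1, and compares the result against the fingerprint the operator announced. Port 55553 comes from the text; the certificate bytes in the self-test are constructed, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl

TEAMSERVER_PORT = 55553


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 of a DER-encoded certificate as colon-separated uppercase hex,
    the usual way a certificate fingerprint is displayed."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop colons, spaces and case so a fingerprint read aloud or pasted
    from chat compares equal to the one we compute."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(seen: str, expected: str) -> bool:
    a, b = normalize_fingerprint(seen), normalize_fingerprint(expected)
    # 40 hex digits is a 20-byte SHA-1; anything else is not a fingerprint
    return len(a) == 40 and hmac.compare_digest(a, b)


def fetch_teamserver_fingerprint(host: str, port: int = TEAMSERVER_PORT,
                                 timeout: float = 10.0) -> str:
    """Complete a TLS handshake with the team server and return the SHA-1
    fingerprint of the certificate it presented.

    The certificate is self-signed, so chain and hostname validation are
    switched off deliberately; the out-of-band fingerprint comparison is
    what replaces them. Nothing is sent after the handshake, so the shared
    password never reaches an unverified server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha1_fingerprint(der)


def verify_teamserver(host: str, expected: str, port: int = TEAMSERVER_PORT) -> str:
    """Raise unless the live server's fingerprint matches the one the
    operator announced; return the matching fingerprint otherwise."""
    seen = fetch_teamserver_fingerprint(host, port)
    if not fingerprints_match(seen, expected):
        raise RuntimeError(f"team server fingerprint mismatch: saw {seen}, expected {expected}")
    return seen


if __name__ == "__main__":
    import sys
    # usage: python verify_teamserver.py <external IP> <fingerprint from the operator>
    print(verify_teamserver(sys.argv[1], sys.argv[2]))
```

Pass the external IP, not 127.0.0.1, for the same reason the text gives: the local address is where a plain msfrpcd would answer without SSL. Older team servers may only speak legacy TLS versions; if the handshake fails, relax the context's minimum version rather than skipping the check.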
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Stand-alone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:

    # runs once the bot has connected to the team server
    on ready {
        println("Hello World");
        quit();
    }

To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example connect.prop file:

    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
25 | P a g e
available after finding attacks through the Attacks menu bar Shell and
Meterpreter menus only show up when a shell or Meterpreter session exists on
the selected host Several keyboard shortcuts are available in the targets panel
You may edit these in the Armitage -gt Preferences menu
Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy This only works when a pivot is set up
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image
Right click the targets area with no selected hosts to configure the layout and
zoom-level of the targets area
Targets - Table View
If you have a lot of hosts the graph view becomes difficult to work with For
this situation Armitage has a table view
Go to View
7121 Targets -gt Table View
to switch to this mode Armitage will remember your preference
Click any of the table headers to sort the hosts Highlight a row and right-click it
to bring up a menu with options for that host
Armitage will bold the IP address of any host with sessions If a pivot is in use
Armitage will make it bold as well
26 | P a g e
713 Tab
Armitage opens each dialog console and table in a tab below the module and
target panels Click the X button to close a tab
You may right-click the X button to open a tab in a window take a screenshot
of a tab or close all tabs with the same name
Hold shift and click X to close all tabs with the same name Hold shift + control
and click X to open the tab in its own window
You may drag and drop tabs to change their order
Armitage provides several keyboard shortcuts to make your tab management
experience as enjoyable as possible
Use Ctrl+T to take a screenshot of the active tab Use Ctrl+D to close the active
tab Try Ctrl+Left and Ctrl+Right to quickly switch tabs And Ctrl+W to open
the current tab in its own window
8console formatMetasploit console Meterpreter console and shell interfaces each use a console
tab A console tab lets you interact with these interfaces through Armitage
The console tab tracks your command history Use the up arrow to cycle
through previously typed commands The down arrow moves back to the last
command you typed
In the Metasploit console use the Tab key to complete commands and
parameters This works just like the Metasploit console outside of Armitage
27 | P a g e
Use of console panel to make the console font size larger Ctrl minus to make it
smaller and Ctrl 0 to reset it This change is local to the current
console only Visit Armitage -gt Preference to permanently change the font
Press ctrl F to show a panel that will let you search for text within the console
Use Ctrl A to select all text in the consoles buffer
Armitage sends ardquo u s e or a s e t P A Y L O A Drdquo command if you click a
module or a payload name in a console To open a Console go to View -gt
Console or press Ctrl+N
The Armitage console uses color to draw your attention to some information
To disable the colors set the consoleshow_colorsboolean preference to false
You may also edit the colors through Armitage -gt Preference Here is the
Armitage color palette and the preference associated with each color
9 Host management 91Dynamic workspace
Armitages dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them Use
Workspace -gt Manage to manage your dynamic workspaces Here you may
add edit and remove workspaces you create
28 | P a g e
To create a new dynamic workspace press Add You will see the following
dialog
Give your dynamic workspace a name It doesnt matter what you call it This
description is for you
If youd like to limit your workspace to hosts from a certain network type a
network description in the Hosts field A network description
might be 10100016 to display hosts between 101000-1010255255
Separate multiple networks with a comma and a space
29 | P a g e
You can cheat with the network descriptions a little If you type
192168950 Armitage will assume you mean 192168950-255 If you type
19216800 Armitage will assume you mean 19216800-192168255255
Fill out the Ports field to include hosts with certain services Separate multiple
ports using a comma and a space Use the OS field to specify which operating
system youd like to see in this workspace You may type a partial name such
as indowsArmitage will only include hosts whose OS name includes the partial
name This value is not case sensitive Separate multiple operating
systems with a comma and a space Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace You may specify any
combination of these items when you create your dynamic workspace Each
workspace will have an item in the Workspace menu Use these menu items to
switch between workspaces You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces
Use Work space -gt Show All or Ctrl+Back space to display the entire database
Use Work space -gt Show all or Ctrl+Backspace to display the entire database
92 Importing hostsTo add host information to Metasploit you may import it The Host -gt Import
Host menu accepts the following files
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
30 | P a g e
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XM
93 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit The Host -gt NMap Scan menu
has several scanning options
Optionally you may type d b _ n m a p in a console to launch NMap with the
options you choose
NMap scans do not use the pivots you have set up
94 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans
This feature will scan for a handful of open ports It then enumerates several
common services using Metasploit auxiliary modules built for the purpose
Highlight one or more hosts right-click and click Scan to launch this feature
You may also go to Host -gt MSF Scan to launch these as
well These scans work through a pivot and against IPv6 hosts as well These
scans do not attempt to discover if a host is alive before scanning
To save time you should do host discovery first (eg an ARP scan ping sweep
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts
31 | P a g e
95 DNS Enumeration
Another host discovery option is to enumerate a DNS server Go to Host -gt
DNS Enum to do this Armitage will present a module launcher dialog with
several options You will need to set the DOMAIN option to the domain you
want to enumerate You may also want to set NS to the IP address of the DNS
server youre enumerating If youre attacking an IPv6 network DNS
enumeration is one option to discover the IPv6 hosts on the network
96 Database maintenance
Metasploit logs everything you do to a database Over time your database will
become full of stuff If you have a performance problem with Armitage try
clearing your database To do this go to Host -gt Create Database
10 Exploitation101 Remote Exploitation
Before you can attack you must choose your weapon Armitage makes this
process easy Use Attack -gt Find Attack to generate a custom Attack menu for
each host
To exploit a host right-click it navigate to Attack and choose an exploit To
show the right attacks make sure the operating system is set for the host
104 Automatic exploitation
If manual exploitation fails you have the hail mary option Attack -gt Hail Mary
launches this feature Armitages Hail Mary feature is a smart db_autopwn It
finds exploits relevant to your targets filters the exploits using known
information and then sorts them into an optimal order
This feature wont find every possible shell but its a good option if you dont
know what else to try
105 client side exploitation
32 | P a g e
Through Armitage you may use Metasploits client-side exploits A client-side
attack is one that attacks an application and not a remote service If you cant get
a remote exploit to work youll have to use a client-side attack Use the module
browser to find and launch client-side exploits Search for file format to find
exploits that trigger when a user opens a malicious file Search for browser to
find exploits that server browser attacks from a web server built into Metasploit
105 client side exploitation and payloads
If you launch an individual client-side exploit you have the option of
customizing the payload that goes with it Armitage picks sane defaults To set
the payload double-click PAYLOAD in the option column of the module
launcher This will open a dialog asking you to choose a Payload
Highlight a payload and click Select Armitage will update the PAYLOAD
DisablePayloadHandler ExitOnSession LHOST and LPORT values for you
Youre welcome to edit these values as you see fit
If you select the Start a handler for this payload option Armitage will set the
payload options to launch a payload handler when the exploit launches If you
did not select this value youre responsible for setting up a multihandler for the
payload
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask you to choose which subnet you want to pivot through the session. Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.
To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage's MSF Scan feature. These scans will honor the pivot you set up. External tools (e.g. nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage's deconfliction server adds these features and makes it possible for Armitage clients to use Metasploit remotely. Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage's deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network as if you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use to start Metasploit's RPC daemon and Armitage's deconfliction server with one command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn't check it) and that your team can reach port 55553 on your attack host. That's it. Metasploit's RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.
The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.
Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you're connecting to to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally; use the [external IP address] in the Host field.
Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.
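The fingerprint check described above, as an added example that is not Armitage's own code: a small Python script that fetches the team server's certificate, computes its SHA-1 fingerprint, and compares it in constant time with the value the team server operator announced. It assumes the team server listens on port 55553, that the fingerprint is exchanged as SHA-1 hex (colons optional), and that the host and fingerprint on the command line are placeholders you replace.

```python
"""Verify an Armitage team server's SSL certificate fingerprint before connecting.

Added example, not part of the Armitage manual or the Armitage project.
Assumes the team server listens on port 55553 and that the fingerprint shown by
teamserver is the SHA-1 of the leaf certificate, as the text above states.
"""
import hashlib
import hmac
import socket
import ssl
import sys


def fingerprint_of_der(der_bytes: bytes) -> str:
    """SHA-1 fingerprint of a DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'abcd..' or 'AB CD ..' and return lowercase hex, no separators."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprints_match(expected: str, observed: str) -> bool:
    """Constant-time comparison of two SHA-1 fingerprints in any common notation.

    Both inputs are normalized first so the operator can paste the hash exactly
    as teamserver printed it. Anything that is not 40 hex digits is rejected.
    """
    e, o = normalize(expected), normalize(observed)
    if len(e) != 40 or len(o) != 40:   # SHA-1 is 160 bits = 40 hex digits
        return False
    return hmac.compare_digest(e, o)


def fetch_server_fingerprint(host: str, port: int = 55553, timeout: float = 5.0) -> str:
    """Open a TLS connection, take the certificate the server presents, hash it.

    Chain validation is deliberately off: the team server uses a self-signed
    certificate, and the announced fingerprint is what pins it. Nothing is sent
    on the connection, so no RPC login happens here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_of_der(der)


def check_team_server(host: str, expected_fingerprint: str, port: int = 55553) -> bool:
    """True only if the live certificate matches what the operator announced."""
    return fingerprints_match(expected_fingerprint, fetch_server_fingerprint(host, port))


if __name__ == "__main__":
    # usage: python check_teamserver.py <external IP address> <fingerprint from teamserver>
    ok = check_team_server(sys.argv[1], sys.argv[2])
    print("fingerprint OK, safe to connect" if ok else "FINGERPRINT MISMATCH, do not connect")
    sys.exit(0 if ok else 1)
```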
13.2 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test, this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host. Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a marker next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    # the ready event fires once the bot has connected to the team server
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example:
    # connect.prop file
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now, to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
7.1.3 Tab
Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.
You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name.
Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.
You may drag and drop tabs to change their order.
Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.
8 Console format
Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.
The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.
In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.
Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.
Press Ctrl+F to show a panel that will let you search for text within the console. Use Ctrl+A to select all text in the console's buffer.
Armitage sends a "use" or a "set PAYLOAD" command if you click a module or a payload name in a console. To open a console, go to View -> Console or press Ctrl+N.
The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color.
9 Host management
9.1 Dynamic workspaces
Armitage's dynamic workspaces feature allows you to create views into the hosts database and quickly switch between them. Use Workspace -> Manage to manage your dynamic workspaces. Here you may add, edit, and remove workspaces you create.
To create a new dynamic workspace, press Add. You will see the following dialog.
Give your dynamic workspace a name. It doesn't matter what you call it. This description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space. Use the OS field to specify which operating system you'd like to see in this workspace. You may type a partial name, such as "indows". Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space. Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace. You may specify any combination of these items when you create your dynamic workspace.
Each workspace will have an item in the Workspace menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces. Use Workspace -> Show All or Ctrl+Backspace to display the entire database.
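The workspace matching rules described above, written out as an added Python example (not Armitage's own code) so the network shorthand can be checked against concrete addresses. The host records and workspaces are constructed for illustration; treating every trailing zero octet as a wildcard generalizes the two cases the text gives, and matching a host on any one of the listed ports is an assumption, since the text does not say whether all listed ports are required.

```python
"""Model of Armitage's dynamic workspace filters (added example, not Armitage code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """One row of the hosts database, reduced to the fields the filters look at."""
    address: str
    os_name: str = ""
    ports: set = field(default_factory=set)
    has_session: bool = False


@dataclass
class Workspace:
    """The dynamic workspace dialog: every field is optional and they combine with AND."""
    name: str
    hosts: str = ""          # network descriptions, "comma and a space" separated
    ports: str = ""          # port numbers, "comma and a space" separated
    os: str = ""             # partial OS names, case-insensitive
    sessions_only: bool = False


def _split(value: str) -> list:
    """Split a dialog field on commas; tolerant of a missing space after the comma."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_network(desc: str) -> tuple:
    """Return (first, last) as integers for one network description.

    Handles CIDR (10.10.0.0/16), full ranges (a.b.c.d-e.f.g.h), last-octet
    ranges (192.168.95.0-255) and the bare-address shorthand from the manual,
    where 192.168.95.0 means 192.168.95.0-255 and 192.168.0.0 means
    192.168.0.0-192.168.255.255 (assumption: every trailing .0 is a wildcard).
    """
    desc = desc.strip()
    if "/" in desc:
        net = ipaddress.ip_network(desc, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in desc:
        start, end = desc.split("-", 1)
        first = ipaddress.ip_address(start)
        if "." in end:                                   # full address after the dash
            last = ipaddress.ip_address(end)
        else:                                            # only the last octet given
            last = ipaddress.ip_address(".".join(start.split(".")[:3] + [end]))
        return int(first), int(last)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 network description: {desc!r}")
    last = octets[:]
    for i in range(3, -1, -1):                           # expand trailing zero octets
        if last[i] != "0":
            break
        last[i] = "255"
    return int(ipaddress.ip_address(desc)), int(ipaddress.ip_address(".".join(last)))


def host_matches(host: Host, ws: Workspace) -> bool:
    """A host is shown only if it satisfies every field that was filled in."""
    if ws.hosts:
        addr = int(ipaddress.ip_address(host.address))
        if not any(lo <= addr <= hi for lo, hi in map(parse_network, _split(ws.hosts))):
            return False
    if ws.ports:
        wanted = {int(p) for p in _split(ws.ports)}
        if not wanted & host.ports:                      # assumption: any listed port
            return False
    if ws.os:
        if not any(part.lower() in host.os_name.lower() for part in _split(ws.os)):
            return False
    if ws.sessions_only and not host.has_session:
        return False
    return True


def workspace_view(hosts: list, ws: Workspace) -> list:
    """Addresses that the given workspace would display, in database order."""
    return [h.address for h in hosts if host_matches(h, ws)]


# constructed sample data, not from any real engagement
SAMPLE_HOSTS = [
    Host("10.10.3.7", "Windows XP", {139, 445}, has_session=True),
    Host("10.10.200.9", "Linux 2.6", {22, 80}),
    Host("192.168.95.12", "Windows 2003", {445}),
    Host("172.16.0.5", "Windows 7", {445, 3389}, has_session=True),
]

if __name__ == "__main__":
    win = Workspace("windows", hosts="10.10.0.0/16, 192.168.95.0", os="indows")
    shells = Workspace("shells", ports="445", sessions_only=True)
    print(win.name, workspace_view(SAMPLE_HOSTS, win))
    print(shells.name, workspace_view(SAMPLE_HOSTS, shells))
```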
9.2 Importing hosts
To add host information to Metasploit, you may import it. The Host -> Import Host menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Host -> NMap Scan menu has several scanning options.
Optionally, you may type db_nmap in a console to launch NMap with the options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Host -> MSF Scan to launch these as well. These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you're enumerating. If you're attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Host -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attack -> Find Attacks to generate a custom Attack menu for each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit.
27 | P a g e
Use of console panel to make the console font size larger Ctrl minus to make it
smaller and Ctrl 0 to reset it This change is local to the current
console only Visit Armitage -gt Preference to permanently change the font
Press ctrl F to show a panel that will let you search for text within the console
Use Ctrl A to select all text in the consoles buffer
Armitage sends ardquo u s e or a s e t P A Y L O A Drdquo command if you click a
module or a payload name in a console To open a Console go to View -gt
Console or press Ctrl+N
The Armitage console uses color to draw your attention to some information
To disable the colors set the consoleshow_colorsboolean preference to false
You may also edit the colors through Armitage -gt Preference Here is the
Armitage color palette and the preference associated with each color
9 Host management 91Dynamic workspace
Armitages dynamic workspaces feature allows you to create views into the
hosts database and quickly switch between them Use
Workspace -gt Manage to manage your dynamic workspaces Here you may
add edit and remove workspaces you create
28 | P a g e
To create a new dynamic workspace press Add You will see the following
dialog
Give your dynamic workspace a name It doesnt matter what you call it This
description is for you
If youd like to limit your workspace to hosts from a certain network type a
network description in the Hosts field A network description
might be 10100016 to display hosts between 101000-1010255255
Separate multiple networks with a comma and a space
29 | P a g e
You can cheat with the network descriptions a little If you type
192168950 Armitage will assume you mean 192168950-255 If you type
19216800 Armitage will assume you mean 19216800-192168255255
Fill out the Ports field to include hosts with certain services Separate multiple
ports using a comma and a space Use the OS field to specify which operating
system youd like to see in this workspace You may type a partial name such
as indowsArmitage will only include hosts whose OS name includes the partial
name This value is not case sensitive Separate multiple operating
systems with a comma and a space Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace You may specify any
combination of these items when you create your dynamic workspace Each
workspace will have an item in the Workspace menu Use these menu items to
switch between workspaces You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces
Use Work space -gt Show All or Ctrl+Back space to display the entire database
Use Work space -gt Show all or Ctrl+Backspace to display the entire database
92 Importing hostsTo add host information to Metasploit you may import it The Host -gt Import
Host menu accepts the following files
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
30 | P a g e
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XM
93 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit The Host -gt NMap Scan menu
has several scanning options
Optionally you may type d b _ n m a p in a console to launch NMap with the
options you choose
NMap scans do not use the pivots you have set up
94 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans
This feature will scan for a handful of open ports It then enumerates several
common services using Metasploit auxiliary modules built for the purpose
Highlight one or more hosts right-click and click Scan to launch this feature
You may also go to Host -gt MSF Scan to launch these as
well These scans work through a pivot and against IPv6 hosts as well These
scans do not attempt to discover if a host is alive before scanning
To save time you should do host discovery first (eg an ARP scan ping sweep
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts
31 | P a g e
95 DNS Enumeration
Another host discovery option is to enumerate a DNS server Go to Host -gt
DNS Enum to do this Armitage will present a module launcher dialog with
several options You will need to set the DOMAIN option to the domain you
want to enumerate You may also want to set NS to the IP address of the DNS
server youre enumerating If youre attacking an IPv6 network DNS
enumeration is one option to discover the IPv6 hosts on the network
96 Database maintenance
Metasploit logs everything you do to a database Over time your database will
become full of stuff If you have a performance problem with Armitage try
clearing your database To do this go to Host -gt Create Database
10 Exploitation101 Remote Exploitation
Before you can attack you must choose your weapon Armitage makes this
process easy Use Attack -gt Find Attack to generate a custom Attack menu for
each host
To exploit a host right-click it navigate to Attack and choose an exploit To
show the right attacks make sure the operating system is set for the host
104 Automatic exploitation
If manual exploitation fails you have the hail mary option Attack -gt Hail Mary
launches this feature Armitages Hail Mary feature is a smart db_autopwn It
finds exploits relevant to your targets filters the exploits using known
information and then sorts them into an optimal order
This feature wont find every possible shell but its a good option if you dont
know what else to try
105 client side exploitation
32 | P a g e
Through Armitage you may use Metasploits client-side exploits A client-side
attack is one that attacks an application and not a remote service If you cant get
a remote exploit to work youll have to use a client-side attack Use the module
browser to find and launch client-side exploits Search for file format to find
exploits that trigger when a user opens a malicious file Search for browser to
find exploits that server browser attacks from a web server built into Metasploit
105 client side exploitation and payloads
If you launch an individual client-side exploit you have the option of
customizing the payload that goes with it Armitage picks sane defaults To set
the payload double-click PAYLOAD in the option column of the module
launcher This will open a dialog asking you to choose a Payload
Highlight a payload and click Select Armitage will update the PAYLOAD
DisablePayloadHandler ExitOnSession LHOST and LPORT values for you
Youre welcome to edit these values as you see fit
If you select the Start a handler for this payload option Armitage will set the
payload options to launch a payload handler when the exploit launches If you
did not select this value youre responsible for setting up a multihandler for the
payload
To create a new dynamic workspace, press Add. You will see the following
dialog.
Give your dynamic workspace a name. It doesn't matter what you call it; this
description is for you.
If you'd like to limit your workspace to hosts from a certain network, type a
network description in the Hosts field. A network description might be
10.10.0.0/16 to display hosts between 10.10.0.0 and 10.10.255.255. Separate
multiple networks with a comma and a space.
You can cheat with the network descriptions a little. If you type
192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type
192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.
Fill out the Ports field to include hosts with certain services. Separate multiple
ports using a comma and a space. Use the OS field to specify which operating
system you'd like to see in this workspace. You may type a partial name, such
as 'indows'; Armitage will only include hosts whose OS name includes the partial
name. This value is not case sensitive. Separate multiple operating
systems with a comma and a space. Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace. You may specify any
combination of these items when you create your dynamic workspace. Each
workspace will have an item in the Workspaces menu. Use these menu items to
switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces.
Use Workspaces -> Show All or Ctrl+Backspace to display the entire database.
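The Hosts, Ports, OS and sessions filters above are easy to get subtly wrong, the a.b.c.0 and a.b.0.0 shorthands in particular. The following is an added Python example, not code from Armitage or from the manual, that implements the matching rules exactly as this section states them over a handful of constructed host records. The record layout, the rule that any one of the listed ports is enough, and the AND-ing of the four fields are assumptions about the dialog's behaviour; the standard ipaddress module does the CIDR arithmetic.

```python
import ipaddress

# Constructed sample records (not real scan data). The field names are an
# assumption about what the Metasploit database keeps per host.
SAMPLE_HOSTS = [
    {"address": "10.10.3.7",     "os": "Windows XP",   "ports": [135, 139, 445], "session": True},
    {"address": "10.10.200.12",  "os": "Linux 2.6.X",  "ports": [22, 80],        "session": False},
    {"address": "192.168.95.40", "os": "Windows 2003", "ports": [445, 3389],     "session": False},
    {"address": "192.168.96.5",  "os": "windows 7",    "ports": [445],           "session": True},
    {"address": "172.16.0.9",    "os": "FreeBSD",      "ports": [22],            "session": False},
]


def parse_network(desc):
    """One network description, using the manual's rules:
    'a.b.c.d/N' is CIDR; 'a.b.c.0' means a.b.c.0-255; 'a.b.0.0' means
    a.b.0.0-a.b.255.255; anything else is a single host."""
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError("bad network description: %r" % desc)
    if octets[2] == "0" and octets[3] == "0":      # 192.168.0.0 -> /16
        return ipaddress.ip_network(desc + "/16", strict=False)
    if octets[3] == "0":                            # 192.168.95.0 -> /24
        return ipaddress.ip_network(desc + "/24", strict=False)
    return ipaddress.ip_network(desc + "/32")


def split_field(value):
    """Dialog fields are 'comma and a space' separated; empty means no filter."""
    return [item.strip() for item in value.split(",") if item.strip()]


def host_matches(host, hosts_field="", ports_field="", os_field="", sessions_only=False):
    """True if the record satisfies every non-empty criterion (assumed AND)."""
    nets = [parse_network(n) for n in split_field(hosts_field)]
    if nets:
        addr = ipaddress.ip_address(host["address"])
        if not any(addr in net for net in nets):
            return False
    wanted_ports = [int(p) for p in split_field(ports_field)]
    if wanted_ports and not any(p in host["ports"] for p in wanted_ports):
        return False            # assumed: any one listed port is enough
    names = [n.lower() for n in split_field(os_field)]
    if names and not any(n in host["os"].lower() for n in names):
        return False            # partial, case-insensitive substring match
    if sessions_only and not host["session"]:
        return False
    return True


def dynamic_workspace(records, **criteria):
    """Addresses of the records a workspace with these criteria would show."""
    return [h["address"] for h in records if host_matches(h, **criteria)]


if __name__ == "__main__":
    print(dynamic_workspace(SAMPLE_HOSTS, hosts_field="192.168.0.0", os_field="indows"))
```

The shorthand rules are checked in the order the manual gives them: a description ending in two zero octets widens to a /16 before the trailing-zero /24 rule is considered, which is what makes 192.168.0.0 cover 192.168.96.5.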
9.2 Importing Hosts
To add host information to Metasploit, you may import it. The Hosts -> Import
Hosts menu accepts the following files:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit. The Hosts -> NMap Scan menu has several scanning
options.
Optionally, you may type db_nmap in a console to launch NMap with the
options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Hosts -> MSF Scans to launch these as well. These scans
work through a pivot and against IPv6 hosts as well. These scans do not
attempt to discover if a host is alive before scanning.
To save time, you should do host discovery first (e.g. an ARP scan, ping sweep,
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Hosts ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database Maintenance
Metasploit logs everything you do to a database. Over time, your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Hosts -> Clear Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for
each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.
10.4 Automatic Exploitation
If manual exploitation fails, you have the Hail Mary option. Attacks -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try. It fires many exploits in quick succession, which is noisy
and can crash fragile services, so use it only where that is acceptable for the
engagement.
10.5 Client-side Exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't get
a remote exploit to work, you'll have to use a client-side attack. Use the module
browser to find and launch client-side exploits. Search for fileformat to find
exploits that trigger when a user opens a malicious file. Search for browser to
find exploits that serve browser attacks from a web server built into Metasploit.
10.6 Client-side Exploits and Payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the Start a handler for this payload option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this option, you're responsible for setting up a multi/handler for
the payload yourself.
11 Post Exploitation
11.1 Managing Sessions
Armitage makes it easy to manage the Meterpreter agent once you successfully
exploit a host. Hosts running a Meterpreter payload will have a Meterpreter N
menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell
session. Right-click the host to access this menu. If you have a Windows shell
session, you may go to Shell N -> Meterpreter to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to
upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the Meterpreter N -> Access ->
Escalate Privileges menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and External Tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g. nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13 Remote Metasploit
13.1 Remote Connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network as if
you're local.
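Section 12.2 and the paragraph above both say the same thing: only Metasploit talks across a pivot, and outside tools get there through its SOCKS proxy. The following added Python example, which is not Armitage's or Metasploit's code, shows what that proxy conversation actually is. It builds a SOCKS4 CONNECT request (with the SOCKS4a hostname form, so name resolution happens on the pivot side), parses the 8-byte reply, and opens a TCP socket to an internal host through the proxy. The proxy address 127.0.0.1:1080 is an assumption (use whatever Armitage reports when it starts the proxy), and the request and reply bytes are constructed, not captured.

```python
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_TEXT = {
    0x5A: "granted",
    0x5B: "rejected or failed",
    0x5C: "rejected: identd not reachable",
    0x5D: "rejected: identd user mismatch",
}


def build_connect_request(dst_host, dst_port, userid=b""):
    """SOCKS4 CONNECT: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL.
    A hostname instead of an IP uses the SOCKS4a extension (DSTIP 0.0.0.1,
    hostname appended after the USERID NUL) so the proxy resolves it from
    the pivot host's side rather than the operator's."""
    try:
        dst_ip = socket.inet_aton(dst_host)
        tail = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"
        tail = dst_host.encode("ascii") + b"\x00"
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dst_port)
    return header + dst_ip + userid + b"\x00" + tail


def parse_reply(data):
    """SOCKS4 reply: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4).
    Returns (granted, reason)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply (%d bytes)" % len(data))
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("unexpected SOCKS4 reply version %d" % vn)
    return cd == REPLY_GRANTED, REPLY_TEXT.get(cd, "unknown code 0x%02x" % cd)


def connect_through_pivot(dst_host, dst_port, proxy=("127.0.0.1", 1080), timeout=10):
    """Return a TCP socket whose far end is dst_host:dst_port, reached via the
    Metasploit SOCKS proxy and therefore via the pivot. Only TCP goes this
    way: UDP, ICMP (ping sweeps) and raw-socket scans such as nmap -sS do not."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(dst_host, dst_port))
        reply = b""
        while len(reply) < 8:                    # the reply may arrive in pieces
            chunk = sock.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed during SOCKS4 handshake")
            reply += chunk
        granted, reason = parse_reply(reply)
        if not granted:
            raise ConnectionError("CONNECT %s:%d refused: %s" % (dst_host, dst_port, reason))
    except Exception:
        sock.close()
        raise
    return sock


# Constructed exchange: a CONNECT to SMB on a host that sits behind the pivot.
EXAMPLE_REQUEST = build_connect_request("10.10.3.7", 445, b"msf")
EXAMPLE_REPLY_OK = b"\x00\x5a\x00\x00\x00\x00\x00\x00"
EXAMPLE_REPLY_FAIL = b"\x00\x5b\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    print(EXAMPLE_REQUEST.hex(), parse_reply(EXAMPLE_REPLY_OK))
```

The practical consequence for external tools is in the docstring: a port scanner pointed at the proxy has to use full TCP connects (nmap's -sT) and must not try to ping first, because nothing but a TCP stream fits through a SOCKS4 CONNECT.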
13.2 Multi-player Metasploit Setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. Anyone who can reach port 55553 and knows the password controls every
session your team has, and a password given on the command line shows up in
the process list and your shell history, so limit which addresses can reach that
port rather than relying on the password alone. The Armitage team server
communicates over SSL. When you start the team server, it will present a
server fingerprint. This is a SHA-1 hash of the server's SSL certificate. When
your team members connect, Armitage will present the hash of the certificate
the server presented to them. They should verify that these hashes match. Do
not connect to 127.0.0.1 when a team server is running. Armitage uses the IP
address you're connecting to to determine whether it should use SSL
(teamserver, remote address) or non-SSL (msfrpcd, localhost). To connect
Armitage to your team server locally, use the [external IP address] in the Host
field. Armitage's red team collaboration setup is CPU sensitive and it likes
RAM. Make sure you have 1.5GB of RAM in your team server.
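The fingerprint comparison above is the only thing standing between the team and anyone who can intercept the connection to port 55553, and a check done by eye once tends not to be repeated on later connections. The added Python example below, not Armitage's code, computes the SHA-1 fingerprint of a PEM certificate the way the manual describes it (SHA-1 over the DER encoding) and pins it known_hosts-style: first contact records it, every later contact must match. The colon-separated uppercase layout, the store file name, and the placeholder address 203.0.113.5 are assumptions; the test certificate is the SHA-1 test vector "abc" wrapped in PEM armour, constructed here and not a real certificate.

```python
import base64
import hashlib
import hmac
import json
import os
import ssl

STORE_PATH = os.path.expanduser("~/.armitage_teamservers.json")   # assumed name

# Constructed stand-in for a server certificate: the FIPS 180 test vector
# "abc" in PEM armour. It is NOT a parseable X.509 certificate; it only
# exercises the PEM -> DER -> SHA-1 path with a known answer.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"abc").decode("ascii") + "\n"
            + "-----END CERTIFICATE-----\n")


def sha1_fingerprint(pem):
    """SHA-1 over the DER bytes, rendered AA:BB:... as most tools print it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def normalize(fp):
    """Compare hex digits only, so 'aa:bb' read off one screen and 'AABB'
    off another still agree."""
    return fp.replace(":", "").replace(" ", "").lower()


def fetch_fingerprint(host, port=55553):
    """Fingerprint of whatever the team server presents. Deliberately does no
    chain validation: the team server's certificate is self-issued, so pinning
    the fingerprint printed at startup is the only meaningful check."""
    return sha1_fingerprint(ssl.get_server_certificate((host, port)))


def check_pinned(store, host, port, presented):
    """Trust on first use: record on first contact, then require a match.
    Returns 'new', 'match' or 'MISMATCH'; on MISMATCH do not log in."""
    key = "%s:%d" % (host, port)
    seen = store.get(key)
    if seen is None:
        store[key] = normalize(presented)
        return "new"
    if hmac.compare_digest(seen, normalize(presented)):
        return "match"
    return "MISMATCH"


def load_store(path=STORE_PATH):
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_store(store, path=STORE_PATH):
    with open(path, "w") as fh:
        json.dump(store, fh, indent=2)


if __name__ == "__main__":
    print(sha1_fingerprint(FAKE_PEM))   # A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
```

A "new" result is the moment to compare against the fingerprint the person who started the team server read off the console; a later "MISMATCH" means either the server was rebuilt with a fresh certificate or something is sitting between you and it, and the only safe response is to stop and ask.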
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are
described here.
View -> Event Log opens a shared event log. You may type into this log and
communicate as if you're using an IRC chat room. In a penetration test, this
event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user
may open one or more command shells, browse files, and take screenshots of
the compromised host. Metasploit shell sessions are automatically locked and
unlocked when in use. If another user is interacting with a shell, Armitage will
warn you that it's in use. Some Metasploit modules require you to specify one or
more files. If a file option has a + next to it, then you may double-click that option
name to choose a local file to use. Armitage will upload the chosen local file
and set the option to its remote location for you. Generally, Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that you're using Metasploit locally. Some Meterpreter commands may
have shortened output. Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command. Additional output
is ignored (although the command still executes normally). This limitation
primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Stand-alone Bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
on ready {
    # fires once the bot is connected to the team server and has synced its state
    println("Hello World");
    quit();
}
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
Now, to launch your bot:
cd /path/to/metasploit/msf3/data/armitage
java -jar cortana.jar connect.prop helloworld.cna
14.3 Script Management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a team server. Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
29 | P a g e
You can cheat with the network descriptions a little If you type
192168950 Armitage will assume you mean 192168950-255 If you type
19216800 Armitage will assume you mean 19216800-192168255255
Fill out the Ports field to include hosts with certain services Separate multiple
ports using a comma and a space Use the OS field to specify which operating
system youd like to see in this workspace You may type a partial name such
as indowsArmitage will only include hosts whose OS name includes the partial
name This value is not case sensitive Separate multiple operating
systems with a comma and a space Select Hosts with sessions only to only
include hosts with sessions in this dynamic workspace You may specify any
combination of these items when you create your dynamic workspace Each
workspace will have an item in the Workspace menu Use these menu items to
switch between workspaces You may also use Ctrl+1 through Ctrl+9 to switch
between your first nine workspaces
Use Work space -gt Show All or Ctrl+Back space to display the entire database
Use Work space -gt Show all or Ctrl+Backspace to display the entire database
92 Importing hostsTo add host information to Metasploit you may import it The Host -gt Import
Host menu accepts the following files
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
30 | P a g e
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XM
93 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit The Host -gt NMap Scan menu
has several scanning options
Optionally you may type d b _ n m a p in a console to launch NMap with the
options you choose
NMap scans do not use the pivots you have set up
94 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans
This feature will scan for a handful of open ports It then enumerates several
common services using Metasploit auxiliary modules built for the purpose
Highlight one or more hosts right-click and click Scan to launch this feature
You may also go to Host -gt MSF Scan to launch these as
well These scans work through a pivot and against IPv6 hosts as well These
scans do not attempt to discover if a host is alive before scanning
To save time you should do host discovery first (eg an ARP scan ping sweep
or DNS enumeration) and then launch these scans to enumerate the discovered
hosts
31 | P a g e
95 DNS Enumeration
Another host discovery option is to enumerate a DNS server Go to Host -gt
DNS Enum to do this Armitage will present a module launcher dialog with
several options You will need to set the DOMAIN option to the domain you
want to enumerate You may also want to set NS to the IP address of the DNS
server youre enumerating If youre attacking an IPv6 network DNS
enumeration is one option to discover the IPv6 hosts on the network
96 Database maintenance
Metasploit logs everything you do to a database Over time your database will
become full of stuff If you have a performance problem with Armitage try
clearing your database To do this go to Host -gt Create Database
10 Exploitation101 Remote Exploitation
Before you can attack you must choose your weapon Armitage makes this
process easy Use Attack -gt Find Attack to generate a custom Attack menu for
each host
To exploit a host right-click it navigate to Attack and choose an exploit To
show the right attacks make sure the operating system is set for the host
104 Automatic exploitation
If manual exploitation fails you have the hail mary option Attack -gt Hail Mary
launches this feature Armitages Hail Mary feature is a smart db_autopwn It
finds exploits relevant to your targets filters the exploits using known
information and then sorts them into an optimal order
This feature wont find every possible shell but its a good option if you dont
know what else to try
105 client side exploitation
32 | P a g e
Through Armitage you may use Metasploits client-side exploits A client-side
attack is one that attacks an application and not a remote service If you cant get
a remote exploit to work youll have to use a client-side attack Use the module
browser to find and launch client-side exploits Search for file format to find
exploits that trigger when a user opens a malicious file Search for browser to
find exploits that server browser attacks from a web server built into Metasploit
105 client side exploitation and payloads
If you launch an individual client-side exploit you have the option of
customizing the payload that goes with it Armitage picks sane defaults To set
the payload double-click PAYLOAD in the option column of the module
launcher This will open a dialog asking you to choose a Payload
Highlight a payload and click Select Armitage will update the PAYLOAD
DisablePayloadHandler ExitOnSession LHOST and LPORT values for you
Youre welcome to edit these values as you see fit
If you select the Start a handler for this payload option Armitage will set the
payload options to launch a payload handler when the exploit launches If you
did not select this value youre responsible for setting up a multihandler for the
payload
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver
121 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host This ability is called pivoting
To create a pivot go to Meterpreter N -gt Pivoting -gt Setup A dialog will ask
you to choose which subnet you want to pivot through the session Once youve
34 | P a g e
set up pivoting Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created The line will become bright green
when the pivot is in use
122 Scanning and external tools
Once you have access a host its good to explore and see what else is on the
same network If youve set up pivoting Metasploit will tunnel TCP
connections to eligible hosts through the pivot host These connections must
come from Metasploit
To find hosts on the same network as a compromised host right-click the
compromised host and go to Meterpreter N -gt ARP Scan or Ping sweep This
will show you which hosts are alive Highlight the hosts that appear right-click
and select Scan to scan these hosts using Armitages MSF Scan feature These
scans will honor the pivot you set up External tools (eg nmap) will not use
the pivots youve set up You may use your pivots with external tools through a
SOCKS proxy though Go to Armitage -gt SOCKS PROXY to launch the
SOCKS proxy server
13 remote metasploit
131 remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host Working with a remote Metasploit instance is similar to working with a
local instance Some Armitage features require read and write access to local
files to work Armitages deconfliction server adds these features and makes it
possible for Armitage clients to use Metaspoit remotely Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitages
deconfliction server With these two servers set up your use of Metasploit will
look like this diagram
The SOCKS4 proxy server is one of the most useful features in Metasploit
Launch this option and you can set up your web browser to connect to websites
through Metasploit This allows you to browse internal sites on a network like
yoursquore local
35 | P a g e
131 multi-player metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploits RPC daemon and Armitages deconfliction server with one
command To run it
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e t e a m s e r
v e r [ external ip address ] [ password ]
This script assumes armitagejar is in the current folder Make sure the external
IP address is correct (Armitage doesnt check it) and that your team can reach
36 | P a g e
port 55553 on your attack host Thats it Metasploits RPC daemon and the
Armitage deconfliction server are not GUI programs You may run these over
SSH The Armitage team server communicates over SSL When you start the
team server it will present a server fingerprint This is a SHA-1hash of the
servers SSL certificate When your team members connect Armitage will
present the hash of the certificate the server presented to them They should
verify that these hashes match Do not connect to 127001 when a teamserver
is running Armitage uses the IP address youre connecting to determine whether
it should use SSL (teamserver remote address) or non-SSL (msfrpcd
localhost) You may connect Armitage to your teamserver locally use the
[external IP address] in the Host field Armitages red team collaboration setup
is CPU sensitive and it likes RAM Make sure you have 15GB of RAM in your
team server
132 multi-player metasploit
Armitages red team collaboration mode adds a few new features These are
described here
View -gt Event Log opens a shared event log You may type into this log and
communicate as if youre using an IRC chat room In a penetration test this
event log will help you reconstruct major events
Multiple users may use any Meterpreter session at the same time Each user
may open one or more command shells browse files and take screenshots of
the compromised host Metasploit shell sessions are automatically locked and
unlocked when in use If another user is interacting with a shell Armitage will
warn you that its in use Some Metasploit modules require you to specify one or
more files If a file option has a next to it then you may double-click that option
name to choose a local file to use Armitage will upload the chosen local file
and set the option to its remote location for you Generally Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that youre using Metasploit locally Some meterpreter commands may
37 | P a g e
have shortened output Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command Additional output
is ignored (although the command still executes normally) This limitation
primarily affects long running meterpreter scripts
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's
Cyber Fast Track program. With Cortana, you may write red team bots and
extend Armitage with new features. You may also make use of scripts written
by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana
scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may
connect the stand-alone Cortana interpreter to an Armitage team server.
Here's a helloworld.cna Cortana script:
    # runs once the bot is connected to the team server
    on ready {
        println("Hello World");
        quit();
    }
To run this script, you will need to start Cortana. First, stand-alone Cortana
must connect to a team server. The team server is required because Cortana bots
are another red team member. If you want to connect multiple users to
Metasploit, you have to start a team server. Next, you will need to create a
connect.prop file to tell Cortana how to connect to the team server you started.
Here's an example connect.prop file:
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot
Now, to launch your bot:
    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
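The two checks a team member has to get right before trusting a team server, the certificate fingerprint comparison described in the remote Metasploit section and the connect.prop file shown above, as an added Python example that is not part of the Armitage manual or of the Armitage or Cortana code: it parses a file in the connect.prop format, computes the colon-separated SHA-1 fingerprint of a DER certificate the way the team server prints it, compares a presented fingerprint against the expected one in constant time, and models the address rule the manual states for the Armitage client (127.0.0.1 selects non-SSL msfrpcd mode). The certificate bytes are a constructed sample, not a real certificate, and all function names are my own.

```python
import hashlib
import hmac

# Constructed sample in the format the manual shows; not a real deployment file.
SAMPLE_CONNECT_PROP = """\
# connect.prop: how the Cortana bot reaches the team server
host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot
"""

REQUIRED_KEYS = ("host", "port", "user", "pass", "nick")

# Constructed bytes standing in for the team server's DER-encoded certificate.
SAMPLE_DER = b"constructed sample, not a real certificate"


def parse_connect_prop(text):
    """Parse Java-properties style key=value lines into a dict.

    Blank lines and '#'/'!' comment lines are skipped; every key the manual's
    example uses must be present and the port must be a valid TCP port.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError(f"malformed connect.prop line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError(f"connect.prop is missing keys: {missing}")
    port = int(props["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    props["port"] = port
    return props


def uses_ssl(host):
    """Model of the manual's rule for the Armitage client: 127.0.0.1 means
    plain msfrpcd, any other address means SSL to a team server.
    Assumption: only the literal 127.0.0.1 selects the non-SSL path."""
    return host != "127.0.0.1"


def sha1_fingerprint(der_cert):
    """Colon-separated SHA-1 hex digest of a DER-encoded certificate, the
    form in which the team server prints its fingerprint at startup."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(presented, expected):
    """Compare two SHA-1 fingerprints regardless of case or colon layout in
    constant time; anything that is not exactly 40 hex digits never matches."""
    a = presented.replace(":", "").replace(" ", "").lower()
    b = expected.replace(":", "").replace(" ", "").lower()
    hexdigits = set("0123456789abcdef")
    if len(a) != 40 or len(b) != 40 or not set(a) <= hexdigits:
        return False
    return hmac.compare_digest(a, b)


def preflight(host, presented_fp, expected_fp):
    """Return (ok, reasons) for an Armitage client about to connect: refuse
    when the address would select the non-SSL path or the fingerprint the
    server presented differs from the one the team shared out of band."""
    reasons = []
    if not uses_ssl(host):
        reasons.append("host is 127.0.0.1: Armitage would use non-SSL msfrpcd mode")
    if not fingerprint_matches(presented_fp, expected_fp):
        reasons.append("server fingerprint does not match the one the team shared")
    return (not reasons, reasons)


SAMPLE_FP = sha1_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print(parse_connect_prop(SAMPLE_CONNECT_PROP))
    print(SAMPLE_FP)
    print(preflight("192.0.2.10", SAMPLE_FP, SAMPLE_FP))
```

The fingerprint shared by the person who started the team server is the only thing that binds a client to that server; the comparison normalizes case and colons so a hand-copied value still matches, and the length and hex checks keep an empty or truncated value from ever comparing equal.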
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into
Armitage directly. When you load a bot into Armitage, you do not need to start
a teamserver; Armitage is able to deconflict its actions from any loaded bots on
its own. You may also use Cortana scripts to extend Armitage and add new
features to it. Cortana scripts may define keyboard shortcuts, insert menus into
Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and
choose the script you would like to load. Scripts loaded in this way will be
available each time Armitage starts. Output generated by bots and Cortana
commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration. Armitage's red team
collaboration features allow your team to use the same sessions, share
data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who
understand hacking but don't use Metasploit every day. If you want to
learn Metasploit and grow into the advanced features, Armitage can help
you.
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
9.3 NMap Scan
You may also launch an NMap scan from Armitage and automatically import
the results into Metasploit. The Host -> NMap Scan menu has several scanning
options. Optionally, you may type db_nmap in a console to launch NMap with
the options you choose.
NMap scans do not use the pivots you have set up.
9.4 MSF Scan
Armitage bundles several Metasploit scans into one feature called MSF Scans.
This feature will scan for a handful of open ports. It then enumerates several
common services using Metasploit auxiliary modules built for the purpose.
Highlight one or more hosts, right-click, and click Scan to launch this feature.
You may also go to Host -> MSF Scan to launch these as well. These scans work
through a pivot and against IPv6 hosts as well. These scans do not attempt to
discover if a host is alive before scanning. To save time, you should do host
discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then
launch these scans to enumerate the discovered hosts.
9.5 DNS Enumeration
Another host discovery option is to enumerate a DNS server. Go to Host ->
DNS Enum to do this. Armitage will present a module launcher dialog with
several options. You will need to set the DOMAIN option to the domain you
want to enumerate. You may also want to set NS to the IP address of the DNS
server you're enumerating. If you're attacking an IPv6 network, DNS
enumeration is one option to discover the IPv6 hosts on the network.
9.6 Database maintenance
Metasploit logs everything you do to a database. Over time, your database will
become full of stuff. If you have a performance problem with Armitage, try
clearing your database. To do this, go to Host -> Create Database.
10 Exploitation
10.1 Remote Exploitation
Before you can attack, you must choose your weapon. Armitage makes this
process easy. Use Attack -> Find Attacks to generate a custom Attack menu for
each host.
To exploit a host, right-click it, navigate to Attack, and choose an exploit. To
show the right attacks, make sure the operating system is set for the host.
10.4 Automatic exploitation
If manual exploitation fails, you have the Hail Mary option. Attack -> Hail Mary
launches this feature. Armitage's Hail Mary feature is a smart db_autopwn. It
finds exploits relevant to your targets, filters the exploits using known
information, and then sorts them into an optimal order.
This feature won't find every possible shell, but it's a good option if you don't
know what else to try.
10.5 Client-side exploitation
Through Armitage, you may use Metasploit's client-side exploits. A client-side
attack is one that attacks an application and not a remote service. If you can't
get a remote exploit to work, you'll have to use a client-side attack. Use the
module browser to find and launch client-side exploits. Search for "fileformat"
to find exploits that trigger when a user opens a malicious file. Search for
"browser" to find exploits that serve browser attacks from a web server built
into Metasploit.
10.6 Client-side exploitation and payloads
If you launch an individual client-side exploit, you have the option of
customizing the payload that goes with it. Armitage picks sane defaults. To set
the payload, double-click PAYLOAD in the option column of the module
launcher. This will open a dialog asking you to choose a payload.
Highlight a payload and click Select. Armitage will update the PAYLOAD,
DisablePayloadHandler, ExitOnSession, LHOST, and LPORT values for you.
You're welcome to edit these values as you see fit.
If you select the "Start a handler for this payload" option, Armitage will set the
payload options to launch a payload handler when the exploit launches. If you
did not select this option, you're responsible for setting up a multi/handler for
the payload.
11 Post Exploitation
11.1 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host. Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session.
If you have shell access to a host, you will see a Shell N menu for each shell
session. Right-click the host to access this menu. If you have a Windows shell
session, you may go to Shell N -> Meterpreter to upgrade the session to a
Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to
upload a file using the UNIX printf command.
11.2 Privilege Escalation
Some exploits result in administrative access to the host. Other times, you need
to escalate privileges yourself. To do this, use the Meterpreter N -> Access ->
Escalate Privileges menu. This will highlight the privilege escalation modules
in the module browser. Try the getsystem post module against Windows
XP/2003 era hosts.
12 Maneuver
12.1 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host. This ability is called pivoting.
To create a pivot, go to Meterpreter N -> Pivoting -> Setup. A dialog will ask
you to choose which subnet you want to pivot through the session. Once you've
set up pivoting, Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created. The line will become bright green
when the pivot is in use.
12.2 Scanning and external tools
Once you have access to a host, it's good to explore and see what else is on the
same network. If you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot host. These connections must
come from Metasploit.
To find hosts on the same network as a compromised host, right-click the
compromised host and go to Meterpreter N -> ARP Scan or Ping Sweep. This
will show you which hosts are alive. Highlight the hosts that appear, right-click,
and select Scan to scan these hosts using Armitage's MSF Scan feature. These
scans will honor the pivot you set up. External tools (e.g. nmap) will not use
the pivots you've set up. You may use your pivots with external tools through a
SOCKS proxy, though. Go to Armitage -> SOCKS Proxy to launch the
SOCKS proxy server.
13 Remote Metasploit
13.1 Remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host. Working with a remote Metasploit instance is similar to working with a
local instance. Some Armitage features require read and write access to local
files to work. Armitage's deconfliction server adds these features and makes it
possible for Armitage clients to use Metasploit remotely. Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up, your use of Metasploit will
look like this diagram.
The SOCKS4 proxy server is one of the most useful features in Metasploit.
Launch this option and you can set up your web browser to connect to websites
through Metasploit. This allows you to browse internal sites on a network like
you're local.
13.1 Multi-player Metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploit's RPC daemon and Armitage's deconfliction server with one
command. To run it:
    cd /path/to/metasploit/msf3/data/armitage
    ./teamserver [external IP address] [password]
This script assumes armitage.jar is in the current folder. Make sure the external
IP address is correct (Armitage doesn't check it) and that your team can reach
port 55553 on your attack host. That's it. Metasploit's RPC daemon and the
Armitage deconfliction server are not GUI programs. You may run these over
SSH. The Armitage team server communicates over SSL.
31 | P a g e
95 DNS Enumeration
Another host discovery option is to enumerate a DNS server Go to Host -gt
DNS Enum to do this Armitage will present a module launcher dialog with
several options You will need to set the DOMAIN option to the domain you
want to enumerate You may also want to set NS to the IP address of the DNS
server youre enumerating If youre attacking an IPv6 network DNS
enumeration is one option to discover the IPv6 hosts on the network
96 Database maintenance
Metasploit logs everything you do to a database Over time your database will
become full of stuff If you have a performance problem with Armitage try
clearing your database To do this go to Host -gt Create Database
10 Exploitation101 Remote Exploitation
Before you can attack you must choose your weapon Armitage makes this
process easy Use Attack -gt Find Attack to generate a custom Attack menu for
each host
To exploit a host right-click it navigate to Attack and choose an exploit To
show the right attacks make sure the operating system is set for the host
104 Automatic exploitation
If manual exploitation fails you have the hail mary option Attack -gt Hail Mary
launches this feature Armitages Hail Mary feature is a smart db_autopwn It
finds exploits relevant to your targets filters the exploits using known
information and then sorts them into an optimal order
This feature wont find every possible shell but its a good option if you dont
know what else to try
105 client side exploitation
32 | P a g e
Through Armitage you may use Metasploits client-side exploits A client-side
attack is one that attacks an application and not a remote service If you cant get
a remote exploit to work youll have to use a client-side attack Use the module
browser to find and launch client-side exploits Search for file format to find
exploits that trigger when a user opens a malicious file Search for browser to
find exploits that server browser attacks from a web server built into Metasploit
105 client side exploitation and payloads
If you launch an individual client-side exploit you have the option of
customizing the payload that goes with it Armitage picks sane defaults To set
the payload double-click PAYLOAD in the option column of the module
launcher This will open a dialog asking you to choose a Payload
Highlight a payload and click Select Armitage will update the PAYLOAD
DisablePayloadHandler ExitOnSession LHOST and LPORT values for you
Youre welcome to edit these values as you see fit
If you select the Start a handler for this payload option Armitage will set the
payload options to launch a payload handler when the exploit launches If you
did not select this value youre responsible for setting up a multihandler for the
payload
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver
121 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host This ability is called pivoting
To create a pivot go to Meterpreter N -gt Pivoting -gt Setup A dialog will ask
you to choose which subnet you want to pivot through the session Once youve
34 | P a g e
set up pivoting Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created The line will become bright green
when the pivot is in use
122 Scanning and external tools
Once you have access a host its good to explore and see what else is on the
same network If youve set up pivoting Metasploit will tunnel TCP
connections to eligible hosts through the pivot host These connections must
come from Metasploit
To find hosts on the same network as a compromised host right-click the
compromised host and go to Meterpreter N -gt ARP Scan or Ping sweep This
will show you which hosts are alive Highlight the hosts that appear right-click
and select Scan to scan these hosts using Armitages MSF Scan feature These
scans will honor the pivot you set up External tools (eg nmap) will not use
the pivots youve set up You may use your pivots with external tools through a
SOCKS proxy though Go to Armitage -gt SOCKS PROXY to launch the
SOCKS proxy server
13 remote metasploit
131 remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host Working with a remote Metasploit instance is similar to working with a
local instance Some Armitage features require read and write access to local
files to work Armitages deconfliction server adds these features and makes it
possible for Armitage clients to use Metaspoit remotely Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitages
deconfliction server With these two servers set up your use of Metasploit will
look like this diagram
The SOCKS4 proxy server is one of the most useful features in Metasploit
Launch this option and you can set up your web browser to connect to websites
through Metasploit This allows you to browse internal sites on a network like
yoursquore local
35 | P a g e
131 multi-player metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploits RPC daemon and Armitages deconfliction server with one
command To run it
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e t e a m s e r
v e r [ external ip address ] [ password ]
This script assumes armitagejar is in the current folder Make sure the external
IP address is correct (Armitage doesnt check it) and that your team can reach
36 | P a g e
port 55553 on your attack host Thats it Metasploits RPC daemon and the
Armitage deconfliction server are not GUI programs You may run these over
SSH The Armitage team server communicates over SSL When you start the
team server it will present a server fingerprint This is a SHA-1hash of the
servers SSL certificate When your team members connect Armitage will
present the hash of the certificate the server presented to them They should
verify that these hashes match Do not connect to 127001 when a teamserver
is running Armitage uses the IP address youre connecting to determine whether
it should use SSL (teamserver remote address) or non-SSL (msfrpcd
localhost) You may connect Armitage to your teamserver locally use the
[external IP address] in the Host field Armitages red team collaboration setup
is CPU sensitive and it likes RAM Make sure you have 15GB of RAM in your
team server
132 multi-player metasploit
Armitages red team collaboration mode adds a few new features These are
described here
View -gt Event Log opens a shared event log You may type into this log and
communicate as if youre using an IRC chat room In a penetration test this
event log will help you reconstruct major events
Multiple users may use any Meterpreter session at the same time Each user
may open one or more command shells browse files and take screenshots of
the compromised host Metasploit shell sessions are automatically locked and
unlocked when in use If another user is interacting with a shell Armitage will
warn you that its in use Some Metasploit modules require you to specify one or
more files If a file option has a next to it then you may double-click that option
name to choose a local file to use Armitage will upload the chosen local file
and set the option to its remote location for you Generally Armitage will do its
best to move files between you and the shared Metasploit server to create the
illusion that youre using Metasploit locally Some meterpreter commands may
37 | P a g e
have shortened output Multi-player Armitage takes the initial output from a
command and delivers it to the client that sent the command Additional output
is ignored (although the command still executes normally) This limitation
primarily affects long running meterpreter scripts
14 Scripting armitage
141 Cortana
Armitage includes Cortana a scripting technology developed through DARPAs
Cyber Fast Track program With Cortana you may write red team bots and
extend Armitage with new features You may also make use of scripts written
by others Cortana is based on Sleep an extensible Perl-like language Cortana
scripts have a cna suffix
142 standalone bots
A stand-alone version of Cortana is distributed with Armitage You may
connect the stand-alone Cortana interpreter to an Armitage team server
Heres a helloworldcna Cortana script
o n r e a d y
p r i n t l n ( H e l l o W o r l d )
q u i t ( )
To run this script you will need to start Cortana First stand-alone Cortana
must connect to a team server The team server is required because Cortana bots
38 | P a g e
are another red team member If you want to connect multiple users to
Metasploit you have to start a team server Next you will need to create a
connectprop file to tell Cortana how to connect to the team server you started
Heres an example
connectprop file
h o s t = 1 2 7 0 0 1
p o r t = 5 5 5 5 3
u s e r = m s f
p a s s = p a s s w o r d
n i c k = M y B o t
Now to launch your bot
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e
j a v a - j a r c o r t a n a j a r c o n n e c t p r o p h e l l o w o r l d can
143 Script management
You dont have to run Cortana bots stand-alone You may load any bot into
Armitage directly When you load a bot into Armitage you do not need to start
a teamserver Armitage is able to deconflict its actions from any loaded bots on
its own You may also use Cortana scripts to extend Armitage and add new
features to it Cortana scripts may define keyboard shortcuts insert menus into
Armitage and create simple user interfaces
To load a script into Armitage go to Armitage -gt script Press Load and
choose the script you would like to load Scripts loaded in this way will be
available each time Armitage starts Output generated by bots and Cortana
commands are available in the Cortana console Go to View -gt script console
39 | P a g e
Conclusion
Advanced users will find Armitage valuable for managing remote
Metasploit instances and collaboration Armitages red team
collaboration features allow your team to use the same sessions share
data and communicate through one Metasploit instance
Armitage aims to make Metasploit usable for security practitioners who
Understand hacking but dont use Metasploit every day If you want to
learn Metasploit and grow into the advanced features Armitage can help
you
32 | P a g e
Through Armitage you may use Metasploits client-side exploits A client-side
attack is one that attacks an application and not a remote service If you cant get
a remote exploit to work youll have to use a client-side attack Use the module
browser to find and launch client-side exploits Search for file format to find
exploits that trigger when a user opens a malicious file Search for browser to
find exploits that server browser attacks from a web server built into Metasploit
105 client side exploitation and payloads
If you launch an individual client-side exploit you have the option of
customizing the payload that goes with it Armitage picks sane defaults To set
the payload double-click PAYLOAD in the option column of the module
launcher This will open a dialog asking you to choose a Payload
Highlight a payload and click Select Armitage will update the PAYLOAD
DisablePayloadHandler ExitOnSession LHOST and LPORT values for you
Youre welcome to edit these values as you see fit
If you select the Start a handler for this payload option Armitage will set the
payload options to launch a payload handler when the exploit launches If you
did not select this value youre responsible for setting up a multihandler for the
payload
11 Post Exploitation111 Managing sessions
Armitage makes it easy to manage the meterpreter agent once you successfully
exploit a host Hosts running a meterpreter payload will have a Meterpreter N
menu for each Meterpreter session
33 | P a g e
If you have shell access to a host you will see a Shell N menu for each shell
session Right click the host to access this menu If you have a Windows shell
session you may go to Sheell N -gt Meterpreter to upgrade the session to a
Meterpreter session If you have a UNIX shell go to Shell N -gt Upload to
upload a file using the UNIX printf command
112 Privilege Escalation
Some exploits result in administrative access to the host Other times you need
to escalate privileges yourself To do this use the Meterpreter N -gt Access -gt
Escalation privilege menu This will highlight the privilege escalation modules
in the module browser Try the getsystem post module against Windows
XP2003 era hosts
12 Maneuver
121 Pivoting
Metasploit can launch attacks from a compromised host and receive sessions on
the same host This ability is called pivoting
To create a pivot go to Meterpreter N -gt Pivoting -gt Setup A dialog will ask
you to choose which subnet you want to pivot through the session Once youve
34 | P a g e
set up pivoting Armitage will draw a green line from the pivot host to all
targets reachable by the pivot you created The line will become bright green
when the pivot is in use
122 Scanning and external tools
Once you have access a host its good to explore and see what else is on the
same network If youve set up pivoting Metasploit will tunnel TCP
connections to eligible hosts through the pivot host These connections must
come from Metasploit
To find hosts on the same network as a compromised host right-click the
compromised host and go to Meterpreter N -gt ARP Scan or Ping sweep This
will show you which hosts are alive Highlight the hosts that appear right-click
and select Scan to scan these hosts using Armitages MSF Scan feature These
scans will honor the pivot you set up External tools (eg nmap) will not use
the pivots youve set up You may use your pivots with external tools through a
SOCKS proxy though Go to Armitage -gt SOCKS PROXY to launch the
SOCKS proxy server
13 remote metasploit
131 remote connection
You can use Armitage to connect to an existing Metasploit instance on another
host Working with a remote Metasploit instance is similar to working with a
local instance Some Armitage features require read and write access to local
files to work Armitages deconfliction server adds these features and makes it
possible for Armitage clients to use Metaspoit remotely Connecting to a remote
Metasploit requires starting a Metasploit RPC server and Armitages
deconfliction server With these two servers set up your use of Metasploit will
look like this diagram
The SOCKS4 proxy server is one of the most useful features in Metasploit
Launch this option and you can set up your web browser to connect to websites
through Metasploit This allows you to browse internal sites on a network like
yoursquore local
35 | P a g e
131 multi-player metasploit setup
The Armitage Linux package comes with a teamserver script that you may use
to start Metasploits RPC daemon and Armitages deconfliction server with one
command To run it
c d p a t h t o m e t a s p l o i t m s f 3 d a t a a r m i t a g e t e a m s e r
v e r [ external ip address ] [ password ]
This script assumes armitagejar is in the current folder Make sure the external
IP address is correct (Armitage doesnt check it) and that your team can reach
36 | P a g e
port 55553 on your attack host Thats it Metasploits RPC daemon and the
Armitage deconfliction server are not GUI programs You may run these over
SSH The Armitage team server communicates over SSL When you start the
team server it will present a server fingerprint This is a SHA-1hash of the
servers SSL certificate When your team members connect Armitage will
present the hash of the certificate the server presented to them They should
verify that these hashes match Do not connect to 127001 when a teamserver
is running Armitage uses the IP address youre connecting to determine whether
it should use SSL (teamserver remote address) or non-SSL (msfrpcd
localhost) You may connect Armitage to your teamserver locally use the
[external IP address] in the Host field Armitages red team collaboration setup
is CPU sensitive and it likes RAM Make sure you have 15GB of RAM in your
team server
13.3 Multi-player Metasploit
Armitage's red team collaboration mode adds a few new features. These are described here.
View -> Event Log opens a shared event log. You may type into this log and communicate as if you're using an IRC chat room. In a penetration test this event log will help you reconstruct major events.
Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.
Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it's in use.
Some Metasploit modules require you to specify one or more files. If a file option has a '...' next to it, you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you're using Metasploit locally.
Some Meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long-running Meterpreter scripts.
14 Scripting Armitage
14.1 Cortana
Armitage includes Cortana, a scripting technology developed through DARPA's Cyber Fast Track program. With Cortana you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others. Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.
14.2 Standalone bots
A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server. Here's a helloworld.cna Cortana script:

    # helloworld.cna: the ready event fires once the bot is connected to the team server
    on ready {
        println("Hello World");
        quit();
    }

To run this script you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member. If you want to connect multiple users to Metasploit, you have to start a team server. Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here's an example:

    # connect.prop: where the team server listens and the credentials it was started with
    host=127.0.0.1
    port=55553
    user=msf
    pass=password
    nick=MyBot

Now, to launch your bot:

    cd /path/to/metasploit/msf3/data/armitage
    java -jar cortana.jar connect.prop helloworld.cna
14.3 Script management
You don't have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage you do not need to start a team server; Armitage is able to deconflict its actions from any loaded bots on its own. You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.
To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts. Output generated by bots and Cortana commands is available in the Cortana console. Go to View -> Script Console.
Conclusion
Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.
Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.
Understand hacking but dont use Metasploit every day If you want to
learn Metasploit and grow into the advanced features Armitage can help
you