
Armitage

Hacking Made Easy

Part 1
Author : r45c4l
Mail : infosecpirate@gmail.com
http://twitter.com/#!/r45c4l
Greetz and shouts to the entire ICW team and every Indian hacker.
Introduction
When I started writing this, I thought to keep it short and simple, as I am assuming that the readers are at least a little bit familiar with Metasploit as well as Armitage. They don't need to know everything, but they should at least have an idea about the use and purpose of these tools.
When I started writing this, I realized that it's really not possible to cover the vast number of features and the usability of this tool in one go, so I decided to continue this paper as a series. I hope to finish it in part 2 of this paper, but again it depends on the demands and requests of the readers, if they want me to add or go into the detail of any of the topics or functions of this beautiful tool Armitage.
There must be some mistakes, so I request readers to please let me know about them so that I can correct them and give you better material. My contact details are mentioned above.
UNDERSTANDING ARMITAGE AND ITS ADVANTAGE OVER METASPLOIT
Before starting this I am assuming that most of the readers are comfortable or at least familiar with Metasploit and its uses.
So what is Armitage ?
Well, in easy terms we can say that it's an add-on for Metasploit with an easy to use GUI which helps to visualize the targets, recommends exploits and exposes the post-exploitation features in one platform.
This tool is basically designed keeping in mind the needs of penetration testers, so that they can use and share the same session.
Anyway, its use is not limited to penetration testers; individuals can also use it and run it as per their requirements and needs.

Those who at this point are still not feeling comfortable with the concept and the use of the framework, I would request to go to www.fastandeasyhacking.net .
As this paper is written keeping the pen testers in mind, we are not going to continue it in the same introductory manner.
Let us first see how Armitage gives us an upper hand in comparison with Metasploit during a pen testing scenario.
Through just one instance it helps the user/team by:
• Using the same session
• Sharing hosts and captured data
• Communicating through a shared event log
How does Armitage have extra functions, and what makes it more powerful and user friendly?
• One of the best and most important features is that it recommends exploits and runs active checks to find out which exploits will work.
Every pen tester/hacker needs to follow certain protocols to get as much information as possible about the system/networks/targets/victims.
The correct method of conducting a pen test is by following the rules :
a) Reconnaissance
b) Social Engineering and site-target reconnaissance
c) IP and Network Reconnaissance
d) DNS Reconnaissance
e) Mapping Targets
f) Network Mapping (ICMP)
g) Port Scanning
h) Vulnerability - both network-based OS and application interrogation.
i) Researching and probing vulnerabilities.
And in the most simple way we can just say that we have only 3 options:
a) Footprinting
b) Scanning
c) Enumeration

To perform all these tasks we have to use different tools, and it will consume a lot of time too. This is where Armitage comes in handy to solve all these problems under one framework. Although Metasploit is also capable of performing almost all of these tasks, the basic difference is that Armitage has a user friendly GUI that is almost point and click.
NOTE : I will be using Armitage over BT5, so all the descriptions will be similar for Unix distros.
Starting up Armitage :
As I will be using Armitage on BT5, where it is installed by default, those who are running a different OS can check the site for downloading and installing Armitage according to their OS.
The very first screen you will see will look like the one above, which is the path to start up Armitage. Now when we click on the Armitage option we will move on to the second stage :
Once you click the connect option, you will be greeted with this second window. As seen in this screen-shot, Armitage is asking to connect itself with the Metasploit RPC server, which is not running as of now.
In the next screen-shot we can see it is trying to connect to the default address, which will be 127.0.0.1 on the default port number 55553. The error which it is showing here is ok as of now and we don't need to worry about it.
After the connection is established the main Armitage window will come up. It will be like the one shown in the following screen shot.
So here we can see the main Armitage window has three main panels : Modules, Targets and Tabs. We can click on the individual panels to resize them according to our needs. The different machines which we can see in the Targets panel are there because my old sessions are open there, but otherwise it will be blank.
Let us have a look at the different panels with a brief description of each. Let us start with "Modules" :
The Module browser gives us the options to launch Metasploit auxiliary modules, throw an exploit, generate a payload and run a post-exploitation module. By clicking on the individual modules we can see the tree to launch the desired module. Double click a module to open a module launch dialog.
Now let's come to the "Target Window"; here we have two options to arrange/view the targets.
1. Graph View
2. Table View
In the following screen shot the targets are already selected as "Graph View", so this is what your screen will look like when you select the targets to be viewed as "Graph View".
Now let's see how it will look when we select the option of "Table View" -
The following screen-shot shows how your targets will look when you select the option of "Table View".
There are a couple of keyboard shortcuts also available in the Target panel, and to edit them we have to go to Armitage > Preferences:
• Ctrl Plus : zoom in
• Ctrl Minus : zoom out
• Ctrl 0 : reset the zoom level
• Ctrl A : select all hosts
• Escape : clear selection
• Ctrl C : arrange hosts in a circle
• Ctrl S : arrange hosts in a stack
• Ctrl H : arrange hosts in a hierarchy
• Ctrl R : refresh hosts from the database
• Ctrl P : export hosts to an image
Now let's come to the very important and helpful feature of Armitage which is "Tabs".
Armitage opens each dialog, console and table in a tab situated just below the Module and Target panels. Tabs help us to perform multiple tasks on multiple targets at the same time by keeping every result on one particular tab, which we can close by clicking the X button on the right hand side of the tab, or we can move between tabs quickly to keep an eye on the result of the tasks/running processes on each tab.
Let's look at the following screen-shot to see how it looks.
Here we can see that I have different tabs opened for different targets. In the present tab which is open here, it is easy to notice that I am checking the services running on the particular target machine which I have selected, which is xxx.14.70.63, and it shows us that the target machine, which is obviously a Windows machine, has 2 services running at this moment: FTP and HTTP.
One more option we have here with the Tabs is that we can drag and shift them according to our convenience.
Metasploit Console :
Let us come back to our "Console" tab.
The Metasploit console, Meterpreter console and shell interfaces all use a console tab. The console tab here lets you interact with all these interfaces through Armitage.
The console tab also keeps track of your command history. "up arrow" and "down arrow" cycle through the previous commands you typed. In the Metasploit console in Armitage we can use "tab" to auto complete commands and parameters, just like the Metasploit console outside of Armitage.
Two more added features of Armitage are Logging and Export Data, which make it more powerful and helpful. Let's just have a quick look at these two features :
Logging : Armitage logs all the console, shell and event logs for the user. These logs are organized by date and host. The logs are stored in the ~/.armitage folder. Go to View > Reporting > Activity Logs to open the folder.
Copies of screen-shots and web-shots are also saved in this folder by Armitage.
Now let's come to the Export Data part of Armitage :
Export Data : Armitage and Metasploit share a database to track your hosts, services, vulnerabilities, credentials, loots, and the user-agent strings captured by browser exploit modules.
We can get this by going to View > Reporting > Export Data. This can be used to export data from Metasploit into easily parsable XML and tab separated value (TSV) files.
Now comes the part of Host Management
Host Management is basically Armitage's dynamic workspace feature to create views into the hosts database and quickly switch between them.
Workspace > Manage will take us to the window to manage our dynamic workspaces. Here we can see the different options we have, like Activate, Add, Edit and Remove, which we can use according to our need.
By clicking the Add button we can create a new dynamic workspace. This new dynamic workspace can be given any name according to our convenience. We can specify a network description in the Hosts field either by typing the IP range as 192.168.0.0/16 or as 192.168.0.0-192.168.255.255.
In the Ports field we can specify the ports of specific services, like 21, 80, 110 etc., separated by a comma and a space.
The OS field is used to select which Operating Systems we would like to see in the workspace. Separate multiple OS names with a comma and a space.
Select "Hosts with sessions only" to only include hosts with sessions in this dynamic workspace.
Each workspace will have an item in the Workspace menu and we can use these menu items to switch between workspaces.
To display the entire database use Workspace > Show All.
NOTE : Armitage will only display 512 hosts at any given time, no matter how many hosts are there in the database. If the number of hosts is large, we can use this feature to segment our hosts into useful target sets.
Importing Hosts :
Here we can import host information into Metasploit. To do that, as seen in the above screen shot, go to Hosts > Import Hosts. This accepts the following files :
• Acunetix XML
• Amap Log
• Amap Log -m
• Appscan XML
• Burp Session XML
• Foundstone XML
• IP360 ASPL
• IP360 XML v3
• Microsoft Baseline Security Analyzer
• Nessus NBE
• Nessus XML (v1 and v2)
• NetSparker XML
• NeXpose Simple XML
• Nmap XML
• OpenVAS Report
• Qualys Asset XML
• Qualys Scan XML
• Retina XML
We can add hosts by Hosts > Add Hosts...
The next option available is NMap Scans
We can launch an Nmap scan with all those default Nmap options from Armitage to automatically import the results into Metasploit. In the above screenshot we can see the several scanning options we have under Hosts > Nmap Scan.
We can also type db_nmap in the Metasploit console with the options we choose.
Nmap scans do not use the pivots we have set up.
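As an added example of what Hosts > Import Hosts and db_nmap do with an Nmap XML file (example code written for this page, not Metasploit's own importer): it reads a constructed Nmap -oX document, keeps only hosts that are up and ports that are open, and returns the address, hostname, OS match and service list the way they would land in the hosts and services tables. The sample XML is constructed, not a real scan, and the function name is my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format; not the output of any real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="Microsoft ftpd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="6.0"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/>
        <service name="msrpc"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
  </host>
</nmaprun>"""

def import_nmap_xml(xml_text):
    """Map an Nmap XML document to {address: {"name", "os", "services"}}.
    Only hosts reported up and ports reported open are kept, which is what the
    hosts and services tables hold after Hosts > Import Hosts or db_nmap."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue  # down hosts never reach the database
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not services
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            # product and version are joined into the service "info" text
            info = " ".join(p for p in (attrs.get("product"), attrs.get("version")) if p)
            services.append((int(port.get("portid")), port.get("protocol"),
                             attrs.get("name", ""), info))
        name_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")
        hosts[addr_el.get("addr")] = {
            "name": name_el.get("name") if name_el is not None else "",
            "os": os_el.get("name") if os_el is not None else "",
            "services": services,
        }
    return hosts
```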
Discovery Scan
Metasploit has different modules for scanning and fingerprinting hosts which are very reliable and give accurate fingerprints when common services are available. Highlight one or more hosts and click Scan to launch these modules, which work through a pivot.
We can use View > Jobs to see which modules are running, as shown in the below screenshot.
This way Armitage made it very simple and easy to identify the services running on the selected host (in this case it is Microsoft IIS/6.0 running on port 80), and at the same time it can tell us, by viewing the Jobs, that it has a multi/handler running on port 22024 and the payload which can be used is (windows/meterpreter/reverse_tcp).
Now let's move to a very important feature which is EXPLOITATION.
Before we move further with our targets we need to choose our weapon, which is made very simple in Armitage by just going to Attack > Find Attacks to generate a custom attack menu. Let's look at the following screen-shot.
Once we go through this we will see another screen which will look something like this :
Here we can see that Attack Analysis has completed, which can be seen as an Attack menu attached to each host in the Target window.
Let us go back to our old target machine and see how it looks there.
So here we can see that the Attack option has further options according to different services like http, iis, mssql etc., which are further categorized with the different exploit payloads it found during the scan.
As the number of generated/suggested exploits can be very large sometimes, to make it easy we can sort out the exploits under the categories of Excellent, Great, Normal and Poor, which is shown in the screen shot.
Now the question comes of which exploit to use, which comes with experience, or otherwise there is always Google to help you if you get stuck somewhere. Some exploits in Metasploit implement a check function. What these check functions do is connect to the host and check whether the exploit applies there or not. This is where Armitage is helpful: we can use these check functions to choose the right exploit when there are many options. For example, targets listening on port 80, like our target, will show several web application exploits after we Find Attacks. Click on the Check exploits... menu to run the check command. Once all the checks are complete we can use Ctrl F and search for "vulnerable". This will lead us to the right exploit.
Ok so we got our exploit, what now ??
Well, the next step is Launching Exploits. So here we go :
Here the exploit launch dialogue box lets us configure options for a module and choose whether to use a reverse connect payload.
Once we click the launch option the exploit will execute itself to pwn the target, and the result can be seen on the exploit tab.
Here we can easily see what is going on while our exploit is running and whether it is successful or not.
Armitage will make the host red and surround it with lightning bolts.
Metasploit will also print a message to any open console.
Armitage has one more method of exploiting the target, which is otherwise called "Automatic Exploitation".
Automatic Exploitation : In case our manual exploitation fails we have one more option to do it in an automatic manner, which is also referred to as "Hail Mary".
Armitage's Hail Mary feature is a smart db_autopwn. It finds exploits relevant to our targets, filters the exploits using known information, and then sorts them into an optimal order.
This option may not get you a good result or find you a shell, but in case it's your lucky day this is the best thing to do when you don't know what to do next.
Now comes the part of Client Side Exploits
We can use Metasploit's client side exploits through Armitage.
To understand what a client side attack is: it's the one which attacks the applications and not the client. If we fail to execute a remote exploit, we have to use a client side attack.
To launch a client side attack we can use the module browser to search for and execute them.
Client side Exploits and Payloads:
When we launch a client-side payload exploit, we have the option
of customizing the payload that goes with it.
To set the payload, double click on PAYLOAD in the option column of the module launcher. This will open an option for you to choose a payload. Let's see this in the following example.
Here in the example Windows is chosen from the option column of the module launcher to set the payload by double clicking the PAYLOAD, which in fact opened a dialog asking to choose a payload.
Here we can highlight a payload and click Select. Armitage will
update the PAYLOAD, DisplayPayloadHandler,
ExitOnSession, LHOST, and RHOST values which we can
edit according to our needs.
Payload Handlers :
A payload handler is a server that runs in Metasploit, waiting for a payload to connect to Metasploit and establish a session.
By navigating to Armitage > Listeners we can quickly start a payload handler. A bind listener attempts to connect to a payload that is listening for a connection. A reverse listener waits for the payload to connect back to you. Let's have a look at the following screen shot, where a listener can be run with both the Bind and Connect options.
This is the screen shot of Bind Listener and following is the
screenshot of Reverse Listener
Now we have almost reached the end of part 1 of this paper, but before closing it, let us just have a look at one more topic. In our previous topic we discussed Payload Handlers; now let's have a look at Generating a Payload.
Generate a Payload :
As long as there are targets to run a program, all we need is an executable. Here Armitage comes in handy by generating an executable from any of Metasploit's payloads. All that we need to do is just choose a payload in the module browser, double click it, select the type of output, and set our options. Once we click launch, a save dialog will ask where to save the file.
Here we need to remember something: if we have a payload, it needs a handler. Use the multi/handler output type to create a handler that waits for the payload to connect. This option is far more powerful than the Armitage > Listeners menu.
######################################################
This is the end of Part 1 of this paper. A lot more issues, topics, features and functions will be discussed in Part 2, which I will be posting very soon.
If there is any mistake or something which I missed here, or anything specific you want to know or want me to include, feel free to ping me on infosecpirate[at]gmail[dot]com
./r45c4l
