What is Armitage?
Armitage is a graphical user interface for the Metasploit Framework. At first glance, it may seem that Armitage is just a pretty front-end on top of Metasploit. That’s not quite true. Armitage is a scriptable red team collaboration tool. It has a server component to allow a team of hackers to share their accesses to compromised hosts.
Starting Kali Linux
The best way to start playing with Armitage is to download Kali Linux and run it in a virtual machine. For this guide, you should set your virtual machine to NAT networking. This is necessary because in a moment, I will ask you to download a target virtual machine and set it up.
To login to Kali Linux, use the username root, password toor. To request an IP address via DHCP, type dhclient. To start X Windows, type startx.
Use Java 1.7
Kali Linux ships with Java 1.6 and Java 1.7. Java 1.6 is the default, though, and for some people this version of Java makes their menus stick or draw slowly. For the best Armitage experience, you should use Java 1.7. Fortunately, it’s one command to change the default.
If you have 32-bit Kali Linux, open a terminal and type:
update-java-alternatives --jre -s java-1.7.0-openjdk-i386
If you have 64-bit Kali Linux, open a terminal and type:
update-java-alternatives --jre -s java-1.7.0-openjdk-amd64
Installing Armitage
Your version of Kali Linux may not include Armitage. To install it, type:
apt-get install armitage
Next, you need to start the Metasploit service. Armitage does not use the Metasploit service, but starting it once will set up a database.yml file for your system. This is a necessary step. You only need to do this once:
service metasploit start
service metasploit stop
Updating the Metasploit Framework
Use the msfupdate command to update the Metasploit Framework to the latest.
Starting Armitage
Before you can use Armitage, you must start the postgresql database. This does not happen on boot, so you must run this command each time you restart Kali:
service postgresql start
To start Armitage in Kali Linux, open a terminal and type:
armitage
Armitage will immediately pop up a dialog and ask where you would like to connect to. These parameters only matter if you want to connect to an Armitage team server. Since we’re getting started, we don’t care. Just press Connect.
Next, Armitage will try to connect to the Metasploit Framework. Big surprise, the Metasploit Framework is not running. Armitage will realize this and it will ask you if you would like it to start Metasploit for you. The correct answer is Yes. Press this button and wait.
You will see connection refused messages for up to a few minutes. If this is your first time starting the Metasploit Framework, this may take literally a few minutes. The Metasploit Framework is the largest Ruby codebase out there and it takes time to load all of its modules for the first time. Be patient.
If all went well, you will see a GUI that looks like this:
You’re now ready to use Armitage.
A Target
Every attacker needs a target. Since you’re just starting out, I recommend that you set up a target virtual machine made for learning the Metasploit Framework. If you need such a target virtual machine, look no further than Metasploitable 2.
Metasploitable 2 is a virtual machine maintained by the Metasploit project team. It’s an Ubuntu server with a lot of services and vulnerabilities.
You can download Metasploitable 2 at:
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Set this virtual machine up. Make sure you set the networking for this virtual machine to NAT or host-only. You do not want to expose this virtual machine to the internet.
To learn its IP address, login as user msfadmin, password msfadmin when this virtual machine starts up. Type ifconfig to see the network configuration for this virtual machine. Once you have an IP address for this system, you’re now ready to attack it.
Now, go RTFM
The Metasploit Framework has a lot of jargon and Armitage has a lot of conventions associated with it. Now that you’re up and running, I recommend that you take a few minutes and read the Armitage manual. You can skip the Getting Started portion if you like. Pay special attention to section 1.4 which details some of the vocabulary around the Metasploit Framework. I also recommend that you read the User Interface Tour, Exploitation, and Post Exploitation chapters.
The Armitage manual is not a tutorial, but it will help orient you around the tool. You want this orientation, because in the next part of this guide, you will attack the Metasploitable Virtual Machine that you setup a moment ago.
Armitage Labs:-
I spend a lot of time teaching folks how to use Armitage and its big brother Cobalt Strike. To start out right, I have my students go through several labs designed to help them experience the conventions in the Metasploit Framework first hand. Work through these labs and you will start to develop a mental model of what the Metasploit Framework can do and how it’s organized.
Scan
- Go to Hosts -> Nmap Scan -> Intense Scan, all TCP ports
- Type the IP address of the Metasploitable Virtual Machine
- Wait for the scan to complete. It will take some time.
- Right-click the Metasploitable host and select Services
Exploit
- Go to Attacks -> Find Attacks
- Wait for Attack Analysis complete dialog.
- Right-click the Metasploitable host and try various items from the Attack menu until one works. Something is bound to work.
- Right-click the Metasploitable host and select Shell 1 -> Interact. If you have a Meterpreter 1 menu, then keep searching. Meterpreter is a great post-exploitation tool, but we’re not ready to talk about it yet. Find an exploit that yields a shell.
- Type: whoami and press enter in the new Shell 1 tab.
Brute Force VNC
- Select the Metasploitable host in the target area
- Navigate to auxiliary -> scanner -> vnc -> vnc_login in the module browser. Double-click this module.
- Press Launch
- Open a Terminal and type: vncviewer [Metasploitable IP]:5900. Use the password vnc_login helped you discover to connect.
Tomcat Manager Deploy Exploit
- Select the Metasploitable host in the target area
- Navigate to auxiliary -> scanner -> http -> tomcat_mgr_login in the module browser. Double-click this module.
- Double-click the RPORT value and change it to the correct port. Take a look at the services on the system. Which port is running Apache Tomcat?
- Press Launch
- Navigate to exploit -> multi -> http -> tomcat_mgr_deploy in the module browser. Double-click this module.
- Change RPORT, USERNAME, and PASSWORD to their correct values. Step 4 should have yielded a valid username and password for you.
- Press Launch
Brute Force
Metasploit modules ending with _login are usually able to brute force credentials. Try mapping one of the open services to its login module and follow these steps:
- Type _login in the search box below the module browser to find these modules
- Double-click the *_login module you’re interested in to open its launch dialog
- Find the USER_FILE option and double-click the black square. The black square indicates that there is a helper dialog to set this option
- Double-click on the wordlists folder
- Choose the unix_users.txt file
- Set the PASSWORD option to something silly, such as password. Or, set PASS_FILE to a juicy looking file (but then expect this to take a long time)
- Press Launch
How many weak accounts did you find?
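The brute-force lab above has a mirror image on the target: every guess a *_login module makes is a "Failed password" line in the victim's auth log, and the weak account it finds shows up as an "Accepted password" right after the burst. The following is an added example, not code from this guide or from the Armitage project; it parses sshd log lines in the standard Linux syslog format and flags any source that piles up failures inside a short window. The log lines are constructed for the example, and the window and threshold are assumptions you would tune for your own hosts.

```python
"""Spot a *_login style password-guessing run in sshd auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample in the format sshd writes to /var/log/auth.log on Linux.
# Addresses, PIDs and user names are made up for the example.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 metasploitable sshd[1201]: Failed password for invalid user admin from 192.168.56.1 port 51234 ssh2
Jan 10 12:00:01 metasploitable sshd[1202]: Failed password for invalid user test from 192.168.56.1 port 51235 ssh2
Jan 10 12:00:02 metasploitable sshd[1203]: Failed password for root from 192.168.56.1 port 51236 ssh2
Jan 10 12:00:02 metasploitable sshd[1204]: Failed password for invalid user guest from 192.168.56.1 port 51237 ssh2
Jan 10 12:00:03 metasploitable sshd[1205]: Failed password for msfadmin from 192.168.56.1 port 51238 ssh2
Jan 10 12:00:03 metasploitable sshd[1206]: Accepted password for msfadmin from 192.168.56.1 port 51239 ssh2
Jan 10 12:05:40 metasploitable sshd[1300]: Failed password for msfadmin from 192.168.56.50 port 40001 ssh2
Jan 10 12:05:55 metasploitable sshd[1301]: Accepted password for msfadmin from 192.168.56.50 port 40002 ssh2
"""

WINDOW_SECONDS = 60   # assumption: how close together failures must be
FAIL_THRESHOLD = 4    # assumption: failures in one window that count as a burst

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


class AuthEvent(NamedTuple):
    when: datetime
    src: str
    user: str
    accepted: bool


def parse_auth_lines(text: str) -> List[AuthEvent]:
    """Turn sshd password-auth lines into events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; relative ordering is all we need here
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append(AuthEvent(when, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def find_bruteforce(events: List[AuthEvent], threshold: int = FAIL_THRESHOLD,
                    window: int = WINDOW_SECONDS) -> Dict[str, dict]:
    """Return {source IP: finding} for every source with a burst of failures.

    A burst is `threshold` or more failures whose timestamps fit inside
    `window` seconds (sliding window per source). The finding also lists the
    user names tried and any account accepted after the last failure, which
    is the "weak account" a *_login module would have reported."""
    by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings: Dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.when)
        fails = [e for e in evs if not e.accepted]
        peak = start = 0
        for end in range(len(fails)):
            while (fails[end].when - fails[start].when).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1].when
        findings[src] = {
            "peak_failures": peak,
            "users_tried": sorted({e.user for e in fails}),
            "success_after": sorted(e.user for e in evs if e.accepted and e.when >= last_fail),
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_bruteforce(parse_auth_lines(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {finding['peak_failures']} failures in {WINDOW_SECONDS}s, "
              f"users {finding['users_tried']}, then accepted {finding['success_after']}")
```

The single failed login from 192.168.56.50 never reaches the threshold and is not reported, while the five-guess burst from 192.168.56.1 is, together with the fact that msfadmin was accepted immediately afterwards; that last field is what turns a noisy alert into one worth a password reset.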
Postgres Ownership
Not all vulnerabilities will yield a shell. That’s OK. Sometimes there are other great opportunities:
- Try to brute force credentials to the postgres database running on the system
- Use the results of step 1 to read the contents of /etc/passwd through the postgres database. Hint: search for any postgres related modules. There may be one that can help you.
Before You Begin:-
Before you dive into Armitage, there’s a few things that you should know. While it’s possible to learn some basic tutorials in Armitage with little to no background in penetration testing, I’d highly recommend starting with Metasploit. If you’re not aware of Metasploit yet, understand that it is a console-driven application that requires working from the command line. Armitage does help alleviate some of this burden with graphical images, but you still need to know how to work from the command line to be a competent user.
Also, you need to be aware of how the Metasploit framework is organized, particularly regarding its modules. After entering Metasploit, you can type help to view the modules included in the software. Every component of the software (and by extension, every component of Armitage) is divided up into modules – be it a scanning utility, malicious payload, or exploit.
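The module paths you see in the module browser (auxiliary/scanner/vnc/vnc_login, exploit/multi/http/tomcat_mgr_deploy) follow the organisation just described: type, then category, then the protocol or product, then the module name. The Brute Force lab earlier asks you to map each open service to its *_login module by hand; the following added example, which is not code from this guide or from the Armitage project, does that mapping from the scan side. It parses one line of nmap "grepable" (-oG) output, the format nmap produces alongside the XML that Armitage reads, and pairs each open service with a *_login module path. The sample scan line is constructed, and the list of module paths is assembled for the example rather than pulled from the framework, so check the module browser for what your install actually has.

```python
"""Map services from an nmap -oG line to Metasploit *_login module paths (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in nmap grepable (-oG) format; address and banners are made up.
SAMPLE_GREPABLE = (
    "Host: 192.168.56.101 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "80/open/tcp//http//Apache httpd 2.2.8/, "
    "5432/open/tcp//postgresql//PostgreSQL DB 8.3.0 - 8.3.7/, "
    "5900/open/tcp//vnc//VNC (protocol 3.3)/, "
    "8180/open/tcp//http//Apache Tomcat/Coyote JSP engine 1.1/"
    "\tIgnored State: closed (993)"
)

# Module paths in the type/category/protocol/name layout of the module browser.
# Assembled for the example; not an exhaustive list of the framework's *_login modules.
LOGIN_MODULES = [
    "auxiliary/scanner/ftp/ftp_login",
    "auxiliary/scanner/ssh/ssh_login",
    "auxiliary/scanner/telnet/telnet_login",
    "auxiliary/scanner/vnc/vnc_login",
    "auxiliary/scanner/postgres/postgres_login",
    "auxiliary/scanner/mysql/mysql_login",
    "auxiliary/scanner/http/tomcat_mgr_login",
]

Service = Tuple[int, str, str]  # (port, nmap service name, version banner)


def parse_grepable_ports(line: str) -> List[Service]:
    """Return (port, service, version) for each open port in one -oG "Host:" line."""
    m = re.search(r"Ports: (.*?)(?:\t|$)", line)
    if not m:
        return []
    services = []
    for entry in m.group(1).split(", "):
        # -oG fields: port/state/proto/owner/service/rpcinfo/version/ ; the version
        # may itself contain "/", so split at most 6 times and keep the remainder.
        fields = entry.rstrip("/").split("/", 6)
        fields += [""] * (7 - len(fields))
        if fields[1] != "open":
            continue
        services.append((int(fields[0]), fields[4], fields[6]))
    return services


def split_module_path(path: str) -> Dict[str, str]:
    """Break 'type/category/.../name' into the parts the module browser shows."""
    parts = path.split("/")
    name = parts[-1]
    return {"type": parts[0], "category": parts[1], "name": name,
            "protocol": name[:-len("_login")] if name.endswith("_login") else name}


def protocol_for(service: Service) -> str:
    """Normalise nmap's service name to the protocol word used in module names."""
    _, name, version = service
    if name == "http" and "Tomcat" in version:
        return "tomcat_mgr"      # the Tomcat manager app, as in the Tomcat lab
    if name == "postgresql":
        return "postgres"
    return name


def candidate_login_modules(services: List[Service],
                            modules: List[str] = LOGIN_MODULES
                            ) -> List[Tuple[int, str, Optional[str]]]:
    """Pair each service with its *_login module path, or None if the list has none."""
    by_protocol = {split_module_path(m)["protocol"]: m for m in modules}
    return [(port, name, by_protocol.get(protocol_for((port, name, version))))
            for port, name, version in services]


def report(line: str) -> List[Tuple[int, str, Optional[str]]]:
    return candidate_login_modules(parse_grepable_ports(line))


if __name__ == "__main__":
    for port, name, module in report(SAMPLE_GREPABLE):
        print(f"{port:>5}/tcp {name:<11} -> {module or '(no *_login module in list)'}")
```

Read as a defender, the output is a list of exposed password-login surfaces on the host: each row with a module path is a service that a single wordlist run can test, and plain HTTP on port 80 correctly gets no match because there is no generic password prompt to guess against.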
Whenever you want to exploit a vulnerability on a given host, you first need to establish a connection with that host, which is called a session. Armitage is built to know how to handle sessions, and organizes sessions with graphics built on top of Meterpreter.
Meterpreter is the part of the framework that lets you run various operations on an exploited system.
Navigating User Interface:-
At first glance, the Armitage user interface can be pretty intimidating. But it really isn’t that complicated. There are basically three main areas of the user interface, which include the targets pane, the modules pane, and tabs on the bottom that provide access to the command line.
First off, let’s start with the modules pane on the left side. You’ll notice that it uses a tree structure much like a file system. It’s in this pane that you can find the modules that allow you to execute a payload, exploit a system, and run various post-exploitation operations. Simply double click on the desired module to open a dialog, and Armitage will do the heavy lifting for you by configuring the module to target specified hosts.
Next, locate the main graphical window pane. Depending on the type of host (operating system, device type, etc.), Armitage will populate a different image. If you see an icon in red with electric tendrils, you are looking at a host in the graphical interface that has been successfully exploited. Green lines between systems indicate a pivot, which just means you can use the exploited host to launch attacks on other systems. To select a host, simply left click on its icon. To select multiple systems, simply hold down the left mouse button and drag the mouse over all the systems you wish to select.
In addition, you can right click on a host to pull up a menu that will help you edit settings, login parameters, session options, and detailed information about the host in question. However, you won’t be able to see the login menu unless you have already used Metasploit to scan the host and identified open sockets on the remote system.
Also, depending on the type of computer you’re running Armitage on, you may want to select different hotkeys (or view them in the first place). To do so, simply click on the Armitage menu in the top left of the window, and then click on “Preferences.” You’ll then be able to see all of the currently configured hotkeys and their default values.
Setting Targets:-
Armitage’s strength (e.g. visualizing targets and hosts) is also its weakness. If you are trying to work with too many hosts, the GUI pane can become extremely cluttered, messy, and overwhelming. Fortunately, you can set target hosts via a table view. Simply click on the Armitage menu in the top left, click on “Set Target View,” and then click on “Table View.” This will allow you to view and set target hosts with an interface that looks more like a clean spreadsheet.
Navigating the Bottom Pane: Tabs and Consoles
It’s also possible to open up multiple tabs in the bottom pane that will allow you to enter Metasploit commands and shell code. By right clicking on a tab, you can undock the tab into its own window for better management. In addition, you can move the sequence of tabs like you would in a web browser, and exit them by clicking on the “x.”
More interesting, however, is the fact that both Meterpreter and Metasploit occupy tabs in the interface. Those of you who have run Metasploit from the command line will feel at home in this pane, since each tab is essentially its own shell environment.
Importing Hosts:-
One of the great features that makes Armitage so darn powerful is its ability to interface with other applications’ data – especially to import host data from other sources. It supports most of the popular scanners, so if you don’t want to run scans in Armitage, or just want to import data from a previous scan, you can load masses of data in a few quick seconds.
Some of the most popular scanners that it interfaces well with include Amap, NMAP, OpenVAS, and Nessus, though it also supports IP360, Burp, NeXpose, Qualys, and several others. If you want to add a set of hosts from another scanner, simply click on the Hosts menu at the top and then click on the “Import Hosts” option.
Finding Exploits:-
Finding ways to exploit systems is no easy task. There are a number of countermeasures designed to mitigate the threat of exploitation, such as firewalls, code updates, and other similar tools. It’s almost more of an art than a science, and things are always changing. Some exploits are extremely temporal because antivirus and operating system developers are always trying to plug up the holes as quickly as possible.
And if you’re new to Metasploit or Armitage, it’s tough getting started if you aren’t aware of any existing exploits. The good news is that Armitage comes equipped with tools to help you find the latest and greatest system vulnerabilities. Basically, Armitage will create a session with a target host, and run some scanning and code-verification and checking utilities to gather information about the target. Then, it will list all known exploits, in much the same way as OpenVAS and Nessus scan for vulnerabilities.
To do a little bit of investigative work, click on a host’s icon, and then browse through the different protocols. For instance, one protocol listed for a host may be FTP. From the FTP menu, look for the very last option, labeled “Check exploits.” In the resulting output, simply check for exploits that are listed as “vulnerable.” You can use ctrl + f to easily find vulnerabilities and simplify the process.
Running an Exploit:-
You can also click on the Attacks menu and then click on “Find Attacks” to browse through the different attack modules residing in Armitage. If you have already checked to see that a system is vulnerable to a certain exploit, simply right click on a host’s icon, click on the “Attack” menu, and then select the exploit you wish to run.
It’s also worth noting that Armitage contains a ranking system for exploits, and by default, will only show exploits with a rank of “great.” You can click on the Armitage menu and then click on “Set Exploit Rank” so that the GUI interface populates exploits with a rank of “good.”