Hacking Metasploit — Part 3

What is Armitage?
Armitage is a Java tool that uses the Metasploit database and resources to visualize targets, recommend
exploits, and expose the framework's advanced post-exploitation features. Its GUI makes
penetration testing easier.

Pre-Install Requirements
Armitage requires the following tools to be properly installed:

* Metasploit Framework
* PostgreSQL Database
* Nmap
* Oracle’s Java 1.7

Installation
In this section we present a step-by-step guide to installing Armitage on the following OS
platforms:

Mac OSX
To install, type the following commands:

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
tar -xvzf /tmp/armitage.tgz -C /usr/local/share
sh -c "echo java -jar /usr/local/share/armitage/armitage.jar \$\* > /usr/local/share/armitage/armitage"
ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage
ln -s /usr/local/share/armitage/teamserver /usr/local/bin/teamserver
perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver

Note the escaped \$\* in the sh -c line: it has to reach the wrapper script literally so that any
arguments you give to "armitage" are passed on to the jar; an unescaped $* is expanded (to nothing)
by your own shell before the script is written. The perl line rewrites the teamserver script so it
refers to armitage.jar by its absolute path. Armitage is now installed and you should be able to
launch it with the command "armitage" from your terminal window.

Linux
Type the following commands:

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
sudo tar -xvzf /tmp/armitage.tgz -C /usr/local/share
sudo sh -c "echo java -jar /usr/local/share/armitage/armitage.jar \$\* > /usr/local/share/armitage/armitage"
sudo ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage
sudo ln -s /usr/local/share/armitage/teamserver /usr/local/bin/teamserver
sudo perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver

You should now be able to start Armitage by typing "armitage" on your console.

Windows
Download the following zip file: http://www.fastandeasyhacking.com/download/armitage140715.zip

Then extract it. You will be presented with the files shown in the following figure:

To launch Armitage, just double-click "armitage.exe".

Utilization of Armitage
When Armitage starts, it shows a connection window like the following, asking you to provide:

* Host: the IP address of the machine where Metasploit is installed. For instance, we are going to use our localhost.
* Port: the port to connect to; leave it at the default "5553"
* User, Pass: the database username and password that we set during the MSF installation

Once you supply the correct credentials, hit "Connect" and Armitage should start initializing. If
the Metasploit RPC server is not running, it will ask whether you would like Armitage to start it for you, as follows.

Press "Yes" if it shows up. The next window shows the loading progress; don't
panic if it says "Connection refused", it will eventually connect, as follows:

Finally, we have Armitage up and running:

Armitage GUI Description
As in the previous figure, here is a description of each GUI section shown:

1. The target window, where discovered hosts show up
2. The console, where the different sessions are shown and where you work with the
exploits
3. The module browser, where you can browse through the modules and use one with a
simple double-click
4. The search box, where you can search for a particular auxiliary, exploit, payload or post-exploitation module by name

Scanning and Exploitation
To scan the network using Armitage, you should proceed as follows:

* Select “Hosts -> Nmap scan -> Quick scan (OS detect)”

* Then enter the IP range that you want to scan:

Now, if several hosts that we know exist did not show up in the results for some reason, we can
always add them manually like so:

* Select “Hosts -> Add hosts”

* After that, enter one host per line as follows:

Now that we have added our target host, we can scan it using the following steps:

* Right click on the target host -> Scan

* A new tab named "scan" appears and a series of scanning modules runs, as follows:

When the scan is completed, a window pops up with the message "Scan Complete!",
as follows:

Once the scan is fully completed, we look for specific attacks on those open ports. For that, we select
the host and then proceed with the menus as follows:

"Attacks -> Find attacks" tells Armitage to find suitable exploits for this particular host:

Now, by right-clicking the host we can see the "Attack" menu with a bunch of suggested exploits
for it:

For example, we are going to use the "netapi" SMB exploit this time against our Windows target.

Once we select the exploit, a new window opens in which we can choose from
different options, as in the following figure:

Now hit Launch and the exploit should be sent!

Then a new tab named "exploit" is added to the console and we see a new session open,
which means we have successfully exploited the host and now have access to it.

The host now appears in red, with some information about the current user we are running as.

Now we can see the meterpreter session when we right-click the compromised host, as follows:

Up to this point, we have the ability to Interact, Explore, Access and Pivot.
Armitage recommends several exploits and will optionally run active checks, as we did, to tell
you which exploits are likely to work. If those options fail, you may use the Hail Mary attack to
unleash Armitage's automatic exploitation against your designated targets, as follows:

* First, select the host by left-clicking on it and go to "Attacks -> Hail Mary":

It now warns you that flooding the host with exploits may cause the target to crash; press "Yes"
to continue. However, if you are afraid that the target will shut down and become
unreachable, press "No" and the attack will be cancelled.

If you press "Yes", it loads all the exploits and their handlers automatically, as in the following figure:

The opened sessions then show up in the console. If two or more exploits worked and
executed successfully on the remote host, it shows sessions for them too:

And the host shows up in red (exploited), letting us know that we have access
to it.

Now we move on to the fun part, which is pivoting.
Pivoting
Once we get access to one host on the network, meterpreter gives us the ability to use that
host as a pivot to go further into that network (scan, exploit, etc.).

We will use this technique to attack another host in the network that is on a different
subnet from the previously compromised Windows computer.

Let's assume the networks' addressing schemes are as follows:

Attacker Network:
* LAN: 192.168.0.2

Client Networks (Win XP):

* LAN1: 192.168.0.12
* LAN2: 192.168.1.0/24 (our second target network)

Obviously, the attacker cannot reach 192.168.1.0/24 from its own 192.168.0.0/24 network,
which is why we need pivoting to reach the target network.

* First, we need to run an Address Resolution Protocol (ARP) scan; this reveals existing
hosts that have already communicated with our compromised target.

* Secondly, we need to add a route so that we can reach the other subnet (192.168.1.x
in our case), as follows:

* Then select the target subnet (192.168.1.0 in our case).
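
To make the route step concrete, here is an added example (not code from the original post or from Armitage) that models the route table Metasploit keeps once a pivot route is added: a destination address is matched against each subnet/netmask entry and the most specific match decides which session carries the traffic, while unmatched destinations go out the attacker's own stack. The session id 1 for the compromised Windows XP host is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Scenario from the post:
# attacker on 192.168.0.2, compromised Windows XP host 192.168.0.12 holding
# session 1 (assumed id), and 192.168.1.0/24 reachable only through it.

# Route table in the same shape as msfconsole's "route print":
# subnet netmask session. Constructed for this illustration.
PIVOT_ROUTES="192.168.1.0 255.255.255.0 1"

# ip2int 192.168.1.101 -> 3232235877 (dotted quad to 32-bit integer)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%s' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# add_route SUBNET NETMASK SESSION appends an entry, like the "Add route" step.
add_route() {
    PIVOT_ROUTES="$PIVOT_ROUTES
$1 $2 $3"
}

# route_for TARGET_IP -> session id whose meterpreter carries the traffic,
# or "direct" when no pivot route matches (most specific netmask wins).
route_for() {
    target=$(ip2int "$1")
    printf '%s\n' "$PIVOT_ROUTES" | {
        best=direct
        bestmask=-1
        while read -r net mask sid; do
            [ -n "$net" ] || continue
            n=$(ip2int "$net")
            m=$(ip2int "$mask")
            if [ $(( target & m )) -eq $(( n & m )) ] && [ "$m" -gt "$bestmask" ]; then
                best=$sid
                bestmask=$m
            fi
        done
        printf '%s' "$best"
    }
}

# Demo with the post's addresses: the second-subnet host is reached through
# session 1, a host on the attacker's own LAN needs no pivot.
printf 'route to 192.168.1.101 -> session %s\n' "$(route_for 192.168.1.101)"
printf 'route to 192.168.0.12  -> %s\n' "$(route_for 192.168.0.12)"
```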

Once we have added the route, a link appears from the first compromised host to the second one that
we discovered on the other subnet, as in the following figure:

Once we have finished scanning all the hosts and directed Armitage to show us the available
exploits for their open ports, we select an exploit and launch it against the host. Armitage will
show the other host as compromised :) like so:

We have successfully pivoted to the host "192.168.1.101" on the second subnet. In the next
module, we will discuss pivoting and post-exploitation in more detail!

Originally published at https://learncybersec.blogspot.com.
