Armitage Manual


  • 8/10/2019 Armitage Manual


I. Table of Contents

1. About Armitage
2. Getting Started
3. User Interface Tour
4. Host Management
5. Exploitation
6. Post-Exploitation
7. Maneuvering
8. Remote Metasploit

    1. About Armitage

    1.1 What is Armitage?

Armitage is a graphical cyber attack management tool for Metasploit (http://www.metasploit.com) that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework.

Advanced users will find Armitage valuable for managing remote Metasploit instances and collaboration. Armitage's red team collaboration features allow your team to use the same sessions, share data, and communicate through one Metasploit instance.

Armitage makes Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.

    1.2 Cyber Attack Management

Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver. This section describes these features at a high level; the rest of this manual covers these capabilities in detail.

For discovery, Armitage exposes several of Metasploit's host management features. You can import hosts and launch scans to populate a database of targets. Armitage also visualizes the database of targets--you'll always know which hosts you're working with and where you have sessions.

Armitage assists with remote exploitation--providing features to automatically recommend exploits and even run active checks so you know which exploits will work. If these options fail, you can use the Hail Mary approach and unleash Armitage's smarter db_autopwn against your target database.

For those of you who are hacking post-2003, Armitage exposes the client-side features of Metasploit. You can launch browser exploits, generate malicious files, and create Meterpreter executables.

Once you're in, Armitage provides several post-exploitation tools built on the capabilities of the Meterpreter agent. With the click of a menu you will escalate your privileges, dump password hashes to a local credentials database, browse the file system like you're local, and launch command shells.

Finally, Armitage aids the process of setting up pivots, a capability that lets you use compromised hosts as a platform for attacking other hosts and further investigating the target network. Armitage also exposes Metasploit's SOCKS proxy module which allows external tools to take advantage of these pivots. With these tools, you can further explore and maneuver through the network.

    The rest of this manual is organized around this process, providing what you need to know in the order you'll need it.

    1.3 Necessary Vocabulary

    To use Armitage, it helps to understand Metasploit. Here are a few things you absolutely must know before continuing:

Metasploit (http://www.metasploit.com/) is a console driven application. Anything you do in Armitage is translated into a command Metasploit understands. You can bypass Armitage and type commands yourself (covered later). If you're ever lost in a console, type help and hit enter.

Metasploit presents its capabilities as modules. Every scanner, exploit, and even payload is available as a module. If you're scanning a host, you use an auxiliary module. Before launching a module, you must set one or more variables to configure the module. The exploit process is similar. To launch an exploit, you must choose an exploit module, set one or more variables, and launch it. Armitage aims to make this process easier for you.

If you successfully exploit a host, you will have a session on that host. Armitage knows how to interact with shell and Windows Meterpreter sessions.

Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is built to take advantage of Meterpreter. Working with Meterpreter is covered later.

The Metasploit Unleashed course (http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training) maintained by the Offensive Security (http://www.offensive-security.com/) folks is excellent. I recommend reading it before going further.

    2. Getting Started

    2.1 Prerequisites

Armitage is installed with the Metasploit 4.0.0 full install package. It has all of the prerequisites you'll need, including:

- Java 1.6.0+ (http://java.sun.com)
- Metasploit 4.0.0+ (http://www.metasploit.com)
- A database and the information to connect to it

Make sure you use the official Sun/Oracle Java. This project does not support other Java environments.

You want the latest version of the Metasploit Framework. Armitage is tested against the latest Metasploit with no goal of supporting older versions. Use subversion to check out the latest version of Metasploit and keep it up to date by running msfupdate regularly.

Finally, you must have a database for Metasploit to connect to. Armitage requires you to know the username, password, hostname, and database before connecting.

I highly recommend that you use PostgreSQL instead of MySQL. There is an unresolved issue in Metasploit causing MySQL databases to break when Metasploit chooses to change a database schema. The Metasploit team also tests with Postgres. The full setup installers for Metasploit on Windows and Linux set up Postgres for you.


    2.2 Getting Started: Linux

To install Armitage on Linux:

1. Make sure you're the root user
2. Download and install the Metasploit Framework from http://www.metasploit.com/. Get the full package with all of the Linux dependencies.
3. After installation, type /opt/framework/app/msfupdate to update Metasploit.
4. Install a VNC viewer (e.g., apt-get install vncviewer on Ubuntu)

    To launch Armitage:

    sudo armitage

Click Start MSF to launch Metasploit's RPC daemon and connect to it. The settings for Metasploit's installed database are already set up for you. You do not need to change the DB connect string.

    2.3 Getting Started: BackTrack Linux

    BackTrack Linux 5 (http://www.backtrack-linux.org) includes Metasploit and Armitage--ready for your use.

Open a terminal and type armitage to start Armitage.

Click the Start MSF button to launch Metasploit and connect Armitage to it.

    If you want to use Armitage, BackTrack Linux is the easiest way to get started.

    2.4 Getting Started: Windows

To install Armitage on Windows:

1. Make sure you're the Administrator user (enable it if you have to: http://lifehacker.com/#!341521/enable-vistas-administrator-acco)
2. Download and install the Metasploit Framework from http://www.metasploit.com/. Get the package with all of the dependencies.
3. Go to Start -> All Programs -> Metasploit Framework -> Metasploit Update

To use Armitage:

1. Navigate to Start -> All Programs -> Metasploit Framework -> Armitage
2. Click Start MSF and wait for a connection

If something goes wrong, press Ctrl-Alt-Del and kill any ruby processes that you see.

    2.5 Getting Started: MacOS X

Armitage works on MacOS X but it's not a supported platform for Armitage. Metasploit does not have an official package for OS X.

There is a lot of manual setup involved getting the pre-requisites working. Cedric Baillet created a step-by-step guide (http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf) to configuring Postgres and Ruby for use with Armitage on MacOS X as well.

I put a lot of energy into Armitage and supporting Windows takes a lot out of me as it is. I'm happy to fix MacOS X specific bugs in Armitage but I will not help you troubleshoot your Metasploit or database installation on MacOS X. I'm not withholding the secret from you--I do not use Metasploit on MacOS X and I have no idea how to help you.

Armitage on MacOS X works fine as a remote client to Metasploit. Download the MacOS X package, extract it, and double-click the Armitage.app file to get started.

    3. User Interface Tour


    3.1 Overview

The Armitage user interface has three main panels: modules, targets, and tabs. You may click the area between these panels to resize them to your liking.

    3.2 Modules

    The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and even run a post-exploitation script. Click through the tree to find the desired module. Double click the module to bring up a dialog with options.

Armitage will place highlighted hosts from the targets panel into the RHOSTS variable of any module launched from here.

You can search for modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and hit enter. The module tree will then show your search results, already expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.

    3.3 Targets - Graph View

    The targets panel shows all hosts in the current workspace. Armitage represents each target as a computer with its IP address andother information about it below the computer. The computer screen shows the operating system the computer is running.


    A red computer with electrical jolts indicates a compromised host. Right click the computer to use any sessions related to the host.

A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.

Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts. Where possible, Armitage will try to apply an action (e.g., launching an exploit) to all selected hosts.

Right click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.

The Login menu is only available after a port scan reveals open ports that Metasploit can log in to. The Attack menu is only available after finding attacks through the Attacks menu bar. Shell and Meterpreter menus only show up when a shell or Meterpreter session exists on the selected host.

Several keyboard shortcuts are available in the targets panel. You may edit these in the Armitage -> Preferences menu.

Ctrl Plus - zoom in
Ctrl Minus - zoom out
Ctrl 0 - reset the zoom level
Ctrl A - select all hosts
Escape - clear selection
Ctrl C - arrange hosts into a circle
Ctrl S - arrange hosts into a stack
Ctrl H - arrange hosts into a hierarchy. This only works when a pivot is set up.
Ctrl R - refresh hosts from the database
Ctrl P - export hosts into an image

    Right click the targets area with no selected hosts to configure the layout and zoom-level of the targets area.

    3.4 Targets - Table View

If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to View -> Targets -> Table View to switch to this mode. Armitage will remember your preference.


    Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.

    Armitage will bold the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.

    3.5 Tabs

All functionality in Armitage is made available below the targets and module area. Each panel you open is presented in its own tab. This is where you will spend most of your time when working with Armitage. There are several panels.

    3.6 Consoles

A console panel lets you interact with a command line interface through Armitage. The Metasploit console, Meterpreter console, and shell session interfaces all use a console panel.

The console panel features a command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.

In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.

Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.

Press Ctrl F to show a panel that will let you search for text within the console.

Use Ctrl A to select all text in the console's buffer.

Armitage sends a use or a set PAYLOAD command if you click a module or a payload name in a console.

    3.7 Logging

Armitage logs all console, shell, and event log output for you. Armitage organizes these logs by date and host. You'll find these logs in the ~/.armitage folder. Go to View -> Activity Logs to open this folder.

    Armitage also saves copies of screenshots, webcam shots, and files downloaded through the GUI to this folder.

Change the armitage.log_everything.boolean preference key to false to disable this feature.

    4. Host Management

    4.1 Workspaces

Use the Hosts menu to add hosts to Metasploit's database. Hosts added to Metasploit are kept in workspaces. A workspace is like a separate database. Workspaces allow you to organize hosts into groups and switch between them.

Use the Workspaces menu to create, switch, and remove workspaces.

    4.2 Importing Hosts

To add host information to Metasploit, you can import it. Metasploit lets you import Nessus scans, NMap output, and more. The Hosts -> Import Hosts menu exposes this capability to you.

    You may add hosts one IP address at a time through Hosts-> Add Hosts...

    4.3 NMap Scans

You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Hosts -> NMap Scan menu has several scanning options.

    NMap scans do not take advantage of pivots you have set up.
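As an added example (not Armitage's or Metasploit's own code), here is what the NMap import does in miniature: a Python parser that turns NMap XML into hosts, their best OS guess, and their open services, the same fields db_import writes into Metasploit's hosts and services tables. The XML below is a constructed sample, not real scan output, and the field choices (highest-accuracy osmatch, open ports only) are this example's assumptions about what is worth keeping.

```python
"""Turn Nmap XML into a host/service table, roughly what Metasploit's
db_import does. Added example; not Armitage or Metasploit code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: a trimmed "nmap -sV -O" run. Not real scan output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O 10.0.0.0/30">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="dc01.corp.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows 2003 microsoft-ds"/></port>
      <port protocol="tcp" portid="135"><state state="open"/>
        <service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003 SP1" accuracy="95"/>
        <osmatch name="Microsoft Windows XP SP2" accuracy="88"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/></port>
      <port protocol="tcp" portid="8180"><state state="open"/>
        <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.24 - 2.6.36" accuracy="90"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

@dataclass
class Service:
    port: int
    proto: str
    name: str
    info: str          # product + version banner, like Metasploit's services.info

@dataclass
class Host:
    address: str
    hostname: str = ""
    mac: str = ""
    os_name: str = ""  # best OS guess, what Armitage draws on the computer icon
    services: list = field(default_factory=list)

def parse_nmap_xml(xml_text):
    """Return {ip: Host} for every host Nmap reported as up."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for h in root.iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered are not worth a database row
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        ip = addrs.get("ipv4") or addrs.get("ipv6")
        if not ip:
            continue
        host = Host(address=ip, mac=addrs.get("mac", ""))
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name", "")
        matches = h.findall("os/osmatch")
        if matches:  # keep the osmatch Nmap is most confident about
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            host.os_name = best.get("name", "")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports become services
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get(k, "") for k in ("product", "version")] if svc is not None else []
            info = " ".join(x for x in parts if x)
            host.services.append(Service(int(p.get("portid")), p.get("protocol"), name, info))
        hosts[ip] = host
    return hosts

if __name__ == "__main__":
    for ip, host in parse_nmap_xml(SAMPLE_NMAP_XML).items():
        print(ip, host.hostname, "|", host.os_name)
        for s in host.services:
            print("   %5d/%s %-12s %s" % (s.port, s.proto, s.name, s.info))
```

Filtered ports are dropped on purpose: a service row for a port nobody can connect to only pollutes the Login and Attack menus, which Armitage builds from the services table.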

    4.4 MSF Scans

Metasploit has many modules for scanning and fingerprinting hosts. These modules work quite well and result in accurate fingerprints when common services are available.

Armitage makes it easy to launch many of these at once through the Hosts -> MSF Scans menu item. Click this item, type in a range of IP addresses, and watch the magic happen.

Armitage uses all auxiliary modules that fingerprint a service. Type _version into the Module search box and hit enter to see a list of these modules.

    You can watch the progress of an MSF Scan through View-> Jobs

You may also highlight one or more hosts, right-click, and select Scan to launch MSF scans.

    5. Exploitation

    5.1 Remote Exploits

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host. This process uses Metasploit's db_autopwn feature to recommend the best exploits on a host by host basis. Use the by vulnerability option only if you've imported a vulnerability scan.

You can exploit a host by right-clicking it, selecting Attack, and choosing an exploit. To show the most appropriate attacks, make sure the operating system is set for the host. The Attack menu is limited to exploits with a rating of great or excellent.

Some useful exploits (e.g., lsass) are ranked good and they don't show in the attack menu. You can still launch them using the module browser. Highlight the host (or hosts) that you want to exploit and navigate to the desired exploit in the module browser. Double click the exploit and you will see the launch dialog.

Under Armitage -> Preferences there is an option to change the minimal exploit ranking. Try good or normal if you want more exploits in the Attack menu.

    5.2 Which exploit?

Learning which exploits to use and when comes with experience. Some exploits in Metasploit implement a check function. These check functions connect to a host and check if the exploit applies. Armitage can use these check functions to help you choose the right exploit when there are many options. For example, targets listening on port 80 will show several web application exploits after you use Find Attacks. Click the Check exploits... menu to run the check command against each of these. Once all the checks are complete, press Ctrl F and search for vulnerable. This will lead you to the right exploit. Keep in mind that a module without a check function reports that it cannot test the host, not that the host is safe, and that a check is only as reliable as the module's author made it.


Clicking a host and selecting Services is another way to find an exploit. If you have NMap scan results, look at the information field and guess which server software is in use. Use the module browser to search for any Metasploit modules related to that software. One module may help you find information required by another exploit. Apache Tomcat is an example of this. The tomcat_mgr_login module will search for a username and password that you can use. Once you have this, you can launch the tomcat_mgr_deploy exploit to get a shell on the host.

If all this fails, you have the hail mary option. Attacks -> Hail Mary launches this feature. Armitage's hail mary option is a smarter db_autopwn. It first finds exploits relevant to your target set. It then filters these exploits using known information about the target. For example, Hail Mary won't launch a Linux exploit against a Windows target. These exploits are then sorted so the best ones are launched first. Once this preparation is complete, Armitage launches these exploits against your targets. This feature won't give you every possible shell, but it's a good option if you don't know what else to do. It is also loud: every attempt leaves traces in the target's logs and can crash a fragile service, so only use it where that is acceptable.
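The following Python is an added example, not Armitage's code, of the selection logic sections 5.1 and 5.2 describe: filter candidate exploits by the minimal ranking preference and by the target's open ports and operating system, then order what remains best first, as Hail Mary does. The rank values are Metasploit's ranking constants; the candidate module list, its ranks and default ports are constructed for illustration, and treating "unix" modules as compatible with Linux targets is an assumption of this example.

```python
"""Exploit selection the way Armitage's Attack menu and Hail Mary do it.
Added example; not Armitage's code. Candidate list and ranks are constructed."""
from dataclasses import dataclass

# Metasploit's ranking constants (Msf::ManualRanking .. Msf::ExcellentRanking).
RANKS = {"manual": 0, "low": 100, "average": 200, "normal": 300,
         "good": 400, "great": 500, "excellent": 600}

@dataclass(frozen=True)
class Module:
    name: str
    rank: str
    platforms: frozenset   # target platforms; empty means platform-independent
    port: int              # port the exploit needs open (illustrative RPORT)

# Constructed candidate set: real module names, illustrative ranks and ports.
CANDIDATES = [
    Module("exploit/windows/smb/ms08_067_netapi", "great", frozenset({"windows"}), 445),
    Module("exploit/windows/smb/ms06_040_netapi", "good", frozenset({"windows"}), 445),
    Module("exploit/windows/smb/ms04_011_lsass", "good", frozenset({"windows"}), 445),
    Module("exploit/multi/http/tomcat_mgr_deploy", "excellent", frozenset(), 8180),
    Module("exploit/unix/ftp/vsftpd_234_backdoor", "excellent", frozenset({"unix"}), 21),
    Module("exploit/linux/samba/lsa_transnames_heap", "average", frozenset({"linux"}), 445),
]

def platform_of(os_name):
    """Map the OS string stored on a host to a platform family."""
    s = os_name.lower()
    if "windows" in s:
        return "windows"
    if "linux" in s:
        return "linux"
    if any(w in s for w in ("bsd", "solaris", "unix", "aix")):
        return "unix"
    return "unknown"

def applies_to(module, platform):
    """Platform filter. Assumption: 'unix' modules are usable against Linux targets."""
    if not module.platforms or platform == "unknown":
        return True   # nothing known about the target, so nothing rules the module out
    compatible = {platform, "unix"} if platform == "linux" else {platform}
    return bool(module.platforms & compatible)

def attack_menu(os_name, open_ports, min_rank="great", candidates=CANDIDATES):
    """Names for the Attack menu: rank >= min_rank, port open, platform fits, best first."""
    floor = RANKS[min_rank]
    platform = platform_of(os_name)
    chosen = [m for m in candidates
              if RANKS[m.rank] >= floor and m.port in open_ports and applies_to(m, platform)]
    return [m.name for m in sorted(chosen, key=lambda m: (-RANKS[m.rank], m.name))]

def hail_mary_order(os_name, open_ports, candidates=CANDIDATES):
    """Hail Mary applies no rank floor: everything that fits, launched best first."""
    return attack_menu(os_name, open_ports, min_rank="manual", candidates=candidates)

if __name__ == "__main__":
    print(attack_menu("Microsoft Windows Server 2003 SP1", {135, 445}))
    print(attack_menu("Microsoft Windows Server 2003 SP1", {135, 445}, min_rank="good"))
    print(hail_mary_order("Linux 2.6.24 - 2.6.36", {22, 445, 8180}))
```

Note what happens when the host has no operating system set: the platform filter cannot exclude anything, so Windows and Linux exploits alike end up in the list. That is why section 5.1 tells you to set the OS before looking at the Attack menu.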

    5.3 Launching Exploits

    Armitage uses this dialog to launch exploits:

    The exploit launch dialog lets you configure variables for a module and choose whether to use a reverse connect payload.

Variables are presented in a table. Double click a value to edit it. If a variable requires a filename, double click the variable name to bring up a file chooser dialog. You may also view and set advanced options by checking Show advanced options.

Armitage chooses a payload for you. Windows exploits will use a Meterpreter payload. UNIX exploits will launch a command shell.

Click Launch to launch the exploit. If the exploit is successful, the host's computer will change color in the targets panel. Metasploit will also print a message to any open consoles.

    5.4 Client-side Exploits


Armitage makes it easy to configure client-side exploits available with Metasploit. The Attacks menu has options to set up browser attacks, email client attacks, and even generate malicious files.

Attacks set up in this way are pre-configured to connect back to your current Metasploit instance. The exploit handler is already configured for you.

Browser Autopwn creates a URL that uses JavaScript to fingerprint anyone who connects and launches an appropriate browser exploit against them.

File Autopwn sets up a URL serving many malicious files, generated for your viewing pleasure. Visit the URL, download a file, and send it to your target. Or get them to download it directly.

Hosts compromised via client-side exploits will show up in the targets panel when they connect back. Armitage does not need to know about these hosts beforehand.

You may also use the module browser to find and launch client-side exploits. Search for *fileformat* or *browser*.

    5.5 Client-side Exploits and Payloads

If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks sane defaults for you.

In a penetration test, it's usually easy to get someone to run your evil package. The hard part is to get past network devices that limit outgoing traffic. For these situations, it helps to be aware of Metasploit's different payload communication options. There are payloads that speak HTTP, HTTPS, and even communicate to IPv6 hosts. These payloads give you options in a tough egress situation.

To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload.

If you see SOMETHING ! in a table, this means you can double-click that item to launch a dialog to help you configure its value. This convention applies to the module launcher and preferences dialogs.

Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession, LHOST and LPORT values for you. You're welcome to edit these values as you see fit.

If you chose to select the Start a handler for this payload option, Armitage will set the payload-related values to instruct Metasploit to launch a handler for the payload when the exploit launches. If you did not select this value, you're responsible for setting up a multi/handler for the payload. Go to View -> Jobs to see which handlers are running.

    5.6 Generate a Payload

Exploits are great, but don't ignore the simple stuff. If you can get a target to run a program, then all you need is an executable. Armitage can help you generate an executable from any of Metasploit's payloads. Choose a payload in the module browser, double click it, select the type of output, and set your options. Once you click launch, a save dialog will ask you where to save the file to.

When you generate a payload, you're responsible for setting up a listener to interact with it. Select the multi/handler output type in the payload dialog to set up a handler for the payload with your desired options.

For Meterpreter and shell payloads, you may also go to Armitage -> Listeners to quickly launch a multi/handler. Choose a bind listener to connect to a listening payload or a reverse listener to wait for a payload to connect.

    6. Post Exploitation

    6.1 Managing Sessions

Armitage makes it easy to manage the Windows Meterpreter agent once you successfully exploit a host. Hosts running the Meterpreter payload will have a Meterpreter N menu for each Meterpreter session.


If you have shell access to a host, you will see a Shell N menu for each shell session. Right click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter... to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.

    6.2 Access

Once you exploit a host, duplicating your access should be a first priority. Meterpreter N -> Access -> Duplicate will generate a meterpreter executable, upload, and run it on the host for you. If you lose the original session, this will give you a fall back.

Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges option to try several Windows privilege escalation options.

    6.3 Session Passing

If you have a friend with Metasploit, you may use the Meterpreter N -> Access -> Pass Session option to send a meterpreter session to them. Tell your friend to configure a Metasploit multi/handler for the windows/meterpreter/reverse_tcp payload. Armitage will ask you for the host:port of the meterpreter multi/handler.

If your friend is using Armitage, have them type set in a Console tab and report the LHOST and LPORT values to you. These values are set by Armitage when it creates the default meterpreter listener.

    6.4 File Browser

Meterpreter gives you several options for exploring a host once you've exploited it. One of them is the file browser. This tool will let you upload, download, and delete files.

    Right-click a file to download or delete it. If you want to delete a directory, make sure it's empty first.

If you have system privileges, you may modify the file timestamps using the File Browser. Right-click a file or directory and go to the Timestomp menu. This feature works like a clipboard. Use Get MACE Values to capture the timestamps of the current file. Right-click another file and use Set MACE Values to update the timestamps of that file.

Go to Meterpreter N -> Explore -> Browse Files to access the File Browser.

    6.5 Command Shell

You can reach a command shell for a host through Meterpreter N -> Interact -> Command Shell. The Meterpreter shell is also available under the same parent menu.

Navigating to the Meterpreter N menu for each action gets old fast. Right-click inside the Meterpreter shell window to see the Meterpreter N menu items right away.

    Close the command shell tab to kill the process associated with the command shell.

    6.6 Post-exploitation Modules

Metasploit has several post-exploitation modules too. Navigate the post branch in the module browser. Double-click a module and Armitage will show a launch dialog. Armitage will populate the module's SESSION variable if a compromised host is highlighted. Each post-exploitation module will execute in its own tab and present its output to you there.

To find out which post-modules apply for a session: right-click a compromised host and navigate to Meterpreter N -> Explore -> Post Modules or Shell N -> Post Modules. Clicking this menu item will show all applicable post-modules in the module browser.

    Metasploit saves post-exploitation data into a Loot database. To view this data go to View-> Loot.

You may highlight multiple hosts and Armitage will attempt to run the selected post module against all of them. Armitage will open a new tab for the post module output of each session. This may lead to a lot of tabs. Hold down shift and click X on one of the tabs to close all tabs with the same name.


    7. Maneuvering

    7.1 Pivoting

    Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.

To create a pivot, go to Meterpreter N -> Pivoting -> Setup.... A dialog will ask you to choose which subnet you want to pivot through the session.

Once you've set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.

To use a pivot host for a reverse connection, set the LHOST variable in the exploit launch dialog to the IP address of the pivot host. The target cannot reach your attack box directly, so the reverse connection must land on the pivot host, where Meterpreter forwards it back to Metasploit.
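The route table behind a pivot, as an added Python example rather than Metasploit's own implementation: Metasploit's "route add <subnet> <netmask> <session>" command (which is what the Pivoting -> Setup dialog issues) records which session carries traffic for which network, and a connection to a target goes through the most specific matching route, or directly when nothing matches. The addresses, interface list and session numbers below are constructed.

```python
"""Pivot routing in miniature: the table Metasploit keeps with
'route add <subnet> <netmask> <session>' and the lookup that decides which
Meterpreter session carries a connection. Added example, not Metasploit code;
addresses and session ids are constructed."""
import ipaddress

class RouteTable:
    def __init__(self):
        self.routes = []   # (ip_network, session_id) in insertion order

    def add(self, subnet, netmask, session_id):
        """route add 10.10.5.0 255.255.255.0 2 ; returns the normalized network."""
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        if (net, session_id) not in self.routes:
            self.routes.append((net, session_id))
        return str(net)

    def remove(self, subnet, netmask, session_id):
        """route remove ... ; True if a route was actually deleted."""
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r != (net, session_id)]
        return len(self.routes) != before

    def session_for(self, dest):
        """Session id to tunnel a connection to dest through; None means connect directly."""
        addr = ipaddress.ip_address(dest)
        best = None
        for net, sid in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)   # longest prefix wins, as in an ordinary routing table
        return None if best is None else best[1]

    def dump(self):
        """Rows as 'route print' shows them: subnet, netmask, session."""
        return [(str(n.network_address), str(n.netmask), sid) for n, sid in self.routes]

def networks_on_host(interfaces):
    """Subnets a compromised host can see, from its (ip, netmask) interface list,
    minus loopback: the candidates the Pivoting -> Setup dialog offers."""
    nets = []
    for ip, mask in interfaces:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.is_loopback:
            continue
        nets.append(str(net))
    return nets

if __name__ == "__main__":
    table = RouteTable()
    # Constructed: session 1 sits on a host that sees 10.10.0.0/16; session 2 is
    # deeper inside, on a host in 10.10.5.0/24, so it should carry that /24.
    table.add("10.10.0.0", "255.255.0.0", 1)
    table.add("10.10.5.0", "255.255.255.0", 2)
    for target in ("10.10.5.7", "10.10.9.1", "192.168.1.1"):
        print(target, "->", table.session_for(target))
    print(networks_on_host([("10.10.5.7", "255.255.255.0"), ("127.0.0.1", "255.0.0.0")]))
```

The longest-prefix rule matters once you chain pivots: a broad route through the first compromised host and a narrower one through a second, deeper host can coexist, and the narrower one wins for its subnet.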

    7.2 Scanning and External Tools

Once you have access to a host, it's good to explore and see what else is on the same network. If you've set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.

To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N -> ARP Scan. Create a pivot to route traffic to these internal hosts through the existing Meterpreter session. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Metasploit's built-in discovery scans. These scans will honor the pivot you set up.

External tools (e.g., nmap) will not use the pivots you've set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy... to launch the SOCKS proxy server.

The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you're local. You may also configure proxychains (http://proxychains.sourceforge.net/howto.html) on Linux to use almost any program through a proxy pivot. Only TCP connections travel through the proxy: ICMP pings, UDP probes, and SYN scans do not, so run nmap through proxychains as a connect scan with host discovery off (nmap -sT -Pn).
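An added Python example, not Metasploit's socks4a module, of the exchange a client has with the SOCKS4 proxy: build the CONNECT request (in its SOCKS4a form when the destination is a hostname the proxy should resolve), read the 8-byte reply, and only then talk to the destination. This is what proxychains does on your behalf for each connection. The proxy address 127.0.0.1:1080 and the pivoted target 10.10.5.7 in the usage section are assumptions.

```python
"""SOCKS4 / SOCKS4a CONNECT from the client side. Added example; not
Metasploit's or proxychains' code. Request/reply layouts follow the SOCKS4
specification and the SOCKS4a extension."""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B   # 0x5C / 0x5D: identd-related failures

def build_connect_request(host, port, userid=b""):
    """8-byte header, userid, NUL; SOCKS4a appends the hostname when host is not an IPv4 literal."""
    try:
        ip = socket.inet_aton(host)
        tail = b""
    except OSError:
        ip = b"\x00\x00\x00\x01"            # 0.0.0.x tells a SOCKS4a proxy to resolve the name itself
        tail = host.encode("idna") + b"\x00"
    return struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, ip) + userid + b"\x00" + tail

def parse_connect_reply(data):
    """Return (granted, bound_ip, bound_port) from the proxy's 8-byte reply."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:                              # reply version byte is always 0 in SOCKS4
        raise ValueError("bad SOCKS4 reply version %d" % vn)
    return cd == REPLY_GRANTED, socket.inet_ntoa(ip), port

def socks4_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=10):
    """Open a TCP connection to dest through the SOCKS4 proxy and return the socket."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(build_connect_request(dest_host, dest_port))
    reply = b""
    while len(reply) < 8:                    # the reply may arrive in pieces
        chunk = s.recv(8 - len(reply))
        if not chunk:
            s.close()
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    granted, _, _ = parse_connect_reply(reply)
    if not granted:
        s.close()
        raise ConnectionError("SOCKS4 request rejected (code 0x%02x)" % reply[1])
    return s   # from here on, bytes go to dest_host:dest_port through the pivot

if __name__ == "__main__":
    # Assumed: Metasploit's SOCKS4 server listening on 127.0.0.1:1080 and a web
    # server at 10.10.5.7 that is only reachable through a pivot.
    conn = socks4_connect("127.0.0.1", 1080, "10.10.5.7", 80)
    conn.sendall(b"GET / HTTP/1.0\r\nHost: 10.10.5.7\r\n\r\n")
    print(conn.recv(4096).decode(errors="replace"))
    conn.close()
```

Sending the hostname in SOCKS4a form keeps DNS lookups on the far side of the pivot; resolving names locally would leak internal hostnames to your own resolver and usually fail anyway.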

    7.3 Pass-the-Hash

When you log in to a Windows host, your password is hashed and compared to a stored hash of your password. If they match, you're in. When you attempt to access a resource on the same Windows domain, the stored hash, not the password, is what answers the other host's authentication challenge. With access to these hashes, you can use this mechanism to take over other hosts on the same domain without ever learning a password. This is called a pass-the-hash attack.

To collect hashes, visit Meterpreter N -> Access -> Dump Hashes. You need administrative privileges to do this. Armitage will store the collected hashes in a database for your use later.

You may view collected hashes through View -> Credentials. For your cracking pleasure, the Export button in this tab will export credentials in pwdump format. You may also use the Crack Passwords button to run John the Ripper against the hashes in the credentials database.

To install Meterpreter on another Windows host, right-click the host and go to Login -> psexec. This will present a dialog where you can select which hash to login with.

Your hosts must be on the same Active Directory domain for this attack to work, or the hash must belong to a local account that exists with the same password on the target host (a shared local Administrator password across workstations is the classic case).
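An added Python example, not Armitage's or John the Ripper's code, for working with the hashes exported in pwdump format: compute NT hashes (MD4 over the UTF-16LE password, implemented here because many OpenSSL builds no longer expose MD4 to hashlib), test a short wordlist against them offline, and flag accounts that share one hash, which is exactly what makes a hash worth passing to the next host. The dump lines and the wordlist are constructed; the two test vectors (NT hash of "password" and of the empty password) are the well-known values.

```python
"""pwdump parsing, NT hash computation and a tiny offline check.
Added example; not Armitage's or John's code. Sample dump is constructed."""
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data):
    """RFC 1320 MD4; returns the 16-byte digest. NTLM is MD4(UTF-16LE(password))."""
    mask = 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1: words in order, no constant
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2: word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3: word order 0,8,4,12,2,10,6,14,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password):
    """Lower-case hex NT hash, as it appears in the fourth pwdump field."""
    return md4(password.encode("utf-16-le")).hex()

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" : LM storage is disabled

def parse_pwdump(text):
    """pwdump lines are user:rid:LMhash:NThash::: ; returns a list of dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed pwdump line: %r" % line)
        entries.append({"user": fields[0], "rid": int(fields[1]),
                        "lm": fields[2].lower(), "nt": fields[3].lower(),
                        "lm_disabled": fields[2].lower() == EMPTY_LM})
    return entries

def try_wordlist(entries, words):
    """Offline check of candidate passwords against the NT hashes; returns {user: password}."""
    lookup = {ntlm_hash(w): w for w in words}
    return {e["user"]: lookup[e["nt"]] for e in entries if e["nt"] in lookup}

def shared_hashes(entries):
    """Accounts with identical NT hashes: one hash to pass opens all of them."""
    by_hash = {}
    for e in entries:
        by_hash.setdefault(e["nt"], []).append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}

# Constructed sample export; the NT hashes are those of "password" and "".
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_PWDUMP)
    print(try_wordlist(entries, ["", "letmein", "password"]))
    print(shared_hashes(entries))
```

The empty LM field (aad3b435...) tells you LM hashes are not stored, so only the NT hash is worth cracking; for pass-the-hash the NT hash is all psexec needs anyway.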

    7.4 Netcat Listeners

A popular technique for creating a quick backdoor is to use netcat to launch a command shell on connection. Netcat can either listen for a connection or connect back to you.

Armitage can take advantage of these sessions. Go to Armitage -> Listeners and choose bind to connect to a listening netcat session. Choose reverse to wait for netcat to connect back to you. This is one way to receive a shell from a friend who has already compromised a host.


    7.5 Password Brute Force

Metasploit can attempt to guess a username and password for a service for you. This capability is easy to use through the module browser.

Metasploit supports brute forcing through the auxiliary modules named <service>_login (e.g., ssh_login, smb_login). Type login into the module browser search box to search for them.

To brute force a username and password over SSH, browse to auxiliary/scanner/ssh/ssh_login in the modules panel and double click it.

If you know the username, set the USERNAME variable. If you'd like Metasploit to brute force the username, select a value for USER_FILE. Double click the USER_FILE variable to bring up a file chooser where you can select a text file containing a list of usernames.

Metasploit has many files related to brute forcing in the [metasploit install]/data/wordlists directory.

Set the PASS_FILE variable to a text file containing a list of passwords to try.

If you're only brute forcing one host and you have a lot of usernames/passwords to try, I recommend using an external tool like Hydra. Metasploit does not make several parallel connections to a single host to speed up the process. This lesson can be taken one step further--use the right tool for each job.

    8. Remote Metasploit

    8.1 Remote Connections

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage offers a deconfliction server to make these features available when managing a remote Metasploit instance.

Connecting to a remote Metasploit requires starting a Metasploit RPC server. You may start a brand new one or launch the RPC server from a running Metasploit console. The next two sections show you how to do this. Section 8.4 shows you how to start Armitage's deconfliction server for teaming.

    With these two servers set up, your use of Metasploit will look like this diagram:

    It's possible to connect Armitage to a Metasploit RPC server without the deconfliction server. If you do this, remember that somefeatures will not work and only one person should connect at a time.

    8.2 Launching Metasploit's RPC Daemon


    Metasploit's RPC daemon accepts local and remote connections from Armitage. To start the daemon:

    sudo msfrpcd -S -U msf -P wiggles -f

    This will start msfrpcd with the user msf, password wiggles, no SSL listener, on the default port 55553.

    I recommend disabling SSL, with the -S flag, when using msfrpcd. The Java package distributed with Metasploit 3.7.0 has a weird problem with the crypto. You may get an "RSA Premaster secret error" if you try to connect Armitage to a Metasploit with SSL enabled.

    Once this daemon is started: start Armitage, type the correct username and password into Armitage, and click Connect. Armitage will now connect to this running daemon. If the daemon is not running (or you got one of the parameters wrong!), Armitage will keep trying to connect until you close it.

    I recommend using the Metasploit RPC server if you're using Armitage locally. If something happens to Armitage, you can reconnect without losing your data and sessions. If you want to connect to a Metasploit RPC server remotely, set up the deconfliction server. Once started, the deconfliction server will tell you the information you need to connect Armitage to Metasploit, including the remote Metasploit server's database connect string.

    8.3 Launching the RPC Server from a running Metasploit Console

    If you have a running Metasploit instance, you may launch the RPC server without quitting. To do this:

    load xmlrpc ServerHost=0.0.0.0 ServerPort=port

    The value of 0.0.0.0 for ServerHost forces Metasploit to accept connections from any address. You may change this to something more specific. Be sure to provide a numerical value, say 55553, for port.

    If you don't specify ServerHost=0.0.0.0 then the RPC server will only listen for connections from 127.0.0.1. You will see a connection refused message from Armitage when this happens.

    Once the RPC daemon launches, you will see a username and password. Take note of these. You will need them when you launch Armitage.


    Once the RPC server is loaded you can connect Armitage to it. Make sure Use SSL is not checked.

    If you launch the Metasploit RPC server this way AND Metasploit was installed using the full setup package then the database is connected already. Type db_status to verify this. If the database is connected, then you do not need to worry about the DB Connect String when connecting with Armitage from a remote host.

    This process works on Windows and Linux.

    When emulating a social engineering attack or using client-side exploits, it's helpful to set up Metasploit on a remote server to receive sessions. I configure my listeners through Metasploit's console. Once the attack is launched, I load xmlrpc and I have the option to connect with Armitage to manage the post-exploitation process.

    8.4 Multi-Player Metasploit: Getting Started

    Armitage's deconfliction server allows your team to collaborate using Metasploit. First, you must start a Metasploit RPC instance as shown in the previous sections. Then, on the same system and from the same directory, run Armitage's deconfliction server:

    armitage --server host port user password ssl?

    The deconfliction server is not a GUI program. You may run it over SSH. This command will start the deconfliction server and connect it to Metasploit on the specified port using the Metasploit RPC username and password you provide. Use 1 for ssl? if you'd like Armitage to connect to Metasploit using SSL. Set this value to 0 for no SSL. For the host value, specify the IP address remote Armitage users will use to connect to your Metasploit instance.

    Be aware that the Armitage deconfliction server binds the Metasploit port you specify + 1. If you use port 55553 for Metasploit, Armitage will bind 55554 for the deconfliction server. Armitage clients need to connect to your attack host on both of these ports.

    It helps to see an example. This command starts a Metasploit RPC server with the username msf and the password wiggles. The default listening port for Metasploit is 55553. The -S parameter disables SSL.

    msfrpcd -U msf -P wiggles -S -f

    This command connects Armitage's network attack deconfliction server to the Metasploit RPC server located on 192.168.95.3, listening on port 55553. The username is msf and the password is wiggles. SSL is disabled.

    armitage --server 192.168.95.3 55553 msf wiggles 0

    Optionally, you may specify a message of the day file. The message of the day file is displayed to users when they connect to Metasploit with Armitage. Use the following options to specify the message of the day file:

    armitage --motd /path/to/motd.txt --server host port user password ssl?

    You do not need to run a local Armitage client on the Metasploit server.

    When the deconfliction server starts, Armitage will try to provide you with a database string and other connection details. Use this information to fill out the set up dialog when Armitage starts. Click Connect. The first client to connect must have the correct database string. Future clients don't need it.

    Once you connect, Armitage will ask for your nickname. Provide it. When you're connected and the database is set up, invite the rest of your team to connect. Make sure your teammates are using the latest Armitage client. Teammates may connect from different operating systems, so long as they have the same version of Java (e.g., 1.6). Your team members do not need to know the database information.

    Make sure your team is on the same page before allowing them to connect with Armitage. It will help greatly if everyone reads this documentation. I've had teammates launch Hail Mary attacks and use Clear Hosts on a shared Armitage server. Armitage makes it easy to collaborate, but it also allows untrained team members to hurt the current operation. I recommend taking advantage of the --motd [file] option to spell out the rules of engagement for using a shared Metasploit instance with Armitage.

    Finally, be aware that connecting a team to Metasploit consumes resources. Make sure you have a decent amount of RAM (at least 1GB) on your attack server. Your attack server should be a Linux host too.

    8.5 Multi-Player Metasploit

    Armitage's deconfliction server adds extra features to Armitage clients connecting to Metasploit remotely. Most of the features degraded during a plain remote connection are now present.

    Multiple users can now connect to one Metasploit instance and collaborate with each other. Host information, scan data, and sessions are shared using Metasploit's database.

    View -> Event Log lets you communicate with users connected to the same Metasploit instance. You should always have this tab open. In a penetration test this event log will help you reconstruct major events.

    Multiple users may now use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.


    Metasploit shell sessions are automatically locked and unlocked when in use. If a user is interacting with a shell, Armitage will warn you that it's in use.

    The file browser download feature will download from your target to the Metasploit server. If a file downloads quickly enough (less than ten seconds), Armitage will grab it from the Metasploit server for you. The upload feature will upload your file to Metasploit and then upload it to the target host.

    Penetration testers will find this feature invaluable. Imagine you're working on a pen test and come across a system you don't know much about. You can reach back to your company and ask your local expert to load Armitage and connect to the same Metasploit instance. They will immediately have access to your scan data and they can interact with your existing sessions... seamlessly.

    Or, imagine that you're simulating a phishing attack and you get access to a host. Your whole team can now work on the same host. One person can search for data, another can set up a pivot and search for internal hosts to attack, and another can work on persistence. The sky is the limit here.

    Some meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running meterpreter scripts.

    This document is licensed under a Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/)

    2010-2011 Raphael Mudge (http://www.hick.org/~raffi/) Connect: Twitter (http://twitter.com/armitagehacker) | Facebook (http://www.facebook.com/pages/Armitage/188508384501166?v=wall) | IR