Armitage is a GUI for Metasploit that makes penetration testing easier. It was developed by Raphael Mudge. The tool saves time and also gives security professionals a good understanding of Metasploit. Its major advantages are that it recommends exploits, has advanced post-exploitation features, and provides a very good visualization of the targets.
We can scan a particular target or import data from other security scanners, which can then be used in Armitage for further attacks. The following scanner file formats are currently supported for adding hosts to Armitage:
- Acunetix XML
- Amap Log
- Amap Log -m
- Appscan XML
- Burp Session XML
- Foundstone XML
- IP360 ASPL
- IP360 XML v3
- Microsoft Baseline Security Analyzer
- Nessus NBE
- Nessus XML (v1 and v2)
- NetSparker XML
- NeXpose Simple XML
- NeXpose XML Report
- Nmap XML
- OpenVAS Report
- Qualys Asset XML
- Qualys Scan XML
- Retina XML
The targets that have been scanned or connected to are shown visually, which makes them easier to work with. Time is also saved during a penetration test, as Armitage recommends exploits and also tells us which exploit will work. Once a target is compromised, we can escalate privileges, browse its files, dump hashes, and so on.
You can download Armitage from http://www.fastandeasyhacking.com/download. It’s also available in BackTrack 5 under the “Exploitation tools” section.
Once selected, we just need to click the “start MSF” button. If you want to change the settings, you are free to, but here I am accepting the default settings.
Note: If the MySQL service is not already running, start it before proceeding with Armitage.
Once the button has been clicked, you should see an interface like the one in the image below.
The Module window allows us to select exploits, payloads and auxiliary modules, and to perform post-exploitation. Another advantage is that we can search for the required exploit, payload, etc. using wildcards.
The Target window shows the target systems. There are two types of view:
- Graph view
- Table view
To change the view, go to Armitage -> Set Target View -> Table View/Graph View.
This is another major advantage of using Armitage. Compromised targets are shown in red. Right-clicking a compromised target gives you various options, such as attack options, login options, and other options available from the session.
The Console window lets you interact with Armitage and view its output. The available consoles include the Metasploit, Meterpreter, NMAP and shell interfaces.
There are two types of scans. One is the NMAP scan, which scans the target for open ports and services; its results can then be imported into Metasploit. The other uses msfscans, which enumerates several common services with the help of Metasploit auxiliary modules.
Once the target is selected and scanned, the next stage is attacking. In Armitage, we find two options in the Attack tab: “by port” and “by vulnerability”.
So let’s select the “by port” option in the Attack tab and scan the target. Once the attack analysis is complete, Armitage generates a list of possible attacks against the target.
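The scanner import described in the list of supported formats above and the NMAP scan described here both boil down to the same thing: reading a scan report and turning it into a host inventory of reachable addresses, hostnames and open services. The following is an added example, not code from the article, Armitage or Metasploit, that parses the Nmap XML format with Python's standard library and builds the "which hosts expose which service" view that a defender uses to find assets to patch or firewall before anyone else scans them. The XML sample, addresses and hostname are constructed for the example and trimmed to the elements the parser reads.

```python
"""Parse an Nmap XML report into a host/port inventory (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format, trimmed to the elements
# this parser reads. Addresses and hostnames are made up for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX lab.xml 192.168.56.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="lab-xp.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per live host: ip, hostname and its port list.

    Hosts whose <status> is not "up" are skipped, which is also what a
    scanner import does: only reachable hosts become targets/assets.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
                break
        if ip is None:
            continue
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        ports = []
        for port in host.iter("port"):
            state_el = port.find("state")
            svc_el = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": svc_el.get("name", "") if svc_el is not None else "",
                "product": svc_el.get("product", "") if svc_el is not None else "",
            })
        hosts.append({"ip": ip, "hostname": hostname, "ports": ports})
    return hosts


def open_ports(host):
    """Only open ports count as exposure; filtered/closed ports are noise."""
    return [p for p in host["ports"] if p["state"] == "open"]


def exposed_services(hosts):
    """Map service name -> sorted list of 'ip:port' endpoints offering it.

    This is the inventory view a defender wants: which hosts expose SMB,
    RPC and so on, so they can be patched or firewalled first.
    """
    index = {}
    for host in hosts:
        for p in open_ports(host):
            key = p["service"] or "unknown"
            index.setdefault(key, []).append(f"{host['ip']}:{p['port']}")
    return {svc: sorted(eps) for svc, eps in index.items()}


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for svc, endpoints in exposed_services(inventory).items():
        print(f"{svc:15} {', '.join(endpoints)}")
```

Run the block with a real `nmap -oX` file in place of the constructed sample to get the same inventory for your own network; the `product` field is only populated when the scan was run with service detection (`-sV`).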
Here I am going to select the dcerpc stack buffer overflow exploit to attack the target.
Once the target is compromised and the session is established, we get various options like dump hashes, browse files, escalate privilege, perform a key scan, etc.
File browsing is a very useful feature of this tool. It allows us to download, upload and delete files. To browse files, go to Meterpreter -> Explore -> Browse Files.
To interact with the target host's desktop, go to Meterpreter -> Interact -> Desktop (VNC). This stages a VNC server into memory and tunnels the connection through Meterpreter.
Spy using webcams and screenshots:
Once the target has been compromised, we can use Armitage to take screenshots or webcam snapshots of the target host. To take a screenshot, go to Meterpreter -> Explore -> Screenshot. The webcam option is in the same location. Click “Watch” and choose an interval to automatically snap a picture at that interval.
To perform key logging, highlight a process and click “Log Keystrokes” to launch the module, which migrates Meterpreter into that process and starts capturing keystrokes.
When you want to perform further attacks on the target, you may need administrative rights. To escalate privileges, go to the Meterpreter -> Access -> Escalate Privileges menu, which highlights the privilege escalation modules.
Dump Password hashes:
To dump the Windows password hashes, go to Meterpreter -> Access -> Dump Hashes. The hashes can be dumped using two methods: the lsass method and the registry method. The lsass method grabs the password hashes from memory and works against Windows XP/2003, whereas the registry method works for all modern Windows systems. Once the hashes are dumped, they can be exported in pwdump format and cracked using various tools.
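The pwdump export mentioned above is also the input a defender works from when turning a hash dump into findings for the system owner, without cracking anything. The following is an added example, not code from the article, Armitage or Metasploit, that parses pwdump lines (`user:RID:LM hash:NT hash:::`) and reports three things worth fixing on the host: accounts whose LM hash is stored at all (the stored value for an empty LM hash, `aad3b435b51404eeaad3b435b51404ee`, is what appears when LM storage is disabled), accounts whose NT hash is that of an empty password (`31d6cfe0d16ae931b73c59d7e0c089c0`), and accounts that share a password. The sample dump is constructed; its non-empty hash values are made-up hex, not real hashes.

```python
"""Audit a pwdump-format hash export for weak-storage findings (added example)."""
import re
from collections import defaultdict

# Well-known constants: the LM hash stored for an empty/disabled LM password,
# and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump record: user:RID:LM hash:NT hash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump. The non-empty hashes are made-up hex, not real hashes.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0102030405060708090a0b0c0d0e0f10:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:1122334455667788aabbccddeeff0011:0102030405060708090a0b0c0d0e0f10:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
this line is not a pwdump record
"""


def parse_pwdump(text):
    """Return (records, rejected_lines). Malformed lines are kept for review
    rather than silently dropped, so a truncated export is noticed."""
    records, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PWDUMP_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid),
                        "lm": lm.lower(), "nt": nt.lower()})
    return records, rejected


def audit(records):
    """Produce defender-facing findings from the parsed records."""
    findings = {"lm_hash_stored": [], "empty_password": [], "shared_password": []}
    by_nt = defaultdict(list)
    for r in records:
        # Any LM hash other than the "empty" value means LM storage is still
        # enabled for this account, which is a policy finding in itself.
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(r["user"])
        if r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        else:
            by_nt[r["nt"]].append(r["user"])
    # Identical NT hashes mean identical passwords (NT hashes are unsalted).
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    recs, bad = parse_pwdump(SAMPLE_PWDUMP)
    print(f"{len(recs)} records parsed, {len(bad)} rejected")
    for kind, items in audit(recs).items():
        print(f"{kind:16} {items}")
```

The shared-password check works only because NT hashes are unsalted, which is the same property that makes pass-the-hash possible; reporting it alongside the LM finding gives the owner two concrete policy fixes (disable LM hash storage, enforce unique credentials for service and admin accounts).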
Brute forcing Passwords:
We can brute force passwords using the auxiliary modules found in the Modules tab. To brute force logins, search the Modules tab using the keyword “login”. For example, lotus_domino_login is a module for brute forcing Lotus Domino logins. Metasploit can then brute force usernames and passwords once a username file and a password file have been selected.
Another attack option in Armitage is browser-based attacks. We can either select the exploit from the drop-down list found under Attack tab -> Browser attacks, or browse for the exploit directly in the “exploit” tree inside the Modules tab. In this example, let’s select the recent IE exploit named Internet Explorer CSS Recursive Import. This exploit targets a memory corruption vulnerability within the MS HTML engine (mshtml).
A few parameters can be set, such as LHOST, SRVPORT and URIPATH. The exploit starts a server on the attacker's system and waits for a connection from the victim. Once the victim opens the malicious URL http://192.168.X.X:8080/ in Internet Explorer, the attacker gains control of the victim and the post-exploitation options become available for further attacks.
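A login brute force of the kind the “login” modules perform is loud on the receiving end: many failures from one source in a short window, or one source trying a few passwords across many usernames (spraying), often followed by a success. The following is an added example, not code from the article or Metasploit, that runs that detection logic over sample authentication log lines with a sliding window. The log format is constructed for the example (any real service's format would need its own regex), and the thresholds are assumptions to tune per environment.

```python
"""Flag brute-force and password-spraying sources in auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a made-up format:
#   <ISO timestamp> <service> login <ok|failed> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z domino login failed user=admin src=10.0.0.5
2024-05-01T10:00:02Z domino login failed user=admin src=10.0.0.5
2024-05-01T10:00:04Z domino login failed user=admin src=10.0.0.5
2024-05-01T10:00:06Z domino login failed user=admin src=10.0.0.5
2024-05-01T10:00:08Z domino login failed user=admin src=10.0.0.5
2024-05-01T10:00:10Z domino login failed user=admin src=10.0.0.5
2024-05-01T10:00:12Z domino login ok user=admin src=10.0.0.5
2024-05-01T10:05:00Z domino login failed user=alice src=10.0.0.9
2024-05-01T10:05:10Z domino login failed user=bob src=10.0.0.9
2024-05-01T10:05:20Z domino login failed user=carol src=10.0.0.9
2024-05-01T10:05:30Z domino login failed user=dave src=10.0.0.9
2024-05-01T10:10:00Z domino login failed user=jdoe src=10.0.0.20
2024-05-01T10:10:05Z domino login ok user=jdoe src=10.0.0.20
2024-05-01T10:11:00Z domino login ok user=maria src=10.0.0.30
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (ok|failed) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, service, result, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service, "result": result, "user": user, "src": src}


def detect(lines, window_seconds=60, fail_threshold=5, user_threshold=3):
    """Sliding-window detection per source IP.

    brute_force:         >= fail_threshold failures within the window
    password_spray:      failures against >= user_threshold distinct users
    success_after_burst: a successful login while the window is still full
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> deque of (ts, user) failures
    findings = defaultdict(set)
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()              # expire failures outside the window
        if ev["result"] == "failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= fail_threshold:
                findings[ev["src"]].add("brute_force")
            if len({u for _, u in q}) >= user_threshold:
                findings[ev["src"]].add("password_spray")
        elif len(q) >= fail_threshold:
            findings[ev["src"]].add("success_after_burst")
    return {src: sorted(kinds) for src, kinds in findings.items()}


if __name__ == "__main__":
    for src, kinds in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{src:12} {', '.join(kinds)}")
```

The `success_after_burst` finding is the one to page on: a burst of failures followed by a success from the same source is the signature of a guessed credential, whereas a burst alone may be a misconfigured client. Spraying is caught separately because its per-source failure count can stay below the brute-force threshold.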
All these options are available in Metasploit, but Armitage makes it easier for us by automating most of the actions.
Another attack we will look at in this paper is “Browser Autopwn” from the Attack tab. Once the module is launched, it uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them. The module prepares exploits for various browsers; once the victim opens the malicious link, the exploit matching the victim’s browser is executed and the attacker gains control of the victim.
Armitage comes with another option called “Hail Mary”. This is automated exploitation and can be used when manual exploitation fails. It is a smarter db_autopwn: it finds the relevant exploits for the targets, filters them accordingly, and so on. If a host has been scanned and you don’t know what the next step should be, you can use this automated exploitation. Select “Hail Mary” from the Attacks tab and Armitage will find all the exploits via db_autopwn, sort them, launch them against the host and then hand you the resulting session for further exploitation.
Client side Exploitation:
Metasploit has various client-side exploits, and with the help of Armitage we can easily use these exploits against targets. As the name implies, these target an application on the remote host rather than one of its services.
The client side exploitation can be performed either by using browser exploits or file format exploits.
Armitage is just a GUI for Metasploit that visualizes the targets, recommends exploits and automates most of the tasks. Armitage merely organizes the functionality of Metasploit, so good knowledge of Metasploit is still required to perform advanced attacks.