Haking _ MetaSploit - Part 3

Armitage

What is Armitage?

Armitage is a Java tool that uses the Metasploit database and resources to visualize targets, recommend
exploits, and expose the framework's advanced post-exploitation features. Its GUI makes penetration
testing easier.

Pre-Install Requirements

Armitage requires the following tools to be properly installed:

• Metasploit Framework
• PostgreSQL Database
• Nmap
• Oracle’s Java 1.7

Installation

In this section, we present a step-by-step guide to installing Armitage on the following OS
platforms:

Mac OSX

In order to conduct a successful installation, type the following commands:

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
tar -xvzf /tmp/armitage.tgz -C /usr/local/share
# Create the launcher script; "$@" forwards any command-line arguments to Armitage
cat > /usr/local/share/armitage/armitage <<'EOF'
#!/bin/sh
exec java -jar /usr/local/share/armitage/armitage.jar "$@"
EOF
chmod +x /usr/local/share/armitage/armitage
ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage
ln -s /usr/local/share/armitage/teamserver /usr/local/bin/teamserver
# Point the teamserver script at the installed jar ("-pi -e" with a space; "#" as the
# substitution delimiter because the replacement path itself contains slashes)
perl -pi -e 's#armitage\.jar#/usr/local/share/armitage/armitage.jar#g' /usr/local/share/armitage/teamserver

It is now installed and you should be able to launch Armitage by typing "armitage" in your
terminal window.

Linux

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
sudo tar -xvzf /tmp/armitage.tgz -C /usr/local/share
# Create the launcher script; "$@" forwards any command-line arguments to Armitage
sudo tee /usr/local/share/armitage/armitage >/dev/null <<'EOF'
#!/bin/sh
exec java -jar /usr/local/share/armitage/armitage.jar "$@"
EOF
sudo chmod +x /usr/local/share/armitage/armitage
sudo ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage
sudo ln -s /usr/local/share/armitage/teamserver /usr/local/bin/teamserver
# Point the teamserver script at the installed jar ("-pi -e" with a space; "#" as the
# substitution delimiter because the replacement path itself contains slashes)
sudo perl -pi -e 's#armitage\.jar#/usr/local/share/armitage/armitage.jar#g' /usr/local/share/armitage/teamserver

You should now be able to start Armitage by typing “armitage” on your console.


Windows OS

Download the following zip file from here: http://www.fastandeasyhacking.com/download/armitage140715.zip

Then, extract it. You will be presented with the files shown in the following figure:

To launch Armitage, just double-click on "armitage.exe".

Utilization of Armitage

When you start Armitage, it shows a connection window asking you to provide the following:

Host: the IP address of the machine where Metasploit is installed. For instance, we are going to use our localhost.
Port: the default port to connect to; leave it at "5553".
User, Pass: the database username and password that we set when we first installed MSF.

Once you supply the correct credentials, hit "Connect" and Armitage should start initializing. If
the Metasploit RPC server is not running, it will ask whether you would like Armitage to start it for you, as follows.

Press "Yes" if this prompt shows up. The next window shows the loading progress; don't panic if it
says "Connection refused", it will eventually connect, as follows:













Finally, we have Armitage up and running:

Armitage GUI Description

As shown in the previous figure, the GUI sections are:

1. The window space where the targets are going to show up
2. The console, where the different sessions are shown and where you can work with the exploits
3. The window space where you can browse through the different modules and use them by simply double-clicking
4. The window space where you can search for a particular auxiliary, exploit, payload or post-exploitation module by name

Scanning and Exploitation

To scan the network using Armitage, you should proceed as follows:

• Select "Hosts -> Nmap scan -> Quick scan (OS detect)"

• Then, enter the IP range which you want to scan:

Now, if hosts that we know exist did not show up in the results for some reason, we can always
add them manually:

• Select "Hosts -> Add hosts"

• After that, enter one host per line, as follows:

Now that we have added our target host, we can scan it as follows:

• Right-click on the target host -> Scan

• We can see that a new tab named "scan" opens and the scan modules start running, as follows:

When the scan is completed, a window pops up showing the message "Scan Complete!", as follows:

Once the scan is fully completed, we can look for specific attacks on the open ports. For that, we
select the host and then use the menu "Attacks -> Find attacks", which tells Armitage to look for
suitable exploits for this particular host:

Now, by right-clicking the host we can see the "Attack" menu with a number of suggested exploits
for it:

For example, we are going to use the "netapi" SMB exploit this time for our Windows target.

Once we select the exploit, a new window opens so that we can choose from different options,
as in the following figure:

Now hit Launch and the exploit should be sent!

Then a new tab named "exploit" is added to the console, and we see a new session open up, which
means we have successfully exploited the host and now have access to it.

The host is now shown in red, with information about the current user we are running as!

Now we can see the meterpreter session when we right-click on the compromised host, as follows:

Up to this point, we have the ability to Interact, Explore, Access and Pivot.

Armitage recommends several exploits and will optionally run active checks, as we did, to tell
you which exploits should work. If those options fail, you may use the Hail Mary attack to
unleash Armitage's smart automatic exploitation against your designated targets, as follows:

• First, select the host by left-clicking on it and go to "Attacks -> Hail Mary":

It now warns you that flooding the host with exploits may cause the target to crash; press "Yes"
to continue. However, if you are afraid that the target will go down and no longer be reachable,
press "No" and the attack will be cancelled.

If you pressed "Yes", it loads all the exploits and their handlers automatically, as in the following figure:

The opened sessions then show up in the console. If two or more exploits worked and executed
successfully on the remote host, sessions will be shown for them too:

And the host shows up in red (exploited), letting us know that we have access to it.

Now we move to the fun part, which is Pivoting.

Pivoting

Once we get access to one host on the network, meterpreter gives us the ability to use that
host as a pivot to go further into that network (scan, exploit, etc.).

We will use this method to attack another host in the network which sits on a different subnet
from the previously compromised Windows computer.

Let's assume the networks' addressing schemes are as follows:

Attacker Network:

• LAN: 192.168.0.2

Client Networks (Win XP):

• LAN1: 192.168.0.12
• LAN2: 192.168.1.0/24 (our second target network)

Obviously, the attacker cannot reach the 192.168.1.0/24 network from its own IP on the 192.168.0.0/24
network, which is why we need pivoting in order to reach the target network.

• First, we need to run an Address Resolution Protocol (ARP) scan; this reveals existing hosts
  that have already communicated with our compromised target.

• Secondly, we need to add a route so that we can reach the other subnet (192.168.1.x in our
case), as follows:

• Then, select the target subnet (192.168.1.0 in our case):

Once we have added the route, a link shows up from the first compromised host to the second one
that we discovered on the other subnet, as in the following figure:
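
The route-planning step above (which hosts found through the compromised host need a route via the meterpreter session, and which are already reachable) as an added Python example; it is not part of the original post, and the attacker subnet, ARP results and session id are constructed to match the lab addressing in the text.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data mirroring the lab in the text; not output captured from Armitage.
ATTACKER_NETS = ["192.168.0.0/24"]   # subnets the attacker box reaches directly
PIVOT_HOST = "192.168.0.12"          # compromised Win XP host holding the meterpreter session
PIVOT_SESSION = 1                    # hypothetical id of that meterpreter session
ARP_SCAN_RESULTS = [                 # hosts the ARP scan run through the session reported
    "192.168.0.1", "192.168.0.12", "192.168.1.1", "192.168.1.101", "192.168.1.150",
]


def directly_reachable(host: str, attacker_nets: List[str]) -> bool:
    """True if the attacker can reach `host` without going through a pivot."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(net) for net in attacker_nets)


def plan_routes(arp_hosts: List[str], attacker_nets: List[str],
                pivot_host: str, prefixlen: int = 24) -> Dict[str, List[str]]:
    """Group the hosts seen through the pivot by subnet and keep only the subnets
    the attacker cannot reach directly.  Each key is a subnet that needs a route
    through the session (what Armitage's "Add route" step does); the pivot host
    itself and hosts on an attacker-reachable subnet need no route and are skipped.
    """
    routes: Dict[str, List[str]] = {}
    for host in arp_hosts:
        if host == pivot_host or directly_reachable(host, attacker_nets):
            continue
        # strict=False turns a host address into its containing /prefixlen network
        subnet = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
        routes.setdefault(str(subnet), []).append(host)
    return routes


def route_table(routes: Dict[str, List[str]], session: int) -> List[str]:
    """Render the planned routes as "<subnet> via session <n>" lines, one per subnet."""
    return [f"{subnet} via session {session}" for subnet in sorted(routes)]


if __name__ == "__main__":
    plan = plan_routes(ARP_SCAN_RESULTS, ATTACKER_NETS, PIVOT_HOST)
    for line in route_table(plan, PIVOT_SESSION):
        print(line)
    for subnet, hosts in plan.items():
        print(subnet, "->", ", ".join(hosts))
```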

Once we have finished scanning all the hosts and directed Armitage to show us the available
exploits for their open ports, we select an exploit and launch it against the host. Armitage will
then show the other host as compromised :) like so:

We have successfully pivoted to the host on the second subnet, "192.168.1.101". In the next
module, we will discuss more about pivoting and post-exploitation!
