The Metasploit framework is a hugely powerful open source security tool for penetration testing, and one which has won fans all over the world. But if there is one criticism of Metasploit, it’s that it is not that easy to use, especially for those who want something powerful, simple and free to carry out an occasional test on the security of their own network.
But that’s all changed thanks to Armitage, a free “graphical cyber attack management tool for Metasploit” that allows you to visualize your network and access the many features and functions of the Metasploit framework from a simple point and click graphical interface. Whether you already use Metasploit or you have put off trying it because of its complexity, there’s no doubt that it’s worth installing Armitage and giving it a spin.
Armitage works with the Linux or Windows versions of Metasploit, and for the purposes of this tutorial we’ll be concentrating on the Windows version. (If you are a Linux user, you can download a Linux Armitage tarball from http://www.fastandeasyhacking.com/download)
First off you’ll need:
- the Metasploit framework itself, version 3.5 or higher
- the latest Oracle Java SE
- and Armitage itself
Next, you’ll need to set things up:
- Install Metasploit (to C:framework) then run the Metasploit Update applet (from the Metasploit Framework program group in your start menu)
- Unzip the downloaded Armitage zip file into C:framework. To make life easier, add a desktop shortcut to C:frameworkarmitage.bat on your desktop. (You can change the default Windows icon to the Armitage one you’ll find in the Icons folder in C:framework)
- At this point it’s a good idea to reboot your system to avoid any problems in the following steps.
Getting Armitage up and running
- Start Metasploit by clicking on the Metasploit Console icon in your Metasploit Framework program group.
- When it’s running, load the Metasploit RPC daemon by typing:
and make a note of the XMLRPC password that is displayed – you’ll need it in the next step.
- Start Armitage by double clicking on your desktop shortcut, and overwrite the text in the Pass box with the password (from the previous step.) Then click connect.
The Armitage user interface should now appear:
The Armitage UI is divided into three sections. The top left pane shows a list of Metasploit exploits and modules that you might want to use. The bottom panel provides a window onto what is going on behind the scenes in Armitage, and provides a place to enter commands directly into Metasploit.
The most useful panel is the Targets panel in the top right, which will initially be empty. It’s here that you’ll find a graphical display of any hosts you discover on the network you are testing, and from here that you’ll launch many attacks.
Populating the Targets panel.
The first job in any penetration test is to do some reconnaissance and establish what hosts are present on the network, along with which operating systems they are running. Armitage makes this simple by enabling you to launch an Nmap scan directly from within Armitage itself.
To launch a scan:
- Select Nmap Scan from the Hosts menu, and then select the type of scan you wish to perform. Choices include Intense Scan, Quick Scan (OS detect) and Comprehensive.
- Select a range of IP addresses to scan
A few seconds after the scan is complete, Armitage will populate the Targets panel with icons representing any hosts that it finds, and the operating systems they are running (if it is able to identify them.) Further Nmap scans, or MSF scans (which can also be launched from the host menu) may be able to determine the operating systems of hosts that can’t immediately be ascertained.
Alternatively, host information can be imported, either from an Nmap scan carried out separately, or from other popular scanners including Nessus, Nexpose and Metasploit Express, using the Import Hosts command from the Hosts menu.
Choosing an attack
Once you have a list of hosts on your network, the tricky bit is knowing which attacks to attempt to test if any of these hosts are vulnerable. Armitage simplifies this by matching available Metasploit exploits to open ports (or vulnerabilities if a vulnerability scan has been imported.)
To find suitable attacks for a given host:
- Click on your chosen host to select it, then select “Find Attacks – by port” from the Attacks menu
- After a few seconds, an Attack Analysis Complete message will appear:
- An Attack option will appear when you right click on your chosen host, displaying suitable attacks organized into categories (such as http, iis, smb) that may be able to compromise the host, if the attacks are run.
Launch an attack:
- To launch an attack, simply click on it.
- Armitage will present an attack dialog box with the name of the attack, and with all the variables needed for the attack automatically filled in. Clicking Launch will start the attack.
Running “check exploit”
If a large number of possible attacks are presented to you for a given category (such as http,) you can also choose “check exploit” – the final entry in the Attack menu. This will check each attack – if it can – and report back either “The target is not exploitable”, “This exploit does not support check”, or “The target is vulnerable” with the name of the exploit in question.
Once you have run “check exploit” you can easily find any individual attacks that Armitage has determined will work by typing Ctrl F and searching for the word “vulnerable”.
Taking control when an exploit is successful
When an exploit is successful and a host is compromised, the host’s graphic turns red (with lighting marks through it for good measure.)
To take control, right click on the icon and select “Interact” to open an interactive shell to the compromised machine in the bottom panel of Armitage.
If the machine in question is running Microsoft Windows, you can start a Metasploit Meterpreter session, which gives you access to some powerful commands described in this guide to Meterpreter basics.
An exciting feature of Armitage is the ability to easily launch attacks on machines that you can’t access directly, via machines that you have already compromised – a technique known as pivoting. Armitage’s Targets panel provides a simple graphical way of visualizing how hosts are connected, and which ones can be reached via compromised machines.
The Metasploit framework has a feature called db_autopwn, which attempts to automate penetration testing very crudely by matching exploits in a database with open ports found on any discovered hosts, and launching all matching ones to see what happens. Armitage automates and refines db_autopwn using a feature called Hail Mary, found in the Attacks menu. Launching a Hail Mary starts the db_autopwn process, but matches exploits to suitable operating systems, and launches the “best” exploits first.
Hail Mary — like db_autopwn is not the best way to test network security, but it’s certainly quick, requires very little skill, and can give you a very quick idea of the scale of any security problems you might be facing.
There is far more to Armitage – and the Metasploit framework – than can be described here, but if you have never tried Metasploit before this introduction should be enough to get you started.
For more information and tutorials on Armitage visit www.fastandeasyhacking.com/
For more information on Metasploit visit the Metasploit homepage.