There’s a seemingly endless number of free open-source tools for penetration testing, and most of them seem to gravitate around the Kali Linux distribution. But with so many free tools, it’s easy to miss out on some of the best ones.
So today we’re going to take a closer look at Armitage, define what it is, and define how it works. However, there are a few things that you need to know before we start digging into the dirty details of how to use this tool. Naturally, I do have to give a brief warning before we get started, too. Don’t misuse or abuse any of the tools mentioned in this article for two reasons.
First of all, doing so would be unethical. And secondly, doing so can land you in a boatload of legal trouble with the authorities. Make sure that you only use Armitage in an environment that you own (such as a wireless home network) or in an environment that you have the authority to test out new tools on (such as a network owned by an entity giving you permission to test).
Now that we’ve got that out of the way, let’s define what Armitage is and how it works. Armitage is a tool that works very closely with Metasploit. For those of you who don’t know, Metasploit is a hacker’s delight, and one of the coolest tools in a penetration tester’s tool belt. Metasploit is a framework, complete with a lot of modular code libraries, for designing custom payloads and attacks. Furthermore, it can be used to scan for vulnerabilities and to exploit weaknesses.
What Does Armitage Do?
Armitage, however, is really more of a scripting tool that “plugs in” to Metasploit. It helps users visualize the textual information that is presented through the standard Metasploit prompt, but it has a lot of other cool features too. First of all, note that it helps more than one person carry out an attack. Believe it or not, Armitage allows people to share the same session and instance information in Metasploit.
As they say, two heads are better than one, and the ability to share sessions opens the door for teamwork during an attack or penetration testing exercise. Team members can share the data that’s captured, files that are downloaded, and even control of captured hosts. Plus, there’s even a shared event log that keeps all the members of a team updated and informed on the status of an attack or test.
Furthermore, Armitage contains tools such as bots that help automate various tasks. It helps to encapsulate, aggregate, and organize the tools found within Metasploit into an interface that’s a lot more accessible. And as you would expect, there are still all the old and familiar tools to help an attacker initiate a reconnaissance session, break into remote systems, and clean up and cover tracks after an attack has been carried out.
You see, Armitage uses the concept of a dynamic workspace as a sort of sandbox, or environment that allows you to rapidly change the target of an attack, as well as the type of attack you’re carrying out and various other parameters. Furthermore, it includes tools that help you better manage targets, which is useful for managing attacks and reconnaissance operations for large numbers of hosts. You can even segment large subnets of systems into smaller groups.
But wait, there’s more (as Billy Mays might say)! Armitage also includes functionality that allows it to import data sets from other sources, such as scanners. Oftentimes when working with packet captures or scanning software, the idea is to capture the data and save it in a database for future manipulation with other programs. Armitage is one such program, and can import data from third-party tools for data manipulation. And its GUI also helps keep track of active targets by visualizing them and separating them into sessions.
Not only can Armitage import scan data, but it can run scans of its own, and then recommend different exploits based on the collected data (which is a similar function to Nessus and OpenVAS). And though it isn’t exactly the most sophisticated type of attack, Armitage comes armed with a smart automatic exploitation feature, which is aptly dubbed the “Hail Mary Mass Exploitation.”
After an exploit has been initiated successfully, Armitage makes a lot of post-exploitation tools available to the attacker or penetration tester, which are part of the Meterpreter agent. With the post-exploitation tools, an attacker can record a user’s keystrokes, mine password hashes, root around in the file system (pun intended), use command line commands, escalate privileges, take snapshots or video with a webcam, and much, much more.
Plus, after a host has been successfully compromised by an attacker, Armitage makes it possible to use that host as a launching pad for other attacks on systems local to the compromised host. These features allow an attacker to create “hops” through a network, and infect multiple systems on different subnets.
Before You Begin
Before you dive into Armitage, there are a few things that you should know. While it’s possible to learn some basic tutorials in Armitage with little to no background in penetration testing, I’d highly recommend starting with Metasploit. If you’re not aware of Metasploit yet, understand that it is a console-driven application that requires working from the command line. Armitage does help alleviate some of this burden with graphical images, but you still need to know how to work from the command line to be a competent user.
Also, you need to be aware of how the Metasploit framework is organized, particularly regarding its modules. After entering Metasploit, you can type help to view the modules included in the software. Every component of the software (and by extension, every component of Armitage) is divided up into modules – be it a scanning utility, malicious payload, or exploit.
Whenever you want to exploit a vulnerability on a given host, you first need to establish a connection with that host, which is called a session. Armitage is built to know how to handle sessions, and organizes sessions with graphics built on top of Meterpreter.
Meterpreter, in turn, is the portion of the code that allows you to run various operations on an exploited system.
Navigating the User Interface
At first glance, the Armitage user interface can be pretty intimidating. But it really isn’t that complicated. There are basically three main areas of the user interface, which include the targets pane, the modules pane, and tabs on the bottom that provide access to the command line.
First off, let’s start with the modules pane on the left side. You’ll notice that it uses a tree structure much like a file system. It’s in this pane that you can find the modules that allow you to execute a payload, exploit a system, and run various post-exploitation operations. Simply double click on the desired module to open a dialog, and Armitage will do the heavy lifting for you by configuring the module to target specified hosts.
Next, locate the main graphical window pane. Depending on the type of host (operating system, device type, etc.), Armitage will populate a different image. If you see an icon in red with electric tendrils, you are looking at a host in the graphical interface that has been successfully exploited. However, green lines between systems indicate a pivot, which just means you can use the exploited host to launch attacks on other systems. To select a host, simply left click on its icon. To select multiple systems, simply hold down the left mouse button and drag the mouse over all the systems you wish to select.
In addition, you can right click on a host to pull up a menu that will help you edit settings, login parameters, session options, and detailed information about the host in question. However, you won’t be able to see the login menu unless you have already used Metasploit to scan the host and identified open sockets on the remote system.
Also, depending on the type of computer you’re running Armitage on, you may want to select different hotkeys (or view them in the first place). To do so, simply click on the Armitage menu in the top left of the window, and then click on “Preferences.” You’ll then be able to see all of the currently configured hotkeys and their default values.
Armitage’s strength (namely, visualizing targets and hosts) is also its weakness. If you are trying to work with too many hosts, the GUI pane can become extremely cluttered, messy, and overwhelming. Fortunately, you can set target hosts via a table view. Simply click on the Armitage menu in the top left, click on “Set Target View,” and then click on “Table View.” This will allow you to view and set target hosts with an interface that looks more like a clean spreadsheet.
Navigating the Bottom Pane: Tabs and Consoles
It’s also possible to open up multiple tabs in the bottom pane that will allow you to enter Metasploit commands and shell code. By right clicking on a tab, you can undock the tab into its own window for better management. In addition, you can move the sequence of tabs like you would in a web browser, and exit them by clicking on the “x.”
More interesting, however, is the fact that both Meterpreter and Metasploit occupy tabs in the interface. Those of you who have run Metasploit from the command line will feel at home in this pane, since each tab is essentially its own shell environment.
One of the great features that makes Armitage so darn powerful is its ability to interface with other applications’ data – especially to import host data from other sources. It supports most of the popular scanners, so if you don’t want to run scans in Armitage, or just want to import data from a previous scan, you can load masses of data in a few quick seconds.
Some of the most popular scanners that it interfaces well with include Amap, NMAP, OpenVAS, and Nessus, though it also supports IP360, Burp, NeXpose, Qualys, and several others. If you want to add a set of hosts from another scanner, simply click on the Hosts menu at the top and then click on the “Import Hosts” option.
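To see what such an import actually carries across, here is an added example (not Armitage’s or Metasploit’s own code) that parses a constructed Nmap XML report into the per-host rows an “Import Hosts” step would fill: address, OS guess and open services, skipping hosts that were down and ports that were not open.

```python
# Added example (not Armitage/Metasploit code): turn Nmap XML into the host rows an
# "Import Hosts" step populates. Follows the real Nmap XML schema; the sample is constructed.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="96"/></os>
  </host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds"/></port></ports>
  </host>
</nmaprun>
"""


def parse_nmap_hosts(xml_text):
    """Return one dict per live host: IPv4 address, OS guess, and its open services."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # a host table only lists hosts the scan saw as alive
        osmatch = host.find("os/osmatch")
        services = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not services worth importing
            svc = port.find("service")
            info = [svc.get("product"), svc.get("version")] if svc is not None else []
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "info": " ".join(x for x in info if x),
            })
        hosts.append({
            "address": addr.get("addr"),
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "services": services,
        })
    return hosts
```

Calling `parse_nmap_hosts(SAMPLE_NMAP_XML)` yields two rows (10.0.0.5 with FTP, 10.0.0.7 with SMB); the down host and the filtered HTTP port are dropped, which is the same pruning you see when a scan lands in the targets pane.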
Finding ways to exploit systems is no easy task. There are a number of countermeasures designed to mitigate the threat of exploitation, such as firewalls, code updates, and other similar tools. It’s almost more of an art than a science, and things are always changing. Some exploits are extremely temporal because antivirus and operating system developers are always trying to plug up the holes as quickly as possible.
And if you’re new to Metasploit or Armitage, it’s tough getting started if you aren’t aware of any existing exploits. The good news is that Armitage comes equipped with tools to help you find the latest and greatest system vulnerabilities. Basically, Armitage will create a session with a target host, and run some scanning and code-verification and checking utilities to gather information about the target. Then, it will list all known exploits, in much the same way as OpenVAS and Nessus scan for vulnerabilities.
To do a little bit of investigative work, click on a host’s icon, and then browse through the different protocols. For instance, one protocol listed for a host may be FTP. From the FTP menu, look for the very last option, labeled “Check exploits.” In the resulting output, simply check for exploits that are listed as “vulnerable.” You can use ctrl + f to easily find vulnerabilities and simplify the process.
Running an Exploit
You can also click on the Attacks menu and then click on “Find Attacks” to browse through the different attack modules residing in Armitage. If you have already checked to see that a system is vulnerable to a certain exploit, simply right click on a host’s icon, click on the “Attack” menu, and then select the exploit you wish to run.
It’s also worth noting that Armitage contains a ranking system for exploits, and by default, will only show exploits with a rank of “great.” You can click on the Armitage menu and then click on “Set Exploit Rank” so that the GUI interface populates exploits with a rank of “good.”
This should give you a pretty good understanding of how the Armitage tool works, what it does, and how to use it. However, I must caution you once more to not try running these exploits on real-world targets. Instead, I’d recommend getting your feet wet in a home environment, so you can escape the ethical, moral, and legal complications of hacking into a remote system.