Armitage Introduction Lab
Prerequisites
This lab will help introduce you to Armitage for Metasploit. Before we begin, you
will need the following virtual machines:


Metasploitable Linux Virtual Machine
BackTrack 5r1 Virtual Machine
Set both Virtual Machine network adapters to the NAT setting.
Setup
BackTrack Linux
1. Login as username root, password toor
2. Type dhclient to request an IP address
3. Type startx to launch X-Windows
4. Open a Terminal
5. Type: msfupdate to update Metasploit and Armitage to the latest versions
Metasploitable
1. Login as username msfadmin, password msfadmin
2. Type sudo dhclient to request an IP address
Take note of the IP address of the Metasploitable virtual machine. You will need it
for the remainder of this lab.
Start Armitage
1. Open a terminal
2. Type: armitage and press enter
3. A dialog will ask if you'd like to start Metasploit's RPC server. Press Yes.
Wait for Armitage to connect to Metasploit. You will see Connection Refused
multiple for up to two minutes. This is normal. If something else happens, press
Cancel and then press Help to troubleshoot the issue.
Reconnaissance
These steps will show you how to perform reconnaissance against the
Metasploitable host. Remember that some scan techniques are more thorough than
others.
1. Go to Hosts -> MSF Scans
2. Type in the IP address of the Metasploitable VM and press Ok
3. Right-click the host that appears in Armitage and select Services
4. Wait 30 seconds and press Refresh
Do not close the Services tab, we're going to compare the existing results to the
results from another (more thorough) scan in a moment.
5. Go to Hosts -> Clear Database
6. Go to Hosts -> NMap -> Intense Scan, all TCP Ports
7. Type in the IP address of the Metasploit VM and press Ok
An NMap Tab will open. Wait for a dialog that says Scan complete before
proceeding.
8. Right-click the Metasploitable host and select Services
How do the results of the Intense NMap Scan compare to the results of the
Metasploit scan? Try to repeat this process for other scans to appreciate the
differences in the information they each provide.
Web Application Exploitation
These steps will show you how to check which exploits a service is vulnerable to.
1. Go to Attacks -> Find Attacks
2. Right-click Metasploitable and navigate to:
Attacks -> webapp -> Check Exploits
3. In the Check Exploits tab, press Control+F and search for "vulnerable"
without the quotes.
4. Right-click Metasploitable and navigate to:
Attacks -> webapp -> [an attack that Metasploitable is vulnerable to]
5. Press Launch
6. Right-click Metasploitable and navigate to:
Shell 1 -> Interact
7. To close the session, right-click Metasploitable -> Shell 1 -> Disconnect
Service Exploitation
These steps will guide you through finding another exploitable service and
obtaining another shell session.
1. Go to Attacks -> Find Attacks
If you did this for the Web Application Exploitation steps, you don't need to do
it again. Doing it again doesn't hurt anything though.
2. Right-click Metasploitable and navigate to the Attacks menu
3. Select an exploit, don't change any options, and click Launch. Repeat this step
until you find one that works.
Hint: there are two other exploits in the Attacks menu that will work without
any modification.
Do not close the Shells you receive from your service exploitation in this step.
Linux Shell Post Exploitation
To accomplish these steps, you must have root access to the Metasploitable system.
1. Right-click Metasploitable and go to Shell N -> Interact for each of your shell
sessions
2. In each shell type: whoami
3. Find the shell that has a root user. This is the shell that you will use for these
instructions.
4. Right-click Metasploitable and go to the root shell session:
Shell N -> Post Modules
5. Double-click the enum_linux module in the module browser.
6. Press Launch
7. Go to View -> Loot
8. Double-click an item to view it.
The enum_linux module automatically captures a lot of data about a Linux system.
Here are a few questions to answer as you go through all of this data:
1. Which version of apparmor is installed?
2. How many users with passwords and valid shells (e.g., /bin/bash or /bin/sh)
are on the system?
3. Which command did msfadmin use previously to reset the logs on the
system?
Tomcat Attack
These steps will walk you through attacking Apache Tomcat. You will learn how to
brute force a service, search for a relevant attack, and conduct post-exploitation
using the Java version of Meterpreter.
1. Search for the tomcat_mgr_login module in the module browser
2. Double-click tomcat_mgr_login
3. The default RPORT is 8080. Apache Tomcat is on Metasploitable, but it's not
this port. Change the RPORT value to the correct port.
Hint: Right-click Metasploitable and select Services.
4. Press Launch
5. Press Ctrl+F in the tomcat_mgr_login tab and search for "success"
Great, you now have credentials you may use to access the Apache Tomcat
service. Let's find out what you can do with these credentials...
6. Search for tomcat in the module browser.
7. Double-click the tomcat related exploit
8. Set USERNAME, PASSWORD, and RPORT to the values you discovered in
steps 1-5.
If everything is correct, you will now have a Java meterpreter session on the
Metasploitable host. Right-click Metasploitable -> Meterpreter and play with the
options to see what is available to you. Meterpreter has a lot more power than a
simple shell session. Exploring Windows Meterpreter is the subject of the bonus lab.
Bonus Lab: Post Exploitation
1. Prerequisites
To complete this lab, you will need a Windows target. The steps in this lab will work
for a Windows XP, Windows Vista, and Windows 7 target.
Your attack host should be BackTrack Linux 5r1 with the latest version of Armitage
and Metasploit.
2. Steps
Generate a Backdoor and Listener (BackTrack Linux):
Follow these steps to generate an executable version of Metasploit's super payload,
Meterpreter. These steps will have you save the executable in the default directory
for serving files over HTTP. These steps will also have you setup a multi/handler to
receive connections from Meterpreter.
1. Start Armitage
2. In the module browser navigate to:
payloads -> windows -> meterpreter -> reverse_tcp
3. Change RPORT to 9898
4. Change Output to exe
5. Hold the shift button and click Launch
6. Save the file to /var/www/backdoor.exe
7. Change Output to multi/handler
8. Click Launch
Start a webserver (BackTrack Linux)
Follow these steps to start the Apache webserver. You will also use need to learn the
IP address of your BackTrack host.
1. Open a terminal
2. Type: service start apache2
3. Use ifconfig to learn the ip address of your BackTrack Linux host.
Get in through the backdoor (Windows Victim)
Follow these steps to "exploit" your Windows host. Really, you're just downloading
the Meterpreter executable and running it.
1. Open Internet Explorer
2. Navigate to http://[ip address of BackTrack Linux host/backdoor.exe
3. Run the file
Post Exploitation (BackTrack Linux)
You should now see a red computer with lightning bolts around it in Armitage. This
is your Windows target. These steps will take you through various post-exploitation
actions with Armitage. After these steps, you will have an appreciation for how
much Meterpreter can do.
I see you...
1. Right-click the compromised host and navigate to:
Meterpreter 1 -> Explore -> Screenshot
2. Right-click the compromised host and navigate to:
Meterpreter 1 -> Explore -> Webcam Shot
This will only work if your Windows host has a webcam attached.
Remote Control
1. Right-click the compromised host and navigate to:
Meterpreter 1 -> Interact -> Desktop (VNC)
Armitage will open a dialog telling you the port and display number to connect
a VNC client to. Take note of the port number. Here I will use 53. It will be
something different for you.
2. Open a Terminal in BackTrack Linux
3. Type: vncviewer 127.0.0.1:53
Change 53 to the display number provided by Armitage.
Get the Data
1. Right-click the compromised host and navigate to:
Meterpreter 1 -> Explore -> File Browser
2. In the file path text field (top of the browser), type C:\ and hit Enter.
3. Navigate to your desktop
4. Download a file
5. Go to: View -> Downloads
6. Double-click the file to view it
Capture your Key Strokes
1. Right-click the compromised host and navigate to:
Meterpreter 1 -> Explore -> Log Keystrokes
2. Press Launch
3. From your Windows target: navigate to a website that you use, log out, and
log in by typing your credentials.
4. Take a look at the output of the Log Keystrokes tab.