Hands-On Red Team Tactics

Armitage and team server

We are all used to the console of msfconsole, which is extremely powerful as it is. However, let's make this even more efficient by using Armitage. This is a Java-based GUI built around Metasploit, which first came out in 2013. Being built on Java makes it cross-platform.

Armitage comes pre-installed in Kali and can also be downloaded and installed on other platforms. Before we jump into setting up and using these tools, let's get an understanding of team server and its purpose.

Team server allows us to manage our red-team activity in a single workspace. It acts as a server that connects to and communicates with Metasploit, and multiple Armitage clients can connect to it. This is handy when a team is doing a red-team activity, as all of the members can have the Armitage client running on their own system and connect to a single shared workspace in order to perform the activity. By default, team server is not supported on Windows unless you have bash installed. It also does not come with the default macOS DMG file. To run a team server on macOS, we can download and install the archived file for Linux instead of the DMG. Since team server is only a bash script and the archived file for Linux already contains it, we can download and run it from there.

After this, we need to set the path of our Metasploit's database.yml using the following command:

export MSF_DATABASE_CONFIG=</path/to/.msf4/database.yml>

We can now run team server by browsing to the directory containing team server and running the following command:

sudo -E ./teamserver <local IP> <password>
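As an added example that is not from the book or the Armitage project, the following POSIX shell wrapper performs a few checks before launching team server with the two commands above: that the database.yml path is a readable file, that the address team server will bind to is a well-formed IPv4 address, and that the shared team password is not trivially short. The script name, the 12-character password minimum, and the path and address in the usage comment are assumptions of this example; the `-E` flag is kept because `sudo` would otherwise drop the exported MSF_DATABASE_CONFIG from root's environment.

```shell
#!/bin/sh
# Added example, not part of the book or of the Armitage project: pre-flight
# checks before starting the Armitage team server. The database path, bind
# address and password minimum used here are assumptions of this example.

# Succeeds when the given Metasploit database.yml is a readable regular file.
check_db_config() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ]
}

# Succeeds when the argument is a dotted-quad IPv4 address (four decimal
# octets, each 0-255). Team server binds to this address, so a typo here
# either fails the start or exposes the service on the wrong interface.
valid_ipv4() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Succeeds when the shared team password has at least 12 characters
# (the minimum is this example's choice; the book sets no minimum).
check_password() {
    [ "${#1}" -ge 12 ]
}

# Runs the checks, exports MSF_DATABASE_CONFIG and starts team server.
# sudo -E preserves the exported variable in root's environment; without -E
# the value set in our shell would never reach the teamserver script.
start_teamserver() {
    _db_cfg=$1
    _bind_ip=$2
    _team_pass=$3
    check_db_config "$_db_cfg" || { echo "database.yml not readable: $_db_cfg" >&2; return 1; }
    valid_ipv4 "$_bind_ip" || { echo "not a valid IPv4 address: $_bind_ip" >&2; return 1; }
    check_password "$_team_pass" || { echo "team password too short (min 12 chars)" >&2; return 1; }
    export MSF_DATABASE_CONFIG="$_db_cfg"
    sudo -E ./teamserver "$_bind_ip" "$_team_pass"
}

# Usage (path and address are placeholders, run from the directory that
# contains the teamserver script):
#   ./start-teamserver.sh "$HOME/.msf4/database.yml" 192.0.2.10 'long-shared-team-password'
if [ "$#" -eq 3 ]; then
    start_teamserver "$@"
fi
```

Every check is a separate function so the same validation can be reused by a client-side helper or a CI job that only verifies the database configuration without starting anything.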

Once team server is up and running, we can run the Armitage client and connect to our team server using the credentials we set:

It will also ask us to set a nickname that will help Armitage users to identify each other when they connect.

An Armitage window will now open up, giving us the beautiful GUI:

On the left menu, we can view the module browser, which shows a list of all the exploits, post modules, auxiliaries, and so on. We can either browse each folder by clicking on it or we can search the desired module in the search bar:

To run a module, we double-click on the module we wish to run. A new window will open up where we fill in the required details, such as RHOSTS, RPORT, and so on. These are the same options that the show options command displays in msfconsole:

Next, we click Launch and we will see that Armitage automatically calls the Metasploit API, executes the commands, and runs the exploit for us:

The top menu has different options. Let's go through some of them:

  • New Connection: This allows us to connect to different team servers in parallel.
  • Preferences: We can set display preferences, color, and so on.
  • Set Target View: This has two options: Table View or Graph View. These allow us to view our added hosts in the desired manner.

The Table View looks like this:

The Graph View looks something like this:

  • Socks Proxy: This allows us to configure a SOCKS4 proxy so that our external tools, such as Nmap, can be routed into the local network of a compromised server:
  • Listeners: This is used to quickly start a listener on a port, which can either be Bind or Reverse:

Coming to the View tab, we see this:

  • Console: This allows us to access msfconsole and run everything from the command line.
  • Event Log: This shows the logs of all the events happening on team server.
  • Credentials: This shows us the credentials we extracted during the activity in one place.
  • Downloads: This option allows us to view all the files that were downloaded from the target machines.
  • Jobs: This shows the list of active jobs being performed on team server.
  • Loot: This shows us whatever we looted from the target machines, including domain hashes, SQL hashes, and so on.
  • Script Console: This is used to run custom Cortana scripts, which can be downloaded from https://github.com/rsmudge/cortana-scripts. Cortana is a scripting language for both Armitage and Cobalt Strike. The prebuilt Cortana scripts can be loaded using this console and run to perform various tasks, such as automatically running MSF Scans, logging out a user, auto-discovery of new networks, and so on.
  • Reporting: This will open up the folders where the logs of Meterpreter sessions are saved, and we can use it for further reporting processes.

Coming to the Hosts tab, we see this:

  • Import Hosts: This allows us to import hosts from the output of a previous Nmap scan, a TXT file, and so on.
  • Add Hosts: Through this, we can manually enter the IP/subnet and add hosts to our target list.
  • Nmap Scan: This is used to perform an Nmap scan on the added hosts. Multiple types of Nmap scans can be performed, such as Ping Scan, Intense Scan, all TCP Ports, Intense Scan UDP, and so on:
  • MSF Scans: This will use Metasploit modules, such as the port scanner and other auxiliaries chosen based on the output of the port scan. By default, MSF Scans use the auxiliary/scanner/portscan/tcp module with a default list of ports to scan. Furthermore, the number of threads is 24 by default, which is a lot when scanning the network of a compromised host through its session. Keep this number between 5 and 10; otherwise, there is a high chance that your session will die.
  • DNS Enumerate: This module is used to get information about a domain from the DNS server by performing various DNS queries, such as zone transfers, reverse lookups, SRV record brute forcing, and other techniques.
  • Clear Database: This clears the existing database of the current workspace being used, thereby deleting all the hosts in the target view and the data related to it.

Armitage allows a user to perform a lot of actions through the simple click of a button, which saves time and is more convenient. Once we have a Meterpreter connection on one of our hosts, we can simply right-click on the compromised host and we will see options such as interacting with the Meterpreter session, listing processes, migrating to a different process, browsing files, and so on, all available by selecting and clicking on the desired option:

For example, if we want to log keystrokes, we can simply right-click on the host and go to Access | Explore | Log Keystrokes. This will directly open a new window where we configure the module options. By clicking Launch, we are then able to log keystrokes:

Upon clicking the options, a new window opens, as shown in the following screenshot:

We will now go a step further and explore another exploit usage through Armitage. To do this, we choose a host that has SMB running (Windows). We then right-click on the host, at which point we should see a Login menu option. From here, we choose psexec (psh). This module uses a valid login and password to execute a payload based on PowerShell. This payload is never written to disk:

Once we launch the module, we will see that we get a reverse connection to the machine just by logging in.