Chapter 3 Armitage: Easily Identify and Exploit Vulnerabilities
Technology is nothing. What’s important is that you have a faith in people, that they’re basically good and smart, and if you give them tools, they’ll do wonderful things with them. - Steve Jobs
Great, so we can use netdiscover to find machines. But how do we know what vulnerabilities exist on these machines? In the previous lab we told you which vulnerabilities existed, but how do you discover and exploit these on your own? This is where Armitage comes in. Armitage is a GUI front end for Metasploit (a tool we will look at in a later lab). Armitage allows you to easily scan hosts for vulnerabilities and exploit those vulnerabilities with only a few clicks.
3.2 Vulnerability Scanning Using Armitage
Goal: Scan the Metasploitable host for vulnerabilities and exploit one of these vulnerabilities to gain access to the machine.
Step 1: Start the Metasploitable server by clicking on the VirtualBox icon. Select the Metasploitable virtual machine and press the play button.
Step 2: Click on the Armitage icon.
Step 3: You should see the setup screen shown below. Click connect.
Step 4: If you get a pop-up asking you to start the Metasploit RPC server, click Yes. (Armitage communicates with Metasploit using the RPC server.) If everything is working well, you should get the following screen.
Step 5: Once you have successfully set up Armitage, you will need to discover the machines that you would like to scan for vulnerabilities. You can do this using the netdiscover tool from lab one, or you can use the Armitage discovery tool. Click on Hosts→Scan→Quick Scan (OS Detect).
Step 6: To ensure that we don’t attack unintended machines on our network, we will manually add the IP address of our Metasploitable machine to our Armitage workspace.
Step A: You will get a pop-up that asks you for the range of IP addresses that you want to scan. This takes IP addresses in CIDR notation, for example 192.168.1.0/24. IP version 4 addresses are 32-bit addresses. This notation means that you should keep the first 24 bits static and vary the remaining 8 bits to search for hosts. Enter the following IP address range in the box: [Your-IP-address]/24. Remember from the first lab that it is possible to get your IP address by running the ipconfig command.
Step B: Once your scan has completed, you will notice that Armitage has discovered the Metasploitable host.
Step 7: You will notice that one of the machines has the same address as the Metasploitable host from the first lab. Right click on this machine and select scan. Once the scan has completed you will see a list of open ports on the machine.
Step 8: Now that we have discovered some hosts and some open ports, let’s scan them for vulnerabilities. Click on the host that you want to scan. It will be highlighted by a green box. Then click on Attacks→Find Attacks.
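As an added example (not part of the lab handout), the bit arithmetic behind the /24 notation above, written in Python so you can see exactly which addresses a range covers and confirm that the Metasploitable host falls inside it before you scan. The address 192.168.1.37 used at the bottom is a constructed placeholder for your own machine's address.

```python
def ip_to_int(ip):
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_range(cidr):
    """Describe the block an address/prefix pair covers.

    The prefix length says how many leading bits stay fixed; the remaining
    32 - prefix bits vary, and those are the addresses a scanner walks.
    """
    ip, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top `prefix` bits set
    network = ip_to_int(ip) & mask                     # fixed bits only
    broadcast = network | (~mask & 0xFFFFFFFF)         # varying bits all 1
    if prefix >= 31:  # /31 and /32 have no separate network/broadcast address
        first, last, usable = network, broadcast, 1 << (32 - prefix)
    else:
        first, last, usable = network + 1, broadcast - 1, (1 << (32 - prefix)) - 2
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": usable,
    }


def in_range(ip, cidr):
    """True if `ip` lies inside `cidr`; use it to confirm a target such as
    the Metasploitable VM is within the range you are about to scan."""
    r = cidr_range(cidr)
    return ip_to_int(r["network"]) <= ip_to_int(ip) <= ip_to_int(r["broadcast"])


if __name__ == "__main__":
    # Constructed sample: the attacking VM's address is 192.168.1.37 (placeholder).
    print(cidr_range("192.168.1.37/24"))
    print(in_range("192.168.1.200", "192.168.1.37/24"))
```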
A Hail Mary Attack tries every attack in an attempt to break into to the system.
Step 9: Once the vulnerability scan has completed, you can see the exploitable vulnerabilities by right clicking on the host and selecting Attacks. The image below shows the ftp attack from our first lab.
3.3 Exploiting a host using Armitage
Step 1: Click on the ftp attack. This will show you a description of the attack.
When Armitage attacks a host it uploads a payload that allows you to control the host. This payload needs to be configured so that it can connect back to your machine; you then control that connection and, in turn, the compromised host.
Each parameter in the table shown in the figure above is explained below.
- LHOST : The IP Address of the controlling machine
- LPORT : The port on the controlling machine.
- RHOST : The IP Address of the host being attacked.
- RPORT : The port used by the payload
In a reverse connection, the attacked host starts the connection.
Step 2: Click launch to launch the attack. Once your host is compromised the host icon will change to
Step 3: You can now get shell access on the machine by right clicking on the host and selecting shell1→interact. A Linux shell will appear in the bottom section of Armitage.
Step 4: You should see a terminal open at the bottom of the window. Type the ls command in this window.
Step 5: We have hidden a file on the Metasploitable server called level002.txt. See if you can read the contents of the file. If you are able to find it, post the content to our Facebook wall.
Fix: Patch, Patch, Patch. The way to prevent attacks like the one above is to ensure that your software is always up to date, so that the system does not contain any known vulnerabilities.