This article serves as a demonstration cum tutorial on exploiting a Windows 7 x64 virtual machine/system using a GUI-based tool called Armitage. But before we begin, we must know what Armitage actually is…
Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.
As we will soon see, Armitage is a really underrated tool. If you want to hide the technical details involved in penetrating a system, Armitage is your best bet, and in general it is relatively more convenient. We shall be performing our operations on a Windows 7 64-bit virtual machine (you can use any other Windows 7 system). We will be using Armitage on a Kali Linux virtual machine (where it is typically preinstalled).
In case it isn't preinstalled, add the Kali repositories to your APT sources (for example in /etc/apt/sources.list) and install it from your terminal:
deb http://http.kali.org/kali kali main non-free contrib
deb-src http://http.kali.org/kali kali main non-free contrib
apt-get update
apt-get install armitage
Since this tool uses Metasploit as a backend, Metasploit must be installed on your attacking machine/system.
With all that done, let's begin with the main process.
Detection of System
Firstly, we shall check that our virtual machine is indeed active and vulnerable at the same time. To do this we run a Quick Scan using Zenmap (on our attacking Kali device, where we will be using Armitage).
We can tell that the system is available because the scan lists its open services with their details.
Starting up Armitage
Before starting Armitage itself, if you are on an older version of Kali Linux (2.x), we must run the following command -
Note: in case you run Armitage before doing this, you are notified of the solutions you have in order to start Armitage correctly. It needs a database.yml file to run, so a GUI popup appears and you can carry out the solutions yourself.
After all that, we just need to boot up Armitage. To do that we start the PostgreSQL database it depends on and run the tool as root using the following commands -
service postgresql start
sudo armitage
Once we do that, a window should pop up.
Simply click on Connect here and proceed. After that you will be prompted to start an RPC server for Metasploit to accept connections. Simply click Yes on that prompt.
Armitage GUI
Once we complete the above steps, we shall see the GUI program running as shown below.
Exploitation Stage
In the console we execute the typical Metasploit commands first. We execute "use exploit/multi/handler", so that we can handle multiple payloads and Meterpreter sessions at the same time. Since we know our virtual machine is a Windows 7 64-bit operating system, we start with the simplest and most successful Remote Code Execution (RCE) exploit, EternalBlue.
We search for it and use the exploit just as we would in Metasploit, as we can see below.
Once we are in the exploit's console, we set our payload to reverse_tcp in case it is reverse_https (if it isn't, we do not need to change the payload). Then we execute "show options" and check the parameters of concern, as we can see below.
Among the parameters we can see a variable called RHOSTS. RHOSTS must contain the IP address of the victim (we already know this to be 192.168.0.181).
In my case I had to set the LPORT to something else because the exploit wasn't working on the default port set by Armitage, so I set my LPORT to 4444. You can set it to anything that works as long as it isn't a reserved port like FTP. After we set the parameters, we simply run exploit.
If the exploit was successful, a new Meterpreter session should open up. When a session opens, the image for our host in the top right panel, which was normal before, switches to an image indicating that the system has been broken into.
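Seen from the defender's side, the chain above has a distinctive shape: an inbound SMB connection (TCP 445, which EternalBlue abuses) is followed within seconds by a new outbound connection from the victim back to the same peer, which is the reverse_tcp payload calling home on LPORT. The following detection logic is an added example (not part of the original article); it runs over constructed flow-log lines in an assumed `timestamp src sport dst dport` format, with 192.168.0.181 as the victim from the tutorial and 192.168.0.20 as a made-up attacker address. It matches on the peer rather than the port, because, as noted above, LPORT can be anything.

```python
"""Flag reverse-shell callbacks that follow an inbound SMB connection.

Pattern: peer A connects to host V on 445, then V opens a connection
back to A shortly afterwards. The port V calls back on is ignored on
purpose (4444 in the tutorial, but any LPORT works for the attacker).
"""
from datetime import datetime, timedelta

# Constructed sample flows (not a real log export). One flow per line:
# ISO timestamp, source IP, source port, destination IP, destination port.
SAMPLE_FLOWS = """\
2023-01-01T10:00:01 192.168.0.20 49152 192.168.0.181 445
2023-01-01T10:00:02 192.168.0.50 51000 192.168.0.181 445
2023-01-01T10:00:04 192.168.0.181 49800 192.168.0.20 4444
2023-01-01T10:05:00 192.168.0.181 49801 192.168.0.99 443
"""

SMB_PORT = 445
WINDOW = timedelta(seconds=30)  # how long after the SMB hit a callback counts


def parse_flows(text):
    """Parse the assumed five-field flow format into typed tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows


def find_reverse_shells(flows, window=WINDOW):
    """Return (victim, attacker, callback_port) for every outbound connection
    a host makes to a peer that hit its SMB port within `window` beforehand."""
    inbound_smb = {}  # (server, client) -> time of the latest inbound SMB flow
    alerts = []
    for ts, src, sport, dst, dport in sorted(flows):  # sorted() orders by time
        if dport == SMB_PORT:
            inbound_smb[(dst, src)] = ts
            continue
        seen = inbound_smb.get((src, dst))
        # Only a callback to the *same* peer, shortly after, is suspicious;
        # the 443 flow to an unrelated host in the sample stays quiet.
        if seen is not None and timedelta(0) <= ts - seen <= window:
            alerts.append((src, dst, dport))
    return alerts


if __name__ == "__main__":
    for victim, attacker, port in find_reverse_shells(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {victim} called back to {attacker}:{port} after inbound SMB")
```

Legitimate SMB clients rarely receive a fresh connection from the file server they just talked to, so the window can be kept tight; widen it only if your environment has services that do so by design.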
Post Exploitation
Now that a Meterpreter session is open, to run any Meterpreter module all we need to do is right-click the host image in the top right panel and simply click on whatever we want to do. In this case I went to the category "Explore" and clicked on "Browse Files".
EternalBlue is an RCE (Remote Code Execution). Once we are inside the system's shell (or a Meterpreter session is opened up), we can run various LCEs (Local Code Execution) in order to gain escalated privileges (control over UAC).
To open up the directory of LCEs, we right-click and go to the Meterpreter category, then to "Access", and click on "Escalate Privileges".
As we can see, the directory /exploit/windows/local is displayed on the top left panel. We try as many UAC exploits as we can to gain privileged access. To run a local exploit, all we do is double-click the exploit in the top left panel and a popup appears as shown below. We set "Targets" to 1, since our VM is of a 64-bit architecture.
It is very much possible that this kind of exploit fails because you are already in an elevated state. However, this session is still not at the level of an Administrator.
So to create a new session that runs with higher privileges, we run the windows/local/ask exploit and simply click on Launch as it is.
We can see that after running said exploit, we gain another Meterpreter session with admin privileges. To access this session, all you need to do is type "back", which returns you to the multi handler. Since in this case the administrator session is numbered "2", we run the command "sessions -i 2" to access the elevated session.
Conclusion
While the initial exploitation stages are similar to those of your typical Metasploit workflow, once we gain normal access we are able to automate whatever we want. The list of exploits is relatively more organized and concise than in the default CLI. I hope this tutorial cum demonstration served its purpose in educating you on this tool and motivates you to use it in future endeavours.