Live-Fire Security Testing with Armitage and Metasploit

Armitage and Metasploit let you attack your network like skilled criminals. Use these attacks to evaluate your security posture.
Password-Guessing Attacks

Metasploit also has modules to run a dictionary-based password-guessing attack against most services. Search for _login in the module browser to find these modules. To attack SSH, highlight several hosts in the targets view and double-click the ssh_login module.

Metasploit gives you a lot of flexibility for executing password-guessing attacks. Set the USERNAME and PASSWORD options if you want to try one user name and password. Set USERPASS_FILE to a file with “username password” entries on each line. Or set USER_FILE and PASS_FILE to attempt access using every user name from USER_FILE with every password from the PASS_FILE.

Metasploit comes with several user name and password word lists. On BackTrack, they're located in /pentest/exploits/framework3/data/wordlists. Double-click a file-expecting option name (for example, PASS_FILE) to set the option using a file-chooser dialog. Click Launch to begin the password-guessing attack. Armitage displays the attack's progress in a new tab.

Metasploit stores successful logins in its database. Go to View→Credentials to see them. You can use these credentials to log in to a host as well. Right-click a host, select Login, and choose the service to log in to. If the login yields a session, the host turns red with lightning bolts (just like a successful exploit). A session is an active shell or agent that you can interact with.

Password-guessing attacks are an important part of a penetration test. You should verify that common user name and password combinations do not give access to your network resources. Also, guessed credentials make other attacks possible. For example, the snmp_login module might find a community string that an attacker uses to write a new configuration file to your Cisco device.

Client-Side Exploitation

To use exploits and launch password-guessing attacks, attackers need network access to your services. A configured firewall will stop many attacks. However, attackers are not out of options. Determined attackers will use client-side exploits and social engineering to get inside your network's perimeter.

Go to Attacks→Browser Attacks→multi→java_signed_applet to launch a cross-platform client-side attack. This attack starts a Web server with a malicious Java applet. The applet asks visitors to grant the applet full rights to their local system. Disguise this applet as a neat game, and you may get access to a lot of hosts.

Use Attacks→Evil Files→windows→adobe_pdf_embedded_exe to generate a PDF file with an embedded executable that connects back to Metasploit. This attack asks users to take an action that runs this embedded executable. Most users are unaware of the security risks with opening a PDF file.

Click Attacks→Browser Autopwn to start a Web server that will use the browser fingerprint of each visitor to send an exploit. If you e-mail every user in your organization with this link, how many hosts would you compromise?

I recommend testing these client-side attacks on your workstations and seeing what's possible. User education is the best defense against these attacks. Consider demonstrating these attacks at your next training event. Users who can recognize attacks will add to your security posture.


One compromised host allows attackers to attack your network from the inside. Metasploit's pivoting feature allows you to bounce your attack traffic through a compromised host. Pivoting makes client-side attacks very dangerous.

Pivoting works like a router within Metasploit. You choose a network and set a compromised host as the gateway. Metasploit uses these routes for all of its attacks and scanning modules. Right-click a compromised host and navigate to Meterpreter→Pivoting→Setup to configure this feature. Armitage shows a green line between pivot hosts and their known targets (Figure 7).

Figure 7. Targets with Pivoting

Metasploit has a built-in proxy server. Use this if you want to use an external tool, like Firefox, through the pivots you have set up. Go to Armitage→SOCKS Proxy to launch this feature.


Post-exploitation is what happens after access. A successful attack gives you shell access on non-Windows hosts. Successful Windows exploitation gives you access to Meterpreter.

Meterpreter is a powerful post-exploitation agent built in to Metasploit. Meterpreter runs from the memory of the process you attacked. Through it, you can browse and download files, view processes, take screenshots, log keystrokes, run privilege escalation exploits and interact with a command shell.

Armitage provides an intuitive interface for much of Meterpreter's functionality. Figure 8 shows the file browser. Right-click a compromised host and navigate to the Meterpreter menu to explore these functions.

Figure 8. File Browser

Meterpreter is powerful, but Armitage has a few tricks for shell access too. Right-click a compromised host and navigate to the Shell menu. Select Interact to open the command shell in a tab. Use Upload to upload a file using the UNIX printf command. Choose Disconnect to close the session.