Live-Fire Security Testing with Armitage and Metasploit

Armitage and Metasploit let you attack your network like skilled criminals. Use these attacks to evaluate your security posture.
Pass the Hash

After post-exploitation, you'll want to compromise more hosts. Pass the hash is a technique for further compromising a Windows network.

Windows hosts do not pass your network credentials in the clear. Rather, they use a challenge-response scheme to generate a hash. Windows uses this hash to authenticate you on the Active Directory domain. Windows hosts cache and re-use hashes to authenticate to other hosts on the network. This saves you the trouble of retyping your password when you access a file share. Attackers use stolen hashes to get access to other hosts on your active directory domain.

Dumping cached hashes requires local administrator access. Use Meterpreter→Access→Escalate Privileges to try several local exploits to increase your privileges. Go to Meterpreter→Access→Dump Hashes to steal the local cached credentials.

Now you need targets. Use the auxiliary/windows/smb/smb_version module to find other Windows hosts on the Active Directory domain.

Go to Attacks→Find Attacks to generate an Attack menu for each host. Highlight several Windows hosts, right-click, and use Attacks→smb→pass the hash. Armitage lets you choose which set of credentials to try. Pick a pair and click Launch. You've passed the hash. Each successful login will give you a Meterpreter session.

Patches exist for Metasploit's Windows privilege escalation exploits. Attackers who compromise a patched system don't have to stop though. They may scan for an unpatched host, exploit it and then carry out these steps.

Evaluating the Risk

Earlier, I defined a penetration test as a way to learn how attackers may get access to key systems and files. I suspect you did not find a working exploit for your key servers. Before you conclude your network penetration test, I'd like you to think like an attacker for a moment.

Attackers will use social engineering and client-side attacks to get a foothold. Attackers then will try to exploit a workstation to collect hashes. Using pass-the-hash, your patched Windows systems are no longer safe. What happens if attackers access your workstation, install a key logger and download your SSH keys? One vulnerable host can lead to a total compromise of your otherwise secure assets.

Next Steps

In this article, I've shown you the techniques attackers use against your network. You learned how to scan your network, exploit hosts and carry out post-exploitation actions. You also learned how to maneuver deeper into your network using the pass-the-hash technique. The next step is to apply what you have learned.

I recommend that you download the Metasploitable virtual machine. Metasploitable has many services you can exploit for shell access and information. Attack Metasploitable to become familiar with Armitage and Metasploit before you start your first penetration test.

Raphael Mudge is the developer of Armitage. He lives in Washington, DC. Contact him at


White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState