BSWJ: Armitage - Exploitation

11 minutes
Video Transcription
Hello, everyone. Welcome back to Breaking Stuff with Joe. I am, as always, your eponymous host, Joe Perry. And today, for the third time, we're talking about Armitage. If you haven't seen the previous videos, I recommend you go back and watch them. But if you don't have time or desire, and you just want to learn about exploitation or Armitage, stay here.
And I'll explain that Armitage is an incredibly useful GUI front end for the Metasploit Framework, which allows for collaborative work with multiple
pen testers and members of the red team and guides you through every step of the hacking process, from the very beginning of reconnaissance all the way to the very end of covering your tracks in the post-exploitation phase. So there's just a ton of utility. It's a great tool, and one of the use cases, the one we're talking about today,
is that Armitage will actually guide you through the exploitation process. So once you've completed the previous video,
or the previous use case of Armitage, and you understand how to perform host discovery and you know sort of how to get all of the network maps set up the way you want them and how you can use that,
once you have that information, you can use today's video and what you're gonna learn here to actually exploit those hosts, maybe one by one, maybe in a batch. You're gonna learn about selecting the specific exploit you want to use. You'll learn about launching those exploits, and you're gonna learn about my personal favorite use of Metasploit, which is the Hail Mary option. And I don't want to spoil anything,
but it is
spectacular, absolutely ridiculous functionality, and I personally just love it. So that's what today's video is going to be about. We're gonna have our final Armitage video. We're gonna learn how to exploit the hosts that we discovered in our previous video, and hopefully you're gonna learn a lot about it. I certainly, as always, really enjoyed creating it.
So stay tuned. Watch for the next eight minutes or so, and you're gonna learn how you can use Armitage exploitation
to break stuff every day.
So picking up right where we left off in our last Breaking Stuff with Joe video, we're in our Kali VM with Armitage already up and running and an imported host scan complete. So what we want to talk about here, like I said, is selecting and launching exploits and then examining our Hail Mary option. And you can finally find out exactly what that means
and get a little bit of an anecdote to go along with it.
So selecting exploits is as straightforward as it seems. When we're working in Armitage, we simply
go over to our exploit menu. We expand that menu out, and then we look at something that might be appropriate for a given target.
So in this case, the one target that we've identified is a Linux box, and we can see here we have a bunch of different options for targeting Linux. Well, we can recall that we tried to log in against HTTP earlier, and it popped up a menu for us to do that because of the fact that HTTP was enabled,
so we can look at our HTTP options for exploitation,
and you can see that there are just an absolute ton of them, just a bunch of different options. You know, obviously, Linux is not as popular to attack as Windows, but it's certainly still there,
but we don't really know too much about that machine right now because all we've really done is that initial scan. So what might we want to do?
Let's have a look at this scan option here
and see that we can run an option to find out what the device is and perform and figure out every single service that's running on it and every bit of information we can find.
We got our host discovery scans. We got back some information; we can see here that there are two ports that are definitely open on TCP.
And before that
we can see all of the different options that were being set in Metasploit.
So we've done our scan. We know that there are two ports that are open.
Now let's try a little bit more of an in-depth look at our services. We can see that one of those ports is the Cisco SCCP option, which is something that we might want to consider, and the second one is HTTP on an Apache server on CentOS. So
one of the things that's not a bad idea, one that I tend to do pretty often when you're doing a scan like this, is, before you even start throwing exploits at it, just go and look at that target.
So let's see, what we had was 10.0.2.15 on port 3000.
Slow loading Firefox.
There we go,
10.0.2.15
and port 3000,
and it should just take a few seconds to load whatever page that might be.
There we go. You can see that there's an Apache test page powered by CentOS, and even better, you can see that
this is just a generic Apache page, which is usually a great sign. What that means is that whoever has this system set up doesn't actually have anything set up for the page. They don't have any security in place. They just have a server, a
web server that's just stood up facing the Internet. And you can see here the message: if you're a member of the general public, something has gone terribly, terribly wrong. So we could take advantage of that when we're doing this exploit,
or when we're looking for exploits to throw, simply by going up here
and seeing if we have anything for Apache,
and you can see we have two different options for Apache.
We have this CouchDB. We're gonna look at
CouchDB: administrative users can configure the database server.
So this allows you to, this allows an admin user to execute arbitrary shell commands. That's the actual text about the exploit. That's something that you might be able to do by throwing it at an Apache server; again, you could gain code execution against your target. Alternatively, we can look at this option here, and we can see it exploits command injection
in Apache Continuum. So those are the two Apache targets, the two Apache tools we have right now
for targeting HTTP against Linux. And if we actually wanted to run one of those, all we would have to do
is drag and drop,
and you can see it's going to say the module, it's gonna give you that module explanation again for what it does. You're going to see down here all of the different options you can enable and the target that you select, you could ask for a reverse connection, and you can again look at the advanced options for Metasploit,
and then all you have to do is launch. Now, I'm not going to launch this, because the specific system that these computers are set up on will throw me out if I start throwing exploits across the wire right now. But if you were to, if your goal is to exploit your target, all you have to do is hit that launch button.
So that's the walkthrough of how we select and launch attacks against a given target.
But we actually have one last option, and it's one that I've teased a couple of times,
and it's the Hail Mary.
Now I love the Hail Mary.
It is my absolute favorite thing ever created in an exploit tool. And we're not going to launch it, again because I'm gonna get, I would get in a ton of trouble.
But I personally have to take time to talk about this menu and to tell you a little bit of an anecdote. So here you can see that the name of this panel that pops up is "Really?", and it states the Hail Mary will launch a flood of exploits at hosts in the current workspace. There is nothing stealthy about this action,
and if clumsily launching hundreds of exploits is what you would like to do,
then press Yes. And that's a great summary. What Hail Mary does is it looks at every target it's identified, whether or not it knows what that target is. Just if it's found a target on the network, it says, okay, what exploits might potentially work against this target? Throw
all of it. It is almost a DDoS by itself, just for the sheer number of attacks that it is launching and the number of things that could go wrong. There is no subtlety. There is no care. There's no caution. If you run Hail Mary, you're going to blow something up. But
it will
probably work
If that target could be exploited by anything that Armitage has access to, you're going to get that exploit in.
But you're going to make a lot of noise, an almost incredible amount of noise. So the anecdote that I want to tell, and I'll go ahead and leave this up, actually don't click on it just yet.
Years and years ago, when I was in training to learn how to work with tools like this and I was in a class about Metasploit and about Armitage,
We were given a task of, you know,
targeting a specific VM and basically just trying to find a way to exploit into that VM network, you know, pivot around, do all sort of the general hacking process, the reconnaissance, infiltration, data exfiltration, all the sort of standard hacking process.
And everything was going fine for the first, maybe 15 minutes of the class. And then all of a sudden, the system stopped working. We couldn't get access to the target VM. We couldn't get into any of our systems. We couldn't make our own computers work right. We couldn't get anything to happen. And so I raised my hand. And, you know,
excuse me, I think there's a problem with your system. I think that VM net's down. I don't know what happened,
but I can't exploit into it anymore.
The instructor looks and can't figure out what's wrong with the system, and everybody's kind of running around trying to figure out what happened until I noticed on the computer screen in front of me
what looks like absolute mayhem.
And out of curiosity, I load up an Nmap scan, not an Nmap scan, a Wireshark scan, and start looking at all the packets on the network.
And then I discover that someone has launched Hail Mary not once, not twice, but a bare minimum of 50 times.
I asked the person who was sitting in front of me who explained that Well, yes, I hit the Hail Mary button and nothing happened. So I hit it again, and I kept clicking it until something started to happen.
And that's when we found out that they had thrown so many exploits so quickly with so many different targets that not only had our class been shut down, but every single network in the entire building that was connected to any of the routers had been blown away. Even though we were operating on a VM net, the sheer volume of traffic
was shutting down routers throughout the building,
so we got in a ton of trouble. Everything, you know, was a huge mess. We had to spend all day trying to fix everything and reboot all of the systems. But that's one of the many sort of cautionary tales that I will give about Hail Mary. It's my favorite option because it is absolutely ludicrous. But you almost certainly should not use it against a real system that is in production.
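The "flood of exploits, nothing stealthy" behaviour just described is also what makes a Hail Mary easy to spot from the defender's side of the network. Here is an added example, not code from the video or from Armitage itself, of a small Python detector that flags any source touching many distinct host/port pairs within a short window; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Detect an Armitage Hail Mary-style exploit flood in connection logs.
Added illustration only: the log format, sample lines and thresholds are
assumptions, not anything Armitage or the video defines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "<ISO timestamp> <src> <dst> <dst_port>" per line.
# 10.0.2.4 hits 25 distinct host/port pairs within 25 seconds (the flood);
# 10.0.2.7 makes two ordinary visits to the Apache test page on port 3000.
SAMPLE_LOG = "\n".join(
    [f"2020-01-01T10:00:{i:02d} 10.0.2.4 10.0.2.{15 + i % 3} {2000 + i}"
     for i in range(25)]
    + ["2020-01-01T10:00:05 10.0.2.7 10.0.2.15 3000",
       "2020-01-01T10:00:40 10.0.2.7 10.0.2.15 3000"]
)

def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_floods(text, window=timedelta(seconds=60), min_targets=20):
    """Map each source that touches at least `min_targets` distinct (dst, port)
    pairs inside any `window` to the largest such count it reached. An ordinary
    client does not fan out across dozens of services in seconds; an exploit
    flood (or a port sweep) does."""
    events = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        events[src].append((ts, (dst, port)))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({target for _, target in hits[start:end + 1]})
            if distinct >= min_targets:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

Running `find_floods(SAMPLE_LOG)` on the constructed log flags only 10.0.2.4; the two-connection visitor on port 3000 stays below the threshold.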
So there you go. That's the exploitation process. Once you've found your target, you go through and you select based on the exploit you want to launch. And if there's a payload you want to attach to it, of course, select that as well. You figure out what you want to do. You determine whether or not it will be useful against your given target. And then you can just drag and drop. And if all else fails and you're fine taking down the whole system,
then it's time to Hail Mary.
That's gonna be all there is for this video. Thank you, as always, for watching. I enjoy doing this a lot, and I enjoy getting to sprinkle in anecdotes like that one. Please, by all means, take some time. Use Armitage. Get familiar with it. It is one of the greatest collaborative tools for red teams and for pen testers in the world. Strongly recommended.
Really, really. Go check it out.
Until then, until you come back to see us the next time, I want to thank you again for watching Breaking Stuff with Joe here on Cybrary On Demand.