
more and more often a collaborative effort with teams of talented security practitioners rather than a solo effort.

Armitage is a scriptable red team (that is what the offensive security teams are called) collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.

Through one Metasploit/Armitage Server instance, your team can:

• Use the same sessions

• Share hosts, captured data, and downloaded files

• Communicate through a shared event log (very similar to an IRC chat, if you are familiar with those)

• Run bots to automate red team tasks

What you should know

To get the most out of this article you should have a working (and preferably updated) BackTrack 5 R3 system; 32-bit or 64-bit shouldn't matter, but I personally run a 32-bit system in a virtual machine.

This article makes extensive use of the command line, so you should preferably be familiar with that. You should also have a workstation that can run the Armitage Java GUI, which can either be the BackTrack computer in X Windows or a separate computer running Linux, OS X or Windows that can reach the BackTrack machine via the network.

Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you give the virtual machine (or physical machine) running your BackTrack 5 R3 team server at least 1.5GB of RAM.

What you will learn

After reading this article you should know how to run an Armitage server and have several clients connected to it for multiplayer Metasploit, meaning running red teams with more than a single member on the same Metasploit server.

Installation

I will base this article on BackTrack 5 R3, so get that from http://www.backtrack-linux.org/. After you have downloaded and booted it you need to start by connecting it to the network and updating the Metasploit Framework. The default username/password for BackTrack 5 is "root" / "toor" ("root" spelled backwards).

Update BackTrack and Metasploit

Before we begin we should update BackTrack to get the latest fixes by running

# apt-get update

# apt-get dist-upgrade

We should also update the Metasploit Framework by running

# msfupdate

Listing 1. Armitage TeamServer init script (/etc/init.d/teamserver)

#! /bin/sh
### BEGIN INIT INFO
# Provides:          armitage-teamserver
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Armitage TeamServer
# Description:       Armitage TeamServer for true Multiplayer Metasploit
#
### END INIT INFO

# Author: Michael Boman <[email protected]>
#

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
DESC="Armitage TeamServer"
NAME=teamserver
ARMITAGE_DIR=/opt/metasploit/msf3/data/armitage
DAEMON=$ARMITAGE_DIR/$NAME
# teamserver takes two arguments: the external IP clients connect to and the
# team password. Prefer setting DAEMON_ARGS in /etc/default/teamserver (mode
# 0600, read below) instead of in this world-readable script; note that the
# password is in any case visible to local users in the process list (ps)
# while the server runs, because teamserver receives it on the command line.
DAEMON_ARGS="172.16.109.130 MySecretPassword"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
        --chdir $ARMITAGE_DIR --test > /dev/null \
        || return 1
    # teamserver stays in the foreground and writes no pidfile of its own, so
    # let start-stop-daemon background it and record the PID; otherwise
    # $PIDFILE is never created and stop/status cannot find the process.
    start-stop-daemon --start --quiet --pidfile $PIDFILE --make-pidfile \
        --background --exec $DAEMON --chdir $ARMITAGE_DIR -- $DAEMON_ARGS \
        || return 2
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently.  A last resort is to
    # sleep for some time.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f $PIDFILE
    return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
    return 0
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  status)
    status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  #reload|force-reload)
    #
    # If do_reload() is not implemented then leave this commented out
    # and leave 'force-reload' as an alias for 'restart'.
    #
    #log_daemon_msg "Reloading $DESC" "$NAME"
    #do_reload
    #log_end_msg $?
    #;;
  restart|force-reload)
    #
    # If the "reload" option is implemented then remove the
    # 'force-reload' alias
    #
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
    exit 3
    ;;
esac

:
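The init script above carries the team password in DAEMON_ARGS, and files under /etc/init.d are normally world-readable, so anyone with a local shell on the team server can read it. The script already sources /etc/default/teamserver, which is the right place for that value. The following is an added example, not code from the article or from the Armitage project: it writes that file with a random 24-character password and mode 0600, and checks an existing file the way a pre-start hook could (mode, shape of DAEMON_ARGS, no placeholder password, minimum length). The file path and the bind address 172.16.109.130 are passed in by the caller and are assumptions for illustration. This keeps the secret out of the script file only; because teamserver takes the password as a command-line argument it is still visible to local users in the process list while the server runs.

```shell
#!/bin/sh
# Added example, not from the article or the Armitage project.
# Keeps the teamserver password out of /etc/init.d/teamserver by writing
# DAEMON_ARGS to the /etc/default/teamserver file that the init script
# already sources. File path and bind address are caller-supplied
# (the values used when calling these functions are assumptions).

# gen_password: 24 characters from [A-Za-z0-9] read from /dev/urandom
# (about 143 bits of entropy). No spaces, because teamserver takes the
# password as a single positional argument.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# write_teamserver_default FILE BIND_IP
# Creates FILE containing DAEMON_ARGS="BIND_IP <random password>" with
# mode 0600. umask 077 is set before the redirection so the file is never
# group- or world-readable, not even between creation and chmod.
write_teamserver_default() {
    file=$1
    bind_ip=$2
    pw=$(gen_password)
    old_umask=$(umask)
    umask 077
    printf 'DAEMON_ARGS="%s %s"\n' "$bind_ip" "$pw" > "$file"
    umask "$old_umask"
    chmod 0600 "$file"
}

# check_teamserver_default FILE
# Returns 0 when FILE is mode 0600 and defines DAEMON_ARGS as
# "<bind ip> <password>" with a password of at least 16 characters that
# is not the "MySecretPassword" placeholder from the init script;
# otherwise prints the reason to stderr and returns 1.
check_teamserver_default() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2; return 1
    fi
    # The first ten characters of ls -l are the type and permission bits.
    if [ "$(ls -l "$file" | cut -c1-10)" != "-rw-------" ]; then
        echo "$file: must be mode 0600 (owner read/write only)" >&2; return 1
    fi
    # Source the file in a subshell so it cannot clobber our own variables.
    args=$(DAEMON_ARGS=; . "$file" && printf '%s' "$DAEMON_ARGS")
    # Split "<ip> <password>" into positional parameters (word splitting
    # is intended here; teamserver splits the same way).
    set -- $args
    if [ $# -ne 2 ]; then
        echo "$file: DAEMON_ARGS must be \"<bind ip> <password>\"" >&2; return 1
    fi
    pw=$2
    if [ "$pw" = "MySecretPassword" ]; then
        echo "$file: placeholder password still in use" >&2; return 1
    fi
    if [ "${#pw}" -lt 16 ]; then
        echo "$file: password shorter than 16 characters" >&2; return 1
    fi
    return 0
}
```

On the team server you would run `write_teamserver_default /etc/default/teamserver 172.16.109.130` as root once, then call `check_teamserver_default /etc/default/teamserver || exit 2` at the top of do_start so the service refuses to start with a readable or placeholder password.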

EXPLOITING WITH METASPLOIT

Once that is done we are ready to get Armitage running.