Building a Collaborative Attack Platform with Amazon EC2 – Part 2: Armitage

Part 2 – Prepare the Armitage Teamserver

Hello All,
how are you?

Let's start preparing the Armitage teamserver... What? Armitage is too old? You don't like hacking via a GUI?

Is Armitage only a Metasploit GUI? Are you sure? In my view, Armitage is a way to build a collaborative Metasploit platform for pentesting and red team operations: the teamserver wraps a single Metasploit instance, so the shells gained through any kind of attack (server-side exploits, client-side exploits, malware; the details are not important right now) are shared with every connected client. If you don't like this approach, no problem, see you in the next article, "EC2 collaboration in Empire"; for those who are interested, let's start:

We can use the Kali EC2 machine created in part 1a; if you haven't built the machine yet, you can watch that video now.

After logging in to your EC2 machine via SSH, become root and change to the Armitage directory. Running the script with no arguments prints its usage:

sudo /bin/bash
cd /usr/share/armitage
root@kali:/usr/share/armitage# ./teamserver
[*] You must provide: <external IP address> <team password>
<external IP address> must be reachable by Armitage
clients on port 55553
<team password> is a shared password your team uses to
authenticate to the Armitage team server

Now we can start the teamserver with the public IP address of our EC2 machine and a password that the team will share. Use the public IP shown in the EC2 console, not the private address the instance sees on its own interface: this is the address the clients will connect to, so it must be reachable on TCP 55553. "Passw0rd" is used here only for the demo; pick a long random password, because anyone who can reach port 55553 and guesses it gets every session on the teamserver:

./teamserver 54.154.119.193 Passw0rd

In this case we get an error because the Metasploit database has not been initialised yet; initialise it (as root) with:

 msfdb init

After initialising the DB, start the teamserver again:

./teamserver 54.154.119.193 Passw0rd
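The three manual steps above (become root, initialise the database once, run ./teamserver) as one script, with the checks I would want before exposing a teamserver on a public IP. This is an added example for this article, not part of Armitage or Kali. Assumptions are labelled in the comments: Armitage lives in /usr/share/armitage, Kali's msfdb writes its config to one of the two database.yml paths checked below, and the instance can reach the EC2 metadata service.

```shell
#!/bin/sh
# start-teamserver.sh: wraps "sudo; msfdb init; cd /usr/share/armitage; ./teamserver IP PASSWORD"
# with sanity checks. Added example, not Armitage's own script.
# Assumption: Armitage is installed under /usr/share/armitage (Kali package layout).
ARMITAGE_DIR=/usr/share/armitage

# Public IP as seen from the Internet. On EC2 the interface only carries the private
# address, so ask the metadata service (IMDSv2: fetch a token, then the attribute).
ec2_public_ip() {
    token=$(curl -sf -X PUT http://169.254.169.254/latest/api/token \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        http://169.254.169.254/latest/meta-data/public-ipv4
}

# Strict dotted-quad check: four octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# RFC 1918 ranges: a teamserver started on one of these is unreachable from outside the VPC.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Random team password. Alphanumeric only: the teamserver script hands the password to
# msfrpcd on a command line, so shell metacharacters would only cause trouble.
gen_team_password() {
    local len="${1:-24}" pw=""
    while [ "${#pw}" -lt "$len" ]; do
        pw="$pw$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$pw" | cut -c1-"$len"
}

start_teamserver() {
    local ip="$1" pw="$2"
    [ "$(id -u)" -eq 0 ] || { echo "[-] run as root (sudo)" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "[-] '$ip' is not an IPv4 address" >&2; return 1; }
    if is_private_ipv4 "$ip"; then
        echo "[-] $ip is a private address; use the public IP from the EC2 console" >&2
        return 1
    fi
    [ "${#pw}" -ge 16 ] || { echo "[-] team password shorter than 16 characters" >&2; return 1; }
    # Assumption: Kali's msfdb writes database.yml to one of these two paths. Initialise
    # only the first time; afterwards just make sure PostgreSQL is running.
    if [ -f /usr/share/metasploit-framework/config/database.yml ] || [ -f "$HOME/.msf4/database.yml" ]; then
        msfdb start
    else
        msfdb init
    fi
    # teamserver uses relative paths (its keystore), so it must run from its own directory
    cd "$ARMITAGE_DIR" || return 1
    ./teamserver "$ip" "$pw"
}

# usage: sudo sh start-teamserver.sh start [public-ip] [password]
# (IP defaults to the instance's public IP, password to a fresh random one)
case "${1:-}" in
    start)
        TEAM_IP="${2:-$(ec2_public_ip)}"
        TEAM_PW="${3:-$(gen_team_password 24)}"
        echo "[*] starting teamserver on $TEAM_IP; share this password out of band: $TEAM_PW"
        start_teamserver "$TEAM_IP" "$TEAM_PW"
        ;;
esac
```

Run it as `sudo sh start-teamserver.sh start` on the EC2 instance; the generated password is printed once so you can hand it to the team over a channel other than the one the clients will use.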

Wonderful, it's working. Now let's start the Armitage client. For this I'm using another Kali machine, a local one this time; the steps are similar to the ones above. In the connect dialog enter the host, port, user and password the teamserver printed at startup:

cd /usr/share/armitage
./armitage

On connecting, the client shows the fingerprint of the SSL certificate the server presented. Compare it with the fingerprint the teamserver printed on its console at startup: if they match, press Yes; if they don't, stop, because you are talking either to the wrong host or to something sitting between you and the teamserver.
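The same check done from the command line, so the fingerprint can be verified out of band before anyone clicks Yes. This is an added example, not part of Armitage; it assumes the fingerprint Armitage shows is the SHA-1 of the certificate (the usual default), so if your version shows another digest, change -sha1 to match.

```shell
#!/bin/sh
# check-teamserver-fp.sh: fetch the certificate the teamserver presents on TCP 55553 and
# compare its fingerprint with the one printed on the server console.
# Added example, not Armitage code. Assumption: the displayed fingerprint is SHA-1.

# Canonical form: drop a "SHA1 Fingerprint=" style prefix, colons and spaces, lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ': ' | tr 'A-F' 'a-f'
}

# True when both strings denote the same digest, whatever their formatting.
fingerprints_match() {
    local a b
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Certificate fingerprint of a live server (assumes it is up and reachable). The
# 2>/dev/null hides the "self signed certificate" verify chatter, which is expected here:
# the teamserver generates its own certificate, and the fingerprint is the only anchor.
remote_fingerprint() {
    openssl s_client -connect "$1:${2:-55553}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1
}

# usage: check_teamserver HOST EXPECTED_FINGERPRINT [PORT]
check_teamserver() {
    local actual
    actual=$(remote_fingerprint "$1" "$3") || { echo "[-] could not fetch a certificate from $1" >&2; return 2; }
    if fingerprints_match "$2" "$actual"; then
        echo "[+] fingerprint matches ($(normalize_fp "$actual")): safe to click Yes"
    else
        echo "[-] MISMATCH: server presented $(normalize_fp "$actual"), console said $(normalize_fp "$2")" >&2
        echo "    Do not connect: wrong host, or something in the path is terminating SSL." >&2
        return 1
    fi
}

# usage: sh check-teamserver-fp.sh check 54.154.119.193 'AB:CD:...' [55553]
case "${1:-}" in
    check) check_teamserver "$2" "$3" "$4" ;;
esac
```

The expected fingerprint is the string the teamserver printed at startup, copied from the server console (or read to you by the person who started it), never from the client dialog itself.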

and you can choose your nickname…

and voilà, the Armitage console is ready for your operation.

That's all for now.

Happy hacking and stay tuned

Building a Collaborative Attack Platform with Amazon EC2 – Part 1a: CobaltStrike

   Part 1a – Prepare the PenTest Machine

For a real red team operation we need a more complex cloud infrastructure: in the real world the teamserver machines have various roles or tiers, but this is beyond the scope of this article. For more information you can watch Raphael Mudge's (@armitagehacker) video at https://www.youtube.com/watch?v=3gBJOJb8Oi0.

In these three videos we'll build a simple EC2 machine with the Armitage teamserver and the Cobalt Strike teamserver installed, which we will use as needed.

Let’s start

  • In a real-world scenario the red team works under a business contract and uses several machines sized after a careful capacity analysis of CPU, RAM, disk and network bandwidth; for demo purposes we'll use a single micro instance eligible for the free usage tier.

In real-world scenarios EC2 is a very sensible choice because of its scalability and bandwidth, because it is on-demand and because the costs are reasonable. We must also consider that real attackers use solutions like this, so if we want to emulate their behaviour we, in turn, use cloud platforms. A teamserver reachable from anywhere thanks to the cloud is also a convenience for the whole team.

The first step is to create an account on http://aws.amazon.com

This is not an article for script kiddies: we will use one of our real e-mail addresses and our real credit card number. (If you already have an AWS account, you can use it.)

We could choose any Linux VM, but for our job I would choose a Kali VM.

After creating the new account (or logging in with your existing account), click on AWS services and then on EC2.

Now choose Instances and Launch Instance.

If you want to create a Kali machine you can't use Quick Start; you must choose AWS Marketplace

and write “kali” in the search field.

Click on Select.

Now we can choose the machine type. If you want to take advantage of the free tier, select a t2.micro, then click Review and Launch. Now we can create a new security group. SSH is the only port open by default, but for red teaming operations we need more ports open. You could open everything (All traffic, all protocols, all ports, any source; not recommended outside a demo) or only the ports you need, for example HTTP 80, HTTPS 443 and DNS 53 for your listeners, plus TCP 55553 for the Armitage teamserver (deconfliction server). For demo purposes we open "any-any-any-permit"; keep in mind that this also exposes SSH and the teamserver port to the whole Internet, so in anything but a throwaway demo restrict 22 and 55553 to your team's own IP addresses.

Now click on Review and Launch (and then Launch, if necessary). At this point, if you already have a key pair you can use it; otherwise create a new one. It is very important to save and back up your key pair: if you lose the private key you can't log on to your instance again.

Tick the acknowledgement and then click Launch Instances.

If you click on the instance ID you can view your instance list and manage your instance.

If you want, you can give your instance a name or change the availability zone it is placed in; for this demo these details are not relevant.
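The security group from the launch wizard above, built with the aws CLI so that the listener ports are world-reachable while SSH and the Armitage port are limited to the team's own addresses. This is an added example, not from the article or from AWS; the VPC id and the team's source CIDR (203.0.113.0/24 in the usage line is a documentation range, substitute your own) are arguments, the group name is a placeholder, and the region comes from AWS_DEFAULT_REGION or --region as usual.

```shell
#!/bin/sh
# teamserver-sg.sh: create the security group for the Kali/teamserver instance with the
# aws CLI, exposing only what the team needs instead of "all traffic from anywhere".
# Added example; group name "redteam-teamserver" and the CIDRs are placeholders.

# One rule per line: "proto port cidr label". Listener ports must be reachable from
# anywhere because that is where targets call back to; SSH and the Armitage port are
# management and are limited to the team's own egress range.
teamserver_rules() {
    local team_cidr="$1"
    cat <<EOF
tcp 22 $team_cidr ssh-from-team
tcp 55553 $team_cidr armitage-teamserver-from-team
tcp 80 0.0.0.0/0 http-listener
tcp 443 0.0.0.0/0 https-listener
udp 53 0.0.0.0/0 dns-listener
EOF
}

# Print every rule that would expose a management port (22, 55553) to 0.0.0.0/0;
# empty output means the rule set is acceptable.
world_open_mgmt_rules() {
    while read -r proto port cidr label; do
        case "$port:$cidr" in
            22:0.0.0.0/0|55553:0.0.0.0/0) echo "$proto $port $cidr $label" ;;
        esac
    done
}

# Create the group and apply the rules. Refuses to run if the rule set fails the check
# above (for example because 0.0.0.0/0 was passed as the team CIDR).
apply_teamserver_sg() {
    local vpc_id="$1" team_cidr="$2" bad sg_id
    bad=$(teamserver_rules "$team_cidr" | world_open_mgmt_rules)
    if [ -n "$bad" ]; then
        echo "[-] refusing: management port open to the world:" >&2
        echo "$bad" >&2
        return 1
    fi
    sg_id=$(aws ec2 create-security-group --group-name redteam-teamserver \
        --description "Armitage/Cobalt Strike teamserver" --vpc-id "$vpc_id" \
        --query GroupId --output text) || return 1
    teamserver_rules "$team_cidr" | while read -r proto port cidr label; do
        aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
            --protocol "$proto" --port "$port" --cidr "$cidr" >/dev/null || exit 1
    done || return 1
    echo "$sg_id"
}

# usage: sh teamserver-sg.sh apply vpc-0123456789abcdef0 203.0.113.0/24
case "${1:-}" in
    apply) apply_teamserver_sg "$2" "$3" ;;
esac
```

In the console wizard the equivalent of the team CIDR is choosing "My IP" as the source for the SSH and 55553 rules; the script just makes that choice explicit and checkable, and it prints the new group id so it can be attached to the instance at launch.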

Before installing Cobalt Strike, log on to your Kali machine with any SSH client; if you are using Windows you can download PuTTY.

If your SSH client uses .ppk keys (PuTTY does), you need to convert the .pem private key with PuTTYgen; you can follow the official AWS guide at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html

The login target looks like ec2-user@ec2-00-00-00-00.eu-west-1.compute.amazonaws.com, where 00-00-00-00 is the public IP of your instance written with dashes instead of dots. Now you can update and upgrade your Linux box with:

sudo apt-get update && sudo apt-get upgrade

That's all for today.

Watch part 1b – Prepare the Cobalt Strike teamserver

(The video is embedded in the original post.)

Part 2 – Build Armitage Teamserver – coming soon