commit
7d1752d858
Binary file not shown.
Binary file not shown.
|
@ -60,7 +60,7 @@ sure you peruse the FAQ and Manual first.
|
|||
7. License
|
||||
-------
|
||||
|
||||
(c) 2010-2012 Raphael Mudge. This project is licensed under the BSD license.
|
||||
(c) 2010-2013 Raphael Mudge. This project is licensed under the BSD license.
|
||||
See section 8 for more information.
|
||||
|
||||
lib/jgraphx.jar is used here within the terms of the BSD license offered by
|
||||
|
|
|
@ -1,6 +1,24 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
4 Jan 13 (tested against msf 16252)
|
||||
--------
|
||||
- Added a helper to set REXE option
|
||||
- Added an icon to represent Windows 8
|
||||
- [host] -> Login menu is now built using open services for all
|
||||
highlighted hosts, not just the first one.
|
||||
- [host] -> Login items now escape punctuation characters in passwords
|
||||
before passing them to a framework module.
|
||||
- Added the windows and linux postgres_payload exploits to the use a
|
||||
reverse payload by default list.
|
||||
- Small tweak to allow Armitage to work with Metasploit 4.5 installed
|
||||
environment on Windows.
|
||||
|
||||
Cortana Updates (for scripters)
|
||||
--------
|
||||
- &credential_add and &credential_delete no longer break when a
|
||||
password has creative punctuation in it.
|
||||
|
||||
26 Nov 12 (tested against msf 16114)
|
||||
---------
|
||||
- Windows command shell tab is now friendlier to commands that prompt
|
||||
|
|
|
@ -60,7 +60,7 @@ sure you peruse the FAQ and Manual first.
|
|||
7. License
|
||||
-------
|
||||
|
||||
(c) 2010-2012 Raphael Mudge. This project is licensed under the BSD license.
|
||||
(c) 2010-2013 Raphael Mudge. This project is licensed under the BSD license.
|
||||
See section 8 for more information.
|
||||
|
||||
lib/jgraphx.jar is used here within the terms of the BSD license offered by
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
<html>
|
||||
<body>
|
||||
<center><h1>Armitage 1.44</h1></center>
|
||||
<center><h1>Armitage 1.45</h1></center>
|
||||
|
||||
<p>An attack management tool for Metasploit®
|
||||
<br />Release: 26 Nov 12</p>
|
||||
<br />Release: 4 Jan 13</p>
|
||||
<br />
|
||||
<p>Developed by:</p>
|
||||
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 5.4 KiB |
|
@ -243,14 +243,18 @@ sub session_exploit {
|
|||
# credentials API
|
||||
#
|
||||
|
||||
sub _fix_pass {
|
||||
return replace(strrep($1, '\\', '\\\\'), '(\p{Punct})', '\\\\$1');
|
||||
}
|
||||
|
||||
# credential_add("host", "port", "user, "pass", "type")
|
||||
sub credential_add {
|
||||
cmd_safe("creds -a $1 -p $2 -t $5 -u $3 -P $4");
|
||||
cmd_safe("creds -a $1 -p $2 -t $5 -u $3 -P " . _fix_pass($4));
|
||||
}
|
||||
|
||||
# credential_delete("host", port, "user", "pass");
|
||||
sub credential_delete {
|
||||
cmd_safe("creds -a $1 -p $2 -u $3 -P $4 -d");
|
||||
cmd_safe("creds -a $1 -p $2 -u $3 -P " . _fix_pass($4) . " -d");
|
||||
}
|
||||
|
||||
sub credential_list {
|
||||
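Review bot: `_fix_pass` is applied only to `$4`, so in `credential_add` and `credential_delete` the host, port, user and type arguments still reach `cmd_safe` unescaped; a user name containing punctuation or a space would presumably break the `creds` command the same way the password used to. `\p{Punct}` does not cover whitespace either, so a password with a space in it is likely still split into two console arguments. The same gap applies to the `creds -a` and `creds -d` strings built with `$user` and `$host` in the later credentials hunks of this commit. The helper has no comment; something like `# backslash-escape punctuation so the console parser keeps the password as one token` would state its intent. It is also identical to the `fixPass` added elsewhere in this commit, so a single shared definition, if the two script environments allow it, would keep the copies from drifting.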
|
|
|
@ -59,6 +59,9 @@ sub showHost {
|
|||
else if ("*XP*" iswm $match || "*2003*" iswm $match || "*.NET*" iswm $match) {
|
||||
push(@overlay, 'resources/windowsxp.png');
|
||||
}
|
||||
else if ("*8*" iswm $match) {
|
||||
push(@overlay, 'resources/windows8.png');
|
||||
}
|
||||
else {
|
||||
push(@overlay, 'resources/windows7.png');
|
||||
}
|
||||
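Review bot: The new `"*8*" iswm $match` test matches any string that contains the digit 8, not only Windows 8. If `$match` can hold a value such as "2008" or "98" and no earlier branch outside this hunk catches it, those hosts would now get `windows8.png` instead of falling through to the `windows7.png` default. A narrower test, for example `else if ($match eq "8" || "*Windows 8*" iswm $match) {`, would avoid that; the exact pattern depends on what `$match` contains, which is set outside the hunk.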
|
|
|
@ -22,7 +22,7 @@ setMissPolicy(%results2, { return @(); });
|
|||
# %exploits is populated in menus.sl when the client-side attacks menu is constructed
|
||||
|
||||
# a list of exploits that should always use a reverse shell... this list needs to grow.
|
||||
@always_reverse = @("multi/samba/usermap_script", "unix/misc/distcc_exec", "windows/http/xampp_webdav_upload_php");
|
||||
@always_reverse = @("multi/samba/usermap_script", "unix/misc/distcc_exec", "windows/http/xampp_webdav_upload_php", "windows/postgres/postgres_payload", "linux/postgres/postgres_payload");
|
||||
|
||||
#
|
||||
# generate menus for a given OS
|
||||
|
@ -599,26 +599,28 @@ sub host_attack_items {
|
|||
}
|
||||
}
|
||||
|
||||
local('$service $name @options $a $port $foo');
|
||||
local('$name %options $a $port $host $service');
|
||||
%options = ohash();
|
||||
|
||||
foreach $port => $service (%hosts[$2[0]]['services']) {
|
||||
foreach $host ($2) {
|
||||
foreach $port => $service (%hosts[$host]['services']) {
|
||||
$name = $service['name'];
|
||||
if ($port == 445 && "*Windows*" iswm getHostOS($2[0])) {
|
||||
push(@options, @("psexec", lambda(&pass_the_hash, $hosts => $2)));
|
||||
if ($port == 445 && "*Windows*" iswm getHostOS($host)) {
|
||||
%options["psexec"] = lambda(&pass_the_hash, $hosts => $2);
|
||||
}
|
||||
else if ("scanner/ $+ $name $+ / $+ $name $+ _login" in @auxiliary) {
|
||||
push(@options, @($name, lambda(&show_login_dialog, \$service, $hosts => $2)));
|
||||
%options[$name] = lambda(&show_login_dialog, \$service, $hosts => $2);
|
||||
}
|
||||
else if ($name eq "microsoft-ds") {
|
||||
push(@options, @("psexec", lambda(&pass_the_hash, $hosts => $2)));
|
||||
%options["psexec"] = lambda(&pass_the_hash, $hosts => $2);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (size(@options) > 0) {
|
||||
if (size(%options) > 0) {
|
||||
$a = menu($1, 'Login', 'L');
|
||||
foreach $service (@options) {
|
||||
($name, $foo) = $service;
|
||||
item($a, $name, $null, $foo);
|
||||
foreach $name (sorta(keys(%options))) {
|
||||
item($a, $name, $null, %options[$name]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -678,6 +680,7 @@ sub addFileListener {
|
|||
$actions["SigningKey"] = $actions["*FILE*"];
|
||||
$actions["Wordlist"] = $actions["*FILE*"];
|
||||
$actions["WORDLIST"] = $actions["*FILE*"];
|
||||
$actions["REXE"] = $actions["*FILE*"];
|
||||
|
||||
# set up an action to choose a session
|
||||
$actions["SESSION"] = lambda(&chooseSession);
|
||||
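Review bot: Keying `%options` by service name in `host_attack_items` means a later host overwrites the entry written by an earlier one, so the `\$service` captured for `show_login_dialog` comes from whichever host was iterated last. If two highlighted hosts run the same service on different ports, the dialog presumably receives only one of those ports while `$hosts => $2` still lists every host. Likewise the `psexec` item is offered for all of `$2` as soon as a single host has port 445 open. A comment on the loop such as `# one entry per service name; the last host seen supplies $service, every highlighted host is passed as $hosts` would document this, and narrowing `$hosts` to the hosts that actually expose the service would be the tighter fix. The function body starts before this hunk.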
|
|
|
@ -52,6 +52,7 @@ sub host_selected_items {
|
|||
item($i, '1. 95/98/2000', '1', setHostValueFunction($2, "os_name", "Micosoft Windows", "os_flavor", "2000"));
|
||||
item($i, '2. XP/2003', '2', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "XP"));
|
||||
item($i, '3. Vista/7', '3', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "Vista"));
|
||||
item($i, '4. 8/RT', '4', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "8"));
|
||||
|
||||
item($h, "Remove Host", 'R', clearHostFunction($2));
|
||||
}
|
||||
|
|
|
@ -41,6 +41,7 @@ import ui.*;
|
|||
|
||||
# strip any funky characters that will cause this call to throw an exception
|
||||
$user = replace($user, '\P{Graph}', "");
|
||||
$hash = fixPass($hash);
|
||||
|
||||
[$queue addCommand: $null, "creds -a $host -p 445 -t smb_hash -u $user -P $hash"];
|
||||
}
|
||||
|
@ -106,6 +107,7 @@ sub createCredentialsTab {
|
|||
$queue = [new armitage.ConsoleQueue: $client];
|
||||
foreach $entry ($entries) {
|
||||
($user, $pass, $host) = $entry;
|
||||
$pass = fixPass($pass);
|
||||
[$queue addCommand: $null, "creds -d $host -u $user -P $pass"];
|
||||
}
|
||||
|
||||
|
|
|
@ -114,8 +114,13 @@ sub loadPreferences {
|
|||
|
||||
sub loadDatabasePreferences {
|
||||
if ($yaml_file eq "" || !-exists $yaml_file) {
|
||||
if (thisIsTheirCommercialStuff()) {
|
||||
$yaml_file = getFileProper($BASE_DIRECTORY, "ui", "config", "database.yml");
|
||||
}
|
||||
else {
|
||||
$yaml_file = getFileProper($BASE_DIRECTORY, "config", "database.yml");
|
||||
}
|
||||
}
|
||||
|
||||
if (!-exists $yaml_file) {
|
||||
throw [new RuntimeException: "I can not find a database.yml file. I *really* need it.\nTry setting MSF_DATABASE_CONFIG to a file that exists."];
|
||||
|
@ -340,6 +345,7 @@ sub createPreferencesTab {
|
|||
sub setupBaseDirectory {
|
||||
local('%o');
|
||||
%o = call($client, "module.options", "post", "multi/gather/dns_bruteforce");
|
||||
|
||||
if ("NAMELIST" in %o && "default" in %o["NAMELIST"]) {
|
||||
$BASE_DIRECTORY = getFileParent(getFileParent(getFileParent(getFileParent(%o["NAMELIST"]["default"]))));
|
||||
$DATA_DIRECTORY = getFileParent(getFileParent(%o["NAMELIST"]["default"]));
|
||||
|
@ -385,3 +391,8 @@ sub dataDirectory {
|
|||
|
||||
return $f;
|
||||
}
|
||||
|
||||
sub thisIsTheirCommercialStuff {
|
||||
# check if we're living in a Metasploit 4.5+ installer environment.
|
||||
return iff("*app*pro*" iswm $BASE_DIRECTORY);
|
||||
}
|
||||
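Review bot: `thisIsTheirCommercialStuff` decides which `database.yml` gets loaded from a loose glob on the path, `"*app*pro*" iswm $BASE_DIRECTORY`, which also matches unrelated directories, for instance any path where `apps` is later followed by `projects`. The `startMetasploit` hunk in this commit uses an existence test instead, `-exists getFileProper($msfdir, "apps", "pro", "msf3")`. The same approach would be more reliable here: check `-exists getFileProper($BASE_DIRECTORY, "ui", "config", "database.yml")` and fall back to the `config` path otherwise. Since this file typically carries the database connection settings, a wrong guess is better reported by the existing "can not find" exception than resolved by name matching. A one-line comment on the sub stating which directory layout it detects would also help.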
|
|
|
@ -294,6 +294,11 @@ sub startMetasploit {
|
|||
[System exit: 0];
|
||||
}
|
||||
|
||||
# if the user chooses c:\metasploit AND we're in the 4.5 environment... adjust
|
||||
if (-exists getFileProper($msfdir, "apps", "pro", "msf3")) {
|
||||
$msfdir = getFileProper($msfdir, "apps", "pro");
|
||||
}
|
||||
|
||||
if (charAt($msfdir, -1) ne "\\") {
|
||||
$msfdir = "$msfdir $+ \\";
|
||||
}
|
||||
|
@ -472,6 +477,15 @@ sub _module_execute {
|
|||
$host = "all";
|
||||
}
|
||||
|
||||
# fix SMBPass and PASSWORD options if necessary...
|
||||
if ("PASSWORD" in $3) {
|
||||
$3['PASSWORD'] = fixPass($3['PASSWORD']);
|
||||
}
|
||||
|
||||
if ("SMBPass" in $3) {
|
||||
$3['SMBPass'] = fixPass($3['SMBPass']);
|
||||
}
|
||||
|
||||
# okie then, let's create a console and execute all of this stuff...
|
||||
|
||||
local('$queue $key $value');
|
||||
|
@ -607,3 +621,8 @@ sub initConsolePool {
|
|||
[$client addHook: "console.release", $pool];
|
||||
[$client addHook: "console.release_and_destroy", $pool];
|
||||
}
|
||||
|
||||
sub fixPass {
|
||||
return replace(strrep($1, '\\', '\\\\'), '(\p{Punct})', '\\\\$1');
|
||||
}
|
||||
|
||||
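Review bot: The `PASSWORD` and `SMBPass` fix-up in `_module_execute` writes the escaped value back into `$3`, which appears to be the option hash the caller passed in. If a caller reuses that hash for a second launch, or has already escaped the value (the credentials code in this commit calls `fixPass` itself), the password would be escaped twice and no longer match. Escaping into a local copy of the options, or at least a comment such as `# NOTE: modifies the caller's option hash in place; pass unescaped passwords only`, would make the contract explicit. Only these two option names are handled, so modules that take a password under a different option name are presumably not covered by the fix. `_module_execute` starts and ends outside the hunk.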
|
|
|
@ -428,13 +428,6 @@ public class Cortana implements Loadable, RuntimeWarningWatcher {
|
|||
|
||||
/* start the timer thread */
|
||||
new cortana.support.Heartbeat(events).start();
|
||||
|
||||
/* regularly communicate with Metasploit or else our connection will drop */
|
||||
new ArmitageTimer(client, "core.version", 200 * 1000L, new ArmitageTimerClient() {
|
||||
public boolean result(String command, Object[] arguments, Map results) {
|
||||
return true;
|
||||
}
|
||||
}, false);
|
||||
}
|
||||
started = true;
|
||||
}
|
||||
|
|
|
@ -25,6 +25,7 @@ public class ATable extends JTable {
|
|||
specialitems.add("SigningCert");
|
||||
specialitems.add("WORDLIST");
|
||||
specialitems.add("SESSION");
|
||||
specialitems.add("REXE");
|
||||
|
||||
return new TableCellRenderer() {
|
||||
public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int column) {
|
||||
|
|
|
@ -1,6 +1,24 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
4 Jan 13 (tested against msf 16252)
|
||||
--------
|
||||
- Added a helper to set REXE option
|
||||
- Added an icon to represent Windows 8
|
||||
- [host] -> Login menu is now built using open services for all
|
||||
highlighted hosts, not just the first one.
|
||||
- [host] -> Login items now escape punctuation characters in passwords
|
||||
before passing them to a framework module.
|
||||
- Added the windows and linux postgres_payload exploits to the use a
|
||||
reverse payload by default list.
|
||||
- Small tweak to allow Armitage to work with Metasploit 4.5 installed
|
||||
environment on Windows.
|
||||
|
||||
Cortana Updates (for scripters)
|
||||
--------
|
||||
- &credential_add and &credential_delete no longer break when a
|
||||
password has creative punctuation in it.
|
||||
|
||||
26 Nov 12 (tested against msf 16114)
|
||||
---------
|
||||
- Windows command shell tab is now friendlier to commands that prompt
|
||||
|
|