diff --git a/data/armitage/armitage.jar b/data/armitage/armitage.jar
index 0df335a4ea..f6483f1b0c 100755
Binary files a/data/armitage/armitage.jar and b/data/armitage/armitage.jar differ
diff --git a/data/armitage/cortana.jar b/data/armitage/cortana.jar
index bce28a0baa..c20bff8ab0 100644
Binary files a/data/armitage/cortana.jar and b/data/armitage/cortana.jar differ
diff --git a/data/armitage/whatsnew.txt b/data/armitage/whatsnew.txt
index 100cc74dec..be0f15ec5c 100755
--- a/data/armitage/whatsnew.txt
+++ b/data/armitage/whatsnew.txt
@@ -1,6 +1,23 @@
 Armitage Changelog
 ==================
 
+16 Oct 12 (tested against msf 15972)
+---------
+- Added port 5985 to MSF Scans list.
+- Meterpreter -> Access -> Persistence sets ACTION option for you
+- Changed how LHOST and LPORT are set globally to prevent Ruby
+ character encoding conversion error in the framework.
+- Pass Session, Log Keystrokes, and Persist now query module info
+ in a separate thread (avoids a deadlock opportunity)
+- Armitage now shows folder/URL in a popup dialog for environments
+ where JDesktop API to open them directly is not supported
+- Check all credentials option now filters the list to avoid trying
+ a pair of credentials twice.
+- Armitage's exploit payload selection now selects cmd/unix/interact
+ when appropriate.
+- Explore -> Processes now works with Java Meterpreter again.
+- MSF Scans feature now runs http_version against port 443
+
 5 Sept 12 (tested against msf r15804)
 ---------
 - Setup dialog now trims host, port, user, and pass fields.
diff --git a/external/source/armitage/resources/about.html b/external/source/armitage/resources/about.html
index dbc08b694e..59e113fffe 100644
--- a/external/source/armitage/resources/about.html
+++ b/external/source/armitage/resources/about.html
@@ -3,7 +3,7 @@

Armitage 1.44

An attack management tool for Metasploit® -
Release: 5 Sept 12

+
Release: 16 Oct 12


Developed by:

diff --git a/external/source/armitage/scripts/attacks.sl b/external/source/armitage/scripts/attacks.sl
index 8bf11b96ee..16ac3cadff 100644
--- a/external/source/armitage/scripts/attacks.sl
+++ b/external/source/armitage/scripts/attacks.sl
@@ -349,6 +349,9 @@ sub best_payload {
 else if ("java/jsp_shell_bind_tcp" in $compatible) {
 return "java/jsp_shell_bind_tcp";
 }
+ else if ("cmd/unix/interact" in $compatible) {
+ return "cmd/unix/interact";
+ }
 else {
 return "generic/shell_bind_tcp";
 }
diff --git a/external/source/armitage/scripts/gui.sl b/external/source/armitage/scripts/gui.sl
index 009e5ea432..da5f974c10 100644
--- a/external/source/armitage/scripts/gui.sl
+++ b/external/source/armitage/scripts/gui.sl
@@ -475,7 +475,12 @@ sub gotoFile {
 return lambda({
 local('$exception');
 try {
- [[Desktop getDesktop] open: $f];
+ if ([Desktop isDesktopSupported]) {
+ [[Desktop getDesktop] open: $f];
+ }
+ else {
+ ask("Browse to this file:", $f);
+ }
 }
 catch $exception {
 showError("Could not open $f $+ \n $+ $exception");
diff --git a/external/source/armitage/scripts/jobs.sl b/external/source/armitage/scripts/jobs.sl
index e0853eb933..fc30868be7 100644
--- a/external/source/armitage/scripts/jobs.sl
+++ b/external/source/armitage/scripts/jobs.sl
@@ -356,6 +356,16 @@ sub _launch_dialog {
 if (!isShift($1)) {
 [$dialog setVisible: 0];
 }
+
+ # fix some module options...
+ if ($command eq "windows/manage/persistence") {
+ if ('REXE' in $options) {
+ $options['ACTION'] = 'REXE';
+ }
+ else {
+ $options['ACTION'] = 'TEMPLATE';
+ }
+ }
 
 # it's go time buddy... time to filter some stuff...
 ($type, $command, $options) = filter_data("user_launch", $type, $command, $options);
diff --git a/external/source/armitage/scripts/menus.sl b/external/source/armitage/scripts/menus.sl
index be2e78c1f2..ad80e5ca35 100644
--- a/external/source/armitage/scripts/menus.sl
+++ b/external/source/armitage/scripts/menus.sl
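Review bot: `[Desktop isDesktopSupported]` only says a Desktop instance exists; it does not guarantee the OPEN action is available on that platform, so `[[Desktop getDesktop] open: $f]` can still throw on a headless or partially supported desktop, and the try/catch then routes the user to showError instead of the new `ask("Browse to this file:", $f)` fallback that was meant for exactly that case. The Java API exposes Desktop.isSupported(Desktop.Action.OPEN) (and BROWSE) for this; gating the fallback on that check as well would make the new branch reachable where it matters. The same applies to gotoURL in the menus.sl hunk, whose lambda shows no try/catch at all in the diff, so a thrown UnsupportedOperationException would propagate to the menu caller. gotoFile's lambda body continues past the end of this hunk.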
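Review bot: `if ('REXE' in $options)` tests key presence, not whether a value was supplied, so if the dialog pre-populates REXE with an empty default (not visible here), ACTION would always be forced to REXE. The block also overwrites any ACTION the user set in the dialog; consider `if ('REXE' in $options && $options['REXE'] ne "")` and only assigning ACTION when it is not already present in $options. A comment stating why this module needs ACTION set client-side would help the next reader, since the condition is keyed on one literal module name. _launch_dialog continues outside the hunk on both sides.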
@@ -188,7 +188,12 @@ sub main_attack_items {
 
 sub gotoURL {
 return lambda({
- [[Desktop getDesktop] browse: $url];
+ if ([Desktop isDesktopSupported]) {
+ [[Desktop getDesktop] browse: $url];
+ }
+ else {
+ ask("Browse to this URL:", $url);
+ }
 }, $url => [[new URL: $1] toURI]);
 }
 
diff --git a/external/source/armitage/scripts/meterpreter.sl b/external/source/armitage/scripts/meterpreter.sl
index e961327488..1c9da44636 100644
--- a/external/source/armitage/scripts/meterpreter.sl
+++ b/external/source/armitage/scripts/meterpreter.sl
@@ -191,11 +191,15 @@ sub showMeterpreterMenu {
 }, $sid => "$sid"));
 
 item($j, "Persist", 'P', lambda({
- launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
+ thread(lambda({
+ launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
+ }, \$sid));
 }, $sid => "$sid"));
 
 item($j, "Pass Session", 'S', lambda({
- launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
+ thread(lambda({
+ launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
+ }, \$sid));
 }, $sid => "$sid"));
 
 setupMenu($j, "meterpreter_access", @($sid));
@@ -241,7 +245,9 @@ sub showMeterpreterMenu {
 item($j, "Show Processes", 'P', lambda({ createProcessBrowser($sid); }, $sid => "$sid"));
 if ("*win*" iswm $platform) {
 item($j, "Log Keystrokes", 'K', lambda({
- launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
+ thread(lambda({
+ launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
+ }, \$sid));
 }, $sid => "$sid"));
 }
 
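Review bot: Wrapping `launch_dialog(...)` in `thread(lambda({ ... }, \$sid))` moves the whole call, not just the module-info query, off the Swing event thread; the same pattern is used for Persist and Pass Session here and for Log Keystrokes in the -241 hunk. launch_dialog's body is outside this diff, but if it builds or shows the dialog itself, that UI work now runs on a background thread, which trades the deadlock the changelog mentions for a Swing thread-safety problem. The usual shape is to do only the RPC lookup in the worker and hand dialog construction back to the event thread. At minimum each lambda deserves a comment like `# runs off the UI thread: launch_dialog queries module info over RPC first` so the next maintainer knows which part is meant to be background-safe.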
@@ -305,6 +311,9 @@ sub launch_msf_scans {
 if ('RPORT' in %o) {
 $port = %o['RPORT']['default'];
 push(%ports[$port], $scanner);
+ if ($port == 80) {
+ push(%ports['443'], $scanner);
+ }
 }
 
 safetyCheck();
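Review bot: `push(%ports['443'], $scanner)` copies every scanner whose default RPORT is 80 onto port 443, not only http_version as the changelog states, and the -343 hunk then adds `SSL => "1"` to all of them; if only the version probe was intended, the condition should also test the module name. The key is written as the string `'443'` while the line above indexes with the numeric `$port`; Sleep hash keys are strings, so these presumably coincide, but a literal `443` would make the intent obvious and avoid a reader wondering whether two buckets exist. The enclosing loop starts before this hunk.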
@@ -313,7 +322,7 @@ sub launch_msf_scans { # add these ports to our list of ports to scan.. these come from querying all of Metasploit's modules # for the default ports - foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902)) { + foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902, 5985)) 
{
 $temp = %ports[$port];
 }
 
@@ -343,7 +352,12 @@ sub launch_msf_scans {
 if ($port in %ports) {
 $modules = %ports[$port];
 foreach $module ($modules) {
- push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
+ if ($port == 443) {
+ push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24, SSL => "1")));
+ }
+ else {
+ push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
+ }
 }
 }
 }
diff --git a/external/source/armitage/scripts/passhash.sl b/external/source/armitage/scripts/passhash.sl
index f609d401e3..34bb737cac 100644
--- a/external/source/armitage/scripts/passhash.sl
+++ b/external/source/armitage/scripts/passhash.sl
@@ -297,19 +297,24 @@ sub show_login_dialog {
 }
 
 sub createUserPassFile {
- local('$handle $user $pass $type $row $2 $name');
+ local('$handle $user $pass $type $row $2 $name %entries');
 $name = "userpass" . rand(10000) . ".txt";
 
- $handle = openf("> $+ $name");
+ # loop through our entries and store them
+ %entries = ohash();
 foreach $row ($1) {
 ($user, $pass, $type) = values($row, @("user", "pass", "ptype"));
 if ($type eq "password" || $type eq $2) {
- println($handle, "$user $pass");
+ %entries["$user $pass"] = "$user $pass";
 }
 else {
- println($handle, "$user");
+ %entries[$user] = $user;
 }
 }
+
+ # print out unique entry values
+ $handle = openf("> $+ $name");
+ printAll($handle, values(%entries));
 closef($handle);
 
 if ($client !is $mclient) {
diff --git a/external/source/armitage/scripts/process.sl b/external/source/armitage/scripts/process.sl
index d6baf0ffdb..17dada93fe 100644
--- a/external/source/armitage/scripts/process.sl
+++ b/external/source/armitage/scripts/process.sl
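Review bot: The de-duplicated credential list is still written by `$handle = openf("> $+ $name")` to `"userpass" . rand(10000) . ".txt"` in the current working directory: a predictable name, created with the process's default permissions, and the hunk does not show it being removed once consumed (createUserPassFile continues past the hunk on both sides). Since the file holds usernames paired with passwords or hashes, creating it through a proper temp-file facility with owner-only permissions and deleting it after the module has read it would limit exposure on a shared team server. The new `%entries` approach is sound, but a comment such as `# key on the exact line so identical user/pass pairs are written once` would explain why the value and the key are the same string.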
@@ -27,6 +27,12 @@ sub parseProcessList {
 # REMOVEME--this is a backwards compatability hack.
 @rows = parseTextTable($2, @("PID", "Name", "Arch", "Session", "User", "Path"));
 }
+
+ # this is the format for Java meterpreter
+ if (size(@rows) == 0) {
+ @rows = parseTextTable($2, @("PID", "Name", "Arch", "User", "Path"));
+ }
+
 foreach $row (@rows) {
 [%processes[$1] addEntry: $row];
 }
diff --git a/external/source/armitage/scripts/server.sl b/external/source/armitage/scripts/server.sl
index c35274d887..78f9738dbb 100644
--- a/external/source/armitage/scripts/server.sl
+++ b/external/source/armitage/scripts/server.sl
@@ -355,7 +355,7 @@ sub client {
 
 sub main {
 global('$client $mclient');
- local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle');
+ local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console');
 
 $auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0];
 
@@ -400,9 +400,6 @@ sub main {
 $mclient = $client;
 initConsolePool(); # this needs to happen... right now.
 
- # set the LHOST to whatever the user specified
- call_async($client, "core.setg", "LHOST", $host);
-
 # we need this global to be set so our reverse listeners work as expected.
 $MY_ADDRESS = $host;
 
@@ -423,6 +420,13 @@ sub main {
 $lock_lock = semaphore(1);
 $cach_lock = semaphore(1);
 
+ # set the LHOST to whatever the user specified (use console.write to make the string not UTF-8)
+ $console = createConsole($client);
+ call($client, "console.write", $console, "setg LHOST $host $+ \n");
+ sleep(2000);
+ # absorb the output of this command which is LHOST => ...
+ call($client, "console.read", $console);
+
 #
 # create a thread to push console messages to the event queue for all clients.
 #
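Review bot: `call($client, "console.write", $console, "setg LHOST $host $+ \n")` splices the user-specified host straight into a console command line, so a value containing a newline or other console syntax becomes additional console commands instead of a rejected LHOST; the removed core.setg path passed it as an RPC argument and had no such parsing step. Validating `$host` as an address or hostname (and rejecting whitespace) before the write keeps the console path as safe as the RPC path was. The `sleep(2000)` followed by a single `console.read` is also a timing guess: on a slow msfrpcd the read can return before the `LHOST =>` line is produced, and that output then surfaces in the event thread that the -437 hunk makes share this same `$console`. Looping on console.read until the returned `busy` flag is false (or until the expected text appears) would make the absorb deterministic. main continues outside the hunk.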
@@ -437,7 +441,7 @@ sub main {
 release($poll_lock);
 }
 }
- }, \$client, \$poll_lock, \@events, $console => createConsole($client));
+ }, \$client, \$poll_lock, \@events, \$console);
 
 #
 # Create a shared hash that contains a thread for each session...
diff --git a/external/source/armitage/scripts/util.sl b/external/source/armitage/scripts/util.sl
index c25b4efe1f..d1a64d0c85 100644
--- a/external/source/armitage/scripts/util.sl
+++ b/external/source/armitage/scripts/util.sl
@@ -152,7 +152,10 @@ sub createConsoleTab {
 
 sub setg {
 %MSF_GLOBAL[$1] = $2;
- call_async($client, "core.setg", $1, $2);
+ local('$c');
+ $c = createConsole($client);
+ call_async($client, "console.write", $c, "setg $1 $2 $+ \n");
+ call_async($client, "console.release", $c);
 }
 
 sub createDefaultHandler {
diff --git a/external/source/armitage/src/armitage/ConsoleClient.java b/external/source/armitage/src/armitage/ConsoleClient.java
index e42f870cb9..7937362f1a 100644
--- a/external/source/armitage/src/armitage/ConsoleClient.java
+++ b/external/source/armitage/src/armitage/ConsoleClient.java
@@ -104,6 +104,9 @@ public class ConsoleClient implements Runnable, ActionListener {
 if (destroyCommand != null) {
 ((RpcAsync)connection).execute_async(destroyCommand, new Object[] { session });
 }
+
+ /* we don't need to keep reading from this console */
+ kill();
 }
 
 protected void finalize() {
diff --git a/external/source/armitage/whatsnew.txt b/external/source/armitage/whatsnew.txt
index 100cc74dec..be0f15ec5c 100644
--- a/external/source/armitage/whatsnew.txt
+++ b/external/source/armitage/whatsnew.txt
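Review bot: `"setg $1 $2 $+ \n"` interpolates both the option name and its value, unquoted, into a console command; a value with embedded whitespace or a newline changes the command rather than failing, whereas the removed `core.setg` call carried them as separate RPC arguments. Since this helper is reached with user-entered LHOST/LPORT values (per the changelog), reject newlines and validate the value's shape before the write, e.g. `if ("*\n*" iswm $2) { return; }` ahead of the console.write, and keep the `%MSF_GLOBAL` cache update after the validation so it cannot diverge from what the framework actually holds. Both the write and the release are issued with call_async, so the release reaching msfrpcd before the write is only prevented if the async queue preserves order; a comment stating that assumption, or a synchronous call for the write, would make the dependency explicit.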
@@ -1,6 +1,23 @@
 Armitage Changelog
 ==================
 
+16 Oct 12 (tested against msf 15972)
+---------
+- Added port 5985 to MSF Scans list.
+- Meterpreter -> Access -> Persistence sets ACTION option for you
+- Changed how LHOST and LPORT are set globally to prevent Ruby
+ character encoding conversion error in the framework.
+- Pass Session, Log Keystrokes, and Persist now query module info
+ in a separate thread (avoids a deadlock opportunity)
+- Armitage now shows folder/URL in a popup dialog for environments
+ where JDesktop API to open them directly is not supported
+- Check all credentials option now filters the list to avoid trying
+ a pair of credentials twice.
+- Armitage's exploit payload selection now selects cmd/unix/interact
+ when appropriate.
+- Explore -> Processes now works with Java Meterpreter again.
+- MSF Scans feature now runs http_version against port 443
+
 5 Sept 12 (tested against msf r15804)
 ---------
 - Setup dialog now trims host, port, user, and pass fields.