forked from rsmudge/armitage
-
Notifications
You must be signed in to change notification settings - Fork 6
/
whatsnew.txt
1630 lines (1503 loc) · 83.9 KB
/
whatsnew.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Armitage Changelog
==================
13 Aug 15 (tested against msf git revision: 55ef5dd484)
---------
- Updated MsgPack library and code that uses it.
- Team server now authenticates client before exchanging serialized objects
- Fixed a repaint bug when removing last server button.
- Sped up rendering of graph view on Windows and MacOS X.
- Updated YAML parser and other code to become compatible with Kali 2.0
20 Nov 14 (tested against msf git revision: 55ef5dd484)
---------
- Added helper for SCRIPT option.
- Right-click a tab's X button and use "Send to bottom" or Ctrl+B to
dock a tab to the bottom of the Armitage window. Use Ctrl+E to get
get rid of the docked tab..
- Added more YAML warnings to save heartache for custom installs
- Database layer now uses core.version results to decide which MSF
data model to use.
- File tab completion (Cortana console) better handles ~
- team server startup verifies default host is an IPv4 address.
- Prompt for default address is now more aggressive and continues to
ask until an address is put in. If a user hit cancel on this dialog,
threads to poll the database never get started. Bad day, for sure.
- Armitage now sends a keep-alive every 1-2mins over an idle team
server connection to combat disconnection by a NAT device
- Armitage client now shows Disconnect message when it loses any of
its connections to the team server.
Cortana Updates (for scripters)
--------
- &credential_add, &credential_delete use Metasploit 4.10 conventions
- name field for hosts is now available.
18 Aug 14 (tested against msf git revision: 55ef5dd484)
---------
- Added hard-coded database.yml path as fallback for Kali users
- Updated internal db.creds/db.creds2 calls to pull from new creds
model in database.
- [meterpreter] -> Access -> Dump Hashes -> wdigest uses sso post
module now. New creds model makes this better.
- Added Import option to View -> Credentials dialog.
15 Jul 14 (tested against msf git revision: 55ef5dd484)
---------
- Command Shell experience on Windows Meterpreter is much better now
- Java Meterpreter may now interact with a bash shell
- Removed [host] -> Meterpreter -> Access -> Migrate Now! menu item
- Ctrl+Escape temporarily drops the timeout times for Meterpreter
commands to 5s, across the board. If a Meterpreter session appears
unresponsive, try this to force any hung commands to timeout
- Armitage now warns when a team server is non-responsive by making
its server button purple. When the server is responsive again, the
button will turn its normal color again. This requires that you're
connected to multiple team servers.
- Windows EXE launcher for Armitage now finds 64-bit Java.
15 May 14 (tested against msf git revision: 0a4c10876d)
---------
- Worked around invisible text selection bug with latest Java on Kali
23 Apr 14 (tested against msf git revision: 0a4c10876d)
---------
- Added Ctrl+L to quickly add an entry to timeline.[xml|tsv] (exported
through View -> Reporting -> Export Data)
- Added osx-app to Output: type for payloads. Outputs a zipped MacOS X
app archive.
- Scrubbed Armitage to eliminate unnecessary blocking calls from Sleep
source code. This improves Armitage's responsiveness and takes away
many opportunities for deadlock.
- Sync Files for Loot and Downloads is now much better with large files
- REJOICE! After more than three years of a team server capability,
Armitage now tells you when you are disconnected from a server.
- Keyboard shortcuts to change text size now work in table view
- Added Copy button to View -> Creds
- Services tab right-click menu now has options to edit a service's info
- Updated Armitage's YAML parser to better deal with unexpected whitespace
and to provide better errors when YAML file contains constructs that
Armitage's YAML parser can't deal with.
- Armitage's intercept of the shell command now intercepts shell when
arguments are present too. This prevents meterp sessions from getting
messed up.
- Logging now deals with IPv6 addresses better for Windows users
- Launching psexec at 4+ hosts will no longer open a tab for each host
- Armitage no longer allows two buttons with the same name in its team
server button bar.
Cortana Updates (for scripters)
--------
- Added &script_load to load a script (as if the user did this)
- Added &script_unload to unload a script
27 Feb 14 (tested against msf git revision: 72da8299a5)
---------
- Armitage console is now a mouse hot spot. Right-click a host in the
console to see its menu. Click a module to open the module's launcher
- Armitage module launch console ignores false meterpreter prompt from
msfrpcd after a successful exploit job is run.
- hashdump and wdigest menus now add usernames with spaces to database
thanks to Steve Pinkham for reporting this issue *with* a fix.
- Added [host] -> Login -> psexec (psh) to use psexec_psh to authenticate
to a host.
- Armitage.app for MacOS X now works with Oracle's Java 1.7
- Long awaited! I've added a feature to change LHOST in Armitage. Go to
Armitage -> Listeners -> Set LHOST.
- IPv6 reverse sessions now associate with their host properly.
- Windows open with Ctrl+W now show the Armitage icon
- Armitage now uses a JFrame to display its dialogs. This will give each
window its own button in the taskbar regardless of window manager.
21 Nov 13 (tested against msf git revision: 597eb56dcf)
---------
- Fixed webcam selection logic that I broke last update. Go me!
- Added a helper for PATH option
- Java 1.6 is no longer a supported environment to run Armitage. Added
a warning message to indicate as much. You should update to Java 1.7
- Connect dialog now masks the password field.
- Armitage no longer allows you to start msfrpcd on Windows. It shows an
error stating that you need to connect to a team server on Linux.
- Fixed a potential deadlock when opening a module launcher dialog.
- Missing MSF_DATABASE_CONFIG error now gives troubleshooting steps with
the error message.
- Added another check to detect and correct a corrupt module cache.
- [host] -> Operating System -> Firewall works again.
- You can now set PAYLOAD for windows/local/wmi exploit
- Default meterpreter/reverse_tcp listener now encodes its second stage
21 Aug 13 (tested against msf git revision: 0af2f1c611)
---------
- Removed sunrpc and dcerpc modules from MSF Scans feature
- Fixed a potential deadlock when updating the host display
- Updated multiplexing code to be compatible with enumdesktops command
- Updated multiplexing code to be compatible with webcam_list command
- You may now choose which camera to take a Webcam Shot from
- Close button now shows w/ Armitage dialogs on Kali Linux.
- Module Launcher dialog is now always active when opened.
- EXE::Custom is no longer treated as an advanced option. When available
it's always present for you to modify in a module.
- Meterpreter -> Access -> Persistence now uses the local exploit module
(default settings now work without tweaks too)
- Meterpreter -> Access -> Pass Session and Process -> Inject now use the
payload_inject local exploit module.
- Added Meterpreter -> Access -> Dump Hashes -> wdigest to run mimikatz's
wdigest command, to retrieve plaintext creds.
- Armitage now uses a better method to shuttle files to team server and
notify you of the progress of this action.
- Made multiplexing code smarter about load and use commands.
- Added a check to detect commercial MSF modules in the module cache and
to automatically clear it. When this happens you will need to restart the
Metasploit Framework. A corrupt cache causes some RPC calls to throw
errors as plain msfrpcd is not allowed to interact with commercial modules.
- Added ANSI color markup to armitage's console output. It's less scary
than the default messages and it's nicer to look at.
- Added cmd/unix/reverse to payload selection logic.
- Updated the payload output formats to match what's now possible in MSF
- Armitage -> Listeners actions now show commands/output in a tab
- [host] -> Login options now set DB_ALL_CREDS to false. Making this option
default to true is not the decision I would have made.
6 Jun 13 (tested against msf git revision: c705928052)
--------
- Attacks -> Hail Mary now asks you to confirm the action.
- Fixed a potential table sorting issue
- Changed how some tables are updated to minimize blocking of other
tasks. This should make UI feel snappier in many cases.
- Credential helper now shows credentials from all servers you're
connected to.
- Updated multiplexing code to be compatible with mimikatz extension's
output scheme.
- Meterpreter upload command (with no arguments) now prompts for a file.
This file will be bounced to team server (if one is present) and
uploaded to the target for you.
- Cred tables no longer show SSH keys
- Added vmauthd to the Login menu
- Increased the number of modules run in response to services found during
a sweep with the MSF Scans feature.
- Attack menu attached to host now splits menus up if there are more than
10 items. This will help with the webapp and http menus.
- Added a menu to mark a host as a firewall
- Added a type-fix hack for MsgPack Long types
Cortana Updates (for scripters)
--------
- Updated &log_resource to account for new log folder layout scheme that
involves a description of the current Armitage server
- Fixed a potential argument corruption bug with filters
10 Apr 13 (tested against msf ca43900a7)
---------
- Jobs dialog now queries job info in a separate thread context,
stopping it from locking up your Armitage instance.
- Fixed console queue display bug when a required option has no setting
- Hashdump -> lsass method now pops open a Meterpreter tab and shows
its progress. Should help when there's a lot of hashes coming back.
- Hail Mary attack now gives better feedback about what it's doing
- Fixed blank line showing when a host label exists and a session w/o
any information is associated with the host.
- The correct OS icon is now shown for Windows 2012 Server.
- Added an Inject button to the Process Explorer
- Event log now shows date with timestamp
- Messages to your nick in the event log are now highlighted
- Disabled the display of the MSF banner by default.
Cortana Updates (for scripters)
--------
- Added work-around to prevent &psexec failing due to Ruby complaining
about incompatible encodings.
6 Mar 13 (tested against msf ca43900a7)
--------
- Active console now gets higher priority when polling msf for output
- Improved team server responsiveness in high latency situations by
creating additional connections to server to balance messages over
- Preferences are now shared among each Armitage connection.
6 Mar 13 (2000h)
--------
- Fixed issue with additional team server connections reporting wrong
application and receiving a summary rejection by the team server.
Cortana Updates (for scripters)
--------
- Added a &publish, &query, &subscribe API to allow inter-script
communication across the team server.
- Added &table_update to set the contents of a table tab without
disturbing the highlighted rows.
- Added an exec_error event. Fired when &m_exec or &m_exec_local fail
due to an error reported by meterpreter.
- Fixed a bug that sometimes caused session_sync to fire twice (boo!)
- Added a 60s timeout to &s_cmd commands. Cortana will give a shell
command 60s to execute. If it doesn't finish in that time, Cortana
will release the lock on the shell so the user can control it.
(ideally, this shouldn't happen... this is a safety mechanism)
- Changed Meterpreter command timeout to 2m from 12s. This is because
https meterpreter might not checkin for up to 60s, if it's been
idle for a long time. This will make &m_cmd less likely to timeout
12 Feb 13 (tested against msf 16438)
---------
- Fixed a corner case preventing the display of removed host labels
when connected to a team server.
- Fixed RPC call cache corruption in team server mode. This bug could
lead to some exploits defaulting to a shell payload when meterpreter
was a possibility.
- Slight optimization to some DB queries. I no longer pull unused
fields making the query marginally faster. Team server is more
efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels too.
- Added the ability to manage multiple team server instances through
Armitage. Go to Armitage -> New Connection to connect to another
server. A button bar will appear that allows you to switch active
Armitage connections.
- Credentials available across instances are pooled when using
the [host] -> Login menu and the credential helper.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log. I feel like I'm writing
an IRC client again.
- Hosts -> Clear Database now asks you to confirm the action.
- Hosts -> Import Hosts announces successful import to event log again.
23 Jan 13 (tested against msf 16351)
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
in table view or below all info in graph view. Any team member may
change a label through [host] -> host -> Set Label. You may also use
dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Armitage to 'localhost' and
not '127.0.0.1'.
- Screenshots and Webcam shots are now centered in their tab.
- Added an alternate .bat file to start msfrpcd on Windows in the
Metasploit 4.5 installer's environment.
- Added a color-style for [!] warning messages
Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana now avoids use of core.setg
4 Jan 13 (tested against msf 16252)
--------
- Added a helper to set REXE option
- Added an icon to represent Windows 8
- [host] -> Login menu is now built using open services for all
highlighted hosts, not just the first one.
- [host] -> Login items now escape punctuation characters in passwords
before passing them to a framework module.
- Added the windows and linux postgres_payload exploits to the use a
reverse payload by default list.
- Small tweak to allow Armitage to work with Metasploit 4.5 installed
environment on Windows.
Cortana Updates (for scripters)
--------
- &credential_add and &credential_delete no longer break when a
password has creative punctuation in it.
26 Nov 12 (tested against msf 16114)
---------
- Windows command shell tab is now friendlier to commands that prompt
for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Armitage now asks Metasploit for a non-expiring authentication token.
This will prevent Armitage from losing its access to msfrpcd when you
put your computer to sleep or pause the VM running Metasploit.
- add_user and add_[local]group_user now show all of their output when
the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
Cortana Updates (for scripters)
--------
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
file when connected to a teamserver.
16 Oct 12 (tested against msf 15972)
---------
- Added port 5985 to MSF Scans list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby
character encoding conversion error in the framework.
- Pass Session, Log Keystrokes, and Persist now query module info
in a separate thread (avoids a deadlock opportunity)
- Armitage now shows folder/URL in a popup dialog for environments
where JDesktop API to open them directly is not supported
- Check all credentials option now filters the list to avoid trying
a pair of credentials twice.
- Armitage's exploit payload selection now selects cmd/unix/interact
when appropriate.
- Explore -> Processes now works with Java Meterpreter again.
- MSF Scans feature now runs http_version against port 443
5 Sept 12 (tested against msf r15804)
---------
- Setup dialog now trims host, port, user, and pass fields.
- Armitage now complains when it can't write to your preferences
file (versus just hanging without a real error message)
- View -> Jobs now queries jobs in a thread outside of UI thread
- Tab completion now uses a separate thread to call into the RPC
server. This prevents a deadlock if server is not responding.
- Login -> psexec now shows when 445 is open on a Windows machine.
The old criteria was too restrictive.
- Added a helper to set Wordlist option
- Armitage now sets a random LPORT for non-exploit modules with an
LPORT option (e.g., post modules that do priv escalation)
- Armitage now shows an error if it can't open a Win command shell
- Steal Token dialog now uses incognito module to get token data
instead of the MSF post module. This is more reliable.
- You may now setup the reverse payload for current_user_psexec
Cortana Updates (for scripters)
--------
- added an eventlog popup hook
16 Aug 12 (tested against msf r15753)
----------
- Dynamic workspaces now removes closed services from its set of
hosts matching certain open ports.
- Cortana console now reports a clear error message a built-in
command is executed without the right number of arguments.
- Added host icons for Android and iOS. You may now set these
operating systems by going to [host] -> Host -> Operating System
- Armitage now shows the client-side exploit dialog for any exploit
that does not target an RHOST (for example, windows/smb/smb_relay)
- Added support for remote exploits that use RHOSTS over RHOST
(this includes the new windows/local/current_user_psexec)
- Added a helper for setting the SESSION option
Cortana Updates (for scripters)
--------
- s_cmd no longer times out after 60s. It will wait forever for
a command to complete now.
- added shell_read event which fires when a shell s_cmd comes
back with intermediate output.
- fixed a potential deadlock with &open_console_tab
- scripts now have the ability to redefine the max size of a
workspace: db_workspace(%(size => #####));
2 Aug 12 (tested again msf r15698)
--------
- Armitage now reports vulnerability module and descriptions
properly (again) when exporting data. Had to update to match a
change to the db schema.
- Pass-the-Hash and Login dialogs now stay open if you press
shift while clicking Launch. This convention is pretty universal
to Armitage.
- Team server now buffers all of its outgoing data. I've also
disabled SO_NODELAY. This will greatly improve team server latency
on congested networks without impacting responsiveness otherwise.
- Added Cortana, a DARPA funded scripting technology, into Armitage.
There's a lot of fun to be had here.
- Armitage now queues messages to destroy a console rather than
spinning up a new thread for each closed console.
- Rendering of icons for hosts now happens outside of UI thread.
- Increased timeout for meterpreter read command
- Armitage now detects a corrupt module cache and attempts to clear
it so it can be rebuilt.
5 Jul 12
--------
- Login -> psexec now sets a different LPORT for each host it's
launched against when using a reverse payload. Fixes a bug where
using a reverse connect payload against X hosts didn't work.
- Progressbar Cancel button now works with the Sync Files button
in View -> Downloads and View -> Loot
- Fixed a potential deadlock with the Sync Files feature
- Clicking the Size column in View -> Downloads now sorts properly
24 Jun 12
---------
- Meterpreter -> Kill now uses session.stop RPC call
- Simplified code to stop a running job
- Added an option to disable TCP_NODELAY from the comamnd line:
java -Darmitage.enable_nagle=true -jar armitage.jar
Use this if you see "bad mac" SSL errors when connected to a
team server.
- Log Keystrokes tab now changes color when there is activity
- Randomized filename for USERPASS_FILE to allow multiple brute
forces to happen at once.
- Added a View item in the File Browser's popup menu. This will
let you quickly read several highlighted text files (it also
saves the files to the right place locally too)
7 Jun 12 - Adding on to those quick bug fixes / tweaks
--------
- Disabled Nagles algorithm for team server and client SSL sockets.
This makes team server much more responsive... trust me.
- Fixed bug preventing Armitage from showing "Started Service"
message when starting the SOCKS Proxy server.
- Fixed a find feature highlight bug in the View tab.
30 May 12 - A few quick bug fixes / tweaks...
---------
- Fixed an exception when killing a session or removing a route
through the UI.
- Oooh, ps command added a new column to its output. Updated ps
parser to handle this.
- Hosts -> Import Hosts now works under Windows again. Had to
escape the filename. *sigh*
- Hail Mary now sets LHOST option. This is necessary for some
attacks to work properly.
- Tweaked console create code in beginning of Armitage setup to
hopefully avoid aggravating the evil console.create deadlock
condition.
21 May 12
---------
- Added a hack to prevent the input area from flickering when the
prompt changes.
- Updated the color palette to something a little more subtle.
- Added an optimization to how modules are launched. This will make
a difference for team use in high latency situations.
- Rewrote MSF Scans feature to use console queue. This option is more
reliable and it makes the code easier to follow.
- Added a hack to combine chat message writes with a read request.
This will make the event log more responsive in a high latency
situation (can't you tell I care about this "situation")
- Fixed text highlights through Ctrl+F on Windows. UNIX platforms
were always OK. Another good reason to not use these tools on
Windows. Ever.
- View -> Downloads Sync Files feature now works on Windows. It looks
like leaving those pesky :'s in the file paths is bad.
17 May 12
---------
- Fixed bug with loot/download viewer breaking with a font resize.
- Default console font color is now grey. I never noticed that I had
white text on a black background before. That's a lot of contrast.
This is adjustable too through Armitage -> Preferences.
- And... the Armitage console now displays pretty colors. If you don't
like colors, set the console.show_colors.boolean preference to false
through Armitage -> Preferences.
- Fixed a bug preventing input field from getting focus when popping a
console tab using Ctrl+W.
14 May 12
---------
- Oopserific--dynamic workspace shortcuts were not bound until you
clicked the Workspaces menu. I fixed that.
- Improved console pool's ability to detect a dead console. If you saw
"null" prompts in an open tab, it's because of a dead console. Fixed
- Bound Ctrl+Backspace to reset dynamic workspaces. Ctrl+0 is now back
to what it originally did (resetting the font size to default).
- Added Ctrl+T to take a screenshot of the active tab
- Added Ctrl+W to pop the active tab into its own window
- Armitage team server is now SSL enabled. The teamserver script (you
are using it, right?) generates a certificate for you using keytool.
The server presents the SHA1 hash of its certificate. Armitage users
have the opportunity to verify and trust the hash of the certificate
presented to them or to reject it and not connect.
- Added Ctrl+Left / Ctrl+Right to quickly navigate through tabs.
- Added a check to prevent clients from connecting to msfrpcd directly
when teaming is enabled.
- Fixed a bug that prevented command shells from opening on some sessions
- Team server client now caches certain calls to RPC server.
- Reworked the Loot/Downloads View button. Now, all highlighted files are
displayed in one View tab. This makes searching easier. Each file is
displayed with a colored header (to make it easier to tell when one file
ends and the other begins).
- Added Sync Files button to Loot/Downloads tabs when connected to a team
server. This button will download all files associated with the highlighted
rows and save them in the Armitage data directory.
7 May 12
--------
Note: Armitage team server setup has changed. Refer to the manual for
the latest information: http://www.fastandeasyhacking.com/manual#7
- Armitage team mode now routes all Metasploit-bound calls through the
deconfliction server. Armitage also pools "temporary" Metasploit
consoles. It's too bad this is logged as one change, because it's
more like twenty. These changes were motivated by a desire to avoid
triggering a race condition that was introduced w/ Metasploit 4.3.0.
http://dev.metasploit.com/redmine/issues/6829
On the bright side these changes will allow a lot more flexibility
to optimize how Armitage interacts with msfrpcd and to do some neat
things (like logging) in a centralized way.
- Module description (in module launch dialog) is now resizable.
- Added Ctrl+D keyboard shortcut to close active tab.
- Armitage now uses (more robust) console queue for launching post
modules, handlers, brute force attacks, and other things.
- Fixed a race condition in the Jobs tab refresh after killing a job
- Armitage now filters smb hashes from non-psexec/smb login dialogs.
- Added armitage.log_data_here.folder setting. This setting lets you
specify where Armitage will save its logs, downloaded files, and
screenshots. *cough* Some penetration testers like to dump everything
to an encrypted volume. *cough*. I apologize it took this long to
get this feature in place.
- Improved perceived responsiveness of a console interaction
17 Apr 12
---------
- Modified how Armitage determines a console command is complete to stay
compat with behavior changes in a recent Metasploit update.
- Armitage now queues console commands to prevent out of order execution.
16 Apr 12
---------
- The search field in the module browser now updates results in real time.
Start typing and Armitage will start filtering the module tree for you.
Clear the field to reset it to the default state.
- Added keyboard shortcuts to switch dynamic workspaces...
Ctrl+1 = first workspace
Ctrl+2 = second workspace
....
Ctrl+0 = show all
- Added keyboard shortcuts:
Ctrl+N = new console
Ctrl+O = open preferences
- Armitage's Meterpreter -> Access -> Dump Hashes -> lsass method is now
much better about grabbing all of the hashdump output and adding it to
the creds table. The hashdump command returns output as an arbitrary
number of chunks. I now use a different read strategy for determining when
the output is complete.
- You may now use Ctrl+Alt to deselect highlighted items in a range in the
Jobs and Workspaces table views (most other table views that do multi
selection should allow this already).
- Added Shell -> Pass Session for *NIX shell sessions. Uses the system_session
module to pass a shell session elsewhere (or duplicate the current shell)
29 Mar 12
---------
- Fixed a bug that affects first-time users. Armitage was not initializing a
console before trying to connect to the database.
28 Mar 12
---------
- Team server now delivers chat messages in batches vs. one line at a time.
This will make syncing on reconnect much better (in theory)
- Several optimizations to prevent unnecessary reads/calls to deconfliction
server when in team mode. This will primarily affect high latency situations.
- Use Shift+Click to close all tabs with the same name. This feature now closes
all tabs in the same group (e.g., all screenshots, file browsers, command
shells, etc.)
- Armitage now logs launches of the enum_dns module.
- Hosts -> DNS Enumerate now populates NS field with highlighted host.
- Armitage now adds a tooltip to tabs associated with a session. Hover your
mouse over a tab X button to see which host the tab is associated with.
- Fixed a potential exception caused when listing downloads.
- Created a queue to process certain commands meant for Metasploit in order and
in a throttled manner. Started moving some Armitage calls to it. Now you can
fire an exploit at 1,000 hosts and Armitage won't blink. It might take awhile
before that exploit finishes firing against all of the hosts though :)
- The file browser now has a "List Drives" button. It's only available on
Windows sessions. Click it to see which drives are available.
- File browser can now navigate to folders with apostrophes in their name.
- Made some major internal changes to how Armitage interacts with Metasploit. The
goal is to make a more robust and faster hacking experience for you.
22 Mar 12
---------
- Updated Armitage NMap profiles with the following:
-T4 (instead of -T5) [wait longer for open services to reply]
-n [forces NMap to not resolve the hostname of IP addresses]
--min-hostgroup 96 [allows more parallelism when scanning hosts]
- Armitage now intercepts screenshot and webcam_snap commands from meterpreter
shell and performs the appropriate action with them.
- View -> Creds -> Export button now works in team mode.
- Doh! Armitage now properly shows VMWare icon when OS is set to a VMWare ESXi
- Armitage "is command finished?" heuristic now accounts for commands like
del /S which prompt with a (Y/N)? - you can safely use these commands again.
- Armitage now detects whether a client connecting to the team server is out
dated or not. It rejects old clients. They will get a message indicating they
need to update and then their client won't do anything else. You'll see a
message printed to STDOUT where the team server ran about the rejection.
- Added a * indicator to the active workspace in the workspaces menu.
- Added Hosts -> DNS Enumerate, this menu launches a Metasploit module that will
attempt to discover hosts by querying a name server in different ways.
- Added a file chooser helper to WORDLIST option.
- Armitage now displays a pivot relationship between a compromised host and the
NAT/proxy device it is connected through.
- Added a Copy button to services tab. This button copies the highlighted hosts
to the clipboard. I found myself needing this several times recently.
- Improved reverse payload selection logic (now it includes rev php meterpreter)
- Armitage now sets a different LPORT for each exploit launched with a rev payload
10:30am
- Changed algorithm for determining which edges to highlight in graph view. If there
is a pivot and both sides have a session, then the edge is highlighted.
8 Mar 12 1.43-dev
--------
- Armitage now uses session_host to determine which host a session is associated
with. This value is grabbed directly from the OS itself. You'll no longer have
20 meterpreter sessions associated with a NAT/firewall device.
- Armitage now spins up a new listener for each client-side attack (no longer
relying on the random default listener created on startup). Of course you can
change this... double-click the PAYLOAD option to set it to something else.
- Token stealing dialog now disables refresh button while grabbing tokens. Enables
it again when done.
- Armitage now talks to Metasploit every two minutes to prevent auth timeout.
- Armitage now displays a firewall icon for hosts with no OS marked as a firewall
by MSF.
- Armitage now selects an IPv6 bind payload when attacking IPv6 hosts.
- Armitage now explicitly sets RPORT for different MSF Scan options and psexec.
- Updated the about dialog to include a version number and release date.
- Added a ./teamserver [external IP] [shared pass] script to the UNIX distro of
Armitage. This script makes it much easier to startup Armitage's team server mode.
2 Mar 12 - Catching up to a few MSF 4.3.0-dev changes...
--------
- Added a tab rename feature.
- Hosts that self report as .NET server now display an XP/2003 era icon.
- Updated route command parser to conform to Metasploit 4.3.0's output for it
- "Check all credentials" feature now works when running the deconfliction
server AND client from the same folder.
- [host] -> Host -> Operating System -> * now clears notes related to host
before updating OS. This allows future scans to trigger MSF normalization
code and update the OS to something else (e.g., from Unknown to X)
29 Feb 12
---------
- Armitage now displays a VMWare icon for hosts flagged as ESX/ESXi servers
- Overhauled token stealing user experience--this is the cadillac version. You
now get a nice list of the available tokens (from the post module), click to
impersonate, refresh, rev2self, and getuid.
- Improved file browser responsiveness
- Table view now allows individual hosts to be deselected in an interveral
(Armitage will no longer reselect these hosts for you)
- Dynamic workspaces no longer requires a comma and a space between entries (a
comma is good enough)
- Improved the [Host] -> Remove menu option
- Deconfliction server now returns the previous 100 events to new clients.
- File browser directory up button is now more obvious
- Keyboard accelerators when you right-click in the graph view are now correct.
- Adjusted the graph view scrolling increments to something sane.
- Added a slight delay between commands issued to a console to prevent them
from executing out of order.
21 Feb 12
---------
- Added Cut/Copy/Paste menu to table cell editor.
- Module browser search field now treats spaces as a wildcard. You may type:
"win meterp" and Armitage will treat it as "win*meterp"
- Hovering over an edge in graph view no longer reports a "null" tooltip
- Fixed parsing of ps output for the process dialog (it's much much better now)
14 Feb 12
---------
- Added ports 5631 (pc anywhere) and 902 (vmauthd) to the MSF Scans feature.
- Several cosmetic tweaks to the spacing in Armitage tables.
- Moved table render code from Sleep to Java to avoid potential lock conflicts
- Added support for vba-exe payload output type.
- Payload generation dialog now sets more appropriate default options for the
vba output type when it is selected.
- Meterp command shell "read more stuff?" heuristic now accounts for Yes/No/All
- Fixed ExitOnSession showing up twice when setting advanced options for a
client-side exploit
- You may now import multiple files through Hosts -> Import again.
- Added 5s timeout to d-server connect attempt.
- Added a --client [connect.properties] to specify which Metasploit server to
connect to. The connect.properties file is a Java properties file that looks
like this (without the leading whitespace):
host=127.0.0.1
port=55553
user=msf
pass=test
19 Jan 12
---------
- Data export now includes a sessions file. This lists all of the Metasploit
sessions you had in your database. There's some neat data here including
which exploit was used, which payload, start time, and close time. You can
calculate how much time you spent on your client's boxes. Cool stuff.
- Fixed a potential dead-lock caused by mouse enter/exit events firing code
that required a lock. Nice landmine to defuse.
- Fixed a weird condition with d-server detection. Sometimes (rarely)
Armitage wouldn't detect the d-server even when it's present.
- Added check to d-server allowing one lock per/client. Client won't reobtain
a lock until it lets it go. This prevents you from opening two shell tabs
for a shell session in team mode.
- Fixed an infinite loop condition when some Windows shell commands would
return output with no newlines (e.g., net stop [some service]). Thanks
Jesse for pointing me to this one.
- Data export now includes a timeline file. This file documents all of the
major engagement events seen by Armitage. Included with each of these
events is the source ip of the attack system and the user who carried out
the action (when teaming is setup).
- Data export now exports timestamps with current timezone (not GMT)
- Fixed a nasty bug that's been with Armitage since the beginning! I wasn't
freeing edges properly in the graph view. If you had pivots setup in graph
view and used Armitage long enough--eventually Armitage would slow down until
the program became unusable. At least it's fixed now.
- Adjusted the d-server state identity hash combination algorithm to better
avoid collissions.
- Armitage now displays 'shell session' below a host if the host info is just
the Windows shell banner.
5 Jan 12
--------
- Armitage d-server now transmits hosts, service, and session state only
when something has changed. This makes teaming much snappier.
- Uploading an imported hosts file now shows a progress dialog.
- File browser upload function no longer blocks the user interface in team
mode. A progress dialog is shown for uploading larger files.
- Removed Ctrl+R refresh hosts shortcut from graph view (it's no longer
necessary)
- Armitage now exits if it was unable to connect to the collaboration server.
- Hosts -> NMap Scans and Hosts -> MSF Scans dialogs are now populated with
the selected values from the target area by default.
- You may now interact with a Windows command shell through Java meterpreter.
- Armitage no longer shows Webcam Shot option through Java meterpreter.
- Armitage now detects when it does not have read permissions for the database
YAML file and prompts with something helpful. Before it would just freeze
with a blank dialog. Not helpful. :)
- Armitage now only shows services that are open.
- View -> Reporting -> Export Data now has the capability of dumping the whole
database (not just the current workspace).
- Added a dialog to View -> Reporting Export Data. Now you have the ability to
dump all hosts or choose to dump one of the dynamic workspaces. This gives
you a lot of flexibility with which hosts are included.
- Cleaned up exported output of vulnerabilities in the Metasploit database:
-- duplicate entries are collapsed to one (this was the fault of my query)
-- refs column contains references separated by a comma and a space
-- added info and module columns. The module column indicates the appropriate
Metasploit module
-- Metasploit modules now populate name, info, and module in an appropriate
way.
- Values exported to TSV are cleaned up such that newlines are replaced with a
literal \n and tabs are converted to three spaces.
30 Dec 11 - last release of the year?
---------
- Hosts -> Clear Database now clears the sessions and clients tables
- Fixed a bug preventing dynamic workspace port/session filter from
working on a fresh database. This was a fun one. This only affected
folks with a completely fresh database and because Hosts -> Clear
Database didn't clear everything, this went unnoticed until now.
- Added various reverse shell payloads to payload helper dialog.
- Added file chooser helper for SigningCert and SigningKey options.
- Added hack to return correct route info when setting up pivoting through
Java meterpreter.
- Armitage now posts a note to the event log when a user starts a browser
exploit or a server module.
- Armitage now supports dragging and dropping a module onto a host in graph
and table view. This action opens the module launcher configured to work
with that host.
- Drastically rewrote MSF Scans. MSF Scans now intelligently builds a list
of ports to scan based on what Metasploit can do. After an initial port
scan, MSF Scans runs discovery modules against relevant hosts. As a bonus
you will see all of the output of these scans.
- Enhanced the Windows heuristic used to guess which OS image to display
- The deconfliction server throttle is now less draconian about how long it
throttles a call.
- Armitage no longer posts to the event log from the UI thread (this will
prevent the UI from blocking in some cases)
- Command shell now handles interaction with d-server in a separate thread
from the UI thread. This will prevent UI blocking in some cases.
- Added Ping Sweep... option for non-Windows meterpreter sessions. Now Java
meterpreter users have a quick host discovery option.
- Change Host OS option now matches new Metasploit database schema.
- Deconfliction server now sets LHOST to the IP address you provided. Also,
Armitage clients do not overwrite LHOST once it is set.
- Interacting with a shell in team mode no longer blocks UI to communicate
with d-server.
12 Dec 11
---------
- Armitage teaming mode now downloads the resulting file for any fileformat
exploit.
- Armitage -> Set Exploit Rank and Set Target View now show a * next to an
item to indicate the current setting.
- Shift+click on Launch in a module launch dialog will not close the module
launch dialog. One use case for this: set up a payload multi/handler,
shift+click Launch to do it, then change output type to exe, click Launch
and you're all set.
- Dynamic Workspace editor now trims whitespace from your entries. Errant
whitespace causes Armitage to reject the entry and your workspace never
acivates.
- Updated the "msfrpcd died" troubleshooting dialog. The new one takes folks
to a website with detailed information.
- Armitage now uses "load" to load a meterpreter module instead of "use"
- Key logger event log announcement now notes the session ID. This is so
your teammates will know not to migrate that session since it's recording
key strokes.
- Right-click X in tab -> Save Screenshot now displays filename without the
path.
- Deconfliction server now detects when database is not available and offers
troubleshooting steps.
- Loot/Downloads viewer now has a right-click menu to Copy selected text.
22 Nov 11 - A big improvement...
---------
- Services refresh is now set to 30s (vs. 60s before)
- Workspaces -> Manage now opens as a tab and shows all data about workspaces
- Fixed a bug with Edit Workspace not auto-checking session box when set.
- Meterpreter -> Access -> Escalate Privileges now highlights the priv esc
options in the post module true. This is viable now that getsystem is a
module.
- Payload module launcher now lets you set Template, Iterations, Encoder, and
KeepTemplateWorking for any Windows payload. Also, payload is generated and
saved locally without opening a tab.
- sessions -i ## trap is now smarter and opens a shell tab for shell sessions,
a meterpreter tab for meterpreter sessions, and offers an error when you
try to interact with a session that doesn't exist.
- Armitage no longer shows a host until it receives a db.hosts reply.
- Right-click a module and select Relevant Targets to create a dynamic
workspace that shows only targets that meet the host/port criteria for that
module. Use Ctrl+A to select all of those hosts and rock'n'roll. :)
- Hosts -> Import Hosts now works when the folder/file has spaces in it.
- Dynamic workspaces are now local to the current Armitage client. They no
longer have a global effect in teaming mode.
- Added an Activate button to workspace management dialog.
- Fixed a bug with sessions only dyn workspace sometimes showing hosts that
do not have sessions.
- You may now highlight multiple jobs in View -> Jobs and select Kill to get
rid of all them at once.
11.17.11 - All the things I wanted to do, but didn't have time
--------
Release Note 1: if you use Armitage teaming, things changed. You have to start
msfrpcd with a different set of flags and your team must use the latest version
of Armitage. If you have a script that starts msfrpcd, you must update it.
More information is at: http://www.fastandeasyhacking.com/manual#7
Release Note 2: Armitage requires a Metasploit base install of 4.0 or greater.
If you use msfupdate to update a Metasploit install prior to 4.0, then Armitage
will not work. The Metasploit pre-4.0 installers did not install dependencies
that Armitage requires today. Missing are certain Java cryptography extensions
and the msgpack Ruby gem. BackTrack 5 is Metasploit 3.7. BackTrack 5r1 is 4.0.
- db.services now limits its results to hosts that are returned by db.hosts.
This fixes a bug where services data for some hosts was not returned when
when >3,500 hosts are in the armitage database.
- MSF Scans menu is now available under Hosts menu again.
- Removed Browser Autopwn menu as its future in Metasploit is undecided.
- Find Attacks/Hail Mary now pull latest service info from DB before resolving
the attacks. This prevents a situation where Find Attacks after a scan yielded
nothing because Armitage had not synced with the database yet.
- Deconfliction server now complains when you try to use 127.0.0.1 as your host
- Added cut/copy/paste/clear menu to most textfields. (for Glen)
- Added Workspaces -> Manage to edit, add, and remove dynamic workspaces.
- Added code to intercept "sessions -i ##" and open a meterpreter tab instead.
- Armitage now honors port setting when starting msfrpcd for you.
- Armitage now detects msfrpcd shutdown and offers user advice to fix it. The
most common cause is probably a lack of msgpack.
- Fixed a deadlock that happened when generating a payload.
11.13.11 - A major rewrite of a lot of stuff.
--------
- Moved from XML/RPC interface to MSGPACK. This should be much faster.
- Removed Armitage dependence on Metapsloit db.* API--since it may go away soon.
- Attack recommendations and Hail Mary no longer depend on db_autopwn. New code
offers same results with improved speed.
- Simplified Hail Mary and Find Attacks to use port/OS information only.
- Greatly improved keystroke recorder. The option is now called "Log Keystrokes".
It uses the Metasploit keystroke_recorder post module. Results are regularly
dumped into the post module window. Also, the results are stored as loot
available for the team to view.
- Launching the keystroke_recorder post module now makes an announcement to the
event log.
- Added a button to Processes tab to log keystrokes. This will bring up a the
keystroke_recorder module configured to migrate to the process and record
keystrokes there.
- Removed Workspaces menu. Armitage now works from the default workspace.
- Simplified Hosts menu.
- Meterpreter -> Access -> Persistence now calls persistence post module.
- Improved Meterpreter -> Access -> Steal Tokens, it's still wonky but it's a
little better now.
- Host import now uses db_import command running in a console.
- Added Armitage -> Set Exploit Rank to update the minimum exploit rank value.
- Armitage now displays up to 512 hosts and 12,288 services at any given time.
This keeps Armitage operable even if you scan a big freaking network.
- Added dynamic workspaces. This feature gives you the ability to define a filter
on the database and Armitage will display only hosts that match this filter.
You may define filters based on operating system, open ports, and network address.
Go to Workspaces -> Create to create a filter. Filters show up under the
Workspaces menu and you may switch back and forth betweem them too.
- Simplified the Connect dialog. One button. :)
- Right-click Scan option now scans for HTTPS.
- Check all credentials option no longer tries blank passwords/username as pass
- Added a read optimization to the console code. This will reduce load in a team
engagement + make consoles feel faster when there is output.
- Armitage now opens the event log tab instead of a metasploit console tab in team
mode.
- Fixed a host sorting issue in table view.
- Moved View -> Targets to Armitage -> Set Target View
- Overhauled how Armitage handles downloaded files. Downloads are saved to a set
place on the attack server. Downloads are available to the whole team through
View -> Downloads. This works like the loot viewer. Team members may view text
files or download binary files. This method is friendlier when downloading whole
directories of stuff.
10.20.11
--------
- Modified hail mary attack to get a little more success with some common Windows
attacks.
10.17.11
--------
- Added menu item to dump hashes using the old lsass method or the smart hashdump
registry method.
10.13.11 take II?
--------
- updated msf3/data directories to account for new install locations.
- Removed Meterpreter -> Access - > Duplicate because it is now redundant with
Meterpreter -> Access -> Pass Session
- Updated Meterpreter -> Access -> Pass Session to have LPORT of default
Meterpreter listener. Click Launch to simply duplicate your current session.
- Added Meterpreter -> Access -> Steal Token to list and steal user/group tokens
- Updated meterpreter multiplexer to not expect output from rev2self.
10.13.11
--------
- added ability to set up VNC on a target when connected to a remote Metasploit
- Armitage now tells you where to connect your VNC client to access the desktop
of a compromised host. You'll need to have a local VNC client available.
10.12.11 - oooh SECKSY
--------
- fixed a typo in the default armitage settings file.
- made PAYLOAD helper friendly to post/windows/manage/payload_inject
- Meterpreter -> Access -> Pass Session now uses payload_inject
10.12.11
--------
- Meterpreter N -> Hashdump now runs post/windows/gather/smart_hashdump module.
This gives you the benefit of seeing its output and it works in more
situations.
- Right-click the tab X button and select Save Screenshot to take a screenshot
of the current tab. This image will render the tab contents exactly as seen
on the screen. Useful for putting together a report or presentation.
(thanks Rob for the suggestion)
- Added a module launcher helper for RHOSTS and RHOST. This helper will let you
import a list of IPs (separated by newlines) from a file into these fields.
- View -> Reporting -> Export Data no longer fails if there are no hosts to
export data about.
- Armitage now runs post/auxiliary modules as jobs (meaning you may kill them
using View -> Jobs)
- hashdump and smart_hashdump post modules will now announce to the event log
that hashes were dumped when they're run (whether through the menu or
the module browser).
- View -> Reporting -> Export Data now takes a screenshot of the table view
and includes it in the artifacts (when table view is active)
09.26.11 - take 2
--------
- Improved performance when launching exploits and other modules that open
a new tab.
- Launching an exploit will only open a tab when fewer than four hosts are
highlighted. If four or more are highlighted, then Armitage will use the old