Armitage Changelog ================== 17 Apr 11 - Change Log --------- Windows command shell interactions are now less likely

to die. How oh how did we get here? Armitage interacts with cmd.exe through a Meterpreter channel. If an unnecessary read happens, it ties up the meterpreter session for 10-20s AND the channel dies. If you typed commands in too quickly, it's probable that Armitage would do an unnecessary read and the channel would die. I believe I've headed off this problem. Armitage now locks the channel until the command completes. If the command times out or completes, the channel becomes unlocked. This should prevent most out of place reads. In collaboration mode, this was a great way for excited teammates to tie up the meterp session for everyone. :) "I typed this command 20 times and nothing happened!!!" Doh! You queued 20 reads with a 10-20S timeout each and destroyed that channel. -- Armitage protects against this situation now. - Command history no longer saves empty commands. - Armitage server mode now provides all details that a client needs to connect to the server. 13 Apr 11 - Change Log (Dayton, OH Capstone Edition) --------- Metasploit now has host normalization (this is great news). I've removed the OS reporting code from Armitage as a consequence. This means less overhead communicating with Metasploit - Fixed a potential deadlock triggered when interacting with a Windows command shell. Sorry about the freezes Matt and Brant. - Fixed a strange condition in Armitage that sometimes caused shell sessions to die. - Download from file browser now notifies user when a file is downloaded. - Armitage server mode now prints database connect string to console to assist with set up of Metasploit teaming. - Fixed a bug causing exploit recommendations to not show for Windows hosts due to host normalization - Added a check to prevent cd .. button in file browser from retriggering too quickly. This will prevent the meterpreter command queue from becoming very backed up doing a cd/ls over and over again. - Graph view no longer counts edges as a selected item when creating a list of hosts to apply an action to. - Added another heuristic to prevent Windows cmd.exe interaction from locking up. 10 Apr 11 - Change Log --------- Fixed key logger dump button. - Process migrate function displays success or fail message again. - Armitage now displays nmap output in a tab. You can thank scriptjunkie for making this work in Metasploit. Please send cash, check, or money order directly to him. - Greatly improved post-pivot host discovery workflow... here's the deal: -- [host] -> Meterpreter -> ARP Scan menu now shows networks local to host and lets you choose to launch an ARP scan from that Meterpreter session. -- Highlight one or more hosts, right-click, and select Scan to launch MSF discovery scans against the highlighted hosts. - Added a rudimentary loot browser/viewer to Armitage. Go to View -> Loot to see the currently captured loots. Loot is the Metasploit term for

data captured by certain post/ modules. - Armitage now presents a warning when it detects a second Metasploit user connected to the same Metasploit server without the collaboration server in place. - Armitage collaboration mode now updates target information more often - Updated Armitage to work with Metasploit's new normalized host OS constants and to restore the os_flavor value when it is wiped out. 16 Mar 11 --------- Shell -> Disconnect now executes in a separate thread. - Armitage now creates ~/armitage-tmp and writes there if the current dir is /Applications or it can't write to the current directory. - Fixed a potential deadlock issue in the file browser - Directory up button in file browser now shows that it has been pressed - Added Execute option to file browser (now you can run a program by right-clicking on it and selecting Execute--for Jesse) - Multiple improvements to responsiveness of command shell and meterpreter tabs. This should benefit collaboration mode too. 12 Mar 11 (MACCDC Post Day 1 Update) --------- Fixed a bug preventing host import from working with a remote connection - Armitage client now increases default wait for meterpreter commands to complete when in teaming mode. - Increased wait time to download a generated payload file to 8s. 11 Mar 11 Update (0100h EST) --------- Fixed a deadlock condition in the module launcher (caused by the changes to increase responsiveness... oops). 10 Mar 11 Update (2230h EST) --------- Fixed race condition importing manual list of hosts (sometimes the file would get deleted). Grr. - Added a lock to prevent multiple Armitage clients from trying to determine what OS a box has. This should help in CTF situations. 10 Mar 11 Changes --------Quick story: NECCDC 2011 Red Team. TJ launches a script that lands 70 sessions in the first few seconds. 11 red team members are connected to Armitage eager to carry out their pieces of pwnage. The Ruby process pegs the CPU and Armitage fails spectacularly. Very funny. This releases fixes that. - Armitage YAML parser now accepts quoted strings in the YAML fields - Added caching of sessions.list, db.hosts, and db.services to Armitage collaboration server. This should help prevent msfrpcd from overloading when many clients are connected and owning boxen at one time. - Improved GUI responsiveness by making several parts of the Armitage GUI spawn a new thread to avoid blocking while communicating with Metasploit - Added a tooltip to the "Start MSF" and "Connect" buttons to clarify use - Export credentials button now prompts for a remote file when connected to a remote Metasploit instance. - Export credentials and payload generate output now transparently downloads to your local host when connected to Armitage's collab server. - Armitage now loads stdapi in Meterpreter if it finds it's not loaded.

Armitage also prompts you to rerun the failed command when this happens. - Right-click in services now shows popup for taking actions against selected hosts. Now you can do mass actions against hosts sorted by port. - Added Access -> Persist to Meterpreter menu. This will run Meterpreter's persistence script using the default Armitage handler. Meterpreter will start at boot and at login. - Added an Armitage.app file for MacOS X. Use Armitage from OS X as a client to connect to Metasploit hosted in other places. - Added a check for whether current working directory is writeable or not. If it's not, Armitage does all of its read/write operations in home dir. Tested with 10 concurrent Armitage clients from four boxes with 140+ shell sessions and a few meterpreter sessions. I think we're ready to rock now. 27 Feb 11 Changes --------- Webcam snap features works again. Sorry about that. :) - Download file button in file browser now works through the collaboration server. This feature has a few limitations / requirements: 1) Armitage server must have the same $PWD as msfrpcd 2) Files must download in less than 12s or else you'll need to retrieve them from the msfrpcd host. 3) Recursive downloads of files from a directory are kept on the host with msfrpcd. You'll need to retrieve them with sftp or something else. 25 Feb 11 Changes --------This release is primarily bug fixes. The network attack collaboration feature is further tested and ready for your use. See: http://www.youtube.com/watch?v=coF8dVLBnOQ - Armitage now consumes data from msfrpcd's stderr when Start MSF button is used. This means Armitage won't lock up when database tables are initialized during the first run on Windows. - pivoting, logins, hail mary, and pass-the-hash now print to the event log. - Pass-the-hash dialog is now available via [host] -> Login -> psexec. - Fixed bug causing Event Log menu to be present outside of collab mode. - armitage.sh start-up shell script is now named armitage - Console destroy and shell unlocking commands on tab close now happen in a new thread to prevent the GUI from blocking. - Armitage now stops meterpreter read thread when it detects a dead session. - Replaced jyaml with a quick and dirty parser that doesn't mistake ####e# for a double number. This was screwing up connecting to postgres for some of you. - Upload button in file browser now works through Armitage's collab server - Added Ctrl+P shortcut to save screen capture of hosts graph view 22 Feb 11 Changes --------- Improved shell "when should I read more data from this channel" heuristic. This means command shell sessions should not freeze on an errant Meterp. read command that blocks until the universe is recreated. - Fixed a potential deadlock using Armitage's meterpreter dialogs with a meterpreter tab open. - Command shell tab now only opens when Armitage knows channel and PID settings - Rewrote how Armitage interfaces with Meterpreter. This has a few impacts:

-- Armitage now waits for a command to execute and reads its output before executing another command. This prevents Armitage from getting confused when you're doing a lot of stuff at once. -- You can now open multiple meterpreter console tabs for a session -- Commands executed by Armitage's dialogs will not show up in your Meterpreter tab(s). - File browser now does a cd "current directory" before each action. - Added a network attack collaboration feature to Armitage. This is as beta as it gets (although it *should* work). To use it, start msfrpcd and connect Armitage's collaboration server (on the same box as msfrcpd!) ./armitage --server host port user pass [ssl? 1 or 0] This will connect Armitage's collaboration server to the Metasploit RPC daemon you specify. This server will then bind port+1 and tell future Armitage clients to use it for extra collaboration features. Connect one or more remote Armitage clients as normal. Some of the features you get in this mode: 1. View -> Event Log for chatting and watching major events 2. Command shell and webcam/screenshot features work for remote clients 3. Armitage clients automatically lock a shell session when they're in use and notify other clients that it's locked if they try to use it. 4. Transparent real-time sharing of meterpreter amongst multiple clients. Payload generation now works on Windows (I wasn't escaping the backslashes in the paths... doh!) Armitage now prompts you for a path (and not a file chooser) when generating a payload using a remote connection to Metasploit. Armitage now loads database settings from file in MSF_DATABASE_CONFIG env var You can now highlight text in the Armitage console tabs on MacOS X. Fixed a potential deadlock when opening a Windows command shell tab

Update 9am EST - Removed a remnant of my development environment from server.sl. If you see: jar file to import package from was not found! at line 25 Then you need to update. 13 Feb 11 Changes --------- Organized View menu (it was getting out of control) - Added RPC Console item to view menu (Start MSF only). This item will show the STDOUT for msfrpcd. Use this to watch nmap's output. - Added Ctrl+A shortcut to select all text in a console tab - Kill meterpreter, kill pivots, and credential dumps now use fresh consoles to execute. This ensures they will execute even if the global console is stale (this sometimes happens.) - Added tab completion to Meterpreter window. - Hosts -> Import Hosts now lets you select multiple files to import at once. - Use SSL is now checked by default on Linux (and unchecked by def. on Win) - Updated Armitage to remove or alter some UI options when connected to a remote Metasploit RPC instance. -- Meterpreter shell is the only interact option -- Webcam and Screenshot menu items are gone -- Upload asks for a full file name rather than show a file chooser dialog These adjustments are necessary during remote connections as Armitage does not have access to the local file system of the Metasploit RPC daemon.

21 Jan 11 Changes --------- Increased wait time between connection attempts to MSF RPC - Fixed bug with Windows command shell not working when using Armitage from a Windows host. - Host refresh using sysinfo now only happens when no OS is set for the host. - Fixed a deadlock condition caused when an automatic sysinfo request was made while a Meterpreter tab for the same host was open. 18 Jan 11 Changes --------- Added a Migrate Now! item to Meterpreter Access menu. Runs migrate -f. - Right-click in Meterpreter console now shows menu as before (silly bugs). - Armitage now detects hashdump failure and reports possible causes to you. - Armitage now binds default handler to 0.0.0.0. - Added a table view for the targets area. Go to View -> Targets to change the setting. If you're working with many hosts, table view may be better for you. - Added preliminary support for Metasploit post/ modules. You can launch them and if a host is highlighted, Armitage will populate the SESSION var for you. - Armitage now uses the sysinfo command in a meterpreter session to pull host OS info if it doesn't know it. This also means Armitage will auto-populate the host OS when a client-side attack is successful. - Tab completion is now ignored when input field is empty 13 Jan 11 Changes --------- Hosts reported as Windows Me now display W2K era Windows logo. - "Hail Mary" attack is now launched and managed by Armitage. Exploits are selected using the output of db_autopwn AND the operating system information Armitage knows. Also attacks are launched in a more optimal order (sorted by exploit rank/age). This is a big improvement over db_autopwn by itself. - Added a link to the Armitage Issue Tracker in the Help menu. - Updated remote exploit payload selection to choose Java payloads or Windows shell payloads before resorting to the generic/* payloads. - Updated client-side exploit launcher to let you select the target. Armitage uses this target (plus the exploit name) to determine which payload to use. multi/java_signed_applet works very nicely now ;) - Fixed (once and for all now) the mysterious OS info not refreshing bug. Now those pretty OS pictures will show up if Metasploit knows about the OS. - Added a 52 character length limit to a target's description in the target dropdown. This stops weird GUI layouts caused by long target descriptions. - Exploit recommendations now take into account FreeBSD hosts. - Added an OpenBSD option to the hosts menu. - Armitage now does a setg AutoLoadStdapi true when setting up MSF. - Last modified field of file browser now sorts properly. - Jobs console and its kill feature should now work in all circumstances. - Session menus for meterpreter now limited for non-Win meterp sessions. - Updated Armitage/Windows to provide a better startup experience. Simply extract the archive over your MSF install and rock n' roll. 22 Dec 10 Changes --------- Updated meterpreter shell and command shell console to honor your set preferences. I forgot to pass $preferences to the console constructor. Doh! - Added a -d/--debug command line option. This will dump System.getProperties() and a log of all exchanges with the MSF server to debug.log in the current working directory. - To play nice with existing conventions, Armitage is now licensed under the BSD license. Distribute, use, reuse, recycle.... have fun.

- Fixed a deadlock condition that arose when a large nmap scan is imported - About dialog now shows up centered. - Armitage now has a graphic for Cisco IOS. You can mark a host as a Cisco IOS device. Also Armitage recognizes IOS from an NMAP Scan. - Fixed Armitage "crash" due to read timeouts. This would occur for those of you who ran a really taxing operation (e.g., db_autopwn). - Added a time limit flag to db_autopwn (20s) - Ctrl+R is now even more aggressive clearing internal data structures. - Shell N -> Meterpreter... no longer blocks waiting for the operation to complete. 13 Dec 10 Changes --------Added Meterpreter -> Browse -> Webcam Shot to grab webcam snap shots. You may now click the image in the webcam/screenshot view to save it. Workspace -> Create menu now automatically switches you to the net workspace. UNIX shell sessions now have an Upload... menu. This item will open a local file and use the printf command on the remote host to put it together. It's slow but it works. Removed the rename file menu item from the file browser. It turns out I had my Windows command shell vs. meterpreter command interface crossed. The command doesn't exist in Meterpreter. Upload button now waits until file is uploaded to refresh file listing Added Timestomp item to File Browser popup menu. This works like a clipboard. Select Get MACE to capture the MACE values of the current file. Use Set MACE on another file to set the MACE values to the currently known attributes. Dump hashes menu item no longer pulls up a new credentials tab. Added a Refresh button to the credentials tab. Updated db refresh code to be a little smarter about when it needs to merge db_notes hints into the MSF database.

6 Dec 10 Changes -------- added -y filename.yml command line option for specifying a YAML file with database parameters - updated "Start MSF" to launch "ruby msfrpcd" on Windows. This requires the current working directory of Armitage be set to the Metasploit base directory. - jobs view now parses job output with only 3 columns of information. - connect dialog is now centered on your screen when you start Armitage - Armitage now saves your settings when you use Start MSF. - Armitage now forces cells in editor mode to save before launching a module or an exploit. This should prevent a few surprises where things seemed like they weren't working for a few of you. - MSF Discovery Scans are now started from a separate thread, preventing Armitage from "locking up" while the scans launch. A dialog also comes up to state how many scans were launched. - MSF Discovery Scans are now limited to 2 threads/scan on Windows and 8 on other operating systems. This prevents serious lag issues caused by starting too many threads. - connect dialog is now a window, meaning it has an icon in whatever your window manager is and if you close it Armitage exits. - updated DB Connect String helper dialog to ask for DB user, DB pass, DB host, and DB name. This should prevent some of you from confusing the database user/pass with the MSFRPCD user/pass. - Current environment variables are now passed to msfrpcd when executed from Armitage. This will allow msfrpcd to inherit any PATH changes and other necessary things when Armitage is run from a shell script or batch file. - Added .svn folders to the Armitage distribution. Now you can use svn update .

to keep your install of Armitage up to date. - File browser upload and make directory commands now allow files with spaces in them. - Armitage will now exit if it takes longer than 5 seconds to shutdown msfrpcd when cancel is pressed during the connecting phase. 25 Nov 10 --------- start msf button now kills msfrpcd session if db_connect fails - set default database options to mysql with BackTrack 4 R2 settings. - Armitage -> Exit menu now kills msfrpcd, if the "Start MSF" button was used - Added ability to set up a multi/handler from Payload launch dialog 13 Nov 10 --------- fixed file browser directory icon showing up in every field within Windows L&F - added an export button to the credentials view. This will save the credentials to a pwdump format file. - fixed console highlighting issue, sadly you'll need to click in the console in put box for it to have focus again. Write once, debug everywhere. - added "hail mary" attack option--this launches db_autopwn - attack menus now honor the armitage.required_exploit_rank.string setting - added Ctrl+R shortcut for refreshing the target view (esp. OS info) - fixed db_notes parsing for latest version of MSF (3.5.x?) - fixed how auxiliary scans are displayed in the jobs table. - db connect helper now prepopulates fields with info taken from connect string - added an 8s timeout to abort the database connect if it fails. - OS from db_notes to db_hosts refresh is now guaranteed on connect - Packaged everything into a single jar file, now I can code in what I like without hassle from people who are too lazy to look at the code. - SSL handshake now fails after 8 seconds (should give those of you trying an SSL connect to a non-SSL server an idea that something is up) - added an executable to launch Armitage on Windows - fixed command shell interaction bug caused by directories with spaces. - Start MSF button now reports an error if it couldn't start MSF-RPC 2 Nov 10 -------- Initial (priv8) release.