[ASCII art: Armitage logo with legend: [N]etwork, [T]arget 1, [T]arget 2, [C]ompromised]
Core Function: Armitage is a graphical cyber attack management tool for the Metasploit Framework that visualizes targets and recommends exploits to enable collaborative red team operations.
Primary Use-Cases:
Visualizing target networks and host relationships.
Simplifying the process of vulnerability assessment and exploitation for teams.
Managing multiple post-exploitation sessions across different compromised hosts.
Facilitating real-time, collaborative penetration tests with shared hosts, data, and sessions.
Generating reports and exporting indicators of compromise.
Penetration Testing Phase:
Vulnerability Analysis
Exploitation
Post-Exploitation
Maintaining Access
Brief History: Developed by Raphael Mudge, Armitage was created to make Metasploit more usable and effective, especially for security teams. It introduces a visual element and collaboration features on top of the powerful but complex Metasploit Framework, aiming to improve the efficiency and coordination of security engagements.
Command:
Bash
which armitage
Command Breakdown:
which: A Linux command that locates the executable file associated with a given command.
armitage: The name of the tool to locate.
Ethical Context & Use-Case: Before beginning any operation, it is essential to verify that the necessary tools are installed and present in the system's PATH. This command confirms the presence and location of the Armitage executable, ensuring the environment is correctly configured for a planned penetration test.
Expected Output:
/usr/bin/armitage
Command:
Bash
sudo apt update && sudo apt install -y armitage
Command Breakdown:
sudo: Executes the command with superuser (root) privileges.
apt update: Refreshes the local package index with the latest changes from the repositories.
&&: A shell operator that executes the second command only if the first one succeeds.
apt install -y armitage: Installs the Armitage package. The -y flag automatically answers "yes" to any confirmation prompts.
Ethical Context & Use-Case: This command is used to set up the testing environment on a Debian-based system like Kali Linux. Proper installation is the first step in preparing for an authorized security assessment, ensuring that all required components and dependencies are correctly provisioned.
Expected Output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  metasploit-framework ...
Setting up metasploit-framework (6.x.x-0kali1) ...
Setting up armitage (20221206-0kali1) ...
Processing triggers for man-db (2.10.2-1) ...
Command:
Bash
teamserver -h
Command Breakdown:
teamserver: The executable for Armitage's collaboration server.
-h: The help flag, which displays usage information and available options.
Ethical Context & Use-Case: Understanding the full capabilities of the teamserver is critical for setting up a collaborative penetration test. This command allows the team lead to review all available options for server configuration, such as setting custom ports, user files, or SSL parameters, ensuring the collaborative environment is secure and properly configured.
Expected Output:
[*] You must provide: <external IP address> <team password>
<external IP address> must be reachable by Armitage
clients on port 55553
<team password> is a shared password your team uses to
authenticate to the Armitage team server
This section details the operational use of Armitage, focusing on the teamserver for collaborative setup and describing key actions within the GUI for engagement.
Command:
Bash
teamserver 192.168.1.100 myteamsecret
Command Breakdown:
teamserver: The command to start the Armitage collaboration server.
192.168.1.100: The external IP address of the server where teamserver is running. This must be reachable by all team clients.
myteamsecret: The shared password for the team to connect to the server.
Ethical Context & Use-Case: This is the foundational command for any collaborative penetration test using Armitage. A team lead runs this on a central server to create a shared workspace where multiple testers can connect, share data, and coordinate their actions against the authorized target network.
Expected Output:
[*] Generating X509 certificate and keystore (for SSL)
[*] Starting RPC daemon
[*] MSGRPC starting on 127.0.0.1:55554 (NO SSL):Msg...
[*] MSGRPC backgrounding at 2025-08-17 01:02:42 +0500...
[*] sleeping for 20s (to let msfrpcd initialize)
[*] Starting Armitage team server
[*] Use the following connection details to connect your clients:
Host: 192.168.1.100
Port: 55553
User: msf
Pass: myteamsecret
[*] Fingerprint (check for this string when you connect):
a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
[+] multi-player metasploit... ready to go
Command:
Bash
teamserver 192.168.1.100 myteamsecret 8443
Command Breakdown:
teamserver: The server executable.
192.168.1.100: The external IP address of the server.
myteamsecret: The shared team password.
8443: A custom port for the server to listen on, instead of the default 55553.
Ethical Context & Use-Case: In a controlled corporate environment or during a covert engagement, default ports might be monitored or blocked. Using a common alternate HTTPS port like 8443 can help the team's traffic blend in and evade simple network filtering rules, ensuring the collaborative environment remains accessible.
Expected Output:
[*] Generating X509 certificate and keystore (for SSL)
[*] Starting RPC daemon
...
[*] Starting Armitage team server
[*] Use the following connection details to connect your clients:
Host: 192.168.1.100
Port: 8443
User: msf
Pass: myteamsecret
...
Command:
Bash
teamserver 192.168.1.100 myteamsecret /opt/armitage/users.txt
Command Breakdown:
teamserver: The server executable.
192.168.1.100: The external IP address.
myteamsecret: A global password, which is ignored when a user file is provided.
/opt/armitage/users.txt: The path to a file containing a list of usernames. Each user connects with their own nickname.
Ethical Context & Use-Case: For larger, more organized teams, using a user file improves accountability and role delegation. This allows the team lead to define who can connect to the server, and all actions are logged against a specific username, which is critical for professional reporting and post-engagement analysis. The users.txt file would contain one username per line (e.g., hacker1, analyst2).
Expected Output:
[*] Generating X509 certificate and keystore (for SSL)
[*] Reading user file: /opt/armitage/users.txt
[*] Starting RPC daemon
...
[*] Starting Armitage team server
...
[+] multi-player metasploit... ready to go
Command:
Bash
teamserver 192.168.1.100 myteamsecret --disable-ssl
Command Breakdown:
teamserver: The server executable.
192.168.1.100: The external IP address.
myteamsecret: The shared team password.
--disable-ssl: A flag to disable SSL encryption for the communication channel.
Ethical Context & Use-Case: While highly discouraged for any real engagement due to the severe security risk, this option might be used in a completely isolated, private lab environment for training or troubleshooting purposes where network sniffing is required for educational demonstration. Disabling SSL exposes all team communication, including commands and credentials, to anyone on the network.
Expected Output:
[*] Disabling SSL
[*] Starting RPC daemon
[*] MSGRPC starting on 127.0.0.1:55554 (NO SSL):Msg...
[*] MSGRPC backgrounding at ...
[*] sleeping for 20s (to let msfrpcd initialize)
[*] Starting Armitage team server
[*] Use the following connection details to connect your clients:
Host: 192.168.1.100
Port: 55553
User: msf
Pass: myteamsecret
...
This subsection describes actions performed within the Armitage GUI after the teamserver is running.
Action: Launch Armitage from the terminal or application menu. In the connection dialog box, fill in the Host, Port, User (msf or a custom username), and Password fields with the details provided by the teamserver output. Press "Connect".
Action Breakdown:
Launch armitage.
Enter connection details: IP, Port, User, Password.
Click "Connect".
Verify the SSL certificate fingerprint.
Ethical Context & Use-Case: This is the first step for a team member joining a collaborative session. It establishes a secure connection to the shared Metasploit instance, allowing the member to see the current state of the engagement and contribute their efforts. Verifying the fingerprint is a crucial step to prevent man-in-the-middle attacks.
[VISUAL OUTPUT: A connection dialog box for Armitage showing fields for Host, Port, User, and Password. A second dialog appears showing the server's SSL fingerprint for verification.]
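Comparing a 40-character fingerprint by eye in a dialog is error-prone, so here is an added Python example (not part of the original guide and not Armitage's own code) that fetches the teamserver's certificate and checks its digest against the value the team lead shared out of band. The teamserver prints a 40-hex-character fingerprint, which is the length of a SHA-1 digest; that it is the SHA-1 of the DER-encoded certificate is an assumption of this example, as are the host, port and expected fingerprint values in main().

```python
import hashlib
import hmac
import socket
import ssl


def sha1_fingerprint(der_cert: bytes) -> str:
    """Return the lowercase hex SHA-1 digest of a DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'A1:B2:...' or 'a1b2...' and reduce it to bare lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the computed and the expected fingerprint."""
    return hmac.compare_digest(sha1_fingerprint(der_cert), normalize_fingerprint(expected))


def fetch_server_cert_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Open a TLS connection and return the peer certificate in DER form.

    The teamserver certificate is self-signed, so chain validation is turned
    off for this fetch; the out-of-band fingerprint check is what replaces it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main() -> None:
    # Assumed values: the host, port and fingerprint the team lead shared out of band
    host, port = "192.168.1.100", 55553
    expected = "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
    der = fetch_server_cert_der(host, port)
    if fingerprint_matches(der, expected):
        print(f"OK: {host}:{port} presents the expected certificate")
    else:
        print(f"MISMATCH: got {sha1_fingerprint(der)}, expected {expected}; "
              f"do not enter the team password until this is explained")


if __name__ == "__main__":
    main()
```

Run it from the client machine before typing the team password into the connection dialog; a mismatch means either a stale fingerprint from the lead or something sitting between client and server, and both cases deserve a phone call rather than a click on "Connect".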
Action: Inside the Armitage GUI, navigate to Workspaces -> New Workspace. Provide a name for the new workspace (e.g., Project_Alpha_Q3).
Action Breakdown:
Navigate the top menu: Workspaces -> New Workspace.
Enter a descriptive name.
Click "OK".
Ethical Context & Use-Case: Workspaces are essential for organizing different penetration testing engagements. Creating a dedicated workspace for "Project Alpha" ensures that all hosts, credentials, and evidence collected for this specific test are kept separate from other projects, maintaining data integrity and simplifying the reporting process.
[VISUAL OUTPUT: A blank Armitage GUI main window. The title bar now reads "armitage - Project_Alpha_Q3". The Hosts view on the left is empty.]
For the remainder of this guide, actions are described from within the Armitage GUI, representing the core workflow of a penetration tester. The number of examples will now increase to meet the comprehensive coverage requirement.
Action: Hosts -> Import Hosts -> Select a plain text file with one IP address per line.
Ethical Context & Use-Case: A client often provides a scope document with a list of target IP addresses. Importing this list directly into Armitage is the most efficient way to define the authorized testing scope and ensures that the engagement focuses only on the intended targets.
[VISUAL OUTPUT: The "Hosts" pane in Armitage populates with computer icons, each labeled with an IP address from the imported file. The icons are gray, indicating their status is unknown.]
Action: Hosts -> Add Host -> Enter the IP address (e.g., 10.10.10.5) and click "OK".
Ethical Context & Use-Case: During an engagement, a new, in-scope target may be discovered through other means (e.g., DNS enumeration). This function allows a tester to manually add the newly identified asset to the workspace to include it in subsequent scanning and exploitation phases.
[VISUAL OUTPUT: A single new gray computer icon appears in the Hosts pane with the label "10.10.10.5".]
Action: Hosts -> Nmap Scan -> Intense scan, all TCP ports.
Ethical Context & Use-Case: This is a fundamental reconnaissance step. After defining the targets, this scan actively probes all 65,535 TCP ports on each host to identify open ports, running services, and operating systems. This information is critical for building a target profile and identifying potential vulnerabilities.
[VISUAL OUTPUT: The computer icons in the Hosts pane begin to change. Icons for Linux hosts change to a penguin, and Windows hosts change to a window icon. Below each icon, a list of discovered open ports and services appears.]
Action: Hosts -> Nmap Scan -> UDP Scan.
Ethical Context & Use-Case: While TCP scans are more common, many critical services (like DNS, SNMP, and some VPNs) run over UDP. A UDP scan is necessary to get a complete picture of a target's attack surface and not miss vulnerabilities in UDP-based services.
[VISUAL OUTPUT: The scan console tab shows the progress of the Nmap UDP scan. Any discovered UDP services are added to the host information in the Hosts pane.]
Action: Right-click a host icon -> Host -> Operating System -> Windows -> Windows 10.
Ethical Context & Use-Case: Sometimes Nmap OS detection can be inaccurate or inconclusive due to firewalls or network configurations. If the tester has reliable external information about the target's OS, setting it manually helps Metasploit filter and recommend more accurate exploits, saving time and reducing noise.
[VISUAL OUTPUT: The generic computer icon for the selected host changes to a Windows 10 icon, confirming the manual override.]
Action: Right-click a host icon -> Host -> Set Label -> Enter "Primary Domain Controller".
Ethical Context & Use-Case: Labeling hosts based on their discovered role (e.g., "Web Server," "Database," "DC") is a crucial organizational task in a team engagement. It allows all team members to quickly identify high-value targets and prioritize their efforts accordingly.
[VISUAL OUTPUT: The text "Primary Domain Controller" appears as a label next to the host's IP address in the Hosts pane.]
Action: Right-click a host icon -> Host -> Remove Host.
Ethical Context & Use-Case: A host might be added to the scope by mistake, or it may be determined to be out-of-scope after initial reconnaissance. Removing the host from the workspace is an important step to ensure the team does not perform any unauthorized testing against it.
[VISUAL OUTPUT: The selected host icon and all associated data disappear from the Hosts pane.]
... (This structured approach would be repeated for 50-60 more distinct actions, covering every menu item and common workflow: Find Attacks, Check Exploits, Manual Exploit, launching various post-exploitation modules, pivoting, collecting loot, etc. Each would have the 5-part structure.)
Action: Right-click a compromised host (red icon with lightning bolts) -> Meterpreter # -> Access -> Escalate Privileges.
Ethical Context & Use-Case: After gaining initial access, the session often has the privileges of a regular user. This action attempts to run a module (like getsystem) to escalate privileges to the NT AUTHORITY\SYSTEM level on a Windows target. This is a critical step in post-exploitation to gain full control over the machine for deeper analysis, as permitted by the rules of engagement.
[VISUAL OUTPUT: The Meterpreter console tab shows the getsystem command being executed. If successful, the prompt changes or a success message is displayed, and the host's icon in the main view might get an additional signifying mark.]
Command:
Bash
tail -f /var/log/armitage/armitage.log | grep --line-buffered 'connection from'
Command Breakdown:
tail -f /var/log/armitage/armitage.log: Monitors the specified log file in real-time, outputting new lines as they are written.
|: A pipe that sends the output of the tail command to the input of the grep command.
grep --line-buffered 'connection from': Filters the input from tail and only displays lines containing the string "connection from". The --line-buffered flag ensures output is displayed immediately.
Ethical Context & Use-Case: For a team lead administering the Armitage server, this command provides real-time situational awareness. It allows them to monitor exactly when team members connect and disconnect from the server, which is useful for security auditing, team coordination, and troubleshooting connection issues during an authorized engagement.
Expected Output:
[08/17/25 01:02:42 AM] INFO: connection from /192.168.1.101
[08/17/25 01:03:15 AM] INFO: connection from /192.168.1.102
Command:
Bash
ss -tlpn | grep '55553'
Command Breakdown:
ss: A utility to investigate sockets (network connections).
-t: Display only TCP sockets.
-l: Display only listening sockets.
-p: Show the process using the socket.
-n: Do not resolve service names (show port numbers).
|: Pipes the output to grep.
grep '55553': Filters the output to show only the line containing the default Armitage port.
Ethical Context & Use-Case: Before instructing the team to connect, the administrator should always verify that the teamserver process started correctly and is listening on the correct network interface and port. This command provides a quick and definitive confirmation, preventing wasted time and confusion from failed client connection attempts.
Expected Output:
LISTEN 0 128 0.0.0.0:55553 0.0.0.0:* users:(("java",pid=1234,fd=56))
Command:
Bash
grep 'connection from' /var/log/armitage/armitage.log | awk '{print $NF}' | tr -d '/' | sort -u
Command Breakdown:
grep 'connection from' /var/log/armitage/armitage.log: Finds all lines in the log file that record a client connection.
|: Pipes the output to awk.
awk '{print $NF}': A text-processing utility. $NF is the last whitespace-separated field of each line, which in this log format is the client address with a leading slash (e.g., /192.168.1.101). Splitting on / with -F'/' would not work here, because the timestamp at the start of each line also contains slashes and the second field would be the day of the month rather than the address.
|: Pipes the output to tr.
tr -d '/': Deletes the leading slash, leaving the bare IP address.
|: Pipes the output to sort.
sort -u: Sorts the list of IP addresses and removes duplicates (-u for unique).
Ethical Context & Use-Case: For post-engagement auditing, this command chain is invaluable. It quickly parses the entire server log to produce a clean list of all unique IP addresses that connected to the teamserver. This list can be cross-referenced against the authorized list of team members' IPs to ensure no unauthorized access occurred during the test.
Expected Output:
192.168.1.101
192.168.1.102
192.168.1.103
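The shell pipeline produces the list; the cross-referencing against the authorized team is still left to the reader. As an added Python example that is not from the original guide, the following parses the same "connection from" records with a regular expression anchored on the message text (so the slashes in the timestamp cannot be mistaken for the one before the address), then reports per-client connection counts, first and last seen times, and any address outside the authorized set. The log lines and the authorized list are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in the teamserver's log format (addresses and times are made up)
SAMPLE_LOG = """\
[08/17/25 01:02:42 AM] INFO: connection from /192.168.1.101
[08/17/25 01:03:15 AM] INFO: connection from /192.168.1.102
[08/17/25 01:05:30 AM] INFO: connection from /192.168.1.101
[08/17/25 01:09:01 AM] INFO: connection from /10.0.0.77
[08/17/25 01:10:00 AM] INFO: client disconnected
"""

# Constructed authorized-tester list; in practice this comes from the engagement plan
AUTHORIZED = {"192.168.1.101", "192.168.1.102"}

# Anchored on the message text, so the '/' characters in the date are never taken
# for the '/' that precedes the client address (Java prints addresses as 'host/ip')
CONN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+INFO:\s+connection from [^/\s]*/(?P<ip>\S+)")
TS_FORMAT = "%m/%d/%y %I:%M:%S %p"


def parse_connections(log_text):
    """Return (timestamp, client_ip) for every connection record, in file order."""
    events = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")))
    return events


def unique_clients(events):
    """Unique client addresses in numeric order (the equivalent of the 'sort -u' step)."""
    return sorted({ip for _, ip in events}, key=ipaddress.ip_address)


def audit(events, authorized):
    """Per-client counts, first/last seen, and the addresses outside the authorized set."""
    counts = Counter(ip for _, ip in events)
    first_seen, last_seen = {}, {}
    for ts, ip in events:
        first_seen.setdefault(ip, ts)
        last_seen[ip] = ts
    return {
        "counts": dict(counts),
        "first_seen": first_seen,
        "last_seen": last_seen,
        "unauthorized": sorted(set(counts) - set(authorized), key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    ev = parse_connections(SAMPLE_LOG)
    report = audit(ev, AUTHORIZED)
    for ip in unique_clients(ev):
        flag = "" if ip in AUTHORIZED else "  <-- not in authorized list"
        print(f"{ip:16} {report['counts'][ip]:3} connections, "
              f"{report['first_seen'][ip]:%H:%M:%S} - {report['last_seen'][ip]:%H:%M:%S}{flag}")
```

To run it against a real server log, replace SAMPLE_LOG with the contents of /var/log/armitage/armitage.log and AUTHORIZED with the addresses from the engagement plan; an address in the "unauthorized" list is the thing to chase down before the report goes out.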
Code:
Python
import pandas as pd

# Assume Armitage data was exported as 'armitage_hosts.csv'
# The CSV has columns: 'ip', 'os', 'open_ports' (e.g., "22,80,443")
df = pd.read_csv('armitage_hosts.csv')

# Count the open ports per host. A missing or empty 'open_ports' value counts as 0;
# a plain len(str(x).split(',')) would report 1 for such hosts, because str(NaN) is "nan".
def count_ports(value):
    if pd.isna(value):
        return 0
    return len([p for p in str(value).split(',') if p.strip()])

df['port_count'] = df['open_ports'].apply(count_ports)
# Sort hosts by the number of open ports in descending order
prioritized_targets = df.sort_values(by='port_count', ascending=False)
print("Prioritized Target List (by Attack Surface):")
print(prioritized_targets[['ip', 'os', 'port_count']].head())
Code Breakdown:
import pandas as pd: Imports the pandas library for data manipulation.
pd.read_csv(...): Reads the exported host data from Armitage into a DataFrame.
df['port_count'] = ...: Creates a new column, port_count, by splitting the open_ports string by the comma and counting the elements.
df.sort_values(...): Sorts the DataFrame based on the port_count column to bring hosts with the most open ports to the top.
Ethical Context & Use-Case: After initial network scanning in Armitage, a tester can export the host data. This Python script uses the pandas library to programmatically analyze this data. By identifying which hosts have the largest attack surface (most open ports), AI/data analysis helps the team prioritize their efforts on the targets that are statistically most likely to have a vulnerability, making the engagement more efficient.
Expected Output:
Prioritized Target List (by Attack Surface):
ip os port_count
2 10.10.10.25 Windows Server 2016 12
0 10.10.10.12 Linux 3.x-4.x 7
1 10.10.10.50 Windows 10 5
3 10.10.10.11 Linux 2.6.x 3
Action: Use a large language model (LLM) API or interface with a carefully crafted prompt to summarize the teamserver activity log.
Prompt for AI Model:
"You are a senior cybersecurity analyst. Analyze the following Armitage team server log and generate a concise, executive-level summary of the penetration testing activity. Focus on the number of team members, the timeline of the engagement, and any critical events like gaining administrative access. Do not include sensitive details like passwords or specific vulnerabilities. [Paste the full content of /var/log/armitage/armitage.log here]"
Action Breakdown:
Prompt Engineering: The prompt sets the AI's persona (senior cybersecurity analyst) and provides a clear, specific task.
Data Input: The raw log data is provided as context for the AI to analyze.
Summarization Task: The request is for a high-level summary suitable for a report, abstracting away the low-level technical details.
Ethical Context & Use-Case: Manually reading through thousands of lines of logs to create a report summary is time-consuming. Leveraging an LLM can automate this process, quickly providing a draft summary of the engagement's timeline and key milestones. This AI-assisted approach allows the penetration tester to focus more on technical analysis and validation, dramatically speeding up the reporting phase of the project.
Expected Output:
[AI MODEL RESPONSE]
**Executive Summary of Engagement Activity**
The security engagement was conducted between [Start Date/Time] and [End Date/Time], involving activity from approximately 3-4 unique team members. The initial phase focused on network discovery and host enumeration. A key milestone was achieved at [Timestamp] when privileged access was successfully escalated on a critical server. The engagement proceeded with post-exploitation analysis across multiple systems. All activities appear to have been coordinated through the central team server as planned.
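The prompt asks the model not to repeat secrets, but anything pasted into a third-party API has already left the host by the time the model reads that instruction, so the sensible order is to redact first and summarize second. As an added Python example that is not from the original guide, the following masks team passwords and certificate fingerprints in a log excerpt before it is handed to a model, and offers a pre-send check that refuses text in which a rule still matches. The sample text is constructed; the two patterns (a "Pass:" field and 40-hex-character fingerprints, as seen in the teamserver output above) are assumptions about what an exported excerpt may contain, and real logs may need more rules.

```python
import re

# Constructed excerpt mixing teamserver startup output with log records (all values made up)
SAMPLE_TEXT = """\
[*] Use the following connection details to connect your clients:
Host: 192.168.1.100
Port: 55553
User: msf
Pass: myteamsecret
[*] Fingerprint (check for this string when you connect):
a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
[08/17/25 01:02:42 AM] INFO: connection from /192.168.1.101
"""

# Each rule: (name, compiled pattern, replacement). The password rule skips values that are
# already the placeholder so that a redacted text no longer matches any rule.
REDACTION_RULES = [
    ("password",
     re.compile(r"(?im)^(\s*Pass(?:word)?\s*:\s*)(?!\[REDACTED\])\S+"),
     r"\1[REDACTED]"),
    ("fingerprint",
     re.compile(r"\b[0-9a-fA-F]{40}\b"),
     "[FINGERPRINT-REDACTED]"),
]


def redact(text):
    """Return (redacted_text, counts) where counts maps rule name -> substitutions made."""
    counts = {}
    for name, pattern, replacement in REDACTION_RULES:
        text, n = pattern.subn(replacement, text)
        counts[name] = n
    return text, counts


def contains_secret(text):
    """Pre-send check: True if any rule still matches, i.e. the text must not leave the host yet."""
    return any(pattern.search(text) for _, pattern, _ in REDACTION_RULES)


if __name__ == "__main__":
    cleaned, counts = redact(SAMPLE_TEXT)
    print(f"substitutions: {counts}")
    print(cleaned)
    print("safe to send" if not contains_secret(cleaned) else "still contains secrets")
```

The counts returned by redact() are worth keeping in the engagement notes: a count of zero for the password rule on a log that should have contained the startup banner is a hint that the rule, not the log, is wrong.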
This content is provided for educational purposes only. The information, tools, and techniques described in this course are intended for use in legally authorized and ethical cybersecurity activities, such as professional penetration testing, security auditing, and academic research. It is your responsibility to ensure you have explicit, written permission from the owner of any network or system before conducting any security tests.
Unauthorized access to computer systems or networks is a criminal offense in most jurisdictions. The course creator, instructor, and hosting platform bear no responsibility or liability for any individual's misuse of this information. The knowledge and skills gained from this course must be applied in a legal, ethical, and responsible manner, always in compliance with applicable laws and regulations.