Dumping Windows NTLM Password Hashes With Armitage C2

Dumping Hashes With Armitage C2

Hello world and welcome to HaXeZ. In this post I’m going to explain how to dump NTLM hashes using Armitage. Armitage (created by Raphael Mudge) is a C2, or command and control, application that provides a GUI for Metasploit. Furthermore, it allows for the creation of team servers, which allow multiple users to interact with the same workspace. I decided to make this post due to the difficulties I had with the Introduction to C2 room on TryHackMe.

Setting Up Armitage

First, we need to set up Armitage. In order to do this, we need to clone the GitLab repository found here. Next, we need to run the package.sh script to set it up. Once the setup is complete, we need to start PostgreSQL.

systemctl start postgresql

Once PostgreSQL is up and running, we need to drop the existing Metasploit database and initialize a new one. This can be achieved by running the msfdb delete and msfdb init commands as shown below. Please be advised that the screenshots are from the attack box on TryHackMe.


Creating Armitage Team Server

While this isn’t entirely necessary, we will next use the teamserver binary located at /opt/armitage/releases/unix to create a teamserver. In order to create the teamserver, we need to run the binary followed by our IP and password. The IP is your eth0 IP and the password is anything you want it to be.

./teamserver <YOUR-IP> <YOUR-PASSWORD>

Starting Armitage

Next, we need to start the C2 or Command and Control application itself. In order to do this, we need to run the Armitage binary from the /opt/armitage/releases/unix directory. No other arguments are needed, just punch it into the CLI and wait for the window.


Connecting

Once you run the binary, a window will pop up. Using the information from the teamserver CLI, populate the required information. The application will then attempt to connect to the PostgreSQL database with the supplied credentials (you remember your password, right?). The reason we need to connect to the database is that Armitage heavily relies on the Metasploit database.


Armitage Nickname

This is by far the most important part of any engagement, whether it’s Red Teaming, Hacking, or Penetration Testing. Having an awesome hacker handle is crucial to success and without it, you will be doomed to fail. Ok, maybe not, but this is the part where you need to choose your username. This is the username that your Armitage teammates will see you as, so choose something incredibly cringy and embarrassing.


Add The Target

In order to dump those precious hashes, you need a target. Again, I’m following the TryHackMe Introduction to C2 room. The target of my nefarious hacking activities will be the box named Blue which is vulnerable to Eternal Blue. In order to add the host, click hosts and click add hosts. You will then be presented with a window similar to the one below. Punch in the IP address and click ok.


Exploiting The Target

In order to exploit the target, we need to locate the Eternal Blue exploit from the menu. Under Exploit, Windows, SMB, grab the ms17_010_eternal exploit and drag it over the target. The exploit you need to use will depend entirely on the target you want to attack. I’m using Blue as the target because it is an easy machine to hack. Believe it or not, Blue loves being hacked.


Configuring The Payload

Funnily enough, you don’t actually need to do anything to configure the payload. This section of the article is a complete waste of space. Leave the settings as default and click launch. The only reason this section of the article exists is that I took a screenshot. So yeah, drag the payload over the host. Don’t change the settings. Click launch.


Shell To Meterpreter

If you successfully exploited the target, you should have some lovely ASCII showing WIN (provided you’re exploiting Blue). That’s fantastic, however, it isn’t. You have managed to get yourself a standard shell as NT AUTHORITY. Don’t get me wrong, this shell is good for most things but let’s face it, we want a Meterpreter shell. Well, there is an easy way to upgrade to a Meterpreter shell. Just use the search box for shell_to_meterpreter and drag it onto the host. This should spawn a new Meterpreter shell.


Migrate To Exfiltrate

You now have your Meterpreter session open and, sure, you can attempt to dump hashes now. However, if you do, you will likely not get all the users’ hashes. At least that was my experience when attempting to dump Ted’s hash on the TryHackMe room. In order to dump Ted’s hash, we need to migrate our process. There are arguments to be made about which process to migrate to. Migrating to certain processes will be a lot more stealthy. This is something I intend to cover in future posts. However, for now, migrate to the lsass.exe process. This will give you the access required to dump the hashes. If you’re wondering how to do this, then right-click the host, select Meterpreter, select Explore, then select show process. The rest is fairly straightforward.


Dump Those Hashes

Finally, we are ready to dump the hashes. In order to get that elusive hash of Ted, all we need to do is click Meterpreter, Access, and Dump Hashes. You will get a number of methods; the method I chose was the Lsass method. This worked straight away and dumped Ted’s hash to the terminal as you can see below. Granted, the administrator hash was already ours, but it’s annoying not hacking everyone, isn’t it?
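
From the defender's side, both the migration into lsass.exe and the Lsass dump method described above leave traces in process telemetry. The following is an added example, not part of the original post: it assumes Sysmon-style events (ID 8 CreateRemoteThread, ID 10 ProcessAccess) exported as JSON lines, and the sample events and the allowlisted path are constructed.

```python
import json

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Assumption: security tooling expected to open lsass (hypothetical path), lower-cased.
ALLOWLIST = {r"c:\program files\exampleedr\agent.exe"}

# Constructed sample events, one JSON object per line (not captured from a real host).
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\spoolsv.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\spoolsv.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\ExampleEDR\\agent.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 8, "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe"}
"""


def detect_lsass_tampering(lines):
    """Return (rule, source_image) alerts for events that target lsass.exe."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "")
        if not target.endswith("\\lsass.exe") or source.lower() in ALLOWLIST:
            continue
        if event.get("EventID") == 8:
            # A thread started inside lsass by another process: code injection/migration.
            alerts.append(("remote-thread-into-lsass", source))
        elif event.get("EventID") == 10:
            # A handle with VM read rights is what credential dumping needs.
            if int(event.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
                alerts.append(("lsass-memory-read", source))
    return alerts


if __name__ == "__main__":
    for rule, source in detect_lsass_tampering(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: {source}")
```

The query-only handle from taskmgr.exe (0x1000) and the allowlisted agent are not reported; the remote thread and the read-capable handle from spoolsv.exe are.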


Conclusions

Ok, I may have gone a bit overboard on the graphics. I’m also sure that this write-up is full of spelling mistakes and graphical errors. If you can forgive that, then I hope this has helped you solve the TryHackMe introduction to C2 room. I will admit that I struggled with this room having never used Armitage before. I could have rinsed it using Metasploit but that wasn’t the point of the room. God knows how long I tried to set up Armitage on my Kali virtual machine. I eventually gave up and used the TryHackMe attack box. As for Armitage itself, it could THM attack box but I thought it was slower than using Metasploit. Anyway, I had a lot of fun with this one. Big thanks to Rummy for helping out.
