Get notified about Armitage updates. Sign up for the Armitage Technical Notes mailing list.
I will email you when an update is ready. I won't send spam or give away your information.
15 Jul 14 (tested against msf git revision: 55ef5dd484)
- Command Shell experience on Windows Meterpreter is much better now
- Java Meterpreter may now interact with a bash shell
- Removed [host] -> Meterpreter -> Access -> Migrate Now! menu item
- Ctrl+Escape temporarily drops the timeout times for Meterpreter
commands to 5s, across the board. If a Meterpreter session appears
unresponsive, try this to force any hung commands to timeout
- Armitage now warns when a team server is non-responsive by making
its server button purple. When the server is responsive again, the
button will turn its normal color again. This requires that you're
connected to multiple team servers.
- Windows EXE launcher for Armitage now finds 64-bit Java.
15 May 14 (tested against msf git revision: 0a4c10876d)
- Worked around invisible text selection bug with latest Java on Kali
23 Apr 14 (tested against msf git revision: 0a4c10876d)
- Added Ctrl+L to quickly add an entry to timeline.[xml|tsv] (exported
through View -> Reporting -> Export Data)
- Added osx-app to Output: type for payloads. Outputs a zipped MacOS X
- Scrubbed Armitage to eliminate unnecessary blocking calls from Sleep
source code. This improves Armitage's responsiveness and takes away
many opportunities for deadlock.
- Sync Files for Loot and Downloads is now much better with large files
- REJOICE! After more than three years of a team server capability,
Armitage now tells you when you are disconnected from a server.
- Keyboard shortcuts to change text size now work in table view
- Added Copy button to View -> Creds
- Services tab right-click menu now has options to edit a service's info
- Updated Armitage's YAML parser to better deal with unexpected whitespace
and to provide better errors when YAML file contains constructs that
Armitage's YAML parser can't deal with.
- Armitage's intercept of the shell command now intercepts shell when
arguments are present too. This prevents meterp sessions from getting
- Logging now deals with IPv6 addresses better for Windows users
- Launching psexec at 4+ hosts will no longer open a tab for each host
- Armitage no longer allows two buttons with the same name in its team
server button bar.
Cortana Updates (for scripters)
- Added &script_load to load a script (as if the user did this)
- Added &script_unload to unload a script
27 Feb 14 (tested against msf git revision: 72da8299a5)
- Armitage console is now a mouse hot spot. Right-click a host in the
console to see its menu. Click a module to open the module's launcher
- Armitage module launch console ignores false meterpreter prompt from
msfrpcd after a successful exploit job is run.
- hashdump and wdigest menus now add usernames with spaces to database
thanks to Steve Pinkham for reporting this issue *with* a fix.
- Added [host] -> Login -> psexec (psh) to use psexec_psh to authenticate
to a host.
- Armitage.app for MacOS X now works with Oracle's Java 1.7
- Long awaited! I've added a feature to change LHOST in Armitage. Go to
Armitage -> Listeners -> Set LHOST.
- IPv6 reverse sessions now associate with their host properly.
- Windows open with Ctrl+W now show the Armitage icon
- Armitage now uses a JFrame to display its dialogs. This will give each
window its own button in the taskbar regardless of window manager.
21 Nov 13 (tested against msf git revision: 597eb56dcf)
- Fixed webcam selection logic that I broke last update. Go me!
- Added a helper for PATH option
- Java 1.6 is no longer a supported environment to run Armitage. Added
a warning message to indicate as much. You should update to Java 1.7
- Connect dialog now masks the password field.
- Armitage no longer allows you to start msfrpcd on Windows. It shows an
error stating that you need to connect to a team server on Linux.
- Fixed a potential deadlock when opening a module launcher dialog.
- Missing MSF_DATABASE_CONFIG error now gives troubleshooting steps with
the error message.
- Added another check to detect and correct a corrupt module cache.
- [host] -> Operating System -> Firewall works again.
- You can now set PAYLOAD for windows/local/wmi exploit
- Default meterpreter/reverse_tcp listener now encodes its second stage
21 Aug 13 (tested against msf git revision: 0af2f1c611)
- Removed sunrpc and dcerpc modules from MSF Scans feature
- Fixed a potential deadlock when updating the host display
- Updated multiplexing code to be compatible with enumdesktops command
- Updated multiplexing code to be compatible with webcam_list command
- You may now choose which camera to take a Webcam Shot from
- Close button now shows w/ Armitage dialogs on Kali Linux.
- Module Launcher dialog is now always active when opened.
- EXE::Custom is no longer treated as an advanced option. When available
it's always present for you to modify in a module.
- Meterpreter -> Access -> Persistence now uses the local exploit module
(default settings now work without tweaks too)
- Meterpreter -> Access -> Pass Session and Process -> Inject now use the
payload_inject local exploit module.
- Added Meterpreter -> Access -> Dump Hashes -> wdigest to run mimikatz's
wdigest command, to retrieve plaintext creds.
- Armitage now uses a better method to shuttle files to team server and
notify you of the progress of this action.
- Made multiplexing code smarter about load and use commands.
- Added a check to detect commercial MSF modules in the module cache and
to automatically clear it. When this happens you will need to restart the
Metasploit Framework. A corrupt cache causes some RPC calls to throw
errors as plain msfrpcd is not allowed to interact with commercial modules.
- Added ANSI color markup to armitage's console output. It's less scary
than the default messages and it's nicer to look at.
- Added cmd/unix/reverse to payload selection logic.
- Updated the payload output formats to match what's now possible in MSF
- Armitage -> Listeners actions now show commands/output in a tab
- [host] -> Login options now set DB_ALL_CREDS to false. Making this option
default to true is not the decision I would have made.
6 Jun 13 (tested against msf git revision: c705928052)
- Attacks -> Hail Mary now asks you to confirm the action.
- Fixed a potential table sorting issue
- Changed how some tables are updated to minimize blocking of other
tasks. This should make UI feel snappier in many cases.
- Credential helper now shows credentials from all servers you're
- Updated multiplexing code to be compatible with mimikatz extension's
- Meterpreter upload command (with no arguments) now prompts for a file.
This file will be bounced to team server (if one is present) and
uploaded to the target for you.
- Cred tables no longer show SSH keys
- Added vmauthd to the Login menu
- Increased the number of modules run in response to services found during
a sweep with the MSF Scans feature.
- Attack menu attached to host now splits menus up if there are more than
10 items. This will help with the webapp and http menus.
- Added a menu to mark a host as a firewall
- Added a type-fix hack for MsgPack Long types
Cortana Updates (for scripters)
- Updated &log_resource to account for new log folder layout scheme that
involves a description of the current Armitage server
- Fixed a potential argument corruption bug with filters
10 Apr 13 (tested against msf ca43900a7)
- Jobs dialog now queries job info in a separate thread context,
stopping it from locking up your Armitage instance.
- Fixed console queue display bug when a required option has no setting
- Hashdump -> lsass method now pops open a Meterpreter tab and shows
its progress. Should help when there's a lot of hashes coming back.
- Hail Mary attack now gives better feedback about what it's doing
- Fixed blank line showing when a host label exists and a session w/o
any information is associated with the host.
- The correct OS icon is now shown for Windows 2012 Server.
- Added an Inject button to the Process Explorer
- Event log now shows date with timestamp
- Messages to your nick in the event log are now highlighted
- Disabled the display of the MSF banner by default.
Cortana Updates (for scripters)
- Added work-around to prevent &psexec failing due to Ruby complaining
about incompatible encodings.
6 Mar 13 (tested against msf ca43900a7)
- Active console now gets higher priority when polling msf for output
- Improved team server responsiveness in high latency situations by
creating additional connections to server to balance messages over
- Preferences are now shared among each Armitage connection.
6 Mar 13 (2000h)
- Fixed issue with additional team server connections reporting wrong
application and receiving a summary rejection by the team server.
Cortana Updates (for scripters)
- Added a &publish, &query, &subscribe API to allow inter-script
communication across the team server.
- Added &table_update to set the contents of a table tab without
disturbing the highlighted rows.
- Added an exec_error event. Fired when &m_exec or &m_exec_local fail
due to an error reported by meterpreter.
- Fixed a bug that sometimes caused session_sync to fire twice (boo!)
- Added a 60s timeout to &s_cmd commands. Cortana will give a shell
command 60s to execute. If it doesn't finish in that time, Cortana
will release the lock on the shell so the user can control it.
(ideally, this shouldn't happen... this is a safety mechanism)
- Changed Meterpreter command timeout to 2m from 12s. This is because
https meterpreter might not checkin for up to 60s, if it's been
idle for a long time. This will make &m_cmd less likely to timeout
12 Feb 13 (tested against msf 16438)
- Fixed a corner case preventing the display of removed host labels
when connected to a team server.
- Fixed RPC call cache corruption in team server mode. This bug could
lead to some exploits defaulting to a shell payload when meterpreter
was a possibility.
- Slight optimization to some DB queries. I no longer pull unused
fields making the query marginally faster. Team server is more
efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels too.
- Added the ability to manage multiple team server instances through
Armitage. Go to Armitage -> New Connection to connect to another
server. A button bar will appear that allows you to switch active
- Credentials available across instances are pooled when using
the [host] -> Login menu and the credential helper.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log. I feel like I'm writing
an IRC client again.
- Hosts -> Clear Database now asks you to confirm the action.
- Hosts -> Import Hosts announces successful import to event log again.
23 Jan 13 (tested against msf 16351)
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
in table view or below all info in graph view. Any team member may
change a label through [host] -> host -> Set Label. You may also use
dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Armitage to 'localhost' and
- Screenshots and Webcam shots are now centered in their tab.
- Added an alternate .bat file to start msfrpcd on Windows in the
Metasploit 4.5 installer's environment.
- Added a color-style for [!] warning messages
Cortana Updates (for scripters)
- &handler function now works as advertised.
- Cortana now avoids use of core.setg
4 Jan 13 (tested against msf 16252)
- Added a helper to set REXE option
- Added an icon to represent Windows 8
- [host] -> Login menu is now built using open services for all
highlighted hosts, not just the first one.
- [host] -> Login items now escape punctuation characters in passwords
before passing them to a framework module.
- Added the windows and linux postgres_payload exploits to the use a
reverse payload by default list.
- Small tweak to allow Armitage to work with Metasploit 4.5 installed
environment on Windows.
Cortana Updates (for scripters)
- &credential_add and &credential_delete no longer break when a
password has creative punctuation in it.
26 Nov 12 (tested against msf 16114)
- Windows command shell tab is now friendlier to commands that prompt
for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Armitage now asks Metasploit for a non-expiring authentication token.
This will prevent Armitage from losing its access to msfrpcd when you
put your computer to sleep or pause the VM running Metasploit.
- add_user and add_[local]group_user now show all of their output when
the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
Cortana Updates (for scripters)
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
file when connected to a teamserver.
16 Oct 12 (tested against msf 15972)
- Added port 5985 to MSF Scans list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby
character encoding conversion error in the framework.
- Pass Session, Log Keystrokes, and Persist now query module info
in a separate thread (avoids a deadlock opportunity)
- Armitage now shows folder/URL in a popup dialog for environments
where JDesktop API to open them directly is not supported
- Check all credentials option now filters the list to avoid trying
a pair of credentials twice.
- Armitage's exploit payload selection now selects cmd/unix/interact
- Explore -> Processes now works with Java Meterpreter again.
- MSF Scans feature now runs http_version against port 443
5 Sept 12 (tested against msf r15804)
- Setup dialog now trims host, port, user, and pass fields.
- Armitage now complains when it can't write to your preferences
file (versus just hanging without a real error message)
- View -> Jobs now queries jobs in a thread outside of UI thread
- Tab completion now uses a separate thread to call into the RPC
server. This prevents a deadlock if server is not responding.
- Login -> psexec now shows when 445 is open on a Windows machine.
The old criteria was too restrictive.
- Added a helper to set Wordlist option
- Armitage now sets a random LPORT for non-exploit modules with an
LPORT option (e.g., post modules that do priv escalation)
- Armitage now shows an error if it can't open a Win command shell
- Steal Token dialog now uses incognito module to get token data
instead of the MSF post module. This is more reliable.
- You may now setup the reverse payload for current_user_psexec
Cortana Updates (for scripters)
- added an eventlog popup hook
16 Aug 12 (tested against msf r15753)
- Dynamic workspaces now removes closed services from its set of
hosts matching certain open ports.
- Cortana console now reports a clear error message a built-in
command is executed without the right number of arguments.
- Added host icons for Android and iOS. You may now set these
operating systems by going to [host] -> Host -> Operating System
- Armitage now shows the client-side exploit dialog for any exploit
that does not target an RHOST (for example, windows/smb/smb_relay)
- Added support for remote exploits that use RHOSTS over RHOST
(this includes the new windows/local/current_user_psexec)
- Added a helper for setting the SESSION option
Cortana Updates (for scripters)
- s_cmd no longer times out after 60s. It will wait forever for
a command to complete now.
- added shell_read event which fires when a shell s_cmd comes
back with intermediate output.
- fixed a potential deadlock with &open_console_tab
- scripts now have the ability to redefine the max size of a
workspace: db_workspace(%(size => #####));
2 Aug 12 (tested again msf r15698)
- Armitage now reports vulnerability module and descriptions
properly (again) when exporting data. Had to update to match a
change to the db schema.
- Pass-the-Hash and Login dialogs now stay open if you press
shift while clicking Launch. This convention is pretty universal
- Team server now buffers all of its outgoing data. I've also
disabled SO_NODELAY. This will greatly improve team server latency
on congested networks without impacting responsiveness otherwise.
- Added Cortana, a DARPA funded scripting technology, into Armitage.
There's a lot of fun to be had here.
- Armitage now queues messages to destroy a console rather than
spinning up a new thread for each closed console.
- Rendering of icons for hosts now happens outside of UI thread.
- Increased timeout for meterpreter read command
- Armitage now detects a corrupt module cache and attempts to clear
it so it can be rebuilt.
5 Jul 12
- Login -> psexec now sets a different LPORT for each host it's
launched against when using a reverse payload. Fixes a bug where
using a reverse connect payload against X hosts didn't work.
- Progressbar Cancel button now works with the Sync Files button
in View -> Downloads and View -> Loot
- Fixed a potential deadlock with the Sync Files feature
- Clicking the Size column in View -> Downloads now sorts properly
24 Jun 12
- Meterpreter -> Kill now uses session.stop RPC call
- Simplified code to stop a running job
- Added an option to disable TCP_NODELAY from the comamnd line:
java -Darmitage.enable_nagle=true -jar armitage.jar
Use this if you see "bad mac" SSL errors when connected to a
- Log Keystrokes tab now changes color when there is activity
- Randomized filename for USERPASS_FILE to allow multiple brute
forces to happen at once.
- Added a View item in the File Browser's popup menu. This will
let you quickly read several highlighted text files (it also
saves the files to the right place locally too)
7 Jun 12 - Adding on to those quick bug fixes / tweaks
- Disabled Nagles algorithm for team server and client SSL sockets.
This makes team server much more responsive... trust me.
- Fixed bug preventing Armitage from showing "Started Service"
message when starting the SOCKS Proxy server.
- Fixed a find feature highlight bug in the View tab.
30 May 12 - A few quick bug fixes / tweaks...
- Fixed an exception when killing a session or removing a route
through the UI.
- Oooh, ps command added a new column to its output. Updated ps
parser to handle this.
- Hosts -> Import Hosts now works under Windows again. Had to
escape the filename. *sigh*
- Hail Mary now sets LHOST option. This is necessary for some
attacks to work properly.
- Tweaked console create code in beginning of Armitage setup to
hopefully avoid aggravating the evil console.create deadlock
21 May 12
- Added a hack to prevent the input area from flickering when the
- Updated the color palette to something a little more subtle.
- Added an optimization to how modules are launched. This will make
a difference for team use in high latency situations.
- Rewrote MSF Scans feature to use console queue. This option is more
reliable and it makes the code easier to follow.
- Added a hack to combine chat message writes with a read request.
This will make the event log more responsive in a high latency
situation (can't you tell I care about this "situation")
- Fixed text highlights through Ctrl+F on Windows. UNIX platforms
were always OK. Another good reason to not use these tools on
- View -> Downloads Sync Files feature now works on Windows. It looks
like leaving those pesky :'s in the file paths is bad.
17 May 12
- Fixed bug with loot/download viewer breaking with a font resize.
- Default console font color is now grey. I never noticed that I had
white text on a black background before. That's a lot of contrast.
This is adjustable too through Armitage -> Preferences.
- And... the Armitage console now displays pretty colors. If you don't
like colors, set the console.show_colors.boolean preference to false
through Armitage -> Preferences.
- Fixed a bug preventing input field from getting focus when popping a
console tab using Ctrl+W.
14 May 12
- Oopserific--dynamic workspace shortcuts were not bound until you
clicked the Workspaces menu. I fixed that.
- Improved console pool's ability to detect a dead console. If you saw
"null" prompts in an open tab, it's because of a dead console. Fixed
- Bound Ctrl+Backspace to reset dynamic workspaces. Ctrl+0 is now back
to what it originally did (resetting the font size to default).
- Added Ctrl+T to take a screenshot of the active tab
- Added Ctrl+W to pop the active tab into its own window
- Armitage team server is now SSL enabled. The teamserver script (you
are using it, right?) generates a certificate for you using keytool.
The server presents the SHA1 hash of its certificate. Armitage users
have the opportunity to verify and trust the hash of the certificate
presented to them or to reject it and not connect.
- Added Ctrl+Left / Ctrl+Right to quickly navigate through tabs.
- Added a check to prevent clients from connecting to msfrpcd directly
when teaming is enabled.
- Fixed a bug that prevented command shells from opening on some sessions
- Team server client now caches certain calls to RPC server.
- Reworked the Loot/Downloads View button. Now, all highlighted files are
displayed in one View tab. This makes searching easier. Each file is
displayed with a colored header (to make it easier to tell when one file
ends and the other begins).
- Added Sync Files button to Loot/Downloads tabs when connected to a team
server. This button will download all files associated with the highlighted
rows and save them in the Armitage data directory.
7 May 12
Note: Armitage team server setup has changed. Refer to the manual for
the latest information: http://www.fastandeasyhacking.com/manual#7
- Armitage team mode now routes all Metasploit-bound calls through the
deconfliction server. Armitage also pools "temporary" Metasploit
consoles. It's too bad this is logged as one change, because it's
more like twenty. These changes were motivated by a desire to avoid
triggering a race condition that was introduced w/ Metasploit 4.3.0.
On the bright side these changes will allow a lot more flexibility
to optimize how Armitage interacts with msfrpcd and to do some neat
things (like logging) in a centralized way.
- Module description (in module launch dialog) is now resizable.
- Added Ctrl+D keyboard shortcut to close active tab.
- Armitage now uses (more robust) console queue for launching post
modules, handlers, brute force attacks, and other things.
- Fixed a race condition in the Jobs tab refresh after killing a job
- Armitage now filters smb hashes from non-psexec/smb login dialogs.
- Added armitage.log_data_here.folder setting. This setting lets you
specify where Armitage will save its logs, downloaded files, and
screenshots. *cough* Some penetration testers like to dump everything
to an encrypted volume. *cough*. I apologize it took this long to
get this feature in place.
- Improved perceived responsiveness of a console interaction
17 Apr 12
- Modified how Armitage determines a console command is complete to stay
compat with behavior changes in a recent Metasploit update.
- Armitage now queues console commands to prevent out of order execution.
16 Apr 12
- The search field in the module browser now updates results in real time.
Start typing and Armitage will start filtering the module tree for you.
Clear the field to reset it to the default state.
- Added keyboard shortcuts to switch dynamic workspaces...
Ctrl+1 = first workspace
Ctrl+2 = second workspace
Ctrl+0 = show all
- Added keyboard shortcuts:
Ctrl+N = new console
Ctrl+O = open preferences
- Armitage's Meterpreter -> Access -> Dump Hashes -> lsass method is now
much better about grabbing all of the hashdump output and adding it to
the creds table. The hashdump command returns output as an arbitrary
number of chunks. I now use a different read strategy for determining when
the output is complete.
- You may now use Ctrl+Alt to deselect highlighted items in a range in the
Jobs and Workspaces table views (most other table views that do multi
selection should allow this already).
- Added Shell -> Pass Session for *NIX shell sessions. Uses the system_session
module to pass a shell session elsewhere (or duplicate the current shell)
29 Mar 12
- Fixed a bug that affects first-time users. Armitage was not initializing a
console before trying to connect to the database.
28 Mar 12
- Team server now delivers chat messages in batches vs. one line at a time.
This will make syncing on reconnect much better (in theory)
- Several optimizations to prevent unnecessary reads/calls to deconfliction
server when in team mode. This will primarily affect high latency situations.
- Use Shift+Click to close all tabs with the same name. This feature now closes
all tabs in the same group (e.g., all screenshots, file browsers, command
- Armitage now logs launches of the enum_dns module.
- Hosts -> DNS Enumerate now populates NS field with highlighted host.
- Armitage now adds a tooltip to tabs associated with a session. Hover your
mouse over a tab X button to see which host the tab is associated with.
- Fixed a potential exception caused when listing downloads.
- Created a queue to process certain commands meant for Metasploit in order and
in a throttled manner. Started moving some Armitage calls to it. Now you can
fire an exploit at 1,000 hosts and Armitage won't blink. It might take awhile
before that exploit finishes firing against all of the hosts though :)
- The file browser now has a "List Drives" button. It's only available on
Windows sessions. Click it to see which drives are available.
- File browser can now navigate to folders with apostrophes in their name.
- Made some major internal changes to how Armitage interacts with Metasploit. The
goal is to make a more robust and faster hacking experience for you.
22 Mar 12
- Updated Armitage NMap profiles with the following:
-T4 (instead of -T5) [wait longer for open services to reply]
-n [forces NMap to not resolve the hostname of IP addresses]
--min-hostgroup 96 [allows more parallelism when scanning hosts]
- Armitage now intercepts screenshot and webcam_snap commands from meterpreter
shell and performs the appropriate action with them.
- View -> Creds -> Export button now works in team mode.
- Doh! Armitage now properly shows VMWare icon when OS is set to a VMWare ESXi
- Armitage "is command finished?" heuristic now accounts for commands like
del /S which prompt with a (Y/N)? - you can safely use these commands again.
- Armitage now detects whether a client connecting to the team server is out
dated or not. It rejects old clients. They will get a message indicating they
need to update and then their client won't do anything else. You'll see a
message printed to STDOUT where the team server ran about the rejection.
- Added a * indicator to the active workspace in the workspaces menu.
- Added Hosts -> DNS Enumerate, this menu launches a Metasploit module that will
attempt to discover hosts by querying a name server in different ways.
- Added a file chooser helper to WORDLIST option.
- Armitage now displays a pivot relationship between a compromised host and the
NAT/proxy device it is connected through.
- Added a Copy button to services tab. This button copies the highlighted hosts
to the clipboard. I found myself needing this several times recently.
- Improved reverse payload selection logic (now it includes rev php meterpreter)
- Armitage now sets a different LPORT for each exploit launched with a rev payload
- Changed algorithm for determining which edges to highlight in graph view. If there
is a pivot and both sides have a session, then the edge is highlighted.
8 Mar 12 1.43-dev
- Armitage now uses session_host to determine which host a session is associated
with. This value is grabbed directly from the OS itself. You'll no longer have
20 meterpreter sessions associated with a NAT/firewall device.
- Armitage now spins up a new listener for each client-side attack (no longer
relying on the random default listener created on startup). Of course you can
change this... double-click the PAYLOAD option to set it to something else.
- Token stealing dialog now disables refresh button while grabbing tokens. Enables
it again when done.
- Armitage now talks to Metasploit every two minutes to prevent auth timeout.
- Armitage now displays a firewall icon for hosts with no OS marked as a firewall
- Armitage now selects an IPv6 bind payload when attacking IPv6 hosts.
- Armitage now explicitly sets RPORT for different MSF Scan options and psexec.
- Updated the about dialog to include a version number and release date.
- Added a ./teamserver [external IP] [shared pass] script to the UNIX distro of
Armitage. This script makes it much easier to startup Armitage's team server mode.
2 Mar 12 - Catching up to a few MSF 4.3.0-dev changes...
- Added a tab rename feature.
- Hosts that self report as .NET server now display an XP/2003 era icon.
- Updated route command parser to conform to Metasploit 4.3.0's output for it
- "Check all credentials" feature now works when running the deconfliction
server AND client from the same folder.
- [host] -> Host -> Operating System -> * now clears notes related to host
before updating OS. This allows future scans to trigger MSF normalization
code and update the OS to something else (e.g., from Unknown to X)
29 Feb 12
- Armitage now displays a VMWare icon for hosts flagged as ESX/ESXi servers
- Overhauled token stealing user experience--this is the cadillac version. You
now get a nice list of the available tokens (from the post module), click to
impersonate, refresh, rev2self, and getuid.
- Improved file browser responsiveness
- Table view now allows individual hosts to be deselected in an interveral
(Armitage will no longer reselect these hosts for you)
- Dynamic workspaces no longer requires a comma and a space between entries (a
comma is good enough)
- Improved the [Host] -> Remove menu option
- Deconfliction server now returns the previous 100 events to new clients.
- File browser directory up button is now more obvious
- Keyboard accelerators when you right-click in the graph view are now correct.
- Adjusted the graph view scrolling increments to something sane.
- Added a slight delay between commands issued to a console to prevent them
from executing out of order.
21 Feb 12
- Added Cut/Copy/Paste menu to table cell editor.
- Module browser search field now treats spaces as a wildcard. You may type:
"win meterp" and Armitage will treat it as "win*meterp"
- Hovering over an edge in graph view no longer reports a "null" tooltip
- Fixed parsing of ps output for the process dialog (it's much much better now)
14 Feb 12
- Added ports 5631 (pc anywhere) and 902 (vmauthd) to the MSF Scans feature.
- Several cosmetic tweaks to the spacing in Armitage tables.
- Moved table render code from Sleep to Java to avoid potential lock conflicts
- Added support for vba-exe payload output type.
- Payload generation dialog now sets more appropriate default options for the
vba output type when it is selected.
- Meterp command shell "read more stuff?" heuristic now accounts for Yes/No/All
- Fixed ExitOnSession showing up twice when setting advanced options for a
- You may now import multiple files through Hosts -> Import again.
- Added 5s timeout to d-server connect attempt.
- Added a --client [connect.properties] to specify which Metasploit server to
connect to. The connect.properties file is a Java properties file that looks
like this (without the leading whitespace):
19 Jan 12
- Data export now includes a sessions file. This lists all of the Metasploit
sessions you had in your database. There's some neat data here including
which exploit was used, which payload, start time, and close time. You can
calculate how much time you spent on your client's boxes. Cool stuff.
- Fixed a potential dead-lock caused by mouse enter/exit events firing code
that required a lock. Nice landmine to defuse.
- Fixed a weird condition with d-server detection. Sometimes (rarely)
Armitage wouldn't detect the d-server even when it's present.
- Added check to d-server allowing one lock per/client. Client won't reobtain
a lock until it lets it go. This prevents you from opening two shell tabs
for a shell session in team mode.
- Fixed an infinite loop condition when some Windows shell commands would
return output with no newlines (e.g., net stop [some service]). Thanks
Jesse for pointing me to this one.
- Data export now includes a timeline file. This file documents all of the
major engagement events seen by Armitage. Included with each of these
events is the source ip of the attack system and the user who carried out
the action (when teaming is setup).
- Data export now exports timestamps with current timezone (not GMT)
- Fixed a nasty bug that's been with Armitage since the beginning! I wasn't
freeing edges properly in the graph view. If you had pivots setup in graph
view and used Armitage long enough--eventually Armitage would slow down until
the program became unusable. At least it's fixed now.
- Adjusted the d-server state identity hash combination algorithm to better
- Armitage now displays 'shell session' below a host if the host info is just
the Windows shell banner.
5 Jan 12
- Armitage d-server now transmits hosts, service, and session state only
when something has changed. This makes teaming much snappier.
- Uploading an imported hosts file now shows a progress dialog.
- File browser upload function no longer blocks the user interface in team
mode. A progress dialog is shown for uploading larger files.
- Removed Ctrl+R refresh hosts shortcut from graph view (it's no longer
- Armitage now exits if it was unable to connect to the collaboration server.
- Hosts -> NMap Scans and Hosts -> MSF Scans dialogs are now populated with
the selected values from the target area by default.
- You may now interact with a Windows command shell through Java meterpreter.
- Armitage no longer shows Webcam Shot option through Java meterpreter.
- Armitage now detects when it does not have read permissions for the database
YAML file and prompts with something helpful. Before it would just freeze
with a blank dialog. Not helpful. :)
- Armitage now only shows services that are open.
- View -> Reporting -> Export Data now has the capability of dumping the whole
database (not just the current workspace).
- Added a dialog to View -> Reporting Export Data. Now you have the ability to
dump all hosts or choose to dump one of the dynamic workspaces. This gives
you a lot of flexibility with which hosts are included.
- Cleaned up exported output of vulnerabilities in the Metasploit database:
-- duplicate entries are collapsed to one (this was the fault of my query)
-- refs column contains references separated by a comma and a space
-- added info and module columns. The module column indicates the appropriate
-- Metasploit modules now populate name, info, and module in an appropriate
- Values exported to TSV are cleaned up such that newlines are replaced with a
literal \n and tabs are converted to three spaces.
30 Dec 11 - last release of the year?
- Hosts -> Clear Database now clears the sessions and clients tables
- Fixed a bug preventing dynamic workspace port/session filter from
working on a fresh database. This was a fun one. This only affected
folks with a completely fresh database and because Hosts -> Clear
Database didn't clear everything, this went unnoticed until now.
- Added various reverse shell payloads to payload helper dialog.
- Added file chooser helper for SigningCert and SigningKey options.
- Added hack to return correct route info when setting up pivoting through
- Armitage now posts a note to the event log when a user starts a browser
exploit or a server module.
- Armitage now supports dragging and dropping a module onto a host in graph
and table view. This action opens the module launcher configured to work
with that host.
- Drastically rewrote MSF Scans. MSF Scans now intelligently builds a list
of ports to scan based on what Metasploit can do. After an initial port
scan, MSF Scans runs discovery modules against relevant hosts. As a bonus
you will see all of the output of these scans.
- Enhanced the Windows heuristic used to guess which OS image to display
- The deconfliction server throttle is now less draconian about how long it
throttles a call.
- Armitage no longer posts to the event log from the UI thread (this will
prevent the UI from blocking in some cases)
- Command shell now handles interaction with d-server in a separate thread
from the UI thread. This will prevent UI blocking in some cases.
- Added Ping Sweep... option for non-Windows meterpreter sessions. Now Java
meterpreter users have a quick host discovery option.
- Change Host OS option now matches new Metasploit database schema.
- Deconfliction server now sets LHOST to the IP address you provided. Also,
Armitage clients do not overwrite LHOST once it is set.
- Interacting with a shell in team mode no longer blocks UI to communicate
12 Dec 11
- Armitage teaming mode now downloads the resulting file for any fileformat
- Armitage -> Set Exploit Rank and Set Target View now show a * next to an
item to indicate the current setting.
- Shift+click on Launch in a module launch dialog will not close the module
launch dialog. One use case for this: set up a payload multi/handler,
shift+click Launch to do it, then change output type to exe, click Launch
and you're all set.
- Dynamic Workspace editor now trims whitespace from your entries. Errant
whitespace causes Armitage to reject the entry and your workspace never
- Updated the "msfrpcd died" troubleshooting dialog. The new one takes folks
to a website with detailed information.
- Armitage now uses "load" to load a meterpreter module instead of "use"
- Key logger event log announcement now notes the session ID. This is so
your teammates will know not to migrate that session since it's recording
- Right-click X in tab -> Save Screenshot now displays filename without the
- Deconfliction server now detects when database is not available and offers
- Loot/Downloads viewer now has a right-click menu to Copy selected text.
22 Nov 11 - A big improvement...
- Services refresh is now set to 30s (vs. 60s before)
- Workspaces -> Manage now opens as a tab and shows all data about workspaces
- Fixed a bug with Edit Workspace not auto-checking session box when set.
- Meterpreter -> Access -> Escalate Privileges now highlights the priv esc
options in the post module true. This is viable now that getsystem is a
- Payload module launcher now lets you set Template, Iterations, Encoder, and
KeepTemplateWorking for any Windows payload. Also, payload is generated and
saved locally without opening a tab.
- sessions -i ## trap is now smarter and opens a shell tab for shell sessions,
a meterpreter tab for meterpreter sessions, and offers an error when you
try to interact with a session that doesn't exist.
- Armitage no longer shows a host until it receives a db.hosts reply.
- Right-click a module and select Relevant Targets to create a dynamic
workspace that shows only targets that meet the host/port criteria for that
module. Use Ctrl+A to select all of those hosts and rock'n'roll. :)
- Hosts -> Import Hosts now works when the folder/file has spaces in it.
- Dynamic workspaces are now local to the current Armitage client. They no
longer have a global effect in teaming mode.
- Added an Activate button to workspace management dialog.
- Fixed a bug with sessions only dyn workspace sometimes showing hosts that
do not have sessions.
- You may now highlight multiple jobs in View -> Jobs and select Kill to get
rid of all them at once.
11.17.11 - All the things I wanted to do, but didn't have time
Release Note 1: if you use Armitage teaming, things changed. You have to start
msfrpcd with a different set of flags and your team must use the latest version
of Armitage. If you have a script that starts msfrpcd, you must update it.
More information is at: http://www.fastandeasyhacking.com/manual#7
Release Note 2: Armitage requires a Metasploit base install of 4.0 or greater.
If you use msfupdate to update a Metasploit install prior to 4.0, then Armitage
will not work. The Metasploit pre-4.0 installers did not install dependencies
that Armitage requires today. Missing are certain Java cryptography extensions
and the msgpack Ruby gem. BackTrack 5 is Metasploit 3.7. BackTrack 5r1 is 4.0.
- db.services now limits its results to hosts that are returned by db.hosts.
This fixes a bug where services data for some hosts was not returned when
when >3,500 hosts are in the armitage database.
- MSF Scans menu is now available under Hosts menu again.
- Removed Browser Autopwn menu as its future in Metasploit is undecided.
- Find Attacks/Hail Mary now pull latest service info from DB before resolving
the attacks. This prevents a situation where Find Attacks after a scan yielded
nothing because Armitage had not synced with the database yet.
- Deconfliction server now complains when you try to use 127.0.0.1 as your host
- Added cut/copy/paste/clear menu to most textfields. (for Glen)
- Added Workspaces -> Manage to edit, add, and remove dynamic workspaces.
- Added code to intercept "sessions -i ##" and open a meterpreter tab instead.
- Armitage now honors port setting when starting msfrpcd for you.
- Armitage now detects msfrpcd shutdown and offers user advice to fix it. The
most common cause is probably a lack of msgpack.
- Fixed a deadlock that happened when generating a payload.
11.13.11 - A major rewrite of a lot of stuff.
- Moved from XML/RPC interface to MSGPACK. This should be much faster.
- Removed Armitage dependence on Metapsloit db.* API--since it may go away soon.
- Attack recommendations and Hail Mary no longer depend on db_autopwn. New code
offers same results with improved speed.
- Simplified Hail Mary and Find Attacks to use port/OS information only.
- Greatly improved keystroke recorder. The option is now called "Log Keystrokes".
It uses the Metasploit keystroke_recorder post module. Results are regularly
dumped into the post module window. Also, the results are stored as loot
available for the team to view.
- Launching the keystroke_recorder post module now makes an announcement to the
- Added a button to Processes tab to log keystrokes. This will bring up a the
keystroke_recorder module configured to migrate to the process and record
- Removed Workspaces menu. Armitage now works from the default workspace.
- Simplified Hosts menu.
- Meterpreter -> Access -> Persistence now calls persistence post module.
- Improved Meterpreter -> Access -> Steal Tokens, it's still wonky but it's a
little better now.
- Host import now uses db_import command running in a console.
- Added Armitage -> Set Exploit Rank to update the minimum exploit rank value.
- Armitage now displays up to 512 hosts and 12,288 services at any given time.
This keeps Armitage operable even if you scan a big freaking network.
- Added dynamic workspaces. This feature gives you the ability to define a filter
on the database and Armitage will display only hosts that match this filter.
You may define filters based on operating system, open ports, and network address.
Go to Workspaces -> Create to create a filter. Filters show up under the
Workspaces menu and you may switch back and forth betweem them too.
- Simplified the Connect dialog. One button. :)
- Right-click Scan option now scans for HTTPS.
- Check all credentials option no longer tries blank passwords/username as pass
- Added a read optimization to the console code. This will reduce load in a team
engagement + make consoles feel faster when there is output.
- Armitage now opens the event log tab instead of a metasploit console tab in team
- Fixed a host sorting issue in table view.
- Moved View -> Targets to Armitage -> Set Target View
- Overhauled how Armitage handles downloaded files. Downloads are saved to a set
place on the attack server. Downloads are available to the whole team through
View -> Downloads. This works like the loot viewer. Team members may view text
files or download binary files. This method is friendlier when downloading whole
directories of stuff.
- Modified hail mary attack to get a little more success with some common Windows
- Added menu item to dump hashes using the old lsass method or the smart hashdump
10.13.11 take II?
- updated msf3/data directories to account for new install locations.
- Removed Meterpreter -> Access - > Duplicate because it is now redundant with
Meterpreter -> Access -> Pass Session
- Updated Meterpreter -> Access -> Pass Session to have LPORT of default
Meterpreter listener. Click Launch to simply duplicate your current session.
- Added Meterpreter -> Access -> Steal Token to list and steal user/group tokens
- Updated meterpreter multiplexer to not expect output from rev2self.
- added ability to set up VNC on a target when connected to a remote Metasploit
- Armitage now tells you where to connect your VNC client to access the desktop
of a compromised host. You'll need to have a local VNC client available.
10.12.11 - oooh SECKSY
- fixed a typo in the default armitage settings file.
- made PAYLOAD helper friendly to post/windows/manage/payload_inject
- Meterpreter -> Access -> Pass Session now uses payload_inject
- Meterpreter N -> Hashdump now runs post/windows/gather/smart_hashdump module.
This gives you the benefit of seeing its output and it works in more
- Right-click the tab X button and select Save Screenshot to take a screenshot
of the current tab. This image will render the tab contents exactly as seen
on the screen. Useful for putting together a report or presentation.
(thanks Rob for the suggestion)
- Added a module launcher helper for RHOSTS and RHOST. This helper will let you
import a list of IPs (separated by newlines) from a file into these fields.
- View -> Reporting -> Export Data no longer fails if there are no hosts to
export data about.
- Armitage now runs post/auxiliary modules as jobs (meaning you may kill them
using View -> Jobs)
- hashdump and smart_hashdump post modules will now announce to the event log
that hashes were dumped when they're run (whether through the menu or
the module browser).
- View -> Reporting -> Export Data now takes a screenshot of the table view
and includes it in the artifacts (when table view is active)
09.26.11 - take 2
- Improved performance when launching exploits and other modules that open
a new tab.
- Launching an exploit will only open a tab when fewer than four hosts are
highlighted. If four or more are highlighted, then Armitage will use the old
behavior of silently launching each exploit. [You're supposed to be able to
attack hundreds of hosts at once--hence my desire to add this caveat]
- When launching an exploit in the background, Armitage will show a dialog
indicating that the exploit was launched against X hosts.
- You may now drag and drop Armitage tabs to rearrange their order.
- Armitage "show all commands" option (for better exploit feedback) is now on
- You may now right-click a screenshot/webcam shot to zoom in or out on the
image. The zoom-level stays fixed (in case you refresh the image later)
- Added a menu to the X button in the tabs. Through this menu you may open the
current tab in its own window or close all like tabs.
- Updated Hosts -> Import Hosts to reflect the current importable file types.
- Added View -> Reporting -> Export Data to dump most Metasploit tables into
TSV and XML files suitable for parsing (by you!) into a report format of
- Armitage now encodes (-e x86/shikata_ga_nai -i 3) any Windows meterpreter
payload generated from the module launcher dialog.
- [host] -> Meterpreter -> Access -> Duplicate now uses multi_meter_inject to
launch Meterpreter into memory directly (rather than upload and execute a file)
- In teaming mode, Armitage will now automatically upload a file selected through
the + option (e.g., USER_FILE +) to the Metasploit server and set the value
in Metasploit accordingly.
- Modified error output for a failed Metasploit method to only display the
method name and error message. Displaying a large input would cause Armitage
UI to start flashing in some weird disco mode until a hard reset. Yeaah.
- Armitage now highlights the event log tab when something new is posted and the
tab is not active. Control the color by editing tab.highlight.color pref.
- Fixed a bug preventing preference values from saving properly (and having an
- Added "Check all credentials" option to the login dialogs. This option will
login to the service to test each credential. Successful logins will populate
the credentials table.
- Fixed a bug preventing the first open console from scrolling all the way to
the bottom when open.
- Credential export button now escapes the file path (making the button work on
Windows). This bug is another good example of why you should use Armitage on
Linux. It'll just work. Windows users: expect surprises.
- Use Ctrl+Shift on a tab X button to remove the tab and create a desktop window
with its contents. I suspect you'll find this really useful at times.
- Armitage now remembers your auto-layout setting. Right-click in the graph area
to change it.
- Setting armitage.show_all_commands.boolean to true will now run each exploit in
its own tab. Setting this is a good way to get feedback on the attacks you
launch and to learn the Metasploit console better.
- Fixed bug preventing Meterpreter -> Access -> Hashdump from noting all hashes
into the credentials table.
07.30.11 - Paying down some engineering debt.
- Loot viewer no longer displays non-text files. If you try to "view" a
binary loot, it will the folder containing it.
- Improved UI responsiveness by making sure all communication with Metasploit
happens in some thread other than the UI thread. This will prevent latency
from bogging the UI down and making it feel locked up. Armitage will also
feel a lot faster for many actions.
- The code that creates a console, executes a command, and calls a callback
now uses a much tighter sleeping schedule (10ms vs 500ms). This greatly
improves Armitage responsiveness.
- Armitage connect progress dialog now shows progress setting up the Armitage
environment once a connection is successful. Chances are it'll happen fast
enough that you won't see it.
- View -> Activity Log now opens activity log folder on MacOS X.
- Removed restriction that prevents user from deleting/clearing default
- File chooser helper used to set values in the module launch dialog now
escapes all backslashes in the path. This fixes a problem on Windows caused
by the console stripping the unescaped backslashes.
07.28.11 - Armed for Metasploit 4
- Armitage now sends use prive with use stdapi when it gets a command not
found error in Meterpreter.
- Armitage now sends BLANK_PASSWORDS 0 with any Login menu items. This
should speed up the login by forcing Metasploit to not try a blank
- Armitage no longer sends payload related variables to auxiliary modules.
(note to programmer: auxiliary modules don't use PAYLOADs :P~~~)
- Module launch dialog for client-side attacks (fileformat and browser)
now presents payload options to you. They're still configured to a
reasonable default (and updated as the exploit target changes).
- Client-side payload "guess" is now better about selecting an OS X specific
payload when appropriate.
- Double-click the PAYLOAD option in the module launch dialog to open a
chooser that lets you select a payload and choose whether to create a
handler for it or not. This will configure the appropriate payload vars
for you. You're welcome to tweak them from there.
- Simplified some of the logic in the file browser and added better error
- Added a visual hint to clickable option names in the module launcher.
Double-clicking these options will open a dialog to assist setting the value.
- Added a visual hint to clickable preference types in the preferences window.
Double-clicking these types will open a dialog to assist setting the value.
- Fixed a potential deadlock caused by launching modules while Armitage is
- Added a preference to disable displaying the MSF ASCII banner when a new
console opens. This preference is set to show the banner by default.
- Added a regexp to strip non-ascii chars from usernames collected with dump
hashes. The RPC daemon throws an exception when I try to report usernames
with these chars in them.
23 Jul 11 - Change Log
- Ooops! My baaad. I broke db.creds in MSF. Someone else unbroke it. Now
I call it the right way from Armitage so everything works like it's
supposed to. :)
21 Jul 11 - Change Log
- loots dialog is now populated by db.loots RPC call. This is faster
and compatible with changes made to MSF.
- credentials dialog is now populated by.creds RPC call. This is
faster and compatible with changes made to MSF.
- RPC connection code now strips out more characters that may cause
the XML parser to complain.
** There were a few changes made to MSF over the past few days that
broke the credentials and loots dialog. This update brings Armitage
back to compatability with what exists in MSF trunk. **
19 Jul 11 - Change Log
- You may now execute a post module against multiple hosts at once.
Simply highlight the hosts, find your post module, double-click it
and watch the magic happen. The drawback--each session will open a
new tab to display the output of the post module.
- You may now hold down shift and click on a tab to close all tabs
with the same title. If you run a post module against multiple hosts
this is a good way to get rid of all those tabs.
- Graph view Ctrl+P shortcut (save screenshot of graph view) now shows
- post module output now logs to ~/.armitage/[host]/post.log
- Fixed some weirdness with popup menu mouse events not being consumed
- Added View -> Activity Logs to open folder containing Armitage logs
- Fixed command history so up arrow really gives the previous command
- Keystrokes dumped using dump button on key scan dialog are now logged
*Respun* Armitage.dmg with .app file fix for MacOS X Lion. Thanks to
@NightLion for contributing this.
12 Jul 11 - Change Log
- Fixed a race condition causing some file browser actions to fail on
Windows hosts at times.
- Files downloaded through file browser are now archived in:
- Hail Mary output nows goes to [log dir]\all\hailmary.log
- Added Crack Passwords button to Credentials tab. This opens the
launcher for John the Ripper: auxiliary/analyze/jtr_crack_fast
- Added Post Modules item to Meterpreter N -> Explore and Shell N menus.
This menu item will show applicable post-exploitation modules in
the module browser.
- Loot browser now opens loot viewer as a tab.
- Loot viewer now has many of the same keyboard shortcuts as a console
tab. You can Ctrl+F to search for stuff, Ctrl+Plus/Minus to increase
and shrink the font, and Ctrl+A to select everything.
02 Jul 11 - Change Log
- Doubled wait time for Meterpreter ls command to complete.
- Armitage now shows psexec option instead of smb on Login menu for
Windows hosts (when smb service is present).
- Fixed bug preventing manual import of a single host
- Removed automatic resending of console commands that didn't appear
sent. This was a work-around for a msf bug that may not be present
anymore. We'll find out.
- Removed --script-all from NMap profiles. I saw quite a discussion
about this on the NMap mailing list. Oops. Oh well :)
- All host import options now use Metasploit's import_data RPC call.
This is what all the remote calls map to anyways.
- Added Help button to start dialog.
- Armitage now opens cmd.exe and executes programs from the file
browser using the current process token (execute -t in Meterpreter)
- Added logging. Logs are stored in ~/.armitage organized as
[date]/[host]/[file]. The logging captures:
- all Console tab output (console.log)
- the collaboration event log (event.log)
- all Meterpreter tab output (meterpreter_[session].log)
- all Command Shell tab output (cmd_[session]_[pid].log)
- all Shell tab output (shell_[session].log)
- all Screenshots captured through Armitage (.../Screenshots/)
- all Webcam shots captured through Armitage (.../Webcam Shots/)
You can turn this off by setting armitage.log_everything.boolean
to false in the Armitage preferences.
- Added a Reset button to preferences dialog to reset Armitage
- SSL now defaults to off on all platforms
- Added a Default button to the database settings helper. This
button loads the default database settings ignoring what is in the
- Loot viewer now uses the same colors and font as a console tab
- Fixed bug preventing Loot browser from populating data/time column
- Preferences dialog now brings font and shortcut dialogs to front
to prevent them from being hidden by prefs dialog.
24 Apr 11 - Happy Birthday Gerry Edition
- Added a check to prevent jerk faces from entering an empty nick in
collaborative mode. :)
- Fixed a potential dead-lock condition with the screenshot/webcam
- Armitage -> Listeners -> Reverse now binds to 0.0.0.0.
- Host import now posts an event to the collab mode shared event log
- added an option to display an MOTD message to clients that connect
to Armitage in the collaboration mode. Use -m or --motd before
--server and specify a file, e.g.:
armitage -m /path/to/motd.txt --server ...
Clients will see this message when they connect.
- Added Meterpreter -> Access -> Pass Session to send a meterpreter
session to a handler set up on another host.
- Armitage now sets ExitOnSession to false for multi/handlers started
- Pivoting and ARP Scan dialogs now highlight first option by default.
- Added a sanity check to the Route class to prevent malformed IPs
from screwing up sorting.
- Removed sqlite3 from the database options. I should have done this
long ago--it has no place in Armitage.
- Armitage now intercepts meterpreter "shell" command and opens a
new tab with the cmd.exe interaction in it.
17 Apr 11 - Change Log
- Windows command shell interactions are now less likely to die. How
oh how did we get here? Armitage interacts with cmd.exe through a
Meterpreter channel. If an unnecessary read happens, it ties up the
meterpreter session for 10-20s AND the channel dies. If you typed
commands in too quickly, it's probable that Armitage would do an
unnecessary read and the channel would die. I believe I've headed
off this problem. Armitage now locks the channel until the command
completes. If the command times out or completes, the channel
becomes unlocked. This should prevent most out of place reads. In
collaboration mode, this was a great way for excited teammates to
tie up the meterp session for everyone. :) "I typed this command
20 times and nothing happened!!!" Doh! You queued 20 reads with a
10-20S timeout each and destroyed that channel. -- Armitage
protects against this situation now.
- Command history no longer saves empty commands.
- Armitage server mode now provides all details that a client needs
to connect to the server.
13 Apr 11 - Change Log (Dayton, OH Capstone Edition)
- Metasploit now has host normalization (this is great news). I've
removed the OS reporting code from Armitage as a consequence. This
means less overhead communicating with Metasploit
- Fixed a potential deadlock triggered when interacting with a Windows
command shell. Sorry about the freezes Matt and Brant.
- Fixed a strange condition in Armitage that sometimes caused shell
sessions to die.
- Download from file browser now notifies user when a file is downloaded.
- Armitage server mode now prints database connect string to console to
assist with set up of Metasploit teaming.
- Fixed a bug causing exploit recommendations to not show for Windows
hosts due to host normalization
- Added a check to prevent cd .. button in file browser from retriggering
too quickly. This will prevent the meterpreter command queue from
becoming very backed up doing a cd/ls over and over again.
- Graph view no longer counts edges as a selected item when creating a
list of hosts to apply an action to.
- Added another heuristic to prevent Windows cmd.exe interaction from
10 Apr 11 - Change Log
- Fixed key logger dump button.
- Process migrate function displays success or fail message again.
- Armitage now displays nmap output in a tab. You can thank scriptjunkie
for making this work in Metasploit. Please send cash, check, or money
order directly to him.
- Greatly improved post-pivot host discovery workflow... here's the deal:
-- [host] -> Meterpreter -> ARP Scan menu now shows networks local to
host and lets you choose to launch an ARP scan from that Meterpreter
-- Highlight one or more hosts, right-click, and select Scan to launch
MSF discovery scans against the highlighted hosts.
- Added a rudimentary loot browser/viewer to Armitage. Go to View -> Loot
to see the currently captured loots. Loot is the Metasploit term for
data captured by certain post/ modules.
- Armitage now presents a warning when it detects a second Metasploit
user connected to the same Metasploit server without the collaboration
server in place.
- Armitage collaboration mode now updates target information more often
- Updated Armitage to work with Metasploit's new normalized host OS
constants and to restore the os_flavor value when it is wiped out.
16 Mar 11
- Shell -> Disconnect now executes in a separate thread.
- Armitage now creates ~/armitage-tmp and writes there if the current dir
is /Applications or it can't write to the current directory.
- Fixed a potential deadlock issue in the file browser
- Directory up button in file browser now shows that it has been pressed
- Added Execute option to file browser (now you can run a program by
right-clicking on it and selecting Execute--for Jesse)
- Multiple improvements to responsiveness of command shell and meterpreter
tabs. This should benefit collaboration mode too.
12 Mar 11 (MACCDC Post Day 1 Update)
- Fixed a bug preventing host import from working with a remote connection
- Armitage client now increases default wait for meterpreter commands to
complete when in teaming mode.
- Increased wait time to download a generated payload file to 8s.
11 Mar 11 Update (0100h EST)
- Fixed a deadlock condition in the module launcher (caused by the changes
to increase responsiveness... oops).
10 Mar 11 Update (2230h EST)
- Fixed race condition importing manual list of hosts (sometimes the file
would get deleted). Grr.
- Added a lock to prevent multiple Armitage clients from trying to
determine what OS a box has. This should help in CTF situations.
10 Mar 11 Changes
Quick story: NECCDC 2011 Red Team. TJ launches a script that lands 70
sessions in the first few seconds. 11 red team members are connected to
Armitage eager to carry out their pieces of pwnage. The Ruby process pegs
the CPU and Armitage fails spectacularly. Very funny. This releases fixes
- Armitage YAML parser now accepts quoted strings in the YAML fields
- Added caching of sessions.list, db.hosts, and db.services to Armitage
collaboration server. This should help prevent msfrpcd from overloading
when many clients are connected and owning boxen at one time.
- Improved GUI responsiveness by making several parts of the Armitage GUI
spawn a new thread to avoid blocking while communicating with Metasploit
- Added a tooltip to the "Start MSF" and "Connect" buttons to clarify use
- Export credentials button now prompts for a remote file when connected
to a remote Metasploit instance.
- Export credentials and payload generate output now transparently
downloads to your local host when connected to Armitage's collab server.
- Armitage now loads stdapi in Meterpreter if it finds it's not loaded.
Armitage also prompts you to rerun the failed command when this happens.
- Right-click in services now shows popup for taking actions against
selected hosts. Now you can do mass actions against hosts sorted by port.
- Added Access -> Persist to Meterpreter menu. This will run Meterpreter's
persistence script using the default Armitage handler. Meterpreter will
start at boot and at login.
- Added an Armitage.app file for MacOS X. Use Armitage from OS X as a
client to connect to Metasploit hosted in other places.
- Added a check for whether current working directory is writeable or not.
If it's not, Armitage does all of its read/write operations in home dir.
Tested with 10 concurrent Armitage clients from four boxes with 140+ shell
sessions and a few meterpreter sessions. I think we're ready to rock now.
27 Feb 11 Changes
- Webcam snap features works again. Sorry about that. :)
- Download file button in file browser now works through the collaboration
server. This feature has a few limitations / requirements:
1) Armitage server must have the same $PWD as msfrpcd
2) Files must download in less than 12s or else you'll need to retrieve
them from the msfrpcd host.
3) Recursive downloads of files from a directory are kept on the host with
msfrpcd. You'll need to retrieve them with sftp or something else.
25 Feb 11 Changes
This release is primarily bug fixes. The network attack collaboration
feature is further tested and ready for your use.
- Armitage now consumes data from msfrpcd's stderr when Start MSF button is
used. This means Armitage won't lock up when database tables are
initialized during the first run on Windows.
- pivoting, logins, hail mary, and pass-the-hash now print to the event log.
- Pass-the-hash dialog is now available via [host] -> Login -> psexec.
- Fixed bug causing Event Log menu to be present outside of collab mode.
- armitage.sh start-up shell script is now named armitage
- Console destroy and shell unlocking commands on tab close now happen in a
new thread to prevent the GUI from blocking.
- Armitage now stops meterpreter read thread when it detects a dead session.
- Replaced jyaml with a quick and dirty parser that doesn't mistake ####e#
for a double number. This was screwing up connecting to postgres for some
- Upload button in file browser now works through Armitage's collab server
- Added Ctrl+P shortcut to save screen capture of hosts graph view
22 Feb 11 Changes
- Improved shell "when should I read more data from this channel" heuristic.
This means command shell sessions should not freeze on an errant Meterp.
read command that blocks until the universe is recreated.
- Fixed a potential deadlock using Armitage's meterpreter dialogs with a
meterpreter tab open.
- Command shell tab now only opens when Armitage knows channel and PID
- Rewrote how Armitage interfaces with Meterpreter. This has a few impacts:
-- Armitage now waits for a command to execute and reads its output
before executing another command. This prevents Armitage from getting
confused when you're doing a lot of stuff at once.
-- You can now open multiple meterpreter console tabs for a session
-- Commands executed by Armitage's dialogs will not show up in your
- File browser now does a cd "current directory" before each action.
- Added a network attack collaboration feature to Armitage. This is as
beta as it gets (although it *should* work). To use it, start msfrpcd
and connect Armitage's collaboration server (on the same box as msfrcpd!)
./armitage --server host port user pass [ssl? 1 or 0]
This will connect Armitage's collaboration server to the Metasploit RPC
daemon you specify. This server will then bind port+1 and tell future
Armitage clients to use it for extra collaboration features.
Connect one or more remote Armitage clients as normal. Some of the
features you get in this mode:
1. View -> Event Log for chatting and watching major events
2. Command shell and webcam/screenshot features work for remote clients
3. Armitage clients automatically lock a shell session when they're in use
and notify other clients that it's locked if they try to use it.
4. Transparent real-time sharing of meterpreter amongst multiple clients.
- Payload generation now works on Windows (I wasn't escaping the backslashes
in the paths... doh!)
- Armitage now prompts you for a path (and not a file chooser) when generating
a payload using a remote connection to Metasploit.
- Armitage now loads database settings from file in MSF_DATABASE_CONFIG env var
- You can now highlight text in the Armitage console tabs on MacOS X.
- Fixed a potential deadlock when opening a Windows command shell tab
Update 9am EST
- Removed a remnant of my development environment from server.sl. If you see:
jar file to import package from was not found! at line 25
Then you need to update.
13 Feb 11 Changes
- Organized View menu (it was getting out of control)
- Added RPC Console item to view menu (Start MSF only). This item will show
the STDOUT for msfrpcd. Use this to watch nmap's output.
- Added Ctrl+A shortcut to select all text in a console tab
- Kill meterpreter, kill pivots, and credential dumps now use fresh
consoles to execute. This ensures they will execute even if the global
console is stale (this sometimes happens.)
- Added tab completion to Meterpreter window.
- Hosts -> Import Hosts now lets you select multiple files to import at once.
- Use SSL is now checked by default on Linux (and unchecked by def. on Win)
- Updated Armitage to remove or alter some UI options when connected to a
remote Metasploit RPC instance.
-- Meterpreter shell is the only interact option
-- Webcam and Screenshot menu items are gone
-- Upload asks for a full file name rather than show a file chooser dialog
These adjustments are necessary during remote connections as Armitage does
not have access to the local file system of the Metasploit RPC daemon.
21 Jan 11 Changes
- Increased wait time between connection attempts to MSF RPC
- Fixed bug with Windows command shell not working when using Armitage from a
- Host refresh using sysinfo now only happens when no OS is set for the host.
- Fixed a deadlock condition caused when an automatic sysinfo request was
made while a Meterpreter tab for the same host was open.
18 Jan 11 Changes
- Added a Migrate Now! item to Meterpreter Access menu. Runs migrate -f.
- Right-click in Meterpreter console now shows menu as before (silly bugs).
- Armitage now detects hashdump failure and reports possible causes to you.
- Armitage now binds default handler to 0.0.0.0.
- Added a table view for the targets area. Go to View -> Targets to change the
setting. If you're working with many hosts, table view may be better for you.
- Added preliminary support for Metasploit post/ modules. You can launch them
and if a host is highlighted, Armitage will populate the SESSION var for you.
- Armitage now uses the sysinfo command in a meterpreter session to pull host
OS info if it doesn't know it. This also means Armitage will auto-populate
the host OS when a client-side attack is successful.
- Tab completion is now ignored when input field is empty
13 Jan 11 Changes
- Hosts reported as Windows Me now display W2K era Windows logo.
- "Hail Mary" attack is now launched and managed by Armitage. Exploits are
selected using the output of db_autopwn AND the operating system information
Armitage knows. Also attacks are launched in a more optimal order (sorted by
exploit rank/age). This is a big improvement over db_autopwn by itself.
- Added a link to the Armitage Issue Tracker in the Help menu.
- Updated remote exploit payload selection to choose Java payloads or Windows
shell payloads before resorting to the generic/* payloads.
- Updated client-side exploit launcher to let you select the target. Armitage
uses this target (plus the exploit name) to determine which payload to use.
multi/java_signed_applet works very nicely now ;)
- Fixed (once and for all now) the mysterious OS info not refreshing bug.
Now those pretty OS pictures will show up if Metasploit knows about the OS.
- Added a 52 character length limit to a target's description in the target
dropdown. This stops weird GUI layouts caused by long target descriptions.
- Exploit recommendations now take into account FreeBSD hosts.
- Added an OpenBSD option to the hosts menu.
- Armitage now does a setg AutoLoadStdapi true when setting up MSF.
- Last modified field of file browser now sorts properly.
- Jobs console and its kill feature should now work in all circumstances.
- Session menus for meterpreter now limited for non-Win meterp sessions.
- Updated Armitage/Windows to provide a better startup experience. Simply
extract the archive over your MSF install and rock n' roll.
22 Dec 10 Changes
- Updated meterpreter shell and command shell console to honor your set
preferences. I forgot to pass $preferences to the console constructor. Doh!
- Added a -d/--debug command line option. This will dump System.getProperties()
and a log of all exchanges with the MSF server to debug.log in the current
- To play nice with existing conventions, Armitage is now licensed under the
BSD license. Distribute, use, reuse, recycle.... have fun.
- Fixed a deadlock condition that arose when a large nmap scan is imported
- About dialog now shows up centered.
- Armitage now has a graphic for Cisco IOS. You can mark a host as a Cisco IOS
device. Also Armitage recognizes IOS from an NMAP Scan.
- Fixed Armitage "crash" due to read timeouts. This would occur for those of
you who ran a really taxing operation (e.g., db_autopwn).
- Added a time limit flag to db_autopwn (20s)
- Ctrl+R is now even more aggressive clearing internal data structures.
- Shell N -> Meterpreter... no longer blocks waiting for the operation to
13 Dec 10 Changes
- Added Meterpreter -> Browse -> Webcam Shot to grab webcam snap shots.
- You may now click the image in the webcam/screenshot view to save it.
- Workspace -> Create menu now automatically switches you to the net workspace.
- UNIX shell sessions now have an Upload... menu. This item will open a local
file and use the printf command on the remote host to put it together. It's
slow but it works.
- Removed the rename file menu item from the file browser. It turns out I had
my Windows command shell vs. meterpreter command interface crossed. The
command doesn't exist in Meterpreter.
- Upload button now waits until file is uploaded to refresh file listing
- Added Timestomp item to File Browser popup menu. This works like a clipboard.
Select Get MACE to capture the MACE values of the current file. Use Set MACE
on another file to set the MACE values to the currently known attributes.
- Dump hashes menu item no longer pulls up a new credentials tab.
- Added a Refresh button to the credentials tab.
- Updated db refresh code to be a little smarter about when it needs to merge
db_notes hints into the MSF database.
6 Dec 10 Changes
- added -y filename.yml command line option for specifying a YAML file with
- updated "Start MSF" to launch "ruby msfrpcd" on Windows. This requires the
current working directory of Armitage be set to the Metasploit base directory.
- jobs view now parses job output with only 3 columns of information.
- connect dialog is now centered on your screen when you start Armitage
- Armitage now saves your settings when you use Start MSF.
- Armitage now forces cells in editor mode to save before launching a module or
an exploit. This should prevent a few surprises where things seemed like they
weren't working for a few of you.
- MSF Discovery Scans are now started from a separate thread, preventing
Armitage from "locking up" while the scans launch. A dialog also comes up to
state how many scans were launched.
- MSF Discovery Scans are now limited to 2 threads/scan on Windows and 8 on
other operating systems. This prevents serious lag issues caused by
starting too many threads.
- connect dialog is now a window, meaning it has an icon in whatever your
window manager is and if you close it Armitage exits.
- updated DB Connect String helper dialog to ask for DB user, DB pass, DB host,
and DB name. This should prevent some of you from confusing the database
user/pass with the MSFRPCD user/pass.
- Current environment variables are now passed to msfrpcd when executed from
Armitage. This will allow msfrpcd to inherit any PATH changes and other
necessary things when Armitage is run from a shell script or batch file.
- Added .svn folders to the Armitage distribution. Now you can use svn update .
to keep your install of Armitage up to date.
- File browser upload and make directory commands now allow files with spaces
- Armitage will now exit if it takes longer than 5 seconds to shutdown msfrpcd
when cancel is pressed during the connecting phase.
25 Nov 10
- start msf button now kills msfrpcd session if db_connect fails
- set default database options to mysql with BackTrack 4 R2 settings.
- Armitage -> Exit menu now kills msfrpcd, if the "Start MSF" button was used
- Added ability to set up a multi/handler from Payload launch dialog
13 Nov 10
- fixed file browser directory icon showing up in every field within Windows L&F
- added an export button to the credentials view. This will save the credentials to
a pwdump format file.
- fixed console highlighting issue, sadly you'll need to click in the console input
box for it to have focus again. Write once, debug everywhere.
- added "hail mary" attack option--this launches db_autopwn
- attack menus now honor the armitage.required_exploit_rank.string setting
- added Ctrl+R shortcut for refreshing the target view (esp. OS info)
- fixed db_notes parsing for latest version of MSF (3.5.x?)
- fixed how auxiliary scans are displayed in the jobs table.
- db connect helper now prepopulates fields with info taken from connect string
- added an 8s timeout to abort the database connect if it fails.
- OS from db_notes to db_hosts refresh is now guaranteed on connect
- Packaged everything into a single jar file, now I can code in what I like
without hassle from people who are too lazy to look at the code.
- SSL handshake now fails after 8 seconds (should give those of you trying
an SSL connect to a non-SSL server an idea that something is up)
- added an executable to launch Armitage on Windows
- fixed command shell interaction bug caused by directories with spaces.
- Start MSF button now reports an error if it couldn't start MSF-RPC
2 Nov 10
- Initial (priv8) release.