Cortana Tutorial - Armitage

Low-level Metasploit Control

Metasploit offers a remote API for programmers to write clients against. This API covers most of what you would want to do with Metasploit. Cortana abstracts this API for you, but there may be times when you want to talk to Metasploit directly or you may want to extend the Cortana API for your scripts.

To call an RPC API method:

    call("module.method", ...);

The call method accepts any number of arguments. Cortana will convert the data you provide to the types expected by the RPC server. It's very good at doing this.

Cortana's control of Metasploit builds on this one function. Because this is a choke-point for all Metasploit control, it presents an interesting opportunity. With Cortana, you may hook any call to Metasploit, rewrite the parameters, and send it on its way. The means to do this is a filter. Cortana filters are like event listeners. Filters accept the arguments to some action, inspect them, and potentially change them in some way.

Cortana allows filters to catch any call to Metasploit. Here's a module spy that lists all modules (with arguments) launched by scripts in the current Cortana container:

    filter module_execute {
        println("Launched: $1 / $2");
        println("Arguments: $3");
        return @_;
    }

Filters must return their arguments. The return @_ line at the bottom of this filter accomplishes this. In Sleep, the array @_ contains the arguments passed to the current function.
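
An added example, not part of the original tutorial: the same module_execute hook used as an engagement audit trail. It appends a timestamped record of each launched module to a file and masks option values whose names contain "pass". The log file name and the audit helper are assumptions made for illustration, as is treating $3 as the options hash.

```sleep
# Added example (not from the tutorial): audit trail for module launches.
# Assumption: placeholder log path; point it at a file the operator can write.
$AUDIT_LOG = "cortana_module_audit.log";

# Hypothetical helper: append one timestamped line to the audit log.
sub audit {
    local('$handle $stamp');
    $handle = openf(">> $+ $AUDIT_LOG");
    if (checkError($error)) {
        # Do not break module execution if the log cannot be opened.
        warn("audit log unavailable: $error");
        return;
    }
    $stamp = formatDate(ticks(), "yyyy-MM-dd HH:mm:ss");
    println($handle, "$stamp $1");
    closef($handle);
}

filter module_execute {
    local('$key $value $shown @opts');

    # $3 is assumed to hold the module options as a hash of name => value.
    foreach $key => $value ($3) {
        # Keep credentials out of the log file.
        $shown = iff("*pass*" iswm lc($key), "<redacted>", $value);
        push(@opts, "$key = $shown");
    }

    audit("$1 / $2 [" . join(", ", @opts) . "]");

    # Filters must hand their arguments back, unchanged here.
    return @_;
}
```

Because the filter returns @_ untouched, it only observes launches; it does not alter what the scripts in the container send to Metasploit.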

&call is one of the few Cortana functions that block. This means Cortana will wait until Metasploit returns a result and then provide it to you. If you don't need the result of the method you're calling, then use the &call_async function. This will queue the call and allow it to execute without blocking other Cortana scripts or the Armitage user interface.

To find out which calls are available, consult the Metasploit Remote API document:

https://community.rapid7.com/servlet/JiveServlet/downloadBody/1516-102-3-2501/RemoteAPI_4.1.pdf

High-Level Metasploit Control

To interact with Metasploit, you do not need to use a virtual console or learn the Metasploit Remote API. Cortana provides several functions to make it easy to launch modules and query information about them.