Basic Usage
The whole idea of Armory is to be able to run tools, get data back from those tools, and run other tools based on that data. From there, it really depends on your own workflow with exactly how you use Armory.
To get help on Armory itself:
armory -h
usage: armory [-h] [-m MODULE] [-lm] [-M] [-r REPORT] [-lr] [-R] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -m MODULE, --module MODULE
                        Use module
  -lm, --list_modules   List modules
  -M, --list_module_options
                        List module options
  -r REPORT, --report REPORT
                        Use report
  -lr, --list_reports   List reports
  -R, --list_report_options
                        List report options
  -v, --version         Display the current version
To list the available modules, use the -lm parameter:
Available modules:
DNSRecon
Fierce
GobusterDNS
GobusterDir
Gowitness
HeaderScanner
Hydra
Ingestor
LinkedInt
Nessus
Nmap
NmapCertScan
PowerMeta
SSLScan
SampleModule
SampleToolModule
Sublist3r
TheHarvester
Tko-subs
URLScanner
Whois
To see help for a specific module, select it with -m and add the -M parameter:
armory -m Ingestor -M
Ingestor
Ingests domains and IPs. Domains get ip info and cidr info, and IPs get
CIDR info.

usage: Ingestor [-h] [-d IMPORT_DOMAINS] [-i IMPORT_IPS] [-a] [-p] [-sc] [-sb]
                [-Ii] [--force]

optional arguments:
  -h, --help            show this help message and exit
  -d IMPORT_DOMAINS, --import_domains IMPORT_DOMAINS
                        Either domain to import or file containing domains to
                        import. One per line
  -i IMPORT_IPS, --import_ips IMPORT_IPS
                        Either IP/range to import or file containing IPs and
                        ranges, one per line.
  -a, --active          Set scoping on imported data as active
  -p, --passive         Set scoping on imported data as passive
  -sc, --scope_cidrs    Cycle through out of scope networks and decide if you
                        want to add them in scope
  -sb, --scope_base_domains
                        Cycle through out of scope base domains and decide if
                        you want to add them in scope
  -Ii, --import_database_ips
                        Import IPs from database
  --force               Force processing again, even if already processed
The same pattern applies to reports: -lr lists the available reports, and -r REPORT -R shows the options for a specific report.
One of the most important concepts to understand in Armory is scoping. A domain, subdomain, or IP can be scoped in two ways: active or passive.
Active scoping means any tool, including intrusive ones, will be run against it. For example, if you are testing www.foo.bar and it is marked active, then active tools such as Nmap, Gobuster, and Gowitness will run against it.
Passive scoping means only non-intrusive tools will run against it. These are mainly things such as whois and DNS lookups. Passively scoped domains and IPs may be related to a client but are not necessarily in the active scope of the test. An example would be mail.foo.bar resolving to a default ISP landing page that is not the client's infrastructure.
Scoping is usually inherited, based on a few conditions. For IPs: if the IP falls inside a netblock in the ScopeCIDRs table (more on how to populate that below), the IP is automatically marked both active and passive. Otherwise, if the IP was resolved from a domain, it inherits that domain's scoping. If neither applies, it is marked as neither, i.e. out of scope. For subdomains: if the base domain is marked active or passive, every subdomain discovered under it is automatically marked the same. If a subdomain resolves to an IP that is marked active (i.e. it is in the ScopeCIDRs), the subdomain is also marked active. If both the subdomain and its base domain are brand new, they are both marked out of scope.
This makes more sense as you use it!
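The inheritance rules above, written out as a small Python model so the precedence between them is explicit. This is an added example and not code from the Armory project: the Scope class, the scope_ip and scope_subdomain functions, the "last two labels" base-domain heuristic, the precedence of the in-scope-IP rule over an unknown base domain, and the sample hosts are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for Armory's ScopeCIDRs table: the client's active net block.
SCOPE_CIDRS = [ipaddress.ip_network("192.168.23.0/24")]


@dataclass
class Scope:
    """An object can be active, passive, both, or neither (out of scope)."""
    active: bool = False
    passive: bool = False


def scope_ip(ip, resolved_from=None):
    """Scope for an IP address.

    Rule 1: inside a ScopeCIDRs net block -> active and passive.
    Rule 2: otherwise, if resolved from a domain, inherit that domain's scope.
    Rule 3: otherwise, out of scope.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SCOPE_CIDRS):
        return Scope(active=True, passive=True)
    if resolved_from is not None:
        return Scope(active=resolved_from.active, passive=resolved_from.passive)
    return Scope()


def base_domain(fqdn):
    """Assumption: the base domain is the last two labels.

    Armory's own handling of multi-label public suffixes is not modelled here.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def scope_subdomain(fqdn, known_bases, resolved_ips=()):
    """Scope for a newly discovered subdomain.

    known_bases: {base_domain: Scope} for base domains already in the database.
    Rule 1: inherit the base domain's scope if the base is known.
    Rule 2: resolving to an IP inside a ScopeCIDRs block marks it active as well.
    Rule 3: new subdomain of a new base domain with no in-scope IP -> out of scope.
    Assumption: rule 2 applies whether or not the base domain is known.
    """
    base = known_bases.get(base_domain(fqdn))
    scope = Scope(active=base.active, passive=base.passive) if base else Scope()
    if any(scope_ip(ip).active for ip in resolved_ips):
        scope.active = True
    return scope


def demo():
    """The foo.bar / 192.168.23.0/24 engagement from the text, as constructed data."""
    # armory -m Ingestor -d foo.bar -p
    bases = {"foo.bar": Scope(active=False, passive=True)}
    www = scope_subdomain("www.foo.bar", bases, ["192.168.23.10"])
    mail = scope_subdomain("mail.foo.bar", bases, ["203.0.113.5"])
    return {
        "www.foo.bar": www,                      # in-scope IP -> active + passive
        "mail.foo.bar": mail,                    # inherits passive from foo.bar
        "203.0.113.5": scope_ip("203.0.113.5", resolved_from=mail),  # inherits passive
        "198.51.100.7": scope_ip("198.51.100.7"),                    # no relation -> out of scope
        "shop.example.net": scope_subdomain("shop.example.net", bases, ["198.51.100.8"]),
    }


if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name:18} active={s.active!s:5} passive={s.passive}")
```

Running the script prints one line per object; the point to notice is that mail.foo.bar stays passive-only because neither its base domain nor its IP is active, while www.foo.bar becomes active purely by resolving into the ingested CIDR.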
Now that the basics are out of the way, how do we actually do work with Armory? Let's take a basic workflow. You are conducting a test on a client with the domain foo.bar and a net block of 192.168.23.0/24. The first thing to do is put the domains and IPs into the database along with their scoping. The module for this is Ingestor, which explicitly adds hosts to the database.
armory -m Ingestor -i 192.168.23.0/24 -a
This will import the CIDR as active scoped.
armory -m Ingestor -d foo.bar -p
This will import foo.bar as a passively scoped domain.
First, let's run Sublist3r and see if we can find some useful subdomains. Check its options with -M:
armory -m Sublist3r -M
usage: Sublist3r [-h] [-b BINARY] [-o OUTPUT_PATH] [--threads THREADS]
                 [--timeout TIMEOUT] [--tool_args ...] [--no_binary]
                 [--profile1] [--profile1_data PROFILE1_DATA] [--profile2]
                 [--profile2_data PROFILE2_DATA] [--profile3]
                 [--profile3_data PROFILE3_DATA] [--profile4]
                 [--profile4_data PROFILE4_DATA] [-d DOMAIN] [-f FILE] [-i]
                 [-s]

optional arguments:
  -h, --help            show this help message and exit
  -b BINARY, --binary BINARY
                        Path to the binary
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Relative path (to the base directory) to store output
  --threads THREADS     Number of Armory threads to use
  --timeout TIMEOUT     Thread timeout in seconds, default is 300.
  --tool_args ...       Additional arguments to be passed to the tool
  --no_binary           Runs through without actually running the binary.
                        Useful for if you already ran the tool and just want
                        to process the output.
  --profile1            Append profile1_data to command
  --profile1_data PROFILE1_DATA
                        Additional arguments to be appended
  --profile2            Append profile1_data to command
  --profile2_data PROFILE2_DATA
                        Additional arguments to be appended
  --profile3            Append profile1_data to command
  --profile3_data PROFILE3_DATA
                        Additional arguments to be appended
  --profile4            Append profile1_data to command
  --profile4_data PROFILE4_DATA
                        Additional arguments to be appended
  -d DOMAIN, --domain DOMAIN
                        Domain to brute force
  -f FILE, --file FILE  Import domains from file
  -i, --import_database
                        Import domains from database
  -s, --rescan          Rescan domains that have already been scanned
We'll use -i so the database supplies the domains to scan, which at this point is just foo.bar:
armory -m Sublist3r -i
This should give you some new subdomains. You will also notice that Armory automatically resolves them to IPs and runs whois lookups to find the CIDRs those IPs belong to, applying the scoping rules described above as it goes.
Now let's brute force subdomains using Gobuster in DNS mode:
armory -m GobusterDNS -i --tool_args -w ~/src/SecLists/Discovery/DNS/subdomains-top1mil-110000.txt -t 100
Every argument after --tool_args is passed directly to the underlying tool, so --tool_args must be the last Armory option on the command line; anything following it (here the -w wordlist and -t 100 threads) belongs to gobuster, not to Armory.