Automate Pen Testing with Fast-Track Client-Side Attacks

By Paul Rubens | Mar 10, 2010 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3869906/Automate-Pen-Testing-with-FastTrack-ClientSide-Attacks.htm

In the first piece in this series we looked at installing the Metasploit framework and Fast-Track, and using it to carry out an automated penetration test on all the machines on a network using Metasploit's db_autopwn feature. In this piece we'll be taking a look at how to use another feature: Fast-Track's Mass Client-Side Attack.

An important question to answer is what the difference is between the two types of test. Db_auto-pwn starts by port scanning all the hosts that it finds in a given IP range. It then assumes that any ports it finds open have been opened to allow the services that use those ports as their default ports to run: If it finds a port 25 open, it assumes that there must be an SMTP server running on that host using that port. It then launches all the SMTP exploits it has at that port, and other exploits at other ports as appropriate.

The Mass Client-Side Attack is different in that it uses browser-side exploits. To do this is starts a Web server on the penetration testing machine running Fast-Track, and imports all of Metasploit's client-side attacks (as well as Fast-Track's own). What happens next? "As soon as someone connects to us, all mayhem is started and massive amounts of exploits (are) launched at the connecting systems," is how Fast-Track author David Kennedy described it at a security conference in February.

To run a Mass Client-Side Attack, the first step is to navigate to the directory in which Fast-Track is installed, and start it. This time, rather than run it in menu mode, we'll be using Fast-Track's web GUI, which is accessed using the –g option.

As root, or using sudo, enter:

python fast-track.py –g

and then start a Web browser and navigate to 127.0.0.1:44444

After a few seconds, you'll see the main Fast-Track GUI displayed.

Figure 1: The Fast-Track GUI

At this stage it's a good idea to choose the Fast-Track Updates option in the left hand sidebar and update everything.

Once this has completed (and it can take as long as 15 minutes) choose Mass Client-Side Attack from the sidebar. Under Main Interface enter the IP address of your pen testing machine, and then choose a payload: In the screenshot below, Meterpreter Reverse TCP Shell has been selected.

Figure 2: Fast Track Attack Options

For this penetration test to work, machines on the network being tested need to access the Web server running on the pen testing machine, and the simple way to do this is simply to start a browser on a given machine, and point it at the IP address of the pen testing machine.

Fast-Track automates this by using a program called Ettercap to carry out an automated ARP cache poisoning attack on the machine to be tested. The result of this is that the browser on that machine requests any Web page anywhere on the Internet, the request will be diverted to the pen testing machine.

Setting up ARP poisoning (if you wish to use it) is supposed to be as simple as choosing "Ettercap Enabled" from the Ettercap Options box, and supplying the IP address of the machine to be tested, although it failed to work in my tests. You can set up ARP poisoning and filtering manually using Ettercap (for instructions follow the Ettercap link above.)

Finally, to launch the attack, click "Launch" at the bottom of the page.

At this point several windows will open, including one to stop the Mass Client Attack, and one showing Fast-Track's progress.

Figure 3: Fast-Track shows its progress.

Now head for the machine being tested, and either enter any Web address (if you're using the Ettercap option) or the IP address of the pen testing machine. In a few seconds, if any of the attacks are successful, the browser will freeze, or you'll get a message in the browser saying the site is currently down.

Figure 4: A browser timing out shows Fast-Track has completed its work.

Either way, you'll be able to list any sessions using

sessions –l

and find out which exploits have been successful with

sessions –v

Finally, connect if you wish using a Meterpreter prompt, as described in the first piece in this series, using:

sessions –i n

Where n is the session number you want to connect with.

From there, the machine is pretty much at your mercy – until you carry out the remediation work necessary.

What's surprising is that thanks to the work carried out by Kennedy (aka ReL1K) and the rest of the Fast-Track development team, you can carry out this test with just a few clicks. It also makes it easy for anyone else to compromise any exploitable systems, which is why – as ever – it's important that it's you that does it first.

There's much more to Fast-Track than is covered here, including testing MS SQL servers using SQL injection and password brute-forcing, and using other exploits that come to light from time to time. For more information on Fast-Track, visit Fast-Track at www.thepentest.com.