Automated penetration testing tools are a double-edged sword: they make it easy to check for well-known vulnerabilities on your network, but they can also be used by hackers to try to compromise any vulnerable machines on your network.
Since they are quick and easy to use they can be used by unskilled hackers or script kiddies – which makes it all the more important that you run these tools yourself so you can fix any vulnerabilities you find before they are exploited by others.
A good tool to start with is Fast-Track, a relatively new Python-based open-source project. Parts of Fast-Track rely on the Metasploit Framework, so we’ll need to install that as well. In this How To we’ll be using a system running Ubuntu 9.10 – you may need to make adjustments if you are using a different Linux distro.
Downloading and Installing Metasploit and Supporting Packages
Before downloading Metasploit, install the supporting packages:
# apt-get install ruby libruby rdoc
# apt-get install libyaml-ruby
# apt-get install libzlib-ruby
# apt-get install libopenssl-ruby
# apt-get install libdl-ruby
# apt-get install libiconv-ruby
# apt-get install rubygems
Then navigate to your home directory and download Metasploit itself. The easiest way to do this is using subversion: ensure that subversion is installed on your system (if not you can get it using sudo apt-get install subversion) then:
svn co https://metasploit.com/svn/framework3/trunk/
Downloading and Installing Fast-Track
To download Fast-Track, navigate again to your home directory and type:
svn co http://svn.thepentest.com/fasttrack/
Next, move to the newly downloaded fasttrack directory and install Fast-Track:
python setup.py install
You’ll be asked for the path to the Metasploit installation you downloaded earlier, and then with any luck Fast-Track will install with all its dependencies. If this doesn’t work, the documentation states that the Python modules you might need to install manually include PExpect, FreeTDS, PYMSSQL, ClientForms, Beautiful Soup, PyMills, and Psyco – you’ll be able to download them via Ubuntu’s Synaptic package manager. You’ll also need Nmap and SQLite3.
Once Fast-Track is installed, run Fast-Track in menu mode:
python fast-track.py -i
Fast-Track will check that all the required packages are installed, and if so, you’ll see the Fast-Track main menu (below).
The first thing to do is update the whole installation by selecting option 1 (Fast-Track Updates) followed by option 10 on the update menu (Update Everything). This can take a little time – about enough to go and get a cup of coffee. Once the process has completed we are ready to get testing.
Using Metasploit’s Autopwn with Fast-Track
The test we are going to run in this article is Metasploit’s built-in Autopwn function. It’s a fairly straightforward process when carried out directly using Metasploit, but Fast-Track automates the whole thing, taking control of Metasploit and doing all the work for us.
To get started, choose option 2 (Autopwn Automation) from the main Fast-Track menu, and enter the IP range you would like to scan for vulnerabilities, using the same notation as Nmap. For example, type 192.168.1.1-254 to scan the whole 192.168.1 subnet.
Then choose option 1 for a bind shell.
A word of caution: the autopwn process could cause applications or systems on the machines being scanned to crash, so it’s wise to choose when to carry out this test carefully.
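Because autopwn can crash whatever it touches, it is worth expanding the Nmap-style range you are about to type in and confirming that every address falls inside the networks you are authorised to test. The following is an added example, not code from Fast-Track or Metasploit; it handles per-octet ranges and comma lists (such as 192.168.1.1-254 or 192.168.1-2.1-10), and the allowed CIDR list is an assumption you would replace with your own.

```python
"""Expand an Nmap-style octet range (e.g. 192.168.1.1-254) and flag any address that
lies outside the networks you are authorised to test. Added example; Fast-Track
itself just hands the range string to Nmap/Metasploit without checking scope."""
import ipaddress

def _expand_octet(part):
    """'1-254' -> 1..254, '7' -> [7], '1,5-6' -> [1, 5, 6]."""
    values = []
    for piece in part.split(","):
        lo, _, hi = piece.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {piece!r}")
        values.extend(range(lo, hi + 1))
    return values

def expand_range(spec):
    """Return every IPv4Address covered by a dotted spec with per-octet ranges."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets: {spec!r}")
    a, b, c, d = (_expand_octet(o) for o in octets)
    return [ipaddress.IPv4Address(f"{w}.{x}.{y}.{z}")
            for w in a for x in b for y in c for z in d]

def out_of_scope(spec, allowed_cidrs):
    """Addresses in spec that fall outside every allowed network (as strings)."""
    nets = [ipaddress.ip_network(n) for n in allowed_cidrs]
    return [str(ip) for ip in expand_range(spec) if not any(ip in n for n in nets)]

if __name__ == "__main__":
    # 192.168.1.1-254 is the whole subnet from the article; the allowed list is a
    # placeholder for your own authorised networks. A typo that widens the range to
    # 192.168.1-2.x would be caught here before autopwn ever touches the extra hosts.
    print(out_of_scope("192.168.1-2.1-254", ["192.168.1.0/24"])[:3])
```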
After the autopwn process completes, which can take anything from 5 minutes to an hour or so, you’ll either get the message “No sessions”, in which case none of the machines on your network could be compromised, or “Active sessions” with a list of machines that have been compromised.
In the screenshot below, the machine at 192.168.1.9 running Fast-Track has pwned (compromised) the machine at 192.168.1.16 using four different vulnerabilities, delivering the meterpreter payload, which we will take a look at in a moment.
Typing sessions -v displays the exploits which were used to pwn the machine.
By typing sessions -i 1 you can now access the pwned machine using the first vulnerability (or replace the 1 with a 2, 3, or 4 to use one of the other three vulnerabilities) and drop into a meterpreter prompt.
Meterpreter is a very powerful advanced payload which enables a hacker to do a great deal of harm to a system very easily using a few simple commands such as:
- hashdump, which dumps the contents of the compromised machine’s SAM database (which can then be subjected to an offline attack using a tool like John the Ripper to crack passwords).
- upload, which uploads a file or directory, perhaps to help compromise this or other machines on the network further. For example, a hacker could upload (and then execute) a Trojan to ensure that he has easy access to the machine in the future, even if the vulnerability that provided access to the machine this time is patched.
- keyscan_start, keyscan_stop and keyscan_dump, which are used to capture keystrokes on the compromised machine and then dump them to the attacking machine.
- or simply shell, which provides a command prompt on the compromised machine, from where the attacker could create or remove user accounts and get up to all kinds of mischief.
The screenshot below illustrates dropping from the meterpreter> prompt to a command prompt using the shell command, adding a user account “evilhacker2” with a password “evil” to the compromised machine, and then exiting to the meterpreter> prompt to dump the machine’s SAM.
Scary stuff! The key thing here is to identify and fix the vulnerabilities that have been successfully exploited. To identify them, visit the Metasploit module browser and search for the vulnerabilities revealed by the sessions -v command. For example, the first vulnerability, ms03_026_dcom, can be identified as the Microsoft RPC DCOM Interface Overflow. There’s a link to the original Microsoft security bulletin about this vulnerability, and the solution, in this case, is to apply a Microsoft security patch.
Once any vulnerable machines have been patched it makes sense to reboot them and run autopwn again to ensure that they are no longer vulnerable.
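When autopwn lands several sessions on several hosts, it helps to turn the sessions -v listing into a per-host patch worklist rather than chasing module names one at a time. The following is an added example, not Fast-Track or Metasploit code: the session listing it parses is constructed for the example and only approximates the msfconsole layout, and the MSYY-NNN bulletin lookup simply relies on Metasploit’s msYY_NNN module naming (ms03_026_dcom is the page’s example; the second module is a constructed extra).

```python
"""Per-host patch worklist from a Metasploit 'sessions -v' listing (added example).
The sample listing is constructed and only approximates the msfconsole layout; the
parser keys on the 'a.b.c.d:port -> a.b.c.d:port' column and the 'Via:' module path."""
import re
from collections import defaultdict

# Constructed sample, modelled on the article's scenario (192.168.1.9 -> 192.168.1.16).
SAMPLE_SESSIONS = """\
Active sessions
  Id  Type         Information                        Connection
  --  ----         -----------                        ----------
  1   meterpreter  NT AUTHORITY\\SYSTEM @ WIN2K-TEST  192.168.1.9:4444 -> 192.168.1.16:1052
      Via: exploit/windows/dcerpc/ms03_026_dcom
  2   meterpreter  NT AUTHORITY\\SYSTEM @ WIN2K-TEST  192.168.1.9:4445 -> 192.168.1.16:1053
      Via: exploit/windows/smb/ms08_067_netapi
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SESSION_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+.*?" + IP + r":\d+\s*->\s*" + IP + r":\d+")
VIA_RE = re.compile(r"^\s*Via:\s*(\S+)")
BULLETIN_RE = re.compile(r"^ms(\d{2})_(\d{3})")  # Metasploit's msYY_NNN module naming

def parse_sessions(text):
    """Return one dict per session: id, type, target host, and exploit module (if shown)."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "type": m.group(2),
                             "target": m.group(4), "module": None})
        elif (v := VIA_RE.match(line)) and sessions:
            sessions[-1]["module"] = v.group(1)   # 'Via:' line belongs to the session above
    return sessions

def bulletin_for(module_path):
    """'exploit/windows/dcerpc/ms03_026_dcom' -> 'MS03-026'; None for non-MS-style names."""
    m = BULLETIN_RE.match(module_path.rsplit("/", 1)[-1])
    return f"MS{m.group(1)}-{m.group(2)}" if m else None

def patch_worklist(text):
    """Map each compromised host to sorted (module, bulletin) pairs to chase down."""
    work = defaultdict(set)
    for s in parse_sessions(text):
        if s["module"]:
            work[s["target"]].add((s["module"].rsplit("/", 1)[-1], bulletin_for(s["module"])))
    return {host: sorted(pairs) for host, pairs in work.items()}

if __name__ == "__main__":
    for host, fixes in patch_worklist(SAMPLE_SESSIONS).items():
        print(host, fixes)
```

Paste the real listing from your own msfconsole run in place of SAMPLE_SESSIONS; the bulletin IDs are what you then look up in the module browser and Microsoft’s bulletin archive before re-running autopwn.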
In the next piece in this series, we’ll take a look at another automated pen testing technique offered by Fast-Track: the Mass Client-Side Attack option.