Tuesday, March 17, 2009

Fast-Track: Pen-Testing made simple?

| Brett D. Arion |
Security Engineers are always looking for easier ways to perform penetration tests. Anyone that has been doing this job for any length of time, can remember the pre-Metasploit (or pre-Google if your hair is getting gray like mine) days when you had to really know your code in order to do proof of concept exploits or even the proven exploits. This type of engagement often meant hours tweaking code in order to effectively test the exploit.

OK, so what is my point you say?

Our profession, or hobby as it may be, has just received a shot in the arm and the next tool that will need to be in everyones toolkit, FAST-TRACK. Of course if you bill by the hour and not the job, you probably aren't very glad to see this....just kidding..read on...

So what is FAST-TRACK?

Per the website:

" Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network. Fast-Track was originally conceived when I was on a penetration test and found that there was generally a lack of tools or automation in certain attacks that were normally extremely advanced and time consuming. In an effort to reproduce some of my advanced attacks and propagate it down to my team at SecureState, I ended up writing Fast-Track for the public. Many of the issues Fast-Track exploits are due to improper sanitizing of client-side data within web applications, patch management, or lack of hardening techniques. All of these are relatively simple to fix if you know what to look for, but as penetration testers are extremely common findings for us. Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back relax, crank open a can of jolt cola and enjoy the ride.

"LETS POP A BOX!!!!!!!!!" -Dave Kennedy"

Old veterans like myself often dislike to see tools like this as it makes the hours of tedious work we have done for years seem less worthwhile (only because we did not think to script the stuff ourselves), but ultimately we must commend people like Dave Kennedy with sharing his expertise and experience with the masses. So checking out this tool is a must, but be sure to visit the Wiki page for the tool as is explains the tool in great detail, and will assist you with getting through the setup much more effectively.

Lastly, there is an excellent video at the site as well that gives a great preview of the capabilities of Fast-Track and you can see it here.

Free Security Magazines