Fortra’s Tools for Pen Testers and Red Teams

FortraVM and S4 Applications

Fortra has 4 tools for pen-testers and red-teams. In this blog I quickly go through what each tool does and where it fits within the market. I then provide links to elsewhere on this site for more detailed information.

Fortra VM

This is a tool for performing Vulnerability Management tasks. The objective is to get a list of vulnerabilities that can be fixed, or if you are a pen-tester, then a list of vulnerabilities you can focus on for further testing.

General information here: https://s4applications.uk/fortra/fortra-vulnerability-manager/

Recorded demo here: https://s4applications.uk/invicti/acunetix/fortra-vm-demo/

Fortra VM and Core Impact Together

You can perform a vulnerability scan with Fortra VM, load that scan into Core Impact, and have Core Impact test the vulnerabilities to see if they can be exploited, so-called “vulnerability validation”.

We don’t have a demo of this, but it is covered in the Core Impact User Guide, which is here: https://hstechdocs.helpsystems.com/manuals/corects/impact/current/userguide/content/topics/appx_integration_import-vs-data.html

Use the plugin for “Frontline” to import Fortra VM data.

Core Impact

This tool is targeted at pen-testers and is an exploitation framework. This competes in a similar product category to Metasploit.

It is a workbench with a reporting engine, complete audit trail, and exploits that massively speed up the work of a pen-tester. It includes network-level exploits, phishing attacks, and web application exploits, plus other tools like ransomware simulation.

General information here: https://s4applications.uk/fortra/core-impact/

Recorded demo here: https://s4applications.uk/fortra/core-impact-demo/

Core Impact and Cobalt Strike Together

The Core Impact tool is integrated with Cobalt Strike. You will find some demos of this here: https://s4applications.uk/fortra/core-impact-with-cobalt-strike/

This is known by Fortra as their Offensive Security Advanced Bundle.

Cobalt Strike

This is the industry-leading Command and Control (C2) infrastructure. It is used by most red teams (plus most malware) because of its power and EDR evasion technology.

General information and demo here: https://s4applications.uk/fortra/cobalt-strike/

Recorded demo here: https://s4applications.uk/fortra/cobalt-strike/cobalt-strike-demo/

Cobalt Strike and Outflank Together

The Cobalt Strike and OST tools are also integrated together. I don’t have a demo yet, but I hope to soon.

This is known by Fortra as their Red Team Bundle.

Outflank Security Tooling (OST)

OST is a set of 20+ tools that perform tasks that red team members want to do. These range from Sharpfuscator (hides C# executables from AV/EDR), to Hidden Desktop (an OPSEC-safe implementation of hidden Virtual Network Computing), to Stego Loader (embeds a payload in a picture file) and so on.

Several of the individual tools are discussed, with demos, on this page: https://s4applications.uk/fortra/outflank-security-tooling-ost-video-demos/

The full set of tools is covered in the PDF, which is available via the “OST Tech Overview Document” button on this page: https://s4applications.uk/fortra/outflank-security-tooling-ost/#tech-overview.
