Product Review - CORE Impact

From: cepacolmaxat_private
Date: Tue Jul 08 2003 - 17:29:36 PDT


    Now that we have cleared the air, I offer again my (previously refused)
    posting in response to Glenn Wolfe's question so very long ago. To paraphrase,
    Mr. Wolfe asked if anyone on the pen-test list had any experience with
    the heavily advertised CORE Impact Tool. I do.
    
    I choose to post from an anonymous email account, knowing full well that
    this has some impact on my credibility. It is for this reason, in addition
    to my sense of fairness, that I will endeavour to be as objective and
    even-handed as possible.
    
    The review, as presented to pen-test for posting Friday, 27 June 2003
    [edited for accuracy, based on my learning between the time of the original
    post and now]:
    <review>
    We're testing the app in-house right now. I'd have to give it a 5 out
    of 10.
    
    There is some potential here - the interface is nice, and it is appealing
    to have an outside shop researching/developing new exploits.
    
    The existing exploits are fairly well documented. Info is included as
    to what service the exploit attacks, and how.
    
    The tool lends itself nicely to a structured methodology, so that repeated
    evaluations and evaluations of large numbers of hosts are sure to be
    apples:apples comparisons from one test to the next.
    
    Also, the CORE team has been very willing to help, and very accommodating.
    
    
    However, there are some issues. You can't evaluate a host until you have
    run network discovery and found it, and network discovery is limited
    to ping sweeps, arp, tcp scans, and sniffing. There is no [obvious] way
    to evaluate a host that does not get picked up by one of these tools.
    [Turns out there is a way to add unprobed hosts to the target list.]
    
    
    Exploits are a bit limited, and mostly cater to testing IIS. We have
    a great deal of HP-UX & Solaris on our network, so this is not a very
    good match at present. Also, the rate at which new exploits are delivered
    currently leaves something to be desired. We've been testing the Impact
    for a month now, and I haven't seen any new exploits appear in the list.
    
    
    Also, the list of exploits seems to be entirely webserver oriented. There
    are simply no exploit[s] for routers or firewalls or any other component
    of a common network.
    
    There are also some bugs in the software - it doesn't seem to be consistently
    able to recognize the NIC - one time you start the app, and all is well.
    The next time you start, you may get a "network interface not found"
    warning. Sometimes this can be corrected just by telling the app which
    card to use[.--snip-- This may be due to Impact's use of WinPcap 2.3.]
    
    Fingerprinting is also somewhat lacking. I just downloaded an update
    today, but Impact still cannot ID half the Windows [XP] boxes on my test
    network.
    
    Finally, there is the fact that we have yet to compromise a single host
    using this tool. My next step is to tailor-make a vulnerable box for
    one of the provided exploits, and see if Impact can penetrate it. I'll
    keep you posted, if you like.
    </review>
    
    <review addendum>
    Since I originally wrote the above review, we have met with the development
    team at CORE, and communicated the same concerns to them.
    
    We have been informed that a new version should be out in the near future
    that will address many of the shortcomings listed above.
    
    Also, the use of a test network with specific vulnerabilities catering
    to Impact's exploit list allowed us to successfully experiment with compromising
    a target.
    </review addendum>
    
    Apologies for the length - just trying to be complete. Hope this is helpful
    to all!
    
    - -Max
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 07:34:00 PDT