Re: Product Review - CORE Impact

From: Ivan Arce (ivan.arceat_private)
Date: Wed Jul 09 2003 - 15:28:52 PDT


    Hi,
     I would like to thank cepacolmaxat_private for his review
    and comments on our product, CORE IMPACT.
    
    Given the public interest on the product I will attempt to clarify
    IMPACT's capabilities and features. The reader might choose to
    sign up for an online demo at our website to learn more
    about it (http://www.coresecurity.com) or ignore the rest of
    this email if not really interested in it.
    
    Keep in mind that *I work for Core* but the following is just a
    description of features and ongoing plans, I will try my best to avoid
    blatantly plugging the product or content-free remarks.
    
    And besides the product itself, I believe that the rationale for some
    features explained below can trigger some interesting conversation about
    penetration testing techniques and real world experiences, which surprisingly
    has not been part of regular discussions in the list lately.
    
    To the moderator: I suspect that this email belongs to the product's tech
    support mailing list but since some of its perceived strengths and weaknesses
    are discussed publicly, I would think it is fair to let me elaborate on them.
    
    If not, I will understand.
    
    -ivan
    
    >We're testing the app in-house right now. I'd have to give it a 5 out
    >of 10.
    >
    >There is some potential here - the interface is nice, and it is appealing
    >to have an outside shop researching/developing new exploits.
    >The existing exploits are fairly well documented. Info is included as
    >to what service the exploit attacks, and how.
    >The tool lends itself nicely to a structured methodology, so that repeated
    >evaluations and evaluations of large numbers of hosts are sure to be
    >apples:apples comparisons from one test to the next.
    >Also, the CORE team has been very willing to help, and very accommodating.
    
    Thanks, it is always fulfilling to know that our team is causing a good
    impression to both our existing and future customers :)
    
    >
    >
    >However, there are some issues. You can't evaluate a host until you have
    >run network discovery and found it, and network discovery is limited
    
    Actually, you can't evaluate a host until it is present in the entity view
    window of IMPACT. The entity view represents the product's knowledge of its
    environment and shows networks, hosts and deployed agents. Note that there are
    several ways to populate the entity view and many more can be added (network
    discovery is just one of them).
    
    As of v3.1 the entity view db can be populated by:
     1. Using network discovery modules, these are as you pointed out:
          ICMP echo network discovery
          TCP connect discovery
          ARP "who has" discovery
          Passive network sniffing
     2. Manually using the "New host" module in the "Misc" module folder
     3. Directly from a DNS server using the "DNS Zone Transfer" module
        in the "Information Gathering/DNS" folder
     4. From Nessus or Nmap output files using the "Nessus output
        interpreter" or "Nmap output interpreter" modules in the
        "Misc" folder
    
    Ultimately remember that IMPACT modules are just editable python files, so
    any other suitable way to populate the entity view can be added easily
    (e.g. read IP/hostnames directly from a file). We are open to your suggestions
    for new modules in this area.
    
    >to ping sweeps, arp, tcp scans, and sniffing. There is no way to evaluate
    >a host that does not get picked up by one of these tools.
    >
    >Exploits are a bit limited, and mostly cater to testing IIS. We have a
    >great deal of HP-UX & Solaris on our network, so this is not a very
    
    As of v3.1, IMPACT supports MS Windows (2k, XP, NT4), Linux and OpenBSD on
    Intel architectures and Solaris on Sparc. HP-UX is not yet there, but we are
    considering adding new platforms (based on our customer feedback of this
    sort).
    
    >good match at present. Also, The rate at which new exploits are delivered
    >currently leaves something to be desired. We've been testing the Impact
    >for a month now, and I haven't seen any new exploits appear in the list.
    
    That's right :)
    For the past month or so we were committed to improving the reliability and
    usefulness of our existing module base. Almost all windows and unix modules
    have been updated.
    Upon successful exploitation of a vulnerability, an IMPACT module deploys an
    agent in the newly compromised host; this agent is actually in the payload of
    the exploit and allows the user to execute system calls on the compromised
    host. No file upload, download or shell spawning shellcode is needed or used.
    However, this new agent needs some sort of connection with the agent that
    launched the exploit module (generally the console but possibly some other
    agent on a different host).
    
    Our recent work in this area was directed at making it possible for all
    exploit modules to deploy agents that can:
     . receive a TCP connection from the agent that launched the module (typical,
       simplest scenario)
     . open a connection back to the agent that launched the remote exploit
       module (this is useful for scenarios where you need to establish an
       outgoing connection due to firewall restrictions on inbound packets)
     . reuse the socket of an existing connection (i.e. the established http
       session just used to exploit a vulnerability; right now we support this
       for unix targets only).
    >
    >Also, the list of exploits seems to be entirely webserver oriented. There
    >are simply no exploits for routers or firewalls or any other component
    >of a common network.
    
    As of v3.1, IMPACT has 42 remote exploits and 18 local (privilege escalation)
    exploits as well as some other useful tools (fake SMB server, fake web server,
    password sniffer, ARP spoofer, windows service manager, pcap server, injection
    of agents into running processes, etc.).
    
    Of the 42 remotes, 12 are webserver oriented. The rationale behind that is
    that generally traffic to a webserver is allowed through firewalls, so a
    degree of focus on webserver exploits is desired for external pentesting
    capabilities. Other generally open services are of interest as well (e.g. DNS,
    SSH, ftp, etc.)
    
    So while exploit support for routers and firewalls makes a lot of sense on
    certain scenarios, keep in mind that from the perspective of both internal or
    external pentests, going directly at the servers will give more 'bang for the
    buck' in the short term.
    Support for deploying agents on routers or other appliances is something we
    evaluate based on feedback from our customers (in fact we've discussed
    internally about routers, printers, web enabled cameras, and other ip capable
    gizmos), and we are carefully considering which such improvement opportunities
    to pursue. Your feedback is certainly a good indication of what should be
    considered for future versions or module updates.
    
    >
    >There are also some bugs in the software - it doesn't seem to be consistently
    >able to recognize the NIC - One time you start the app, and all is well.
    >
    >The next time you start, you may get a "network interface not found"
    >warning. Sometimes this can be corrected just by telling the app which
    >card to use, but on some installations the list of NICs within the app
    >is blank, even though other apps can see and use it. In this particular
    >case, the NIC is not something highly irregular - just an old Intel PCI
    >NIC.
    
    This is most likely due to a known problem interacting with pcap. IMPACT uses
    pcap 2.3 and interacts badly with pcap 3.0 or products that install it.
    Generally you need to make sure that you only have one pcap installed (v2.3)
    and to reboot your computer after installing IMPACT. If that does not solve
    the problem, we would gladly work with you to find a different solution.
    
    >Fingerprinting is also somewhat lacking. I just downloaded an update
    >today, but Impact still cannot ID half the windows boxes on my test network.
    
    Yep, you are right there. Our OS detection by stack fingerprinting module is
    lacking; I attribute this mainly to the small DB of fingerprints we have at
    the moment. This is something we are addressing. We will have news about this
    very soon.
    
    >
    >Finally, there is the fact that we have yet to compromise a single host
    >using this tool. My next step is to tailor-make a vulnerable box for
    >one of the provided exploits, and see if Impact can penetrate it. I'll
    >keep you posted, if you like.
    
    Certainly, keep us posted!
    
    -ivan
    
    ---
    Perscriptio in manibus tabellariorum est
    Noli me vocare, ego te vocabo
    
    Ivan Arce
    CTO
    CORE SECURITY TECHNOLOGIES
    
    46 Farnsworth Street
    Boston, MA 02210
    Ph: 617-399-6980
    Fax: 617-399-6987
    ivan.arceat_private
    www.coresecurity.com
    
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
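The message above lists reading Nmap output files, and the suggestion of reading IP/hostnames straight from a file, as ways of populating IMPACT's entity view. What follows is an added example and not code from Ivan's email or from the IMPACT product (whose module API does not appear on the page): a stand-alone Python inventory builder that parses Nmap's grepable (-oG) output and a plain host-list file, then merges both into one host view keyed by IP address. The scan text and host list embedded below are constructed sample data, not output of a real scan.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Host:
    """One inventory entry (the role an entity-view record plays)."""
    ip: str
    hostname: str = ""
    status: str = "unknown"                          # "up", "down" or "unknown"
    open_ports: list = field(default_factory=list)   # (port, proto, service)


IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# One entry of Nmap's grepable Ports field: port/state/proto/owner/service/rpc/version/
# The lazy version group plus the lookahead keeps a comma inside a version
# string (common in banners) from being mistaken for the entry separator.
PORT_ENTRY = re.compile(
    r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/(.*?)/(?=, \d+/|$)")


def parse_host_list(text):
    """Plain text inventory: one 'ip [hostname]' per line, '#' starts a comment."""
    hosts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if not IPV4.match(tokens[0]):
            raise ValueError(f"line {lineno}: {tokens[0]!r} is not an IPv4 address")
        hostname = tokens[1] if len(tokens) > 1 else ""
        hosts[tokens[0]] = Host(tokens[0], hostname)
    return hosts


def parse_nmap_grepable(text):
    """Nmap -oG output: 'Host: <ip> (<name>)' followed by tab-separated 'Key: value' fields."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '# Nmap ...' comment lines
        fields = line.split("\t")
        m = re.match(r"Host:\s+(\S+)\s+\((.*?)\)", fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip))
        if hostname and not host.hostname:
            host.hostname = hostname
        for fld in fields[1:]:
            key, _, value = fld.partition(":")
            value = value.strip()
            if key == "Status":
                host.status = value.lower()
            elif key == "Ports":
                for entry in PORT_ENTRY.finditer(value):
                    port, state, proto, _owner, service, _rpc, _version = entry.groups()
                    if state == "open":   # closed/filtered ports are not inventory
                        host.open_ports.append((int(port), proto, service))
    return hosts


def merge_inventories(*inventories):
    """Union of several sources keyed by IP; later sources fill in a missing
    hostname and a known status, and open ports are accumulated without duplicates."""
    merged = {}
    for inv in inventories:
        for ip, h in inv.items():
            cur = merged.setdefault(ip, Host(ip))
            if h.hostname and not cur.hostname:
                cur.hostname = h.hostname
            if h.status != "unknown":
                cur.status = h.status
            for p in h.open_ports:
                if p not in cur.open_ports:
                    cur.open_ports.append(p)
    return merged


# Constructed sample inputs (not real scan results).
SAMPLE_HOST_LIST = """
# lab inventory, maintained by hand
10.0.0.5   www.lab.example
10.0.0.7   db.lab.example
"""

SAMPLE_GNMAP = (
    "# Nmap (version) scan initiated (date) as: nmap -sV -oG lab.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.5 (www.lab.example)\tStatus: Up\n"
    "Host: 10.0.0.5 (www.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH/, "
    "80/open/tcp//http//Apache httpd, mod_ssl/, 443/closed/tcp//https///\t"
    "Ignored State: closed (997)\n"
    "Host: 10.0.0.6 ()\tStatus: Down\n"
    "# Nmap done -- 8 IP addresses (1 host up) scanned\n"
)


def build_inventory():
    """Populate one inventory from both sources, as a module feeding an entity view would."""
    return merge_inventories(parse_host_list(SAMPLE_HOST_LIST),
                             parse_nmap_grepable(SAMPLE_GNMAP))


if __name__ == "__main__":
    for ip, h in sorted(build_inventory().items()):
        print(f"{ip:<12} {h.hostname or '-':<18} {h.status:<8} {h.open_ports}")
```

The merge keeps a manually listed host even when the scan never saw it (10.0.0.7 stays with status "unknown"), which is exactly the gap the reviewer complained about: a host the discovery step misses should still be something you can track and later test.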
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 15:45:20 PDT