
Alessandro Perilli on Enterprise Security


Review: Core Impact 5.0

Core Security's Impact is probably the best-known commercial tool for penetration testing.

If you are not sure what a penetration testing tool is, you can read my previous post: Introduction to Automated Penetration Testers.

The company is also widely known among security practitioners for a range of parallel work, from publishing public security advisories and research papers to hosting some very interesting security projects, parts of which are included in Impact.

After following a demo webcast about the new features Impact 5.0 offers, I was contacted by the company, as usual in these cases.
I asked if I could publish a public review of the product on Security Zero and received an enthusiastic positive answer.
I received further online, interactive training on a real installation, and a trial copy of the product, to produce the following review.


Installation and configuration
Core Impact 5.0 runs well on a Windows XP Professional machine but absolutely requires administrative privileges for installation.

As soon as you start the program you'll see a summary of the downloaded updates.
These consist of new exploits developed by Core Security, which customers can download for a full year from the day their license starts, and an updated OS fingerprinting database taken from NMap.


The update operation can be invoked manually at any time, and I strongly suggest doing so before any new penetration test.


When a new vulnerability is made public, Core Security develops a new exploit and puts it online for download within a 1-2 week timeframe.

Penetration test management is organized in Workspaces, which you can assign to individual customers or to parts of your network that must be treated in isolation.
Every workspace is encrypted using prime numbers generated from mouse movements and a user-defined passphrase.
This is an important feature, preserving confidentiality even if the machine is stolen.

Impact activity is organized in 6 phases:

  • Network Discovery

  • Attack and Penetration

  • Local Information Gathering

  • Privileges Escalation

  • Clean Up

  • Report Generation

Targets discovery
The network discovery module is developed directly by Core Security and, as mentioned above, it uses the NMap OS fingerprinting database.


You can customize the discovery to identify the applications listening on each port rather than just enumerating open ports (as NMap has been able to do for a few releases).


This module can easily replace any vulnerability scanner you already have, such as Shadow Security Scanner or eEye Retina.

Another way to find targets to attack is to import a list from port scanners and vulnerability scanners such as NMap, Nessus, Retina, LANguard and Saint.


The attack
The real attack can be configured in a very flexible way: you can choose whether to permit DoS attacks, which may freeze the target network, or to be very invasive by giving priority to privilege escalation exploits, and so on.


Impact intelligently selects which exploit to launch against a target by analyzing which ports the portscanner module found open.
But remember that this method is fooled by services running on non-standard ports, a trick some companies (rarely) use to protect certain private, critical applications.

When it finds a vulnerability in a target system it immediately exploits it by injecting an agent, and this is certainly the strength of Impact.
Agents are classified by invasiveness level from 0 to 1. A higher agent level means more attack actions are available on the target system, up to total control of the machine.



Depending on how severe the vulnerability found is, Impact will be able to inject an agent of level 0 or 1.
But if you chose a less invasive mode, it will try to inject level 0 agents everywhere. Later you will be able to upgrade an agent from level 0 to level 1.


The pre-made actions (organized in modules) offered by agents are impressive: from simple screen capture to user password dumping, keylogger installation (with remote delivery of every key pressed by users), personal firewall disabling, and DLL injection into a running process.


One of the most critical actions is the installation of the password sniffer with its packet driver.


But the most important feature of all is the capability of using an already-compromised machine (where an agent has already been injected) as the source for a new wave of attacks.
In this way every attack can be relaunched against new network segments the compromised machine is connected to, segments that are unreachable from the original attack position.

In my test environment the first penetration test victim had two network interfaces, connected to the networks 10.0.0.0 and 10.1.0.0.
The machine where Impact was installed was on the 10.0.0.0 network, and from there it was impossible to reach the 10.1.0.0 network.
Attacking and compromising the first victim made it possible to reach the second network and a second victim, compromising it too.
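To make the segmentation exposure illustrated by this scenario concrete, here is an added example (not part of the original post and not Impact's own code) that models which hosts and networks a pivot through a dual-homed host opens up. The host names, the /24 masks, the addresses and the extra isolated host are constructed assumptions; the review only gives the two network prefixes.

```python
from ipaddress import ip_interface

# Constructed inventory (host -> interface addresses in CIDR form) modelled on the
# review's test lab: the console sits on 10.0.0.0, victim-1 is dual-homed on
# 10.0.0.0 and 10.1.0.0, victim-2 lives only on 10.1.0.0. The /24 masks and the
# isolated host on 10.2.0.0 are assumptions added for illustration.
INVENTORY = {
    "impact-console": ["10.0.0.5/24"],
    "victim-1": ["10.0.0.20/24", "10.1.0.20/24"],
    "victim-2": ["10.1.0.30/24"],
    "isolated-db": ["10.2.0.40/24"],
}


def networks_of(host, inventory):
    """Set of IP networks the host has an interface on."""
    return {ip_interface(addr).network for addr in inventory[host]}


def bridging_hosts(inventory):
    """Hosts with interfaces on more than one network: each one is a potential
    bypass of the segmentation between those networks and deserves review."""
    return sorted(h for h in inventory if len(networks_of(h, inventory)) > 1)


def reachable_from(start, inventory):
    """Hosts and networks reachable from `start` when every host reached can in
    turn be used as the source of the next attack wave (the agent pivot the
    review describes). Reachability is purely 'shares a network'; firewalls
    and host-based filtering are not modelled, so this is an upper bound."""
    hosts = {start}
    nets = networks_of(start, inventory)
    changed = True
    while changed:  # iterate to a fixed point: each new host may expose new networks
        changed = False
        for host in inventory:
            if host not in hosts and networks_of(host, inventory) & nets:
                hosts.add(host)
                nets |= networks_of(host, inventory)
                changed = True
    return hosts, {str(n) for n in nets}


def without_interface(inventory, host, addr):
    """Copy of the inventory with one interface removed from `host`, to estimate
    what decommissioning that link (or firewalling it) would buy."""
    return {h: [a for a in ifs if not (h == host and a == addr)]
            for h, ifs in inventory.items()}


if __name__ == "__main__":
    print("bridging hosts:", bridging_hosts(INVENTORY))
    print("reach from console:", reachable_from("impact-console", INVENTORY))
    trimmed = without_interface(INVENTORY, "victim-1", "10.1.0.20/24")
    print("reach if victim-1 loses its 10.1.0.0 link:", reachable_from("impact-console", trimmed))
```

Run against a real inventory export, the same functions rank which dual-homed hosts most enlarge the blast radius of a single compromise.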


Every single module is developed in Python, and Core Security offers customers the chance to create their own modules and integrate them into Impact. Obviously appropriate know-how is required to do so.

As of today attacks cannot be scheduled in any way, and this is really a pity since Impact can already record an attack sequence with the Macro Wizard.


Anyway, Core Security could consider introducing this feature in a future release if customers start asking for it.

Meanwhile you could try to drive Impact with third-party automation tools like Automate.


Information gathering
When an agent is installed on a target machine, customers can request as much information about that machine as they want: which OS patches are installed, locally running services, installed applications, etc.
This is where you will eventually find the data you are looking for.


Agents clean-up
At the end of the penetration test you can launch a clean-up procedure that removes every agent installed on the victims, reverting the environment to its original state.



Reporting
The reporting module is really complete. It is able to extract the data and arrange it into four different kinds of reports aimed at different audiences, from the executive manager to the security manager.

The report is generated by the embedded Crystal Reports engine from BusinessObjects and can be viewed with the embedded Crystal Reports Viewer.
You can then print it or save it in many formats: PDF, HTML, XML, RPT (Crystal Reports), XLS, DOC, etc. It can even be written to a database via ODBC.

Here is an example.


Pricing
Core Security typically offers a one-year unlimited license, able to scan as many IPs as the customer wants and including product updates, training, maintenance and support.
After the year you can still use the product but no longer receive exploit updates.

The price for such a license is $25,000 USD.

Even if the price seems high, the cost of a single outsourced penetration test on a complex environment can go far beyond it.


The bottom line
Core Impact is a truly complex product with huge potential; it has a very steep learning curve, yet you need only a few hours to handle the basic features with confidence.
With these characteristics, the product has a price worth paying.

In the end I strongly recommend it to companies that have implemented or are implementing a security assessment plan for their infrastructure, particularly if it is very extensive.
I would also recommend it to consulting companies offering a penetration testing service.