Last week I spoke at a local security professionals user group about Automated Penetration Testing with CORE IMPACT (from Core Security Technologies). There have been some great developments in the automated penetration testing area recently with commercial tools like CORE IMPACT and Immunity’s CANVAS. However, let’s not forget about recent advancements in open source solutions like Metasploit 3. All of these products perform automated penetration testing.
Instead of posting my slide deck I will highlight some of the key points below. Note that this is presented from the perspective of a customer; it was not a sales pitch for CORE IMPACT, even though they do have a great product. Next month I will be speaking about Metasploit 3, specifically the autopwn feature, which automates exploiting network hosts. One thing I want to mention: automated penetration testing should never replace detailed manual penetration testing! Use these tools to supplement your tool kit, not to replace it!
First, some background on automated penetration testing tools:
What makes a good penetration testing framework?
A framework should be platform independent, meaning it can be installed on Windows, Mac, or Linux. A good exploit collection with regular updates is also important. Third, an intuitive and robust GUI should be included; this is really to make sure everyone on your pen test team can quickly pick up the product and use it with very little training. Next, you need the ability to add new exploits! This is important because you may need to create an exploit for a custom application, or even for a new vulnerability that you discover. Along the same line, the product should be open source, or at least let you view and customize the exploit code. Finally, good reporting tools should be included, since report generation is one of the challenges of pen testing.
What frameworks are available?
Several commercial and open source penetration testing frameworks are available. Ones listed towards the bottom of this list are more specialized (for example, there are ones specific to web application testing and email gateway testing).
Open Source Tools
-Attack Tool Kit
-BeEF (Browser Exploitation Framework)
-PIRANA (email content filtering framework)
-w3af (Web Application Attack and Audit Framework)
What is CORE IMPACT?
CORE IMPACT is a commercial penetration testing framework. The product follows a common pen test methodology:
-Attack and Penetration
-Clean Up and Reporting
CORE IMPACT provides network, client-side and web (SQL injection and PHP remote file inclusion) RPT (Rapid Penetration Test) functions. It is easy to use (almost too easy) and is safe because all the exploits are tested by the CORE IMPACT development team before being released to customers. In addition, you can develop your own custom modules and exploits in the Python scripting language. Finally, let’s not forget about the pretty reports that CORE IMPACT can give you via a Crystal Reports back end.
How does it work?
You basically launch agents and modules against target systems from the console.
Agents - Small programs you install on compromised systems and use to advance an attack. These agents are memory resident (think Metasploit’s meterpreter). Higher agent levels give you additional functionality (for example, pivoting).
Modules - Operations that can be launched against target systems. Examples: OS fingerprinting, port scanning, and targeted exploits.
You can also view detailed information about target systems. CORE IMPACT also keeps a record of all activity, module output, and the results of attacks. Good to know if you ever need to go back and prove that it wasn’t you who crashed a system or network device! 🙂
Hands down, pivoting is the highlight of the product. For example, you can compromise a host in a DMZ, like a web server, and then use that host to scan and attack other hosts on an internal network. You can do this with Metasploit and Netcat as well, but CORE IMPACT does it much more smoothly. Some other features worth mentioning:
-Collect Windows password hashes in-memory
-Log keystrokes, sniff passwords and hashes
-Collect saved login credentials from popular applications such as Internet Explorer, Firefox and MSN
-Install agents using valid user name/password or user name/hash combinations
-MSRPC fragmentation and traffic encryption (Test IDS/IPS defenses)
-Ability to import vulnerability scan data (Nessus, Qualys)
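To make the pivoting described above concrete, here is an added example (not code from the original post and not CORE IMPACT’s or Core Security’s code) of a bare-bones TCP relay in Python. This is the mechanism that an agent on the compromised DMZ host, or a Netcat relay, provides: the attacker connects only to the pivot, and the pivot opens the connection to the internal host and copies bytes in both directions. All three roles (internal service, relay, attacker) run on 127.0.0.1 here so the script works offline; the "internal" service and its banner are constructed for the demo.

```python
"""Minimal TCP pivot: what 'use a compromised DMZ host to reach the internal
network' means at the socket level. Added demo, not CORE IMPACT code.
All three roles (internal service, relay, attacker) run on 127.0.0.1 here so
the script works offline; the service and its banner are constructed."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_pivot(listen_host, listen_port, target_host, target_port):
    """Listen on the pivot host and relay every accepted connection to
    (target_host, target_port). Returns the port actually bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)   # connect timeout only; relaying blocks normally
            except OSError:
                client.close()              # target unreachable: the attacker just sees EOF
                continue
            # One thread per direction; each half-closes its peer when its source ends.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_banner_service(banner):
    """Stand-in for an internal-only service (constructed for the demo):
    it sends a banner and closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, limit=256, timeout=3):
    """Connect and read what the service says first (b'' if it says nothing or
    is unreachable). The same call works aimed at the pivot or at the real host."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            while sum(len(c) for c in chunks) < limit:
                data = s.recv(limit)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        pass
    return b"".join(chunks)


def demo():
    """The attacker grabs the internal host's banner while only ever
    connecting to the pivot's address and port."""
    internal_port = start_banner_service(b"SSH-2.0-OpenSSH_4.3 internal\r\n")
    pivot_port = start_pivot("127.0.0.1", 0, "127.0.0.1", internal_port)
    return grab_banner("127.0.0.1", pivot_port)


if __name__ == "__main__":
    print(demo())
```

In a real engagement the relay runs on the DMZ host and binds that host’s address; the attacker then points a port scanner or exploit at the pivot port and every connection is answered by the internal target. This demo relays to a single fixed target per listening port, which is roughly what a Netcat relay gives you; the agents in CORE IMPACT (and Metasploit routes through meterpreter) generalize this so that any internal address can be reached through the same compromised host, which is the part that makes the product’s pivoting feel so much smoother.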
CORE IMPACT comes pretty close to perfect; however, I have found a few limitations:
Importing external vulnerability data can be slow and buggy. If you have very large Nessus NBE files, they can take a long time to import, and I have had the console crash while importing large amounts of data. On that note, the console is sometimes unstable. This was a big problem in version 6; version 7 is much more stable. When the console crashes, all of your agents disconnect. Do you know Python? If so, great! If not, you should learn it if you want to tear apart existing exploits or create your own.
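Since the NBE import is the slow and fragile step, one practical workaround is to trim the export before the console ever sees it. The following is an added example in Python (it is not part of CORE IMPACT and not the author’s code; the NBE records, addresses and plugin IDs are constructed for the demo) that streams a Nessus NBE file one line at a time and keeps only the findings at or above a chosen severity, producing a smaller but still well-formed NBE file. It also shows the two parsing details that bite with real exports: descriptions can contain unescaped pipes, and newlines inside them are escaped as a literal backslash-n.

```python
"""Stream-filter a Nessus NBE export before handing it to a pen-test console.
Added example, not CORE IMPACT code; the NBE records below are constructed."""
from collections import defaultdict

# NBE is line-oriented and pipe-delimited. Result records look like:
#   results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>
# Other record types (timestamps) carry no findings. In the description,
# newlines are escaped as a literal backslash-n and a pipe may appear
# unescaped, so a line must be split into at most 7 fields, not on every pipe.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Jun  4 10:02:11 2007|
timestamps||192.168.10.5|host_start|Mon Jun  4 10:02:12 2007|
results|192.168.10|192.168.10.5|ssh (22/tcp)|90001|Security Note|SSH banner: SSH-2.0-OpenSSH (constructed)
results|192.168.10|192.168.10.5|microsoft-ds (445/tcp)|90002|Security Hole|Unpatched SMB service (constructed)\\nSolution: apply the vendor patch
results|192.168.10|192.168.10.5|www (80/tcp)|90003|Security Warning|Directory listing enabled on / (constructed)
timestamps||192.168.10.5|host_end|Mon Jun  4 10:09:40 2007|
timestamps||192.168.10.7|host_start|Mon Jun  4 10:02:12 2007|
results|192.168.10|192.168.10.7|general/tcp|90004|Log Message|Host answers ICMP echo (constructed)
results|192.168.10|192.168.10.7|ftp (21/tcp)|90005|Security Hole|Anonymous FTP write access | incoming dir is world-writable (constructed)
timestamps||192.168.10.7|host_end|Mon Jun  4 10:05:03 2007|
timestamps|||scan_end|Mon Jun  4 10:09:41 2007|
"""

SEVERITY_RANK = {"Log Message": 0, "Security Note": 1,
                 "Security Warning": 2, "Security Hole": 3}


def nbe_lines(text):
    """Split an in-memory export into lines (a real run iterates the open file)."""
    return text.splitlines()


def parse_result(line):
    """Return a finding dict for a 'results' record, else None."""
    line = line.rstrip("\r\n")
    if not line.startswith("results|"):
        return None
    parts = line.split("|", 6)          # cap the split: the description may hold pipes
    if len(parts) < 7:
        return None                     # truncated record: skip it, don't abort the import
    _, subnet, host, port, plugin_id, severity, description = parts
    return {"subnet": subnet, "host": host, "port": port, "plugin_id": plugin_id,
            "severity": severity, "description": description.replace("\\n", "\n")}


def meets(severity, min_severity):
    """True if severity is at or above min_severity; unknown labels never pass."""
    return SEVERITY_RANK.get(severity, -1) >= SEVERITY_RANK[min_severity]


def summarize(lines, min_severity="Security Warning"):
    """Per-host list of (port, plugin_id) at or above min_severity.
    Single pass over the file, so memory grows with hosts, not with file size."""
    per_host = defaultdict(list)
    for line in lines:
        finding = parse_result(line)
        if finding and meets(finding["severity"], min_severity):
            per_host[finding["host"]].append((finding["port"], finding["plugin_id"]))
    return dict(per_host)


def filter_nbe(lines, min_severity="Security Warning"):
    """Yield the lines of a smaller but still valid NBE file: non-result records
    pass through untouched, result records are kept only at/above min_severity,
    and malformed result records are dropped."""
    for line in lines:
        line = line.rstrip("\r\n")
        finding = parse_result(line)
        if finding is None and not line.startswith("results|"):
            yield line                  # timestamps etc.: keep the file structure intact
        elif finding and meets(finding["severity"], min_severity):
            yield line


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python filter_nbe.py scan.nbe > scan-holes.nbe
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            for kept in filter_nbe(fh, "Security Hole"):
                print(kept)
    else:
        for kept in filter_nbe(nbe_lines(SAMPLE_NBE), "Security Hole"):
            print(kept)
```

Run against a real export, the script writes only the "Security Hole" records plus the surrounding timestamp records, which is all a quick exploitation pass needs; the notes and warnings stay in the original file for the manual review that the product does not replace.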
CORE IMPACT won’t tell you everything that can be exploited on a host! It is designed to quickly exploit a host and get you root or admin access. If there are other ways in, or other misconfigurations, the product will probably miss them. Hence you still need to do manual penetration testing of your network and have a detailed vulnerability scan completed as part of each assessment.
Finally, CORE IMPACT is expensive! If you work for a small company you may not be able to afford it. However, if you think about how much a third-party penetration test would cost your company per year, you could easily justify the cost of doing this on your own.
CORE IMPACT is a fantastic product. If you need to quickly conduct a penetration test to assess your environment, CORE IMPACT will efficiently and safely do the job for you. However, it is expensive, so you may have a hard time justifying the cost to your company. If cost is an issue, Metasploit 3 or another open source product may be a better option.
2 thoughts on “Automated Penetration Testing with CORE IMPACT”
You forgot about SAINT.
I personally have had little luck on "real" networks using Core, Canvas or SAINT. By real I mean networks that aren’t vuln to DCOM and are actually patching and hardening. Not saying anything bad about any of the products, just something to keep in mind when it’s time to put those tools to the test in a real environment. If you have had success I’d be interested to hear/read about it.
Good call on SAINT. I always thought that SAINT was just a vulnerability scanner like Nessus but I do see that they have a penetration testing tool called "SAINTexploit" integrated in the product. I would be interested in hearing how this product differs from CORE or Canvas.
You are right, CORE doesn’t do well with patched and hardened hosts. However, I have found that the client side exploits are really the best part of the product. Just having the ability to email "fake" phishing emails or SPAM to users and exploit the local system pays for itself. Sure, you can do this on your own without CORE but having everything integrated into a single product speeds things up. I have successfully used CORE to test the "human element" and it does this very well.