From: Trygve Aasheim (trygve@pogostick.net)
Date: Thu Feb 28 2008 - 02:25:27 EST
From my standpoint, you're mixing it all together.
What does a framework like Core Impact actually give you:
- It gives you some exploits. Ok. That's one part.
- It gives you the ability to check what a legal user on a system has
access to do, and if this user can break out of its boundaries.
- It gives you the ability to test (as you say), IDS/IPS systems on
networks and hosts
- It gives you the ability to check how many of your users read spam,
and if they click on attachments - and what types of spam they will
click on.
- It gives you the ability to check if your dmz is working as it should
- or other types of network zones.
- It gives you a tool to test your webservers
- And add the stuff I wrote in my previous mail
So this means that you have a technical tool to test access control
mechanisms on hosts, logging and detection on hosts, test your security
configuration, test your users awareness of spam/malware, test your
networks logical design from a host point of view, test webservers, make
your own exploits, and a massive toolbox that supports deploying local
and remote webservers, proxies, tcp proxies, pcap and many more tools to
help you in your work.
So...still, all this can be accomplished using other tools as well. And
I do use a bunch of other tools, but what neither of them can match is
the speed Impact has on doing all these tasks. And speed saves time,
time is money and suddenly you can do all these projects within a very
short time frame - giving you time to adress the issues you've found (or
other stuff).
We've used this framework for a couple of years (together with many
other tools), and the work we've done towards production or production
related infrastructure has never (!) caused anything that can be
compared to shutting down the power. Far from it. The usual results are
in the logs, and that's it. Webscanners can create a lot more fuzz and
unforeseen consequences.
So I agree, the money numbers do not lie. This framework has saved us
and a lot of other partners a lot of money, by bringing a lot of
powerful tools into an easy to use framework - that saves time and gives
you the ability to check if your security infrastructure as a whole also
works in real life, and not just on the paper.
If you buy this just to test exploits on a host, then you can download
HD Moore's great gift to mankind instead.
But if you're hired to test a security infrastructure that includes host
security mechanisms, network security mechanisms, authority mechanisms,
human awareness and so on - and needs a framework to make a report of
everything you do from running exploit modules, sending mail, making
ssh, ftp, telnet, smb connections to what you do when working in a
shell, then Impact should be tested.
Could there be more. Absolutely!
But it's already pretty far ahead of just being an "exploitation engine".
:-)
Andre Gironda wrote:
> On Wed, Feb 27, 2008 at 1:38 PM, Trygve Aasheim <trygve@pogostick.net> wrote:
>
>> This doesn't mean I don't like or use Metasploit, Canvas or any
>> other...I just want to point out that the quality of a product is not
>> based a number, and Core Impact has proven its quality many times, and
>> in many ways.
>>
>
> The numbers show that Core Impact is superior to Canvas and Metasploit.
>
> Unfortunately, it also shows that Impact is missing quite a lot. The
> point I was trying to make is that you can't use only one exploitation
> engine.
>
> However, I also fail to see the point of using an exploitation engine
> except in the case of testing IPS/IDS or similar. In this case,
> anyone would clearly be better off using BreakingPoint Systems
> BPS-1000.
>
> Using exploits on production or IT networks is unethical. This isn't
> the wild west. You're overpaying by about $19K-$26K for what you need
> when you go with Core Impact. I don't know about ya'll, but the idea
> of propagating a pseudo-worm through a corporate network seems about
> as good of an idea as asking the power company to shut off electricity
> to a hospital for "just a minute, to see what will happen".
>
> Instead of RPT, I suggest asset management combined with regular,
> good-old fashioned vulnerability scanning. Most of the "experts" I
> know don't even understand the difference between a vulnerability and
> an exploit. More of those people don't even understand how unreliable
> exploits usually are (let alone scanning errors in vulnerability-only
> scanners).
>
> Core already lied once on this list about how many modules vs.
> exploits vs. CVE's they support. They could make anything up. The
> money numbers do not lie. Compare to Rapid7, Tenable, Lumension, or
> McAfee for yourself.
>
> If you have to raise awareness by running live exploits, try
> Metasploit. It's free. Management still not convinced? Already
> covered all the Metasploit exploits? Try Canvas, it's cheap.
> Management still not convinced? Already covered the Canvas exploits,
> too? Add an exploitation pack or two. Start writing your own
> exploits. Management still not convinced? Already covered all of the
> Canvas exploitation packs and started writing your own in-house
> exploits specific to your architecture? Maybe Core Impact will help;
> call them for a demo.
>
> I have no idea why people are so quick to jump to Core Impact first.
> You can't just throw money at these types of problems. Security is a
> very careful and gradual process.
>
> Cheers,
> Andre
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:26 EDT