From: cepacolmax@hushmail.com
Date: Tue Jul 08 2003 - 20:29:36 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Now that we have cleared the air, I offer again my (previously refused)
posting in response to Glenn Wolfe's question so very long ago. To paraphrase,
Mr. Wolfe asked if anyone on the pen-test list had any experience with
the heavily advertised CORE Impact Tool. I do.
I choose to post from an anonymous email account, knowing full well that
this has some impact on my credibility. It is for this reason, in addition
to my sense of fairness, that I will endeavour to be as objective and
even-handed as possible.
The review, as presented to pen-test for posting Friday, 27 June 2003
[editied for accuracy, based on my learning between the time of the original
post and now]:
<review>
We're testing the app in-house right now. I'd have to give it a 5 out
of 10.
There is some potential here - the interface is nice, and it is appealing
to have an outside shop researching/developing new exploits.
The existing exploits are fairly well documented. Info is included as
to what service the exploits attacks, and how.
The tool lends itself nicely to a structured methodology, so that repeated
evaluations and evaluations of large numbers of hosts are sure to be
apples:apples comparisons from one test to the next.
Also, the CORE team has been very willing to help, and very accommodating.
However, there are some issues. You can't evaluate a host until you have
run network discovery and found it, and network discovery is limited
to ping sweeps, arp, tcp scans, and sniffing. There is no [obvious] way
to evaluate a host that does not get picked up by one of these tools.
[Turns out there is a way to add unprobed hosts to the target list.]
Exploits are a bit limited, and mostly cater to testing IIS. We have
a great deal of HP-UX & Solaris on our network, so this is not a very
good match at present. Also, The rate at which new exploits are delivered
currently leaves something to be desired. We've been testing the Impact
for a month now, and I haven't seen any new exploits appear in the list.
Also, the list of exploits seems to be entirely webserver oriented. There
are simply no exploit[s] for routers or firewalls or any other component
of a common network.
There are also some bugs in the software - it doesn't seem be consistently
able to recognize the NIC - One time you start the app, and all is well.
The next time you start, you may get a "network interface not found"
warning. Sometimes this can be corrected just by telling the app which
card to use[.--snip-- This may be due to Impact's use of WinPcap 2.3.]
Fingerprinting is also somewhat lacking. I just downloaded an update
today, but Impact still cannot ID half the windows[XP] boxes on my test
network.
Finally, there is the fact that we have yet to compromise a single host
using this tool. My next step is to tailor-make a vulnerable box for
one of the provided exploits, and see if Impact can penetrate it. I'll
keep you posted, if you like.
</review>
<review addendum>
Since I originally wrote the above review, we have met with the development
team at CORE, and communicated the same concerns to them.
We have been informed that a new version should be out in the near future
that will address many of the shortcomings listed above.
Also, the use of a test network with specific vulnerabilities catering
to Impact's exploit list allowed us to successfully experiment with compromising
a target.
</review addendum>
Apologies for the length - just trying to be complete. Hope this is helpful
to all!
- -Max
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAj8LYkAACgkQ6muvpb42jICoAgCfd4W6tUBVm8k9ogexDtnJYlKnhoAA
n3izLsQfKY6ZvoHeQGsNclCJvbc6
=44ng
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
---------------------------------------------------------------------------
The Lightning Console aggregates IDS events, correlates them with
vulnerability info, reduces false positives with the click of a button, anddistributes this information to hundreds of users.
Visit Tenable Network Security at http://www.tenablesecurity.com to learn
more.
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:36 EDT