Re: Product Review - CORE Impact

From: Kurt Seifried (bt@seifried.org)
Date: Wed Jul 09 2003 - 02:38:58 EDT


OB Disclaimer: I wrote the original set of documentation for Core Impact,
however I currently have no formal business ties to them (in other words I
ain't being paid to say this). I am cc'ing this to
maximiliano.caceres@coresecurity.com as there are several suggestions for
improvements.

This review sort of hits one of the big problems I saw with Core IMPACT,
primarily that people compare it directly to other pen testing tools, which
typically are just banner harvesting tools (i.e. Nessus) and not actually
"exploit the service, and run shell code on the remote end".

> There is some potential here - the interface is nice, and it is appealing
> to have an outside shop researching/developing new exploits.
>
> The existing exploits are fairly well documented. Info is included as
> to what service the exploits attacks, and how.

And there is the source code, in Python, which is quite readable. I don't
believe many other proprietary apps give such access to the exploits,
something to consider (you have a higher degree of assurance as to what
exactly the program is doing).

> The tool lends itself nicely to a structured methodology, so that repeated
> evaluations and evaluations of large numbers of hosts are sure to be
> apples:apples comparisons from one test to the next.

As well you can easily verify results, and have a good audit trail in case
something weird turns up (or doesn't turn up).

> Also, the CORE team has been very willing to help, and very accommodating.
> However, there are some issues. You can't evaluate a host until you have
> run network discovery and found it, and network discovery is limited
> to ping sweeps, arp, tcp scans, and sniffing. There is no [obvious] way
> to evaluate a host that does not get picked up by one of these tools.
> [Turns out there is a way to add unprobed hosts to the target list.]

You can add hosts or import them (i.e. import a previous workspace that
contains a list of all the hosts at your site or whatever). This needs to be
better documented, agreed.

> Exploits are a bit limited, and mostly cater to testing IIS. We have
> a great deal of HP-UX & Solaris on our network, so this is not a very
> good match at present. Also, The rate at which new exploits are delivered
> currently leaves something to be desired. We've been testing the Impact
> for a month now, and I haven't seen any new exploits appear in the list.

Have you run the update tool (and do you have access to the updates)?

As to new exploits, this is of course limited by the resources at Core, which
like any company are finite. As well, depending on your needs/skill level you
can write your own exploits; Core has a developer's guide, and all you need is
some Python knowledge and exploit knowledge, since most of the "hard" stuff is
done via library calls (i.e. libegg, which actually creates your shell
code/etc., reducing toil enormously). The tool is STRONGLY designed to allow
end users to add their own exploits with relative ease.

Also it is important to remember that these exploits actually compromise the
service; they don't just run a banner harvesting tool (as many products do)
and identify it as vulnerable, they actually compromise the vulnerable
service. This makes exploits a bit more work to create.

> Also, the list of exploits seems to be entirely webserver oriented. There
> are simply no exploit[s] for routers or firewalls or any other component
> of a common network.

Huh? They have extensive support for SSH exploits (having corrected at least
one flaw, and accidentally introducing a flaw when that flaw was corrected =).
This is one of the more "reliable" services to find on network components.
There are also Bind, lprng, ntpd, rpc, samba, sendmail, telnetd,
ttdbserverd, wuftpd and so on exploits.

> There are also some bugs in the software - it doesn't seem be consistently
> able to recognize the NIC - One time you start the app, and all is well.
> The next time you start, you may get a "network interface not found"
> warning. Sometimes this can be corrected just by telling the app which
> card to use[.--snip-- This may be due to Impact's use of WinPcap 2.3.]

Yup.

> Fingerprinting is also somewhat lacking. I just downloaded an update
> today, but Impact still cannot ID half the windows[XP] boxes on my test
> network.
>
> Finally, there is the fact that we have yet to compromise a single host
> using this tool. My next step is to tailor-make a vulnerable box for
> one of the provided exploits, and see if Impact can penetrate it. I'll
> keep you posted, if you like.
> </review>

I've used the exploits in Core to break into systems; they work. The agents
are also remarkably reliable (considering they are only a few hundred bytes
in size at their smallest).

> <review addendum>
> Since I originally wrote the above review, we have met with the development
> team at CORE, and communicated the same concerns to them.

Good.

> We have been informed that a new version should be out in the near future
> that will address many of the shortcomings listed above.

Good.

> Also, the use of a test network with specific vulnerabilities catering
> to Impact's exploit list allowed us to successfully experiment with
> compromising a target.
> </review addendum>
>
> Apologies for the length - just trying to be complete. Hope this is helpful
> to all!
>
> - -Max

I think it's also important to add that this isn't just a penetration
testing tool, it's a framework for developing penetration testing. Using
Core Impact you can apply your specific business needs, i.e. internal best
practices; Core will let you do pretty much what you want. As well, because
of the framework/infrastructure and the documentation provided, it has the
ability to let users add their own exploits, again not something most
commercial tools allow easily.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:36 EDT