From: Chris McNab (chris.mcnab@trustmatta.com)
Date: Thu Feb 28 2008 - 10:25:22 EST
Andre Gironda wrote:
> The numbers show that Core Impact is superior to Canvas and Metasploit.
>
> Unfortunately, it also shows that Impact is missing quite a lot. The
> point I was trying to make is that you can't use only one exploitation
> engine.
In the second edition of my book, Network Security Assessment
(http://books.google.com/books?id=zKhCEYRGFuYC&printsec=frontcover), I
have looked at the support for different technologies and services from
MSF, IMPACT, and CANVAS (including GLEG and Argeniss zero-day packs).
The analysis between these platforms, including details of the supported
technologies and exploit modules, is up-to-date as of October 2007.
You can flick through the Google Books edition and see what I mean. It
contains paragraphs like this:
"MSF has no exploit modules for ProFTPD at the time of writing. CORE
IMPACT supports CVE-2006-5815 (sreplace() off-by-one bug) and
CVE-2004-0346 (RETR command overflow). Immunity CANVAS does not support
any ProFTPD issues at this time."
In general, my high-level analysis is as follows:
MSF is an excellent and well maintained tool, with support for a
significant number of server software issues in particular. Useful
modules include those for AIM, CA BrightStor ARCserve, Microsoft RPC
services, and Veritas Backup Exec.
IMPACT is sometimes too easy to use and therefore can be difficult to
work with in specific environments and configurations. The number of
modules for this tool is colossal, with many useful modules for IIS,
Microsoft RPC services, Veritas, CA, and others. The issue however with
IMPACT's remote exploit modules, is that there are numerous modules that
MSF supports which IMPACT does not. IMPACT has a wide range of remote
exploit modules, but virtually all of them are for the big server
technologies (Microsoft, CA, Veritas, etc.). Where IMPACT comes into its
own is with regard to locally exploitable, and client-side
vulnerabilities. IMPACT support for client-side bugs is astounding.
CANVAS using the GLEG and Argeniss zero-day exploit packs supports a
large number of interesting remotely exploitable bugs that aren't found
in MSF or IMPACT. The tool also has some useful database (MSSQL and
Oracle) testing routines and modules that have value. However, wide and
deep support for bugs is something that CANVAS does not really cover
when compared to MSF or IMPACT.
None of these are vulnerability assessment (VA) scanners with
capabilities like Nessus; they are exploitation frameworks. You should
not be using IMPACT to run an end-to-end penetration test or assessment
process. You should use Nmap, Nessus, and other automated VA platforms
to get a clear idea of the target network and its configuration, then
use MSF/IMPACT/CANVAS to punch through that with some specific exploit
modules, and reposition.
Regards,
Chris
-- Chris McNab Technical Director Matta Consulting Limited Falstaff House 34 Bardolph Road Richmond upon Thames TW9 2LH T: 08700 77 11 00 W: www.trustmatta.com The information contained in this email is intended only for the person(s) to whom it is addressed and may contain confidential or privileged material or information that is exempt from disclosure under applicable law. Information and attachments may be used only for the purpose for which they are sent, and copying, disclosure or distribution of any information contained herein is strictly prohibited. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:26 EDT