Re: Product Review - CORE Impact

From: Ivan Arce (ivan.arce@coresecurity.com)
Date: Wed Jul 09 2003 - 18:28:52 EDT


Hi,
 I would like to thank cepacolmax@hushmail.com for his review
and comments on our product, CORE IMPACT.

Given the public interest in the product I will attempt to clarify
IMPACT's capabilities and features. The reader might choose to
sign up for an online demo at our website to learn more
about it (http://www.coresecurity.com) or ignore the rest of
this email if not really interested in it.

Keep in mind that *I work for Core*, but the following is just a
description of features and ongoing plans; I will try my best to avoid
blatantly plugging the product or content-free remarks.

And besides the product itself, I believe that the rationale for some
features explained below can trigger some interesting conversation about
penetration testing techniques and real world experiences, which surprisingly
have not been part of regular discussions on the list lately.

To the moderator: I suspect that this email belongs on the product's tech
support mailing list, but since some of its perceived strengths and weaknesses
are discussed publicly, I would think it is fair to let me elaborate on them.

If not, I will understand.

-ivan

>We're testing the app in-house right now. I'd have to give it a 5 out
>of 10.
>
>There is some potential here - the interface is nice, and it is appealing
>to have an outside shop researching/developing new exploits.
>The existing exploits are fairly well documented. Info is included as
>to what service the exploit attacks, and how.
>The tool lends itself nicely to a structured methodology, so that repeated
>evaluations and evaluations of large numbers of hosts are sure to be
>apples:apples comparisons from one test to the next.
>Also, the CORE team has been very willing to help, and very accommodating.

Thanks, it is always fulfilling to know that our team is causing a good
impression to both our existing and future customers :)

>
>
>However, there are some issues. You can't evaluate a host until you have
>run network discovery and found it, and network discovery is limited

Actually, you can't evaluate a host until it is present in the entity view
window of IMPACT. The entity view represents the product's knowledge of its
environment and shows networks, hosts and deployed agents. Note that there are
several ways to populate the entity view and many more can be added (network
discovery is just one of them).

As of v3.1 the entity view db can be populated by:
 1. Using network discovery modules, these are as you pointed out:
   ICMP echo network discovery
   TCP connect discovery
   ARP "who has" discovery
   Passive network sniffing
 2. Manually using the "New host" module in the "Misc" module folder
 3. Directly from a DNS server using the "DNS Zone Transfer" module
    in the "Information Gathering/DNS" folder
 4. From Nessus or Nmap output files using the "Nessus output
    interpreter" or "Nmap output interpreter modules" in the
    "Misc" folder

Ultimately remember that IMPACT modules are just editable Python files, so
any other suitable way to populate the entity view can be added easily
(e.g. read IP/hostnames directly from a file). We are open to your suggestions
for new modules in this area.

>to ping sweeps, arp, tcp scans, and sniffing. There is no way to evaluate
>a host that does not get picked up by one of these tools.
>
>Exploits are a bit limited, and mostly cater to testing IIS. We have a
>great deal of HP-UX & Solaris on our network, so this is not a very

As of v3.1, IMPACT supports MS Windows (2k, XP, NT4), Linux and OpenBSD on
Intel architectures and Solaris on Sparc. HP-UX is not yet there, but we are
considering adding new platforms (based on customer feedback of this sort).

>good match at present. Also, The rate at which new exploits are delivered
>currently leaves something to be desired. We've been testing the Impact
>for a month now, and I haven't seen any new exploits appear in the list.

That's right :)
For the past month or so we were committed to improving the reliability and
usefulness of our existing module base. Almost all Windows and Unix modules
have been updated.
Upon successful exploitation of a vulnerability, an IMPACT module deploys an
agent in the newly compromised host; this agent is actually in the payload of
the exploit and allows the user to execute system calls on the compromised
host. No file upload, download or shell spawning shellcode is needed or used.
However, this new agent needs some sort of connection with the agent that
launched the exploit module (generally the console but possibly some other
agent on a different host).

Our recent work in this area was directed at making it possible for all
exploit modules to deploy agents that can:
 . receive a TCP connection from the agent that launched the module (typical,
   simplest scenario)
 . open a connection back to the agent that launched the remote exploit
   module (this is useful for scenarios where you need to establish an
   outgoing connection due to firewall restrictions on inbound packets)
 . reuse the socket of an existing connection (i.e. the established HTTP
   session just used to exploit a vulnerability; right now we support this
   for Unix targets only).
>
>Also, the list of exploits seems to be entirely webserver oriented. There
>are simply no exploits for routers or firewalls or any other component
>of a common network.

As of v3.1, IMPACT has 42 remote exploits and 18 local (privilege escalation)
exploits as well as some other useful tools (fake SMB server, fake web server,
password sniffer, ARP spoofer, Windows service manager, pcap server, injection
of agents into running processes, etc.).

Of the 42 remotes, 12 are webserver oriented. The rationale behind that is
that traffic to a webserver is generally allowed through firewalls, so a
degree of focus on webserver exploits is desired for external pentesting
capabilities. Other generally open services are of interest as well (e.g.
DNS, SSH, FTP, etc.).

So while exploit support for routers and firewalls makes a lot of sense in
certain scenarios, keep in mind that from the perspective of both internal and
external pentests, going directly at the servers will give more 'bang for the
buck' in the short term.
Support for deploying agents on routers or other appliances is something we
evaluate based on feedback from our customers (in fact we've discussed
routers, printers, web enabled cameras and other IP capable gizmos
internally), and we are carefully considering which such improvement
opportunities to pursue. Your feedback is certainly a good indication of what
should be considered for future versions or module updates.

>
>There are also some bugs in the software - it doesn't seem to be consistently
>able to recognize the NIC - One time you start the app, and all is well.
>
>The next time you start, you may get a "network interface not found"
>warning. Sometimes this can be corrected just by telling the app which
>card to use, but on some installations the list of NICs within the app
>is blank, even though other apps can see and use it. In this particular
>case, the NIC is not something highly irregular - just an old Intel PCI
>NIC.

This is most likely due to a known problem interacting with pcap. IMPACT uses
pcap 2.3 and interacts badly with pcap 3.0 or products that install it.
Generally you need to make sure that you only have one pcap installed (v2.3)
and to reboot your computer after installing IMPACT. If that does not solve
the problem, we would gladly work with you to find a different solution.

>Fingerprinting is also somewhat lacking. I just downloaded an update
>today, but Impact still cannot ID half the windows boxes on my test network.

Yep, you are right there. Our OS detection by stack fingerprinting module is
lacking; I attribute this mainly to the small DB of fingerprints we have at
the moment. This is something we are addressing. We will have news about this
very soon.

>
>Finally, there is the fact that we have yet to compromise a single host
>using this tool. My next step is to tailor-make a vulnerable box for
>one of the provided exploits, and see if Impact can penetrate it. I'll
>keep you posted, if you like.

Certainly, keep us posted!

-ivan

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
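As an added illustration of the "populate the entity view from a file" idea discussed in the message above (this is not CORE IMPACT's own module code, and the IMPACT module API is not assumed here): a standalone Python sketch that builds a host inventory from Nmap XML output or from a plain "<ip> [hostname]" file, with constructed sample inputs. The Host record is a hypothetical stand-in for an entity-view entry.

```python
import ipaddress, xml.etree.ElementTree as ET
from dataclasses import dataclass, field

@dataclass
class Host:                      # stand-in for an entity-view record (assumption)
    ip: str
    hostname: str = ""
    open_tcp: list = field(default_factory=list)

def hosts_from_nmap_xml(xml_text: str) -> list:
    """Read Nmap -oX output; keep only hosts Nmap reports as 'up'."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue                 # e.g. MAC-only entries: nothing to add
        name = h.find("hostnames/hostname")
        ports = sorted(int(p.get("portid")) for p in h.iter("port")
                       if p.get("protocol") == "tcp"
                       and p.find("state") is not None
                       and p.find("state").get("state") == "open")
        hosts.append(Host(addr.get("addr"),
                          name.get("name") if name is not None else "", ports))
    return hosts

def hosts_from_text(text: str) -> list:
    """Read lines of '<ip> [hostname]'; skip blanks, comments and bad IPs."""
    hosts = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                 # not an address: skip rather than guess
        hosts.append(Host(parts[0], parts[1] if len(parts) > 1 else ""))
    return hosts

# Constructed sample inputs (not real scan data).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port></ports></host>
<host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host></nmaprun>"""
SAMPLE_TEXT = "# ip hostname\n192.0.2.20 db01.example.test\nnot-an-ip\n192.0.2.21\n"
```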