Organizations are increasingly looking to penetration testing to effectively determine the risk to their network assets. CORE IMPACT, from Core Security Technologies (www.coresecurity.com), is a tool that aims to help in the process by automating as much of it as possible.
When it comes to penetration testing, most security professionals will start with various port scanners (such as nmap) and vulnerability scanners (such as Nessus) to gain some idea of what vulnerabilities exist on a network. Taking it further than the information gathering phase, however - by attempting to exploit the vulnerabilities discovered and hack the network under investigation - generally requires specialist knowledge and is not something the average corporate security administrator would attempt.
CORE IMPACT is frequently mislabeled as a vulnerability scanner, but to call it that is to do it a great injustice. In fact, as a straight vulnerability assessment tool it falls short of the likes of Nessus - but this is by design. For those who want a full-blown vulnerability assessment, IMPACT integrates fully with eEye’s Retina, Nessus, and GFI Languard.
IMPACT is, in fact, an automated penetration testing tool, which scans a range of hosts looking for vulnerabilities for which it has effective exploits. These exploits can then be launched against the vulnerable hosts to attempt to gain access (or, perhaps, create a Denial of Service condition). Having gained access to a vulnerable host, IMPACT can install Agents which provide varying levels of remote access (including directory listing, uploading and downloading files, and so on). It is even possible to use a compromised host to launch new penetration tests against other hosts on the network which may not have been visible on the initial scan. This way, the penetration tester can move from host to host within the compromised network.
CORE IMPACT thus allows the user to safely exploit vulnerabilities in the network, replicating the kinds of access an intruder could achieve, and proving actual paths of attacks that must be eliminated. The product features the CORE IMPACT Rapid Penetration Test (RPT), a step-by-step automation of the penetration testing process. From the initial information gathering phase to production of the final report, the penetration testing steps within CORE IMPACT can be run completely autonomously. The steps in this process include:
- Information Gathering
- Attack and Penetration
- Local Information Gathering
- Privilege Escalation
- Clean Up
- Report Generation
The Windows-based GUI provides a multi-pane view into the available penetration tests, exploit and information gathering modules, scanned hosts, detected vulnerabilities, detailed module information, module output (results), executed modules and entity properties (details of each host detected).
When all of these windows have been populated the screen can look somewhat busy, but the default layout is actually very useful and is not hard to get used to.
You can, of course, alter the layout to suit your own working methods and save it as the default, as well as perform extensive customization throughout the package by editing the core XML files.
When starting a penetration test, the first thing the user will do is download the latest exploit modules from the Core Web site. These are produced on a regular basis - though don’t expect to find every single one reported by Bugtraq.
Having done that, a Workspace is created for the test (or an existing Workspace can be opened and added to). This is an encrypted repository for all information gathered throughout a test, and allows one machine to be used for several projects (for example, by a consultant working at several different client sites) without compromising confidentiality.
Each of the six processes listed previously is available as a Wizard in the Rapid Penetration Test window. By following each of them in turn, the average user will follow the typical “hacker methodology” recommended by every generic hacker’s handbook available on Amazon, and be able to complete a very comprehensive penetration test without recourse to experts or outside consultants. Of course, experts and consultants will also find this tool incredibly useful in their day-to-day work.
Running a penetration test
The Information Gathering step uses tools such as nmap to determine the operating system and available services, as well as full service enumeration techniques where possible, and this information is used to determine which exploits in the database may be effective against each host. It appears to identify servers correctly even when running on non-default ports, although it cannot identify specific applications (Apache vs. IIS, for example).
The ability to launch simultaneous, multiple attacks improves the speed and ease with which users can evaluate their network defenses, and the user gets to specify how aggressive he wants IMPACT to be when running exploits. For example, it is possible to exclude all those exploits which would leave services in an unsafe condition, as well as exclude those tests which tend to take an excessive amount of time to complete (such as brute force password cracks).
If any of the exploits succeeds in compromising the target host, a small memory-resident Agent can be installed on the host, which is then accessible from the IMPACT console. A range of remote-control options is then available, including the ability to escalate privileges, grab passwords, install key-logging software, gather additional information about the host and its user accounts and domain memberships, take screen shots, perform directory listings, download files, upload files, delete files, execute OS commands, and so on. Once you have finished, the Agent can be remotely uninstalled leaving no trace of its - or your - presence.
Client-side attacks can be accomplished by IMPACT simulating a malicious server (Web server, for example) and serving exploit code to remote clients which connect to it.
Once finished, a wealth of information is available both on the IMPACT console and via the excellent reports. Four reports are available:
- Executive - provides a summary of all activities
- Activity - details all modules executed
- Host - provides details about all hosts tested
- Vulnerability - details all vulnerabilities successfully exploited on hosts
Reports can be created as HTML, PDF, Microsoft Word and other popular formats so that content can be easily customized and shared with auditors and other parts of the organization.
For those who are looking to use this tool to create custom packet captures for replay using tools such as Traffic IQ, it is also possible to run individual modules as required. When creating your own PCAPs in this way you should run every variation of each exploit (i.e. with different target operating systems and different payloads) and create a PCAP for each, to ensure that you are not testing only one possible attack vector with your replay tool.
Of course, the nice thing about this sort of tool is that whenever you have an IDS/IPS which fails to detect traffic replayed using a particular PCAP as malicious, you can resort to using the live exploit within IMPACT to make sure it was a real miss and not a problem with the trace file.
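Before replaying a library of per-variation captures against an IDS/IPS, it is worth checking that every (exploit, target OS, payload) combination actually has a capture and that each capture is a readable, non-empty libpcap file; an empty or truncated trace would otherwise be reported as a "miss" that is really a problem with the trace file. The following is an added example, not code from the review or from Core Security: a minimal libpcap parser plus a coverage check over a constructed variation matrix. The exploit name, target and payload labels, and the byte strings are constructed sample values, not real module names or real exploit traffic.

```python
"""Inventory exploit-variation PCAPs and flag gaps before IDS/IPS replay (added example)."""
import struct
from itertools import product

PCAP_MAGIC_LE = 0xA1B2C3D4   # libpcap magic, microsecond timestamps, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read from a big-endian file
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Construct a minimal libpcap file from (ts_sec, payload) tuples.

    Used here only to fabricate sample input; the fields are the standard
    24-byte global header followed by 16-byte record headers.
    """
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload
        for ts_sec, payload in packets
    )
    return header + records


def parse_pcap(data):
    """Parse a libpcap byte string into (link_type, [(ts_sec, payload), ...]).

    Raises ValueError on anything that is not a complete libpcap file, so a
    truncated trace is never mistaken for a capture of a quiet exploit.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    link_type = struct.unpack(end + "IHHiIII", data[:24])[6]

    packets = []
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        packets.append((ts_sec, data[offset:offset + incl_len]))
        offset += incl_len
    return link_type, packets


def coverage_gaps(exploit, targets, payloads, captures):
    """Return (target, payload, reason) for every variation lacking a usable capture.

    `captures` maps (exploit, target, payload) -> raw PCAP bytes.
    """
    gaps = []
    for target, payload in product(targets, payloads):
        data = captures.get((exploit, target, payload))
        if data is None:
            gaps.append((target, payload, "missing"))
            continue
        try:
            _link, packets = parse_pcap(data)
        except ValueError as exc:
            gaps.append((target, payload, "unreadable: %s" % exc))
            continue
        if not packets:
            gaps.append((target, payload, "empty capture"))
    return gaps


# Constructed sample inventory: placeholder exploit name and labels, not real modules.
SAMPLE_EXPLOIT = "example-service-overflow"
SAMPLE_TARGETS = ["target-os-a", "target-os-b"]
SAMPLE_PAYLOADS = ["agent", "bind-shell"]
SAMPLE_CAPTURES = {
    (SAMPLE_EXPLOIT, "target-os-a", "agent"): build_pcap([(1000, b"\x00" * 60), (1001, b"\x01" * 60)]),
    (SAMPLE_EXPLOIT, "target-os-a", "bind-shell"): build_pcap([]),   # tool ran, nothing captured
    (SAMPLE_EXPLOIT, "target-os-b", "agent"): b"\x00" * 10,          # truncated file
    # ("target-os-b", "bind-shell") was never captured at all
}

if __name__ == "__main__":
    for target, payload, reason in coverage_gaps(SAMPLE_EXPLOIT, SAMPLE_TARGETS, SAMPLE_PAYLOADS, SAMPLE_CAPTURES):
        print("%s / %s / %s: %s" % (SAMPLE_EXPLOIT, target, payload, reason))
```

Only variations that pass this check are worth replaying; a replay "miss" on a capture the check would have flagged says nothing about the IDS/IPS, which is exactly the situation the live exploit in IMPACT is then used to resolve.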
At the end of the day, if you run a CORE IMPACT exploit and you gain a shell on the target host without raising an alert or being blocked, your IDS/IPS has definitely failed.