Organizations concerned with maintaining a tight security profile will appreciate Core Security Technologies' Core Impact 6, a tool that allows automated, ethical penetration testing—in place of, or in addition to, hiring outside consultants.
Core Impact 6 has a new framework that speeds client-side penetration testing, along with the ability (although limited at this time) to target Apple Computer's OS X systems. Core Impact 6 also tests client-side applications that have repeatedly proven to be vulnerable to exploitation, including Web browsers and media players.
At $25,000 for a single license, Core Impact 6 is a pricey but effective tool for midsize and large enterprises or for any organization that requires frequent security auditing.
Core Impact 6 will be especially well-suited for companies that take a very hands-on approach to penetration testing and are therefore also concerned with closing the vulnerabilities they find to ensure system security. This is especially true for organizations that take a proactive stance in meeting audit requirements for standards such as PCI (Payment Card Industry).
We installed Core Impact 6 on a PC running Microsoft Windows XP. Our test network contained a variety of Linux operating systems, including Community Enterprise Operating System's CentOS, Red Hat's RHEL (Red Hat Enterprise Linux) 4 and Canonical's Ubuntu 6.06 LTS (Long Term Support), along with Windows XP, Windows Server 2003 Standard and Windows 2000 Server.
To evaluate Core Impact 6's ability to target virtual machines, our test network also included several Windows Server 2003 and Ubuntu systems running on VMware's VMware Server.
Overall, results were good. Core Impact 6 identified most of the systems on our network with a fair degree of accuracy on the first pass.
Core Impact 6 did not identify an Apple G4 system running Mac OS X 10.3.9. It also missed one of the physical Ubuntu systems, but it did correctly identify the virtual Ubuntu systems. One Windows 2000 Server system was misidentified as a Windows 2000 Professional system, but this was not unexpected, as the two operating systems—and the hacks that exploit them—are quite similar.
Subsequent passes over the network with several common sharing services turned on—including Apple Remote Desktop—allowed Core Impact 6 to identify and profile one of our Apple systems.
It's clear from our test results that Core Impact may be on Version 6 but that its Apple identification and exploitation capabilities are Version 1.0. However, given Core Security's previous successful development work on Windows and Linux, it's likely that subsequent Apple OS X tests will greatly improve on this first stab.
For now, the Apple information gathering and exploits work only against PowerPC-based systems. This meant that our Mac Mini running an Intel Core Duo processor remained a mystery to Core Impact 6. There also aren't anywhere near as many exploits for Apple OS X systems as there are for Windows systems. Core Security said it is working on developing more exploits to run against Apple OS X.
Looking for Leaks
After all the systems on our network were identified through Core Impact 6's information-gathering tools, we started running attack and penetration tests.
Users who are familiar with Core Impact will not be surprised by the user interface of Version 6 of the platform. The Rapid Penetration Test panel remains basically unchanged from Version 5.1: It's neatly laid out, allowing administrators to easily discover, penetrate and exploit applications, as well as report on Core Impact operations.
In the first round of penetration testing, one of several options that we enabled allowed Core Impact 6 to run exploits that might make a target service unavailable. We also were able to use a wizard to automatically launch all possible attacks against selected targets. This is a very aggressive test posture, and we recommend it only against targets that have already been thoroughly reviewed for potential weaknesses and hardened against attack.
We ran these tests against systems that were patched to the most current level possible, and our patched and updated systems averaged 1.3 exploits per machine after our first round of testing.
Reconnaissance Mission
As part of our first round of testing, we enabled Core Impact 6 to install, when possible, a local in-memory agent with administrator privileges. New in Version 6 of Core Impact is the ability of this agent to run multithreaded tasks. (The local agent was limited to a single thread in previous versions.) This change means that pen testers will see dramatically reduced test times, as the local agent can now execute many exploits simultaneously.
New information-gathering client-side modules in Core Impact 6 allowed us to produce a list of valid e-mail addresses for a domain using techniques commonly used by spammers. We used the SMTP and e-mail crawler modules—which use brute-force methods including VRFY and RCPT TO commands—to get a list of addresses off our camfrancisco.com e-mail server.
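The VRFY and RCPT TO probing described above leaves a distinctive trail on the mail server: a burst of "User unknown" rejects for many different names from one source. The detector below is an added example written for this review, not part of Core Impact or of the original article; it assumes Postfix-style smtpd log lines (the sample lines are constructed) and flags any source IP that probes a threshold number of distinct unknown recipients inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style smtpd log lines (not taken from the review): one host
# walks guessed names with VRFY and RCPT TO, one partner server mistypes a single address.
SAMPLE_LOG = """\
Nov 12 10:01:04 mx postfix/smtpd[4102]: NOQUEUE: reject: VRFY from unknown[192.0.2.77]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; to=<aaron@example.com> proto=SMTP helo=<scanner>
Nov 12 10:01:05 mx postfix/smtpd[4102]: NOQUEUE: reject: VRFY from unknown[192.0.2.77]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; to=<abby@example.com> proto=SMTP helo=<scanner>
Nov 12 10:01:05 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.invalid> to=<adam@example.com> proto=SMTP helo=<scanner>
Nov 12 10:01:06 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.invalid> to=<alan@example.com> proto=SMTP helo=<scanner>
Nov 12 10:01:07 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <alex@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.invalid> to=<alex@example.com> proto=SMTP helo=<scanner>
Nov 12 10:03:41 mx postfix/smtpd[4110]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<jsmith@example.com> proto=ESMTP helo=<mail.partner.example>
"""

# Match only "User unknown" rejects; the command (VRFY or RCPT) and source IP are captured.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<cmd>VRFY|RCPT) from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<addr>[^>]+)>: "
    r"Recipient address rejected: User unknown")

def parse_rejects(log_text, year=2006):
    """Yield (timestamp, source_ip, command, probed_address); syslog lines carry no year."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["cmd"], m["addr"]

def find_enumerators(log_text, window_seconds=60, threshold=5):
    """Flag source IPs that probe >= threshold distinct unknown recipients within one window."""
    by_ip = defaultdict(list)
    for ts, ip, cmd, addr in parse_rejects(log_text):
        by_ip[ip].append((ts, cmd, addr))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered rejects
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            burst = events[start:end + 1]
            probed = {addr for _, _, addr in burst}
            if len(probed) >= threshold:
                flagged[ip] = {"rejects": len(burst), "addresses": sorted(probed),
                               "commands": sorted({cmd for _, cmd, _ in burst})}
                break
    return flagged
```

A single mistyped recipient from a legitimate peer never reaches the threshold, so the rule separates the probing host from ordinary bounces; disabling VRFY on the server removes one of the two probes but not the RCPT TO variant, which is why the detector watches both.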
With a little hand configuration, we successfully used the Client Information Email Webbug module to send specially crafted e-mail to users on our Microsoft Exchange Server e-mail system. The module used an image that, when rendered, generated a connection back to the Core Impact 6 console. Using this connection, the Core Impact 6 system noted the operating system, browser and browser version, and other information about the target system.
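The webbug module works only because the mail client fetches a remote image and thereby reveals the recipient's client details. The check below is an added example for this review, not part of Core Impact or the original article; it assumes a mail gateway that inspects the HTML part before delivery, and the verdict names and sample messages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose src would trigger an outbound fetch when the mail is rendered."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        # cid: (MIME-attached) and data: images render without any network access.
        if url.scheme not in ("http", "https"):
            return
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        # A query string on a 1x1 image is the classic per-recipient tracking token.
        self.remote.append({"host": url.hostname, "tracked": bool(url.query), "tiny": tiny})

def assess_html_mail(html_body):
    """Return (verdict, remote_images); verdicts are 'beacon', 'remote-images' or 'clean'."""
    parser = RemoteImageFinder()
    parser.feed(html_body)
    parser.close()
    if any(img["tiny"] and img["tracked"] for img in parser.remote):
        return "beacon", parser.remote
    if parser.remote:
        return "remote-images", parser.remote
    return "clean", parser.remote

# Constructed sample message bodies (not from the review).
BEACON_MAIL = ('<html><body><p>Quarterly numbers attached.</p>'
               '<img src="http://tracker.example.net/p.gif?u=a1b2c3" width="1" height="1">'
               '</body></html>')
PLAIN_MAIL = '<html><body><img src="cid:logo@example.com" width="120"><p>Hello</p></body></html>'
```

Clients that are configured not to load remote images never complete the connection, which is the mitigation for the behaviour the module relies on; the gateway verdict lets the remaining messages be quarantined or have their remote images stripped.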
All the information gathered in a pen-test reconnaissance operation helps find vulnerabilities in a system that could be exploited. The new semi-automated client-side modules made Core Impact 6 results more accurate and let us run more targeted attacks in subsequent penetration tests.
Also new in this version of Core Impact are local exploits that perform pen tests on several browser vulnerabilities.
We ran address-book exploits against Opera Software's Opera browser and against Microsoft's Outlook and the Mozilla Foundation's Thunderbird e-mail clients. We left these applications configured in their default states, running on systems configured as end-user workstations, with only a passing attempt at changing parameters to make the systems secure. (We made sure the Linux systems were up-to-date and that our Windows XP systems had the latest service pack and patches installed.) Using the address-book modules, we were able to get an agent to automatically enumerate entries from compromised systems. A related module that successfully ran on a compromised Windows XP system allowed us to automatically capture auto-complete passwords stored in Microsoft's Internet Explorer.
The client-side modules use agents that are installed by Core Impact 6 when it finds a vulnerable system. Longtime users of the Core Impact system will notice small differences in the way the agents work in Version 6, but none of the changes should require much user retraining.
After testing is complete, Core Impact 6 generates a set of reports that show existing vulnerabilities and the exploits that can be waged against them. We used these reports to plan subsequent pen tests on our network and to remove discovered weaknesses, helping to ensure the secure operation of the network.