info@coresecurity.com  | +1.617.399.6980 | Contact Us

• Solutions
  • Solutions Overview
    • About Our Solutions
    • Determine Exposure to Real-World Threats
    • Perform Continual, Automated Testing
    • Assess Security Across IT Layers
    • Validate Security Controls
    • Connect Security Data to Business Risk
  • Solutions by Industry
    • Financial Services
    • Government
    • Health Care
      • Respond to the HITECH ACT
      • Validate HIPAA Compliance
      • Limit Unauthorized Insider Activities
      • Maximize limited security staffing
      • Drive down Web-based Security Risks
      • Insulate Your Networks from Unauthorized Devices
      • Diminish the Impact of Social Engineering
      • Validate security investments
    • Higher Education
      • Overview
      • Assess exposure to potential data breaches
      • Insulate networks from unmanaged devices
      • Limit unauthorized insider activities
      • Drive down web-based security risks
      • Maximize limited security staffing
      • Diminish the impact of social engineering
      • Validate security investments
      • Meet compliance demands
    • Retail
  • Solutions for Compliance
    • CAG
    • FFIEC
    • FISMA / NIST
      • NIST 800-137
      • NIST 800-39
      • NIST 800-53
    • GLBA
    • HIPAA
    • PCI
    • SOX
    • Validate Security Controls
• Products
  • Products Overview
  • CORE INSIGHT Enterprise
    Security Intelligence Solution
    • Overview
    • How It Works
    • Dashboards
    • Reports
    • What's New
    • Demos
      • CORE Insight Videos
    • Data Sheets and White Papers
    • Comparing CORE INSIGHT to CORE IMPACT
    • How to Buy
  • CORE IMPACT Pro
    Penetration Testing Software
    • Overview
    • What It Tests
      • End-User Security Awareness
      • Endpoint Systems
      • Mobile Devices
      • Network Devices
      • Network Systems
      • Web Applications
      • Wireless Networks
      • IPS/IDS, Firewalls and Other Defenses
      • Vulnerabilities Identified by Scanners
    • Commercial-Grade Exploits
      • Overview
      • Recent Exploits and Updates
      • How Our Exploits Work
      • About Our Client-Side Exploits
      • About Our Agents
    • Vulnerability Scanner Integration
    • Reporting
    • What's New
      • Version 12.3
      • Version 12
      • Version 11
    • Demos
      • Impact
    • Data Sheets, White Papers and Other Resources
    • Intro To Penetration Testing
      • What Is Penetration Testing?
      • Comparing Security Testing Options
      • What To Look For
      • Independent Penetration Testing Resources
      • Conducting Penetration Tests
    • Comparing CORE IMPACT to CORE INSIGHT
    • Training, Certification and Support
    • How to Buy
  • Core WebVerify Web
    Application Security Testing Software
    • Overview
    • Web Application Vulnerability Coverage
    • WebVerify vs. Scanners
    • Reveal Implications of Application Vulnerabilities
  • Core CloudInspect Cloud Security Testing for AWS
  • Demos and Evaluations
  • The Research Behind Our Products
  • Why Our Products are Safe
  • How to Buy
• Services
  • Services Overview
  • Core Security Consulting
    Services
    • Overview
    • Comprehensive Penetration Testing
    • Application Penetration Testing
    • Web Services Security Assessment
    • Source Code Auditing
    • Wireless Penetration Testing
    • Leading-Edge Technology Testing
    • How to Buy
  • CORE IMPACT Professional Services
    • Overview
    • Web Application Penetration Testing Services
    • Network Penetration Testing Services
    • Client-Side Penetration Testing Services
    • Wireless Network Penetration Testing Services
    • Benefits
    • How to Buy
• CoreLabs Research
  • CoreLabs Overview
  • Research Projects
  • Advisories
  • Publications
    • Presentations and Papers
    • Journals and Magazines
    • Internet Articles
  • Open Source Projects
  • CoreLabs Extranet Site
• News & Events
  • News & Events Overview
  • Events and Webcasts
    • Webcasts
    • Conferences
    • Speaking Engagements
  • News
    • Press Releases
    • In The News
  • Reviews
  • Awards
• Partners
  • Partners Overview
  • Strategic Partners
    • Business Partners
    • Technology Partners
  • Training Partners
    • CICT Training and Certification
  • Using Core's Products in Your Consulting Practice
• Company
  • Company Overview
  • Management Team
  • Board of Directors
  • Customers
    • Success Stories
  • Careers
  • Contact Us
• Blog
• Customer Portal

Home :: Products :: CORE IMPACT Pro Penetration Testing Software :: What's New

CORE IMPACT Pro
Penetration Testing Software

• Products

• Products Overview

• CORE INSIGHT Enterprise
  Security Intelligence Solution
  • Overview
  • How It Works
  • Dashboards
  • Reports
  • What's New
  • Demos
    • CORE Insight Videos
  • Data Sheets and White Papers
  • Comparing CORE INSIGHT to CORE IMPACT
  • How to Buy

• CORE IMPACT Pro
  Penetration Testing Software
• Overview
• What It Tests
  • End-User Security Awareness
  • Endpoint Systems
  • Mobile Devices
  • Network Devices
  • Network Systems
  • Web Applications
  • Wireless Networks
  • IPS/IDS, Firewalls and Other Defenses
  • Vulnerabilities Identified by Scanners
• Commercial-Grade Exploits
  • Overview
  • Recent Exploits and Updates
  • How Our Exploits Work
  • About Our Client-Side Exploits
  • About Our Agents
• Vulnerability Scanner Integration
• Reporting
• What's New
• Version 12.3
• Version 12
• Version 11
• Demos
  • Impact
• Data Sheets, White Papers and Other Resources
• Intro To Penetration Testing
  • What Is Penetration Testing?
  • Comparing Security Testing Options
  • What To Look For
  • Independent Penetration Testing Resources
  • Conducting Penetration Tests
• Comparing CORE IMPACT to CORE INSIGHT
• Training, Certification and Support
• How to Buy

• Core WebVerify Web
  Application Security Testing Software
  • Overview
  • Web Application Vulnerability Coverage
  • WebVerify vs. Scanners
  • Reveal Implications of Application Vulnerabilities

• Core CloudInspect Cloud Security Testing for AWS

• Demos and Evaluations

• The Research Behind Our Products

• Why Our Products are Safe

• How to Buy

What’s New in CORE IMPACT Pro v10.5 - April 2010

CORE IMPACT Pro v10.5 extends the ability of security professionals to replicate attacks against IT systems by combining the product’s commercial-grade, automated penetration testing with the community-built functionality of the Metasploit network penetration testing framework. The release also adds support for the SCAP reporting and AES encryption standards sanctioned by the U.S. federal government. In addition, customers can now easily import IMPACT penetration testing data into Payment Card Industry Data Security Standard (PCI DSS) self-assessment reports using the Qualys PCI Connect service. Enhancements to the software’s dashboard interface and the addition of new usage statistics enable customers to better understand both their security posture and that of the IMPACT user community.

In CORE IMPACT Pro v10.5 new features include:

• Integration with the Metasploit Penetration Testing Framework
• Support for the Security Content Automation Protocol (SCAP)
• Use of the AES Encryption Standard for IMPACT Agent Communications
• Integration with Qualys PCI Connect
• CORE IMPACT Pro Usage Statistics and Dashboard Enhancements
• Microsoft Windows 7 64-bit Support

Integration with the Metasploit Penetration Testing Framework

With CORE IMPACT Pro v10.5 customers can now use Metasploit in concert with IMPACT Pro. The new integration offers the benefits of Core’s commercial-grade, automated solution – with its massive library of professionally developed exploits, easy-to-use interface, and in-depth reporting capabilities – combined with the capabilities of Metasploit. The integration works in two ways:

• Begin testing with CORE IMPACT Pro and add Metasploit into the process, using IMPACT’s resident attack and penetration capabilities and Metasploit side by side.
• Begin testing with Metasploit and then bring a compromised system into the IMPACT environment for further and deeper assessment, and to test other systems on the same network.

Regardless of the approach taken, test results are consolidated into IMPACT reports that provide actionable data about where an organization’s critical risks lie and what can be done about them.

Beginning with CORE IMPACT Pro
Under this approach, users launch Metasploit’s network exploits in tandem with IMPACT Pro exploits. Users begin the assessment using IMPACT Pro’s information gathering capabilities to first profile a target network. IMPACT then conveys operating system and service pack details about identified systems to Metasploit. As IMPACT selects and deploys its own exploits, it also leverages Metasploit’s db-autopwn feature to launch relevant Metasploit exploits against each targeted system – and the results are subsequently uploaded back into IMPACT Pro. This allows users to view Metasploit testing information within the IMPACT environment, without requiring Metasploit expertise.

Beginning with Metasploit
Under this approach, users bring a system compromised during testing with Metasploit into the IMPACT environment and deploy an IMPACT Pro Agent. An Agent is IMPACT’s patented, syscall proxy payload, which allows users to:

• Launch IMPACT Pro’s full range of automated penetration testing capabilities from the compromised system.
• Leverage IMPACT’s broad selection of commercial-grade exploits, plus extensive pre- and post-exploitation capabilities for in-depth, comprehensive attack replication.
• Pivot penetration tests to other systems, mimicking an attacker’s attempts to identify and exploit   paths of weakness to backend systems and data.
  
  
• Learn more about the integration between IMPACT Pro and Metasploit

Support for the Security Content Automation Protocol (SCAP)

SCAP is a standard promoted by the U.S. National Institute of Standards and Technology (NIST) and National Security Agency (NSA) as a common format for exchanging IT security information. According to NIST Special Publication 800-117, “SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues.”

In support of the SCAP standard, CORE IMPACT Pro v10.5 incorporates the following data into the product’s reports and is also able to export the data in XML format for use in centralized security databases:

• CVE numbers: Common Vulnerabilities and Exposures (CVE) are unique identifiers for publically known vulnerabilities. CORE IMPACT reports CVE numbers for vulnerabilities that it successfully compromises during testing.
• CVSS ratings:  The Common Vulnerability Scoring System (CVSS) represents a universal standard for rating the severity of known vulnerabilities. CORE IMPACT includes CVSS ratings for vulnerabilities that it successfully compromises during testing.
• CPE: Common Platform Enumeration (CPE) is a structured naming scheme for IT systems, platforms and packages. CORE IMPACT reports the CPE for systems identified and exploited during penetration testing.

Use of the AES Encryption Standard for IMPACT Agent Communications

CORE IMPACT Pro v10.5 updates agent communications to use AES encryption for communications between the IMPACT Console and IMPACT Agents deployed on systems undergoing penetration tests. Widely adopted by the U.S. government, the AES encryption standard replaces the product’s previous encryption capabilities. AES encryption can now be used for all communications between CORE IMPACT and the systems it successfully compromises, masking data concerning exploitable vulnerabilities, target system configuration, exposed files and more.

Integration with Qualys PCI Connect

CORE IMPACT Pro v10.5 offers fully supported integration with the QualysGuard® PCI Connect program, the industry’s first Software-as-as-Service (SaaS) ecosystem for PCI compliance. PCI Connect provides merchants seeking to comply with the PCI Data Security Standard with a fully integrated platform of online security and vulnerability management solutions that allow them to address and validate the regulation’s specific controls.

Via the integration of CORE IMPACT Pro, Qualys customers can now address PCI DSS Requirement 11.3 – which directs merchants to perform in-depth penetration testing both annually and after making upgrades or modifications to IT systems retaining sensitive cardholder data.

Organizations using IMPACT Pro and PCI Connect can run IMPACT’s PCI Vulnerability Validation Report to complete their Self Assessment Questionnaire (SAQ) directly within the QualysGuard PCI Connect interface. IMPACT Pro also allows organizations to carry out a wide range of security assessments dictated by other PCI DSS guidelines, as well as validate the efficacy of many mandated security controls.

CORE IMPACT Pro Usage Statistics and Dashboard Enhancements

Usage Statistics Enhancements
With IMPACT v9, released in June 2009, customers had the option to contribute anonymous statistics to a Customer Community Data Aggregation program. These statistics included usage frequency, tested environments, and the success rate of exploits and other testing modules. IMPACT v10, released in December 2010, enabled users to view their own statistics in the product’s dashboard, and customers opting into the aggregation program could view overall statistics for the community.

• In addition to tracking the new statistics below, IMPACT will allow customers to report their industry category with their statistics, while still remaining anonymous. Participants in the Data Aggregation Program can then view

IMPACT Pro v10.5 adds tracking and reporting for the following statistics:

• Web exploitation statistics including:
• number of SQL Injection Agents configured
• number of SQL Injection issues found where no Agent could be configured
• the database engine and heuristics used for each SQL Injection Agent configured
• number of Cross-Site Scripting (XSS) Agents configured
• number of Remote File Inclusion (RFI) Agents configured
• number of Web Browser Agents committed
• number of workspaces with web pages committed

• Number and percentage of workspaces with:
• machine/network entities committed
• email addresses committed
• WiFi networks committed
• web pages committed
  
  
• Platform on which IMPACT is running
• Deployed agent count (all agents)
• Number of wireless access points found by encryption type (i.e., WEP, WPA, WPA-2 or none)
• Number WiFi networks cracked by encryption type

 Dashboard Enhancements
The CORE IMPACT Pro dashboard serves as a centralized area for customers to access information about installed exploits and other modules, product update notifications, usage data, customer community statistics, scheduled tasks, and more. CORE IMPACT Pro v10.5 includes an updated dashboard design, making it easier for customers to navigate and leverage this information.

Microsoft Windows 7 64-bit Support

CORE IMPACT Pro v10.5 can be installed on 64-bit versions of Windows 7 Pro and Ultimate.

Related Content