
Penetration Testing End-Users and End-User Applications

End-User and Endpoint Penetration Testing with CORE IMPACT Pro determines the susceptibility of email users to social engineering attacks, assesses the overall security of their systems, and shows how individual client-side exposures can be chained into large-scale breaches of backend data servers.

End-User Testing with CORE IMPACT Pro

It’s clear that direct, email-based attacks on employees and contractors pose one of the greatest threats to information security today. Once compromised, end-user workstations not only expose local data to cybercriminals, but can also provide them with access to other, more sensitive systems on the same network.

CORE IMPACT Pro makes it easy for you to frequently assess your organization’s susceptibility to phishing, spear phishing and other social engineering techniques. Using IMPACT Pro’s Client-Side Rapid Penetration Test capabilities, you can safely replicate real-world email-based attacks that test end-user security policies and identify systems requiring patches and other updates. Each test is backed by comprehensive reports that can assist with compliance initiatives and help you pinpoint ways to strengthen data security.

Quickly Identify Social Engineering Test Targets

Social engineering attacks target end-user computers otherwise protected by perimeter defenses. The user must therefore inadvertently expose their computer to attack by clicking on an email link or opening an attachment – or sometimes simply by opening or previewing the email message itself. In the cases of phishing and spear phishing, this begins with acquiring an email address. IMPACT Pro offers a number of modules for gathering email addresses from your organization, including:

  • Crawl a website to harvest addresses published on the site
  • Leverage major search engines to locate addresses for a given domain
  • Scan online documents for email addresses to target
  • Find addresses in PGP and Whois databases

You can also enter or import your own list of email addresses to test.
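The first of the harvesting modules listed above, crawling a website for published addresses, comes down to three steps: follow same-host links, pull anything that looks like an address out of each page (including the "user [at] domain [dot] com" forms people use to dodge naive harvesters), and keep only addresses in the target domain. The script below is an added example written for this page, not Core Impact code. It runs against a constructed in-memory site under the hypothetical domain example.com; to crawl a real site you are authorized to test, replace the `fetch` callable with an HTTP client.

```python
"""Harvest e-mail addresses for a target domain from crawled HTML pages.

Added example, not Core Impact's implementation. Runs offline against a
constructed sample site; swap `fetch` for a real HTTP GET to crawl a live
site that you are authorized to assess.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (hypothetical domain): URL -> HTML body.
SAMPLE_SITE = {
    "https://example.com/": """
        <a href="/team">Team</a>
        <a href="https://example.com/contact">Contact</a>
        <a href="https://other.example.org/">Partner site</a>
        <p>General enquiries: <a href="mailto:info@example.com">mail us</a></p>
    """,
    "https://example.com/team": """
        <p>Alice Smith &lt;alice.smith@example.com&gt;</p>
        <p>Bob: bob [at] example [dot] com</p>
        <a href="/team">Team (self link)</a>
        <img src="logo.png">
    """,
    "https://example.com/contact": """
        <p>Press: press@Example.COM</p>
        <p>Vendor contact: sales@vendor.example.net</p>
    """,
}

# Plain addresses and the common "[at]" / "(dot)" obfuscation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[\[(]\s*at\s*[\])]\s*"
    r"([A-Za-z0-9.-]+(?:\s*[\[(]\s*dot\s*[\])]\s*[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)
DOT_RE = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.IGNORECASE)


class LinkParser(HTMLParser):
    """Collect href values of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def in_scope(email, domain):
    """True for addresses in the target domain or any of its subdomains."""
    dom = email.rsplit("@", 1)[1]
    return dom == domain or dom.endswith("." + domain)


def extract_emails(html, domain):
    """Return the set of in-scope addresses found in one page, lower-cased."""
    found = {m.lower() for m in EMAIL_RE.findall(html)}
    for user, dom in OBFUSCATED_RE.findall(html):
        found.add(f"{user}@{DOT_RE.sub('.', dom)}".lower())
    return {e for e in found if in_scope(e, domain)}


def crawl(start_url, fetch, max_pages=50):
    """Breadth-first crawl confined to the start URL's host; returns URL -> HTML."""
    host = urlparse(start_url).netloc
    queue, seen, pages = [start_url], set(), {}
    while queue and len(pages) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:          # 404, off-site redirect, non-HTML, ...
            continue
        pages[url] = html
        parser = LinkParser()
        parser.feed(html)
        for href in parser.links:
            target = urljoin(url, href).split("#")[0]
            if urlparse(target).netloc == host and target not in seen:
                queue.append(target)
    return pages


def harvest(start_url, domain, fetch=SAMPLE_SITE.get):
    """Crawl from start_url and return the sorted in-scope address list."""
    emails = set()
    for html in crawl(start_url, fetch).values():
        emails |= extract_emails(html, domain)
    return sorted(emails)


if __name__ == "__main__":
    for address in harvest("https://example.com/", "example.com"):
        print(address)
```

The domain filter matters: a crawl of a corporate site routinely turns up partner and vendor addresses, and those are out of scope for an authorized test.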

Safely Launch Phishing and Spear Phishing Attacks

With IMPACT Pro, you can test email-user security awareness by replicating realistic phishing attacks with or without attempting to exploit the endpoint system.

  • Assess security awareness by identifying users who click links in phishing emails
  • Set web forms phishing traps to flag data leakage risks
  • Test end-user machines for exploitable vulnerabilities and pivot to other network systems

The product includes sample email templates that mimic common phishing threats, and you can create your own custom spear phishing emails that leverage inside knowledge of your organization. IMPACT Pro also takes care of sending the email, giving you options such as selecting an SMTP server or spoofing a specific "from" email address (e.g., the administrative account on your network).

IMPACT Pro's extensive library of client-side exploits covers threats that target:

  • Endpoint applications: e.g., web browsers, email clients, instant messaging, media players, business applications and productivity tools
  • Endpoint security solutions: e.g., antivirus, anti-phishing, anti-malware, host-based intrusion detection and prevention systems
  • Endpoint operating systems and services: e.g., Windows, Mac, Linux

Created in-house by a dedicated team of security experts, the product's client-side exploits are Commercial-Grade - ensuring that they are current, effective and safe for your network.

Assess the Consequences of Successful Social Engineering

By replicating real-world attacks, IMPACT Pro allows you to see and report on the potential consequences of a compromised end-user system. While conducting a social engineering test, IMPACT Pro runs a web server that launches your selected client-side exploit when end users click on the email link.

If an IMPACT Pro Agent (the payload of the attack) is successfully deployed, you can interact with the end user’s computer and emulate the type of access an attacker could achieve, including:

  • View the local file system and mapped drives
  • Upload and download files to and from the end-user system
  • Open and interact with files on the compromised system
  • Gather user names and passwords from endpoint applications
  • Take a screenshot of current activity on the end-user’s desktop
  • Harvest email addresses from mail clients
  • Deploy a keylogger that tracks the user’s keystrokes
  • Perform a password dump from the user’s web browser

As a result, you gain indisputable evidence of the threats posed by vulnerabilities on end-user systems.

Determine the Risks of Inside Access

In addition to interacting with files on a compromised end-user system, you can use IMPACT Pro to leverage it as a beachhead from which to run subsequent network penetration tests on other systems in the end-user’s network – without uploading any code to the machine. This pivoting capability enables you to exploit trusted relationships and fully understand the “ripple effect” of threats that can occur when a single end-user system is compromised, replicating the steps attackers actually take.

Monitor End-User Response and Evaluate Security Awareness Programs

IMPACT Pro records each GET request as users respond to phishing tests, and test results are then aggregated into two reports:

  • Client-Side Penetration Test Report: a full audit trail of each attack, including the email template sent, exploit launched, test result (success or fail), and details about compromised systems
  • User Report: a report of which links were clicked, when they were clicked, and by whom

Using the reports, you can quickly identify and address gaps in your security awareness programs.
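The User Report above (which links were clicked, when, and by whom) and the web-form phishing trap mentioned earlier both rest on the same mechanism: every recipient gets a link carrying a token unique to them, and the test web server's access log is then reduced to first click and first form submission per recipient. The code below is an added example written for this page, not Core Impact's implementation. It assumes a hypothetical tracking host and campaign key, and it works on constructed access-log lines in Common Log Format. Tokens are an HMAC of the recipient address so that one recipient cannot forge hits for another by guessing a link, and the trap form is logged only as "submitted"; its contents are never stored.

```python
"""Per-recipient phishing-test links and a click/submission report from
web-server access logs.

Added example, not Core Impact code. CAMPAIGN_KEY, BASE_URL and the log
lines are constructed for illustration.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone

CAMPAIGN_KEY = b"rotate-this-per-campaign"      # hypothetical secret
BASE_URL = "https://awareness.example.com"      # hypothetical tracking host


def token_for(email, key=CAMPAIGN_KEY):
    """Unguessable per-recipient token: truncated HMAC-SHA256 of the address."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_links(recipients, key=CAMPAIGN_KEY):
    """Return token -> recipient; the link mailed out is BASE_URL + '/t/' + token."""
    return {token_for(r, key): r for r in recipients}


# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /t/<token> is the mailed link, /form/<token> is the credential-trap form.
PATH_RE = re.compile(r"^/(?P<kind>t|form)/(?P<token>[0-9a-f]{16})(?:[/?]|$)")


def parse_events(log_lines, token_map):
    """Yield (recipient, 'clicked'|'submitted', UTC datetime) for valid-token hits."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PATH_RE.match(m["path"])
        if not p or p["token"] not in token_map:
            continue                      # scanner noise or a guessed token
        if p["kind"] == "t" and m["method"] == "GET":
            kind = "clicked"
        elif p["kind"] == "form" and m["method"] == "POST":
            kind = "submitted"            # only the fact, never the form body
        else:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append((token_map[p["token"]], kind, ts))
    return events


def user_report(recipients, events):
    """First click and first submission per recipient (None if never)."""
    report = {r: {"clicked": None, "submitted": None} for r in recipients}
    for recipient, kind, ts in events:
        current = report[recipient][kind]
        if current is None or ts < current:
            report[recipient][kind] = ts
    return report


# Constructed campaign and access log (times given in +0100, reported in UTC).
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]
TOKENS = build_links(RECIPIENTS)
_ta, _tb = token_for("alice@example.com"), token_for("bob@example.com")
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:09:14:02 +0100] "GET /t/{_ta} HTTP/1.1" 200 512',
    f'203.0.113.7 - - [12/Mar/2024:09:14:30 +0100] "POST /form/{_ta} HTTP/1.1" 302 0',
    f'198.51.100.9 - - [12/Mar/2024:10:02:11 +0100] "GET /t/{_tb} HTTP/1.1" 200 512',
    f'198.51.100.9 - - [12/Mar/2024:10:05:00 +0100] "GET /t/{_tb} HTTP/1.1" 200 512',
    '192.0.2.4 - - [12/Mar/2024:10:30:00 +0100] "GET /t/0000000000000000 HTTP/1.1" 404 0',
    '192.0.2.4 - - [12/Mar/2024:10:31:00 +0100] "GET /wp-login.php HTTP/1.1" 404 0',
]


def sample_report():
    return user_report(RECIPIENTS, parse_events(SAMPLE_LOG, TOKENS))


if __name__ == "__main__":
    for who, row in sample_report().items():
        print(who, "clicked:", row["clicked"], "submitted:", row["submitted"])
```

Bob's second click and the two lines from 192.0.2.4 (a guessed token and unrelated scanner traffic) do not affect the report, which is the behaviour you want before these numbers are used to judge an awareness programme.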