Core Impact automates the task of finding security vulnerabilities
By Earl Greer and Kent Dyer
Penetration testing is an important part of any security consultant’s toolkit. That’s the only way to estimate how many vulnerabilities a given network has and, thus, how easy it would be to compromise that network.
The problem with penetration testing is that it can be a slow process. Because it can take so long, the vulnerabilities may have shifted by the time the test is complete.
Core Security Technologies’ Core Impact product solves the problem of slow manual penetration testing and the hassle of keeping up with the flood of new vulnerabilities. When we tested Core Impact, we found that it automated testing to the point that you don’t need a highly trained security professional to operate it.
We understood from the beginning that automated penetration testing programs are potentially dangerous weapons. An unauthorized test can set alarms ringing in your network administration department. And if you use the Internet addresses of the CIA, don’t be surprised if unsmiling people in dark suits come knocking at your door.
We installed Impact on a laptop PC running Windows XP in just five minutes. The installation includes the WinPCap driver (www.winpcap.org) to do promiscuous mode Ethernet captures. This enables you to access the lowest levels of network traffic and see everything on your network rather than just the packets addressed to your computer.
When it started up, Impact listed all of the modules that were loading into RAM. These modules were written in the Python language. We began a penetration test session by clicking on “New Workspace” on the main screen. This created a job that we could return to whenever we wished.
The actual test screen took place in a multipane interface — a single, easy-to-use screen where we did most of our work. The workflow portion of the interface can be toggled between a rapid penetration test and the more complete “modules view.”
We started by using the RPT, which includes six tasks, conveniently numbered and listed in order from information gathering to report generation.
The first step of the test was information gathering, in which we defined our targets. When we executed this phase, we performed an active port scan against the targets we selected. We decided on a SYN scan, inviting innocent computers on the network to respond to our friendly greeting.
You can choose different types of scans if you are, for example, trying to avoid detection by an intrusion-detection or intrusion-prevention system.
You would normally carry this out by first reconnoitering the target network with a tool such as Nmap (www.nmap.com), then importing the results into Impact. This gives you a variety of information about your targets, such as the operating systems they are running, their active services, open ports, Media Access Control (MAC) addresses and so forth.
Once you have obtained a good picture of the network, the next phase is attack and penetration. When this process is successful, Impact automatically places an agent on the target computer. That is, Impact proves that vulnerability exists by performing an actual penetration. This procedure injects foreign code into a vulnerable file on the target machine, normally a Data Link Library or service file.
We had intended to include real-life networks in our authorized attacks, but we chickened out when we considered the potential consequences The results on our fully updated and buttoned-down lab machines were completely predictable. Our computers were secure but dull. To raise the excitement level, we turned off their firewalls and rolled back their patches. Then Impact leapt in like a lion on a carcass.
The next phase, local information gathering, let us dig into the systems we had compromised and gave us details relayed back via the agent. The details included patches installed on the target system, users and groups, and particulars about the operating system and hardware. This would be good for finding out which users are members of the local systems administrator’s group, opening doors for further exploitation.
From here, we moved on to privilege escalation, where we gained privileges on the exploited systems. It suddenly struck us that when we gained control of a domain controller we could traverse security of the entire domain. This was not a comforting thought.
At this point, we were finished with our foray into hackerdom, but we didn’t want to leave a mess behind. The cleanup module silently touched each of the computers we had compromised and removed our agents wherever they were embedded, leaving our machines pristine and serenely stable.
Our final step was to generate the reports needed to show our systems people the areas they needed to target to strengthen the systems. First, we generated an executive report, complete with nicely formatted and colorful charts.
The activity report, which documented all we had done, is a good one to send to the person who actually manages the intrusion detection and prevention systems. They could determine if they had detected any penetration test activities, or if there are tweaks they could do to increase the level of monitoring.
Finally, the host report shows vulnerabilities for each host, and lists which ones were exploited. Importantly, it provides information on what to do to remediate these vulnerabilities.
What we liked
We liked that Impact places a piece of innocuous code onto the machines it compromises. No one can argue that vulnerabilities were found and the computers were actually penetrated. The agents operated smoothly and did not break any services.
Moreover, the operator can do practically everything from just one well-designed screen. We were impressed by features such as the ability to drag exploit modules and drop them onto individual targets.
It is also worth noting that on its opening screen, Impact includes a place for the user to e-mail comments and suggestions to the vendor, and it provides a link to a knowledge base. We appreciate vendors who listen to their customers and make it easy to find help.
Finally, we appreciate the frequency of updates Core provides. Expect one or more updates each week to the exploits modules. During our test period, Core did a good job of keeping up with new vulnerabilities.
Conclusions and recommendations
After using Impact, it seems obvious to us that manual penetration testing is obsolete. Because it is quite possible that someone else is using automated attacks against you, it is prudent to begin authorized automated penetration testing at your own organization to pinpoint the weak points.
Impact is significantly more expensive than its competitors, but we found little else to criticize. We recommend it because it is fast and effective. Once you’ve used it, you can’t go back to slow manual penetration testing.
Greer is a network security consultant. Dyer is a security specialist at a large state agency. They can be reached at firstname.lastname@example.org