With the release of CORE Impact® Pro 2013 R2, Core Security continues to provide the most comprehensive software solution for proactively assessing the security posture of any organization.
New capabilities released in CORE Impact 2013 R2 include:
- Surveillance Camera Attacks
- Web Services Attacks
- Remediation Validation
- ExCraft Labs SCADA Exploit Pack
Surveillance Camera Attacks
Security cameras are increasingly being added to corporate networks and, as a result, can be exposed to web-based vulnerabilities and attacks. CORE Impact allows testing teams to identify whether a host on their network is a camera and then test it for vulnerabilities and authentication weaknesses. If access is achieved, CORE Impact can further prove vulnerability by viewing the camera's video feed, taking a still shot of the video feed, or accessing the camera's administration interface. Testing video cameras using CORE Impact can be done using the RPT wizards, or manually using the Modules.
- The Network Information Gathering RPT - allows you to scan a target (or range) and determine whether any found hosts are video cameras. The standard Information Gathering modules will run and, if one or more hosts are found, camera-identifying modules will execute. You can view these in the Module Log Panel of the Console. If one or more hosts are confirmed to be video cameras, this will be evident in the Network Entity Database. See Camera Entities. You can then move on to Attack and Penetration for Video Cameras.
- Attack & Penetration for Video Cameras - Once you have successfully run Network Information Gathering and identified one or more hosts as video cameras, you can run the Network Attack & Penetration wizard against the host(s) to identify potential vulnerabilities. To run the Network Attack and Penetration step for video cameras, run the Network RPT as you normally would, targeting the video camera(s) you have in your entity database. When you get to the Attack Method step, keep the following in mind for the available options:
- The Launch exploit modules ... option will for the most part identify potential vulnerabilities. If there are exploits that can bypass authentication, then a Camera Agent may be created in the process.
- The Launch identity modules ... option will attempt several methods to identify working credentials for the target camera(s). It will also try to identify valid URLs that are used in the camera system; the administration interface, for example. If it succeeds, then a Camera Agent will be created on the camera entity.
- If you select both options, be sure to choose After launching exploits for when the identity testing should occur. This will maximize the chances the attack will succeed.
- Entities for Video Cameras - If a host is confirmed to be a video camera, the Network entity database will display details. Entity Hosts identified to be video cameras will have a special icon to identify them visually in the list of hosts. Clicking on a video camera entity will display its details in the Quick Info panel at the bottom of the screen, showing the data that was acquired by the test; brand, model, OS, etc.
- Camera Agents - If the Network Attack and Penetration process is able to gain access to a vulnerable camera, you will see a Camera Agent below the camera in the Entity Database. This agent is not a traditional CORE Impact agent. It does not represent any code on the target host but instead represents information needed to perform certain functions on the device. By right-clicking on the Camera Agent, you will see available options. Only those options that have the needed data will be visible.
- In order to Open Camera Administration Interface, a valid URL to the admin page is needed. If an option is grayed out, this means that the camera entity does not have the data needed to perform the function.
- Take Camera Snapshot: This will display the most recent snapshot taken by the camera (if available).
- Open Camera Video Stream: This will open your default media player (as defined in your Other Options) and show you a live stream of what the video camera is viewing.
- Open Camera Administration Interface: This will open your web browser and present the web interface used for administration of the video camera.
Support for Web Services
WebApps Information Gathering - The WebApps Information Gathering step scans the domain of a known web-based application and identifies pages and/or web services that may be vulnerable to potential attacks. CORE Impact can detect SOAP-based or RESTful web services.
On the Web Services Discovery Options form, you can opt for the RPT to look for any SOAP-based web services. Select from the available parameters. If any web services vulnerabilities are identified, they will be listed in the Web view of the entity database.
- Search for SOAP web services definitions: Check this option if you want the RPT to look for SOAP-based web services. CORE Impact will look for links to .wsdl files. If any are found, they will be parsed and CORE Impact will capture the details of the target web service in the entity database.
- Append '?wsdl' to every found URL: It is possible that a web application will use a SOAP-based web service but not have an explicit link to a .wsdl file within its pages. Select this option if you want CORE Impact to automatically append '?wsdl' to every found link. Keep in mind that this will double all of the requests made by CORE Impact and will cause the Information Gathering step to run longer.
- Select whether CORE Impact should fill in method parameters of any found web services with default values or automatically generated values.
- Define the authentication method for SOAP operations:
- Use the same as for crawling web pages: Use this option if the SOAP operations will not require authentication, or if authentication is required but you have already entered it for use in Web Crawling.
- Use SOAP WS-Security: Manually enter a Username and Password for CORE Impact to use to satisfy the SOAP WS-Security
CORE Impact can detect SOAP-based or RESTful web services. Because SOAP-based web services always have a .wsdl file, these can be detected using Automatic or Interactive web crawling. RESTful web services employ no such definition file so, in order to detect RESTful web services, you must use Interactive web crawling so that CORE Impact can try and detect JSON type calls in the web traffic.
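The "Append '?wsdl' to every found URL" option described above leaves a recognizable pattern in the target's web server logs, because each crawled page is requested a second time with '?wsdl' appended. The following added example (not part of the original page and not CORE Impact code) flags clients showing that pattern and lists the WSDL definitions the server actually returned; the log lines are constructed, and the function name and thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Aug/2013:10:00:01 +0000] "GET /index.html?wsdl HTTP/1.1" 404 90
10.0.0.5 - - [12/Aug/2013:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 830
10.0.0.5 - - [12/Aug/2013:10:00:02 +0000] "GET /login.php?wsdl HTTP/1.1" 404 90
10.0.0.5 - - [12/Aug/2013:10:00:03 +0000] "GET /svc/orders.asmx HTTP/1.1" 200 2048
10.0.0.5 - - [12/Aug/2013:10:00:03 +0000] "GET /svc/orders.asmx?wsdl HTTP/1.1" 200 9100
10.0.0.5 - - [12/Aug/2013:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 400
10.0.0.5 - - [12/Aug/2013:10:00:04 +0000] "GET /about.html?wsdl HTTP/1.1" 404 90
10.0.0.9 - - [12/Aug/2013:10:05:00 +0000] "GET /svc/orders.asmx?wsdl HTTP/1.1" 200 9100
10.0.0.9 - - [12/Aug/2013:10:05:01 +0000] "POST /svc/orders.asmx HTTP/1.1" 200 310
10.0.0.7 - - [12/Aug/2013:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def wsdl_probe_report(log_text, min_probes=3, min_ratio=0.8):
    """Flag clients that re-request the pages they visited with '?wsdl' appended.

    min_probes and min_ratio are assumed thresholds; tune them for your traffic.
    """
    plain = defaultdict(set)    # ip -> paths requested without '?wsdl'
    probed = defaultdict(dict)  # ip -> {path: status of the '?wsdl' request}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        if parts.query.lower() == "wsdl":
            probed[ip][parts.path] = status
        else:
            plain[ip].add(parts.path)
    report = {}
    for ip, hits in probed.items():
        # Share of this client's ordinary page requests that were mirrored by a probe.
        mirrored = set(hits) & plain[ip]
        ratio = len(mirrored) / len(plain[ip]) if plain[ip] else 0.0
        if len(hits) >= min_probes and ratio >= min_ratio:
            exposed = sorted(p for p, s in hits.items() if s == 200)
            report[ip] = {"probes": len(hits), "ratio": round(ratio, 2), "exposed": exposed}
    return report

if __name__ == "__main__":
    print(wsdl_probe_report(SAMPLE_LOG))
```

A single '?wsdl' request followed by calls to the same service, as from 10.0.0.9 in the sample, is normal SOAP client behaviour and stays below the thresholds.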
Remediation Validation Report
Available in the Network RPT, this report compares the Workspace's original results with those after remediation efforts have been performed. The workspace is automatically run with only the successful agents and exploitable hosts used as targets. This eliminates the need to have detailed knowledge of a pen test that may have been completed months ago. The key capabilities include:
- Identify all the systems previously exploited
- Run the successful exploits that led to the initial breach
- Automatically include pivot points deep in the network
- Generate a report with original and new results
ExCraft Labs SCADA Exploit Pack
Core Security is partnering with ExCraft Labs to deliver enhanced SCADA exploits for the Core Impact Professional platform. The SCADA pack by ExCraft Labs includes over 50 exploits for various SCADA systems that are deployed across many industries. This enhanced pack is updated with an average of about 10 new exploits a month. Because ExCraft developed these exploits on the CORE Impact platform, they can be used in tandem with all the CORE-developed exploits, allowing a comprehensive approach to testing and validating SCADA systems.
About CORE Impact Pro
CORE Impact® Pro is the first and most comprehensive software solution for assessing the real-world security of web applications, network systems, endpoint systems, email users, mobile devices, wireless networks, and network devices. Backed by CORE Security’s ongoing vulnerability research, Impact Pro allows you to take security testing to the next level by safely replicating a broad range of data breach threats. As a result, you can identify exactly where and how your organization’s critical data can be breached. Learn more about CORE Impact Pro penetration testing software at www.coresecurity.com/core-impact-pro.