It's amazing how many cool things you can do (or test) when availing yourself of the manual capabilities of CORE IMPACT Pro.
In CORE IMPACT Pro, there’s a healthy dose of flexibility in the level of control that you can exercise over your testing from the standpoint of automated versus manual exploitation. Employing more manual control typically means a higher degree of difficulty, but it also means more power, more flexibility, and most importantly, MORE PWNAGE. Here’s what I see as the levels of control, with comparison to the difficulty levels from the iconic video game “Wolfenstein 3D”:
- One-step testing
- "Daddy, can I play?"
- Wizards (Rapid Penetration Test)
- "Don’t hurt me"
- "Bring ‘em on"
- Custom-written modules
- "I AM DEATH INCARNATE"
Personally, I like playing on hard mode. It’s challenging, but you get more out of it and isn’t that the point? I’d love to talk about custom-writing modules, but the folks who would get something out of that probably aren’t reading this blog. They’re probably off doing something like chewing nails, climbing rock faces with their pinky fingers only, head butting applications until vulnerabilities surrender and identify themselves, or hanging out with scantily-clad women (or men!) who say to them, “Oh Dan^H^H^HHans, tell me about return-oriented programming again…” with a glint in their eye.
That said, today I’m writing about using the modules already built into IMPACT Pro. There’s a lot of functionality already incorporated into the product that just isn’t available through the use of its automated wizards. So, let’s get away from those for a second and talk about some of the groovy things you can do with modules.
Flexing IMPACT Pro’s Flexibility To use modules on their own you first have to switch to the Modules view, which can be achieved by clicking the “Modules” tab in the lower left hand corner of the IMPACT Pro interface.
Network Discovery – mDNS (Bonjour) Network>Information Gathering>Network Discovery Have you ever taken a look at the process list on a Windows machine on which iTunes has been installed and played “Count the processes iTunes runs in the background?” It’s a disheartening game, about as fun as “Count the rocks” was on long car trips with your family, but significantly more depressing. One process that runs in the background is designed to listen for and respond to mDNS queries. These queries are for service discovery, and iTunes uses it to facilitate music-sharing. With four mDNS queries, all the boxen running an mDNS responder (any with a default install of iTunes) within reach of a multicasted packet not only give you an indication of their existence but also a list of services they’re offering. How nice of them!
Dictionary Attack Network>Information Gathering As security folk, we’re really starting to understand the importance of patching systems and ensuring they’re up to date. We’re seeing more proactive exploitation defenses being implemented in operating systems, and exploitation is getting trickier and trickier every day. No wonder attackers have started targeting users. Their progress over the past few years can be described with the following diagram: “password” -> “password1” And what a grand progression it has been. Yes, weak passwords are quite possibly the most prevalent security hole, and it would be silly not to be able to test them. The dictionary attack module allows you to perform a network-based dictionary password grind against FTP, SMB, and SSH servers. Give it a list of usernames and a list of passwords, and IMPACT will happily plug away until the list is exhausted or your user accounts are cracked open like a crème brulee.
Install Agent Using Unix-portshell/win-portshell Network>Agents Have you ever mused to yourself: “Self, wouldn’t it be nice if I could use Metasploit or CANVAS or heck, any old exploit I found on milw0rm and use it to deploy an IMPACT Pro agent?” Well, muse no more! If you can set up a bindshell backdoor on a compromised machine, you can use these modules to get IMPACT Pro to deploy an agent through it! Just point it at the host and port on which the shell is being served (or if it’s a connect-back style shell, just give IMPACT Pro the port to listen for incoming connections on!) and voila! New agent deployed. (Pretty soon you’ll be able to do this in IMPACT Pro using the Metasploit Meterpreter as well… more on that effort can be found here.)
Check for Backup/old Copies of Web Pages Web>Information Gathering>Discovery As I mentioned in an earlier blog post, the juiciest stuff you can find in the course of a pen test is usually to be found in places that nobody expects you to look. One really great example of this is in unreferenced directories on web servers, like “/include” or “/backup”. Nikto is a great tool for this, and in IMPACT Pro v10 we added a module which recreates some Nikto functionality, allowing you to check for backup versions of known scripts, and directories/files with names like, for instance, “include” and “backup”! I highly recommend this module, especially if your best attempts at exploitation haven’t found as much as you might have thought they would.
Soon, fellow Tech Support Engineer Caitlin Johanson and I will be starting to record videos of how to use individual IMPACT Pro modules for your viewing pleasure. Also, keep your eyes peeled for some new modules coming out written by yours truly: One to parse HTML comments out of web pages and one to test the validity of SSL certificates. Keep on fighting the good fight (on hard mode!), info-warriors.