What Are Agents?
An agent is a binary implant injected into the memory or file system of a targeted or compromised remote host. Core Impact agents can be directed with an easy-to-use interface, enabling testers to execute multiple tasks including information gathering, crawling a web application, or escalating privileges. Additionally, all agents have built-in antivirus evasion techniques for maximum efficiency. All communications to and from agents are encrypted and authenticated, ensuring that the pen testing process remains secure.
With our patented Core Agents, dynamic interactions with the remote host are simple, reliable, and secure. And with several versatile agents to choose from, you’ll have the flexibility you need for comprehensive pen testing.
Types of Agents
For comprehensive testing of your entire IT infrastructure, both OS agents and logical agents are available. OS agents are used primarily for network and client-side tests, while logical agents are typically deployed for web application tests.
OS agents operate similarly to malware, serving as a conduit to the remote host and providing access to a user seeking to exploit the target system. These agents are typically utilized in a network or a client-side test.
OS agents can be deployed in three different ways in order to suit the needs and goals of different types of pen tests.
The memory resident agent runs within the memory space of the exploited service or application. It can run in very limited memory space (approx. 81-125kb), and because it does not interfere with the hard drive, it is very stealthy and can bypass most antivirus solutions.
If Core Impact disconnects from the agent, the service is restarted, or the system is rebooted, the agent will automatically be erased.
Persistent agents are established within the file system of the remote host, which increases their presence and provides a stronger foothold. This allows these agents to survive if the system or application is restarted. There is an option to convert memory resident agents into persistent agents if you need them to withstand reboots.
While it is important to perform detailed inspections upon test completion to ensure everything installed during testing has been removed, doing so is often very time-consuming and sometimes error-prone. Core Impact’s temporal agents have a kill-by date embedded to automatically ensure nothing is left behind. The agent, which can be persistent or memory resident, will cleanly wipe itself from whatever system it is installed on once this date is reached. Even if a target is hibernated during a test and misses the cleanup signal, the agent will see that it is past due and clean itself up.
A logical agent is primarily used for web application tests and has the ability to exploit web app vulnerabilities. There are different types of logical agents depending on what needs to be executed. Some logical agents include SQL injection, PHP file inclusion, cross site scripting, and command injection.
In certain circumstances, logical agents can be leveraged to install an OS agent that provides access to the network, with the option to set a kill-by date using the temporal agent functionality.
While the primary purpose of a Core Impact agent is to perform operations on a targeted system, agents can also perform operations on other agents. This process, known as “chaining,” allows you to connect a new agent to an existing agent using its preexisting communication channel. This allows you to maintain a single connection, instead of having to create a new connection every time an agent is added. This not only streamlines the process, it also allows for more sophisticated exploits.
A local agent, which lives on Core Impact’s console, is typically the starting point for all attacks. However, Core Impact allows for pivoting, which means that if an agent is deployed onto a target system or device, you can set that agent as the origin point for attacks. Pivoting to remote source agents can make certain network and web app tests more effective.
Core Impact’s agents provide reliable, stable communication so tasks can be completed efficiently and effectively. Different channels are used depending on the network scenario, so Core Impact provides several options to ensure multiple areas of the infrastructure can be tested.
Additionally, a special Crypto channel is available to provide encryption, and can be layered on top of the channel that provides communication.
Communication channels include:
- Connect to Target (bind) – Direct connection to the target system
- Connect from Target (reverse) – Direct connection from the target system
- Reuse Connection – Connection through the same port used for the exploit
- HTTPS Channel – Communication occurs through an HTTP tunnel
- DNS – Communication occurs through a domain channel
- SQL – Communication occurs through databases