Core Impact's Rapid Penetration Tests

The Network Attack and Penetration RPT is used to automatically select and launch remote attacks. External information can inform these attacks, or data from the Network Information Gathering RPT can be used to provide intelligence on the attack targets.

There are two attack methods. The exploit attack identifies code execution vulnerabilities in the OS or in any installed programs using Core certified exploits, which have been expert tested and verified. The identity attack finds authentication weaknesses so identity information like usernames and passwords can be acquired.

The Local Information Gathering RPT is used to gain more precise information on a compromised target. Using one of Core Impact’s agents, which serve as a conduit to the remote host, this RPT can uncover additional OS information, user credentials, email addresses, and more.

The Privilege Escalation RPT ensures that every agent that is connected to the target has Root or administrator privileges to provide full access to the compromised system.

The Clean Up RPT automatically uninstalls every connected agent and removes them. This means no agent is left behind after testing to drain resources or be used as a potential backdoor for attackers.

Once organizational email addresses are gathered, which can be completed by the Information Gathering RPT, the Attack and Penetration RPT can be used to send one or more malicious emails. Several attack deployments are available: web browser links, mail client exploits, attachments, and Trojans.

Email templates can be tailored to look more or less authentic to test how discerning users are of their email. If opened, Core Impact users can then pivot and run Network RPTs inside the network. 

Similar to the Attack and Penetration RPT, the Phishing RPT uses harvested email addresses to send emails that will serve as an entry point to the network. These phishing emails will contain urls that launch either a browser redirect from an authentic website, or link to a web page clone of a known website. Once opened, a user would type in their credentials, providing access that can then be exploited using Network RPTs.

These emails can also be tailored to look and read as realistic as needed. Actual emails can even be imported to add to the authenticity, or actual phishing emails can be imported to imitate real world attacks. Reports will generate a list of who opened these emails, providing insight into who is susceptible to these types of attacks.

Once an agent is deployed on the target by a user interacting with the client side attack emails, more information can be gathered from the now compromised target, including additional OS information, agent privileges, users, and installed applications.

The Privilege Escalation RPT ensures that every agent that is connected to the target has Root or administrator privileges to provide full access to the compromised system.

The Clean Up RPT automatically uninstalls every connected agent and removes them. This means no agent is left behind after testing to drain resources or be used as a potential backdoor for attackers.

The WebApps Attack and Penetration RPT takes pages and services that are at risk and tests which specific attacks to which they’re vulnerable. The options of attacks to test for correlate with the OWASP top ten and include:

• Injection
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfiguration
• Cross site scripting (XSS)
• Insecure deserialization
• Using components with known vulnerabilities

Additionally, tests are available for PHP remote or file inclusion vulnerabilities, invalid redirects and forwards, as well as hidden pages.

This RPT uses SQLi and PHP-RFI agents to gather information on the database, including logins, schema, and sensitive information.