Getting Started with Core Impact | Generating Agents
This video discusses how to generate powerful agents in the form that is most useful to your specific pen test. Most of the power is exposed through a single module: the Package and Register Agent module.
Core Impact agents are an incredibly flexible tool for leveraging systems after they've been exploited. You can use and deploy them in a variety of ways, including:
- From exploits themselves
- Simulated breach scenarios
- Post exploit activities
- Insider threat simulation
You can find the Package and Register Agent under Agents --> Package and Register Agent. Let's walk through a few different capabilities.
Platform Selection
Core Impact agents are available on a number of operating system platforms, some of which are more common than others. Most commonly, you'll likely work with Windows, Linux, and Mac. However, we also support AIX, Solaris, OpenBSD, and FreeBSD.
Architecture
The most common architectures are i386 and x86-64. We also support PowerPC and Sparc-v8.
Target File
The Target File parameter is the output file name. For example, if you're writing out an agent as an executable, this is where you specify its file name.
Ask UAC Credentials
The Ask UAC Credentials option lets the agent prompt the user, via UAC, to enter their admin credentials.
Binary Type
The Binary Type option provides flexibility in the type of file generated: executable, library, or raw.
Agent Expiration and Date
These settings implement the self-terminating functionality contained within the Core Impact agent.
Cookie
A cookie is an identifier of up to 8 characters that allows Core Impact to tie a listener to a specific agent. For example, if you put an agent on a USB stick and drop it somewhere, the cookie would allow you to track where the agent was left behind.
Use Singlestage Agent
If you use the singlestage agent, the entire agent is packaged up at once. With exploits, you typically don't do this because you have a limited amount of buffer space, but this feature allows you to choose. This can help with AV evasion. Note: it is always recommended to test in a lab environment.