A few days ago we had Core Security give us a web demo on their product Core Impact. Although I had watched the demo before, on a prerecorded webcast, this time my colleagues and I were able to ask the demonstrator questions. Simply put, Core Impact is a tool that encapsulates scanning and exploitation capabilities. Basically, the scanner will detect hosts, enumerate the information provided by the detected hosts, and version the operating system and accessible applications. The tool will also accept input from other scanning tools such as, but not limited to, NMap and Nessus. The exploitation part of the tool will confirm and perform the exploitation of any vulnerability it has been configured to detect. The real power of this tool comes from the fact that once a host has been successfully exploited it now becomes a stepping stone for the tool to perform the same actions to any other hosts or networks connected to the compromised host. If Core Impact can exploit a vulnerability on any of your systems you are truly 0wn3d.
Now, you may have seen a few recent blogs that talk about this tool already. Roger Grimes talked about it in his article "Core Impact puts a vise grip on vulnerabilities". Larry Pesce talks about it on his blog and even offers a discount through the Pauldotcom Security Weekly podcast. I thought that I would list a few things that I didn't realize until we were able to ask a few questions.
- Core Impact can exploit a system and network in several manners. The most common method is to exploit an application or operating system through a known vulnerability for which the Core Security researchers and developers (R&D) have been able to write specialized shellcode. By special I mean that the R&D team concentrates their efforts on exploits that will allow the shellcode to run "inside" of the exploited process. This means that once a system is compromised there is no evidence that is readily apparent to human review or even to most security-related processes. The shellcode that runs inside of a process is referred to as an agent because it can be used to perform Core Impact functionality from the compromised system.
- Core Impact agents come in two flavors (there may be more but this is what we went over) known as Level0 and Level1 agents. Level0 agents live in the memory of the exploited process. This means that no permanent changes have been made to the system or the exploited process. They can be completely cleaned up either by a command or after a period of inactivity. Because of the amount of memory they are limited to, the communications between the client and server application are transmitted in clear text (important when you cannot trust the connection between the systems - i.e. don't transfer important information like shadow files unless absolutely necessary). Level1 agents are actual executables that are written to disk. These agents can be configured to start on system boot. Because they are a running process and are not limited in size due to memory, they have a lot more functionality. Although I am not aware of all of these extra functions, the one I do know about is that these agents can protect their communications with a Blowfish cipher.
- All of the settings provided through the tool are configurable by the user. If a service is running on a nonstandard port the user can easily make this adjustment. Core Security has also provided the user with the means to develop their own modules by including code examples and development documentation.
- Although Core Impact is mainly geared towards exploiting remote and local vulnerabilities it can also be used to exploit client-side vulnerabilities. An easy example of this is a browser vulnerability. Once inside a network the tool can send out an email with a specific attack that is designed to exploit a browser vulnerability that is activated through user interaction. The tool will wait patiently until an unwary user initiates the exploit and the browser then connects back to the tool which, now, 0wn3s that system.
- Every action, from scanning to command line interaction on the exploited system, is recorded and used to document all activity performed during a session. This can, in turn, be included in the detailed reports that are automatically generated by the tool.
- Currently the tool has exploits for all variations of Microsoft Windows, Linux (x86), Solaris (x86 and SPARC), and BSD (x86). There may be more but that is all I could remember off the top of my head. Upcoming versions will expand this list and these should include exploits for Mac OSX.
Of course, Core Impact does cost a pretty penny especially when compared to such open source projects as Metasploit. But when you buy Core Impact you are doing more than just buying a fancy exploitation tool. You are buying peace of mind that the exploits included in the tool have been rigorously tested by Core Security's R&D team. If they say that an exploit will not bring down an application or corrupt a system then they mean that they have tested it over and over. You are also purchasing a maintenance agreement and are thereby supported by this R&D team which makes up close to seventy percent of the company's staff.
That said, you definitely need to check out the new version of the Metasploit framework version 3.0. This new version is a complete rewrite of the code in Ruby. Although I have not had time to evaluate it I am getting very good feedback about it already. Apparently they have taken a few pages from Core Impact and they are, or will be, including a few similar features. For a list of features that have already been considered for this tool check out the Release Notes. I am really interested in finding out about its ability to "Support automated network discovery and event correlation through recon modules."
As a final thought I also wanted to point out that these tools are not the end-all-be-all for penetration testing. These tools are great for finally exploiting a service or operating system but they do not fully cover all aspects required for information discovery. These tools should be used during the final steps of a penetration test after all other methods of discovery have been performed and the information they return has been analyzed. Additionally, before using these tools to their full capabilities you must ensure that your customer wants you to perform these tests. Many applications and systems are critical to a company's infrastructure and even the possibility that the system or application may be taken offline might not be an option for them. It is always good to identify possible vulnerabilities and then ask for additional permission to continue. Most of the time you will be permitted but there may be a requirement that a system administrator be standing right next to the system in case there is a need to troubleshoot a situation. Getting this person in place may take enough time that you will have to save your session and restart at a later date.
I sure hope that you find this helpful. Please leave a comment and let me know.
Thanks,
Cutaway