Core Impact Penetrates Deeply
By Cameron Sturdevant | Posted 2006-08-28
Review: Version 6 of pen-test platform offers speedier performance and OS X discovery.
Organizations concerned with maintaining a tight security profile will appreciate Core Security Technologies' Core Impact 6, a tool that allows automated, ethical penetration testing in place of, or in addition to, hiring outside consultants.
Core Impact 6 has a new framework that speeds client-side penetration testing, along with the ability (although limited at this time) to target Apple Computer's OS X systems. Core Impact 6 also tests client-side applications that have repeatedly proven to be vulnerable to exploitation, including Web browsers and media players.
At $25,000 for a single license, Core Impact 6 is a pricey but effective tool for midsize and large enterprises or for any organization that requires frequent security auditing.
eWEEK Labs installed Core Impact 6 on a PC running Microsoft Windows XP. Our test network contained a variety of Linux operating systems, including Community Enterprise Operating System's CentOS, Red Hat's RHEL (Red Hat Enterprise Linux) 4 and Canonical's Ubuntu 6.06 LTS (Long Term Support), along with Windows XP, Windows Server 2003 Standard and Windows 2000 Server.
To evaluate Core Impact 6's ability to target virtual machines, our test network also included several Windows Server 2003 and Ubuntu systems running on VMware's VMware Server.
Overall, results were good. Core Impact 6 identified most of the systems on our network with a fair degree of accuracy on the first pass.
Core Impact 6 did not identify an Apple G4 system running Mac OS X 10.3.9. It also missed one of the physical Ubuntu systems, but it did correctly identify the virtual Ubuntu systems. One Windows 2000 Server system was misidentified as a Windows 2000 Professional system, but this was not unexpected, as the two operating systems, and the hacks that exploit them, are quite similar.
Subsequent passes over the network with several common sharing services turned on, including Apple Remote Desktop, allowed Core Impact 6 to identify and profile one of our Apple systems.
It's clear from our test results that Core Impact may be on Version 6 but that its Apple identification and exploitation capabilities are Version 1.0. However, given Core Security's previous successful development work on Windows and Linux, it's likely that subsequent Apple OS X tests will greatly improve on this first stab.
For now, the Apple information gathering and exploits work only against PowerPC-based systems. This meant that our Mac Mini running an Intel Core Duo processor remained a mystery to Core Impact 6. There also aren't anywhere near the number of exploits for Apple OS X systems as there are for Windows systems. Core Security said they are working on developing more exploits to run against Apple OS X.
Looking for Leaks
After all the systems on our network were identified through Core Impact 6's information-gathering tools, we started running attack and penetration tests.
Users who are familiar with Core Impact will not be surprised by the user interface of Version 6 of the platform. The Rapid Penetration Test panel remains basically unchanged from Version 5.1: It's neatly laid out, allowing administrators to easily discover, penetrate and exploit applications, as well as report on Core Impact operations.
In the first round of penetration testing, one of several options that we enabled allowed Core Impact 6 to run exploits that might make a target service unavailable. We also were able to use a wizard to automatically launch all possible attacks against selected targets. This is a very aggressive test posture, and we recommend it only against targets that have already been thoroughly reviewed for potential weaknesses and hardened against attack.
We ran these tests against systems that were patched to the most current level possible, and our patched and updated systems averaged 1.3 exploits per machine after our first round of testing.
As part of our first round of testing, we enabled Core Impact 6 to install, when possible, a local in-memory agent with administrator privileges. New in Version 6 of Core Impact is the ability of this agent to run multithreaded tasks. (The local agent was limited to a single thread in previous versions.) This change means that pen testers will see dramatically reduced test times as the local agent can now execute many exploits simultaneously.
New information-gathering client-side modules in Core Impact 6 allowed us to produce a list of valid e-mail addresses for a domain using techniques commonly used by spammers. We used the SMTP and e-mail crawler modules, which use brute-force methods including VRFY and RCPT TO commands, to get a list of addresses off our camfrancisco.com e-mail server.
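The enumeration pass described above is noisy on the mail server's side, and that is what a defender should key on. The following Python snippet is an added example, not code from the review or from Core Impact: it runs over a constructed, simplified SMTP server log (the line format, client addresses and mailbox names are all invented here) and flags any client whose VRFY probes and rejected RCPT TO commands reach a threshold inside a sliding time window. The same signal is what you would wire into a SIEM rule; on a Postfix server, `disable_vrfy_command = yes` removes the VRFY half of the problem outright.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified SMTP server log (not real Core Impact or mail-server output).
# Each line: timestamp, client IP, SMTP command, argument, server reply code.
SAMPLE_LOG = """\
2006-08-21T10:00:01 client=192.0.2.10 cmd=VRFY arg=alice@camfrancisco.com reply=252
2006-08-21T10:00:01 client=192.0.2.10 cmd=VRFY arg=bob@camfrancisco.com reply=252
2006-08-21T10:00:02 client=192.0.2.10 cmd=VRFY arg=carol@camfrancisco.com reply=550
2006-08-21T10:00:02 client=192.0.2.10 cmd=VRFY arg=dave@camfrancisco.com reply=550
2006-08-21T10:00:03 client=192.0.2.10 cmd=RCPT arg=erin@camfrancisco.com reply=550
2006-08-21T10:00:03 client=192.0.2.10 cmd=RCPT arg=frank@camfrancisco.com reply=550
2006-08-21T10:00:04 client=192.0.2.10 cmd=RCPT arg=grace@camfrancisco.com reply=550
2006-08-21T10:05:00 client=192.0.2.77 cmd=RCPT arg=alice@camfrancisco.com reply=250
2006-08-21T10:05:01 client=192.0.2.77 cmd=DATA arg=- reply=354
2006-08-21T11:30:00 client=192.0.2.10 cmd=RCPT arg=heidi@camfrancisco.com reply=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) cmd=(?P<cmd>\S+) arg=(?P<arg>\S+) reply=(?P<code>\d{3})$"
)

def parse(log_text):
    """Yield (timestamp, ip, command, reply_code) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["cmd"], int(m["code"]))

def is_probe(cmd, code):
    """A VRFY of any outcome, or an RCPT that was rejected (5xx), counts as a probe."""
    return cmd == "VRFY" or (cmd == "RCPT" and 500 <= code < 600)

def find_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_probe_count} for clients whose probes within any
    sliding window reach the threshold; ordinary senders never get there."""
    probes = defaultdict(list)
    for ts, ip, cmd, code in parse(log_text):
        if is_probe(cmd, code):
            probes[ip].append(ts)
    flagged = {}
    for ip, times in probes.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))   # {'192.0.2.10': 7}
```

The lone rejected RCPT at 11:30 from the same client falls outside the window and does not contribute, which keeps a single mistyped address from tripping the rule.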
With a little hand configuration, we successfully used the Client Information Email Webbug module to send specially crafted e-mail to users on our Microsoft Exchange Server e-mail system. The module used an image that, when rendered, generated a connection back to the Core Impact 6 console. Using this connection, the Core Impact 6 system noted the operating system, browser and browser version, and other information about the target system.
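The web-bug module above depends on the recipient's mail client fetching a remote image. As an added example (not code from the review or from Core Impact), the Python snippet below shows the mail-gateway side of that technique: it parses a constructed HTML message body and classifies each image reference so that remote images that would call back to an outside host can be blocked or rewritten before the message is ever rendered. The hostnames, content-id and recipient token are invented for the sample.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML e-mail body (not from the original article): one inline
# image referenced by content-id, one external 1x1 tracking pixel carrying a
# per-recipient token, and one external image with no sizing hints.
SAMPLE_HTML = """\
<html><body>
<p>Quarterly update attached.</p>
<img src="cid:logo@camfrancisco.com" width="120" height="40">
<img src="http://tracker.example.net/pixel.gif?rcpt=6f3a9c" width="1" height="1">
<img src="http://images.example.org/banner.png">
</body></html>
"""

class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag as the body is parsed."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def classify_images(html_body):
    """Return a list of (src, verdict). 'inline' = cid:/data: reference that causes
    no network traffic; 'beacon' = remote image that is 1x1 or carries a query
    string (the usual shape of a web bug); 'external' = any other remote image."""
    collector = ImageCollector()
    collector.feed(html_body)
    results = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme in ("cid", "data"):
            results.append((src, "inline"))
        elif url.scheme not in ("http", "https"):
            results.append((src, "unknown"))
        else:
            tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
            results.append((src, "beacon" if (tiny or url.query) else "external"))
    return results

def external_hosts(html_body):
    """Hosts that rendering this message would contact; a gateway policy that
    strips or proxies these references prevents the callback entirely."""
    return sorted({urlparse(src).hostname for src, verdict in classify_images(html_body)
                   if verdict in ("beacon", "external")})
```

Note that the 1x1 size and the per-recipient query string are only heuristics; a policy that refuses all remote images by default is the robust mitigation, and the classification is then useful mainly for reporting.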
All the information gathered in a pen-test reconnaissance operation helps find vulnerabilities in a system that could be exploited. The new semi-automated client-side modules made Core Impact 6 results more accurate and let us run more targeted attacks in subsequent penetration tests.
Also new in this version of Core Impact are local exploits that perform pen tests on several browser vulnerabilities.
We ran address-book exploits against Opera Software's Opera, Microsoft's Outlook and the Mozilla Foundation's Thunderbird browsers. We left our browsers configured in default states running on systems configured as end-user workstations, with only a passing attempt at changing parameters to make the systems secure. (We made sure the Linux systems were up-to-date and that our Windows XP systems had the latest service pack and patches installed.) Using the address-book modules, we were able to get an agent to automatically enumerate entries from compromised systems. A related module that successfully ran on a compromised Windows XP system allowed us to automatically capture auto-complete passwords stored in Microsoft's Internet Explorer.
The client-side modules use agents that are installed by Core Impact 6 when it finds a vulnerable system. Longtime users of the Core Impact system will notice small differences in the way the agents work in Version 6, but none of the changes should require much user retraining.
After testing is complete, Core Impact 6 generates a set of reports that show existing vulnerabilities and the exploits that can be waged against them. We used these reports to plan subsequent pen tests on our network and to remove discovered weaknesses, helping to ensure the secure operation of the network.
Technical Director Cameron Sturdevant can be reached at email@example.com.