Core Impact Penetrates Deeply - 2

Review: Version 6 offers speedier performance and targets Mac OS X

Organizations concerned with maintaining a tight security profile will appreciate Core Security Technologies Core Impact 6, a tool that allows automated, ethical penetration testing—in place of, or in addition to, hiring outside consultants.

Core Impact 6 has a new framework that speeds client-side penetration testing, along with the ability (although limited at this time) to target Apple Computers Mac OS X systems. Core Impact 6 also tests client-side applications that repeatedly have proved to be vulnerable to exploitation, including Web browsers and media players.

At $25,000 for a single license, Core Impact 6 is a pricey but effective tool for midsize and large enterprises or for any organization that requires frequent security auditing. (For eWeek Labs review of a book dedicated to open-source penetration testing, see "Pen-testing tips abound in topical tome" at eweek.com.)

Core Impact 6 will be especially well-suited for companies that take a very hands-on approach to penetration testing and therefore also are concerned with closing vulnerabilities to ensure system security. This is especially true for organizations that take a proactive stance in meeting audit requirements for standards such as the PCI (Payment Card Industry) Data Security Standard.

eWeek Labs installed Core Impact 6 on a PC running Microsofts Windows XP. Our test network contained a variety of Linux operating systems, including The CentOS Projects CentOS, Red Hats RHEL (Red Hat Enterprise Linux) 4 and Canonicals Ubuntu 6.06 LTS (Long Term Support), along with Windows XP, Windows Server 2003 Standard and Windows 2000 Server.

To evaluate Core Impact 6s ability to target virtual machines, our test network penetration also included several Windows Server 2003 and Ubuntu systems running on VMwares VMware Server. (For eWeek Labs review of a Web application penetration-testing tool, see "Hailstorm 2.6 finds Web app faults" at eweek.com.)

Overall, results were good. Core Impact 6 identified most of the systems on our network with a fair degree of accuracy on the first pass.

Core Impact 6 did not identify an Apple G4 system running Mac OS X 10.3.9. It also missed one of the physical Ubuntu systems, but it did correctly identify the virtual Ubuntu systems. One Windows 2000 Server system was misidentified as a Windows 2000 Home system, but this was not unexpected, as similarities in the two operating systems—and the hacks that exploit them—are quite similar.

Subsequent passes over the network with several common sharing services turned on—including Apple Remote Desktop—allowed Core Impact 6 to identify and profile one of our Apple systems.

Its clear from our test results that Core Impact may be on Version 6 but that its Apple identification and exploitation capabilities are Version 1.0. However, given Core Securitys previous successful development work on Windows and Linux, its likely that subsequent Mac OS X tests will greatly improve on this first stab.

For now, the Apple information gathering and exploits work only against PowerPC-based systems. This meant that our Mac Mini running an Intel Core Duo processor remained a mystery to Core Impact 6.

There also arent anywhere near the number of exploits for Mac OS X systems as there are for Windows systems. Core Security officials said they are working on developing more exploits to run against Mac OS X.

Looking for Leaks

After all the systems on our network were identified through Core Impact 6s information-gathering tools, we started running attack and penetration tests.

Users who are familiar with Core Impact will not be surprised by the user interface of Version 6. The Rapid Penetration Test panel remains basically unchanged from Version 5.1: Its neatly laid out, allowing administrators to easily discover, penetrate and exploit applications, as well as report on Core Impact operations.

In the first round of penetration testing, one of several options that we enabled allowed Core Impact 6 to run exploits that might make a target service unavailable. We also were able to use a wizard to automatically launch all possible attacks against selected targets. This is a very aggressive test posture, and we recommend it only against targets that have already been thoroughly reviewed for potential weaknesses and hardened against attack.

We ran these tests against systems that were patched to the most current level possible, and our patched and updated systems averaged 1.3 exploits per machine after our first round of testing.

Reconnaissance Mission

As part of our first round of testing, we enabled Core Impact 6 to install, when possible, a local in-memory agent with administrator privileges. New in Version 6 of Core Impact is the ability of this agent to run multithreaded tasks. (The local agent was limited to a single thread in previous versions.) This change means that penetration testers will see dramatically reduced test times, as the local agent can now execute many exploits simultaneously.

New information-gathering client-side modules in Core Impact 6 allowed us to produce a list of valid e-mail addresses for a domain using techniques commonly used by spammers. We used the SMTP and e-mail crawler modules—which use brute-force methods including VRFY and RCPT TO commands—to get a list of addresses off our camfrancisco.com e-mail server.

With a little hand configuration, we successfully used the Client Information Email Webbug module to send specially crafted e-mail to users on our Microsoft Exchange Server 2003 e-mail system. The module used an image that, when rendered, generated a connection back to the Core Impact 6 console. Using this connection, the Core Impact 6 system noted the operating system, browser and browser version, and other information about the target system.

All the data gathered in a penetration-test reconnaissance operation helps find vulnerabilities in a system that could be exploited. The new semiautomated client-side modules made Core Impact 6 results more accurate and let us run more targeted attacks in subsequent penetration tests.

Also new in this version of Core Impact are local exploits that perform penetration tests on several browser vulnerabilities.

We ran address-book exploits against Opera Softwares Opera, Microsofts Outlook and the Mozilla Foundations Thunderbird browsers. We left our browsers configured in default states running on systems configured as end-user workstations, with only a passing attempt at changing parameters to make the systems secure. (We made sure the Linux systems were up-to-date and that our Windows XP systems had the latest service pack and patches installed.) Using the address-book modules, we were able to get an agent to automatically enumerate entries from compromised systems. A related module that successfully ran on a compromised Windows XP system allowed us to automatically capture auto-complete passwords stored in Microsofts Internet Explorer.

The client-side modules use agents that are installed by Core Impact 6 when it finds a vulnerable system. Longtime users of the Core Impact system will notice small differences in the way the agents work in Version 6, but none of the changes should require much user retraining.

After testing is complete, Core Impact 6 generates a set of reports that show existing vulnerabilities and the exploits that can be waged against them. We used these reports to plan subsequent penetration tests on our network and to remove discovered weaknesses, helping to ensure the secure operation of the network.

Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.

Evaluation Shortlist

Immunitys Canvas

Uses frequently updated exploits that can be adapted by IT security operators (www.immunitysec.com)

The Metasploit Projects Metasploit Framework

An open-source project with some code supplied by Core Security (www.metasploit.com)

Security consulting companies and outside auditors

Third-party companies use a variety of applications (often open source) for penetration testing