by Victor R. Garza

Core Impact hammers on vulnerabilities

reviews
Jun 20, 2003, 3 mins

Core Impact 3.1 puts vulnerability assessment tools in the hands of enterprise IT

If you don’t know where your enterprise’s security holes lie, chances are someone else does. Finding and securing those vulnerabilities is one of the best ways to boost infrastructure security.

Core Impact 3.1 is a toolkit that allows you to exploit vulnerabilities yourself to gain firsthand knowledge of how a hacker might attack and use your machines against you. Impact also has good logging and reporting to ensure consistency of testing from assessment sweep to assessment sweep.

I like Core Impact’s do-it-yourself approach, but it should be used as an adjunct to either a consulting team or vulnerability-assessment tool, which might better meet a company’s security needs.

Unlocking the Toolkit

After using Impact off and on since last year, I liked the changes in 3.1. The update can run on Windows XP, create macros for repetitive tasks, and use additional exploits and tool offerings (with one-touch updating) such as the SNMP Generic Browser, Snort TCP Stream Integer Overflow exploit, IIS WebDAV (Internet Information Server Web Distributed Authoring and Versioning), and MSRPC (Microsoft remote procedure call) Locator exploits.

Opening the Impact Console prompts the user to create a pass phrase, creating a unique key for each workspace. This key is used to communicate with remote Impact agents and ensures that agents used by a specific workspace are bound to that workspace.

Agents are a major component of Core Impact. Once a vulnerable host has been exploited, you can send out an agent, “pivot” to the newly compromised host, and continue exploits from this new location. I found this pivoting ability a unique and extremely useful feature because I was able to do what a real hacker would do after compromising a vulnerable machine: use that new host to extend my tendrils throughout the enterprise.

The process of exploiting or attacking a host using Core Impact is straightforward. Impact’s workspace is a series of five well-laid-out windows. Modules lists exploits, information gathering tools, created macros, and report tools; Entity View shows all discovered hosts on the network; All Executed Modules presents a complete, time-stamped list of each action; Executed Module Info displays real-time status of actions and logs; and Output acts like a miniature help file.

Unfortunately, Impact ships with terse documentation and lacks macro modules for common exploits. For example, when I used the newly included SNMP Generic Browser to see if a host was vulnerable to SNMP information gathering, the Output window documentation only listed a few lines about which SNMP variables work with this technique and some common SNMP Read/Write passwords. I would have been much better served by a pre-existing macro that conducted at least a terse dictionary attack via SNMP.

Core Impact does produce exploit History and Findings reports in HTML or XML, but not in Word or PDF formats. And it can’t differentiate between management and technical reports.

Core Impact can be a time sink, with staffers continuously hitting host systems trying to engage the right exploit — despite the fact that Core Impact highlights exploits that will work with an identified host’s OS.

Although I liked Core Impact’s vulnerability toolkit, it’s hard to recommend it over other automated security tools that scan enterprise networks for vulnerable machines (such as those from Foundstone and Qualys). Outsourced vulnerability-assessment services may rank even higher. Core Impact has its advantages, but gets a lukewarm reaction in comparison to other available options.

InfoWorld Scorecard: Core Impact 3.1

Category (weight)          Score
Documentation (20.0%)      6.0
Reporting (20.0%)          7.0
Features (15.0%)           8.0
Value (15.0%)              6.0
Management (20.0%)         7.0
Implementation (10.0%)     9.0
Overall Score (100%)       7.0