Put an end to manual penetration testing

Penetration testing is an important part of any security consultant’s toolkit. That’s the only way to estimate how many vulnerabilities a given network has and, thus, how easy it would be to compromise that network.

The problem with penetration testing is that it can be a slow process. Because it can take so long, the vulnerabilities may have shifted by the time the test is complete.

Core Security Technologies’ Core Impact product solves the problem of slow manual penetration testing and the hassle of keeping up with the flood of new vulnerabilities. When we tested Core Impact, we found that it automated testing to the point that you don’t need a highly trained security professional to operate it.

We understood from the beginning that automated penetration testing programs are potentially dangerous weapons. An unauthorized test can set alarms ringing in your network administration department. And if you use the Internet addresses of the CIA, don’t be surprised if unsmiling people in dark suits come knocking at your door.

We installed Impact on a laptop PC running Windows XP in just five minutes. The installation includes the WinPcap driver (www.winpcap.org) to do promiscuous-mode Ethernet captures. This enables you to access the lowest levels of network traffic and see everything on your network rather than just the packets addressed to your computer.

When it started up, Impact listed all of the modules that were loading into RAM. These modules were written in the Python language. We began a penetration test session by clicking on “New Workspace” on the main screen. This created a job that we could return to whenever we wished.

The actual test took place in a multipane interface — a single, easy-to-use screen where we did most of our work. The workflow portion of the interface can be toggled between a rapid penetration test (RPT) and the more complete “modules view.”

We started by using the RPT, which includes six tasks, conveniently numbered and listed in order from information gathering to report generation.

The first step of the test was information gathering, in which we defined our targets. When we executed this phase, we performed an active port scan against the targets we selected. We decided on a SYN scan, inviting innocent computers on the network to respond to our friendly greeting.

You can choose different types of scans if you are, for example, trying to avoid detection by an intrusion-detection or intrusion-prevention system.

You would normally carry this out by first reconnoitering the target network with a tool such as Nmap (www.nmap.com), then importing the results into Impact. This gives you a variety of information about your targets, such as the operating systems they are running, their active services, open ports, Media Access Control (MAC) addresses and so forth.

Once you have obtained a good picture of the network, the next phase is attack and penetration. When this process is successful, Impact automatically places an agent on the target computer. That is, Impact proves that a vulnerability exists by performing an actual penetration. This procedure injects foreign code into a vulnerable file on the target machine, normally a Dynamic Link Library or service file.

We had intended to include real-life networks in our authorized attacks, but we chickened out when we considered the potential consequences. The results on our fully updated and buttoned-down lab machines were completely predictable. Our computers were secure but dull. To raise the excitement level, we turned off their firewalls and rolled back their patches. Then Impact leapt in like a lion on a carcass.

The next phase, local information gathering, let us dig into the systems we had compromised and gave us details relayed back via the agent. The details included patches installed on the target system, users and groups, and particulars about the operating system and hardware. This would be good for finding out which users are members of the local systems administrator’s group, opening doors for further exploitation.

From here, we moved on to privilege escalation, where we gained privileges on the exploited systems. It suddenly struck us that when we gained control of a domain controller, we could traverse the security of the entire domain. This was not a comforting thought.

At this point, we were finished with our foray into hackerdom, but we didn’t want to leave a mess behind. The cleanup module silently touched each of the computers we had compromised and removed our agents wherever they were embedded, leaving our machines pristine and serenely stable.

Our final step was to generate the reports needed to show our systems people the areas they needed to target to strengthen the systems. First, we generated an executive report, complete with nicely formatted and colorful charts.

The activity report, which documented all we had done, is a good one to send to the person who actually manages the intrusion detection and prevention systems. That person can determine whether any of the penetration test activities were detected, or whether there are tweaks that would increase the level of monitoring.

Finally, the host report shows vulnerabilities for each host, and lists which ones were exploited. Importantly, it provides information on what to do to remediate these vulnerabilities.
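The check described above for the activity report, comparing what the tester did against what the intrusion-detection system actually flagged, can be scripted. The following is an added example, not part of the original review and not Core Impact code; the record layouts, field names, time window and sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed tester activity log: (time, source IP, target IP, action).
ACTIVITY = [
    ("2024-01-10T09:00:05", "10.0.0.50", "10.0.0.11", "syn_scan"),
    ("2024-01-10T09:04:30", "10.0.0.50", "10.0.0.11", "exploit_attempt"),
    ("2024-01-10T09:06:10", "10.0.0.50", "10.0.0.12", "exploit_attempt"),
    ("2024-01-10T09:20:00", "10.0.0.50", "10.0.0.11", "agent_cleanup"),
]
# Constructed IDS alert export: (time, source IP, destination IP, signature).
ALERTS = [
    ("2024-01-10T09:00:07", "10.0.0.50", "10.0.0.11", "Port scan detected"),
    ("2024-01-10T09:06:40", "10.0.0.50", "10.0.0.12", "Suspicious RPC payload"),
    ("2024-01-10T09:30:00", "10.0.0.77", "10.0.0.11", "Unrelated alert"),
]

def correlate(activity, alerts, window_s=60, skew_s=5):
    """Pair each test action with alerts for the same src/dst pair raised
    between skew_s seconds before and window_s seconds after the action."""
    results = []
    for when, src, dst, action in activity:
        t = datetime.fromisoformat(when)
        hits = []
        for a_when, a_src, a_dst, sig in alerts:
            delta = (datetime.fromisoformat(a_when) - t).total_seconds()
            if (a_src, a_dst) == (src, dst) and -skew_s <= delta <= window_s:
                hits.append(sig)
        results.append({"time": when, "target": dst, "action": action,
                        "detected": bool(hits), "signatures": hits})
    return results

def coverage(results):
    """Return {action: (detected, total)} so gaps per test phase stand out."""
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        counts[r["action"]][1] += 1
        counts[r["action"]][0] += r["detected"]
    return {action: tuple(c) for action, c in counts.items()}

def missed(results):
    """Actions that produced no alert: candidates for new or tuned rules."""
    return [(r["time"], r["target"], r["action"]) for r in results if not r["detected"]]

if __name__ == "__main__":
    res = correlate(ACTIVITY, ALERTS)
    for action, (hit, total) in coverage(res).items():
        print(f"{action:16} detected {hit}/{total}")
    for row in missed(res):
        print("no alert for", row)
```

The clock-skew allowance matters in practice: if the tester's laptop and the sensor are not time-synchronized, widen `skew_s` before concluding that an action went undetected.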

What we liked

We liked that Impact places a piece of innocuous code onto the machines it compromises. No one can argue that vulnerabilities were found and the computers were actually penetrated. The agents operated smoothly and did not break any services.

Moreover, the operator can do practically everything from just one well-designed screen. We were impressed by features such as the ability to drag exploit modules and drop them onto individual targets.

It is also worth noting that on its opening screen, Impact includes a place for the user to e-mail comments and suggestions to the vendor, and it provides a link to a knowledge base. We appreciate vendors who listen to their customers and make it easy to find help.

Finally, we appreciate the frequency of updates Core provides. Expect one or more updates each week to the exploit modules. During our test period, Core did a good job of keeping up with new vulnerabilities.

Conclusions and recommendations

After using Impact, it seems obvious to us that manual penetration testing is obsolete. Because it is quite possible that someone else is using automated attacks against you, it is prudent to begin authorized automated penetration testing at your own organization to pinpoint the weak points.

Impact is significantly more expensive than its competitors, but we found little else to criticize. We recommend it because it is fast and effective. Once you’ve used it, you can’t go back to slow manual penetration testing.

Greer is a network security consultant. Dyer is a security specialist at a large state agency. They can be reached at egreer@thecourageequation.com.

Core Security Technologies, (617) 399-6980

www.coresecurity.com

Price: A one-year subscription for Core Impact is $25,000.

Pros: The product has an easy-to-use graphical user interface. It frequently updates the exploit modules and generates good reports.

Cons: It is relatively expensive.

Platforms: Core Impact installs only on machines running Microsoft Windows, but it scans Windows, Unix and Linux computers.
