Penetration Testing mailing list archives
Re: Core Impact
From: paul dansing <dansing () swissinfo org>
Date: Wed, 22 Jun 2005 16:16:45 -0700
Tuesday, June 21, 2005, 3:30:12 PM, David wrote:
> Immunity's CANVAS http://www.immunitysec.com/ <- Commercial tool written in Python
> Exploitation Framework http://www.securityforest.com/wiki/index.php/Exploitation_Framework <- OpenSource tool with "massive amount of exploits available"
> MetaSploit http://www.metasploit.com/ <- OpenSource tool, with Web GUI
> ATK http://www.computec.ch/projekte/atk/main.html <- OpenSource tool written in VB for Windows
These are very weak comparisons. There are two separate things here: an exploitation development platform that happens to have exploits, versus an exploit GUI. securityforest and atk are just exploit GUIs; they have no functionality or support for exploit development. I can list half a dozen other such projects; they are just wrappers. (Short list: neat, raccess, arplhmd, sf (securityforest), tHorK, atk, and countless other wrappers or autorooters released in the past few decades; there is nothing special about these shells.) The only public exploit dev platforms right now are impact, canvas, and framework (aka metasploit).
> For Core Impact, I think that it is a good tool but it has certain limitations... the number of exploits... if you want to use an exploit, you need to "port/rewrite" the code to Core's "standard"... the good thing about this tool is the capacity to "pivot" through the compromised host and use it as a platform of attack against internal hosts...
The "standard" you refer to in quotes is python, and not only is it a secure language but it is also used by canvas, and rumor has it framework 3.0 will be in python (but I dread this; perl is so much easier than python imho).
> I think that these tools must be used together with a clear methodology (OSSTMM). A good automatic exploit framework must have 1) platform independence, 2) a good exploit collection, 3) an intuitive GUI, 4) the ability to add new exploits without rewriting the code, 5) OpenSource, and 6) good reporting tools.
The first three qualifications are nonsense.

(1) What does platform independence have to do with the ABILITY of the product to perform its function? Not only is this judgement illogical, but it is moot in the day of vmware, bochs, qemu, etc. Any "professional" with any skill or intelligence whatsoever is running several different OSes at any given time. If you don't have a win32 session up somewhere (on your desktop, in a virtual machine, in a lab), then you are incompetent to judge the security of a customer's network. You should not be hired. Like it or not, most machines on the planet are running Windows. Fact. And if you want to be competent at securing them, then you need to drop the win32 phobia, dig in, learn and use it, and be working with NEW vulnerabilities that affect it, every week and sometimes every day, or you are flying blind.

(2) The number of exploits bundled with a framework has NOTHING to do with the quality of the framework. A skilled professional uses these tools for exploit DEVELOPMENT, not kiddie point-and-clicky. Yes, it is nice that the vendors provide good 0day for penetration testing, but that is not the primary strength of these development platforms.

(3) Again, GUI? wtf does this have to do with the ability of a product to get a job done? I have always been irked that reviews include a category for "usability" or "ease of use"... ease of use for retards or for skilled professionals?? It is relative, so it doesn't belong. Some "pros" are allergic to a command line and have to have a GUI; these people are not relevant and your opinions don't matter. The tool's ability is what matters.

(4) Yes, this is good.

(5) Open source is nice, but if all of the exploit modules are open source, does it really matter if the engine is?
(6) I disagree that reporting tools make a difference, but as a penetration testing aid I can see the merit in what you are saying; sure, it's nice that they be able to clearly report the module output as modules are run.

About the topic of this thread though: yes, Core IMPACT is an excellent product and well worth its price. Those who complain about the bundled exploits only working on certain versions or languages (this goes for both IMPACT and CANVAS) are not making a fair comparison. These are commercial-quality exploits that outperform any public exploit for the same vulnerability you'll find. In most cases that I can see, where the default values fail the exploit also attempts to bruteforce to find correct values. So far none of the reviews that have been published about these products are written by exploit *developers* who actually use and appreciate these products for their full capabilities. The end user who _just_ runs the pre-bundled exploits is the low end of the intended and targeted userbase of these very capable products.

d
Current thread:
- Core Impact Security Professional (Jun 21)
- Re: Core Impact Chris Raymond (Jun 21)
- RE: Core Impact boxerb (Jun 21)
- Re: Core Impact David Eduardo Acosta Rodríguez (Jun 21)
- Re: Core Impact paul dansing (Jun 22)
- <Possible follow-ups>
- Re: Core Impact securityfocus (Jun 21)
- Re: Core Impact Daniel Miessler (Jun 24)
- Re: Core Impact Daniele Milan (Jun 24)
- Re: Core Impact Chris Byrd (Jun 24)
- Re: Core Impact nick johnson (Jun 24)
- Re: Core Impact Daniel Miessler (Jun 24)
- RE: Core Impact Andre Protas (Jun 21)
- Re: Core Impact Christoph Puppe (Jun 22)
- Core Impact Security Professional (Jun 23)