Core Security offers powerful testing tool

Category Security testing
Product: Core Impact 6.0
Vendor: Core Security Technologies
Price: $25,000 for annual subscription

Prior to Core Impact, the vast majority of security penetration testers would use "off-the-Web" exploit code, after scouring an application code for backdoors and covert channels. Core Impact changed the security landscape by providing stable, tested and trustworthy exploits for ethical hacking.

The latest release of this automated, commercial-grade penetration-testing software platform is an invaluable tool for professional penetration testers and corporate security engineers.

Configuration/Management: A
Installing Core Impact 6.0 was a breeze--download, double-click and enter the long string to decrypt the installation executable.

There are two main workflows: The rapid penetration test guides the user through the phases of reconnaissance, exploitation and reporting via a series of menu-driven wizards. You can choose the type of exploits to test, as well as the levels of risk to take (e.g., whether or not to run exploits that might crash or DoS the service).

The second workflow is conducted via modules. In this more granular mode, you choose from this version's plethora of available exploits.

Effectiveness: A
We were able to run multiple exploits, test and compromise machines in minutes, giving the attacker complete command and control over our target systems and arming us with detailed information.

We first ran a rapid penetration test in which Core Impact walks you through a simple set of questions to identify the target systems. It scanned the network and identified live hosts, listening ports and OS versions, allowing us to choose the exploit modules most likely to compromise the target.

We chose remote exploits first, attacking the Microsoft Windows Plug and Play services umpnpmgr.dll vulnerability (Microsoft bulletin MS05-039). One click brings up a quick description of the exploit and the vulnerability, including links to patches and remediation information.

We then tested client-side exploits, switching to the "Modules View" to select individual attacks. We ran the IE IFRAME buffer-overflow exploit--which automatically sets up a Web server on the attack system, with a Web page serving up the exploit--and browsed the attack site to compromise our target system. Compromising a target using remote and client-side exploits demonstrates the need to patch the vulnerable software. One of the biggest benefits of running exploits against real systems is gaining insight into how credible the threat posed by vulnerabilities is in our environment.

At the end, Core Impact removes all the agents from the target system, a step often neglected by inexperienced penetration testers. Test activity is logged for review.

Reporting: B
Core Impact comes with a number of report generation options, from a simple executive summary to a detailed vulnerability report. The reports are simple and straightforward. The vulnerability report includes the number of systems compromised, along with detailed information regarding the vulnerabilities exploited. Administrators could use this report to remediate the exposures by following the remediation information and links to patches.

Core Impact uses Crystal Reports, with an XML-based generation system that can be altered and customized to meet your requirements. To take advantage of this feature, however, you have to get under the hood and change the XML templates.

Verdict
Core Impact 6.0 is an amazing tool to validate your security posture. We highly recommend it to security engineers to verify the vulnerability of their networks, or confirm test results from third-party consultants.

Testing methodology
We used VMware virtualization software to install a fully patched Windows XP Pro system to host Core Impact; and a Windows 2000 Advanced Server system with a few service packs missing to play the victim.

This product review originally appeared in the January 2007 edition of Information Security magazine.