Re: Core Impact

From: paul dansing (dansing_at_swissinfo.org)
Date: 06/23/05

    Date: Wed, 22 Jun 2005 16:16:45 -0700
    To: pen-test@securityfocus.com

    Tuesday, June 21, 2005, 3:30:12 PM, David wrote:
    > Immunity's CANVAS http://www.immunitysec.com/ <- Commercial tool written in
    > Python
    > Exploitation Framework
    > http://www.securityforest.com/wiki/index.php/Exploitation_Framework <-
    > OpenSource tool with "massive amount of exploits available"
    > MetaSploit http://www.metasploit.com/ <- OpenSource tool - with Web GUI
    > ATK http://www.computec.ch/projekte/atk/main.html <- OpenSource tool written in
    > VB for Windows

    These are very weak comparisons. There are two separate things here:
    an exploitation development platform that happens to have exploits,
    versus an exploit GUI. securityforest and atk are just exploit GUIs;
    they have no functionality nor support for exploit development. I can
    list half a dozen other such projects; they are just wrappers. (Short
    list: neat, raccess, arplhmd, sf (securityforest), tHorK, atk, and
    countless other wrappers or autorooters released in the past few
    decades; there is nothing special about these shells.)

    The only public exploit dev platforms right now are impact, canvas,
    and framework (aka metasploit).

    > For Core Impact, I think that it is a good tool but it has certain
    > limitations...the number of exploits... if you want to use an exploit, you need
    > to "port/rewrite" the code into Core's "standard"...the good thing in this
    > tool is the capacity to "pivot" the compromised host and to use it as a
    > platform of attack against internal hosts...

    The "standard" you refer to in quotes, is python, and not only is it
    a secure language but it is also used by canvas, and rumor has it
    framework 3.0 will be in python (but I dread this, perl is so much
    easier than python imho)

    > I think that these tools must be used jointly with a clear methodology
    > (OSSTMM). A good automatic exploit framework must 1) be platform independent,
    > 2) have a good exploit collection, 3) have an intuitive GUI, 4) let you add new
    > exploits without rewriting the code, 5) be OpenSource and 6) have good reporting tools.

    The first three qualifications are nonsense.

    (1) What does platform independence have to do with the ABILITY of the
    product to perform its function? Not only is this judgement
    illogical, but it is moot in the day of vmware, bochs, qemu, etc. Any
    "professional" with any skill or intelligence whatsoever is running
    several different OSes at any given time. If you don't have a win32
    session up somewhere, on your desktop, in a virtual machine, or in a lab, then
    you are incompetent to judge the security of a customer's network. You
    should not be hired. Like it or not, most machines on the planet are
    running windows. Fact. And if you want to be competent at securing
    them, then you need to drop the win32 phobia and dig in and learn and
    use it and be working with NEW vulnerabilities that affect it, every
    week and sometimes every day, or you are flying blind.

    (2) The number of exploits that are bundled with a framework has
    NOTHING to do with the quality of the framework. A skilled professional
    uses these tools for exploit DEVELOPMENT, not kiddie point and clicky.
    Yes, it is nice that the vendors provide good 0day for penetration
    testing, but that is not the primary strength of these development
    platforms.

    (3) Again, GUI? wtf does this have to do with the ability of
    a product to get a job done? I have always been irked that reviews
    include a category for "usability" or "ease of use" ... ease of use to
    retards or skilled professionals?? It is relative. So it doesn't
    belong. Some "pros" are allergic to a command line and have to have a
    GUI; these people are not relevant and their opinions don't matter. The
    tool's ability is what matters.

    (4) yes this is good.

    (5) Opensource is nice, but if all of the exploit modules are open
    source, does it really matter if the engine is?

    (6) I disagree that reporting tools make a difference, but as a
    penetration testing aid I can see the merit in what you are saying;
    sure, it's nice that they be able to clearly report the module output as
    modules are run.

    About the topic of this thread though, yes, Core IMPACT is an excellent
    product and well worth its price. Those who complain about the
    bundled exploits only working on certain versions or languages (this
    goes for both IMPACT and CANVAS) are not making a fair comparison.
    These are commercial quality exploits that outperform any public
    exploit for the same vulnerability you'll find. In most cases that I
    can see where the default values fail, the exploit also attempts to
    bruteforce to find correct values.

    So far none of the reviews that have been published about these
    products are written by exploit *developers* who actually use and
    appreciate these products for their full capabilities. The end user
    who _just_ runs the pre-bundled exploits is the low end of the
    intended and targeted userbase of these very capable products.

    d

