Re: Pentesting tool - Commercial

Andre Gironda wrote:
> The numbers show that Core Impact is superior to Canvas and Metasploit.
> Unfortunately, it also shows that Impact is missing quite a lot. The
> point I was trying to make is that you can't use only one exploitation
> engine.

In the second edition of my book, Network Security Assessment (, I have looked at the support for different technologies and services from MSF, IMPACT, and CANVAS (including GLEG and Argeniss zero-day packs). The analysis between these platforms, including details of the supported technologies and exploit modules, is up-to-date as of October 2007.

You can flick through the Google Books edition and see what I mean. It contains paragraphs like this:

"MSF has no exploit modules for ProFTPD at the time of writing. CORE IMPACT supports CVE-2006-5815 (sreplace() off-by-one bug) and CVE-2004-0346 (RETR command overflow). Immunity CANVAS does not support any ProFTPD issues at this time."

In general, my high-level analysis is as follows:

MSF is an excellent and well maintained tool, with support for a significant number of server software issues in particular. Useful modules include those for AIM, CA BrightStor ARCserve, Microsoft RPC services, and Veritas Backup Exec.

IMPACT is sometimes too easy to use and therefore can be difficult to work with in specific environments and configurations. The number of modules for this tool is colossal, with many useful modules for IIS, Microsoft RPC services, Veritas, CA, and others. The issue however with IMPACT's remote exploit modules, is that there are numerous modules that MSF supports which IMPACT does not. IMPACT has a wide range of remote exploit modules, but virtually all of them are for the big server technologies (Microsoft, CA, Veritas, etc.). Where IMPACT comes into its own is with regard to locally exploitable, and client-side vulnerabilities. IMPACT support for client-side bugs is astounding.

CANVAS using the GLEG and Argeniss zero-day exploit packs supports a large number of interesting remotely exploitable bugs that aren't found in MSF or IMPACT. The tool also has some useful database (MSSQL and Oracle) testing routines and modules that have value. However, wide and deep support for bugs is something that CANVAS does not really cover when compared to MSF or IMPACT.

None of these are vulnerability assessment (VA) scanners with capabilities like Nessus; they are exploitation frameworks. You should not be using IMPACT to run an end-to-end penetration test or assessment process. You should use Nmap, Nessus, and other automated VA platforms to get a clear idea of the target network and its configuration, then use MSF/IMPACT/CANVAS to punch through that with some specific exploit modules, and reposition.



Chris McNab
Technical Director

Matta Consulting Limited
Falstaff House
34 Bardolph Road
Richmond upon Thames

T: 08700 77 11 00

The information contained in this email is intended only for the person(s) to whom it is addressed and may contain confidential or privileged material or information that is exempt from disclosure under applicable law. Information and attachments may be used only for the purpose for which they are sent, and copying, disclosure or distribution of any information contained herein is strictly prohibited.

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

Relevant Pages

  • Re: [PHP] IE8 and HTML5
    ... Everyone has their favorite unstandardized feature they'd love IE to support. ... Experimental support for Canvas and other unstandardized features might be a good thing; I know the spec editors would welcome implementor feedback. ... Could be I'm underestimating the effects of press hype about chrome on MS's strategy, but I think actually Microsoft's turn towards a stronger emphasis on standards support long preceded the release of Chrome. ...
  • Re: How to reduce duplication in this small JS script
    ... but is there a Javascript library which uses SVG in browsers that ... support SVG and Canvas in the browsers that support Canvas? ...
  • RE: Animation to adjust position of elements. (wpf)
    ... suggest that you use a Canvas instead of a Grid in your WPF application. ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
  • RE: [PHP] IE8 and HTML5
    ... Subject: IE8 and HTML5 ... Does this mean canvas support? ... Everyone has their favorite unstandardized feature they'd love IE to ... Experimental support for Canvas and other unstandardized features ...
  • Re: Vector 21 - Boston
    ... pay a million bucks for a painting of a black dot on a white canvas. ... I would consider forking out some bucks (not bugs) for a white dot on ...