Re: Pentesting tool - Commercial

Andre Gironda wrote:
> The numbers show that Core Impact is superior to Canvas and Metasploit.
> Unfortunately, it also shows that Impact is missing quite a lot. The
> point I was trying to make is that you can't use only one exploitation
> engine.

In the second edition of my book, Network Security Assessment (, I have looked at the support for different technologies and services from MSF, IMPACT, and CANVAS (including GLEG and Argeniss zero-day packs). The analysis between these platforms, including details of the supported technologies and exploit modules, is up-to-date as of October 2007.

You can flick through the Google Books edition and see what I mean. It contains paragraphs like this:

"MSF has no exploit modules for ProFTPD at the time of writing. CORE IMPACT supports CVE-2006-5815 (sreplace() off-by-one bug) and CVE-2004-0346 (RETR command overflow). Immunity CANVAS does not support any ProFTPD issues at this time."

In general, my high-level analysis is as follows:

MSF is an excellent and well maintained tool, with support for a significant number of server software issues in particular. Useful modules include those for AIM, CA BrightStor ARCserve, Microsoft RPC services, and Veritas Backup Exec.

IMPACT is sometimes too easy to use and therefore can be difficult to work with in specific environments and configurations. The number of modules for this tool is colossal, with many useful modules for IIS, Microsoft RPC services, Veritas, CA, and others. The issue however with IMPACT's remote exploit modules, is that there are numerous modules that MSF supports which IMPACT does not. IMPACT has a wide range of remote exploit modules, but virtually all of them are for the big server technologies (Microsoft, CA, Veritas, etc.). Where IMPACT comes into its own is with regard to locally exploitable, and client-side vulnerabilities. IMPACT support for client-side bugs is astounding.

CANVAS using the GLEG and Argeniss zero-day exploit packs supports a large number of interesting remotely exploitable bugs that aren't found in MSF or IMPACT. The tool also has some useful database (MSSQL and Oracle) testing routines and modules that have value. However, wide and deep support for bugs is something that CANVAS does not really cover when compared to MSF or IMPACT.

None of these are vulnerability assessment (VA) scanners with capabilities like Nessus; they are exploitation frameworks. You should not be using IMPACT to run an end-to-end penetration test or assessment process. You should use Nmap, Nessus, and other automated VA platforms to get a clear idea of the target network and its configuration, then use MSF/IMPACT/CANVAS to punch through that with some specific exploit modules, and reposition.



Chris McNab
Technical Director

Matta Consulting Limited
Falstaff House
34 Bardolph Road
Richmond upon Thames

T: 08700 77 11 00

The information contained in this email is intended only for the person(s) to whom it is addressed and may contain confidential or privileged material or information that is exempt from disclosure under applicable law. Information and attachments may be used only for the purpose for which they are sent, and copying, disclosure or distribution of any information contained herein is strictly prohibited.

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!