Core Impact has long been one of our favorite tools for testing the effectiveness of security devices. Now that we’ve had a chance to see what the recently released Version 7.5 of the product can do, we like Core Impact even better. This latest version adds two important Web application testing techniques, polishes the e-mail phishing attack capabilities introduced in Version 6, and generally makes penetration testing easier than ever before.
In serious security geek circles, you may get picked on for using Core Impact because it is so simple, but then again you’re likely to have more free time to think of retorts. Whether you're a seasoned penetration tester or a neophyte, the new reporting interface and idiot-proof attack wizards make it a breeze to discover and exploit the vulnerabilities remaining in both your silicon- and carbon-based infrastructures.
Unsocial engineering
In Version 6.0, Core Impact introduced valuable client-side attacks that test the security awareness of end-users by sending Trojans embedded in a legitimate-looking e-mail. By using these types of phishing attacks, you can directly assess the security awareness of your end-users. Do they readily click Yes and turn over control of their machines to malicious software, or do they report a potentially infected attachment to the help desk as taught in their yearly security training?
Version 7.5 makes configuring e-mail phishing attacks much simpler. First off, this version allows you to harvest e-mail addresses via several methods, including integration with search tools such as Google, Yahoo, AltaVista, MSN Live Search, and MetaCrawler. Impact searches the Internet for the same corporate e-mail addresses that black hats and spammers are scavenging as you read this. Other methods for collecting a target corporation's addresses include querying DNS, Whois, and PGP key servers, or crawling the target's Web site. The tool can import e-mail addresses from a plain list as well.
Once Impact is loaded with e-mail addresses, you feed it the template of an e-mail message that looks to have been drafted by someone important (your CEO, for example). Then you pick your exploit or Trojan, select how to embed the malicious payload (Excel spreadsheets and zip files work well), and pull the trigger. The e-mail is sent to the victims on your list and sits in their inboxes with all of their other mail. When a user opens the attachment, the Trojan calls back to Core Impact and establishes an agent on the victim's machine, which you can then use as a foothold for further attacks. Along the way you get a clear picture of which of your users need additional training in information assurance.
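As an added illustration of the Web-site crawl step of the harvesting described above (this is example code written for this review, not Core Impact's own), the following Python pulls addresses out of crawled HTML, including mailto: links, HTML-entity-encoded "@" signs and the common "jane [at] example (dot) com" obfuscation, and keeps only addresses in the target's domain. The HTML pages and the target domain example.com are constructed for the example; a real run would fetch the pages first, and the search-engine, DNS, Whois and PGP key-server methods are not covered here.

```python
"""Harvest a target organisation's e-mail addresses from crawled Web pages.

Added example, not Core Impact's code. The SAMPLE_PAGES below are
constructed HTML snippets so the script runs offline; in practice the
pages would come from a crawl of the target's Web site.
"""
import re
from html import unescape
from typing import Iterable

# Plain addresses: local-part@domain.tld
_PLAIN_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

# Lightly obfuscated addresses such as "jane.doe [at] example (dot) com".
_OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[\[\(]\s*at\s*[\]\)]\s*"
    r"((?:[A-Za-z0-9-]+\s*[\[\(]\s*dot\s*[\]\)]\s*)+[A-Za-z]{2,})",
    re.IGNORECASE,
)
_DOT_RE = re.compile(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", re.IGNORECASE)

# mailto: links, which may carry a ?subject=... suffix.
_MAILTO_RE = re.compile(r"""mailto:([^"'?>\s]+)""", re.IGNORECASE)


def extract_addresses(html: str) -> set[str]:
    """Return every address found in one page, in any of the supported forms."""
    # Decoding entities turns "user&#64;example.com" into "user@example.com".
    text = unescape(html)
    found: set[str] = set()
    for m in _MAILTO_RE.finditer(text):
        found.add(m.group(1).lower())
    for m in _PLAIN_RE.finditer(text):
        found.add(m.group(0).lower())
    for m in _OBFUSCATED_RE.finditer(text):
        domain = _DOT_RE.sub(".", m.group(2))
        found.add(f"{m.group(1)}@{domain}".lower())
    # Drop anything that is not a well-formed address after normalisation.
    return {a for a in found if _PLAIN_RE.fullmatch(a)}


def harvest(pages: Iterable[str], target_domain: str) -> list[str]:
    """Collect, de-duplicate and sort addresses belonging to target_domain
    or one of its subdomains; third-party addresses (hosting providers,
    partners) are discarded so they do not end up on the phishing list."""
    target = target_domain.lower()
    addresses: set[str] = set()
    for page in pages:
        for addr in extract_addresses(page):
            domain = addr.rsplit("@", 1)[1]
            if domain == target or domain.endswith("." + target):
                addresses.add(addr)
    return sorted(addresses)


# Constructed sample pages (not real crawl output).
SAMPLE_PAGES = [
    # A "Contact us" page: a mailto: link with a subject and an entity-encoded "@".
    '<p>Press: <a href="mailto:press@example.com?subject=Inquiry">press@example.com</a></p>'
    "<p>Support: support&#64;example.com</p>",
    # A staff directory with an obfuscated address and a subdomain address.
    "<li>Jane Doe, CFO: jane.doe [at] example (dot) com</li>"
    "<li>Sales EMEA: sales@eu.example.com</li>",
    # A page footer whose third-party address must be filtered out.
    '<footer>Hosted by <a href="mailto:abuse@hostingprovider.net">hostingprovider.net</a></footer>',
]


if __name__ == "__main__":
    for addr in harvest(SAMPLE_PAGES, "example.com"):
        print(addr)
```

Run against your own organisation's public pages, the same script doubles as a quick exposure check: every address it returns is one that a real phisher can collect just as easily, which is useful context when deciding who gets the extra training mentioned above.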
There's one shortcoming we spotted in this feature: Once a client Trojan is in place, it tries to connect to Core Impact only once; if Impact isn’t available when the exploit is first executed, the potential compromise is lost. We'd like to see a timer added to the exploit to allow it to continue trying (every 10 minutes, every hour, once a day) if it doesn't connect the first time. Additionally, we'd like to see Impact itself able to run on a server as a service, especially since an e-mail with a Trojan payload may not be opened for several days. Having Impact available to receive the call at any time would make this feature much more effective.
Victor R. Garza is senior contributing editor of the InfoWorld Test Center. Charles D. Herring is a network security consultant in the greater Chicago area.