Core makes an Impact

By Mandy Andress
June 14, 2002

PENETRATION TESTING is a standard method for evaluating an organization's network security posture. These assessments can be performed from the standpoint of a malicious insider on the corporate network or a malicious outsider trying to compromise systems from the Internet. Some organizations perform these tests internally, but most hire outside consulting firms.
Core Impact tackles penetration tests in seven steps: information gathering, information analysis and planning, vulnerability detection, target penetration, attack/privilege escalation, analysis and reporting, and cleanup. Impact provides a framework for performing each of these steps in a consistent, organized fashion while logging and recording every action taken at every step.

Penetration tests are performed by launching agents and modules against target systems from the Impact Console, where you can also view detailed information about target systems, a record of all activity and module output, and the results of attacks.

Agents -- the small programs you install on compromised systems and use to advance an attack -- are the core component of Impact. Agents come in several levels of capability, ranging from Level 0 agents that can execute only a single basic function call at a time to Level 2 agents providing full multitasking support, a secure communication channel, a Python Virtual Machine (for remote execution of modules), and database connectivity.

Modules are sets of operations that can be launched against target systems, and include OS fingerprinting, port scanning, and targeted exploits. Modules come in two types: native modules that are compiled directly into the agent's machine language, and Python modules that run over a Python Virtual Machine. The ability to develop custom modules is one of the strengths of Impact. Organizations can use these modules to share the knowledge of their best penetration testers across the entire testing group.

We installed Impact on a Windows 2000 Professional system and started an assessment against our test network, which consisted of Linux and Windows systems as well as a few other network devices, such as Cisco routers, print servers, and firewalls. The Impact Console is very intuitive, using point-and-click and drag-and-drop functionality to execute the testing modules.
First, we ran the network discovery module on our test network to identify active systems. We then ran the port scanner module to identify open ports on active systems. Next, we ran the OS stack fingerprinting module to identify the operating systems running on our systems. The OS fingerprinting module is not very extensive out of the box, but you can easily add your own OS signatures to the os_id database. Until we added our own signatures, the module correctly identified only about half of the systems on our test network. All this information gathering took less than five minutes, and afterward we had a detailed log of which modules were executed, when they were executed, and the results of those executions.

We identified a Windows 2000 Server running IIS, so we decided to launch the IIS Unicode exploit, one of the exploit modules included with Impact. The exploit was successful (since we were running an unpatched IIS server) and we now had a compromised system running a Level 0 Agent. This entire process occurred in less than a minute with a single drag-and-drop action.

One of the greatest features of Impact is the ability to pivot, or move your target launch point. So far, we had been executing modules from our Console system. With a simple mouse selection, we changed the source of our attacks from our Console system to our newly compromised Windows 2000 Server. Running the RevertToSelf local exploit module, we gained full control of the Windows 2000 Server and used it as the launch point to compromise one of our Linux servers with the wuftpd format string vulnerability. To clean everything up at the end of our assessment, we simply uninstalled the agents and left no trace of ever being there.

For follow-up analysis, Impact creates two main reports: history and findings. The history report details all the actions taken during the assessment. The findings report details all the information for identified systems, such as name, IP address, OS, open ports, vulnerabilities exploited on the system, and agents installed on the system. Reports are available in HTML or XML.

Impact is a revolutionary product that could be just what network managers need to formalize penetration tests, providing exploit code, detailed logging and reporting, as well as easy cleanup. Any organization consistently performing penetration tests should consider using this product.