Core Impact puts a vise grip on vulnerabilities

Last week’s column talked about the Metasploit Framework vulnerability scanner. Although the interface is a bit cumbersome, it’s an excellent free tool for testing single exploits and can do more with additional automation. I’ve also previously discussed the dual-sourced vulnerability scanner Nessus.

In both columns, I said that as good as these tools are, many commercial scanners are better. Last week, I had a chance to revisit that theory as I reviewed Core Security Technologies' Core Impact 5.1 vulnerability scanner.

Created in 1996, Core Impact has been around a long time, and I have used this tool many times professionally to test networks and beta software. While it only installs on Windows platforms, Core Impact can scan Windows, Linux, Unix, and other related platforms. It contains hundreds of exploits and a good multipane window interface (see my blog for screen shots). Like many products, it has a click-once button for downloading new updates.

Core Impact's main screen looks almost too busy at first, but it isn’t. It contains everything you need to do and outputs the results in just one screen, and you can customize the screen any way you like.

In fact, almost every facet of Core Impact is customizable, mostly by editing XML files. You can control what you see on-screen, what the default settings are, how helpful wizards interact with the end-user, what ports are scanned, and what information reports contain -- all by editing easy-to-read XML code. Exploits are written in Python, which is also readily customizable. Core Impact even comes with a nice user document for customizing and creating exploits.

All activities that the product executes are documented on-screen and in a log file in detail. Information about the penetration testing pathway, each activity, and each exploit is documented in enough detail that there shouldn’t be any surprises. The level of documentation and detail is top-notch.

Penetration testers are walked through a series of steps that mimic the “hacker methodology”: Information Gathering, Attack & Penetration, Local Information Gathering, Privilege Escalation, etc. Information gathering and device discovery is fair, using various TCP/IP scan types (syn, TCP connect, ICMP [Internet Control Message Protocol]), but isn’t as thorough as some competitors, which use SNMP and other additional discovery methods to be even more accurate. However, you can import host lists from other discovery tools, like GFI’s LANguard and the open source Nmap.

Discovery continues on each host with a port scan. In what I think is a smart choice, the default ports scanned match only the ports that Core Impact will use to do exploitation, but you can easily create a custom port scan list, or take just the most common TCP and UDP (User Datagram Protocol) ports. Full-service enumeration will verify the protocol running on each port.