While it will not tell you which Web server product is running on port 80, Core Impact will verify that the protocol is HTTP, and recognize the same even on non-default ports. For example, it will identify a Remote Desktop Protocol (RDP) application even if it is not running on its default TCP port number, 3389.
OS fingerprinting is provided within the product using a licensed copy of the Nmap OS fingerprinting database. It would be nice to see application fingerprinting enabled, so you could identify the correct Web server (Apache, IIS, etc.).
Once the host IP addresses are gathered, the tester then chooses what exploits to execute and how aggressive they should to be. Testers can choose to enable or disable penetration tests that take a long time, like a password brute force.
If the product is able to exploit the intended victim and gain access, a small, memory-only agent is executed on the host. This agent is called Level 0. Once the agent is installed, the remote tester can pillage and plunder the compromised host, escalate privileges if needed, dump password hashes, install a keylogger, take screenshots, enumerate users and groups, and so on.
The agent allows a mini-shell to be installed with a limited series of commands (list, copy, move, rename, upload, download, and execute a command). The remote agent and mini-shell can be installed remotely using non-exploitation techniques (NetBIOS, Telnet, rlogin, etc.) as well as remotely uninstalled, removing all traces of its existence.
Customized groups of exploits can be gathered into a single macro. Client-side attacks are simulated by connecting to the remotely installed agent, which then runs the exploit locally (often in Internet Explorer).
But the real value of any commercial vulnerability scanner is how well the exploits are crafted. Taking nothing away from the incredible team members at Metasploit and Nessus, Core Security Technologies has a highly paid staff of creators and a highly paid staff of QA reviewers. They research and create highly reliable and more functional exploits.
For example, the Microsoft DCOM-RPC exploit (aka Blaster) normally works across port 135. Core Security Technologies’ team discovered that it would work across multiple ports (including 80, 137, 139, and 445). Usually, the exploit causes Windows to reboot because the RPC service crashes and its default recovery option is to restart Windows, but Core Impact 's implementation executes custom code that patches memory to make reboots less likely to occur.
Overall, I was very impressed with Core Impact and would recommend it to anyone.