In both columns, I said that as good as these tools are, many commercial scanners are better. Last week, I had a chance to revisit that theory as I reviewed Core Security Technologies' Core Impact 5.1 (http://www.coresecurity.com/products/coreimpact/index.php) vulnerability scanner.
Created in 1996, Core Impact has been around a long time, and I have used this tool many times professionally to test networks and beta software. While it only installs on Windows platforms, Core Impact can scan Windows, Linux, Unix, and other related platforms. It contains hundreds of exploits and a good multipane window interface (see my blog for screen shots). Like many products, it has a click-once button for downloading new updates.
Core Impact's main screen looks almost too busy at first, but it isn't. It contains everything you need to do and outputs the results in just one screen, and you can customize the screen any way you like.
In fact, almost every facet of Core Impact is customizable, mostly by editing XML files. You can control what you see on-screen, what the default settings are, how helpful wizards interact with the end-user, what ports are scanned, and what information reports contain -- all by editing easy-to-read XML code. Exploits are written in Python, which is also readily customizable. Core Impact even comes with a nice user document for customizing and creating exploits.
All activities that the product executes are documented on-screen and in a log file in detail. Information about the penetration testing pathway, each activity, and each exploit is documented in enough detail that there shouldn't be any surprises. The level of documentation and detail is top-notch.
Penetration testers are walked through a series of steps that mimic the "hacker methodology":
Information Gathering, Attack & Penetration, Local Information Gathering, Privilege Escalation, etc. Information gathering and device discovery is fair, using various TCP/IP scan types (syn, TCP connect, ICMP [Internet Control Message Protocol]), but isn't as thorough as some competitors, which use SNMP and other additional discovery methods to be even more accurate. However, you can import host lists from other discovery tools, like GFI's LANguard (http://www.gfi.com/languard) and the open source Nmap (http://www.insecure.org/nmap).
Discovery continues on each host with a port scan. In what I think is a smart choice, the default ports scanned match only the ports that Core Impact will use to do exploitation, but you can easily create a custom port scan list, or take just the most common TCP and UDP (User Datagram Protocol) ports. Full-service enumeration will verify the protocol running on each port.
While it will not tell you which Web server product is running on port 80, Core Impact will verify that the protocol is HTTP, and recognize the same even on non-default ports. For example, it will identify a Remote Desktop Protocol (RDP) application even if it is not running on its default TCP port number, 3389.
OS fingerprinting is provided within the product using a licensed copy of the Nmap OS fingerprinting database. It would be nice to see application fingerprinting enabled, so you could identify the correct Web server (Apache, IIS, etc.).
Once the host IP addresses are gathered, the tester then chooses what exploits to execute and how aggressive they should to be. Testers can choose to enable or disable penetration tests that take a long time, like a password brute force.
If the product is able to exploit the intended victim and gain access, a small, memory-only agent is executed on the host. This agent is called Level 0. Once the agent is installed, the remote tester can pillage and plunder the compromised host, escalate privileges if needed, dump password hashes, install a keylogger, take screenshots, enumerate users and groups, and so on.
The agent allows a mini-shell to be installed with a limited series of commands (list, copy, move, rename, upload, download, and execute a command). The remote agent and mini-shell can be installed remotely using non-exploitation techniques (NetBIOS, Telnet, rlogin, etc.) as well as remotely uninstalled, removing all traces of its existence.
Customized groups of exploits can be gathered into a single macro. Client-side attacks are simulated by connecting to the remotely installed agent, which then runs the exploit locally (often in Internet Explorer).
But the real value of any commercial vulnerability scanner is how well the exploits are crafted. Taking nothing away from the incredible team members at Metasploit and Nessus, Core Security Technologies has a highly paid staff of creators and a highly paid staff of QA reviewers. They research and create highly reliable and more functional exploits.
For example, the Microsoft DCOM-RPC exploit (aka Blaster) normally works across port 135. Core Security Technologies' team discovered that it would work across multiple ports (including 80, 137, 139, and 445). Usually, the exploit causes Windows to reboot because the RPC service crashes and its default recovery option is to restart Windows, but Core Impact 's implementation executes custom code that patches memory to make reboots less likely to occur.
Overall, I was very impressed with Core Impact and would recommend it to anyone.