How CORE IMPACT Pro Works
The CORE IMPACT Pro Rapid Penetration Test (RPT) streamlines testing of servers, desktop systems, end-user systems, and web applications by automating tasks that would traditionally require significant time, effort and expertise to perform.
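The RPT automates the accepted best practice for performing penetration tests through six key steps: Information Gathering, Attack and Penetration, Local Information Gathering, Privilege Escalation, Cleanup, and Report Generation.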
IMPACT provides integrated Rapid Penetration Testing capabilities across three attack categories:
- Network Rapid Penetration Test: replicates the actions of an attacker launching remote exploits on your network
- Client-Side Rapid Penetration Test: replicates phishing, spear phishing, spam and other social engineering attacks against end users
- Web Application Rapid Penetration Test: replicates SQL injection and remote file inclusion attacks against e-commerce, customer self-service, ERP and other web applications
The three test approaches differ in the Information Gathering and Attack and Penetration stages, as outlined below. The remaining steps of the RPT are the same once a server, end-user system or web application is compromised.
Each step is automated using easy-to-use wizards that simplify testing for new users and allow advanced users to efficiently execute common tasks. Advanced users can also manually run specific product modules to further customize the penetration testing process.
Information Gathering
Network Rapid Penetration Test
The Information Gathering step collects data about the targeted network, typically using Network Discovery, Port Scanner, and OS and Service Identification modules. Alternatively, you can complete this step by importing information from your network mapping tool or vulnerability scanner. Access to a vulnerability scanner is not required to use IMPACT.
Client-Side Rapid Penetration Test
In the case of end-user testing, Information Gathering involves the collection of email addresses to target with phishing, spear phishing or other social engineering attacks. IMPACT offers a number of modules for gathering email addresses of individuals in your organization, or you can enter or import your own list of email addresses to test.
Web Application Rapid Penetration Test
During this phase of the Web Application RPT, IMPACT crawls through web pages and identifies pages to test.
Attack and Penetration
Network Rapid Penetration Test
During Attack and Penetration, CORE IMPACT Pro automatically selects and launches remote attacks leveraging IP, OS, architecture, port and service information obtained in the Information Gathering step. You can choose to launch every potential attack against each target computer, or you can have the system stop once it successfully deploys a single Network Agent, which carries the attack payload. You maintain full control over which computers are attacked and the order in which exploits are launched. In addition, you can further simplify and speed tests by excluding exploits that may leave a target service unavailable or take a long time to run.
Client-Side Rapid Penetration Test
In the Attack and Penetration stage of the Client-Side RPT, you create an email, associate it with an exploit, and go phishing. The product includes sample email templates that mimic common phishing attacks. You can also create your own custom spear phishing emails that leverage inside knowledge of your organization. IMPACT’s extensive library of client-side exploits includes attacks that target endpoint applications, endpoint security solutions, and endpoint operating systems and services. The product also takes care of sending the email, giving you options such as selecting an SMTP server or spoofing a specific “from” email address.
Web Application Rapid Penetration Test
IMPACT tests web applications against the following types of attacks: Cross-Site Scripting (URL-based, reflective), SQL Injection (traditional and blind), and Remote File Inclusion (RFI) for PHP. For each, the product first analyzes which pages identified during Information Gathering may be vulnerable to attack. IMPACT then dynamically creates exploits to prove whether the vulnerabilities pose actual threats. If an exploit is successful, IMPACT establishes an Agent that allows you to take a number of actions to reveal at-risk information assets.
At this point in Client-Side and Web Application* tests, you can deploy a Network Agent on the compromised end-user system/web server. This shifts you to a network penetration test, simulating a multistaged attack that proceeds beyond an initial compromise to target systems on the same network.
*Applies to Microsoft SQL and Oracle servers compromised via SQL injection and web servers compromised via remote file inclusion for PHP.
Local Information Gathering
The Local Information Gathering step collects information about computers that have IMPACT agents deployed on them. During this step, you leverage Network Agents to interact with compromised computers and gather previously unavailable information about the OS, privileges, users and installed applications. CORE IMPACT Pro can collect information from all deployed Agents or only from those that you specify.
Key Capabilities
- Browse file structures and view file contents on compromised machines
- View rights obtained on compromised machines
- Interact with compromised machines via command shells
- Demonstrate the consequences of security breaches by replicating the steps an attacker would take after gaining access to a system
Privilege Escalation
During the Privilege Escalation step, CORE IMPACT Pro attempts to penetrate deeper into a compromised computer by running local exploits in an attempt to obtain administrative privileges. After Privilege Escalation, you can shift the source Agent to one of the newly compromised systems and cycle back to the initial Information Gathering step, thereby establishing a beachhead from which to run attacks deeper into the network.
Key Capabilities
- Run local exploits to attack systems internally, rather than from across the network
- Gain administrative privileges on compromised systems
- View the networks to which a compromised computer is connected
- Launch attacks from any compromised system to other computers on the same network, gaining access to systems with increasing levels of security
Cleanup
The Cleanup step automatically uninstalls every connected Agent. Agents are uninstalled in post order to support complex Agent chains. In addition, all Agents are automatically uninstalled when closing the active workspace, regardless of whether the Cleanup step is executed or not.
Key Capabilities
- Run tests without installing modules or tools on compromised systems (or altering them in any way)
- Quickly and easily remove all Agents from compromised machines, leaving your network and end-user systems in their original states
Report Generation
CORE IMPACT Pro generates clear, informative reports that provide data about targeted systems and applications, results of end-user tests, audits of all exploits performed, and details about proven vulnerabilities. You can view and print reports using Crystal Reports or export them in popular formats such as HTML, PDF and Microsoft Word.
CORE IMPACT Pro provides the following reports:
Network Test Reports
- Executive report: A high-level snapshot of all activities and test results.
- Activity report: A report of all executed exploits (available in three levels of detail).
- Host report: Detailed host information, including the number of compromised computers, the average number of vulnerabilities exploited on each computer, and the CVE names of vulnerabilities found on each computer.
- Vulnerability report: A detailed report of successfully exploited, versus potential, vulnerabilities on each computer.
- PCI Report: Validates and prioritizes results from vulnerability scans performed by Payment Card Industry (PCI) Approved Scanning Vendors.
- Delta Report: Tracks and compares test results over time, providing an ideal way for customers to present the progress of vulnerability management initiatives to compliance auditors and executive management.
Client-Side Test Reports
- Client-Side Penetration Test Report: A full audit trail of each client-side test, including the email template sent, exploit launched, test result (success or fail), and details about compromised systems.
- User Report: A client-side testing report of which links were clicked, when they were clicked, and by whom.
Web Application Test Reports
- Web Application Vulnerability Report: Provides detailed information about vulnerable fields and other paths of attack revealed during the testing process, identifying which parts of an exposed application require development changes or other security fixes.
- Web Application Executive Report: Provides a high-level summary of tested web applications and results to inform management of test results and to validate remediation resource requirements.
Key Capabilities
- Obtain actionable information about exploited vulnerabilities, compromised end-user systems, web application weaknesses and associated risks
- Create activity audits to satisfy compliance and regulatory requirements
- Export report content in popular formats that can be easily customized and shared

