No Tool Is An Island, So Why Can't We Be Friends?

January 13, 2011

"No man is an island, entire of itself; every man is a piece of the continent, a part of the main." - John Donne

Similarly, no tool is an island, entire of itself. Any pen tester using only one tool is doing themselves and their clients a disservice. This is why Core Impact is geared towards interaction with other tools. As such, in this post I'm going to talk about using two different tools from other vendors in conjunction with Impact.

I've been using Burp Suite for ages since back when there was no such thing as Burp Suite, only Burp Proxy. (KIDS THESE DAYS WHEN I WAS YOUR AGE UPHILL BOTH WAYS MOVIES COST A NICKEL DIDN'T HAVE THE TWITTERS DANCED THE CHARLESTON) It remains one of my favorite tools; a must-have.

Burp has web spidering functionality that seeds from the browsing you do against the target and makes intelligent guesses about what other content might be there.

Impact has a method of web crawling referred to as "interactive crawling": you point any tool capable of making HTTP requests through a proxy at an HTTP(S) proxy that Impact launches.

Usually, this is a browser, but it doesn't have to be! One technique that I use is to point my browser at Burp Suite, and point Burp at the Impact proxy. The result is that I can browse the target website while Burp spiders based on my crawling, and Impact piggybacks on all the requests and identifies all the pages requested. ZANG!
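As an added illustration of that chain (example code written for this post, not Core's or PortSwigger's), here is a toy two-hop recording proxy in Python: the first hop stands in for Burp, the second for Impact's interactive-crawl proxy, and a stub origin server is a constructed stand-in for the target. Every request the "browser" sends through the chain ends up in the last hop's site map, keyed by host and path with the parameter names seen.

```python
import http.client, http.server, threading
from urllib.parse import urlsplit

def record(pages, url):  # site map: (host, path) -> parameter names seen so far
    p = urlsplit(url)
    names = {kv.split("=", 1)[0] for kv in p.query.split("&") if kv}
    pages.setdefault((p.hostname, p.path or "/"), set()).update(names)

class Quiet(http.server.BaseHTTPRequestHandler):
    log_message = lambda self, *args: None   # keep the demo's output clean
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class RecordingProxy(Quiet):
    def do_GET(self):
        record(self.server.pages, self.path)   # proxy request lines carry the absolute URI
        p = urlsplit(self.path)
        if self.server.upstream:               # chained hop: forward the absolute URI unchanged
            conn, target = http.client.HTTPConnection(*self.server.upstream), self.path
        else:                                  # last hop: origin-form request to the site itself
            conn = http.client.HTTPConnection(p.hostname, p.port or 80)
            target = (p.path or "/") + ("?" + p.query if p.query else "")
        conn.request("GET", target, headers={"Host": p.netloc})
        resp = conn.getresponse()
        self.reply(resp.status, resp.read())

class Origin(Quiet):                           # constructed stand-in for the target web site
    def do_GET(self):
        self.reply(200, b"ok " + self.path.encode())

def serve(handler, upstream=None):             # free port; upstream=(host, port) chains a proxy
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    srv.upstream, srv.pages = upstream, {}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """browser -> 'Burp' proxy -> 'Impact' proxy -> origin; returns the map the last hop built."""
    origin = serve(Origin)
    host = "127.0.0.1:%d" % origin.server_address[1]
    impact = serve(RecordingProxy)                                 # last hop, like Impact's proxy
    burp = serve(RecordingProxy, upstream=impact.server_address)   # first hop, like Burp
    browser = http.client.HTTPConnection(*burp.server_address)
    for path in ("/", "/login?user=a&pw=b", "/login?user=c", "/admin/"):
        browser.request("GET", "http://%s%s" % (host, path), headers={"Host": host})
        assert browser.getresponse().read() == b"ok " + path.encode()
    for srv in (origin, impact, burp): srv.shutdown()
    return impact.pages
```

Running `demo()` returns three mapped pages, with `/login` carrying the `user` and `pw` parameter names collected across both visits.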

There are also lots of ways to use modules from the Metasploit framework (the free one!) alongside Impact. As a thought experiment, let's say that you're performing a penetration test for a client and find that they're running an old version of some web server you'd never heard of before the test. Let's say that someone wrote a proof-of-concept exploit for use with MSF and you don't want to port it to Impact. No problem.

In Metasploit, there's a category of Windows payloads which allow you to upload and execute a file of your choice. Conveniently, in Impact there's a module which allows you to Trojanize an agent and pack it into a variety of executables for various operating systems and architectures. The Metasploit "Upload and Execute" payloads are located at payload/windows/upexec/. Use any one of them and set the PEXEC option to point to the Trojanized Impact agent. Run the exploit, and TA-DA!

You've just deployed an Impact agent using a Metasploit exploit.

Expect more in the "Why can't we be friends?" series, since there are so many tools out there!

Keep fighting that good fight, info-warriors.

--

- Dan Crowley, Technical Specialist
