With the recent release of Core Impact Professional v12.5 and the addition of the Identity Manager functionality, I thought now was the perfect time to talk about the User Actions functionality. While this functionality has existed for many versions prior to 12.5, it is arguable that this version really makes leveraging this capability a no-brainer.
Let's start out with what User Actions do at a basic level. User Actions allow IMPACT to call a user-defined third-party application or program to perform an action. Some examples of this are automatically opening an SSH or maybe FTP client, or an RDP session, to use the credentials you've found.
OK, so how does this work? To start, there are some default options for this built into your Core Impact installation. To take a look at these, right-click on a host IP address; the localhost will work fine. About halfway down that menu you'll see the User Actions option. Moving your mouse there will open the prebuilt action, FTP. If you select FTP, it will pass the FTP request with the host IP address to the Internet Explorer browser, using the notation 'ftp://' to tell IE we want to open an FTP session to the IP.
Let's look at what else we can do with this. I've come up with a short list of other things that you could use with this, especially to leverage the ID Manager features in IMPACT version 12.5. I'll show you how to use User Actions to open and pass parameters to PuTTY, WinSCP, MS RDP, and VNC as examples. These will allow us to automatically open and pass host details for the SSH, TELNET, Rlogin, RDP, VNC and FTP protocols.
Of course, the first step is to download PuTTY, WinSCP, and a VNC client to your IMPACT computer. Now that you have those, we can configure IMPACT to connect to these and automatically pass the IP of the host you're connecting to.
I'll use PuTTY for SSH, TELNET, and Rlogin; WinSCP for FTP and sFTP; and the Java VNC client. To set these up as User Actions, go to the Options window from the Tools menu, or use the CTRL-E keyboard shortcut. Select the User Actions menu on the left to define your own actions.
First we will want to change the default FTP action to point to WinSCP. Simply select the ellipsis button [...] on the right side of the Program column and navigate to where you saved the WinSCP executable. For this one we don't have to change anything else. Let's do a few more before testing these. To add a new User Action, click the New button and give it a name like sFTP by clicking on name1 and renaming it. Select the WinSCP executable as you did for FTP, and then in the Parameters column type sftp://[ip]. The sftp:// parameter is what tells WinSCP which protocol to use, and the [ip] parameter tells IMPACT to pass the IP address of the host you right-clicked on. Pretty straightforward, really.
Some programs require additional parameters, like PuTTY for telnet, -telnet[ip], or rlogin, -rlogin[ip]. For RDP you simply have to call the MSTSC executable with the /v parameter. I've also included a screenshot of my setup for various programs. For the Java VNC client, choose the JAR file and use [ip] as the passed parameter.
To understand what else you can do with User Actions, simply look up the command-line settings for running any of these or other programs.
That's pretty cool if you ask me. If you can think of anything else to use this for let me know via a comment below.
Senior Systems Engineer, CORE Security