(Steve Shead is a longtime security practitioner and avid user of CORE IMPACT Pro)
CORE IMPACT Pro has the ability to do a full on Network Vulnerability Test or you can do just Information Gathering using the Network RPT tabs. It seems that there’s little attention paid to the modules that make up the suite of tools, yet there is so much fun to be had in there.
For instance, maybe there’s a time when you want to write your own exploits and execute them in Core, or maybe you want to do specific types of discovery and attack; CORE IMPACT Pro gives you that ability, and with tremendous flexibility.
I’m going to walk you through a couple of scenarios using the product’s “modules” view just to show how simple yet excruciatingly effective that portion can be.
First, create a new workspace and click on the “Modules View” tab at the bottom, left of the Modules workspace. You’ll see a list of folders.
Take time to look around; look in all the folders at all the available tools and note the modules structure – you’ll be pleasantly surprised at what is available there. If you wanted to perform a specific targeted attack, or information gathering using a single method, you can have some serious fun here.
I’m going to start with an ICMP sweep to identify all “live” hosts on a subnet, then:
– Double click on the “Information Gathering” folder in the modules workspace. The folder will expand.
– Double click on the “Network Discovery” folder – that folder expands also!
– Double click “Network Discovery – ICMP” then input the subnet details you want to scan as shown in the image below, and hit “OK.”
CORE IMPACT will then perform an ICMP sweep to find hosts and will attempt to resolve the hostnames. One thing to note – this all happens lightening fast!
Once the sweep is done, CORE IMPACT displays the discovered hosts. That’s great, but I want more information so I’m going to attempt to identify the operating systems of the discovered hosts. For a mostly Windows-based network (assumption), I prefer using SMB information gathering.
In the modules workspace, then:
– Double click the OS Detection folder.
– Drag “OS Detect by SMB” and drop it onto your network block. (Where it says “Network: 192.168.100.0.)
The module will then attempt to find the OS of all the hosts listed in that subnet. In my example there is a mix of operating systems. There were a few that didn’t come up in the SMB scan so there’s more information to be had. Isn’t there always?
In the OS Detection folder there is Nmap OS Stack Fingerprinting. Using Nmap OS Stack Fingerprinting the same way I used the SMB module (drag and drop) and now I can see some Cisco routers - I’m even given the IOS rev (useful information indeed – plus I see some Macs. I’m going to take a look at a Mac.)
When I TCP port scan the Mac I see the Windows File Sharing services running. I’m going to try enumerating users on this machine by dragging the SMB information-gathering module and dropping it onto the host. The SAMR Dumper module gives me some useful information, shown below:
Module "DCE-RPC SAMR Dumper" (v1.18) started execution on Wed Jun 24 16:46:45 2009
Retrieving endpoint list from 192.168.100.2
Found user: nobody
Found user: root
Found user: daemon
Found user: unknown
Found user: lp
Found user: uucp
Found user: postfix
Found user: www
Found user: mysql
Found user: sshd
Found user: qtss
Found user: imap
Found user: mailman
Found user: appserver
Found user: clamav
Found user: amavisd
Found user: jabber
Found user: xgridcontroller
Found user: xgridagent
Found user: appowner
Found user: securityagent
Found user: sshead
The anonymous user has NULL SMB password.
Received 23 entries.
-- Module finished execution after 2 secs.
These usernames can be used in a password attack on this machine if you are so inclined, but I’m not interested in that right now.
I’m going to scan the IP 192.168.0.254 machine since it looks like a Windows 2000 machine (don’t worry – it’s a security test machine). After checking the open ports listed on this machine, I’m pretty sure it’s vulnerable to an older remote RPC exploit (ms06-040 worked on this in the old days) to gain access, then:
– Double click the “Exploits” folder in the Modules view.
–Double click the “Remote” folder and drag the “MSRPC SRVSVC NetrpPath Canonicalize (MS06-040) exploit” onto the host.
If the exploit succeeds, you’ll see the agent installed just below the host. Depending on whether you chose a “bind” shell or a “reverse” shell will dictate how you want to interact. I love reverse shells, personally.
We can now connect to the agent and continue the attack. By right clicking on the agent we can invoke an encrypted remote command prompt. The “ipconfig” command reveals that this machine is dual homed – that means there’s more fun to be had – see how this is panning out?
I’d like to explore the newly found network using CORE IMPACT – and why not right? This is one of the many fancy features of CORE IMPACT. I can now set the installed agent as a “Source” (right click on the agent and select “Set as Source”) and pivot any attack from this agent to the new network. This feature can be extended and remote networks can be explored using “agent chaining” – but that’s another story.
I will start the information gathering cycle again on the newly discovered network and perhaps exploit a Windows XP machine on the remote network.
Ok – let’s stop there for now. You can see that I could have branched off in a number of different directions, attacks, scans and much more, just from messing around in the modules area.
Sometimes it pays to get granular and use individual scans and attacks. Sometimes it pays to have the flexibility to craft your own exploits and be able to incorporate them into your CORE IMPACT environment.
The moral here is don’t just play with the automated stuff, though that’s a ton of fun – you’re missing so much more by leaving out the modules – and the modules can lead you in some pretty interesting directions, that you wouldn’t otherwise see if everything was automated.
-Steve Shead, Information Security Officer and Director of IT