SlideShare a Scribd company logo

Automated Penetration Testing With Core Impact

Tom Eston
Tom Eston

1. Core Impact is a commercial penetration testing framework that uses a common methodology of information gathering, attack, privilege escalation, and reporting on networks, clients, and web applications. 2. It works by launching modules and agents against target systems from a console to fingerprint systems, scan for vulnerabilities, and perform exploits to compromise targets. 3. While powerful, it has some limitations like importing only certain vulnerability data, occasional bugs and crashes, and being expensive.

Technology
1 of 11
1
2
Most read
3
4
5
6
7
8
9
10
11
Automated Penetration Testing with CORE IMPACT Tom Eston NEO Information Security Forum February 20, 2008
Topics What makes a good penetration testing framework? What is CORE IMPACT? How does it work? Cool features Limitations Live demonstration Network Side RPT (Rapid Penetration Test) Client Side RPT
Disclaimer I am not a paid spokesman for Core Security Technologies Opinions are from a customer perspective “ Automated penetration testing does not replace the need for manual, detailed penetration testing!”
What makes a good penetration testing framework? Platform independent Install on Windows, Mac, Linux Good exploit collection w/regular updates A intuitive, robust GUI Ability to add new exploits Open source or ability to customize Good reporting tools
What frameworks are available? Metasploit Framework Inguma SecurityForest Attack Tool Kit Immunity Canvas ($) CORE IMPACT ($) Some are application or web specific… Orasploit (Oracle) PIRANA (email content filtering framework) BeEF (Browser Exploitation Framework) W3af (Web Application Exploit Framework)
What is CORE IMPACT? Commercial penetration testing framework ($$) Uses a common pen test methodology Information Gathering Attack and Penetration Privilege Escalation Clean Up and Reporting Network, client-side and web (SQL Injection and PHP remote file inclusion) RPT functions Detailed logging Easy to use Safe Exploits are extensively tested by the CORE IMPACT team Develop custom modules and exploits (Python) Pretty reports…
How does it work? Launch agents and modules against target systems from the console Agents - Small programs you install on compromised systems and use to advance an attack. Memory resident! (think Metasploit’s meterpreter) Level of agents give you additional functionality (pivoting) Modules - Operations that can be launched against target systems OS fingerprinting, port scanning, and targeted exploits View detailed information about target systems Keeps a record of all activity, module output, and the results of attacks
Cool Features Pivoting Use compromised host to attack hosts on internal network Collect Windows password hashes in-memory Log keystrokes, sniff passwords and hashes Collect saved login credentials from popular applications such as Internet Explorer, Firefox and MSN Install agents with valid username, password, hash combinations MSRPC fragmentation and traffic encryption Test IDS/IPS defenses
Limitations Importing external vulnerability data Nessus, Qualys, etc… Slow and buggy at times Console sometimes unstable Crash will cause agents to disconnect Know Python? Expensive!
Live Demonstration Lab Setup VMware Server, CORE IMPACT Console 4 Windows Systems, 1 Linux Network Side Rapid Penetration Test Information Gathering Attack and Penetration w/multiple exploits Clean Up Client Side Rapid Penetration Test Phishing simulation Windows XP target running Outlook Express Microsoft WMF Exploit
Questions [email_address] CORE IMPACT from Core Security Technologies http://www.coresecurity.com/

More Related Content

What's hot (8)

PDF
Extent of climate change over India & its projected impact on Indian agricult...
India Water Portal
 
PPTX
GEE Intro 2018.pptx
GorgorGIS
 
PPTX
Environmental Lapse Rate vs Adibatic Lapse Rate
Zachary Kremhelmer
 
PDF
Climate Change and Human Health
Cary Institute of Ecosystem Studies
 
PPTX
SPEI.pptx
arwan2000
 
PDF
How to download Landsat data from USGS Earth Explorer
Gowtham Gollapalli
 
PPTX
Advances in agricultural drought monitoring and forecasting
Abhilash Singh Chauhan
 
PDF
Hsc math practical 1st paper 2015 wg
azaharkdc
 
Extent of climate change over India & its projected impact on Indian agricult...
India Water Portal
 
GEE Intro 2018.pptx
GorgorGIS
 
Environmental Lapse Rate vs Adibatic Lapse Rate
Zachary Kremhelmer
 
Climate Change and Human Health
Cary Institute of Ecosystem Studies
 
SPEI.pptx
arwan2000
 
How to download Landsat data from USGS Earth Explorer
Gowtham Gollapalli
 
Advances in agricultural drought monitoring and forecasting
Abhilash Singh Chauhan
 
Hsc math practical 1st paper 2015 wg
azaharkdc
 

Viewers also liked (20)

PPT
Core.co.enterprise.deck.06.16.10
Core Security Technologies
 
PPT
Wireless application protocol (WAP)
Sajan Sahu
 
PPT
Automated Penetration Testing With The Metasploit Framework
Tom Eston
 
KEY
An introduction to mutation testing
davidmus
 
PPT
Mobile Computing
JAINIK PATEL
 
PPTX
Finalppt metasploit
devilback
 
PDF
Pen-Testing with Metasploit
Mohammed Danish Amber
 
PPTX
Cain
gasay
 
PPTX
Metasploit
Raghunath G
 
PDF
Pentest with Metasploit
M.Syarifudin, ST, OSCP, OSWP
 
PPT
futuristic trends in information technology
amartya_kumar
 
PDF
Metasploit
ninguna
 
PDF
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm
 
PDF
State of Digital Transformation 2016. Altimeter Report
Den Reymer
 
PPT
IT ppt
Jamila Bano
 
PPTX
Latest trends in information technology
Eldos Kuriakose
 
PDF
Technology trends for 2016
albert joseph
 
PPTX
Basic Metasploit
Muhammad Ridwan
 
PDF
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
 
PDF
Gartner TOP 10 Strategic Technology Trends 2017
Den Reymer
 
Core.co.enterprise.deck.06.16.10
Core Security Technologies
 
Wireless application protocol (WAP)
Sajan Sahu
 
Automated Penetration Testing With The Metasploit Framework
Tom Eston
 
An introduction to mutation testing
davidmus
 
Mobile Computing
JAINIK PATEL
 
Finalppt metasploit
devilback
 
Pen-Testing with Metasploit
Mohammed Danish Amber
 
Cain
gasay
 
Metasploit
Raghunath G
 
Pentest with Metasploit
M.Syarifudin, ST, OSCP, OSWP
 
futuristic trends in information technology
amartya_kumar
 
Metasploit
ninguna
 
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm
 
State of Digital Transformation 2016. Altimeter Report
Den Reymer
 
IT ppt
Jamila Bano
 
Latest trends in information technology
Eldos Kuriakose
 
Technology trends for 2016
albert joseph
 
Basic Metasploit
Muhammad Ridwan
 
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
 
Gartner TOP 10 Strategic Technology Trends 2017
Den Reymer
 
Ad

Similar to Automated Penetration Testing With Core Impact (20)

PDF
penetration testing
Shitesh Sachan
 
PDF
Core Impact Pro R1-Release Overview
Core Security
 
PPT
Automating Penetration Tests
fredcobain
 
PDF
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
PPTX
Core Insight Enterprise 5min
Nsolera
 
PPTX
Core Insight Enterprise Overview
Nsolera
 
PPTX
Core Insight Enterprise 2min
Nsolera
 
PDF
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
PPTX
Metaploit
alexngchunkiat
 
DOCX
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri
 
PPTX
WTF is Penetration Testing v.2
Scott Sutherland
 
PPTX
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
PPTX
Ethical hacking basics
BHAWESH RAJPAL
 
PDF
How to Conduct Penetration Testing for Websites.pptx.pdf
Rosy G
 
PDF
Penetration testing must die
Security BSides London
 
PPTX
Advanced Persistent Threats
ESET
 
PDF
Introduction to Website Pentesting.pptx.pdf
apurvar399
 
PPTX
IBM Smarter Business 2012 - IBM Security: Threat landscape
IBM Sverige
 
PDF
Big Bang Theory: The Evolution of Pentesting High Security Environments
Chris Gates
 
penetration testing
Shitesh Sachan
 
Core Impact Pro R1-Release Overview
Core Security
 
Automating Penetration Tests
fredcobain
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
Core Insight Enterprise 5min
Nsolera
 
Core Insight Enterprise Overview
Nsolera
 
Core Insight Enterprise 2min
Nsolera
 
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
Metaploit
alexngchunkiat
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri
 
WTF is Penetration Testing v.2
Scott Sutherland
 
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Ethical hacking basics
BHAWESH RAJPAL
 
How to Conduct Penetration Testing for Websites.pptx.pdf
Rosy G
 
Penetration testing must die
Security BSides London
 
Advanced Persistent Threats
ESET
 
Introduction to Website Pentesting.pptx.pdf
apurvar399
 
IBM Smarter Business 2012 - IBM Security: Threat landscape
IBM Sverige
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Chris Gates
 
Ad

More from Tom Eston (17)

PDF
Privacy Exposed: Ramifications of Social Media and Mobile Technology
Tom Eston
 
PDF
Cash is King: Who's Wearing Your Crown?
Tom Eston
 
PDF
Social Zombies: Rise of the Mobile Dead
Tom Eston
 
PDF
The Android vs. Apple iOS Security Showdown
Tom Eston
 
PDF
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
 
PDF
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
PDF
Attacking and Defending Apple iOS Devices
Tom Eston
 
PDF
Social Zombies Gone Wild: Totally Exposed and Uncensored
Tom Eston
 
PDF
Social Zombies II: Your Friends Need More Brains
Tom Eston
 
KEY
Enterprise Open Source Intelligence Gathering
Tom Eston
 
KEY
Staying Safe & Secure on Twitter
Tom Eston
 
KEY
New School Man-in-the-Middle
Tom Eston
 
KEY
Rise of the Autobots: Into the Underground of Social Network Bots
Tom Eston
 
PPT
Information Gathering With Maltego
Tom Eston
 
PPT
Physical Security Assessments
Tom Eston
 
PDF
Online Social Networks: 5 threats and 5 ways to use them safely
Tom Eston
 
Privacy Exposed: Ramifications of Social Media and Mobile Technology
Tom Eston
 
Cash is King: Who's Wearing Your Crown?
Tom Eston
 
Social Zombies: Rise of the Mobile Dead
Tom Eston
 
The Android vs. Apple iOS Security Showdown
Tom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Attacking and Defending Apple iOS Devices
Tom Eston
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Tom Eston
 
Social Zombies II: Your Friends Need More Brains
Tom Eston
 
Enterprise Open Source Intelligence Gathering
Tom Eston
 
Staying Safe & Secure on Twitter
Tom Eston
 
New School Man-in-the-Middle
Tom Eston
 
Rise of the Autobots: Into the Underground of Social Network Bots
Tom Eston
 
Information Gathering With Maltego
Tom Eston
 
Physical Security Assessments
Tom Eston
 
Online Social Networks: 5 threats and 5 ways to use them safely
Tom Eston
 

Recently uploaded (20)

PPTX
Building and Operating a Private Cloud with CloudStack and LINBIT CloudStack ...
ShapeBlue
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PDF
Women in Automation Presents: Reinventing Yourself — Bold Career Pivots That ...
DianaGray10
 
PPTX
Top iOS App Development Company in the USA for Innovative Apps
SynapseIndia
 
PPTX
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
PDF
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
PDF
Blockchain Transactions Explained For Everyone
CIFDAQ
 
PDF
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
PDF
Why Orbit Edge Tech is a Top Next JS Development Company in 2025
mahendraalaska08
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Persuasive AI: risks and opportunities in the age of digital debate
Speck&Tech
 
PPTX
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
PDF
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
PDF
NewMind AI Journal - Weekly Chronicles - July'25 Week II
NewMind AI
 
PDF
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 
PDF
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
PDF
Empowering Cloud Providers with Apache CloudStack and Stackbill
ShapeBlue
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
Meetup Kickoff & Welcome - Rohit Yadav, CSIUG Chairman
ShapeBlue
 
Building and Operating a Private Cloud with CloudStack and LINBIT CloudStack ...
ShapeBlue
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
Women in Automation Presents: Reinventing Yourself — Bold Career Pivots That ...
DianaGray10
 
Top iOS App Development Company in the USA for Innovative Apps
SynapseIndia
 
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
Blockchain Transactions Explained For Everyone
CIFDAQ
 
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
Why Orbit Edge Tech is a Top Next JS Development Company in 2025
mahendraalaska08
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Persuasive AI: risks and opportunities in the age of digital debate
Speck&Tech
 
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
NewMind AI Journal - Weekly Chronicles - July'25 Week II
NewMind AI
 
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
Empowering Cloud Providers with Apache CloudStack and Stackbill
ShapeBlue
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
Meetup Kickoff & Welcome - Rohit Yadav, CSIUG Chairman
ShapeBlue
 

Automated Penetration Testing With Core Impact

  • 1. Automated Penetration Testing with CORE IMPACT Tom Eston NEO Information Security Forum February 20, 2008
  • 2. Topics What makes a good penetration testing framework? What is CORE IMPACT? How does it work? Cool features Limitations Live demonstration Network Side RPT (Rapid Penetration Test) Client Side RPT
  • 3. Disclaimer I am not a paid spokesman for Core Security Technologies Opinions are from a customer perspective “ Automated penetration testing does not replace the need for manual, detailed penetration testing!”
  • 4. What makes a good penetration testing framework? Platform independent Install on Windows, Mac, Linux Good exploit collection w/regular updates A intuitive, robust GUI Ability to add new exploits Open source or ability to customize Good reporting tools
  • 5. What frameworks are available? Metasploit Framework Inguma SecurityForest Attack Tool Kit Immunity Canvas ($) CORE IMPACT ($) Some are application or web specific… Orasploit (Oracle) PIRANA (email content filtering framework) BeEF (Browser Exploitation Framework) W3af (Web Application Exploit Framework)
  • 6. What is CORE IMPACT? Commercial penetration testing framework ($$) Uses a common pen test methodology Information Gathering Attack and Penetration Privilege Escalation Clean Up and Reporting Network, client-side and web (SQL Injection and PHP remote file inclusion) RPT functions Detailed logging Easy to use Safe Exploits are extensively tested by the CORE IMPACT team Develop custom modules and exploits (Python) Pretty reports…
  • 7. How does it work? Launch agents and modules against target systems from the console Agents - Small programs you install on compromised systems and use to advance an attack. Memory resident! (think Metasploit’s meterpreter) Level of agents give you additional functionality (pivoting) Modules - Operations that can be launched against target systems OS fingerprinting, port scanning, and targeted exploits View detailed information about target systems Keeps a record of all activity, module output, and the results of attacks
  • 8. Cool Features Pivoting Use compromised host to attack hosts on internal network Collect Windows password hashes in-memory Log keystrokes, sniff passwords and hashes Collect saved login credentials from popular applications such as Internet Explorer, Firefox and MSN Install agents with valid username, password, hash combinations MSRPC fragmentation and traffic encryption Test IDS/IPS defenses
  • 9. Limitations Importing external vulnerability data Nessus, Qualys, etc… Slow and buggy at times Console sometimes unstable Crash will cause agents to disconnect Know Python? Expensive!
  • 10. Live Demonstration Lab Setup VMware Server, CORE IMPACT Console 4 Windows Systems, 1 Linux Network Side Rapid Penetration Test Information Gathering Attack and Penetration w/multiple exploits Clean Up Client Side Rapid Penetration Test Phishing simulation Windows XP target running Outlook Express Microsoft WMF Exploit
  • 11. Questions [email_address] CORE IMPACT from Core Security Technologies http://www.coresecurity.com/