This article can also be found in the Premium Editorial Download "Information Security magazine: Defense-in-Depth: Securing the network from the perimeter to the core."
Download it now to read this article plus other related content.
Penetration testers--and their black hat counterparts--have a wide array of freeware tools for probing and piercing network defenses. For white hats, tools such as tcpdump, Nmap and L0phtcrack are invaluable when conducting security assessments. Nevertheless, they don't provide the automated and robust reporting capabilities needed for enterprise-level security assessments.
To address these shortcomings and make life simpler for security pros, CORE Security Technologies developed IMPACT, a Windows-based penetration framework and tool set that combines the power of freeware hacking tools in an easy-to-use GUI console. It provides an audit trail, testing macros and after-action reports. The latest version, IMPACT 3.1, sports several improvements to the testing interface, vulnerability discovery mechanisms and reporting modules.
IMPACT isn't a "hacker-in-a-box" solution. It requires an experienced infosec professional to harness its full capabilities. The application's real value is that it puts a variety of testing tools into a single interface, allowing testers to automate and record their steps when probing Windows, Solaris x86/Sparc and Linux systems.
Through the Looking Glass
From an outside-looking-in perspective, pen testers enumerate their target networks and identify vulnerabilities. They use either readily available scripts or homegrown tools to exploit the holes they find. Both enumeration and exploitation are time-consuming processes. IMPACT shortens these processes by consolidating the discovery and exploitation tools into a single console that automates the pen test.
IMPACT uses active and passive scanning tools to discover network resources. The GUI has multiple windows that show target hosts, enumeration tools and potential exploits. In theory, the console makes easy work of identifying targets, and their operating systems and vulnerabilities. IMPACT provides a vulnerability descriptions database and links to third-party sources of additional information.
Penetrating a system often requires customizing existing exploit code, and getting an exploit to work usually requires changing parameters, such as modifying the particulars of an HTTP or FTP request. IMPACT allows pen testers to tweak, tune and create new modules using Python-based tools. Python is an interpreted, interactive, object-oriented programming language that's often compared to Tcl, Perl and Java. Anyone with C, C++ or Perl experience can usually pick up Python fairly easily.
IMPACT's console displays target machines, potential exploits and reports on the exploits' effects. The system's drag-and-drop functionality allows users to easily execute pen testing attacks.
IMPACT can install agents to gain remote control of the compromised system. When tests are completed, IMPACT automatically removes its agents and reports on the executed actions. IMPACT creates a Findings Report for management and a History Report for the technical staff.
We first tested IMPACT's ability to correctly identify the OSes of two target machines. In both cases, IMPACT gave the wrong answer.
If we were to believe the results of an OS stack probe of our first target--a NT Primary Domain Controller (PDC)--IMPACT would have misled us into believing that we were probing a Linux box using kernel version 2.2. It also misidentified the second target as a Windows 2000 box, when in fact it was Windows Server 2003.
IMPACT allows users to manually override the target OS selection. Since we knew the correct operating systems, we changed the OS setting through a drop-down menu. IMPACT then presented us with new exploit options.
We ran a variety of port scans against both boxes, ranging from a fast SYN and below-the-radar TCP connects, to full scans that would trigger scores of IDS alarms.
A full scan of the Windows NT PDC box took 122 seconds. It had two open ports (80/HTTP and 981/unknown service) in listening mode. Otherwise, it was locked down tight. IMPACT doesn't suggest specific exploits for a port or service, nor could it suggest what might be using port 981, but the Exploits folder highlighted a set of potential exploits based on the target OS. This is a buckshot approach, but it's still better than hunting down specific exploits.
For the Win2003 server, the debug log listed port 135 as "loc-srv," port 139 as "netbios-ssn" and port 445 as "microsoft-ds." The debug log doesn't list these designations in order, requiring users to export the log for some post-scan research. Neither the output window nor the reporting module listed these specific services, which requires combing through the debug log or generating a History Report to see additional information.
In less than 30 seconds, we ran more than a dozen remote exploits against the PDC box--all of which failed. Running exploit code is a tedious exercise. IMPACT's drag-and-drop process makes it trivial. Its automation reduces the grunt work for even mid-sized networks. In addition, IMPACT allows for user-defined macros, which enable admins to run a series of exploits in a prescribed order.
IMPACT found that our Windows NT PDC had the "Microsoft IIS False Content-Length Field DoS" vulnerability. IMPACT noted that this vulnerability is caused by the use of IIS 5.0 on a Win2K server, which was puzzling since our box was running IIS 4.0 on NT. Mismatches and numerous typos in the internal database tarnish IMPACT's capabilities. IMPACT said this vulnerability is used to populate the heap of the IIS inetinfo.exe process with arbitrary characters to run shell code--very bad. But according to most of the popular exploit databases, this exploit is listed as a denial-of-service attack--also bad, but slightly less serious.
IMPACT's agents can be automatically installed as part of a successful exploit. Agents allow testers to run a remote shell and install hacking toolkits. The agent's privileges are the same as those of the exploit used to install it. If you used an exploit based on an anonymous FTP application, the agent would have the same privileges as the anonymous FTP user.
Like hackers, pen testers want to gain as much control over a target system as they can. Using follow-up exploits known as change root breakers, the agent moves the IMPACT toolkit deeper into the compromised system. Instead of uploading code and trying to compile it locally, IMPACT users can run exploits from the agent. This is precisely what a hacker would attempt to do.
For the security of the target machine, agents can make use of encrypted channels to communicate with the IMPACT console. However, the default mode for agent communication isn't encrypted, a design choice made to keep the agents small.
Our experience with IMPACT was hit and miss. There's no denying that IMPACT is a powerful tool, but it's no replacement for an experienced pen tester.
Plagued by frequent OS misidentifications and an inability to suggest exploits, IMPACT could easily lead inexperienced security folks down blind alleys--not good for an application that promised to simplify and improve the pen testing process. Other issues, such as the conflicting or spotty information in the vulnerability database, show that IMPACT is still an immature application.
Nevertheless, in the hands of an experienced pen tester, IMPACT is an excellent timesaver. Its use of automated probing tools and exploits provide a platform for easily hacking into systems and using the compromised hosts to leapfrog deeper into a network. Its use of Python scripting enhances its effectiveness. Agents that can host additional exploit code and amplify the attack make IMPACT superior to existing, stand-alone testing tools.
IMPACT isn't ready for prime time, but it's continued refinement will eventually make into one of the more useful pen testing tools on the market.
CORE IMPACT 3.1
Although it shows promise, IMPACT isn't a replacement for experienced white hat hackers. Shortcomings--such as misidentified operating systems, conflicting information in the exploit database and an inability to suggest specific exploits--show that there's still plenty of room for improvement.
Scott Sidel, CISSP, is a technical editor for Information Security and a senior security engineer at Computer Sciences Corp.
This was first published in June 2003