Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Core Impact vs. Canvas vs. Metasploit
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Tue, 02 May 2006 19:01:07 -0300

Hm ok, since somebody is asking I will take the liberty to describe some
specific features of IMPACT that may be of interest.

Moderator: IMPACT is a commercial tool and I work for CORE so if you
deem this post unacceptable, just let me know.

CORE IMPACT goes beyond being a mere exploit framework. To me that
implies that a lot more things than many exploits and a nice GUI are
required. Some of the things product currently (as of v5.1) has are:

- A nice Windows GUI (many pointed this out already) that lets you run
things with point&click, visualize all available information about any
module (exploits and others), hosts, deployed agents, etc., visualize
the networks as you see them from your different vantage points,
automatically collect and keep track of the entire execution log and
output of all modules, search, filter and selection capabilities for
modules based on different criteria. All of this is done within one
single interface with customizable panes.
- Local, remote and client side exploits.
- Server infrastructure for the client-side exploits that is used
automatically when client-side attacks are run.
- Network mapping, OS fingerprinting, port scanning, service
identification and many other information gathering tools.
- A centralized repository for all the information collected during a
penetration test that is updated as the product runs (organized in
- Ability to import network mapping and vuln/port scanning information
from Nmap, Nessus, Retina, GFI Languard and SAINT (with more coming)
- Report generation capabilities (using Cristal Reports) with 4
pre-designed report types than can be exported to various formats.
- Module automation capabilities. Built-in as a 6-step process called
Rapid Penetration Test (RPT) which automates the execution of a bunch of
modules that comprise a pentest from start to end based on user
preferences, what the targets are and our own set of heuristics.
Automation can also be done by linking modules together using macros
generated using the GUI or programatically using python code.
- Multi-threaded agents with strong authentication and encrypted
communications using syscall proxying. These can be made persistent
across reboots and run on their own process space (supplements the basic
syscall proxying,low-footprint,memory-only agents)
- InlineEgg, which is conceptually similar to and pre-dates MOSDEF and
Meterpreter. InlineEgg does not pre-compile or require any specific
language (other than python) but rather provides a Python interface to
do things with payloads.
- DCE/RPC and SMB fragmentation and encryption support for MS RPC
exploit modules
- connect to, connect from, reuse socket and HTTP tunnel connection
methods for payloads
- process enumeration, injection and hoping capabilities
- keystroke logger, sniffer, dll injection, credential collection (SAM
dumping), reuse (pass the hash, NTLM authentication,etc) and export (so
you can crack with external programs) capabilities.
- multimedia tools (grab video frame, record audio, run any MCI command
on target)
- all modules are written in Python so you can inspect, modify them or
write your own from scratch. All the capabilities of Python and its
standard libraries are available to a module.
- All exploits are throughly tested and documented, including the
specific set of platforms they work against. All exploits are regression
tested on a daily basis against all their supported targets with all
payload combinations.

CORE IMPACT v1.0 was launched in April 2002 so many of the things above
have evolved over the past 4 years. I would say that overall the product
is quite mature for something that is entirely new to the market since
its inception but obviously there are still many ways for us to improve
both in maturity and innovation.

From HD Moore's latest presentations I understand that Metasploit 3.0 is
moving forward to incorporate many of the things above using Ruby and  I
am really glad it is actually happening. To me at least, it means that
we are making a difference and that now other projects are also pushing
forward with their technologies. It is a healthy and motivating thing, 5
years ago, the idea of having legitimate and valuable uses for a product
that ships with exploit code seemed alien to many. The evolution of CORE
IMPACT, a commercial product aimed at enterprise usage, and Metasploit,
an OSS exploit research and penetration testing tool, demonstrate that
things have changed.


- CORE IMPACT is a commercial product, and;
- I work for Core Security Technologies

virtuale () hushmail com wrote:

For those who have been using one or more of the subj. products -

How do the products compare? What are the key technical adv/disadvantages of each product?

The cost of the products is different. There must be something about the technical part that is significantly 
different. I'm trying to figure that out.

My personal experience - both canvas and core support advanced agent chaining, modules are python-based.

I'm not sure how level2-3 agents in core map to canvas's helium but level0 seem to be pretty similar in the way 
syscalls are proxied/socket reuse (strikingly similar, i'd say :)

Encoders are similar in all three, e.g. xor, chunk, unicode/widechar. Is the price the only differentiator?

"Buy the ticket, take the ride" -HST

Ivan Arce


PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]