Core Security Technologies Core Impact 7.5
- Easy to use attack wizards; new reporting interface; reports on testing activity, hosts, end users, and their vulnerabilities are a snap to generate
- Once a client Trojan is in place, it tries to connect to Core Impact only once and misses out on other opportunities; it doesn't run on a server as a service
Core Impact is a powerful tool for assessing network security, allowing experienced and inexperienced penetration testers alike to compromise network hosts quickly and easily. Version 7.5 expands the scope with Web application security checks, and it refines the valuable e-mail phishing feature for assessing the security savvy of end-users. Core's smart dashboard, friendly UI, attack configuration wizards, and focused reports make penetration testing easier than ever to conduct and interpret.
Price: $10,000.00 (AUD)
With Version 7.5, the tried-and-true attack toolkit becomes easier to use, leverages the fallibility of users to gain access to host systems, and adds security checks for Web-based databases.
In serious security geek circles, you may get picked on for using Core Impact because it is so simple, but then again you're likely to have more free time to think of retorts. Whether you're a seasoned penetration tester or a neophyte, the new reporting interface and idiot-proof attack wizards make it a breeze to discover and exploit the vulnerabilities remaining in both your silicon- and carbon-based infrastructures.
In Version 6.0, Core Impact introduced valuable client-side attacks that tested the security awareness of end-users by sending Trojans embedded in a legitimate-looking e-mail. By using these types of phishing attacks, you can directly assess the security awareness of your end-users. Do they readily click Yes and turn over control of their machines to malicious software applications, or do they report a potentially infected attachment to the help desk as taught in their yearly security training?
Version 7.5 makes configuring e-mail phishing attacks much simpler. First off, this version allows you to harvest e-mail addresses via several methods and by integrating with search tools, including Google, Yahoo, AltaVista, MSN Live Search, and MetaCrawler. Impact is able to search the Internet for corporate e-mails that black hats and spammers are scavenging as you read this. Other methods for importing a corporate target's e-mail addresses include harvesting DNS, Whois, and PGP key servers or by crawling the target corporation's Web site. The tool can easily import e-mail addresses from a list as well.
Once Impact is loaded with e-mail addresses, you feed it the template of an e-mail message that looks to have been drafted by someone important (your CEO, for example). Then you pick your exploit or Trojan, select how to embed the malicious payload (Excel spreadsheets and zip files work well), and pull the trigger. The e-mail is sent to the victims on your list and sits in their inboxes with all of their other mail. When a user opens the attachment, the Trojan calls back to Core Impact, setting up an agent tunnel ready for exploitation and giving you a look at which of your users need additional training in Information Assurance.
There's one shortcoming we spotted in this feature: once a client Trojan is in place, it tries to connect to Core Impact only once; if Impact isn't available when the exploit is first executed, the potential compromise is lost. We'd like to see a timer added to the exploit to allow it to continue trying (every 10 minutes, every hour, once a day) if it doesn't connect the first time. Additionally, we'd like to see Impact itself able to run on a server as a service, especially since an e-mail with a Trojan payload may not be opened for several days. Having Impact available to receive the call at any time would make this feature much more effective.
Among the UI improvements in Impact 7.5 is the separation of the attack wizards and reports for human vulnerabilities from those for network holes. You can now get a report on your least savvy users independently from the missing patches on your networked devices, and you can view the two attack domains separately in the dashboard. With the new dashboard, you can easily sift through thousands of unique entry points into the network and their vulnerabilities, and drill down to the smallest client detail.
Reports on testing activity, hosts, end users, and their vulnerabilities are a snap to generate, and they deliver the relevant information needed in an aesthetically pleasing form that executives will appreciate, though an interface that allowed different users to get different views according to their areas of responsibility would be a welcome improvement.
Also noteworthy in the 7.5 upgrade are two new Web application checking techniques. The first exposes vulnerabilities in Web apps that allow for SQL injection attacks. This tool removes all the heavy lifting involved in exploiting databases with Web front ends, and it should help open the eyes of security-obtuse Web programmers.
Although Core Impact doesn't provide fuzzing-level analysis of application security, it does a very thorough job of looking for proprietary SQL injection bugs, checking whether your database server is vulnerable to these types of attacks. Impact also provides information on other SQL databases linked to your database, identifying these potential targets.
In our testing, Impact was able to correctly fingerprint our (unsecured) ASP application and its Microsoft SQL Server back end, and it enabled us to successfully extract protected information from the database. Impact was even able to deploy an agent to our database server through SQL injection.
The second major new addition to Impact's arsenal of exploits is the checking for RFI (Remote File Inclusion) on PHP applications. If you're not familiar with this type of exploit, it occurs when an attacker passes his own custom PHP code to the Web server, along with a request to execute the code. Many PHP designers have unwittingly written code that easily allows this type of attack to work. In the test lab, Impact was able to give us a shell window after a successful RFI attack on our PHP site. We could install and run any PHP code on the server we wanted. Impact even allows you to take screen captures from the compromised host.
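As an added example (not from the original review and not part of Core Impact), the following Python code shows how a defender could spot the RFI pattern described above in Web server access logs: requests to PHP scripts whose parameters carry a remote URL, including percent-encoded ones. The combined log format, the list of schemes, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Schemes that turn a parameter value into a remote resource (assumed list).
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
# Request portion of a combined-format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def _fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded URLs are still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_params(target):
    """Return (name, decoded value) for PHP-script parameters holding a remote URL."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".php"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = _fully_decode(value)
        if REMOTE_SCHEME.match(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return (line number, client, parameter, value) for each flagged request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")):
            findings.append((lineno, client, name, value))
    return findings

# Constructed sample log lines (documentation addresses and .invalid hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2008:10:00:05 +0000] "GET /index.php?page=http://files.example.invalid/a.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2008:10:00:09 +0000] "GET /view.php?tpl=hTTp%253A%252F%252Ffiles.example.invalid%252Fa.txt HTTP/1.1" 200 90',
    '192.0.2.11 - - [01/Jan/2008:10:01:00 +0000] "GET /go.html?next=https://www.example.invalid/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate redirect parameter on a PHP script will also match, so treat hits as leads to check against the application's include logic rather than as confirmed inclusion.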
A couple of improvements that arrived with Version 7.0 are worth noting. First, the multiple client-side agents that facilitated different levels of attack in previous versions of Impact have been replaced by a single, do-everything agent. Still in-memory (on by default), the client agent can now use all network connections through a single listener port, providing a greater degree of flexibility to bypass firewalls and other security devices. The agent also now supports runtime plug-ins that open the door for customised, client-side actions such as patching, installing security software, and gathering forensic information.
Version 7.0 also added support for FreeBSD as a target OS, a long-overdue addition, as well as full pivoting from Vista machines – the ability to attack additional machines from compromised Vista targets.
Core Impact's automated penetration testing is still quick and effective, and because Impact is not a network vulnerability scanner, its tests are 100 per cent free of false positives, which is the primary reason we consider it an essential testing tool. Version 7.5's redesigned attack wizards, enhanced user interface, upgraded agent, and Web application attacks are significant improvements to an already compelling product that can help you improve your organisation's security posture by compromising both the machines that reside on your network and the people that use those machines on a daily basis.