Re: RE: Network Exploitation Tools aka Exploitation Engines

[Matthew Watchinski <mwatchinski () sourcefire com>]

I've used CANVAS, Core Impact, and MetaSploit extensively over the last 
couple of months.  Here are some of the advantages and disadvantages I 
see with all of them.  Hopefully this is helpful to someone.

Core Impact:
Advantages.
1. Extensive documentation on both the product and the exploit 
development API's.
2. Well thought out exploit API that makes interacting with most 
services/protocols easy and straight forward
3. Extensive pen-testing tool kit, including scanning, service 
detection, os detection, and a really spiffy scripting API for linking 
multiple modules and attacks together.
4. There sys-call agent proxy that is installed when an exploit works is 
excellent and allows for tunneling exploit through compromised hosts, 
installing sniffers, uploading/downloading files, and a lot more.
5. Core is definitely a professional grade exploit engine.
6. Just about everything these days is written in python and can be 
modified by the user. (GUI is still pretty windows centric)
7. Extensive testing of all exploits released, usually work on 
everything they are suppose to.
8. Support is excellent.

Disadvantages.
1. Expensive licenses start around 25k.
2. It's a Windows only tool :(
3. The learning curve for using the tool and creating exploits is about 
a week.  Not a bad curve but tools like canvas and metasploit definitely 
take less time to learn.
4. With extensive testing comes longer release cycles, sometimes new 
exploits are slow to come by.

CANVAS
Advantages.
1. Works on linux/windows and sorta works on Mac OS X.
2. Exploits can be run on the command line free from the GUI
3. New exploits and releases come out all the time.
4. It is a good value for the cost (1k)
5. Support is great, if you have a problem you get to talk to Dave :)
6. Everything is in python so you can see everything under the hood.

Disadvantages.
1. The structure of the exploits and the exploit building API's are not 
as simples as Core Impacts.
2. The structure of all the exploit modules is not uniform like Core 
Impacts, this sometimes makes it difficult figure out exactly what is 
going on.
3. The modules for scanning, interacting with services, and other 
support modules are not as extensive as Core's.

MetaSploit.
Advantages.
1. Works on everything linux/windows/mac os x/freebsd/openbsd/etc.
2. Supported by a growing community of people writing exploits, so lots 
of exploits to choose from.
3. Written in Perl
4. Extensive command line support no GUI needed to do anything.
5. The exploit building API is pretty easy to use.
6. Support is provided by the community that supports it.
7. It's free

Disadvantages.
1. Lite on documentation, but it's perl.
2. Doesn't have an extensive set of scanning/service interaction/etc 
modules. (However it's perl see CPAN)
3. Quality of the exploits is dependent on who wrote it.
4. Support is provided by the community that supports it.

Cheers,
-matt

Clarke, Tyronne (Contractor) wrote:

> Based upon experienced findings during live testing, which product provides you with most clarity of comprehensive information( CANVAS or CORE Impact? ). You mentioned CANVAS allows you to look under the hood and analyze the exploits but what about CORE Impact. 
>
> -----Original Message-----
> From: Erik Birkholz [mailto:erik () foundstone com]
> Sent: Wednesday, August 18, 2004 7:40 AM
> To: Andy Cuff; pen-test () securityfocus com;
> dailydave () lists immunitysec com
> Cc: erik () specialopssecurity com; focus-ms () securityfocus com
> Subject: RE: Network Exploitation Tools aka Exploitation Engines
>
>
> QUICK NOTE: Andy, I want to thank you for the continued hard work you
> have put into your well-researched and valuable product, tool and
> service classification portal. Thank you. Please keep it up and let me
> know if there is anything I can do to help out in the future.
>
> *OK, back to the (long) post:
>
> I think Exploitation Engine (or Exploit Engine) is an appropriate
> classification or category.
>
> *Now for a reasonably short rant:
>
> -disclaimer: I haven't used metasploit or CORE so i can make no
> assumptions about dev quality, QA and support they offer.
>
> After extensive usage and testing of CANVAS, I can't help but see the
> value these Exploitation Engines provide to the average IT/Security
> Administrator, Engineer, Penetration Tester or Auditor. Not to mention
> my theory that they would be invaluable to a recent CS grad or
> experienced programmer looking to get into the vulnerability research
> and exploitation field. Some of these tools are written in Python
> (CANVAS is for sure), allowing the user to look at the source and learn
> from some of the very best out there in vulnerability research and
> exploitation.
>
> When pitching this purchase (ROI, TCO) to your Management, I would take
> a path similar to this, "Immunity's CANVAS is an exploit engine that can
> be used to verify the implementation and effectiveness of patches pre or
> post solution purchase." You can also use your trusted exploits to
> verify the findings of your VA scanner(s).
>
> I have recommended this tool many times to my customers and speech
> attendees. It solves the very real problem of vulnerability verification
> for customers who have neither the time and/or desire to achieve the
> Black Belt level of exploit creation. This need inevitably forces them
> to head to underground hacker sites to get untested and untrusted
> exploits written by coders without accountability for their exploits
> "true intention". Metasploit (i assume) and CANVAS (i know) offer
> accountability by standing behind each exploit. 
>
> Why would I recommend to my low-medium skill set IT/Security customers
> that they pull down "dirty" and "wild" sploits off the net? By running
> this code (probably on their desktops), they are at great risk of
> getting more than they bargained for. It is probable this increased risk
> out weighs the initial goal of achieving vulnerability validation to
> convince an antagonistic business unit owner to patch or upgrade that
> vulnerable internet facing legacy server. 
>
> Ok, if you are saying, "these morons should test these exploits in a lab
> environment first," then you are missing the point. Not everyone has the
> interest, time, extra computer resources or knowledge of what they are
> even looking for to know how to validate these dirty exploits. The
> answer is that I never would recommend this when low cost (CANVAS) and
> free (MetaSploit) Exploitation Engines allow vulnerability verification
> without fear of running "assembly code from hell" or an evil hidden
> rootkit.  The good news is that Dave Aitel and HD Moore have attached
> their names and corporations to the quality of these products. If/When
> something goes wrong, they will be there to help. Why? Because that is
> how good people run good businesses.
>
>         -Erik Pace Birkholz, CISSP
>                 www.SpecialOpsSecurity.com (erik () specialopssecurity com)
>                 www.Foundstone.com (erik () foundstone com)
>                 323-252-5916 cell
>
>
>
>
>
>
>
> -----Original Message-----
> From: Andy Cuff [mailto:lists () securitywizardry com] 
> Sent: Monday, August 16, 2004 12:44 PM
> To: pen-test () securityfocus com
> Subject: Network Exploitation Tools
>
>
> Hi,
> I have just introduced another category on the site covering the various
> exploitation tools out there.  To my knowledge there are only 3.
> CANVAS, CORE IMPACT and Metasploit.  Firstly, have I captured them all
> or are there some other products of this nature lurking about?
> http://www.securitywizardry.com/exploit.htm
> Secondly, what do we call them, or is Network Exploitation Tools the
> appropriate name?
>
> cheers for any time you can give
> -andy cuff
> PS there are loads of other pages with out of date info, I am currently
> working my way through them
>
> Talisker's Computer Security Portal
> Computer Network Defence Ltd
> http://www.securitywizardry.com
>
>
> -----Original Message-----
> From: Andy Cuff [mailto:lists () securitywizardry com] 
> Sent: Monday, August 16, 2004 12:44 PM
> To: pen-test () securityfocus com
> Subject: Network Exploitation Tools
>
>
> Hi,
> I have just introduced another category on the site covering the various
> exploitation tools out there.  To my knowledge there are only 3.
> CANVAS, CORE IMPACT and Metasploit.  Firstly, have I captured them all
> or are there some other products of this nature lurking about?
> http://www.securitywizardry.com/exploit.htm
> Secondly, what do we call them, or is Network Exploitation Tools the
> appropriate name?
>
> cheers for any time you can give
> -andy cuff
> PS there are loads of other pages with out of date info, I am currently
> working my way through them
>
> Talisker's Computer Security Portal
> Computer Network Defence Ltd
> http://www.securitywizardry.com
>
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. All of our class sizes are
> guaranteed to be 12 students or less to facilitate one-on-one interaction
> with one of our expert instructors. Check out our Advanced Hacking course,
> learn to write exploits and attack security infrastructure. Attend a course
> taught by an expert instructor with years of in-the-field pen testing
> experience in our state of the art hacking lab. Master the skills of an
> Ethical Hacker to better assess the security of your organization.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------------
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave
>
>  

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave