Dailydave mailing list archives
Re: RE: Network Exploitation Tools aka Exploitation Engines
From: Matthew Watchinski <mwatchinski () sourcefire com>
Date: Mon, 06 Sep 2004 14:45:13 -0400
I've used CANVAS, Core Impact, and MetaSploit extensively over the last couple of months. Here are some of the advantages and disadvantages I see with all of them. Hopefully this is helpful to someone.
Core Impact

Advantages:
1. Extensive documentation on both the product and the exploit development APIs.
2. Well thought out exploit API that makes interacting with most services/protocols easy and straightforward.
3. Extensive pen-testing tool kit, including scanning, service detection, OS detection, and a really spiffy scripting API for linking multiple modules and attacks together.
4. Their sys-call agent proxy that is installed when an exploit works is excellent and allows for tunneling exploits through compromised hosts, installing sniffers, uploading/downloading files, and a lot more.
5. Core is definitely a professional grade exploit engine.
6. Just about everything these days is written in Python and can be modified by the user. (GUI is still pretty Windows centric.)
7. Extensive testing of all exploits released; they usually work on everything they are supposed to.
8. Support is excellent.

Disadvantages:
1. Expensive; licenses start around 25k.
2. It's a Windows only tool :(
3. The learning curve for using the tool and creating exploits is about a week. Not a bad curve, but tools like CANVAS and MetaSploit definitely take less time to learn.
4. With extensive testing comes longer release cycles; sometimes new exploits are slow to come by.

CANVAS

Advantages:
1. Works on Linux/Windows and sorta works on Mac OS X.
2. Exploits can be run on the command line free from the GUI.
3. New exploits and releases come out all the time.
4. It is a good value for the cost (1k).
5. Support is great; if you have a problem you get to talk to Dave :)
6. Everything is in Python so you can see everything under the hood.

Disadvantages:
1. The structure of the exploits and the exploit building APIs are not as simple as Core Impact's.
2. The structure of all the exploit modules is not uniform like Core Impact's; this sometimes makes it difficult to figure out exactly what is going on.
3. The modules for scanning, interacting with services, and other support modules are not as extensive as Core's.

MetaSploit

Advantages:
1. Works on everything: Linux/Windows/Mac OS X/FreeBSD/OpenBSD/etc.
2. Supported by a growing community of people writing exploits, so lots of exploits to choose from.
3. Written in Perl.
4. Extensive command line support; no GUI needed to do anything.
5. The exploit building API is pretty easy to use.
6. Support is provided by the community that supports it.
7. It's free.

Disadvantages:
1. Light on documentation, but it's Perl.
2. Doesn't have an extensive set of scanning/service interaction/etc. modules. (However, it's Perl; see CPAN.)
3. Quality of the exploits is dependent on who wrote it.
4. Support is provided by the community that supports it.

Cheers,
-matt

Clarke, Tyronne (Contractor) wrote:
Based upon experienced findings during live testing, which product provides you with the most clarity of comprehensive information (CANVAS or CORE Impact)? You mentioned CANVAS allows you to look under the hood and analyze the exploits, but what about CORE Impact?

-----Original Message-----
From: Erik Birkholz [mailto:erik () foundstone com]
Sent: Wednesday, August 18, 2004 7:40 AM
To: Andy Cuff; pen-test () securityfocus com; dailydave () lists immunitysec com
Cc: erik () specialopssecurity com; focus-ms () securityfocus com
Subject: RE: Network Exploitation Tools aka Exploitation Engines

QUICK NOTE: Andy, I want to thank you for the continued hard work you have put into your well-researched and valuable product, tool and service classification portal. Thank you. Please keep it up and let me know if there is anything I can do to help out in the future.

*OK, back to the (long) post: I think Exploitation Engine (or Exploit Engine) is an appropriate classification or category.

*Now for a reasonably short rant:

-disclaimer: I haven't used metasploit or CORE so I can make no assumptions about dev quality, QA and support they offer.

After extensive usage and testing of CANVAS, I can't help but see the value these Exploitation Engines provide to the average IT/Security Administrator, Engineer, Penetration Tester or Auditor. Not to mention my theory that they would be invaluable to a recent CS grad or experienced programmer looking to get into the vulnerability research and exploitation field. Some of these tools are written in Python (CANVAS is for sure), allowing the user to look at the source and learn from some of the very best out there in vulnerability research and exploitation.

When pitching this purchase (ROI, TCO) to your Management, I would take a path similar to this: "Immunity's CANVAS is an exploit engine that can be used to verify the implementation and effectiveness of patches pre or post solution purchase."

You can also use your trusted exploits to verify the findings of your VA scanner(s). I have recommended this tool many times to my customers and speech attendees. It solves the very real problem of vulnerability verification for customers who have neither the time and/or desire to achieve the Black Belt level of exploit creation. This need inevitably forces them to head to underground hacker sites to get untested and untrusted exploits written by coders without accountability for their exploits' "true intention". Metasploit (I assume) and CANVAS (I know) offer accountability by standing behind each exploit.

Why would I recommend to my low-medium skill set IT/Security customers that they pull down "dirty" and "wild" sploits off the net? By running this code (probably on their desktops), they are at great risk of getting more than they bargained for. It is probable this increased risk outweighs the initial goal of achieving vulnerability validation to convince an antagonistic business unit owner to patch or upgrade that vulnerable internet facing legacy server.

Ok, if you are saying, "these morons should test these exploits in a lab environment first," then you are missing the point. Not everyone has the interest, time, extra computer resources or knowledge of what they are even looking for to know how to validate these dirty exploits. The answer is that I never would recommend this when low cost (CANVAS) and free (MetaSploit) Exploitation Engines allow vulnerability verification without fear of running "assembly code from hell" or an evil hidden rootkit.

The good news is that Dave Aitel and HD Moore have attached their names and corporations to the quality of these products. If/When something goes wrong, they will be there to help. Why? Because that is how good people run good businesses.
-Erik Pace Birkholz, CISSP
www.SpecialOpsSecurity.com (erik () specialopssecurity com)
www.Foundstone.com (erik () foundstone com)
323-252-5916 cell

-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com]
Sent: Monday, August 16, 2004 12:44 PM
To: pen-test () securityfocus com
Subject: Network Exploitation Tools

Hi,

I have just introduced another category on the site covering the various exploitation tools out there. To my knowledge there are only 3: CANVAS, CORE IMPACT and Metasploit. Firstly, have I captured them all or are there some other products of this nature lurking about?

http://www.securitywizardry.com/exploit.htm

Secondly, what do we call them, or is Network Exploitation Tools the appropriate name?

cheers for any time you can give
-andy cuff

PS there are loads of other pages with out of date info, I am currently working my way through them

Talisker's Computer Security Portal
Computer Network Defence Ltd
http://www.securitywizardry.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave