Re: Pentesting tool - Commercial

[Chris McNab <chris.mcnab () trustmatta com>]

Andre Gironda wrote:
> The numbers show that Core Impact is superior to Canvas and Metasploit.
>
> Unfortunately, it also shows that Impact is missing quite a lot.  The
> point I was trying to make is that you can't use only one exploitation
> engine.

In the second edition of my book, Network Security Assessment 
(http://books.google.com/books?id=zKhCEYRGFuYC&printsec=frontcover), I 
have looked at the support for different technologies and services from 
MSF, IMPACT, and CANVAS (including GLEG and Argeniss zero-day packs). 
The analysis between these platforms, including details of the supported 
technologies and exploit modules, is up-to-date as of October 2007.

You can flick through the Google Books edition and see what I mean. It 
contains paragraphs like this:

"MSF has no exploit modules for ProFTPD at the time of writing. CORE 
IMPACT supports CVE-2006-5815 (sreplace() off-by-one bug) and 
CVE-2004-0346 (RETR command overflow). Immunity CANVAS does not support 
any ProFTPD issues at this time."

In general, my high-level analysis is as follows:

MSF is an excellent and well maintained tool, with support for a 
significant number of server software issues in particular. Useful 
modules include those for AIM, CA BrightStor ARCserve, Microsoft RPC 
services, and Veritas Backup Exec.

IMPACT is sometimes too easy to use and therefore can be difficult to 
work with in specific environments and configurations. The number of 
modules for this tool is colossal, with many useful modules for IIS, 
Microsoft RPC services, Veritas, CA, and others. The issue however with 
IMPACT's remote exploit modules, is that there are numerous modules that 
MSF supports which IMPACT does not. IMPACT has a wide range of remote 
exploit modules, but virtually all of them are for the big server 
technologies (Microsoft, CA, Veritas, etc.). Where IMPACT comes into its 
own is with regard to locally exploitable, and client-side 
vulnerabilities. IMPACT support for client-side bugs is astounding.

CANVAS using the GLEG and Argeniss zero-day exploit packs supports a 
large number of interesting remotely exploitable bugs that aren't found 
in MSF or IMPACT. The tool also has some useful database (MSSQL and 
Oracle) testing routines and modules that have value. However, wide and 
deep support for bugs is something that CANVAS does not really cover 
when compared to MSF or IMPACT.


None of these are vulnerability assessment (VA) scanners with 
capabilities like Nessus; they are exploitation frameworks. You should 
not be using IMPACT to run an end-to-end penetration test or assessment 
process. You should use Nmap, Nessus, and other automated VA platforms 
to get a clear idea of the target network and its configuration, then 
use MSF/IMPACT/CANVAS to punch through that with some specific exploit 
modules, and reposition.

Regards,

Chris


--
Chris McNab
Technical Director

Matta Consulting Limited
Falstaff House
34 Bardolph Road
Richmond upon Thames
TW9 2LH

T: 08700 77 11 00
W: www.trustmatta.com

The information contained in this email is intended only for the 
person(s) to whom it is addressed and may contain confidential or 
privileged material or information that is exempt from disclosure under 
applicable law. Information and attachments may be used only for the 
purpose for which they are sent, and copying, disclosure or distribution 
of any information contained herein is strictly prohibited.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------