Penetration Testing mailing list archives
Re: Pentesting tool - Commercial
From: Chris McNab <chris.mcnab () trustmatta com>
Date: Thu, 28 Feb 2008 15:25:22 +0000
Andre Gironda wrote:

> The numbers show that Core Impact is superior to Canvas and Metasploit.
>
> Unfortunately, it also shows that Impact is missing quite a lot. The
> point I was trying to make is that you can't use only one exploitation
> engine.

In the second edition of my book, Network Security Assessment (http://books.google.com/books?id=zKhCEYRGFuYC&printsec=frontcover), I have looked at the support for different technologies and services from MSF, IMPACT, and CANVAS (including GLEG and Argeniss zero-day packs). The analysis between these platforms, including details of the supported technologies and exploit modules, is up-to-date as of October 2007.
You can flick through the Google Books edition and see what I mean. It contains paragraphs like this:
"MSF has no exploit modules for ProFTPD at the time of writing. CORE IMPACT supports CVE-2006-5815 (sreplace() off-by-one bug) and CVE-2004-0346 (RETR command overflow). Immunity CANVAS does not support any ProFTPD issues at this time."
In general, my high-level analysis is as follows:

MSF is an excellent and well maintained tool, with support for a significant number of server software issues in particular. Useful modules include those for AIM, CA BrightStor ARCserve, Microsoft RPC services, and Veritas Backup Exec.
IMPACT is sometimes too easy to use and therefore can be difficult to work with in specific environments and configurations. The number of modules for this tool is colossal, with many useful modules for IIS, Microsoft RPC services, Veritas, CA, and others. The issue, however, with IMPACT's remote exploit modules is that there are numerous modules that MSF supports which IMPACT does not. IMPACT has a wide range of remote exploit modules, but virtually all of them are for the big server technologies (Microsoft, CA, Veritas, etc.). Where IMPACT comes into its own is with regard to locally exploitable and client-side vulnerabilities. IMPACT support for client-side bugs is astounding.
CANVAS using the GLEG and Argeniss zero-day exploit packs supports a large number of interesting remotely exploitable bugs that aren't found in MSF or IMPACT. The tool also has some useful database (MSSQL and Oracle) testing routines and modules that have value. However, wide and deep support for bugs is something that CANVAS does not really cover when compared to MSF or IMPACT.
None of these are vulnerability assessment (VA) scanners with capabilities like Nessus; they are exploitation frameworks. You should not be using IMPACT to run an end-to-end penetration test or assessment process. You should use Nmap, Nessus, and other automated VA platforms to get a clear idea of the target network and its configuration, then use MSF/IMPACT/CANVAS to punch through that with some specific exploit modules, and reposition.
Regards,

Chris

--
Chris McNab
Technical Director
Matta Consulting Limited
Falstaff House
34 Bardolph Road
Richmond upon Thames TW9 2LH
T: 08700 77 11 00
W: www.trustmatta.com