EC Council CEH 312-50 – Advanced Hacking and Exploitation Techniques Part 4
July 10, 2023

11. Core Impact Overview

I’m going to show you how we can use Core Impact to perform a network assessment and determine the risk present on any given network. To start off, I’m going to enumerate my network. I can import the results from vulnerability scanners and use that as my starting point, but I can also go out and perform the discovery myself. I can do this over IPv4 or IPv6. I simply provide Impact with the target range and specify how much detail I want to learn about my target networks. When I click on Finish, Impact is going to start executing modules, first to discover live machines within my target range and then to fingerprint them. It’s going to try and learn about the listening ports and services and the operating systems running on each of these machines.

Now, what I think is rather interesting here is you may have noticed he was using Nmap and some other things to do this. I mean, he’s getting Nmap for free, but he’s charging $80,000 for this product. So I guess, if you could do it. Once all the machines have been identified, we can now move on to testing them for security risks. We can see all the machines displayed here in my entity view. All right, so here what we’ve done is our information gathering, all right? And then we’re going to go through and try and attack them. So we’ve gone through and done several of the chapters already, with the scanning and the enumeration and all that kind of thing.

And I can simply drag and drop my Attack and Penetration Wizard onto that network, asking it to test all of the machines on that network. This wizard gives me several options. I can choose the type of risk I want to expose these machines to and how long I want the testing to run for. Because multiple exploits have been chosen, I can dictate how they should be ordered. The default is to run the newest exploits first. I can see how I’m going to communicate with machines that I control and whether or not I want to try to evade any IDS or IPS that might be protecting these machines. I can integrate exploits from the Metasploit framework and have those run against these machines as well.

After the Core Impact commercial-grade exploits have run, I can have an action automatically performed on any machine that’s been compromised. For example, I could take a screenshot or extract passwords from a machine as soon as it’s been compromised. When I click on Finish, we’re going to see the Network Attack and Penetration Wizard start to run. It’ll analyze all the information we’ve learned about these target machines, and based on that information, it will choose and run exploits that are applicable for those machines. Each service will only have one exploit running against it at any given time.

We’re not going to overwhelm these machines by launching hundreds of attacks against a particular service and potentially cause a disruptive event. Core Impact is designed and coded to be a safe way to run commercial exploits against production machines. As modules run and are successful, we can see icons appearing next to some of these machines. These are showing me machines that have been compromised. So I wanted to mention to you right here, this means an agent was deployed in memory. That means it’s broken in, kind of like what we did with Netcat, if you recall, and placed that on there. So this machine is broken into in two places, all right, so you go through and maybe find the one that has the highest privileges, or maybe go through and see if you can get in and escalate your privileges on up.

But you see, it’s already broken into this particular machine right here, and this machine, and this machine. It’s identified which ones to launch those exploits against and already broken in. And if you were to right-click on this, it gives you a number of features. I’ll let him go ahead, and I’ll stop it and explain some of them when he right-clicks. Those found vulnerable to an attack, we now have control over. Not only can I identify those machines with truly exploitable vulnerabilities, but I can leverage them and demonstrate exactly what level of access those vulnerabilities provide me. All right, so look at some of the things that he can do. He can basically create a shell, all right? It’s a shell in memory, a Python shell perhaps.

Or he can even make the shell a little mini shell, which actually writes out to the disk, making it persistent, meaning that if they reboot their machine, it will still allow them to have that shell. He can install a PCAP plug-in, so I’d be able to sniff maybe passwords, or even do an ARP cache poison on this distant machine that I’ve broken into, get the username, get a screenshot, upload files, and that kind of thing. There are really a whole host of things that you can do to this. So, for example, I can right-click and open a shell and interact with these machines using a command shell. With the command shell, I type in commands as if I were sitting on the box and receive the output from the machine. I can also right-click and launch a file browser.

With the file browser, I can interact with the machine’s file system, and I can perform various actions. I can upload and download files, change files that are on the system, create new folders, and move files to this machine, all through the simple file browser. Every upload, download, and change I make will be recorded and logged and included in some of my reports. If I really want to drill deeper, I can come into my information gathering and my local folder, and I can see a variety of actions available for me to perform. This is what I think is really cool. So he’s got this machine right here highlighted; it looks like a Windows machine. And if I hover over that, it tells me exactly which OS it is.

It’s the i386, or x86, operating system. But here are all of the exploits that are applicable to that machine. So you could drag one over, you could drag them all over, and that kind of thing, which is just really cool, on this type of machine through that agent. The modules highlighted in yellow indicate those that are applicable for the operating system that agent is running on. This helps me select and choose particular modules and actions that will be successful on this machine, so I don’t spend time attempting to perform actions that will have no bearing. If we look again at that shell output from the ipconfig command, we can see this is a multi-homed machine. I came in on one interface, but it’s connected to another network.

So basically what happens is, if you have a web server on the Internet, it’s going to have two cards. In other words, it’s going to be multi-homed. One card will be connected to the Internet and the other one will be connected back over to your inside machines. So what he’s going to do is that pivot I was talking about. So he’s going to basically try and scan from 10.15.22. And I like to describe it like this: it’s like pulling up a chair right in front of that particular machine and starting the whole process all over again. This is a technique known as pivoting. We can leverage that connection and go out and pivot further and deeper into this network.

I’m not confined to simply testing this one layer of the network that I can see, but I can mimic the actions of an attacker, which would be to leverage the control we have on one machine and step further into the network looking for that server which contains critical infrastructure or critical data for the attacker to leverage and remove from the environment. I’m going to right-click, I’m going to choose the Set as Source option, and I’m going to perform the information gathering with it again. But in this instance, it’s going to run from the compromised machine. The machine only had an IPv4 address, so we have to perform the test via IPv4.

We have the network that this machine is present on, and I’m just going to enter it in CIDR notation and tell Impact to go ahead and perform information gathering from that machine. If we look now, we’re going to see an additional set of machines displayed here in my entity view. Here are these machines being added. All this information gathering, which we can see being performed, is happening via the compromised Windows machine on that 192.168.36 network. Someone analyzing the network traffic will see that traffic going back to that machine and not back to the Impact machine I’m running on. Now that that discovery is finished, we can repeat the steps we performed before.

We can perform attack and penetration against all the machines on this second network. Just like with the information gathering, the source of the attacks will not be the Impact machine but the source Windows machine that we’ve been pivoting through. While it’s running those attacks, we can come into the modules and perform individual attacks. I can either scroll up and down this list looking for specific exploits I’m interested in running, or I can search. I can search by the name of the exploit, by the CVE, by the target system. So I can search for all the MSRPC exploits and then choose and run individual exploits. You’ll also notice that when I select a machine, some of the exploits will be highlighted.

These are exploit candidates for that host. While we’ve been looking at the exploits, it appears it’s already compromised machines on the second network. So now we can interact with those machines, including using one of these machines as a source agent and moving even further into this network. You can step through. So basically, you’re going to pull your chair up in front of this machine, do exactly the same thing, and pivot further into the network if you possibly can. All the while, that connection that you’re pivoting with is encrypted, and no IDS or anything else can see what’s going back and forth. And then when you do your cleanup, it knows to grab the furthest connection out, clean it up, then move to the second-furthest connection out, and so on.

If you’re doing it manually, you could end up painting yourself into a corner. The way I look at it is, when I was growing up, they’d have the little cartoon where maybe the wolf was chasing after the cat or something, and he ended up on the end of the board, and somebody else gave him a saw, and he was sawing off the board with him sitting on it. So that’s kind of what you’re doing right here if you end up closing the connection using Netcat. Using something like this, you don’t have to worry about it, because it keeps track of all that. And then it builds the report based upon what all you did and analyzes exactly the path that an attacker can take to get to the critical infrastructure. When we finish, we simply execute Clean Up.

This will remove our memory-resident agents from these machines and leave them in the state they were in when we began this test. Then we can produce reports. We can produce a variety of reports for the different audiences. For the person responsible for this network, we can produce an executive report that summarizes the risks we found as we moved around inside of this environment. For the person responsible for remediating this network, we can produce a vulnerability report of what we found and how to remediate those issues. We can report on the hosts that we discovered, either as a summary of the information we were able to get from each host or as all the activities that we performed around each particular host.

If we wanted to provide a visual map of how we were able to interact with this network, I can run an attack graph that will produce that information for me. All of this information is saved inside of a workspace, and I can come back and open this workspace at any point in the future. If I test this network again, I can run trends and deltas to show how the security of this network is changing over time. So if at this point you’re not saying, wow, this is like the ultimate tool, then you’d be kidding yourself, because it really is. But by golly, they do charge for it. All right, that concludes this particular section, guys, and I hope you enjoyed that, and I look forward to seeing you in the next section.
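The pivot step above hinges on one check: the ipconfig output from the compromised host shows a second interface on a network the attacker machine cannot reach directly, so the next discovery run is sourced from that host against that network in CIDR notation. As an added example for this page (not course material and not Core Impact code), here is a Python script that does that check by hand: it parses ipconfig output, flags the host as multi-homed, and returns the other subnets as CIDR ranges for the next discovery run. The ipconfig text, adapter names and addresses are constructed; they only echo the 10.15.22 and 192.168.36 ranges the lecture mentions.

```python
"""Find pivot networks from a compromised host's ipconfig output.

Added example for this page; it is not Core Impact code. The sample
ipconfig text, adapter names and addresses below are constructed.
"""
import ipaddress
import re

# Constructed sample: `ipconfig` output from a dual-homed Windows host
# that was compromised through its 10.15.22.0/24 interface.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.15.22.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.15.22.1

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.36.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
IPV4_RE = re.compile(r"IPv4 Address[ .]*: (\d+(?:\.\d+){3})")
MASK_RE = re.compile(r"Subnet Mask[ .]*: (\d+(?:\.\d+){3})")


def parse_ipconfig(text):
    """Return [(adapter_name, IPv4Interface)] for every adapter with an IPv4 address."""
    adapters = []
    name, addr = None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            name, addr = m.group(1), None
            continue
        m = IPV4_RE.search(line)
        if m:
            addr = m.group(1)
            continue
        m = MASK_RE.search(line)
        if m and name and addr:
            # IPv4Interface accepts a dotted netmask after the slash.
            adapters.append((name, ipaddress.IPv4Interface(f"{addr}/{m.group(1)}")))
            addr = None
    return adapters


def is_multihomed(text):
    """True when the host sits on more than one distinct IPv4 network."""
    return len({iface.network for _, iface in parse_ipconfig(text)}) > 1


def pivot_networks(text, entry_ip):
    """CIDR ranges to run discovery against *from* this host.

    entry_ip is the address we compromised the host through; its network is
    dropped because we can already reach it directly. Loopback and link-local
    (APIPA) networks are dropped as well, since there is nothing to pivot to.
    """
    entry = ipaddress.IPv4Address(entry_ip)
    nets = []
    for _, iface in parse_ipconfig(text):
        net = iface.network
        if entry in net or net.is_loopback or net.is_link_local:
            continue
        if net not in nets:
            nets.append(net)
    return [str(n) for n in nets]


if __name__ == "__main__":
    if is_multihomed(SAMPLE_IPCONFIG):
        for cidr in pivot_networks(SAMPLE_IPCONFIG, "10.15.22.7"):
            print("pivot candidate, next discovery range:", cidr)
```

Run against the constructed sample, entering through 10.15.22.7, the script reports 192.168.36.0/24 as the range to scan from the compromised host. The same parser works on output captured through any command shell on the pivot, so the check does not depend on the tool that deployed the agent.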

