Front | Info | Lists | Newsfeeds | Study Guide | What is BSD? |
Network risk assessment software targets OpenBSD
Last week, CORE SECURITY TECHNOLOGIES announced the release of version 1.1 of the company's CORE IMPACT risk assessment software. The software tool for penetration testing runs on Microsoft Windows 2000 and has agent support for OpenBSD (and other operating systems). CORE says they are working on agents for NetBSD and FreeBSD. When working with CORE IMPACT, a penetration tester first runs "modules" that allows it to compromise target systems. Once a system is compromised, an "agent" is installed on the system. This agent gives the penetration tester complete control of the remote system and allows launching further attacks from that newly compromised system. (And the software provides reporting and logging facilities.) Two of the new modules targeting OpenBSD are Apache web server chunked encoding remote exploit and OpenSSH channel local exploit. The OpenBSD agent is composed of two main components: a communication channel for handling the communication between CORE IMPACT's console and the agent itself; and a syscall server which is the actual interface into the OpenBSD's operating system. "The currently implemented communication channel for OpenBSD includes authenticated and encrypted communications over a TCP connection," Maximiliano Caceres, one of CORE's product engineers, said. "The crypto stuff is implemented with a combination of Elgamal Key Agreement, Blowfish and Rijndael (AES)." The agent's communication channel also allows for chaining multiple agents along an agent route, which is useful when there's no direct way back from the compromised system to the penetration tester's console, Caceres said. "The OpenBSD Syscall server provides functionality to call any available system call in the compromised system. This server is used to make IMPACT modules interact with the compromised system," Caceres said. "In this way, further attacks, both local (for local privilege escalation) and remote, can be launched as if they were coming from this system." An optional server component, called "PCAP server", gives modules the ability to remotely use the compromised system's /dev/bpf to sniff packets from the network and to craft custom packets, Caceres said. "Simply identifying what vulnerabilities exist on a network is necessary but far from sufficient," said Ivan Arce, chief technology officer of CORE SECURITY TECHNOLOGIES. "Only by trying to actually exploit those vulnerabilities can an organization begin to understand the risk and potential business impact of an attack on their particular infrastructure." Various modules are available for compromising other systems. Some of the new modules include: IIS .HTR and .ASP ChunkedEncoding remote exploits; Solaris CDE ToolTalk delete-any-file and format string remote exploits; Solaris rwalld format string remote exploit; and ntpd control message overflow and LPRng format string remote exploits for Linux. The CORE SECURITY TECHNOLOGIES website is at http://www.corest.com/.
DiscussionDiscuss this article below.
Why bother?
|
BSD Links · Advocacy· Drivers · Events · Flavours · FAQs · Guides · Programming · Security · Software · User Groups |