Core Security Technologies Core Impact v12
Strengths: Flexible, easy-to-use tool with lots of capability at all levels of use.
Weaknesses: None that we found.
Verdict: We have liked this tool for a long time, and every year we expect to see it unseated by one of its competitors. It hasn’t happened yet. In our view, Impact Professional still is top of the heap and we designate it SC Lab Approved again this year.
SummaryCore Impact Professional started life as a pure-play penetration test tool. It was, at the time, the premier product of its type. Today, Impact Pro has a lot of added capability, and touches on both pen testing and vulnerability assessment. For all of that evolution, the product has retained its most beguiling benefit: It is a pen testing tool that works for both old pros and entry-level pen testers. If one has a lot of experience, the tool can do just about anything, including working in tandem with another old favorite, Metasploit, and writing one's own exploit scripts for identifying zero-day vulnerabilities.
If, on the other hand, one is relatively new to the game, Impact Professional has a host of structured capabilities - for everything from typical pen testing tasks to client-side exploits to some sophisticated wireless testing.
We begin our testing by downloading a copy of Impact after receiving a link from Core. Here is where the controls on access to the product begin. Each copy is set up for the customer. The licensed address range is hard-coded into the copy that we downloaded. That copy is, as well, encrypted. By a separate email we receive a key to unlock the encrypted distribution.
Once we download the distribution and unencrypt it, we are ready to install, which goes smoothly. However, we have another step to consider. Core Security is good about developing new exploits to keep the tool current and, of course, if one plans on using Impact in concert with Metasploit there are new exploits for that being developed as well. So the next step is to update our copy. That is a bit time-consuming, but it is, of course, necessary. Users receive frequent - sometimes daily - notifications of updates, so keeping a copy of Impact current is easy.
When we have our copy of Impact updated and ready for testing, we run a quick, scripted discovery scan. There are a variety of canned, or scripted, tasks that even the most novice pen tester can use. The discovery phase is a good example. Impact uses a variant of some old standbys, such as Nmap, for initial discovery scanning. We run our copy of Impact against the same test bed we have used for many of our vulnerability tests, and we add the extra dimension of real-world testing.
Core Impact has been SC Lab Approved for several years, and that has given us ample opportunity to use it on real-test scenarios. Our experience has been that Impact lives up to its advanced billing better than most products we test and use. After we run our discovery scan, we perform an automated network pen test, and Impact has no trouble placing agents on the vulnerable machines in our target range, which sits in a VMware vSphere virtual environment.
We test several of its other advanced capabilities - web vulnerabilities, client-side exploits, etc. - all with excellent results. Its biggest benefit is its production penetration testing at whatever level the organization demands.
Documentation is first-rate, as is support. Although this is not an inexpensive tool, it is priced appropriately for what it offers, and we find that it is an excellent value.