Core Impact Adds Mobile Device Exploits, Widens Metasploit Integration

Core Security has introduced mobile device testing and measurement in the latest version of its Core IMPACT penetration testing software. Version 12 also improves Core' integration with the popular open source Metasploit Framework pen-testing tool.

August 3, 2011

2 Min Read
Network Computing logo

Core Security has introduced mobile device testing and measurement in the latest version of its Core IMPACT penetration testing software. Version 12 also improves Core's integration with the popular open source Metasploit Framework pen-testing tool.

Mobile phones, which have been hyped as a coming major attack vector for years, have become a hot-button security issue. Smart phones, capable of both cellular and Wi-Fi connectivity, have grown more powerful and capable of storing large amounts of data. They are commonly used to access corporate email and other standard business applications.

In addition to managed phones, chiefly BlackBerry devices, enterprises are embracing the use of privately owned devices, particularly the iPhone and, increasingly, Android. Attackers can potentially retrieve data or, more likely, read corporate email and/or use the victim’s account to pose as a legitimate user to conduct spear-phishing attacks within the enterprise.

Core Impact Pro v12 allows penetration testers to exploit critical exposures by:

  • Retrieving phone call, SMS and MMS logs

  • Scraping GPS and contact information

  • Taking snapshots using the mobile device’s camera

    The new release also uses social engineering techniques to test user awareness and trust on mobile devices. Testing techniques include phishing emails and texts; Web form impersonation; fake wireless access points; and man-in-middle attacks.

    Core has designed exploits against BlackBerry, iOS and Android. The Droids are particularly susceptible to attack. Earlier this year, for example, 21 malicious apps were pulled off Android Market.

    "Android is a much more popular target," says Alex Horan, Core product manager. "It’s open source, so I can find vulnerabilities myself, and it runs on so many different platforms. Trojans are easier to write, and because it’s Linux-based, attackers will try to perform privilege escalation."

    The enhanced Metasploit integration allows pen testers to run exploits through pivots, which are assets that have already been compromised, to run further attacks. Core Impact now incorporates additional Metasploit exploits and encrypts all exploit traffic for safer penetration testing.

    Also, Core Impact now includes all the OWASP Top 10 Web application vulnerabilities, adding cross-site request forgery, OS command injection, and invalidated redirect and forward exploits.

    Reflecting changes in IT infrastructure, Core Impact now provides security assessments that target IPv6 and 64-bit systems. The federal government has mandated that all its agencies' Internet-facing systems convert to IPv6 by the end of 2012, and domain providers and enterprises are gradually making the shift from IPv4.

    Enterprises may not even be aware of IPv6 in their networks and be open to attacks that security systems that have not been upgraded may not be able to see. Also, while almost all attacks are designed to exploit 32-bit systems, all new systems run 64-bit OSes, and it's a matter of time before attackers shift their focus.

    Core Security will conduct beta testing, primarily for existing customers, through a secure Web portal. Core Impact v12 will be available by the end of the third quarter.

    See more on this topic by subscribing to Network Computing Pro Reports Strategy: Stop SQL Injection (subscription required).

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights