Core Impact

Trial Registration

Are you interested in a free trial of Core Impact? If so, let us have your details and we will contact you to make the arrangements.



Why do we need your details?

Core Impact is regulated in the US in the same way that arms (guns etc.) are. This means that the product is subject to US export controls. We need your details so that we can apply for the export license; this is normally a formality, but if you do work for Mr. Putin or Mr. Xi it could be a problem!!

About Core Impact


Core Impact is the market-leading penetration testing framework. It is designed for the professional tester and provides for testing network-level exploits, web application exploits and phishing exploits all in one place with consolidated reporting.

For the professional, time and reliability are of key importance, so the tool automates as many processes as possible and has the industry’s largest database of commercial-grade exploits available.

The key benefits to the pen-testing professional are:

  • A malicious attacker may not care if an exploit causes a service to hang or does not un-install correctly. As a professional, though, this is not an option for you; your reputation is based on trust: trust that you have impeccable integrity and that you will not inadvertently cause any “damage”.
  • Other penetration testing tools are available, but they typically rely on “community-sourced” exploits. These exploits, like so much in the open source world, depend on the reputation of the individual within the community who created them; some are amazing, some not so.
  • Commercial-grade exploits go through a formal QA and release process like all other Core software. This means that you can trust the commercial-grade exploits to behave correctly. If running an exploit could hang a service, Core Impact will tell you before you run it; when you uninstall an agent, it will uninstall correctly (nothing is left behind). The exploits only do what they say; there are no “undocumented” or nefarious “features”.
  • Your reputation as a penetration tester is built upon your integrity and trustworthiness. You don’t want to be let down by the tools that you use.
  • Ease of use is a cornerstone of the product; the simple-to-use interface provides a way for novices and experts alike to quickly orchestrate, schedule, run and report upon tests.
  • The product is Windows-based, installed with a standard “Setup.exe” and is full of wizards to speed up common tasks. All tasks can be done by hand, but even the experienced user typically uses wizards for the common, simple and uninteresting tasks where with other products they would normally write scripts.
  • Training can either be done by Core / S4 or using the wide range of on-line materials (including YouTube videos).
  • When starting on a pen-test, Impact will scan the network for you using NMAP to work out what machines are accessible and the services within them.
  • An alternative approach is to feed Impact with the output from a vulnerability scanner (all the market-leading vendors are supported) and then ask Impact to work through the list of devices and vulnerabilities, attempting to exploit them as it goes.
  • This process will take a very long list of potential issues and rapidly reduce it to a subset of vulnerabilities that can be exploited, in effect prioritising the remediation effort.
  • If prioritisation of vulnerabilities is of interest, then also look at the Brinqa tool as this has even more sophisticated functionality for vulnerability prioritisation.
  • Impact comes with a reporting engine (based on Microsoft’s Crystal Reports) and sample reports that allow you to automatically generate the information that your customers / management require.
  • This can reduce the documentation phase of any pen-test project to minutes, giving your customers tailored reports with your logs, introductions etc.
  • All reports are fully configurable and customisable; other tools often don’t offer this.
  • Where a pen-test finds machines that can be exploited, organisations will typically take remedial action and then ask that the pen-test be undertaken again to confirm the remediation worked.
  • With just a few clicks the audit log from a pen-test can be re-played against target systems to re-test them and validate the remedial actions.
  • When a pen-test is started, a user typically creates a new, password-protected Workspace within Impact. All of the auditing, reporting and activity is tied to that workspace.
  • As the pen-test continues and a machine is exploited, an agent is deployed to the remote machine. All communication with the agent is encrypted using the workspace-specific key, and the agent will only talk to that specific workspace. It is not possible for another Impact user, or another workspace owned by the same user, to connect to that agent.
  • Agents have a variety of different communication mechanisms to evade detection, and can be memory resident only, permanent (i.e. survive a re-boot) or permanent for a set amount of time. This means that even if communication between Impact and the agent is lost, the agent will cleanly remove itself when the pen-test is finished.
  • Everything is designed to be secure and default safely for the tester.
  • Impact has a larger number of exploits available than Metasploit, but even so there are still some exploits that are available within Metasploit that are not in Impact. To allow testers to have the complete superset from both tools, it is possible to run Metasploit exploits from within Impact. These Metasploit exploits deploy an Impact agent and report as normal through the Impact reporting and auditing tools.
  • This hybrid approach allows testers to have the widest possible library of exploits at their fingertips.

Core Impact Demo

The video below is a recording of a demonstration of Core Impact based on the 2018.2 release. The video takes about 40 minutes from start to end and covers network-level attacks, web application attacks, and client-side attacks.