Core Impact provides multiple information-gathering modules, which include network discovery, port scanner, OS detection, RPC dumper, DNS zone transfer, and local modules. These modules, while efficient and adequate to complete these tasks, are not as robust as in some other similar software packages. For example, eEye Retina, Nmap, or QualysGuard are designed specifically for these tasks and therefore usually perform at a higher level. So, is not unusual to perform a network vulnerability assessment with one of these tools, find several unsecured areas in your network, and then import the results into Core Impact in order to pinpoint the vulnerabilities and use the information to perform penetration testing. However, as mentioned, the tools in Core Impact can be used to perform all those discovery tasks in addition to the penetration testing. It is up to the network administrators to decide what works best for their network.
Figure 9-3 presents the task tree selection for performing discovery tasks using Core Impact. The tasks are split into three sections, allowing the user to perform different types of reconnaissance. The modules are not all appropriate all the time; an ARP discovery works well within a switched network, but is useless if there is a router or gateway between your host and the target. The TCP Connect scan provides better results than a Fast-SYN, but also leaves a log on the target host. Most OS fingerprinting methods use a statistic analysis to reach a conclusion, which some target hosts can evade. For more information on network discovery and port scanning, refer to Chapter 2.
Core Impact allows you to import information from multiple sources, such as eEye retina, Nmap, Qualys, Nessus, and Saint. As a result, you can start penetration testing without having to rescan the whole network, which leads to noise that might trigger defense systems. Being able to import results from previous vulnerability assessments is a very good feature. Since tools such as Qualys and Nessus specialize in network discovery, host identification, and vulnerability identification, they are usually better at performing those tasks than Core Impact's scripts. However, before importing, you need to know your vulnerability scanner's limitations; eEye Retina, for example, is very good at identifying Windows hosts, but tends to misinform you when run against Unix-based hosts. While misidentifying hosts can be a small mistake during a vulnerability assessment, during an exploitation, this information is crucial: the way the exploit is crafted, especially the return address, can change with OS versions, transforming a valid exploit into a denial of service. All of Core Impact's import modules can be found on the module interface under the Import-Export section.