Architecture Components
At a basic level, the Core Impact architecture does the following:
- Performs actions on behalf of the user (these actions are represented by modules).
- Deploys and controls agents on the target network. Agents perform the actions (modules) the user indicates.
- Centralizes the collection of information and keeps track of every performed action.
- Generates reports.
The Core Impact architecture consists of a number of components working together to first compromise and then interact with the target host or application. The three primary components of the architecture are Agents, Modules and the Console. All knowledge obtained during assessments is consolidated in a central repository of information called the Entity Database. These components are described in the sections below.
Agents
Agents are a fundamental component of Core Impact's architecture. For Network and Client Side tests, an OS agent is a program that is installed by Core Impact on a compromised system immediately following a compromise. For Web Application tests, an agent represents knowledge of an exploitable vulnerability in the web application, but does not represent any code Core Impact has placed in the Web Application. The agent's primary purpose is to perform operations requested by the Console host (ultimately representing the user's orders) on the compromised system. Agents can also perform operations on other agents, a process known as "chaining." For more details about agents, see Controlling Agents.
Modules
Modules are individual operations, or a group of operations, that are executed by an agent. For example, modules can launch specific attacks against a target host, such as a web server, and perform information gathering tasks ranging from packet sniffing to active port scanning. Modules can also call and execute other modules.
See Working With Modules for more information on how to run and manage modules in Core Impact. If you are interested in developing modules for Core Impact, please refer to the "Core Impact Developer's Guide."
The Console
The Console consists of the Core Impact Graphical User Interface and serves as an initial launching point for all modules, a management tool to visualize the network being attacked, and a reporting tool for outputting the resulting information. The Console is the centralized gathering point for all information obtained from agents that may be deployed across multiple targets and varying operating systems. The Console provides visualization of data ranging from a specific network scan output to a module's successful exploit against a remote system.
The Console comes with an embedded agent that, by default, is the starting point of any penetration test. This agent is called the "localagent".
By interacting with the Console, you control the execution of Core Impact modules. Since modules run on a specific agent, there is always a selected agent for execution. This agent will be referred to in this document and in the Console itself as the default source agent. By default, when the Console starts, the "localagent" is selected as the default source agent.
Entity Database
The Entity Database constitutes the single and centralized repository of information gathered by Core Impact. It contains information such as module output, complete activity logs, information about target systems (hosts that are known, client side information, operating systems, open ports, etc.), and agent deployment. This information is entered either manually by the user or through the automatic processing of module output. You can assess the state of the whole penetration test simply by looking at this database at any time.
Structured information such as target networks, hosts, client emails, vulnerable web pages, deployed agents, open ports on a host, and found user accounts is represented as objects in this database. These database objects are referred to in the product as "entities."
An entity is any object that can be managed by the database. All entities can serialize and de-serialize themselves to and from XML, allowing you to easily manipulate the data in other programs. Any findings of a module that can be shared are in the form of entities. Entities also include the functionality to compare different revisions of themselves and resolve conflicts (for example, allowing the user to choose between different port scan results for the same hosts). Upon initialization, some default entities are created and added to the database. These entities are:
- A host entity representing the local console host ('localhost')
- The local agent ('localagent')
See Core Impact Entities for a more in-depth look at the Entity Database and how to manage it from Core Impact's Console.
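The entity behaviour described above (XML round-tripping, comparing revisions, and letting the user settle conflicting port scan results for one host) is sketched below as an added example. It is not Core Impact's code or its real XML schema: the `<entity>`/`<port>` layout, the `HostEntity` class and the `compare`/`resolve` helpers are hypothetical, and the host and port data is constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

@dataclass
class HostEntity:
    """Hypothetical host entity: a name, a revision number and port states."""
    name: str
    revision: int
    ports: dict = field(default_factory=dict)  # port number -> state string

    def to_xml(self) -> str:
        root = ET.Element("entity", type="host", name=self.name,
                          revision=str(self.revision))
        for port in sorted(self.ports):
            ET.SubElement(root, "port", number=str(port), state=self.ports[port])
        return ET.tostring(root, encoding="unicode")

    @classmethod
    def from_xml(cls, text: str) -> "HostEntity":
        root = ET.fromstring(text)
        if root.tag != "entity" or root.get("type") != "host":
            raise ValueError("not a host entity")
        ports = {int(p.get("number")): p.get("state") for p in root.findall("port")}
        return cls(root.get("name"), int(root.get("revision")), ports)

def compare(a: HostEntity, b: HostEntity):
    """Split the port states of two revisions into agreed and conflicting."""
    if a.name != b.name:
        raise ValueError("revisions describe different hosts")
    agreed, conflicts = {}, {}
    for port in sorted(set(a.ports) | set(b.ports)):
        sa, sb = a.ports.get(port, "unknown"), b.ports.get(port, "unknown")
        if sa == sb:
            agreed[port] = sa
        else:
            conflicts[port] = (sa, sb)
    return agreed, conflicts

def resolve(a: HostEntity, b: HostEntity, choose) -> HostEntity:
    """Build a new revision; choose(port, state_a, state_b) settles conflicts."""
    merged, conflicts = compare(a, b)
    for port, (sa, sb) in conflicts.items():
        merged[port] = choose(port, sa, sb)
    return HostEntity(a.name, max(a.revision, b.revision) + 1, merged)

# Constructed sample data: two port scans of the same (documentation-range) host.
REV1 = HostEntity("192.0.2.10", 1, {22: "open", 80: "open", 443: "closed"})
REV2 = HostEntity("192.0.2.10", 2, {22: "open", 80: "filtered", 8080: "open"})

if __name__ == "__main__":
    prefer_newer = lambda port, old, new: new if new != "unknown" else old
    print(compare(REV1, REV2)[1])
    print(resolve(REV1, REV2, prefer_newer).to_xml())
```

The `choose` callback stands in for the user's decision; here it keeps the newer scan's state unless the newer scan did not cover the port.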