OpenBSD Journal

Network risk assessment software tool

Contributed by jose on from the south-american-hacker dept.

Jeremy C. Reed writes :
"Recently, Mr. OpenBSD wrote: "... if you don't follow our erratas, what the HELL DO YOU EXPECT?"

The latest CORE IMPACT release for Windows 2000 supports OpenBSD as one of its target platforms; it includes attack modules for compromising OpenBSD systems and an OpenBSD agent for taking control and module execution on these. (Of course, this penetration testing software has more modules and agents for other operating systems.)

You can read about it at .

(I am guessing it is out of the "script-kiddies" price range.)"

You can learn more about Impact on the Core website, or from the Impact presentation at Blackhat 2001. Luckily, this is priced well outside of script kiddie hands.


  1. By anonymous () on

    Since when have script kiddies cared about price? If they really want it then someone will subvert what ever licensing protections were put in place.

  2. By Anonymous Coward () on

    *every* program out there makes it to the warez scene, and those that cost mucho $$$ get there faster than the others. Just patch your systems.

    1. By Peter N. M. Hansteen () on

      If I read the article correctly, the kit they are marketing simply tries to exploit two relatively recent flaws, both of which have been patched out of existence by all sane admins.

      This essentially leaves us with a story about somebody who felt a need to brag about being able to break into OpenBSD boxes. It somehow fails to excite me.

  3. By RC () on

    Patch (blah, blah, blah) systems
    When (blah, blah, blah) run services as a user
    Every (blah, blah, blah) be chroot'ed
    Do not (blah, blah, blah)
    Best practices (blah, blah, blah)

    You've heard it before. Now why don't people actually do it?

    1. By Mike () on

      Contrary to what you may believe or what would happen in a perfect world, not every OpenBSD server has an admin with the time or patience to stay on top of every security issue.

      For the people who are already at, there is an availability bias -- "I keep my system patched, everyone I talk to keeps their system patched."

      In the real world, people often have things they deem more important than subscribing to certain mailing lists, checking web news sites, etc. Or they just might not trust their skills.

      Here's the thing -- Suppose you have a server running off in your closet, never seeing the light of day but chugging along, passing a few packets back and forth on the internet; it does what it is supposed to. Do you think that machine will continue functioning as consistently if no one admins it at all, or if someone who thinks they know what they are doing is actively adminning it? That had been a safe enough bet until the SSH hole came out.

  4. By jose () on

    So it's easy to think "oh, this is not a big deal" and "oh, who cares how much it costs, script kiddies will get it." While some kids may get it, we'll see if they do.

    However, Impact isn't simply Nessus and isn't really all that simple. It's a very intelligent penetration testing tool. This is a huge leap forward in such technology, and this probably threatens to put some penetration testers out of business. They have some really bright people writing their code (the Core team is a huge intellectual brain store) and writing their exploits (think really good exploit writers, I won't name names). This is really worth reading up on; you'll learn a lot.

    In that it targets OpenBSD, it's a representation of how far OpenBSD has come. It's now being taken into consideration as a target for penetration testing tools; it's being recognized as being that pervasive in the business. This is good.

    Oh, and many of the Core guys (current and past) contribute to OpenBSD.

  5. By Anonymous Coward () on

    ...just pay them in their local currency. (Argentina)

  6. By Anonymous Coward () on

    and quacks like a duck is it ...... EXTORTION

    Why is a computer and its contents treated any different than YOUR house, card, bank account?
    What difference does it make if it belongs to YOU or YOUR company. And offer the information with the implied threat that if you don't PAY UP I'll ......


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]