Release notes for Core Impact 19.1 - 2019-08-12
===============================================

System Requirements
-------------------

* Intel Core i5 (4th generation)
* 8GB RAM minimum
* 4GB Free Hard Disk Space (space requirements increase with the quantity of
workspaces)
* A Windows-compatible Ethernet networking card
* NOTE: Core Impact works with wireless network interface cards
* Internet Explorer 11.0 or later
* Screen resolution: 1024 x 768 minimum (1280 x 1024 recommended)
* Certified on the following platforms:
  * Windows 10 Enterprise 64 bit (May 2019 Update - Version: 1903)
  * Windows 10 Pro 64 bit (May 2019 Update - Version: 1903)
* Supported on the following platforms:
  * Windows Server 2016 Standard
  * Windows Server 2019 Standard

NOTES
* Core Impact's WiFi Fake Access Point requires the use of a Pineapple Nano
(http://www.hak5.org) wireless network auditing tool. The Tetra and Mark V devices
may also work; however, these are not officially supported or tested by our
development team.

Installation Requirements
-------------------------

Installation must be performed locally. Installation via Terminal Services, RDP or
other remote access method is not supported.

Installation must be performed while logged in to the system using a local account
(not a domain user) that has full Administrator rights to the machine.

The account used to install Core Impact should be the same account that will be
used to run the software.

The installation of Core Impact within a Virtual Machine (VM) based on VMWare
technology IS supported.

Ensure the Windows Firewall Service is enabled and active to allow Core Impact to
add itself for exclusion. This is recommended even if the Windows Firewall will be
disabled on the system. After Core Impact has been installed, the Windows Firewall
may be disabled.

Disable Anti-Virus (AV) software prior to installation of Core Impact. Core Impact
contains "live" exploit code that AV may detect. After Core Impact has been
installed, the AV software must either be configured to exclude the directories
associated with Core Impact or remain disabled. For AV applications that perform
process scanning, the processes associated with Core Impact must also be excluded.
See the list of directories and processes to exclude below.

Notes:

* Files and subdirectories to exclude for AV scanning are:

%ProgramData%\IMPACT\*

If you have any further questions, please do not hesitate to contact Customer
Services via email (support@coresecurity.com) or by telephone (678) 304-4485.

Watermarking and time-limits
----------------------------

Each licensed Core Impact binary is electronically watermarked for its particular
license holder. Additionally, each distribution is limited to the time defined in
the license agreement or sales quotation. When the general license expires the
product will stop functioning.

Error reporting
---------------

Please report any problems to Core Security (mailto:support@coresecurity.com) and
include the following information:
- Build number
- Distribution key
- License holder

This information is available from Core Impact's about box (press the 'Copy Info'
button).

When reporting a module error, please include the Log/Debug information generated
by the module. Keep in mind that the Module Log window is set by default to filter
messages with a medium priority. Most Python tracebacks used for debugging are not
printed at this level, so before copying the information to the clipboard, set the
detail level in the Log/Debug window to High using the window's context menu (see
the User Guide for more information).

Major support changes
---------------------

- Core Impact version 19.1 dropped support for the use of the AirPcap device for
running WiFi vector attacks, as the device is no longer available nor supported by
the vendor. The use of WiFi Pineapple devices is recommended instead.
- Core Impact version 19.1 removed support for modules associated with Insight
Enterprise.
- Core Impact version 19.1 removed support for modules associated with obsolete
mobile devices.
- Core Impact version 19.1 removed support for modules associated with attacking
surveillance cameras.
- Core Impact version 19.1 removed support for the obsolete PatchLink VMS and
STAT Guardian importer modules.

Usage Considerations - Installation
---------------------------

#33601: Core Impact service not being closed during re-installation
- Description: While installing a new Core Impact distro over an existing Core
Impact instance installed and running, the 'Core Impact Service' is not closed
before initializing the installation.
- Workaround: Verify the 'Core Impact Service' is in stopped state before
initiating an upgrade process.

#16721: During install, if the database migration is canceled, a new, empty
database is created.
- Description: If the database migration process is canceled, a new empty database
is created during the next execution of Core Impact.
- Workaround: Do not cancel the database migration process. If it is canceled, the
data can be accessed by using the Import/Export wizard to import the workspaces
from the previous database, which will be in the directory where the Core Impact
database is stored.

Usage Considerations - GUI
-------------------

#23386: In some circumstances local stats may not show
- Description: In some circumstances where a workspace contains extreme amounts of
records the stats generation module takes too long to process and the local
statistics will not show any results.
- Workaround: Archive the offending workspace from the database.

#25416: Certain Characters cannot be used to start a Workspace name
- Description: The following characters cannot be used to start a workspace name:
space, \\, /, :, *, ?, \, ", <, >, | ,"
- Workaround: Do not use those characters to start a workspace name.

Usage Considerations - Wizards
----------------------

#13792: Client-Side Information Gathering modules abort if Unicode is used.
- Description: The Client Side Information Gathering modules abort if Unicode
strings are entered as a parameter.
- Workaround: Do not enter Unicode into the Client Side Information Gathering
module parameters.

#32341: Search Engines Email Grabber module does not currently work with Yahoo API
- Description: Yahoo has updated their API to perform web queries and has changed
the authentication mechanism used to interact with it. This module does not
currently support this authentication mechanism and thus the functionality is
disabled.
- Workaround: Use another available search engine, such as Google.

Usage Considerations - IPv6
-------------------

#23042: When deploying an agent on Windows XP through HTTP proxy and over IPv6 the
Windows XP machine fails to appear
- Description: If an agent is deployed on Windows XP through HTTP proxy and over
IPv6 (via Serve Agent in Web Server for example) the IP address of the proxy will
be committed.
- Workaround: There currently is no workaround for this scenario. The agent is
usable but visually appears to be running on the proxy IP.

Usage Considerations - Web Applications
-------------------------------

#14706: Web App Attack and Penetration wizard does not support Unicode in Custom
Error Page Detection.
- Description: If Unicode is used in a Custom Error Page Detection field the wizard
will fail.
- Workaround: Do not use Unicode in any fields defined in the Custom Error Page
Detection of the wizard.

#19560: Right Clicking on a multi selection of Scenarios changes the view to look
like only a single scenario is selected
- Description: If you use CTRL or SHIFT to select multiple Scenarios (in the Web
Apps view) and then right-click the selection, the GUI will change to appear as
though only a single scenario is selected. However, Core Impact will carry out the
selected action (e.g., Delete) on all scenarios that had been selected.
- Workaround: No workaround; the user must be aware that multiple scenarios had
been selected and that any action selected from the context menu will be carried
out against all of the previously selected scenarios.

Usage Considerations - Wireless
----------------------

#20510: After uninstalling the TAP interface, running the Core Impact 3rd party
installer may not reinstall the TAP Adapter
- Description: If the TAP Interface is uninstalled, in some circumstances rerunning
the CORE_IMPACT_3rdparty.exe executable will not recreate the Interface.
- Workaround: Contact support for assistance, though installing OpenVPN will also
create the TAP interface.

#20559: Fake AP HTTP Phishing (Web Form Impersonation) Module not working with
responses with fragmented packets
- Description: The Fake AP HTTP Phishing (Web Form Impersonation) module is not
able to alter the web form on pages when the HTML is delivered in fragmented
packets.
- Workaround: Test the targeted forms prior to performing Fake AP HTTP Phishing
(Web Form Impersonation) for that form to determine if the responses are sent in
fragmented packets.

Usage Considerations - Agents
---------------------

#2805: The Reuse connection method does not work when the source Agent is behind a
NAT enabled device.
- Description: Exploits executed from an Agent behind NAT using the Reuse
Connection method will not work.

#14577: cmd.exe runs after shell is closed if cmd.exe is still working.
- Description: If you run a continuous command in the shell running on a Windows
machine (e.g., a persistent ping: ping x.x.x.x -t) and close the shell, the cmd.exe
process continues to run on the target machine.
- Workaround: Stop any running actions (using CTRL+C) in the shell and then use the
'exit' command to end the shell.

#26620: Install Agent via VNC is not reliable
- Description: Install Agent using VNC does not always deploy an agent.
- Workaround: Report any failure of the module to deploy an agent to Customer
Support via email (support@coresecurity.com) or by telephone (617-695-1122).

#28174: Agent Connection policy not running on agents deployed using 'Connect To'
or 'Reuse Connection'
- Description: When an agent is deployed using 'Connect To' or 'Reuse Connection'
agent communication options the 'Set Agent Reconnection Policy' is not
automatically run.
- Workaround: This behavior is by design; reconnection is only supported on agents
deployed using 'Connect From' as the communication method.

#28236: Memory leak when using pcap on agents in some circumstances
- Description: When using an agent with pcap installed and any of the following
communication methods: Reuse Connection, HTTP channel, HTTPS channel or DNS channel
the memory used by the Core Impact process can grow.
- Workaround: This is caused by the fact that the agent is not filtering the
packets that it sends. Limit the amount of network activity when using pcap on a
deployed agent.

#28620: Install agent using SSH sometimes fails on non-Linux IPv6 based systems.
- Description: The Install agent using SSH module will sometimes fail on non-Linux
IPv6 based systems where network connectivity is slow due to timing issues.
- Workaround: Retry the module a few times or choose a different deployment method
to install an agent on the target host.

#35820: Agent reconnection does not work for 'Reuse Connection' and 'Connect To'.
- Description: When the Reconnection Policy is set by default for agents using
'Reuse Connection' and 'Connect To', the agent can't reconnect after disconnection.
- Workaround: Use another agent communication method.

Usage Considerations - Reporting
-------------------------------

NONE

Usage Considerations - Exploits and Modules
-----------------------------------

#14614: Using HTTP Channel and send agent by e-mail, if multiple agents are
deployed and the modules stopped, additional agents cannot be deployed.
- Description: If you use the HTTP Channel communication method and multiple agents
are deployed on the same machine in the same process additional agents cannot be
deployed after the modules are stopped. This occurs after as few as 2 or as many as
10 agents. It is required to restart the process on the target system before new
agents can be deployed.
- Workaround: Limit the number of agents deployed (via the same process) using the
HTTP Channel or use an alternate communication channel.

#15178: Debugger cannot debug modules using Reuse Connection.
- Description: If you attempt to debug a module that implements the Reuse
Connection communication method the module throws an exception and closes.
- Workaround: Do not use the Reuse Connection communication method in conjunction
with the debugger.

#23164: Inject agent into virtual machine via 64bit agent fails.
- Description: Attempting to run the module Inject Agent Into Virtual Machine via a
64bit agent causes the agent to crash.
- Workaround: Deploy a 32bit agent on the target and run the module from the 32bit
agent.

#23943: HTTP Email Address Grabber and Sensitive Data Crawler not committing (at)
email addresses found in Word Documents
- Description: When the HTTP Email Address Grabber or Sensitive Data Crawler
process a word document they do not commit email addresses where the @ symbol is
replaced with (at).
- Workaround: Search the document for '(at)' and manually add those emails to Core
Impact.

#26636: Search Engines Email Grabber has trouble parsing some PDF files
- Description: The Search Engines Email Grabber has issues when parsing some PDF
files.
- Workaround: There is no current workaround; you will need to parse those PDF
files by hand. Also submit the PDF files to support so Core can analyze them and
attempt to find the cause.

#38858: HTTPS Channel isn't supported on Windows XP SP2 and Windows Server 2003 SP2
or earlier
- Description: Some exploits target multiple versions of Windows. The HTTPS Channel
connection method is supported on some of those versions (Windows XP SP3 or later)
and not supported on others (Windows XP SP2 or earlier).
- Workaround: If expected targets of a client-side exploit are running Windows XP
SP2 or earlier, the user should configure a connection method other than HTTPS
Channel.

#40413: In some circumstances exploits might report the 'An agent was already
deployed on this target' error
- Description: Under some circumstances, when no port information is available and
multiple services are listed in the target host entity, certain exploits will
improperly show the "An agent was already deployed on this target" error.
- Workaround: No workaround required, the affected exploits already have safeguards
to validate if an agent is already deployed on the target.

Usage Considerations - Teaming
----------------------

#28264: When team leader goes offline the member copies of Core Impact take a few
minutes to recover
- Description: When the team leader copy of Core Impact goes offline the team
member copies of Core Impact may hang while the local copy of Core Impact
reconfigures itself to work locally.
- Workaround: As a member, close the teaming workspace before the team leader goes
offline.

Usage Considerations - Miscellaneous
----------------------------

#18928: Quality Agent cannot submit crash reports via an authenticating proxy
- Description: If the Quality Agent attempts to submit a crash report to Core
Security Technologies, and the outbound traffic must pass through an authenticating
proxy the crash submission will fail.
- Workaround: Either remove the authenticating proxy or email the crash files
(found in "%ProgramData%\IMPACT\Panic") to support@coresecurity.com.
