Immunity CANVAS for Penetration Testing and Red Team Operations. Immunity CANVAS is world leading commercial security assessment tools (SAT) allowing penetration testing, hostile attack simulations and exploit research and development.
CANVAS for Penetration Testing
Immunity CANVAS or simply just CANVAS, is one of the top and leading commercial security assessment tools (SAT) allowing penetration testing, hostile attack simulations and exploit research and development. CANVAS is a suite of pentesting including reliable development and testing framework, comes with hundreds of exploits ready to be used sort by different use case category, and exploits library extendability to penetration testers and security professionals worldwide. One uniqueness of Canvas is it allows 3rd party exploitation packs to expand the private zero-days exploits known as Canvas exploitation pack (CEP) to make each pentesting system licensed tailored for the respective users needs and requirements.
For red team operations, a unique feature called Canvas Strategic can be activated for over two users and license to collaborate for at least one commander and one operator to perform red team operations, typically involving more pentesters users and require mobilizing one common campaign objectives and target under the commander leadership.
Feel free to contact E-SPIN for your project and licensing requirement.
CANVAS for Breach and Attack Simulation (BAS)
Make use of CANVAS exploit automation and other features, breach and attack simulation are easy to handle for ethical hackers, pentesters to exploit researchers or red team to make sure the enterprise operations are secure.
Breach and Attack Simulation (BAS) is needed for those who carry the role and duty to test the existing infrastructure security components, processes and procedures implemented within an enterprise IT infrastructure, or for those who have been outsourced and appointed to perform the ethical hacker role for the said enterprise. Every simulated breach that makes it through via the tool, provides useful insights into attack vector path and mitigation strategy, remediation processes and cyberdefense intervention.
Business need driven security breach simulations at a minimum, typically be run on an annual basis or when major add or change occurs and follow with throughout review, and carry out what is necessary. CANVAS can be adopted as a BAS tool for the enterprise, and you can custom tailor it with an extensive range of Canvas exploitation pack (CEP) add-on.
CANVAS for Vulnerability Research and Exploit Development
CANVAS can be adopted for Vulnerability Research and Exploit Development. It has been actively used by exploit researchers to develop and make it available in the form of CANVAS exploitation pack (CEP) add-on. As a user, you can use it to develop your own exploit and test it for the Vulnerability Research and Exploit Development purpose.
From a security researcher’s point of view, make use of exploits and can see how it is crafted and you can modify it, by itself, save a lot of the time to adapt exploits to fit a more specific area or use case with your intent on a needed basis.
You may open 0-day exploits or other popular exploits to study and understand how they are crafted with the Canvas built in exploits or extensive private 0-days exploits from various Canvas exploitation packs (CEP). Use it to learn and help you jump start and write complex exploits against modern software and operating systems.
Feature: CANVAS Graphical User Interface (GUI)
CANVAS has an interesting design, that at first might look a bit confusing to you. Once you understand some of the basic components, you will be able to easily find your way around more advanced scenarios to get your job done with CANVAS.
CANVAS provides a command-line interface and an XML-RPC interface which is designed to be used by modules and code rather than a human user.
In CANVAS, you can run most of the modules and exploits independently! It means you would not need to load the entire framework, just to run a small command or tool from it.
Canvas is fully IPv6 compatible! It means you can also set your IPv6 interface address as the default listener, or attack IPv6 targets.
Feature: CANVAS Modules
Modules in Canvas are categorized based on type of module, type of attack (Local,Remote,Web,Clientside,DoS) and Operating System they can be run against.
Under the hood, most of the modules are categorized within a hierarchy in the exploits directory under the CANVAS root directory.
Favorites Here you will find some of the favorite modules that you can start playing around with, or are most common to be used.
New This section is updated with every new realease of CANVAS to highlight the latest modules and exploits that were added.
Exploit modules are arranged and categorized based on the vector, followed by the operating system. This makes it quick and easy to narrow down a list of exploits, once the Operating System of the target has been identified.
Exploit Pack. Canvas built-in modules are not the only inventory of tools and exploits that you can use. There are multiple 3rd party companies that provide exploit-packs for CANVAS. This allows you to boost your Canvas capabilities by purchasing and installing those packs to be able to attack even wider ranges of softwares and services using Canvas. Moreover, some of the 3rd party exploit providers offer 0day exploit modules, which is a great way to challenge your network security with real-world threats.
Commands :This group of modules, also categorized by OS type, is used to perform a series of common actions against the active node.
Trojans : Tojans allow you maintain access to a host you have already gained access, by either installing presistence MOSDEF trojan, or by installing the rootkit (HCN) that is included in the CANVAS.
Recon: Recon modules are focused on the tasks such as footprinting and detection of services or operating system version, as well as remote enumeration of data where possible, from relevant services.
DoS: Denial of Service exploit modules that are intended to crash a remote service, cause BSOD or make the system reboot.
Tools: This category contains modules that are developed based on CANVAS internal libraries and other modules, to perform a series of automated tasks.
Reporting: From the moment CANVAS is started until it is closed, every action performed in CANVAS is logged and time stamped. CANVAS can export the session activities into an Open-Office odt document format. This generated report includes the following items and sections:
- Summary Tables
- Attempted Exploits
- Successfull Attacks
- Unsucces Attacks
- Appendix (Attack outputs, Exploit descriptions, Severity Level reference)
Servers: This category contains CANVAS modules that are used to operate as a server for client-side attack modules (HTTP or SMB server).
Configuration: Here you can find the CANVAS basic configuration module.
Fuzzers: Two basic fuzzers for MS-RPC endpoints and TFTP are included in CANVAS.
Listeners: This module brings up the Listener-Shell GUI, which if you have already have a live exploited node, will automatically connect to the active node.
Feature: CANVAS Command-line
As comfortable as it is to use the powerful CANVAS GUI, there will be some times when it is necessary to run CANVAS or a specific module from a terminal or command-line interface, for example over SSH. Most of the features provided through the GUI can be used from the command-line interface. It is possible to directly call modules (which are basically Python scripts) and provide the parameters and switches they required.
CANVAS also provides a tab in its GUI, that allows you to interact with Canvas by typing commands.
One of the benefits of having this CMDline interface in the GUI, beside its standard commands, is the Python shell which allows direct interaction with CANVAS objects from Python.
Feature: CANVAS Listeners
Once you successfully exploit a remote machine via any of the available modules, CANVAS automatically opens a news ‘Listener-shell’ window, which is basically an GUI for interacting with MOSDEF to perform various actions. This is more powerful than a a simple remote shell, providing the ability to browse files on the remote machine, upload or download files, pipe and run OS commands or spawn new processes.
The listener-shell can be of different types, depending on the machine, service or the (web) application you are exploiting. Therefore some of the functions of the listnener-shell might not be available on all node types.
Feature: CANVAS Strategic
The Canvas Strategic essentially allows live communication between multiple instances of Canvas and sharing the information (knowledge, performed actions, obtained shells) with a central commander instance, which is a machine running the the Commander module from the Canvas. This feature is specially useful when a team of users are working together on an engagement and activities, progress and achievements needs to be coordinated and collaborated. Moreover it can be also used as a central activity monitoring and logging for multiple canvas instances. Canvas Strategic allows creating multiple channels for multiple simultaneous engagements as well as a simple chat server that Canvas users could join and communicate with.
Feature: CANVAS Integrated Pentesting Platform
CANVAS is easier to use and master than free open source tools, due to integrated penetration testing and exploit development framework is special craft and for that result in mind. Which means it is easier for less-experienced penetration testers to jump start the penetration testing, as well as for experienced ethical hackers use it for craft special red team campaigns like running multiple licenses as for red team operation.
Some of the typical use case example
Exploiting Windows Remotely
Suppose we are in a network and our goal is to scan, identify and exploit some Windows machines, remotely. There are many different modules targeting Windows machines available in Canvas, aimed at different versions of Windows. Of course it very rare to find a Windows machine exposed over the Internet that is vulnerable to some old known RPC vulnerability, but auditing and penetration testing internal networks is a different story. It is likely that in larger networks you discover systems vulnerable to issues from a few years back. When possible, Canvas takes care of version detection automatically so there is no need to worry about which version of payload to select unless you are already certain about it.
Exploiting Windows Locally (Privilege Escalation)
Scenarios in which we have successfully exploited a node, but the access rights are limited on the system. In such cases, privilege escalation may be accomplished by exploiting a vulnerability in a Windows OS components or service, or any 3rd party softwares and services that are running with administrator/SYSTEM privileges. To use any of the privilege escalation exploits available in CANVAS, the target machine must be running an active MOSDEF callback, for instance a remote web or client-side exploit was used to gain access or possibly the target executed a MOSDEF trojan.
Exploiting Client-Side Vulnerabilities
CANVAS is well suited to serving and handling client-side attacks in addition to remote attacks. Since there are a wide range and different classifications of vulnerabilities are supported by CANVAS, the exploitation methods used by CANVAS are dependent on the type of exploit. In most cases when dealing with client-side vulnerabilities, the vulnerability can be triggered from a web-browser. For these situations, CANVAS provides a dedicated engine for automatically selecting, serving and handling browser based exploits. Vulnerabilities in the browser or third party plugings (Adobe Reader, MS-Office, etc.) are examples of such cases.
Once we have access to the node, you will likely want to gather information from that node to further penetrate the network. Depending on the privilege gained, it is possible to gather file and registry information, dump password hashes or even attack other machines inside the network from the exploited machine. Persistent Access: Relying on a session that has been obtained from an exploit for lateral movement an extended period of time may not be the best idea. In such cases, one of the first actions on the remote machine should be stablizing access so that you can connect back to the same machine without much effort and resume your work. In other words, plant a backdoor on the remote machine. Pivoting: in CANVAS terms, is using a compromised machine as a stepping stone to reach and exploit other machines that might not be otherwise accessible. CANVAS does not limit you in the number of hosts you can pivot from. If you are in a complicated and restricted network, you can go through the same steps and use this third host as your pivot point to reach yet another machine three levels deep inside the network.
CANVAS is a product developed completely using Python, thus technically any platform and operating system that can run Python and meet the package dependencies can be used to run CANVAS. However, Immunity officially supports the installation of CANVAS only on Windows and Linux (Ubuntu, Kali). CANVAS can also be installed and used within a virtual machine, this is our recommended method of using CANVAS on unsupported platforms, or simply to have a clean and isolated environment. Users who are running CANVAS on restricted environments might also prefer to use a virtual machine. CANVAS is mainly developed and tested to run on Linux, and it is the platform that CANVAS shines on. You might notice that you may lose a few features of CANVAS if you run it on Windows. Some of the features of CANVAS (a few number of modules and tools) also require privileged access to the operating system to run correctly.
CANVAS is very lightweight and can be used on any system that is capable of running Linux or Windows. It is recommended to have at least 5GB of disk space and 1GB of memory on the system or virtual machine that is being used for CANVAS. One of the interesting features of CANVAS is that it can also run on headless systems in command line mode, in which it requires even less hardware resources. This means you can even run CANVAS on your Android based phones or tablets, although it is not officially supported by Immunity.
CANVAS used to support macOS but due to GTK2 deprecation and issues, CANVAS can no longer officially support CANVAS on macOS. CANVAS generally runs but it breaks on most UI operations, CANVAS will keep providing the installer for all those users that will want to try and fight the beast on their own (or simply install it on older versions of macOS).
Last checked and updated: 25-Aug-2022 latest version at the time is 7.35 released on 2022-Aug-11.
Other post you may interest