PT0-002, Chapter 53 of 104, Objective 3.1

Exploit Frameworks: Core Impact and Canvas

This chapter covers two major commercial exploit frameworks: Core Impact and Canvas. Both are important for the PT0-002 exam under Objective 3.1 (Attacks and Exploits) because they represent the highest tier of automated penetration testing tools. While open-source alternatives like Metasploit are more common, the exam tests your understanding of what distinguishes commercial frameworks—their automation, reporting, and multi-stage attack capabilities. Expect 1-2 questions on their unique features, licensing models, and typical use cases. Mastering these frameworks will help you select the right tool for different penetration testing scenarios.

25 min read
Intermediate
Updated May 31, 2026

Exploit Frameworks as Swiss Army Knives

Think of an exploit framework like a Swiss Army knife designed for a specific job. Core Impact is the industrial-grade Swiss Army knife used by professional locksmiths: it has a built-in lockpick set, a tension wrench, a bump key, a decoder, and a pick gun—all in one case. The locksmith doesn't need to carry separate tools; the knife organizes them, provides instructions, and even tells you which tool works best on which lock type. Canvas, on the other hand, is like a specialized lockpick set used by competitive lock-sport athletes: it focuses on high-quality, precision picks for specific, often rare, locks. The athlete buys individual picks (exploits) and assembles them into a custom kit. While the locksmith's knife is easier to use and more comprehensive, the athlete's set might have a pick that opens a lock no other tool can. Both are valid, but they serve different users: the locksmith (penetration tester) needs reliability and breadth, while the athlete (exploit developer/researcher) needs depth and cutting-edge capability. The framework doesn't replace skill—it amplifies it by providing a structured, tested set of operations that can be combined in sequence, just as a Swiss Army knife's tools are used one after another to solve a problem.

How It Actually Works

What Are Exploit Frameworks and Why Do They Exist?

Exploit frameworks are integrated platforms that bundle exploit code, payload generators, auxiliary modules, and post-exploitation tools into a single, scriptable environment. They exist to solve a fundamental problem in penetration testing: exploits are often written by different researchers for different platforms, with incompatible interfaces and dependencies. A framework standardizes the way exploits are loaded, configured, and executed. It also provides a common payload infrastructure, meaning you don't have to write a reverse shell for every exploit—you just select a payload from the framework's library.

For the PT0-002 exam, the key distinction is between open-source frameworks (like Metasploit) and commercial frameworks (Core Impact and Canvas). Commercial frameworks offer advantages in terms of technical support, guaranteed updates, and advanced features like automated chaining of exploits and post-exploitation actions. They also include proprietary exploits that are not available in the public domain. The exam expects you to know these differences and when to recommend a commercial framework.

Core Impact: Architecture and Workflow

Core Impact is developed by Core Security (now part of HelpSystems). It is a fully commercial product with a per-seat licensing model. The framework is built around a modular architecture:

Console: The main user interface, which can be graphical (GTK-based) or command-line (`impulse`). The console manages sessions, modules, and the attack workspace.

Modules: Individual pieces of code that perform specific actions—reconnaissance, exploitation, post-exploitation, or reporting. Modules are written in Python and can be extended.

Agent: The payload that runs on a compromised target. Core Impact uses a custom agent called Core Agent (or simply "agent") that provides a rich set of post-exploitation features, including file system access, registry manipulation, keylogging, and pivoting.

Workspace: A project file that stores all targets, credentials, loot, and session data. Workspaces are saved in a proprietary format and can be shared among team members.

Workflow in Core Impact typically follows these stages:

1. Reconnaissance: Use built-in modules to scan networks, enumerate services, and identify vulnerabilities. Core Impact includes a port scanner, service enumerator, and vulnerability scanner.

2. Exploitation: Select an exploit module, configure its parameters (target host, port, payload), and launch it. If successful, an agent is deployed on the target.

3. Post-Exploitation: Interact with the agent to gather data, escalate privileges, move laterally, or install backdoors. The agent supports commands like `shell`, `upload`, `download`, and `screenshot`.

4. Reporting: Core Impact automatically generates detailed reports in PDF, HTML, or Word format, including screenshots of successful attacks and evidence of compromise.

Key technical details for the exam:

Core Impact uses a centralized database (PostgreSQL) to store workspace data.

The agent communicates over TCP using a custom protocol on a configurable port (default 4444 for reverse connections).

Core Impact supports multi-platform agents: Windows, Linux, macOS, and even some embedded systems.

The framework includes social engineering modules (e.g., phishing email creation) and web application testing modules.

Canvas: Architecture and Workflow

Canvas is developed by Immunity (acquired by Invicti). It is also commercial but uses a subscription-based licensing model. Canvas is written in Python and is known for its rapid inclusion of new exploits—often within hours of a vulnerability disclosure.

Key components of Canvas:

Canvas GUI: A graphical interface built with wxPython. It provides a tree view of modules, a target list, and an exploit execution pane.

Modules: Called "exploits" in Canvas terminology, these are Python scripts that follow a specific API. Each exploit has a class that defines its targets, dependencies, and execution logic.

Payloads: Canvas uses Mona (a custom payload generator) to create shellcode. Mona supports various encodings and output formats (C, Python, Ruby, etc.).

Listeners: Canvas can set up listeners for reverse connections, typically on ports 80, 443, or 4444.

Workspace: Canvas does not use a database; instead, it saves state in a binary file (`.canvas` file) that contains all targets, sessions, and results.

Workflow in Canvas:

1. Import Targets: Add target IP addresses or ranges manually or from a file.

2. Run Reconnaissance: Use the built-in scanner or import results from external tools (Nmap, Nessus).

3. Exploit: Select an exploit, configure options (target, port, payload), and run it. Canvas provides a "Brute Force" mode that tries multiple exploits against a target.

4. Post-Exploitation: Canvas offers a limited set of post-exploitation commands compared to Core Impact, but it does support shell access, file upload/download, and keylogging via its Canvas Agent.

5. Report: Canvas can generate simple text reports, but its reporting is less sophisticated than Core Impact's.

Key technical details for the exam:

Canvas modules are Python classes that inherit from a base exploit class. The framework provides a rich API for socket handling, shellcode generation, and protocol parsing.

Canvas supports MOSDEF (a custom shellcode format) and can generate shellcode for multiple architectures (x86, x64, ARM).

Canvas has a community edition called "Canvas Community" (free but with limited exploits).

Canvas is often used by exploit developers because its modular architecture makes it easy to add new exploits.

Comparison of Core Impact and Canvas

Both frameworks share common features:

Both are commercial, requiring a license.

Both are written primarily in Python.

Both provide a GUI and a command-line interface.

Both support multiple platforms (Windows, Linux, macOS).

Both include a library of exploits that are updated regularly.

However, they differ in several important ways:

| Feature | Core Impact | Canvas |
|---------|-------------|--------|
| Licensing | Per-seat, perpetual license | Subscription-based (annual) |
| Reporting | Advanced, automated reports with screenshots | Basic text reports |
| Post-Exploitation | Extensive agent capabilities | Limited agent capabilities |
| Social Engineering | Built-in modules (phishing, etc.) | Not included |
| Exploit Library | Large, but many exploits are older | Smaller, but includes cutting-edge exploits |
| Ease of Use | More user-friendly, wizard-driven | More complex, requires Python knowledge |
| Typical User | Enterprise penetration testers | Security researchers, exploit developers |

How Exploit Frameworks Interact with Other Tools

Both Core Impact and Canvas can integrate with external tools:

Nmap: Import scan results to populate target lists.

Nessus/OpenVAS: Import vulnerability scan results to automatically select relevant exploits.

Metasploit: Some testers use Core Impact or Canvas to launch initial exploits and then pass sessions to Metasploit for post-exploitation.

Burp Suite: Core Impact includes modules for web application testing that can work alongside Burp Suite.

Configuration and Verification Commands

Core Impact:

Launch the console: `/opt/core-impact/impulse` (typical installation path).

List available modules: `module search <keyword>`.

Set a global option: `setg RHOSTS 192.168.1.0/24`.

Run an exploit: `exploit <module_name>`.

View active sessions: `sessions -l`.

Canvas:

Launch Canvas: `./canvas` from the installation directory.

List exploits: `show exploits`.

List payloads: `show payloads`.

Set options: `set RHOST 192.168.1.10`.

Run exploit: `run`.

Exam-Relevant Values and Defaults

Default reverse listener port for Core Impact: 4444.

Default reverse listener port for Canvas: 4444 (but often changed to 80 or 443 to evade detection).

Core Impact's agent is called Core Agent; Canvas's agent is called Canvas Agent.

Core Impact uses a PostgreSQL database; Canvas uses a binary file.

Core Impact's reporting formats: PDF, HTML, Word.

Canvas's community edition: Canvas Community (free, limited exploits).

Walk-Through

1. Reconnaissance and Target Enumeration

In this step, you use the framework's built-in scanning modules to discover live hosts, open ports, and running services. Core Impact provides a 'Network Scan' module that performs TCP SYN scans, service version detection, and OS fingerprinting. Canvas has a similar 'scanner' module. The output populates the target list. For the exam, know that Core Impact's scanner can import Nmap XML results directly, while Canvas expects a simple IP list or Nmap output in text format. The reconnaissance step is critical because it determines which exploit modules are applicable. A common mistake is skipping this step and trying exploits blindly, which wastes time and may trigger alarms.

2. Vulnerability Mapping and Exploit Selection

After reconnaissance, the framework correlates discovered services with its exploit database. Core Impact has an 'Auto Exploit' feature that automatically selects and runs exploits based on scan results. Canvas requires manual selection, though it has a 'Brute Force' mode that cycles through multiple exploits. At the protocol level, the framework sends crafted packets to the target's open ports. For example, if a target runs SMB on port 445, Core Impact might try the EternalBlue exploit (MS17-010). The exam tests that Core Impact's automatic mapping is a key differentiator—it reduces the need for manual vulnerability research.
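The Nmap import described under "How Exploit Frameworks Interact with Other Tools" and the service-to-exploit correlation of steps 1 and 2 can be seen mechanically in this added example (written for this page, not code from Core Impact or Canvas). It parses a constructed Nmap XML fragment into a target list and matches open services against a hypothetical module catalog; the catalog and its module labels are placeholders, and the product-hint check stands in for the version matching that makes service detection in step 1 matter.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML fragment (not a real scan): two live hosts, one down host.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Windows 7 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="1433"><state state="open"/>
      <service name="ms-sql-s" product="Microsoft SQL Server 2008"/></port></ports></host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical module catalog standing in for a framework's exploit database.
# service name -> (module label, substring the product string must contain, or None).
# Labels are placeholders, not real Core Impact or Canvas module names.
MODULE_CATALOG = {
    "microsoft-ds": ("smb_ms17_010_check", "Windows"),
    "ms-wbt-server": ("rdp_bluekeep_check", "Windows"),
    "ms-sql-s": ("mssql_login_audit", None),
}


def parse_nmap_xml(xml_text):
    """Build the target list: {ip: [(port, proto, service, product), ...]}.
    Only hosts that are up and only open ports are kept."""
    targets = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            services.append((int(port.get("portid")), port.get("protocol"), name, product))
        targets[addr.get("addr")] = services
    return targets


def map_modules(targets, catalog=MODULE_CATALOG):
    """Correlate open services with catalog entries, as an automatic mapping step does.
    Returns (ip, port, module) candidates; an entry with a product hint is only
    selected when the detected product string contains that hint."""
    candidates = []
    for ip, services in targets.items():
        for port, _proto, name, product in services:
            if name not in catalog:
                continue
            module, hint = catalog[name]
            if hint is not None and hint not in product:
                continue  # version detection did not confirm the affected product
            candidates.append((ip, port, module))
    return candidates


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, port, module in map_modules(found):
        print(f"{ip}:{port} -> {module}")
```

The RDP entry is dropped because its product string does not contain the catalog's hint, which is the same reason a blind run without version detection (step 1) produces wasted attempts.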

3. Exploit Execution and Payload Delivery

Once an exploit is selected, the framework configures it with target-specific parameters (IP, port, payload). The exploit module sends malicious data to the target service. If successful, it triggers a buffer overflow or other vulnerability, allowing the framework to execute arbitrary code. The payload—typically a reverse shell or a Meterpreter-like agent—is sent to the target. Core Impact's agent is a multi-threaded executable that connects back to the framework's listener on a configurable port (default 4444). Canvas uses Mona-generated shellcode. The exam emphasizes that commercial frameworks often have custom payloads that are less likely to be detected by antivirus than Metasploit's standard payloads.

4. Post-Exploitation and Lateral Movement

After gaining a foothold, the framework's agent provides interactive access. In Core Impact, you can issue commands like `shell`, `upload`, `download`, `screenshot`, and `keylog`. The agent also supports pivoting—using the compromised host as a proxy to attack other hosts. Canvas offers a similar but more limited set of commands. A key exam point: Core Impact's agent can be upgraded to a 'service agent' that persists across reboots, while Canvas's agent is typically in-memory only. Lateral movement is achieved by using captured credentials or exploiting trust relationships.

5. Reporting and Evidence Collection

Both frameworks generate reports summarizing the attack chain. Core Impact's reporting is superior: it automatically captures screenshots of successful exploits, logged keystrokes, and looted data. The report includes a timeline of activities and recommendations for remediation. Canvas generates a simple text log. For the exam, know that Core Impact's reporting is a major selling point for enterprise clients who need compliance evidence. A common wrong answer is that Canvas has better reporting—it does not.

What This Looks Like on the Job

Enterprise Scenario 1: Large-Scale Internal Penetration Test

A penetration testing firm is hired to assess a Fortune 500 company's internal network of 10,000 hosts. The team uses Core Impact because of its automated reconnaissance and exploit mapping. They set up a Core Impact console on a laptop plugged into the internal network. The first step is a network scan using Core Impact's 'Network Scan' module, which completes in about 30 minutes. The scan reveals thousands of hosts with SMB, RDP, and SQL services. Core Impact's 'Auto Exploit' feature then runs relevant exploits in parallel against vulnerable hosts. Within two hours, the team gains initial access to 50 hosts via EternalBlue and BlueKeep exploits. Post-exploitation agents are deployed, and the team uses Core Impact's pivot functionality to reach the core network. The final report includes screenshots of each compromised host, captured credentials, and a network diagram showing the attack path. The client uses this report to prioritize patching. A common issue in this scenario is Core Impact's agent being detected by endpoint protection—the team must pre-configure the agent to use less common ports and encryption.
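The agent call-back on the default port 4444 (walk-through step 3) and the parallel SMB exploitation in the scenario above leave a recognisable shape in network flow data, and this added example (not code from either framework) shows detection logic over constructed flow records: any connection to port 4444, a single source touching many hosts on 445 within a short window, and the correlation of the two. Thresholds, the window, and the flow format are assumptions chosen for the sample; a listener moved to 80 or 443 defeats the first rule, which is why the fan-out rule and the correlation are the more durable signals.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic): "timestamp src dst dport".
# 10.0.5.23 touches five SMB hosts in seconds, then 10.0.1.12 connects back to it on 4444.
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 10.0.5.23 10.0.1.11 445
2024-05-01T10:00:01 10.0.5.23 10.0.1.12 445
2024-05-01T10:00:01 10.0.5.23 10.0.1.13 445
2024-05-01T10:00:02 10.0.5.23 10.0.1.14 445
2024-05-01T10:00:02 10.0.5.23 10.0.1.15 445
2024-05-01T10:00:09 10.0.1.12 10.0.5.23 4444
2024-05-01T10:00:15 10.0.1.40 10.0.1.50 443
2024-05-01T10:30:00 10.0.1.41 10.0.1.11 445
"""

DEFAULT_LISTENER_PORT = 4444   # default reverse-listener port named on this page
SMB_PORT = 445
FANOUT_THRESHOLD = 5           # assumed: distinct SMB hosts from one source
FANOUT_WINDOW = timedelta(seconds=30)  # assumed window for the fan-out


def parse_flows(text):
    """Parse the constructed format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_callbacks(flows, port=DEFAULT_LISTENER_PORT):
    """Any connection to the default listener port: src is the compromised host,
    dst is where the console's listener sits. Misses listeners moved to 80/443."""
    return [(src, dst) for _, src, dst, dport in flows if dport == port]


def detect_smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """One source reaching >= threshold distinct hosts on 445 inside the window,
    the shape of an automated exploit run across many SMB hosts."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - start <= window}
            if len(dsts) >= threshold:
                alerts.append((src, len(dsts)))
                break
    return alerts


def correlate(flows):
    """Highest confidence: a host calls back to the very source that ran the fan-out."""
    fanout_sources = {src for src, _ in detect_smb_fanout(flows)}
    return [(src, dst) for src, dst in detect_callbacks(flows) if dst in fanout_sources]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("callbacks:", detect_callbacks(flows))
    print("fan-out:", detect_smb_fanout(flows))
    print("correlated:", correlate(flows))
```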

Enterprise Scenario 2: Zero-Day Exploit Validation

A security research team at a vendor discovers a zero-day vulnerability in a widely used VPN appliance. They need to develop a working exploit and prove it can be used in a real attack. They choose Canvas because of its rapid exploit development capabilities. The researcher writes a Python exploit module following Canvas's API, using Mona to generate shellcode that bypasses ASLR. Within a day, the exploit is functional. They run it against a test target in a lab environment. Canvas's listener captures the reverse shell, and the researcher demonstrates privilege escalation. The findings are reported to the vendor. In this scenario, Canvas's flexibility and lack of a heavy database make it ideal for quick prototyping. However, Canvas's limited post-exploitation means the researcher must rely on manual commands or external tools for deeper analysis.

Common Misconfigurations

Firewall blocks: Both frameworks require outbound connectivity for reverse shells. If the target network blocks outbound traffic on common ports (80, 443, 4444), the exploit may succeed but the agent cannot connect back. Solution: use reverse HTTP or DNS tunnels.

License expiry: Commercial frameworks require active licenses. If the license expires mid-engagement, the framework may stop working. Always check license validity before starting.

Incorrect target selection: Running exploits against production systems without proper authorization can cause outages. Always ensure the target is in scope.

How PT0-002 Actually Tests This

What PT0-002 Tests on Core Impact and Canvas

Under Objective 3.1 (Attacks and Exploits), the exam expects you to:

Compare and contrast commercial exploit frameworks (Core Impact, Canvas) with open-source alternatives (Metasploit).

Identify the primary use cases for each framework.

Recognize key features: Core Impact's automated reporting, Canvas's rapid exploit updates, and both frameworks' agent capabilities.

Understand licensing models: Core Impact is per-seat perpetual; Canvas is subscription-based.

Common Wrong Answers and Why Candidates Choose Them

1. "Canvas is better for enterprise reporting." Wrong. Core Impact has superior reporting with automatic screenshots and compliance-ready formats. Candidates confuse Canvas's community edition with its full version.

2. "Core Impact is open-source." Wrong. Both are commercial. Candidates may assume because Core Impact has a free trial, it's open-source.

3. "Both frameworks use the same agent." Wrong. Core Impact uses Core Agent; Canvas uses Canvas Agent. They are not interchangeable.

4. "Canvas includes social engineering modules." Wrong. Core Impact includes social engineering; Canvas does not. Candidates may think all commercial frameworks have similar features.

Specific Numbers and Terms That Appear on the Exam

Default listener port for both: 4444.

Core Impact's database: PostgreSQL.

Canvas's payload generator: Mona.

Core Impact's agent name: Core Agent.

Canvas's community edition: Canvas Community.

Core Impact's reporting formats: PDF, HTML, Word.

Edge Cases and Exceptions

Both frameworks can be run from Linux, but Core Impact also has a Windows version. Canvas is Linux-only.

Core Impact's agent can be configured to use DNS tunneling for outbound communication, bypassing firewall restrictions. Canvas does not natively support DNS tunneling.

Canvas's exploit modules are written in Python 2.7 (legacy), while Core Impact supports Python 3. This can be a compatibility issue on modern systems.

How to Eliminate Wrong Answers

Apply the underlying mechanism: If a question asks about automated reporting, choose Core Impact. If it asks about rapid exploit development, choose Canvas. If it asks about post-exploitation features, Core Impact is more extensive. If it asks about licensing, remember Core Impact is perpetual, Canvas is subscription. Use process of elimination: eliminate any answer that claims open-source status for commercial frameworks.

Key Takeaways

Core Impact is best for enterprise penetration tests requiring automated reporting and extensive post-exploitation.

Canvas is best for exploit developers needing rapid inclusion of new exploits and a lightweight framework.

Both frameworks are commercial; do not confuse them with open-source Metasploit.

Default reverse listener port for both is 4444.

Core Impact uses PostgreSQL; Canvas uses a binary file.

Core Impact's agent is called Core Agent; Canvas's agent is called Canvas Agent.

Canvas includes Mona for shellcode generation; Core Impact has its own payload generator.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Core Impact

Per-seat perpetual license

Advanced automated reporting (PDF, HTML, Word)

Extensive post-exploitation agent capabilities

Built-in social engineering modules

Uses PostgreSQL database for workspace

Canvas

Subscription-based annual license

Basic text-only reporting

Limited post-exploitation agent capabilities

No social engineering modules

Uses binary .canvas file for workspace

Watch Out for These

Mistake

Core Impact and Canvas are open-source tools like Metasploit.

Correct

Both are commercial products requiring paid licenses. Core Impact uses a per-seat perpetual license; Canvas uses an annual subscription. Neither is open-source.

Mistake

Canvas has better reporting capabilities than Core Impact.

Correct

Core Impact has far superior reporting, generating detailed PDF/HTML/Word reports with screenshots and evidence. Canvas produces only basic text logs.

Mistake

Both frameworks include built-in social engineering modules.

Correct

Only Core Impact includes social engineering modules (phishing, etc.). Canvas does not have such modules.

Mistake

The default listener port for both frameworks is 80.

Correct

The default listener port for both Core Impact and Canvas is 4444, though it can be changed to 80 or 443 to evade detection.

Mistake

Canvas uses a PostgreSQL database to store workspace data.

Correct

Canvas stores workspace data in a binary .canvas file, not a database. Core Impact uses PostgreSQL.


Frequently Asked Questions

What is the difference between Core Impact and Canvas licensing?

Core Impact uses a per-seat perpetual license—you buy a license for each user and own it indefinitely, though maintenance may be required for updates. Canvas uses an annual subscription—you pay yearly and lose access if you stop paying. For the exam, remember: Core Impact = perpetual; Canvas = subscription.

Which framework is better for generating compliance reports?

Core Impact is better. It automatically generates professional reports in PDF, HTML, and Word formats, complete with screenshots and evidence of compromise. Canvas generates only basic text logs. If the exam asks about reporting, always choose Core Impact.

Can Core Impact and Canvas be used together in a penetration test?

Yes, some testers use both: Core Impact for initial exploitation and reporting, and Canvas for specific exploits not available in Core Impact. However, they are separate tools and do not natively integrate. You would need to manually transfer sessions or use a common listener.

What is Mona in Canvas?

Mona is Canvas's payload generator. It creates shellcode in various formats (raw, C, Python, etc.) and supports encoding to bypass filters. It is a separate tool that comes bundled with Canvas. The exam may ask about Mona as a Canvas component.

Do Core Impact and Canvas work on Windows?

Core Impact is available for both Windows and Linux. Canvas is Linux-only (though it can run on Windows via WSL or a VM). The exam may test that Canvas is primarily a Linux tool.

What is the default port for reverse connections in both frameworks?

The default is port 4444 for both Core Impact and Canvas. However, it is common to change it to 80 or 443 to blend in with normal traffic. The exam expects you to know the default is 4444.

Which framework includes social engineering modules?

Only Core Impact includes social engineering modules, such as phishing email creation and fake website cloning. Canvas does not have these capabilities. If a question mentions social engineering, the answer is Core Impact.
