| What tools will we commonly use on an Internal Penetration Test |
| Burp Suite Pro |
| Dirbuster/Dirb/GoBuster |
| Nikto |
| Sqlmap |
| Nessus |
| Responder |
| Metasploit Framework |
| Nmap |
| Hydra |
| Bettercap/Ettercap |
| Hashcat/John the Ripper |
| Custom Scripts |
| What’s the Process? |
| Our internal penetration testing methodology can be broken into 3 primary stages, each with several steps |
| Planning |
| Gather Scoping Information |
| After initiating the project, scoping/target information will be collected from the client. In the case of internal penetration testing, this information will include all network ranges in scope, compromise goals to help us focus our attacks, and information that can help us prevent issues, such as your account lockout policy and any web forms to avoid. |
| Review Rules of Engagement |
| This process will involve a brief meeting with the client to review and acknowledge the penetration testing rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project. |
| Execution |
| Reconnaissance |
| Once the test has officially begun, a start notification will be sent to the client. The first phase will involve passive intelligence gathering, which will include sniffing the network and analyzing the traffic we can see. Additionally, some open source intelligence gathering will be performed to gather information such as user accounts, software information, etc. The goal of this phase is to identify any sensitive information that may help during the following phases of testing. |
| Tools may include: Wireshark, TCPDump, GHDB, custom scripts |
| Threat Modeling |
| For this assessment, the threat modeling phase serves to evaluate the types of threats that may affect the targets that are in scope. The types of attacks and likelihood of these threats materializing will serve to inform risk rankings/priorities that are assigned to vulnerabilities throughout the assessment. This phase of the assessment should also include host and service discovery, combining the passive methods of detection from step 1 with active enumeration. The ultimate goal of an internal penetration test is to emulate an attacker who has already gained access to the internal network or a malicious insider. As such, during this stage we will evaluate the targets in scope and determine an attack path that follows real-world attacks. |
| Tools may include: nmap, responder, Wireshark |
| Vulnerability Analysis |
| The vulnerability analysis phase will start with the active enumeration of all in-scope targets/applications. For each service discovered, automated and manual techniques will be used to attempt to find vulnerabilities on those hosts. The engineer will attempt to identify the version of the service and identify any previously published vulnerabilities. The engineer will also test the unauthenticated portion of any web applications discovered. Each service will be tested for default credentials, misconfigurations will be identified, and the attack surface will be prioritized ahead of the exploit phase. |
| Tools may include: Nessus, nmap, Burp Suite Pro, Metasploit Framework, netcat, dirb, SSLscan |
| Exploitation |
| This phase will involve taking all potential vulnerabilities identified in the previous phases of the assessment and attempting to exploit them as an attacker would. This helps to evaluate the realistic risk level associated with the successful exploitation of the vulnerability, analyze the possibility of exploit/attack chains, and account for any mitigating controls that may be in place. Additionally, we’ll identify any false positives during this activity. That attack team focuses on using the identified vulnerabilities to reach the compromise goals laid out for the assessment, which usually involve accessing/exfiltrating sensitive data and/or taking administrative control of the corporate network. |
| Additionally, for an internal penetration test, there are attacks that take advantage of being on the same local network as in-scope targets. These include NBNS Spoofing, LLMNR Spoofing Attacks, ARP Cache Poisoning, etc. During the exploitation stage, the test team will try to gather credentials throughout the environment in various ways. For each login prompt discovered, password attacks will be attempted to try to gain access to in-scope systems. |
| Tools may include: Metasploit Framework, Responder, Bettercap, Hashcat, BurpSuite Pro, custom scripts |
| Post Exploitation |
| After successful exploitation analysis will continue, including infrastructure analysis, pivoting, sensitive data identification, data exfiltration, and identification of high-value targets/data. Our engineer will attempt to elevate their permissions and eventually achieve domain administrator, or top level permissions, on the domain. Once permissions are elevated, the test team will demonstrate the risk by identifying sensitive information such as credit cards, protected health information, internal communications, etc. We’ll use the information collected here in the prioritization and criticality ranking of identified vulnerabilities. |
| Tools may include: Metasploit Framework, Burp Suite Pro, ExploitDB, custom scripts |
| Post-Execution |
| Reporting |
| After completing the active potion of the assessment, Triaxiom will formally document the findings. The output provided will generally include an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, most critical/thematic issues discovered, overall risk scoring, organizational security strengths, and applicable screenshots. The technical findings report, on the other hand, will include all vulnerabilities listed individually, with details as to how to recreate the issue, understand the risk, recommended remediation actions, and helpful reference links. |
| Quality Assurance |
| All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny environment details, as appropriate. |
| Presentation |
| The final activity in any assessment will be a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of documentation and schedule any formal retesting, if applicable. |
Комментарии