
What are common phases of a network infrastructure penetration test?

Starting with discovering IPs and ports? A simple vulnerability assessment, checking version information of banners from different services on different ports against CVE(-like) databases? Checking availability from outside the network? Starting to monitor the network traffic for some time using sniffing?

The purpose is to get an overview of possible security issues and vulnerabilities regarding the network infrastructure and configuration.

Bob Ortiz
    The two books [Penetration Testing: A Hands On Guide To Hacking](https://www.nostarch.com/pentesting) and [The Hacker's Playbook 2](http://thehackerplaybook.com/dashboard/) do a great job outlining the general practices for penetration tests – DKNUCKLES Jul 14 '16 at 17:56

2 Answers


When I engage in penetration testing, my goals go above and beyond finding open ports, to finding "information" that could be used to gain access, or negatively impact the company. If you solely focus on ports (services), or CVE information, you will likely miss common indicators, and information that an attacker will not miss. Usually my penetration tests begin as vulnerability assessments:

  1. NMAP / Unicorn Scan (network mapping tools)
  2. Nessus / OpenVAS (vulnerability scanners)
  3. Separate laptop running Wireshark + SpiderLabs' Responder

Network mapping may paint a decent picture, but an off the shelf NMAP scan will not yield as much information as say a Nessus/OpenVAS scan, that can show open shares. A typical first day may include nothing more than discovery (arp scans, nmap scans, vulnerability scanning) so that I can create an attack surface.

Once an attack surface is built, work splits into automation, and manual checking. I will never run an exploit against a vulnerability where that exploit may trigger a denial of service. Defeats the purpose, whereas I can document: "exploits are available, however they were not run due to a Denial of Service". I make this understood to the client: "Door is open, attacker will come in, we didn't because we would cause chaos."

For services, I take HTTP+HTTPS servers and send them off to be tested using Nikto, Wikto, Burpsuite, and AppScan. Rinse and review, wait for output, analyze data, and go from there. For services on specific devices (e.g. SSH on a Cisco switch), I will attempt a brute force for the top 50 passwords ONLY. There is a reason for this: I need to check whether I have access to ATTEMPT to make a change, and whether I (as an attacker) will be blocked after N attempts. There is no need for me to go further than the top ten, as I can word it properly: "Attacker has the capability to repeatedly bruteforce the device unchecked. Due to the amount of time in this engagement, we checked the 50 top passwords..." Again, it makes no sense to attack with say the RockYou password list. The reality is, given enough time an attacker may bruteforce the password... They are not being blocked from attempting it.

Information is king. For example, on many Nessus scans, I always look at the informational data. Often I find I will see something like "NFS Share World Readable" to where I can remove myself from a domain, mount a share, and lo and behold, many times I have obtained access to PST files, company confidential material. What do you think is more business critical, telling a client: "I zero day'd your SRX gateway (that you can't fix, but will have to rely on a vendor) versus: I was able to mount 10.10.10.2:/backups/CEO/backup.pst"

I disagree with the banner checking comment in the above, as organizations under some mandates are supposed to create their own banners: "Restricted use anyone will be prosecuted" not to mention it is easy for NMAP to throw out a lot of false positives. For fingerprinting, I will rely on p0f.

I often look for internal relays, as it is easier to bypass spam filters, and may send an employee a phishing email in order to test multiple things: 1) Employee awareness (did they open the email) 2) Technological mitigations (spam filters) 3) Patch management (if my attachment has client sides against IE8.0 were they triggered).

I suggest looking at Penetration Testing Execution Standard for more information that will help you with your question. There will be multiple answers to this question, but there is also using experience to begin chaining attacks. E.g. so you found a null share against a Windows machine. Take the output and build a list of users (since some null scans will get this for you), build a list of networks you didn't know about (obtained from say a public snmpwalk), chain these together with a 50 top password bruteforce against say a printer, share, etc.

---- (Added)

Also take note, prior to running any tool, if you can plug into a network and see traffic, that itself is a finding (there is no Network Access Control). If you can run Wireshark and Responder, more findings. There is a lot to do outside of firing off nmap, Nessus, Metasploit, etc. Information should be analyzed as best as possible, and with that said, experience is the biggest tool you will have in your arsenal.

munkeyoto
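The "NFS Share World Readable" informational finding in the answer above is the kind of thing a defender can check for in configuration before a tester ever mounts anything. The following is an added example, not code from the answer or from any tool it names: it parses the standard /etc/exports syntax, flags exports open to every host, writable by every host, or missing root squashing, and shows the same shares scoped to a subnet so the audit comes back clean. The exports text and addresses are constructed for illustration.

```python
"""Audit NFS export definitions for world-readable or weak exports.

Added example (not code from the original answer). Input is the standard
/etc/exports syntax; the sample text below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample: three weak exports and one scoped correctly.
SAMPLE_EXPORTS = """
# backups (constructed example, not a real host)
/backups        *(rw,sync,no_root_squash)
/home           10.10.10.0/24(rw,sync,root_squash) *(ro)
/srv/public     10.10.10.0/24(ro,sync,root_squash)
/exports/tools  192.0.2.5(rw,sync,root_squash,insecure)
"""

# The same shares restricted to the subnet that needs them, with safe defaults kept.
HARDENED_EXPORTS = """
/backups        10.10.10.0/24(rw,sync,root_squash)
/home           10.10.10.0/24(rw,sync,root_squash)
/srv/public     10.10.10.0/24(ro,sync,root_squash)
/exports/tools  192.0.2.5(rw,sync,root_squash)
"""


@dataclass
class Finding:
    path: str
    client: str
    severity: str
    detail: str


def parse_exports(text):
    """Return (path, client, options) for every client spec in exports(5) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        path, specs = tokens[0], tokens[1:]
        if not specs:
            specs = ["*"]   # a path with no client spec is exported to every host
        for spec in specs:
            if "(" in spec:
                client, opts = spec.split("(", 1)
                options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            else:
                client, options = spec, []    # no options: nfs-utils defaults (ro, root_squash, secure)
            entries.append((path, client or "*", options))   # "(opts)" alone also means every host
    return entries


def audit_exports(text):
    """Flag exports reachable by any host, writable by any host, or missing root squashing."""
    findings = []
    for path, client, options in parse_exports(text):
        world = client == "*"
        writable = "rw" in options                       # default is read-only
        if world and writable:
            findings.append(Finding(path, client, "high", "writable by any host"))
        elif world:
            findings.append(Finding(path, client, "medium", "readable by any host"))
        if "no_root_squash" in options:
            findings.append(Finding(path, client, "high", "no_root_squash: remote root becomes local root"))
        if "insecure" in options:
            findings.append(Finding(path, client, "low", "insecure: accepts requests from unprivileged source ports"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"[{f.severity:6}] {f.path} {f.client}: {f.detail}")
    print("hardened findings:", audit_exports(HARDENED_EXPORTS))
```

Run against the sample, the audit reports four findings (two of them high for `/backups`); run against the hardened text it reports none. The parser treats a missing client or a bare `*` as "every host", which matches how exportfs interprets those lines, and it only looks at the options nfs-utils actually documents, so a clean result means the file, not necessarily the running server, is scoped correctly.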

In addition to the book references left in my comment, I think you can set the following as your high-level steps.

  1. OSINT (includes recon on the company, DNS records recon, etc)
  2. IP Scans
  3. Banner checking for vulnerabilities
  4. Web application scans & testing (Burp, Nikto, etc)
  5. Social engineering of employees
  6. Privilege escalation (if required because limited access was acquired from compromised server)
  7. Password strength checking (brute force, check against known passwords, compare if password was in a recent dump)
  8. Lateral movement through a network / pivoting / domain credential theft

With that said, I know that some companies are forgoing the entire "breaching the perimeter" thing these days because the mentality is that "Spear Phishing always works". Red teams are given a box on the network, or an entry point via another means, and do what they can to work laterally through your network and see what they can compromise.

It goes without saying that each network and test is different, but by and large the aforementioned steps are what you will likely see on most pen tests.

EDIT

Resources as requested (note I don't have any affiliations with the books other than I'm a happy owner of both). While they each cover much of the same ground, each covers sections that the other does not.

DKNUCKLES
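Steps 2 and 3 of the list above (IP scans, then banner checking) produce output that has to be turned into an asset list before anyone can compare versions against a vulnerability database or decide what needs manual review. The following is an added example, not code from the answer or from the nmap project: it reads nmap's standard `-oX` XML schema (host, address, ports/port, state, service), builds a per-host inventory of open services with their fingerprinted product and version, and flags two things a reviewer wants to see regardless of CVE matching, namely cleartext protocols and services nmap could not fingerprint. The XML document, hostnames and addresses are constructed for illustration.

```python
"""Build a service inventory from nmap -sV XML output and triage it.

Added example, not code from the original answer. It uses nmap's standard XML
schema (host/address/ports/port/state/service); the XML below is constructed
for illustration and the addresses are documentation ranges.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -p- -oX - 192.0.2.8/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# Protocols that carry credentials in cleartext; one of these open is reportable on its own.
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "rlogin", "rsh"}


@dataclass
class Service:
    host: str
    hostname: str
    port: int
    proto: str
    name: str
    product: str
    version: str

    @property
    def banner(self):
        """Normalized 'product version' string, or None when nmap got no fingerprint."""
        return " ".join(p for p in (self.product, self.version) if p) or None


def parse_nmap_xml(xml_text):
    """Return one Service per open port on every host that was up."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next(a.get("addr") for a in host.findall("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":   # skip closed/filtered/open|filtered
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda key, default="": default)
            services.append(Service(addr, hostname, int(port.get("portid")),
                                    port.get("protocol"), get("name", ""),
                                    get("product", ""), get("version", "")))
    return services


def triage(services):
    """Pair each service with the reasons it needs attention in the report."""
    issues = []
    for s in services:
        if s.name in CLEARTEXT_PROTOCOLS:
            issues.append((s, "cleartext protocol exposed"))
        if s.banner is None:
            issues.append((s, "no version fingerprint; verify the banner by hand"))
    return issues


def inventory(services):
    """Group services by host for the asset list: {host: ['22/tcp ssh OpenSSH 7.4', ...]}."""
    by_host = {}
    for s in services:
        by_host.setdefault(s.host, []).append(f"{s.port}/{s.proto} {s.name} {s.banner or '?'}")
    return by_host


if __name__ == "__main__":
    svcs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for host, lines in inventory(svcs).items():
        print(host, *lines, sep="\n  ")
    for s, why in triage(svcs):
        print(f"{s.host}:{s.port}/{s.proto} ({s.name}): {why}")
```

The `banner` strings are what you would feed to your own vulnerability database lookup; the example deliberately does not hard-code any version-to-CVE mapping. Note that only ports nmap reports as `open` are kept, so UDP services that come back `open|filtered` are dropped and need a separate check.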