I came across a scenario where an organization is using a micro-service architecture. They are using Amazon AWS as a web service and Kubernetes to maintain the micro-services. All the EC2 instances are in a private subnet. You have to connect with a VPN to access them. My approach is Black Box testing. We can just access the public domain (xyz.com), subdomains (abc.xyz.com) and publicly exposed APIs. I have just started in this field. What should be my approach to start the testing? Also, if they are using any vulnerable applications (like outdated Jenkins etc.) within the private network, can they be exploited from outside the box?
Are you running a test for them? – Shane Andrie Apr 04 '18 at 21:33
Yes, I already have the permission – Cyberzinga Apr 04 '18 at 21:45
1 Answer
If you have just started in this field, I would suggest that you first get a fundamental idea of black box penetration testing. You might also want to look into the scope of your testing. (This is the most important thing to do before you start testing.)
There are various approaches you will find on the web. The traditional approach for this kind of testing is:
- Information Gathering and Analysis:
After doing the necessary planning and preparation with the organization (or target), the next step is to gather as much information as possible about the targeted systems or networks. There are a lot of tools and online resources available to do the necessary information gathering.
- Vulnerability Assessment:
With so many targets in hand, it is important that you carefully analyze the weaker targets and attack them. At this stage, you start the vulnerability assessment on these systems to evaluate potential vulnerabilities which are exploited. You can perform the vulnerability assessment using well-known tools like Nessus, Nexpose, OpenVAS etc. During the vulnerability assessment, you will also notice that many of these systems would be running outdated third-party software and operating systems which could become easy victims of targeted attacks.
The example you gave about "outdated Jenkins etc." falls in this category.
- Exploitation:
Once you find some of the outdated software, you look up the well-known vulnerabilities in it and try to find how you can exploit it. After multiple attempts, you might manage to exploit the vulnerability successfully and might get a command shell with Local Administrator privileges.
- Post-Exploitation:
Now that you have broken into a domain system and added a backdoor user, you can use post-exploitation on this system. Your aim will be to get the local administrator password of the system and then check if you can log in to other domain systems with these credentials.
- Escalating our Privileges:
If you have access to numerous other systems with these credentials, you can use tools like netscan to look up logged-on users with the Local Administrator credentials.
- Accessing High-Value Targets:
You can target the high-value targets of the network to expose the gravity of the attack.
References: Infosec Institute