Internal Penetration Testing Services

Initial scoping

Perform information gathering/reconnaissance piece to identify what infrastructure can be found. In the reconnaissance phase of a penetration test, the tester will attempt to find out information regarding a target in a completely passive manner.

Perform fingerprinting to determine infrastructure device types, services (open ports or potential access points). This will include the use of active scanning techniques.

Target Enumeration

Commence Target Enumeration, the tester will determine or enumerate the threats facing an asset. For example, if the tester has performed reconnaissance for an engagement and identified a selection of servers as target assets, the tester will attempt to identify a list of services running on the hosts/s. This could be done via passive monitoring of the network in internal environments, or could be achieved with active scanning techniques such as port scanning.

Vulnerability Mapping

Use a comprehensive list of the services/capabilities available to an attacker from any given asset, to determine if any of these vulnerabilities could compromise the data assets or services. Common techniques for this activity include manually probing applications, networks or devices in terms or identifying exact versions of software or hardware in use on the asset.

The goal of this test phase is to quickly identify which services would allow DigitalXRAID and therefore an attacker, to compromise the host in the most damaging way possible. It is important to distinguish though, that at this stage, all vulnerabilities identified are ‘potential’, and not guaranteed to exist until proven with suitable exploitation. However, on finding a critical vulnerability the customer should be informed and the test paused as detailed in the Alert Customer Process.

Target Exploitation

During this phase, we shall validate vulnerabilities mapped earlier and provide evidence they could be used to compromise the assets in question.

Complete all exploits in a controlled manner, avoiding disruption to service or assets. For this reason, attacks such as Denial of Service attacks are avoided or shall be tested very cautiously in dedicated time frames agreed with the customer. Exploits which may be unreliable or known to work in such a way that damage or cause disruption, are shall be completed in a simulated test environment rather than against the real asset; this is particularly true for sensitive production environments.

Privilege Escalation

Upon identifying the vulnerabilities and successful exploitation as above, then see if it could take the attack further by escalating access privileges. This will prove if the asset can be exploited further or used to compromise further assets. For example, if the test is being performed against a web application, the application may segment certain functionality and permit access to it only for users with certain permissions. In an event where the attacker can obtain illegitimate, yet non-privileged, access to an account within the application using a vulnerability/exploit, they would likely attempt to discover a method of escalation onto a privileged access account, using another vulnerability/exploit. Another example of this is if the tested asset is a laptop running a Windows Operating System, and the tester can compromise an account on it and gain access, then the tester/attacker will both likely be looking for methods of compromising an account within the OS with SYSTEM-level privileges, which would allow them to perform any action within the OS, including removing security features.

Maintain Access and Lateral Movement

Assuming some level of compromise has already been achieved it might be prudent to ensure that for the duration of the test we are able to maintain the level of access, so as not to have to start the exploitation process from scratch. The tester may step in a maintaining access phase, whereby they use the level of compromise already gained to ensure that they are able to keep that level of compromise in the future, even if the vulnerability they originally used to get it, no longer exists. There are many ways to achieve this and it depends heavily on the type of test being performed. The maintain access activities could include ‘back-door’ to the system by creating additional user with administrative privileges or install a malicious piece of software which would give them access again. From there the tester can continue to compromise the asset further or use it to pivot their attacks deeper into the infrastructure. All this is evidenced within the report and clean up after the test is completed.

Clean up

Perform a clean-up of any user accounts, text files or small benign changes removed before the testing is completed. During any internal test that actively exploits misconfigurations and vulnerabilities, it is often the case that small and benign changes are made to a Customer system such as creating a text file on a vulnerable SSH server or adding a new user to a Linux host etc. DigitalXRAID shall ensure that they are all removed before the test is completed. Where it is not possible to fully restore the system/application to the state it was in prior to commencing the test (such as changes to a database), any residual traces of the test will be communicated to the client contact daily and documented in the Penetration Test Report in sufficient detail to enable the Customer to remove them if required.