As a consultant, I get to see a wide variety of networks and styles for engaging penetration testers. While a good number of the clients I work with engage us for PCI-related penetration tests, we also handle a fair number of non-PCI engagements. The strategies for both types of assessment are similar, but the scopes tend to differ, as do the overall goals of the test. While NetSPI has its own methodology for penetration testing, I’ve seen many internal teams attempt their own testing beforehand. Without a solid testing methodology to follow, you may end up missing important vulnerabilities on your internal network. I’ve compiled a list of five top strategies to help guide internal penetration tests. Hopefully these help close any gaps in your own testing practices.
Here are my top five strategies for network pen testing.
1. Test all the things
In many environments that I’ve worked in, the IT security group is primarily concerned with their most sensitive data stores when it comes to penetration tests. This creates huge gaps in the vulnerability identification (and remediation) process, because an attacker rarely lands on the sensitive system first; they compromise a less interesting host and pivot from there. Make sure you hit your sensitive data stores, but pay close attention to the other hosts on your domain that could be compromised and used as a stepping stone to those data stores.
2. Networks, networks, networks
I see network layer protocol issues on almost every network penetration test. From ARP spoofing (old) to NBNS and LLMNR spoofing (newer), network issues typically play a huge role in a penetration test. Most of these issues put an attacker in a man-in-the-middle position that is perfect for capturing credentials (cleartext passwords and NTLM challenge-response hashes) and relaying that authentication to other hosts. Additional network issues that should be tested include VLAN hopping (double 802.1Q tagging) and DTP spoofing (negotiating a trunk port with the switch). These issues can grant an attacker access to sensitive VLANs and/or all of the traffic headed to and from those VLANs.
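NBNS and LLMNR spoofing work because a host that cannot resolve a name asks the whole segment for it, and a spoofer simply answers first. That also makes spoofers easy to detect: ask for a name that cannot legitimately exist, and anything that answers is lying. The script below is an added example written for this post, not NetSPI tooling or code from the original article. It builds an LLMNR query for a random canary name (RFC 4795 uses the DNS wire format, multicast 224.0.0.252, UDP 5355), builds the kind of forged A-record reply a spoofer sends so the parser can be exercised offline, and parses replies with a bounded compression-pointer walk so a hostile packet cannot loop the parser. The canary name prefix and the 2-second timeout are assumptions, not values from the post.

```python
import random
import socket
import struct
import time
from typing import Dict, List, Tuple

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 link-local multicast group
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.strip(".").split("."))
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard query: ID, flags=0, QDCOUNT=1, one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_llmnr_response(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """What a spoofer sends: echo the ID and question, set QR, append one A record.
    0xC00C is a compression pointer to the question name at offset 12."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + rr


def decode_name(data: bytes, offset: int, max_hops: int = 8) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after the name).
    Pointer hops are capped so a malicious reply cannot make this loop forever."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2          # the name ends right after the first pointer
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if end is not None else offset + 1)
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def parse_llmnr_response(data: bytes) -> Dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        offset += 4                        # skip QTYPE/QCLASS
        questions.append(name)
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:      # A record
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def detect_llmnr_spoofer(timeout: float = 2.0, canary: str = "") -> List[Tuple[str, str, str]]:
    """Query the segment for a name nobody owns; any answer is a spoofer.
    Returns (source address, answered name, claimed IP) tuples."""
    canary = canary or "canary-%08x" % random.getrandbits(32)   # assumed prefix
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, (src, _) = sock.recvfrom(2048)
        except socket.timeout:
            break
        resp = parse_llmnr_response(data)
        if resp["is_response"] and resp["txid"] == txid:
            hits.extend((src, name, ip) for name, ip in resp["answers"])
    sock.close()
    return hits


if __name__ == "__main__":
    for src, name, ip in detect_llmnr_spoofer():
        print(f"LLMNR spoofer at {src}: claims {name} -> {ip}")
```

Run it from a host on the segment you are testing; a clean segment prints nothing. The same canary idea works for NBNS on UDP 137, and running the probe on a schedule from a few VLANs is a cheap way to catch someone running a responder tool between pentests.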
3. Brute Force All the Seasons
If you’re testing internally, I can’t stress this enough: do routine audits (weekly, monthly, and/or quarterly) of weak passwords. This can be as simple as a quick check of a single seasonal password (Winter2014) against every account, or as thorough as dumping and cracking your domain hashes. If you go the dump-and-crack route, take extra precautions to protect those hashes during and after cracking; an NT hash can be used directly in pass-the-hash attacks, so a dump is as sensitive as the passwords themselves. Any user identified with a weak password should get a friendly notification email, followed by a forced password reset if they haven’t changed it by the end of the day. If you want to incentivize users, inform them of the plan to audit passwords and offer a small prize to the users who end up on the good list.
Interested in building your own cracking system for internal password auditing? Come see Eric Gruber and me at our “GPU Cracking, On the Cheap” talk on Wednesday (9:45 AM).
4. Automated Scanners – Trust, but Verify
You can typically trust (most) automated scanners, but their output is filled with false positives. Even worse, they may cause you to miss critical (entry point) vulnerabilities that show up in the lower severities. Take memcached for instance. The Nessus plugin (52633) shows up as a medium, but memcached as typically deployed has no authentication, and I’ve seen it store database and local administrator credentials in cached data. That has resulted in immediate local administrator access to systems. Do your best to fully vet every listening service, even if there’s no scan data indicating serious vulnerabilities.
5. Check Your Web Apps
We frequently use web applications as entry points during internal penetration tests, and on external tests they are an extremely common entry point. Even light testing on internal apps can expose critical vulnerabilities like directory traversal and SQL injection. Testing your applications alongside the network test will help cover your bases.
Speaking of web applications, keep an eye on the blog for my follow up to this post – 5 Must-Have Web Application Penetration Testing Strategies.
Hopefully, you’re already taking these steps during your penetration tests. If not, I hope these gave you some insight into what’s working for us during network penetration tests. To find out more about what’s working during network penetration tests, come see our talk at Secure360 2014.
Interested in learning how you can start doing penetration testing for your organization? Make sure you sign up for the “Introduction to Penetration Testing” course (all-day Monday) with Scott Sutherland and myself.