Cobalt pentesters execute testing without detailed network or infrastructure diagrams and without any accounts or additional user information, unless required as part of the scope. Our pentesters follow a standard methodology based on Open Source Security Testing Methodology Manual (OSSTMM) for pentesting, according to the following steps:
Logistics
Since all of Cobalt’s internal network pentests are executed remotely, Cobalt pentesters need access to the internal corporate network through a stable VPN connection, as well as a lightweight Linux server inside the network to use as a jump box, from which testers scan and test the internal network during the assessment.
- For internal networks running on Amazon Web Services (AWS) machines, we will send a link to create a Kali Virtual Machine (VM) inside AWS, and ask you to set up key-based SSH access for each pentester.
- For networks that do not use a cloud network setup, download a Kali VMWare/VirtualBox image, and set up key-based SSH access for each pentester.
⚠️ Recommended system resources for the virtual image (VMWare, VirtualBox, or AWS) should be at least:
Testers also need root access to the Kali VM; this is mandatory.
Reconnaissance
A lot of external information is available to a potential malicious user by default. Just connecting to the Internet requires an initial amount of information disclosure. For example, to receive email, the organization’s mail server must be advertised on the Internet. Any web server’s location and details also require public advertising.
An attacker may have multiple avenues of exploration. Cobalt pentesters will explore all of these avenues to gather information that could be used to gain access to internal resources, such as brute-forcing credentials by using discovered company email formats and building password dictionaries containing public business information from the corporate website.
ℹ️ During this phase, testers use multiple reconnaissance scanning tools, such as Nmap, Nikto, or Shodan.io. Note: The tools testers use may vary from test to test.
Sources of information include:
- The corporate website: It is important to make sure that any information given on the corporate website is evaluated from a security perspective. Items of interest to a potential attacker include locations, other group companies that may have links to the site being assessed, contact details including phone numbers, email and physical addresses, domain information, links to other servers within an organization, and even details indicating an organization’s security policy.
- Other web locations and databases: Much information is available on other websites and databases, especially relating to publicly traded companies. It is important that organizations evaluate what information they make public over and above that prescribed by law. News articles and press releases can provide valuable additional clues as to the security policy of an organization.
- Domain Names: An organization’s presence on the Internet is indicated by the domain names that it holds. Once these have been discovered, an attacker can begin the process of relating them to the organization’s network infrastructure. Many “whois” databases on the Internet contain information that testers can query to obtain information about the organization’s network.
- Public Records: Checking the public records of an organization gives information about the name, address, and telephone number of the person responsible for administering the domain. This could allow attackers planning social engineering attacks to obtain extra information, such as details of hardware and software purchases. It can also provide clues about where the best places to target an attack may be.
Service discovery
After gathering all available information, testers begin work on probing the resources of the targeted organization.
ℹ️ During this phase, testers use multiple service scanning tools, such as Nmap, Nikto, Metasploit, Nessus, or testssl.sh. Note: The tools testers use may vary from test to test.
This takes several stages:
- Pentesters perform a complete port scan against the internal network ranges provided. This gives a detailed breakdown of the machines and resources running inside the corporate network and what functions they perform. Antivirus, backup, mail, file, monitoring, File Transfer Protocol (FTP), web and patch deployment servers, printers, and Active Directory (AD) servers and clients all need to be connected to the network to function, and all leave signatures that a port scan can detect.
- If needed, pentesters test the network segmentation required for Payment Card Industry (PCI) Data Security Standard (DSS) compliance, such as checking whether all out-of-scope systems are prevented from communicating with systems in the Cardholder Data Environment (CDE), or from impacting the security of the CDE.
- Using the results from the initial port scan, testers carry out further investigations to try to obtain details about the types of applications running on exposed machines, and version numbers for any identified software or the Operating Systems (OS) running that software. In many instances, an exposed machine has open services with no business function associated with them, which testers can identify and target.
Testers do not execute exploits that could paralyze, damage, or alter the content of the network; they document them instead. Examples include exploits that could disable certain services, deny service and affect customers (a Denial of Service (DoS) condition), or disable the ability of the organization to function.
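As an added example (not Cobalt’s own tooling), the following Python turns the XML that Nmap writes with `-oX` into the kind of host and service inventory the port scan stage produces, and applies the PCI DSS segmentation rule from the second step: when the scan is launched from an out-of-scope host, any open port found on a host inside the CDE ranges is a finding. The sample XML and the `10.0.50.0/24` CDE range are constructed for illustration.

```python
"""Nmap XML (nmap -sV -oX) -> host/service inventory, plus a PCI DSS segmentation
check: an out-of-scope scanner must reach no services on Cardholder Data Environment hosts."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not real scan output; addresses are private RFC 1918 space.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 <port protocol="tcp" portid="389"><state state="open"/>
  <service name="ldap" product="Microsoft Windows Active Directory LDAP"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
 <port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="HP HTTP Server" version="1.0"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.50.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="filtered"/></port>
 <port protocol="tcp" portid="1433"><state state="open"/>
  <service name="ms-sql-s" product="Microsoft SQL Server" version="2017"/></port>
</ports></host>
</nmaprun>"""

def parse_nmap(xml_text):
    """Return {ip: [(port, proto, service, product, version), ...]} for open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr, status = host.find("address[@addrtype='ipv4']"), host.find("status")
        if addr is None or status is None or status.get("state") != "up":
            continue
        ports = inventory.setdefault(addr.get("addr"), [])
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports expose no reachable service
            attrs = getattr(port.find("service"), "attrib", {})  # {} when -sV found nothing
            ports.append((int(port.get("portid")), port.get("protocol"),
                          attrs.get("name", "unknown"), attrs.get("product", ""),
                          attrs.get("version", "")))
    return inventory

def segmentation_findings(inventory, cde_ranges):
    """Every open port on a CDE host reachable from the out-of-scope scanner is a finding."""
    nets = [ipaddress.ip_network(r) for r in cde_ranges]
    return sorted((ip, p[0], p[2]) for ip, ports in inventory.items()
                  if any(ipaddress.ip_address(ip) in n for n in nets) for p in ports)

if __name__ == "__main__":
    inv = parse_nmap(SAMPLE_NMAP_XML)
    print(segmentation_findings(inv, ["10.0.50.0/24"]))  # -> [('10.0.50.5', 1433, 'ms-sql-s')]
```

An empty result from `segmentation_findings` is the expected outcome for a correctly segmented network; the filtered port 22 on the CDE host is deliberately not reported, because a filtered port is not a reachable service.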
Vulnerability scans
After completing the internal scan, testers identify the most vulnerable points in the internal-facing network. Their ultimate goal is to penetrate the internal endpoints and gain access to the organization’s resources.
ℹ️ During this phase, testers use multiple vulnerability scanning tools, such as Nessus, Acunetix, Metasploit, or Nexpose. Note: The tools testers use may vary from test to test.
If a potential attacker achieves this goal, an organization could face:
- Sensitive or confidential information being leaked from the organization’s network, such as personnel, payment, or other financial records. The exfiltration of trade secrets or internal communication data could damage the affected organization.
- The mail gateway or website being used as the source of spam email, leading to the organization’s domain being blacklisted and many sites automatically rejecting the organization’s legitimate email correspondence.
- Disruption to services, where one or more of the organization’s resources have been put out of action, either temporarily or permanently.
Manual assessment
In this phase Cobalt pentesters will focus on the specific resources that have been identified. Usually we focus on visibly open web servers, active directory servers and all associated clients, FTP servers, email servers, firewalls, routers, printers, file servers, Domain Name System (DNS) servers and any other services in place on the internal IP address range.
ℹ️ During this phase, testers use multiple testing and exploitation tools, such as Ettercap, Metasploit, sqlmap, Responder, or Hping3. Note: The tools testers use may vary from test to test.
While pentesters perform checks based on the specifics of a given situation, a normal scenario may examine the following:
- Active Directory (AD) networks: Organizations that want effective user management and access control can use AD, a directory service developed by Microsoft for Windows domain networks. Depending on the configuration and patch level, a tester might find a path to take over the corporate network by compromising the Domain Controller (DC).
- Routers: All connections to the Internet generally go through a border router provided by the Internet Service Provider (ISP). However, routers sometimes remain unpatched for an extended period, or default user accounts remain active. We locate all visible routers, establish the manufacturer and OS, then check for potential vulnerabilities. This testing includes attempts to access the router using various databases of well-known default passwords and settings.
- Firewalls: A firewall is designed to be the main gateway to an organization, protecting an internal set of resources. However, firewall technology can be attacked, and Cobalt does not recommend treating a firewall as an out-of-the-box solution. Firewalls need to be configured for the specific needs of the business, and kept up to date through patching and maintenance. Pentesters look for configuration errors that could leave a path into the corporate LAN. Testers attempt firewall attacks, such as buffer overflows, IP spoofing, corrupted IP packets, and attacks against normally open services.
- Web and FTP Servers: Web servers are exposed to attacks that deface websites, or that use the server as a launching pad for further attacks against hosts local to it. Testers scan all web and FTP servers in the internal network for thousands of potential exploits and vulnerabilities, such as evidence of a poor patching policy, a “vanilla” default installation, or insecure credentials.
- Email: Cobalt’s pentesters check SMTP, POP3, and IMAP on the mail gateway for open relay vulnerabilities. The mail server should only accept mail for the organization's domains, and should not relay mail for other domains. An attacker could exploit an open relay to flood the mail server with spam email, which could lead to the domain being blacklisted. Testers examine the mail server using a variety of methods, such as sending emails to non-existent domains.
- Printers: Printers inside corporate networks can be shared with the entire organization, and in some cases may be members of the AD domain. However, those devices could also use insecure default credentials or be vulnerable to web application attacks. The pentesters test those devices against all common attacks and make sure secure credentials are used.
Additional testing
Testers use custom and publicly available tools throughout the pentest, including port scanners, automated vulnerability scanners, HTTP proxies, exploits, custom scripts, and security applications.
Reporting, triaging, and additional testing
Pentesters report and triage all vulnerabilities during the assessment itself. We provide details on all of the findings discovered by our pentesters through our online platform. Clients have full visibility over discoveries in real-time through the Cobalt platform.
In the findings and final report, pentesters provide detailed remediation steps and advice on further improvements of the security posture.
The client can perform remediation efforts on critical discoveries during and after the testing timeframe, and pentesters can test the updated components and re-test the discovered issues to confirm that there is no residual risk for the client from a security perspective.