The Cobalt security assessment team carries out testing without detailed network or infrastructure diagrams and without any accounts or additional user information, unless required as part of the scope. At Cobalt we follow a standard methodology based on OSSTMM for penetration testing, according to the following steps:
Reconnaissance
Testers search for as much external information as is available to a potential malicious user. Connecting to the Internet requires an initial amount of information disclosure. For example, to receive email, an organization’s mail server must be advertised on the Internet. Any web server’s location and details also require public advertising. Testers determine what information is available during this initial phase of testing.
During this phase, testers use multiple reconnaissance scanning tools, such as Nmap, dirbuster, Nessus, or Shodan.io. Note: The tools testers use may vary from test to test.
This includes examining:
- The corporate website: Testers evaluate any information on the corporate website from a security perspective. Items that could interest a potential attacker include: locations, contact details (such as phone numbers, email, and physical addresses), domain information, links to other servers within an organization, other group companies with links to the site being assessed, or details indicating an organization’s security policy.
- Other web locations and databases: Testers search for any information available on other websites and databases, especially anything related to publicly traded companies. Testers then evaluate what information the organization makes public, especially anything above what local laws prescribe. News articles and press releases can also provide additional clues about the security policy of an organization.
- Domain names that the organization holds: Once these have been discovered, an attacker can begin the process of relating them to the organization’s network infrastructure. There are many “whois” databases available on the Internet that testers can query to yield information about the organization’s network.
- Public records about the organization: These can give testers the name, address and telephone number of the people responsible for administering the domain. This gives attackers the potential to use social engineering to obtain extra information, such as details of hardware and software purchases. It also gives clues about where the best place to target an attack may be.
Cobalt pentesters use tools like Shodan and Censys.io to find IP addresses, networks, open ports, webcams, printers, and any other devices that are connected to the internet. Pentesters use these tools to identify potential weaknesses, including accidental leaks of sensitive information, open ports or unsecured internet-connected devices, unpatched software, and leaked or exposed assets on pastebins.
Service discovery
After gathering all available information, testers begin work on probing the resources belonging to the targeted organization.
During this phase, testers use multiple service discovery tools, such as Nmap, Aquatone, EyeWitness, or testssl.sh. Note: The tools testers use may vary from test to test.
This testing includes several stages:
- Performing complete port scans on the specific IP ranges provided. This gives testers a detailed breakdown of which machines and resources are public-facing and what functions they perform. Firewalls, mail servers, Office 365 services, and web and FTP servers all have to give access to the outside world to function, and all of them leave tell-tale signatures on a port scan.
- Using the results from the initial port scan, testers carry out further investigations to obtain the types of applications running on externally exposed machines, version numbers for identified software, and the Operating Systems (OS) that run the software. In some instances, an externally exposed host may have open services that do not have functions associated with them, which testers can identify and target for testing.
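An added Python example (not Cobalt's own tooling) that turns Nmap's grepable (`-oG`) output from the port and version scans above into per-host service records and flags the cleartext legacy protocols this methodology singles out later (FTP, telnet, POP3, IMAP, SMTP). The scan output embedded below is constructed for illustration, not real scan data.

```python
import re

# Constructed sample of Nmap grepable (-oG) output for two hosts; not a real scan.
# Each port entry has the form port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 198.51.100.10-11
Host: 198.51.100.10 (mail.example.test)\tStatus: Up
Host: 198.51.100.10 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 110/open/tcp//pop3//Dovecot pop3d/, 143/open/tcp//imap//Dovecot imapd/, 443/open/tcp//ssl|https//nginx 1.18.0/\tIgnored State: closed (996)
Host: 198.51.100.11 (www.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/\tIgnored State: filtered (997)
"""

# Protocols the methodology lists as legacy and needing hardening, plus telnet.
LEGACY_CLEARTEXT = {"ftp", "telnet", "pop3", "imap", "smtp"}

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return one dict per open port: ip, host, port, proto, service, version."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports: " not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        ip, name = HOST_RE.match(line).groups()
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                records.append({"ip": ip, "host": name, "port": int(port), "proto": proto,
                                "service": service, "version": version})
    return records


def flag_legacy_services(records):
    """Keep records for cleartext legacy protocols. Nmap prefixes TLS-wrapped services
    with "ssl|" (e.g. ssl|pop3 on 995), so those are left out; note that STARTTLS on
    port 25/110/143 is not visible in -oG output and still needs a manual check."""
    return [r for r in records
            if not r["service"].startswith("ssl|") and r["service"] in LEGACY_CLEARTEXT]


if __name__ == "__main__":
    for r in flag_legacy_services(parse_grepable(SAMPLE_OG)):
        print(f'{r["ip"]} ({r["host"]}) {r["port"]}/{r["proto"]} {r["service"]} {r["version"]}')
```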
Considering that certain vulnerabilities and exploits could paralyze, damage, or alter the content of the network, testers do not perform these attacks, but instead note possible instances. For example, this includes exploits that disable certain services, deny service from the outside and affect customers (a Denial of Service (DoS) condition), or disable the ability of the organization to function.
Vulnerability scans
After the external scan has taken place, we attempt to identify the most vulnerable points in the external-facing portion of the network. The ultimate goal is to penetrate external endpoints and gain access to the internal LAN and the organization’s resources.
During this phase, testers use multiple vulnerability scanning tools, such as Metasploit, Nessus, Nmap, Burp Suite Community/Pro or Nikto. Note: The tools testers use may vary from test to test.
If a potential attacker achieves this goal, an organization could face:
- Sensitive or confidential information being leaked from the organization’s network, such as personnel, payment or other financial records.
- The mail gateway or website being used as the source of spam email, leading to the organization’s domain being blacklisted and many sites automatically rejecting the organization’s legitimate email correspondence.
- A website being defaced. An organization could experience a loss of reputation or potential customers if users log in to see an attacker’s version of its website.
- Services being disrupted, to the point that one or more of the organization’s resources have been put out of action, either temporarily or permanently.
Manual assessment
During this phase Cobalt pentesters focus on the specific resources that have been identified. Usually we focus on visibly open web servers, FTP servers, email servers, firewalls, routers, DNS servers, and any other services that are in place on the external IP address range, including Office 365 services.
During this phase, testers use manual testing and exploitation tools, such as Burp Suite Community/Pro, Metasploit, sqlmap or Postman. Note: The tools testers use may vary from test to test.
While pentesters perform checks based on the specifics of a given situation, a normal scenario may examine the following:
- Domain Name System (DNS): For organizations to use the Internet, their network users need to have the ability to query DNS servers. Some organizations have their own DNS server, and some rely on external DNS servers. If an organization’s internal DNS server fails, this could cause its Internet connection to go down. Attackers can also obtain internal knowledge from a DNS server, such as how the domain sends and receives email, or its website locations. An example of a serious DNS configuration error is when an organization allows unknown Internet users to perform a DNS zone transfer, which could give an attacker access to valuable information about the network.
- Routers: All connections to the Internet generally go through a border router provided by the Internet Service Provider (ISP). However, sometimes routers remain unpatched for an extended period, or default user accounts remain active. We locate all visible routers, establish the manufacturer and Operating System (OS), then check for potential vulnerabilities. This testing includes attempts to access the router using various databases of well-known default passwords and settings.
- Firewalls: A firewall is designed to be the main gateway to an organization, protecting an internal set of resources. However, firewall technology can be attacked, and Cobalt does not recommend treating a firewall as an out-of-the-box solution. Firewalls need to be configured for the specific needs of the business, and kept up to date through patching and maintenance. Pentesters look for configuration errors that could leave a path into the corporate LAN. Testers attempt firewall attacks, such as buffer overflows, IP spoofing, corrupted IP packets, and attacks against normally open services.
- Web Servers: Web servers are vulnerable to defacement attacks, or could be used as a launching pad for further attacks against internal networks. Pentesters scan all web servers on the client site for potential exploits and vulnerabilities, such as a poor patching policy or a default installation, that could leave an open door for a potential attacker.
- Email: Cobalt’s pentesters check SMTP, POP3, and IMAP on the mail gateway for open relay vulnerabilities. The mail server should only accept mail for the organization's domains, and should not relay mail for other domains. An attacker could exploit an open relay to flood the mail server with spam email, which could lead to the domain being blacklisted. Testers examine the mail server using a variety of methods, such as sending emails to non-existent domains.
- Remote Sites and Virtual Private Network (VPN): Corporate network infrastructures may require connections to several other subsidiary offices around the globe over a VPN. While the VPN is a secure way of using the Internet to communicate, it can be vulnerable to the same configuration problems as firewalls, because firewalls handle the VPN. A badly configured VPN to a subsidiary site could be an attack vector into the main corporate network.
- Verifying use of secure versions: As researchers discover vulnerabilities and security flaws in software, software vendors release patches for their products. Pentesters search for outdated and unpatched versions of software to test against published and patched exploits. Older versions have lower security thresholds and leave data vulnerable. According to the SANS Institute, some of the most common vulnerabilities lie within outdated versions of Office 365, which Cobalt can test.
- Ensuring legacy protocols are secured: Legacy protocols, such as POP3, IMAP, and SMTP, need to be secured to account for known vulnerabilities. Cobalt pentesters will check whether the use of these protocols is secured against documented security flaws.
Additional testing
Cobalt uses a variety of custom and publicly available tools throughout the penetration test exercise, including various port scanners, automated vulnerability scanners, HTTP proxies, exploits, custom scripts, and security applications.
Reporting, triaging, and remediation tracking
Pentesters report and triage all vulnerabilities during the assessment itself. We provide details on all of the findings discovered by our pentesters through our online platform. Clients have full visibility over discoveries in real-time through the Cobalt platform.
In the findings and final report, pentesters provide detailed remediation steps and advice on further improvements of the security posture.
The client can perform remediation efforts on critical discoveries during and after the testing timeframe, and pentesters can test the updated components and re-test the discovered issues to confirm that there is no residual risk for the client from a security perspective.