Internal Penetration Testing
Internal Penetration Testing
Defining scope and goals
Tools of the Test
Presentation of findings
Defining Scope and Goals
Define specific goals for the assessment
What defines success?
Identify vs. exploit?
Should systems be tagged?
Are screenshots enough?
Create timelines
Active assessment
Limits
Out of scope? Not for hackers
Reading email in an attempt to gain passwords
Attacking workstations to gain network credentials
Attacking administrative workstations to gain admin access
Searching .txt and .doc files on workstations
Searching .txt and .doc files on production systems
Sniffing traffic
Keystroke loggers
Intentional denial of service
Internal vs. External
What is the difference?
less or no access controls
test systems
trust relationships
Tools of the Test
1. Footprint
2. Host Identification
3. Service Identification
4. Service Enumeration
5. Host Enumeration
6. Network Map
7. HSV Scans
8. Vulnerability Mapping/Exploitation
1. Footprint
Goal: identify ranges and domains
net view /domain to identify domains
Footprint
Identify IP ranges
SNMP
DNS
ICMP
2. Host Identification
Identify Hosts
TCP
ICMP
Identify domain members using the NET command
net view /domain:<domain>
Host Identification
Foundstone net view
3. Service Identification
Identify Ports
TCP
UDP
Tool:
Fscan -i <ip>
4. Service Enumeration
Identify what is running on listening ports
Tool:
Nmap & Nessus
5. Host Enumeration
Use all the previous information to make an accurate guess at the OS and version from the Nessus reports
6. Network Map
Should be created to identify hosts, services and access paths
7. HSV Scans
High Severity Vulnerability (HSV) scans should be performed to identify systems with high severity vulnerabilities
NetBIOS weak passwords
SQL weak passwords
Web Vulnerabilities
NetBIOS weak passwords
manual guessing techniques
nbtenum ntsleuth.0catch.com
nat Network Auditing Tool
SQL weak passwords
Tools
SQLMAP
SQLlhf
SQLdict
Sqlping2
osql
Remarks
SQL can run on alternate ports
Web vulnerabilities
stealth
whisker
typhon
8. Vulnerability Mapping/Exploitation
Source port attacks
If you use IPSec, don’t forget to set the NoDefaultExempt key: HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt | DWORD = 1
Web Attacks
NetBIOS
SQL Attacks
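An added host check for the NoDefaultExempt recommendation in this section, written as PowerShell for the Windows hosts this deck is about; it is not part of the original slides. It reports the current value with its meaning as documented by Microsoft for Windows 2000/XP/Server 2003 (the systems that honour this key) and can set the recommended value; it assumes the IPsec Policy Agent service name is PolicyAgent.

```powershell
# Added audit helper (not from the original slides): checks whether a host has
# turned off the IPsec default exemptions that source-port attacks rely on.
$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$ValueName = 'NoDefaultExempt'

# Documented meanings of the DWORD; a missing value behaves like 0.
$Meaning = @{
    0 = 'all default exemptions active (IKE, Kerberos, RSVP, multicast, broadcast)'
    1 = 'Kerberos and RSVP no longer exempt (IKE, multicast, broadcast still are)'
    2 = 'multicast and broadcast no longer exempt (Kerberos, RSVP still are)'
    3 = 'only IKE exempt'
}

function Get-IpsecDefaultExemptState {
    $item  = Get-ItemProperty -Path $IpsecKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Present      = ($null -ne $item)
        Value        = $value
        Meaning      = $Meaning[$value]
        # The slides recommend 1; 3 is stricter and also removes the Kerberos/RSVP exemption.
        Compliant    = (($value -band 1) -eq 1)
    }
}

function Set-IpsecDefaultExempt {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(1, 3)][int]$Value = 1)
    if ($PSCmdlet.ShouldProcess($IpsecKey, "Set $ValueName = $Value")) {
        New-ItemProperty -Path $IpsecKey -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
        # Assumed service name for the IPsec Policy Agent; it must be restarted
        # (or the host rebooted) before the new value takes effect.
        Restart-Service -Name PolicyAgent
    }
}

# Report the state of this host; run Set-IpsecDefaultExempt -WhatIf to preview a fix.
Get-IpsecDefaultExemptState | Format-List
```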
9. Presentation of findings
Report should be clear and concise
Include screenshots
Use action items for remediation
Categorize findings
TACTICAL
STRATEGIC
Presentation of findings
Strengthening Microsoft Networks
strong domain architectures
rigid user management
hardened applications
principle of least privilege
security baselines for systems
defence in depth
network segmentation
3rd party audit
THANK YOU