Internal Penetration Testing

CNS Hut3 - The Internal Penetration Testing Experts

Internal penetration tests are designed to emulate the risk of an attacker who has penetrated the network defences, or someone with access who wishes to escalate it. e.g a contractor, non IT staff, temporary staff etc.

At CNS Hut3 we're experts in providing a rigorous, end-to-end testing process to ensure that our client's networks are totally secure from internal attacks.

There is more information about our internal penetration testing services below, however if you'd like to have a chat with one of our experts feel free to call us on or get in touch online.

Service Description

Once on site, we will connect testing laptops to the network and begin testing. Typically the issues identified can be broken into three types. Patching - Patching is a huge issue and often some boxes or applications are forgotten. Passwords - Users and systems will often have weak, guessable or plain silly passwords. Policy - Build standards and policies are often weak, allowing unnecessary applications or access. All of which could be exploited by a hacker to gain access to a host whereby privileges may be escalated or access granted.  The methods used for each test will be different, depending on the network, organisation and type of environment.

All testers will have read and understood the scope before starting any testing - before anything is touched any systems ruled out of scope should be null routed or otherwise made inaccessible. Pre-test meetings are also common place when arriving on site, mainly to re-assure the client and re-iterate the scope of the works to ensure nothing goes wrong as well as ensuring certain hosts remain untouched etc.

Upon starting testing the first task to complete is always host discovery, by doing this we will aim to map the entire network and highlight any potential targets for attacking later on in the process. Hosts to attack can also be provided by the client along with any network maps etc - this should be used as a guide line only to speed up discovery, this is also useful if the client has specific hosts they want targeted and have a particular interest in. Such documentation however is somewhat restrictive and tends not to produce the best quality of test in terms of completeness and should be relied on.

The port scanning phase follows and often targets the systems discovered in the previous step, every externally available service on a host will have a port assigned to it, by enumerating the open ports we can locate services are likely to be good targets to attack such as Telnet, SSH, web servers, SMB services etc.

Vulnerability scanning follows this step and aims to highlight any obvious attack vectors and vulnerable services, this is usually viewed as a back up to manual testing or as a method of gathering the "Low Hanging Fruit". Manual testing and further investigation of the issues and hosts highlighted in the previous steps follows and carries the general goal of exploitation of a issue or in some cases issues, this is either done manually (in the case of brute forcing, default passwords or exploits that are not widely known) or by using an exploit framework such as metasploit which holds a number of common pre-built exploits.

Process Overview

1. TOR - The Terms of Reference states what we will be doing, who exactly will be doing it, when, any exclusions, restrictions, targets etc. This must be in place before testing can commence. This is drawn up following communication between the test leader and the client.
2. Host Discovery - If a list of target hosts to scan is not given in the TOR, CNS will perform host discovery on the internal network in order to generate a list of target IP addresses and ranges. This can be a lengthy process, so if addresses and ranges can be provided in the TOR, it would grant CNS more time for vulnerability testing.
3. Port Scanning - CNS will scan all possible IP addresses either within the range given or within the generated list in the previous step, for all possible TCP and UDP Ports.
4. Vulnerability Scanning - CNS will scan the IP addresses and active ports identified in the previous step with a number of automated tools. This will quickly identify any simple vulnerabilities, e.g Default Passwords.
5. Manual Identification and Fingerprinting - CNS will connect to open ports and running services that were identified, and attempt to work out the operating system and service versions (fingerprinting).
6. Identification of Outdated, High Risk or Potentially unnecessary services - CNS will look at each service and if it is possible to identify it, will list any that are out of date, of a high risk, or unnecessary. e.g Old versions of IIS, Telnet Administration Port, Web servers with no content / default content.
7. Identification of Default Configurations - CNS will connect to every open port and service looking for default configurations, such as default passwords on firewalls or default web server installations.
8. Identification of Information Leakage - CNS will connect to every open port and service looking for any information that is being provided, that is unnecessary and could provide an attacker with intelligence on targets to attack, e.g. internal IP addresses, usernames, or even passwords.
9. Identification of Vulnerabilities - CNS will using all previous stages to conduct a very detailed manual examination of every port and service, identifying and rating vulnerabilities for Likelihood (how easy the vulnerability is to exploit) and Impact (how much damage can be done by a successful exploit).
10. Domain Exploitation - For Windows networks, CNS will try to exploit vulnerabilities in order to gain access to the Domain Admin account. If access is obtained, password hashes for domain accounts will be dumped and CNS will attempt to crack these passwords. These credentials can also be used in authenticated testing.
11. Authenticated Testing - If credentials are provided for hosts, or they are discovered via an exploit, CNS will do authenticated scanning of these hosts. This will reveal issues that cannot be easily determined by unauthenticated testing, such as missing patches and updates, as well as the potential installation of unauthorised software such as instant messaging clients.
12. Documentation - CNS will then document all results and issues identified, providing a detailed executive summary, results table, statistics page, and detailed technical explanation for each page.
13. Quality Assurance - The report will then be passed through our internal QA process where a second senior tester will review the report and the issues identified. The report will then be passed to the testing manager for a final review. The report will continue to go through this process until it is accepted by the team.
14. Report Release - The report will then be provided to the client using the chosen method, by default this will be on an encrypted CD sent via registered post.
15. Optional Retest - As an optional extra, CNS can conduct further testing to verify any fixes applied.
16. Post Testing Debriefing - CNS will then conduct a debriefing for the client.

Remote Access Testing

Most organisations have embraced mobile and remote working and or they have third parties who need to connect to their systems (suppliers, support companies etc). These are gateways into your organisation and it is vital they are tested regularly, to ensure they are secured, only allowing authorised individuals the appropriate level of access. CNS will evaluate the security of VPN, RAS and dial in solutions, from an unauthorised (an attacker on the internet), authorised (average user) and a configuration review.