Internal Penetration Testing
Description: Internal pentest
Transcript
Internal Penetration Testing
Internal Penetration Testing
Agenda:
Defining scope and goals
Tools of the test
Presentation of findings
Defining Scope and Goals
Define specific goals for the assessment:
What defines success?
Identify vs. exploit?
Should systems be tagged?
Are screenshots enough?
Create timelines
Active assessment
Limits
Out of scope? Not for hackers: real attackers observe no such limits, so consider whether the following belong in scope:
Reading email in an attempt to gain passwords
Attacking workstations to gain network credentials
Attacking administrative workstations to gain admin access
Searching .txt and .doc files on workstations
Searching .txt and .doc files on production systems
Sniffing traffic
Keystroke loggers
Intentional denial of service
Internal vs. External
What is the difference?
Less or no access controls
Test systems
Trust relationships
Tools of the Test
1. Footprint
2. Host Identification
3. Service Identification
4. Service Enumeration
5. Host Enumeration
6. Network Map
7. HSV Scans
8. Vulnerability Mapping/Exploitation
1. Footprint
Goal: identify ranges and domains
net view /domain to identify domains
Footprint (cont.)
Identify IP ranges via:
SNMP
DNS
ICMP
2. Host Identification
Identify hosts using TCP and ICMP probes
Identify domain members using the NET command: net view /domain:<domain>
Host Identification (cont.)
Foundstone tools; net view
3. Service Identification
Identify listening ports (TCP and UDP)
Tool: Fscan -i <ip>
4. Service Enumeration
Identify what is running on listening ports
Tools: Nmap & Nessus
5. Host Enumeration
Use all the previous information to make an accurate guess at the OS and version, cross-checked against the Nessus reports
6. Network Map
Should be created to identify hosts, services and access paths.
7. HSV Scans
High Severity Vulnerability (HSV) scans should be performed to identify systems with high-severity vulnerabilities:
NetBIOS weak passwords
SQL weak passwords
Web vulnerabilities
HSV Scans (cont.)
NetBIOS weak passwords:
Manual guessing techniques
nbtenum (ntsleuth.0catch.com)
NAT (Network Auditing Tool)
SQL weak passwords
Tools:
SQLMAP
SQLlhf
SQLdict
Sqlping2
osql
Remarks: SQL can run on alternate ports
Web vulnerabilities
Tools:
stealth
whisker
typhon
8. Vulnerability Mapping/Exploitation
Source port attacks
If you use IPsec, don't forget to set the NoDefaultExempt key (the default exemptions allow traffic matching certain source ports to bypass IPsec filtering):
HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt | DWORD = 1
Web Attacks
NetBIOS
SQL Attacks
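As an added example (not part of the deck), a PowerShell helper that audits, and optionally sets, the NoDefaultExempt value the slide recommends. The function and parameter names are this example's own; it assumes a legacy Windows host (2000/XP/2003) whose IPSEC Policy Agent reads this key, since later Windows versions manage IPsec exemptions through the firewall's global IPsec settings instead.

```powershell
# Added example: audit (and optionally set) the IPsec NoDefaultExempt value
# recommended on the slide. Function and parameter names are this example's own.
# Assumes a legacy Windows host (2000/XP/2003) whose IPSEC Policy Agent honours
# the key; a change takes effect only after the IPSEC service or host restarts.
function Test-IpsecDefaultExempt {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Value the slide recommends (DWORD = 1).
        [int]$Expected = 1,
        # Set the value when it is missing or differs from $Expected.
        [switch]$Remediate
    )
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
    $name = 'NoDefaultExempt'

    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Path = $path; Name = $name; Current = $null
                                   Expected = $Expected; Compliant = $false
                                   Note = 'IPSEC service key not present' }
    }

    # A missing value reads back as $null; the default exemptions then apply.
    $current   = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $compliant = ($null -ne $current) -and ([int]$current -eq $Expected)

    if (-not $compliant -and $Remediate) {
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $Expected")) {
            # -Force creates a missing value or overwrites an existing one (needs an elevated prompt).
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Expected -Force | Out-Null
            $current   = $Expected
            $compliant = $true
        }
    }

    $note = if ($null -eq $current) { 'Value missing: default exemptions in effect' }
            elseif ($compliant)     { 'Value set as recommended' }
            else                    { 'Value differs from recommendation' }

    [pscustomobject]@{ Path = $path; Name = $name; Current = $current
                       Expected = $Expected; Compliant = $compliant; Note = $note }
}

# Audit only; add -Remediate to apply the setting, or -Remediate -WhatIf to preview it.
Test-IpsecDefaultExempt | Format-List
```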
9. Presentation of findings
Report should be clear and concise
Include screenshots
Use action items for remediation
Categorize findings as tactical or strategic
Presentation of findings
Strengthening Microsoft Networks
Strong domain architectures
Rigid user management
Hardened applications
Principle of least privilege
Security baselines for systems
Defence in depth
Network segmentation
3rd party audit
THANK YOU