Once on site, we will connect testing laptops to the network and begin testing. The issues identified typically fall into three types. Patching – patching is a huge issue, and some boxes or applications are often forgotten. Passwords – users and systems will often have weak, guessable or plain silly passwords. Policy – build standards and policies are often weak, allowing unnecessary applications or access. Any of these could be exploited by a hacker to gain access to a host, from which privileges may be escalated or further access granted. The methods used for each test will differ depending on the network, the organization and the type of environment.
All testers will have read and understood the scope before any testing starts, and before anything is touched any systems ruled out of scope should be null routed or otherwise made inaccessible. Pre-test meetings are also commonplace on arrival on site, mainly to reassure the client and reiterate the scope of the works, ensuring nothing goes wrong and that specified hosts remain untouched.
Upon starting testing, the first task is always host discovery. By doing this we aim to map the entire network and highlight any potential targets for attacking later in the process. Hosts to attack can also be provided by the client, along with any network maps etc. These should be used as a guideline only, to speed up discovery; they are also useful where the client has specific hosts they want targeted and have a particular interest in. Such documentation is, however, somewhat restrictive, tends not to produce the best quality of test in terms of completeness, and should not be relied on. The port scanning phase follows and targets the systems discovered in the previous step. Every externally available service on a host has a port assigned to it, so by enumerating the open ports we can locate services that are likely to be good targets to attack, such as Telnet, SSH, web servers, SMB services etc.
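The scope check described above (out-of-scope systems made inaccessible before anything is touched, discovery output used only as a guide) is easy to automate. The following is an added example, not code from the original page: it takes the hosts found by a discovery sweep, here parsed from a constructed sample of nmap's greppable output, and partitions them against the agreed ranges and explicit exclusions, so that only confirmed in-scope hosts are carried forward to port scanning. The ranges and addresses are constructed sample data, not from any real engagement.

```python
"""Scope check for hosts found during discovery.

Added example, not from the original page. The scope ranges, exclusions and
the nmap output below are constructed sample data.
"""
import ipaddress

# Constructed scope: ranges the client agreed to, and hosts ruled out
# (for instance a production database or an HA cluster).
IN_SCOPE = ["10.10.0.0/24", "10.10.1.0/24"]
EXCLUDED = ["10.10.0.5", "10.10.1.0/28"]


def classify(host, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Return 'excluded', 'in-scope' or 'out-of-scope' for one address.

    Exclusions are checked first, so a host explicitly ruled out but sitting
    inside an agreed range is never treated as a target.
    """
    addr = ipaddress.ip_address(host)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in excluded):
        return "excluded"
    if any(addr in ipaddress.ip_network(n, strict=False) for n in in_scope):
        return "in-scope"
    return "out-of-scope"


def partition(discovered, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Group discovery results into targets and hosts that must not be touched."""
    groups = {"in-scope": [], "excluded": [], "out-of-scope": []}
    for host in discovered:
        groups[classify(host, in_scope, excluded)].append(host)
    return groups


def parse_gnmap(text):
    """Extract the addresses of live hosts from nmap greppable (-oG) output.

    Only 'Host:' lines reporting 'Status: Up' are kept; comment lines and
    hosts that did not respond are ignored.
    """
    hosts = []
    for line in text.splitlines():
        if line.startswith("Host:") and "Status: Up" in line:
            hosts.append(line.split()[1])
    return hosts


# Constructed sample of nmap -oG output from a ping sweep.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.0.5 ()\tStatus: Up
Host: 10.10.0.17 ()\tStatus: Up
Host: 10.10.1.3 ()\tStatus: Up
Host: 10.10.1.40 ()\tStatus: Up
Host: 10.10.9.1 ()\tStatus: Up
Host: 10.10.0.99 ()\tStatus: Down
# Nmap done
"""

if __name__ == "__main__":
    result = partition(parse_gnmap(SAMPLE_GNMAP))
    for group, hosts in result.items():
        print(f"{group:13s} {', '.join(hosts) or '-'}")
```

Anything landing in the "out-of-scope" group is worth raising with the client before proceeding: it usually means either the discovery sweep reached further than the scope document anticipated, or the scope document is incomplete.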
Vulnerability scanning follows this step and aims to highlight any obvious attack vectors and vulnerable services. This is usually viewed as a backup to manual testing or as a method of gathering the “low hanging fruit”. Manual testing and further investigation of the issues and hosts highlighted in the previous steps follows, with the general goal of exploiting an issue or, in some cases, several issues. This is done either manually (in the case of brute forcing, default passwords or exploits that are not widely known) or by using an exploit framework such as Metasploit, which holds a number of common pre-built exploits.
Remote Access Testing
Most organizations have embraced mobile and remote working, and/or they have third parties who need to connect to their systems (suppliers, support companies etc). These are gateways into your organization, and it is vital they are tested regularly to ensure they are secured and only allow authorized individuals the appropriate level of access. We will evaluate the security of VPN, RAS and dial-in solutions from an unauthorized perspective (an attacker on the internet), from an authorized perspective (an average user), and through a configuration review.