Internal Penetration Test - IPT

description

The goal of a penetration test is to try and identify exploitable weaknesses in the target. Often, something that is exploited does not directly result in a true or complete breach but may offer a toe-hold which creates another avenue or vector by which the attacker can use to continue attacking the target. This toe-hold concept is known as pivoting. During our testing, E3 will attempt to identify possible pivot points in order to identify possible means of data ex-filtration, device compromise, or denial-of-service.

• Internal Network Penetration test for authorized LAN/WAN segments

• Vulnerability identification and risk ranking

• Threat modeling and exploitation attempts for identified vulnerabilities

• Brute force testing

• Data ex-filtration attempts

• Review of monitoring/alerting for intrusion attempts

TESTING OBJECTIVES

There are many methods to employ pivoting techniques with technical and non-technical attacks. Ultimately, the goal is to find a weakness which can be exploited to gain access to sensitive information. E3 will try and identify weaknesses when conducting these tests and then attempt to exploit them as a malicious attacker would.

There are essentially three types of penetration test approaches. The first approach is the black box testing approach wherein the tester is given little or no information about the target and has no real communication with the target’s internal staff.

The second approach is known as white box testing. This testing is done with full knowledge of the target’s internal staff, and the target generally gives the tester information about its target in advance.

In white box testing, for example, it is common for an application’s source code to be provided. It is common for configurations of firewall and other network devices to be given in advance of threat modeling and vulnerability testing. This approach gives the tester inside knowledge that an outsider would not have. This approach effectively decreases the amount of time required to identify possible vulnerabilities or attack vectors.

The third type of testing approach is known as grey box testing. Grey box testing, as one might expect, is a hybrid between black and white box testing. The degree of advanced knowledge given to the tester is generally worked out during the scoping phase of the test.

Most penetration testing employs various methods of social engineering unless otherwise directed by the target.