Network Infrastructure Penetration Test
Many organisations open up to the Internet to conduct business without realising the risks associated with it. A remote infrastructure penetration test can provide you with a better understanding of your security exposure. The goal of this test is to attempt to gain access to sensitive company systems or information from a remote location. If we achieve remote access, further tests can be carried out to demonstrate the impact of the vulnerabilities identified.
This can help you identify risks and gives you a chance to know your weaknesses. Fixing these may prevent unwanted disturbances.
What do we cover?
This service covers systems exposed to the Internet which often includes testing of the following:
- Mail servers such as Microsoft Exchange and Lotus Domino
- Firewall and network equipment, to test the external perimeter
- Virtual Private Network (VPN) systems
- Remote access systems such as SSH and Remote Desktop
- Monitoring services such as SNMP
- Video conferencing and phone system (see our VoIP Pentest service)
Some of the techniques used are associated with vulnerability scanning to do tests that need to be automated, such as:
- Network scanning using various methods (e.g. SYN scans, UDP scans, ACK scans)
- Vulnerability scanning to identify various low-hanging vulnerabilities
- DNS footprinting, enumeration, interrogation
- Web server related tests
However, for a Penetration Test to be effective, we perform a large number of manual tests allowing us to simulate real attackers. This often includes:
- IPSec / VPN tests (enumeration of transforms, leakage of PSK, bruteforce attacks)
- Manual security tests on web applications found on the target systems
- Checks for weak administrative passwords on the various exposed services (e.g. HTTP, SSH, SNMP, FTP)
- SNMP tests (community string brute-force and further tests if we obtain access)
- Research into public vulnerabilities affecting the software and equipment exposed externally
- Private vulnerability research of vendor products and systems exposed externally
As part of this service, we often research and test the products and software exposed on your external perimeter (when available to us) in our lab environment.
Which methodology is used?
We make use of the Penetration Testing Execution Standard (PTES) and NIST SP800-115 to ensure a standard level of coverage. We might take a black box or white box approach. However, just like real attackers, we do not limit ourselves to particular rigid methodologies. Instead, we tailor our actions according to the goals and needs of the test.
Usually the attacks are launched remotely, over the Internet.
How does the process look like?
Most of our engagements follow these steps:
- First step is that you contact us
- We ask you a number of questions to understand what you have in mind, the goals for the exercise and the scope
- We perform a scoping exercise to better understand the size of the project; in the case of an external penetration test, the scoping exercise often involves port scanning to better understand the exposure and therefore tailor our proposed work to your needs
- We verify with you our scope where appropriate
- We work on a proposal which describes the goals, the scope, the methodology, deliverables, dates allocated for the project, terms and conditions and the price
- The actual work takes place during the allocated dates; your IT staff involved in the project often need to be available during the tests
- Upon completing the tests, we work on the reports and often provide a brief report of the main findings so that your staff are informed of the results immediately
- The deliverables are provided to you
- Often the process also includes testing of the security fixes once applied
What are the deliverables?
To view a public technical report that we published, check out the Bug Bounty Bout 0x01 report.
At the end of the project, the client usually receives the following:
- Executive report, which is an easy to follow 4 page report that includes information about the penetration test, list of the findings and a short explanation of the security fixes or mitigation techniques
- Technical report, which includes the following sections:
- Introduction, which describes the scope, methodology and purpose of the work
- Findings and recommendations which are categorised as High security threats, Other security threats and Other concerns and recommendations
- Each finding that is considered a security threat includes:
- a description of the security issue as it affects the target system
- our assessment of the impact of the vulnerability
- details on how to reproduce the issue found
- solutions and recommendations, which are tailored for the target audience and can go into quite some detail
- Methodology, which describes our tests to explain what was covered and how; this would include both tests that led to vulnerability discoveries, and also those that did not
- Other material is sometimes provided such as:
- video demonstrations showing exploitation of your systems
- dedicated exploit code to reproduce the security issues found
What costs can one expect?
Prices for similar penetration tests start at 4000 EUR. Cost is dependent on the size and complexity of the system on test and the level of rigor in which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote.