External Penetration Test - Nethemba

Network and System Security

External Penetration Test


This type of testing consists of several phases that are carried out in accordance with the OSSTMM (Open Source Security Testing Methodology Manual).

The tools and processes used during the testing are defined in the Penetration Testing Framework.

The black-box penetration test is performed from the perspective of an anonymous attacker on the Internet who has no prior information about the tested network topology or the tested services.

Testing is divided into three phases:

1. The first phase is a full-range scan (enumeration) of the TCP and UDP ports of each active network element (a server, or a router on the Internet or in the DMZ). A special anti-IDS scan can also be performed, which lowers the chance that any IDS in place detects the scan (this is a suitable way to verify that the IDS works correctly). For the enumeration, TCP SYN (half-open) scans, TCP full-connect scans and fragmented-packet scans are used, along with a UDP scan.

2. In the second phase, the discovered services and the OS/IOS versions are identified. Potential vulnerabilities are revealed with a set of specialized testing programs. Weakly encrypted protocols (e.g. VPN) and the use of IPv6 are detected at the same time. Where VPN services (IKE hosts) are detected, the version and type of the implementation are analyzed, which leads to the identification of potential vulnerabilities.

3. The third phase consists of targeted attacks against the servers, using freely available software packages (exploit scripts) against the detected vulnerabilities, in order to verify the real threat that the discovered vulnerabilities pose.
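The first phase notes that the scan can be used to verify that an IDS actually detects it. The following script is an added example, not Nethemba's tooling: it runs simple half-open (SYN-only) sweep detection over constructed connection records, using a sliding time window so that a fast sweep of many ports is flagged while a slow, spread-out one is not. The record format and the sample addresses are assumptions made for this example.

```python
"""Added example, not Nethemba's own tooling: flag half-open (SYN-only) port
sweeps in constructed connection-log records, the kind of signal an IDS should
raise during the phase-1 enumeration."""
from collections import defaultdict

# Constructed connection records: (time_s, src_ip, dst_ip, dst_port, state)
# state "SYN"   = SYN seen, no handshake completed (half-open probe)
# state "ESTAB" = three-way handshake completed (normal client connection)
SAMPLE_FLOWS = []
# 1) a fast half-open sweep: 25 ports in under 10 seconds from one source
for i in range(25):
    SAMPLE_FLOWS.append((100 + i * 0.4, "203.0.113.5", "192.0.2.10", 1 + i, "SYN"))
# 2) a slow sweep: 25 ports spread over 10 minutes (25 s apart)
for i in range(25):
    SAMPLE_FLOWS.append((200 + i * 25, "203.0.113.9", "192.0.2.10", 8000 + i, "SYN"))
# 3) a legitimate client: completed handshakes to two services
for t, port in ((150, 443), (151, 443), (152, 25)):
    SAMPLE_FLOWS.append((t, "198.51.100.7", "192.0.2.10", port, "ESTAB"))


def detect_syn_sweeps(flows, port_threshold=20, window_s=60):
    """Return {(src, dst): distinct_ports} for every source that probed at
    least `port_threshold` distinct ports on one target with SYN-only
    connections inside some `window_s`-second sliding window."""
    probes = defaultdict(list)
    for t, src, dst, port, state in flows:
        if state == "SYN":              # only half-open attempts count
            probes[(src, dst)].append((t, port))

    hits = {}
    for key, attempts in probes.items():
        attempts.sort()
        lo = 0
        seen = defaultdict(int)         # port -> occurrences inside the window
        for t, port in attempts:
            seen[port] += 1
            # slide the left edge until the window spans at most window_s
            while t - attempts[lo][0] > window_s:
                old_port = attempts[lo][1]
                seen[old_port] -= 1
                if seen[old_port] == 0:
                    del seen[old_port]
                lo += 1
            if len(seen) >= port_threshold:
                hits[key] = max(hits.get(key, 0), len(seen))
    return hits


if __name__ == "__main__":
    for (src, dst), n in detect_syn_sweeps(SAMPLE_FLOWS).items():
        print(f"possible SYN sweep: {src} -> {dst}, {n} distinct ports within 60 s")
```

With the defaults only the fast sweep is reported; lowering `port_threshold` to 3 also catches the slow sweep, which is the usual tuning trade-off between sensitivity and false positives, and the client with completed handshakes is never counted because only SYN-only records enter the window.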

Testing includes:

  • Vulnerability control – a security scan is applied to detect existing vulnerabilities in the services identified during the port scan
  • Penetration – an attempt to exploit the available vulnerabilities and insufficient configuration in order to penetrate other systems and devices, escalate user privileges and gain access to resources
  • Information collection – all information about the target system is collected, identified and analyzed, including the web server version, the modules in use, the programming platform, the WAF and the access points to the application
  • Enumeration and scanning of vulnerabilities – potential vulnerabilities are identified by means of intrusive methods and techniques (specially constructed HTTP requests), using specialized security scanners and fault-injection proxies as well as manual verification
  • Use of vulnerabilities – an attempt to gain access by using the vulnerabilities identified in the previous phase of testing. The goal is to obtain user or privileged (administrator) access to the application or operating system by using special exploit scripts and exploit methodology
  • Testing of the mail server – in addition to testing for known vulnerabilities of the concrete MTA implementation, several detailed SMTP tests are run to verify whether the MTA has any relaying problems. All the ways in which spammers could abuse the SMTP server are checked, as is the resistance of the MTA to a potential DoS attack. The test covers all MX servers of the tested domain. At the same time, potentially exploitable vulnerabilities and weaknesses of any anti-virus and anti-spam implementations are identified
  • Testing of DNS zones – in addition to testing for known vulnerabilities of the concrete DNS server implementation (BIND, Microsoft DNS server), the consistency of all zones across all authoritative DNS servers is verified. The possibility of a public zone transfer and the vulnerability to DNS cache poisoning attacks are checked as well. At the same time, penetration tests of each DNS server for the given domain (from outside the client's network, provided the operator's consent is available) are performed
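The mail-server item above centres on relaying problems. The script below is an added example, not Nethemba's test suite: it models an MTA relay policy (local domains plus trusted client networks, an assumption made here rather than any MTA's real configuration format) and evaluates it offline against a constructed relay test matrix, so an administrator can confirm the rule set refuses relaying for untrusted clients, ignores a forged local sender, and rejects legacy routing syntax before the live SMTP tests are run.

```python
"""Added example, not Nethemba's test suite: evaluate an MTA relay policy
offline against a constructed relay test matrix. The policy model is an
assumption made for this example."""
import ipaddress


def recipient_domain(addr):
    """Return the destination domain of an RCPT TO address, or None when the
    address uses legacy routing syntax ('%' or '!' in the local part, or a
    leading '@host:' source route) that a hardened MTA should refuse."""
    addr = addr.strip().strip("<>")
    if addr.startswith("@"):            # source route: @relay:user@dest
        return None
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    if "%" in local or "!" in local:    # percent hack / UUCP bang path
        return None
    return domain.lower()


class RelayPolicy:
    def __init__(self, local_domains, trusted_networks):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]

    def accepts(self, client_ip, mail_from, rcpt_to):
        """Decision for one RCPT TO: deliver to local domains from anyone,
        relay to foreign domains only for trusted client networks. MAIL FROM
        is deliberately ignored: a forged local sender must never be enough
        to earn relaying."""
        domain = recipient_domain(rcpt_to)
        if domain is None:
            return False
        if domain in self.local_domains:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted)


# Constructed relay test matrix: (label, client_ip, mail_from, rcpt_to, expected)
RELAY_MATRIX = [
    ("foreign to foreign, untrusted client", "203.0.113.5",
     "someone@example.org", "user@example.net", False),
    ("forged local sender, untrusted client", "203.0.113.5",
     "alice@local.test", "user@example.net", False),
    ("percent hack through local domain", "203.0.113.5",
     "someone@example.org", "user%example.net@local.test", False),
    ("source-routed recipient", "203.0.113.5",
     "someone@example.org", "@local.test:user@example.net", False),
    ("inbound mail to local domain", "203.0.113.5",
     "someone@example.org", "bob@local.test", True),
    ("outbound mail from trusted LAN", "192.0.2.20",
     "alice@local.test", "user@example.net", True),
]


def open_relay_findings(policy, matrix=RELAY_MATRIX):
    """Return the labels of matrix rows where the policy's decision differs
    from the expected one; accepted relays are the open-relay findings."""
    return [label for label, ip, mf, rt, expected in matrix
            if policy.accepts(ip, mf, rt) != expected]


if __name__ == "__main__":
    hardened = RelayPolicy(["local.test"], ["192.0.2.0/24"])
    print("hardened policy findings:", open_relay_findings(hardened))
    # constructed misconfiguration: the whole Internet treated as trusted
    permissive = RelayPolicy(["local.test"], ["0.0.0.0/0"])
    print("permissive policy findings:", open_relay_findings(permissive))
```

The hardened policy produces no findings, while the permissive one fails the two rows that relay foreign mail for an untrusted client; the routing-syntax rows pass in both cases only because `recipient_domain` refuses them outright, which is the check most worth keeping when the policy is ported to a real MTA configuration.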
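The DNS item above checks zone consistency across all authoritative servers and the possibility of a public zone transfer. The following script is an added example, not Nethemba's tooling: it audits constructed snapshots of one zone as served by each name server and reports SOA serial mismatches, records that are missing on some servers, and servers that answered an AXFR request from an unrelated address. The snapshot layout and the server names are assumptions made for this example; a real run would fill the snapshots from queries against each server.

```python
"""Added example, not Nethemba's tooling: audit constructed per-server
snapshots of one DNS zone for consistency and AXFR exposure."""

# Constructed zone content; records are (owner, type, rdata) triples.
MX_RECORD = ("example.test.", "MX", "10 mail.example.test.")
WWW_RECORD = ("www.example.test.", "A", "192.0.2.80")
OLD_WWW_RECORD = ("www.example.test.", "A", "192.0.2.81")   # stale value on ns3
BASE_RECORDS = {
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "ns2.example.test."),
    ("example.test.", "NS", "ns3.example.test."),
    MX_RECORD,
    WWW_RECORD,
}

# Constructed snapshots: server -> {"serial", "axfr_open", "records"}
# "axfr_open" records whether the server returned the zone to an AXFR
# request from an address that is not one of its secondaries.
ZONE_SNAPSHOTS = {
    "ns1.example.test": {"serial": 2024031501, "axfr_open": False,
                         "records": set(BASE_RECORDS)},
    "ns2.example.test": {"serial": 2024031501, "axfr_open": False,
                         "records": set(BASE_RECORDS)},
    # ns3 is behind (old serial), lost the MX record, serves an old A record
    # and hands out the whole zone to anyone who asks
    "ns3.example.test": {"serial": 2024031402, "axfr_open": True,
                         "records": (BASE_RECORDS - {MX_RECORD, WWW_RECORD})
                                    | {OLD_WWW_RECORD}},
}


def audit_zone(snapshots):
    """Compare the zone as served by each authoritative server.

    Returns a dict with:
      serials_consistent  True when every server reports the same SOA serial
      stale_servers       servers whose serial is below the highest seen
      missing_records     record -> servers that do not serve it
      axfr_open           servers that allowed an unrestricted zone transfer
    """
    servers = sorted(snapshots)
    serials = {s: snapshots[s]["serial"] for s in servers}
    newest = max(serials.values())
    union = set().union(*(snapshots[s]["records"] for s in servers))

    missing = {}
    for rec in sorted(union):
        lacking = [s for s in servers if rec not in snapshots[s]["records"]]
        if lacking:
            missing[rec] = lacking

    return {
        "serials_consistent": len(set(serials.values())) == 1,
        "stale_servers": [s for s in servers if serials[s] < newest],
        "missing_records": missing,
        "axfr_open": [s for s in servers if snapshots[s]["axfr_open"]],
    }


if __name__ == "__main__":
    report = audit_zone(ZONE_SNAPSHOTS)
    print("serials consistent:", report["serials_consistent"])
    print("stale servers:", report["stale_servers"])
    print("servers allowing public AXFR:", report["axfr_open"])
    for rec, lacking in report["missing_records"].items():
        print(f"{rec} missing on {', '.join(lacking)}")
```

Comparing the full record sets rather than only the SOA serials matters: a serial mismatch tells you replication is lagging, but only the record-level diff shows which answers clients actually receive differently depending on the server they hit.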