Intranet penetration tests
The intranet penetration test consists of multiple phases, performed in accordance with the OSSTMM, chapter 10 – Telecommunications Security Testing. The tools and procedures used are described in the Penetration Testing Framework.
The testing is performed from the viewpoint of a potential anonymous attacker with physical access to the internal network (without AD access), as well as from the viewpoint of an ordinary company employee (with AD access).
The goal is to demonstrate the compromise of the customer's internal network (e.g. obtaining a domain administrator account).
The testing consists of four phases:
- Scan (enumeration) of the complete range of TCP/UDP ports (1 – 65535) on the given active network device (server, router). A special anti-IDS scan can also be performed, aimed at evading possible IDS devices (suitable for assessing whether the IDS functions correctly).
- In the second phase, the discovered services and OS/IOS versions are identified and potential vulnerabilities are revealed using specialized testing programs. Any non-standard or encrypted (VPN) protocols and the use of IPv6 are also identified. The goal is to map the local network (accessible servers, services, workstations and devices), to port-scan the local network (accessible SMTP, DNS, SNMP, SQL, HTTP and other services), and to gather information about the tested environment (IP addresses, hostnames, network topology, etc.).
- The third phase is an attack on the security of the network infrastructure (VLAN, HSRP, routing protocols, STP, etc.).
- The fourth phase consists of specific attacks on the servers using freely available programs (exploit scripts) against the discovered vulnerabilities, and verification of the real impact of the found vulnerabilities. The found vulnerabilities and insufficient configuration are exploited in an attempt to break into further systems and devices, escalate privileges and gain access to resources.
Every discovered service is comprehensively tested against known vulnerabilities that could lead to server compromise or leakage of sensitive information.
Testing also includes security analysis of:
- Network infrastructure – checking of IP ACLs, port security/802.1X, DHCP, the possibility of ARP flooding/poisoning, and checking of the HSRP and SNMP protocols
- User password policy – an attempt to change the user password to a simple one (numeric, short, dictionary …) in order to determine whether passwords with poor security standards can be set (inadequate password policy), and an attempt to uncover the password creation scheme used when new accounts are created (arrival of a new employee)
- Windows domain – an attempt to map the tree structure of users, resources and settings via LDAP access, use of low security standards in domain authentication (NTLM), and an attempt to obtain a domain administrator account
- External and side channels of communication – the possibility of using external mail servers, proxy servers and DNS servers as side channels of communication (HTTP or DNS tunnel) in order to bypass the access policy for untrusted target resources (sending spam, web access outside the corporate proxy server) and the security logging mechanism, and to leak information.
- Management interfaces and hardware devices – printers, remote management of servers, switches, copiers, etc.
- Access to corporate Exchange email – the possibility of using insecure protocols (IMAP, POP3), enumeration of existing accounts by observing the server's error codes, the option to send mail without authorization (open relay), and testing the server's ability to catch mail infected with a virus or trojan that is sent to a particular user.
- Testing DNS zones – apart from known vulnerabilities in the specific DNS server implementation (BIND, Microsoft DNS server), a zone consistency test is also performed on all specified DNS servers, checking whether a public “zone transfer” is possible, checking for DNS “caching” vulnerabilities, etc. At the same time, a detailed penetration test of each DNS server for the given domain is performed (even outside the customer's network – in this case the operator's consent is required).
Dictionary attacks and brute-force attacks on the identified authentication mechanisms are of course also part of the testing.