Internal Network Penetration Testing Methodology

We follow an industry-standard methodology primarily based on the Open Source Security Testing Methodology Manual (OSSTMM).

Penetration testing of an internal network includes the following stages:

• Target scope reconnaissance
• Service discovery
• Vulnerability scans
• Manual assessment
• Additional testing
• Reporting, triaging, and retesting

The Cobalt security assessment team carries out testing without the following, unless it’s required as part of the pentest scope:

• Detailed network or infrastructure diagrams
• Any accounts or additional user information

However, you’re welcome to add network diagrams and other details when describing your asset.

Prerequisites

Because Cobalt pentesters execute pentests for internal networks remotely, they need:

• Access to the internal corporate network through a stable VPN connection
• A lightweight Linux server inside the network that serves as a jump box from which pentesters can scan and test the internal network during the assessment

Depending on your network setup, do the following:

• For networks running on Amazon Web Services (AWS) machines:
  • Create a Kali Virtual Machine (VM) inside AWS.
  • Set up key-based SSH access for each pentester.
• For networks that don’t use a cloud network setup:
  • Download a Kali VMWare/VirtualBox image.
  • Set up key-based SSH access for each pentester.

Target Scope Reconnaissance

Cobalt pentesters search for all information that a malicious user might find. For example, to connect to the internet, you typically have shared some information:

• To receive email, you need to post a mail server address.
• To set up a web server, you need to post its URL and more.

An attacker may have multiple avenues of exploration. Cobalt pentesters explore all of these avenues to gather information that an attacker could use to gain access to internal resources, such as:

• Brute-forcing credentials by using discovered company email formats
• Building password dictionaries containing public business information from the corporate website

During the initial phase of testing, pentesters determine what information is publicly available. They examine the following:

• Your corporate website. Cobalt pentesters evaluate your website in ways that could interest a potential attacker, including:
  • Locations (URLs)
  • Contact details, such as phone numbers, emails, or physical addresses
  • Domain information
  • Links to other servers within an organization
  • Other companies with links to your website
  • Information on the security policy of your organization
• Other web locations and databases. Cobalt pentesters search for information on your asset from other websites and databases, especially anything related to publicly traded companies. Pentesters then evaluate what information the organization makes public, in particular anything that goes beyond what’s required by local laws. They also evaluate news articles and press releases for more clues about your security policy.
• Your domain names. Cobalt pentesters use “whois” databases to identify the domains that you own. These domains provide information about your network infrastructure.
• Public records. Public records about your organization may include information about the people responsible for administering your domain, such as their name, address, or phone number. Attackers may use social engineering to get additional information, such as the details of hardware and software purchases. It also gives clues about where the best place to target an attack may be.

Service Discovery

After gathering all available information, our pentesters probe the resources belonging to the targeted organization. These tests involve several stages:

• Port scans
• Testing for PCI, if needed
• Further investigation

As certain vulnerabilities and exploits could paralyze, damage, or alter the content of the network, our pentesters do not perform these attacks. They do make note of the possible risks. For example, our pentesters won’t run exploits that:

• Disable certain services
• Deny service from outside systems
• May affect customers (such as with a Denial of Service (DoS) attack)
• Disable the ability of an organization to function

Port Scans

Pentesters perform a complete port scan on the provided internal network ranges. This gives a detailed breakdown of the machines and resources running inside the corporate network and what functions they perform.

For example, the following services require access to the network to function:

• Antivirus
• Backup and file servers
• Mail servers
• Web and patch deployment servers
• Printers
• FTP servers
• Azure Active Directory (AD) servers and clients

All of these services leave characteristic signatures that a port scan can detect.

Testing for PCI

If needed, pentesters test the network segmentation required for the Payment Card Industry (PCI) Digital Security Standard (DSS) compliance. This includes checking whether all out-of-scope systems are prevented from:

• Communicating with systems in the Cardholder Data Environment (CDE)
• Impacting the security of the CDE

Further Investigation

Based on the results of the initial port scan, our pentesters work to identify:

• The types of applications running on externally exposed machines
• Version numbers for identified software
• Operating systems on which the software runs

In some cases, an externally exposed machine may have open services that don’t have functions associated with them. Pentesters can identify and target them for testing.

Vulnerability Scans

Cobalt pentesters follow up by identifying vulnerabilities in the internal-facing portion of the network. Their goal is to penetrate internal endpoints and gain access to the organization’s resources.

If a potential attacker achieves this goal, an organization could face:

• Leaks of sensitive or confidential information from the organization’s network. The exfiltration of trade secrets or internal communication data could damage the affected organization. Such leaks could include:
  • Personnel records
  • Payment data
  • Other financial records
• Attackers who use the mail gateway or website as the source of spam email. Other sites may blacklist the organization’s domain and automatically reject legitimate email correspondence.
• Service disruptions, to the point when organization’s resources become unavailable, either temporarily or permanently.

Manual Assessment

During manual assessment, Cobalt pentesters examine specific resources that they identified. In most cases, pentesters focus on visibly open services:

• Web servers
• FTP servers
• Email servers
• Firewalls
• Routers
• DNS servers
• Azure Active Directory servers and all associated clients
• Printers
• File servers
• Other services that are in place on the internal IP address range

While pentesters perform checks based on the specifics of a given situation, a common scenario involves examining the following:

• Azure Active Directory networks
• Routers
• Firewalls
• Web and FTP servers
• Email servers
• Printers

Azure Active Directory Networks

Azure Active Directory (AD) is a cloud-based identity and access management solution by Microsoft. Organizations use this service on Windows domain networks.

Depending on the configuration and patch level, a pentester might find a path to take over the corporate network by compromising the Domain Controller (DC).

Routers

All connections to the internet typically go through a border router managed by the Internet Service Provider (ISP). However, sometimes routers remain unpatched for an extended period, or default user accounts remain active.

We locate all visible routers, establish the manufacturer and operating system (OS), then check for potential vulnerabilities. Our tests include:

• Checking software, to make sure your routers are patched and up to date
• Default user accounts such as admin
• Attempts to access the router using various databases of well-known default passwords and settings

Firewalls

A firewall is designed to be the main gateway to an organization, with rules to protect internal resources. An attacker may get access to the firewall technology, so we don’t recommend treating it as an “out-of-the-box” solution. An organization should configure a firewall for the specific needs of their business, and keep it up to date through patching and maintenance.

Our pentesters look for configuration errors that could leave a path into the corporate LAN. Pentesters attempt to perform firewall attacks, such as:

• Buffer overflows
• IP spoofing
• Corrupted IP packets
• Attacks against open services

Web and FTP Servers

Web servers are vulnerable to defacement attacks, or could be used as a launching pad for further attacks against hosts based locally to the web server.

Cobalt pentesters scan all web and FTP servers in the internal network for potential exploits and vulnerabilities, such as:

• Poor patching policy
• Default installation
• Insecure credentials

Email Servers

Cobalt pentesters check SMTP, POP3, and IMAP on the mail gateway for open relay vulnerabilities. Your mail servers should:

• Accept mail only for the organization’s domains
• Not relay mail for other domains

Attackers could exploit an open relay to flood the mail server with spam, which could lead to the domain being blacklisted.

Pentesters examine the mail server using a variety of methods, such as sending emails to non-existent domains.

Printers

Printers inside corporate networks can be shared with the entire organization, and in some cases may be a member of an Azure AD network. These devices may use insecure default credentials or be vulnerable to web application attacks.

Our pentesters test printers against all common attacks and make sure that they use secure credentials.

Additional Testing

Cobalt pentesters use various custom and publicly available tools throughout a pentest, such as:

• Port scanners
• Automated vulnerability scanners
• HTTP proxies
• Exploits
• Custom scripts
• Security applications

Reporting, Triaging, and Retesting

Cobalt pentesters report and triage all vulnerabilities during the assessment. You can review details of all findings, in real time, through the Cobalt platform. In these findings, as well as in any report, our pentesters include detailed information on how you can:

• Remediate each finding
• Improve your overall security posture

You can remediate findings during and after the pentest. Then you can submit findings for retest. Our pentesters test the updated components and retest issues to ensure that there are no security-related residual risks.