External Network Penetration Test

title: Want to Add Stuff to the External Testing Section of the KB? Modify the checklist? Add tools? 
 
Reach out to one of the subject matter experts (SMEs) to ensure the content additions align with testing expectations and deliverables. Or, depending on your confidence, go for it!
 
Current External Network SMEs:
- Jordan jordan@blackhillsinfosec.com
- Alyssa alyssa@blackhillsinfosec.com
- Phil phil@blackhillsinfosec.com
- David david@blackhillsinfosec.com

The objective of the External Network Penetration Test is to evaluate the security of the organization’s internet-facing infrastructure. The tester typically attempts to penetrate the perimeter defenses of the organization to illustrate the impact and severity of findings.

The target organization identifies the assets included in scope for testing and shares that information with BHIS before testing begins to ensure full coverage of the target network. This engagement typically includes the following elements, although this is not an exhaustive list:

title: Reconnaissance
 
Open-source intelligence is gathered about the target organization. The purpose of reconnaissance is to identify hostnames, IP addresses, network blocks, third-party services, employee information, and other details that might be useful to an attacker.
 
Visit the [[../Reconnaissance/0. Overview|Reconnaissance]] overview for an outline of typical reconnaissance activities.

title: Vulnerability Scanning, Validation, and Exploitation
 
A vulnerability scan is conducted against the in-scope hostnames, IP addresses, and/or network blocks to identify potential vulnerabilities associated with the environment. During testing, the identified conditions are validated, and exploitation is attempted. Vulnerability scanning is conducted against the environment in accordance with best practice for penetration testing outlined in the CIS critical controls and other standards.

title: Vulnerability Scan Post-Processing
 
The vulnerability scan output is processed to aid in identifying latent issues not immediately identified by the scanner. Typical post-processing tasks include enumeration of web services using EyeWitness (or similar) and analysis of exposed services using tools like ParSuite.
title: Password Attacks
 
Password spraying, password guessing, and default credential checks may allow authenticated access to the environment when other methods of exploitation fail.
 
Password spraying is typically conducted against any protocol backed by Active Directory during internal testing. In practice, password sprays are usually executed over SMB unless a more attractive protocol or portal is present. Password spraying frequency should be approved by the customer and coordinated with other testers when concurrent testing is performed (for example, simultaneous internal and external penetration tests) to avoid account lockout.
 
Password guessing and default credential checks can be valuable against web interfaces and protocols that may not be subject to a strong domain password policy. Examples include SSH, Telnet, MySQL, Oracle, and MSSQL, among others. Review of the Nessus Service Detection plugin output or ParSuite results can help identify these services.
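The scan post-processing and service review described above (enumerating web services for EyeWitness and picking out the services worth a default-credential check from Nessus Service Detection output), as an added example that is not part of the original page or any BHIS tooling. The `.nessus` XML is constructed for the example; the plugin ID 22964 is Nessus's Service Detection plugin, while the `svc_name` values and the `CREDENTIAL_SERVICES` set are assumptions taken from the service list above.

```python
# Added example (not BHIS code): triage Nessus Service Detection output into
# (1) URLs suitable for an EyeWitness target list and (2) non-web services
# that the page flags for default-credential / password-guessing review.
import re
import xml.etree.ElementTree as ET

# Constructed sample .nessus fragment; addresses are RFC 5737 documentation IPs.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="external">
<ReportHost name="203.0.113.10">
 <ReportItem port="443" svc_name="www" protocol="tcp" pluginID="22964" pluginName="Service Detection">
  <plugin_output>A web server is running on this port through TLS.</plugin_output></ReportItem>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" pluginID="22964" pluginName="Service Detection">
  <plugin_output>An SSH server is running on this port.</plugin_output></ReportItem>
</ReportHost>
<ReportHost name="203.0.113.11">
 <ReportItem port="8080" svc_name="www" protocol="tcp" pluginID="22964" pluginName="Service Detection">
  <plugin_output>A web server is running on this port.</plugin_output></ReportItem>
 <ReportItem port="3306" svc_name="mysql" protocol="tcp" pluginID="22964" pluginName="Service Detection">
  <plugin_output>A MySQL server is running on this port.</plugin_output></ReportItem>
 <ReportItem port="23" svc_name="telnet" protocol="tcp" pluginID="10335" pluginName="Nessus TCP scanner">
  <plugin_output>Port 23/tcp was found to be open</plugin_output></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

SERVICE_DETECTION_ID = "22964"  # Nessus "Service Detection" plugin
# Assumed svc_name values for the services the page lists for credential review.
CREDENTIAL_SERVICES = {"ssh", "telnet", "mysql", "oracle", "mssql"}


def triage(nessus_xml):
    """Return (eyewitness_targets, credential_services) from a .nessus document."""
    root = ET.fromstring(nessus_xml)
    web_targets, cred_services = [], []
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        for item in host.iter("ReportItem"):
            # Only trust Service Detection results; a bare open-port finding
            # (e.g. the telnet/23 TCP scanner item above) is not a confirmed service.
            if item.get("pluginID") != SERVICE_DETECTION_ID:
                continue
            port, svc = item.get("port"), item.get("svc_name")
            output = item.findtext("plugin_output") or ""
            if svc == "www":
                scheme = "https" if re.search(r"through (TLS|SSL)", output) else "http"
                web_targets.append(f"{scheme}://{ip}:{port}")  # one line per EyeWitness target
            elif svc in CREDENTIAL_SERVICES:
                cred_services.append((ip, port, svc))
    return web_targets, cred_services


if __name__ == "__main__":
    targets, creds = triage(SAMPLE_NESSUS)
    print("\n".join(targets))
    print(creds)
```

The first return value can be written straight to a file and passed to EyeWitness, while the second is the list of hosts to review against the customer's password policy before any guessing is approved.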
title: Content Discovery
 
Dictionary-based content discovery is performed against web services identified during vulnerability scan post-processing. Discovery of unlinked content is typically useful against custom applications deployed by the organization, application servers that present default web content, and hosts that produce various HTTP error responses.

The “Black Box” form of this test involves the tester determining the network assets associated with the target network through reconnaissance. Once reconnaissance is complete, the discovered networks are shared with the customer for validation. The customer should be encouraged to add any missing network resources to ensure full visibility into the state of the network. Any resources not discovered during reconnaissance should be called out in the report.

Social engineering is not in scope for an external network penetration test unless it is explicitly included in the Statement of Work as a non-standard element.

If a tester gains access to the internal customer network during an external network penetration test, the tester will notify the customer and ask how to proceed. Options include pursuing internal privilege escalation, lateral movement, and other post-compromise activities to demonstrate the impact of the exposure, but some customers will want the tester to keep to the original scope of externally facing assets only.

If the customer has other testing scheduled, the tester performing the external test must coordinate with the other testers to ensure good coverage and avoid duplicated effort.