Internal Network Penetration Test
title: Want to Add Stuff to the Internal Testing Section of the KB? Modify the checklist? Add tools?
Reach out to one of the subject matter experts (SMEs) to ensure the content additions align with testing expectations and deliverables. Or, depending on your confidence, go for it!
Current Internal Network SMEs:
- Jordan jordan@blackhillsinfosec.com
- Alyssa alyssa@blackhillsinfosec.com
- Phil phil@blackhillsinfosec.com
- David david@blackhillsinfosec.com

The objective of the Internal Network Penetration Test is to evaluate the security of the organization’s internal network resources. This engagement typically provides a broad analysis of the target organization’s security posture based on validation and exploitation of issues identified in vulnerability scanning results. The tester also analyzes the target environment for latent issues that may not appear in vulnerability scanning results. This engagement typically includes the following elements, although this is not an exhaustive list:
title: Vulnerability Scanning, Validation, and Exploitation
A vulnerability scan is conducted against the in-scope hostnames, IP addresses, and/or network blocks to identify potential vulnerabilities associated with the environment. During testing, the identified conditions are validated, and exploitation is attempted. Vulnerability scanning is conducted against the environment in accordance with the penetration testing best practice outlined in the CIS Critical Security Controls and other standards.
title: Vulnerability Scan Post-Processing
The vulnerability scan output is processed to aid in identifying latent issues not immediately flagged by the scanner. Typical post-processing tasks include enumeration of web services using EyeWitness (or similar) and analysis of exposed services using tools like ParSuite.
title: Protocol Abuse and Forced Authentication Attacks
The internal network of an organization typically exposes a much larger attack surface to a tester than the perimeter does. The mere presence of certain protocols can present a significant opportunity for attack. As an example, Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBNS) broadcasts can be answered by the tester to harvest NTLM challenge/response hashes, and rogue DHCPv6 answers on an IPv6-enabled network can put the tester in the path of name resolution and coerce authentication. Captured authentication can then be relayed to hosts where SMB signing is not required (a Windows SMB2 server always advertises signing as enabled, so the "required" setting is the one that matters).
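The relay condition described above comes down to one bit in the SMB2 NEGOTIATE response. As an added example (not a BHIS tool and not part of this page's checklist), the following Python probe sends a single SMB2 NEGOTIATE to a host and reads its SecurityMode field; the host addresses in the usage line are placeholders and the sample response used offline is constructed.

```python
"""SMB signing check: does a host accept unsigned SMB2 sessions?

Added example for this KB section, not a BHIS tool. It speaks the SMB2
NEGOTIATE exchange (MS-SMB2 2.2.3 / 2.2.4) directly so the SecurityMode
bits can be read without a full session. Only probe_smb_signing() touches
the network; sample_negotiate_response() builds a constructed reply for
offline use.
"""
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SecurityMode bit: server can sign
SIGNING_REQUIRED = 0x0002  # SecurityMode bit: server refuses unsigned sessions
DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}


def _smb2_header(command: int, flags: int = 0, message_id: int = 0) -> bytes:
    """64-byte SMB2 packet header (MS-SMB2 2.2.1.2)."""
    fixed = struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 1, flags, 0,
                        message_id, 0, 0, 0)       # StructureSize .. SessionId
    return b"\xfeSMB" + fixed + b"\x00" * 16       # ProtocolId, fields, Signature


def build_negotiate_request() -> bytes:
    """SMB2 NEGOTIATE request offering dialects 2.0.2 to 3.0.2 (3.1.1 needs
    negotiate contexts, which this minimal probe does not send)."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302]
    body = (struct.pack("<HHHHI", 36, len(dialects), SIGNING_ENABLED, 0, 0)
            + uuid.uuid4().bytes                    # ClientGuid
            + struct.pack("<Q", 0)                  # ClientStartTime
            + struct.pack("<%dH" % len(dialects), *dialects))
    packet = _smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(packet)) + packet  # NetBIOS session header


def sample_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed SMB2 NEGOTIATE response (no NetBIOS header) for offline tests."""
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)
            + uuid.uuid4().bytes                                # ServerGuid
            + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)
            + struct.pack("<QQ", 0, 0)                          # SystemTime, ServerStartTime
            + struct.pack("<HHI", 0, 0, 0))                     # SecurityBuffer*, ContextOffset
    return _smb2_header(SMB2_NEGOTIATE, flags=0x1) + body       # SMB2_FLAGS_SERVER_TO_REDIR


def parse_negotiate_response(smb2: bytes) -> dict:
    """Extract dialect and signing bits; 'relayable' means an NTLM relay to
    this host would not be rejected for lack of a signature."""
    if len(smb2) < 70 or smb2[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    status, command = struct.unpack_from("<IH", smb2, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected reply: command={command:#x} status={status:#x}")
    _, security_mode, dialect = struct.unpack_from("<HHH", smb2, 64)
    required = bool(security_mode & SIGNING_REQUIRED)
    return {
        "dialect": DIALECT_NAMES.get(dialect, f"{dialect:#06x}"),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": required,
        "relayable": not required,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def probe_smb_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """One NEGOTIATE round trip against host:port (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = struct.unpack(">I", _recv_exact(s, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(s, length))


if __name__ == "__main__":
    import sys  # usage: python smb_signing.py 10.10.20.5 10.10.20.6 (placeholder hosts)
    for target in sys.argv[1:]:
        try:
            info = probe_smb_signing(target)
            verdict = "RELAY TARGET" if info["relayable"] else "signing required"
            print(f"{target}: SMB {info['dialect']}, {verdict}")
        except (OSError, ValueError) as exc:
            print(f"{target}: {exc}")
```

A host reporting signing_required false is a candidate for the relay target list; the SMB SecurityMode says nothing about LDAP signing or channel binding on other services, which need their own checks. If a server only answers an SMB1 multi-protocol negotiate, this SMB2-first probe fails to parse the reply, and the relay list from NetExec (`--gen-relay-list`) is the usual fallback.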
Attacks like NoPac, PetitPotam, SCCM/MECM abuse (for example with SharpSCCM), and Active Directory Certificate Services (ADCS) abuse can present an easy path to Domain Admin within an environment.
In addition, Cisco Smart Install, which is enabled by default on many Cisco switches, may allow an attacker to retrieve or modify device configurations and otherwise manipulate network infrastructure. Authenticated domain access (obtained through password spraying or password cracking) may allow an attacker to harvest Kerberos tickets, for example by requesting service tickets for accounts with an SPN (Kerberoasting) and cracking them offline.
title: Password Attacks
Password spraying, password guessing, and default credential checks may allow authenticated access to the environment when other methods of exploitation fail.
Password spraying is typically conducted against any protocol backed by Active Directory during internal testing. That said, password sprays are typically executed over SMB unless a more attractive protocol or portal is present. Password spraying frequency should be approved by the customer and coordinated with other testers when concurrent testing is performed (for example, simultaneous internal and external penetration tests) to avoid account lockout.
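The default-credential checks described in this section, like the ParSuite-style post-processing above, start from the Nessus Service Detection plugin output. As an added example (not ParSuite and not a BHIS script), the following Python reads a .nessus export, keeps the plugin 22964 items, and produces the list of services the KB calls out as often sitting outside the domain password policy; the embedded export is constructed and the 10.10.20.x hosts are placeholders.

```python
"""List default-credential targets from Nessus Service Detection output.

Added example for this KB section; it is not ParSuite or a BHIS script.
It reads the .nessus XML export, keeps only plugin 22964 (Service
Detection) items, names each service from the plugin text, and returns the
services the KB lists as often sitting outside the domain password policy.
SAMPLE_NESSUS is a constructed export; the 10.10.20.x hosts are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SERVICE_DETECTION_PLUGIN_ID = "22964"
DEFAULT_CRED_SERVICES = {"ssh", "telnet", "mysql", "oracle", "mssql"}
# plugin_output reads "A telnet server is running on this port." / "An SSH
# server is running on this port."; the svc_name attribute is the fallback.
_OUTPUT_RE = re.compile(r"\bAn? ([\w./-]+) server is running on this port", re.I)
# svc_name aliases assumed for this example; adjust to your scanner's naming.
_ALIASES = {"www": "web", "http": "web", "oracle_tnslsnr": "oracle", "ms-sql-s": "mssql"}

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="internal-scan">
<ReportHost name="10.10.20.5">
 <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection">
  <plugin_output>A telnet server is running on this port.</plugin_output>
 </ReportItem>
 <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection">
  <plugin_output>A web server is running on this port.</plugin_output>
 </ReportItem>
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="11011" pluginName="Microsoft Windows SMB Service Detection" pluginFamily="Windows"/>
</ReportHost>
<ReportHost name="10.10.20.7">
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection">
  <plugin_output>An SSH server is running on this port.</plugin_output>
 </ReportItem>
 <ReportItem port="3306" svc_name="mysql" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection">
  <plugin_output>A MySQL server is running on this port.</plugin_output>
 </ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""


def service_name(item: ET.Element) -> str:
    """Name the service from plugin_output, else from svc_name; normalise aliases."""
    match = _OUTPUT_RE.search(item.findtext("plugin_output") or "")
    name = (match.group(1) if match else item.get("svc_name", "unknown")).lower()
    return _ALIASES.get(name, name)


def parse_services(xml) -> dict:
    """service -> sorted [(host, port, protocol)] from Service Detection items.
    Accepts the export as str or bytes (bytes keep the XML encoding declaration)."""
    found = defaultdict(set)
    for host in ET.fromstring(xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("pluginID") != SERVICE_DETECTION_PLUGIN_ID:
                continue  # other plugins also carry svc_name but not the detection text
            found[service_name(item)].add(
                (host.get("name"), int(item.get("port")), item.get("protocol", "tcp")))
    return {svc: sorted(targets) for svc, targets in found.items()}


def default_cred_targets(services: dict, wanted=DEFAULT_CRED_SERVICES) -> list:
    """Flatten to (host, port, service) for services worth guessing against."""
    return sorted((host, port, svc) for svc, targets in services.items()
                  if svc in wanted for host, port, _ in targets)


def load_nessus(path: str) -> dict:
    with open(path, "rb") as fh:
        return parse_services(fh.read())


if __name__ == "__main__":
    import sys  # usage: python nessus_services.py scan.nessus
    services = load_nessus(sys.argv[1]) if len(sys.argv) > 1 else parse_services(SAMPLE_NESSUS)
    for host, port, svc in default_cred_targets(services):
        print(f"{host}:{port}\t{svc}")
```

The output is the host:port list to feed a default-credential or guessing tool; the web entries are left for the content discovery step rather than the password step, and anything the regex cannot name falls back to the scanner's own svc_name so no port is silently dropped.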
Password guessing and default credential checks can be valuable against web interfaces and protocols that may not be subject to a strong domain password policy. Examples include SSH, Telnet, MySQL, Oracle, and MSSQL, among others. Review of the Nessus Service Detection plugin output or ParSuite results can help identify these services.
title: Content Discovery
Dictionary-based content discovery is performed against web services identified during vulnerability scan post-processing. Discovery of unlinked content is typically useful against custom applications deployed by the organization, application servers that present default web content, and hosts whose HTTP error responses are non-standard (for example, a 200 OK error page for missing content), which is why results should be compared against a baseline rather than filtered on status code alone.

Social engineering is not in scope for an internal network penetration test unless it is explicitly included in the Statement of Work as a non-standard element.
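The content discovery step above runs into hosts that answer every missing path with a 200 OK error page, a 302 to a login page, or a custom 403. As an added example (not a BHIS tool), the following Python fetches two paths that cannot exist, keeps their responses as the host's "not found" signature, and reports only wordlist entries that differ from it; the fake_fetch() server and its routes are constructed for offline use, and the host names are placeholders.

```python
"""Dictionary-based content discovery with a soft-404 baseline.

Added example for this KB section, not a BHIS tool. Application servers
often answer missing paths with a 200 OK error page, a 302 to a login page
or a custom 403, so status codes alone cannot separate hits from misses.
Two paths that cannot exist are fetched first and their responses become
the host's "not found" signature; a wordlist entry counts only if it
differs from that. fake_fetch() is a constructed stand-in server for
offline use; real hosts go through fetch().
"""
import difflib
import random
import string
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlparse


@dataclass
class Response:
    status: int
    body: bytes
    location: Optional[str] = None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Leave 30x unfollowed: the redirect itself is the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)
Fetcher = Callable[[str], Response]


def fetch(url: str, timeout: float = 5.0) -> Response:
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with _opener.open(req, timeout=timeout) as r:
            return Response(r.status, r.read(), r.headers.get("Location"))
    except urllib.error.HTTPError as e:  # 4xx/5xx and unfollowed 3xx land here
        return Response(e.code, e.read(), e.headers.get("Location"))


def _random_path(ext: str = "") -> str:
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=12)) + ext


def baseline(base_url: str, fetch_fn: Fetcher = fetch) -> List[Response]:
    """Two impossible paths, one with an extension, since some servers route
    extensions (e.g. .aspx) to a different handler than bare paths."""
    return [fetch_fn(f"{base_url}/{_random_path()}"),
            fetch_fn(f"{base_url}/{_random_path('.aspx')}")]


def similar(a: bytes, b: bytes, limit: int = 4096) -> float:
    return difflib.SequenceMatcher(None, a[:limit], b[:limit], autojunk=False).ratio()


def is_hit(resp: Response, not_found: List[Response], threshold: float = 0.9) -> bool:
    """Interesting only if it differs from every baseline: another status
    code, or the same status with a substantially different body."""
    for nf in not_found:
        if resp.status == nf.status and similar(resp.body, nf.body) >= threshold:
            return False
    return True


def discover(base_url: str, wordlist, fetch_fn: Fetcher = fetch) -> list:
    """Return (word, status, body_length, location) for each wordlist hit."""
    not_found = baseline(base_url, fetch_fn)
    hits = []
    for word in wordlist:
        r = fetch_fn(f"{base_url}/{word}")
        if is_hit(r, not_found):
            hits.append((word, r.status, len(r.body), r.location))
    return hits


# Constructed server: every unknown path gets a 200 "not found" page whose
# body embeds the path, the soft-404 case that defeats status-code filtering.
_SOFT_404 = ("<html><body><h1>We could not find that page</h1><p>The resource "
             "{path} does not exist on this server.</p>" + "<p>filler</p>" * 20 +
             "</body></html>")
_FAKE_ROUTES = {
    "/admin": Response(200, b"<html><form><input name=user><input name=pass></form></html>"),
    "/backup": Response(403, b"Forbidden"),
    "/old": Response(302, b"", "/login"),
}


def fake_fetch(url: str) -> Response:
    path = urlparse(url).path
    return _FAKE_ROUTES.get(path, Response(200, _SOFT_404.format(path=path).encode()))


if __name__ == "__main__":
    import sys  # usage: python content_discovery.py http://host [wordlist.txt]
    words = (open(sys.argv[2]).read().split() if len(sys.argv) > 2
             else ["admin", "backup", "old", "nothing"])
    for word, status, size, loc in discover(sys.argv[1], words):
        print(f"{status} {size:>7} /{word}" + (f" -> {loc}" if loc else ""))
```

Against the constructed server, "admin" (different body), "backup" (403) and "old" (302) are reported and "nothing" is suppressed even though it returns 200. The similarity threshold is a starting point: pages that embed the requested path in a long template score high, so lower the threshold for hosts whose error pages are short.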
If exploitation is successful during the internal network penetration test, the tester will typically attempt to demonstrate impact on the compromised host or in the context of the organization’s Active Directory environment. This can include privilege escalation, lateral movement, and other post-compromise activities as described in the Assumed Compromise (Internal Pivot) Test overview. Coordination should take place if other testing is scheduled for the customer. For instance, if the customer has a scheduled Assumed Compromise (Internal Pivot) Test, coordinate with that tester to determine the best course of action based on the issues remaining to be validated on the internal network test and the context of the successful exploitation.