Network Penetration Testing

Network penetration testing can be done in five different phases:

Information Gathering / Reconnaissance: Understand the target network and gather information about the target, such as how the network is designed and what kind of services are hosted, using Google dorks to gather much more information on the target.
Scanning: Scanning is broken down into two different categories.
- Passive Scanning: In passive scanning the pentester does not create noise in the network; instead he analyses the different services running on the target. For instance, if a website is running, the tester tries to understand and map the potential attack surfaces in the application that would lead to gaining access to the server.
- Active Scanning: In this phase the pentester engages tool sets such as Nmap and Nessus to scan the target, identify the open ports, uncover the services running on those ports and gather intel on them.
Gaining Access: Using the identified ports/services and the intel gathered, the pentester tries to exploit the services, with approaches such as using the Metasploit tool to gain a shell, uploading a shell file through a web app and then invoking it to gain access, or searching the internet for available exploits on sites like https://www.exploit-db.com and using them as-is or modifying them for the target to gain control over the server.
Maintaining Access: Once the pentester gains access to the server, he should make sure that a persistent connection to the server can be established at any time. Various activities can be done in this part, such as:
- Perform privilege escalation based on the OS (Windows / *nix)
- Breaking protection rings (Ring 0, 1, 2, 3)
- Establish a backdoor for persistent connectivity
- If required, perform lateral movement and gain access to other servers in the network
Clearing the Tracks: Once the connection is established and maintained, the tracks need to be cleared so that no suspicion of the compromise is raised with the server admins/app admins. Things that a pentester will do at this stage are:
- Clear web server logs / app server logs
- Clear Windows event and security log files; if it is a Linux OS, clear /var/log and other log files
- Make sure that the backdoor runs as a system service and not as a user service, so that it persists reliably
- If any access-level controls were changed, roll them back to the actual state before exploitation
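Both the Maintaining Access and the Clearing the Tracks phases above leave traces a defender can alert on: installing a backdoor as a system service generates a service-installation event, and clearing the Windows event logs is itself logged. The following is an added example (not code from the original page) of detection logic over exported Windows events: it flags service installs (System event ID 7045), treats installs whose binary lives in a user-writable directory as more suspicious, flags log clears (Security 1102 and System 104), and then correlates an install followed shortly by a log clear on the same host. The event IDs are the real Windows ones; the JSON records and their field names (`ts`, `host`, `channel`, `event_id`, `data`) are a constructed schema for the demo, not a vendor format.

```python
"""Detect persistence-then-cleanup activity in exported Windows event records.

Added example. Event IDs are real (System 7045: a service was installed;
Security 1102: the audit log was cleared; System 104: a log file was
cleared). The records in SAMPLE_EVENTS and their field names are constructed
for this demo, not a real export or vendor schema.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one JSON object per line. Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T10:00:01Z", "host": "web01", "channel": "System", "event_id": 7036, "data": {"service": "Spooler", "state": "running"}}
{"ts": "2024-05-01T10:05:12Z", "host": "web01", "channel": "System", "event_id": 7045, "data": {"service": "WinUpdateSvc", "image_path": "C:\\Users\\Public\\svc.exe", "account": "LocalSystem"}}
{"ts": "2024-05-01T10:05:40Z", "host": "web01", "channel": "Security", "event_id": 1102, "data": {"subject": "WEB01\\svc_admin"}}
{"ts": "2024-05-01T10:05:41Z", "host": "web01", "channel": "System", "event_id": 104, "data": {"log": "Application", "subject": "WEB01\\svc_admin"}}
{"ts": "2024-05-01T11:00:00Z", "host": "db02", "channel": "System", "event_id": 7045, "data": {"service": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe", "account": "LocalSystem"}}
"""

LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
SERVICE_INSTALL = ("System", 7045)
# Directories a legitimately packaged service binary rarely runs from (assumption of this demo).
SUSPICIOUS_PATH_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def parse_events(text):
    """Parse JSON-lines event export into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _parse_ts(ts):
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events):
    """Return (host, ts, rule, detail) for each event matching a detection rule."""
    findings = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEAR_EVENTS:
            # 104 names the cleared log in its data; 1102 always refers to the Security log.
            findings.append((ev["host"], ev["ts"], "log_cleared", ev["data"].get("log", ev["channel"])))
        elif key == SERVICE_INSTALL:
            path = ev["data"].get("image_path", "").lower()
            rule = "service_from_user_writable_path" if any(m in path for m in SUSPICIOUS_PATH_MARKERS) else "service_installed"
            findings.append((ev["host"], ev["ts"], rule, ev["data"]["service"]))
    return findings


def correlate(findings, window_minutes=30):
    """Hosts where a service install was followed by a log clear within the window."""
    by_host = defaultdict(list)
    for host, ts, rule, detail in findings:
        by_host[host].append((_parse_ts(ts), rule, detail))
    alerts = []
    for host, items in by_host.items():
        installs = [(t, d) for t, r, d in items if r.startswith("service")]
        clears = [t for t, r, _ in items if r == "log_cleared"]
        for t_install, service in installs:
            if any(0 <= (t_clear - t_install).total_seconds() <= window_minutes * 60 for t_clear in clears):
                alerts.append((host, service))
    return alerts


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for finding in found:
        print("finding:", finding)
    for host, service in correlate(found):
        print(f"ALERT {host}: service '{service}' installed and logs cleared shortly after")
```

The point of the correlation is that a log-clear event on its own is occasionally an admin action, and a new service on its own is routine, but the two together on one host inside a short window is exactly the sequence this page describes. Forwarding events off-host (so the 1102/104 records survive the clear) is what makes the rule usable in practice.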