Internal Penetration Test
Introduction
An internal penetration test is generally done after the completion of an external pen test. It imitates an insider threat and identifies the ways an attacker can compromise or damage the network, sensitive data, or systems. Initially, the tester may start with the most obvious or common scenarios like:
- An unhappy rogue employee (malicious insider) who can compromise or damage the system network.
- An external malicious attacker who gains access to the system through social engineering, a phishing scam, or stolen credentials.
Mostly, organizations focus on external threats, but it has been shown that a majority of data breaches happen due to internal threats, and these can come from:
- Weak or shared passwords
- Weak access controls
- Insecure file sharing or unencrypted data
- Network misconfigurations
- Lack of awareness about social engineering and phishing
- Ransomware attacks
- Insecure remote devices and networks
It is very important to address these issues as a priority, and internal penetration testing does just that.
Internal Discovery
Firstly, a penetration tester tries to look for other hosts. Hence, depending on how much noise he is willing to make, he might use tools like netdiscover that do not generate much traffic in the network, so that he can stay undetected. A penetration tester needs to be undetected and discreet, but it is quite a difficult feat to achieve once inside the network. However, the following techniques might help the tester in these aspects:
- TTL Manipulation- Send some packets with a TTL long enough to reach the IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) but not long enough to reach the target system. After that, send more packets with the same sequence numbers so that the IDS/IPS mistakes them for repeats and fails to inspect them even if they contain malicious material. This can be done with nmap's --ttl <value> option.
- Avoid Signatures- In order to avoid getting caught by a known malicious signature, add nonces or garbage data to the packets. This can be achieved with nmap's --data-length <number> option.
- Fragmented Packets- This is a very successful technique. Split the packets and send the fragments separately, so that an IDS/IPS they pass through fails to reassemble them and does not realize that they are malicious. It can be done with nmap's -f option.
- Invalid Checksum- For this to work, the IDS/IPS must either not be set up to handle invalid checksums or be misconfigured, so that it inspects packets the target host will silently drop.
- Uncommon IP and TCP Options- While the target host may accept such a packet as soon as it is received, a sensor may ignore packets that carry certain flags and options in the IP and TCP headers.
- Overlapping- While fragmenting the packets, some of the bytes in different fragments may overlap. This makes it difficult for the IDS/IPS to reassemble them and leads it to interpret the packets differently than the destination host does.
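The three evasion patterns above (a TTL that expires before the host, overlapping fragments, and an invalid IP header checksum) are all things a sensor can check for rather than fall for. The following is an added example, not code from the original post: a small Python detector over constructed packet records, with an assumed hop-count table for the monitored hosts.

```python
from dataclasses import dataclass

# Constructed topology: router hops between the sensor and each monitored host.
# (Assumed values for this example; a real deployment would measure them.)
HOPS_BEYOND_SENSOR = {"10.0.0.5": 3, "10.0.0.9": 6}

@dataclass
class Fragment:
    src: str
    dst: str
    ttl: int
    offset: int   # byte offset of this fragment within the original datagram
    data: bytes

def ttl_expires_before_host(pkt: Fragment, hops=HOPS_BEYOND_SENSOR) -> bool:
    """A packet the sensor sees whose TTL cannot carry it to its destination.
    Such packets exist only to feed the IDS, so they deserve an alert."""
    h = hops.get(pkt.dst)
    return h is not None and pkt.ttl <= h

def fragments_overlap(frags) -> bool:
    """True when two fragments of one datagram claim overlapping byte ranges,
    the ambiguity an evader relies on when sensor and host reassemble differently."""
    spans = sorted((f.offset, f.offset + len(f.data)) for f in frags)
    return any(spans[i][0] < spans[i - 1][1] for i in range(1, len(spans)))

def ip_header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    if len(h) % 2:
        h.append(0)
    total = sum(int.from_bytes(h[i:i + 2], "big") for i in range(0, len(h), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_checksum_valid(header: bytes) -> bool:
    """The host drops a bad-checksum packet; a sensor that still inspects it can be
    fed decoys, so the sensor should validate and then ignore such packets."""
    return int.from_bytes(header[10:12], "big") == ip_header_checksum(header)

# Constructed 20-byte IPv4 header (192.168.0.1 -> 192.168.0.199, UDP), checksum 0xB861.
GOOD_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
BAD_HEADER = GOOD_HEADER[:10] + b"\x00\x00" + GOOD_HEADER[12:]

if __name__ == "__main__":
    decoy = Fragment("10.0.0.7", "10.0.0.9", ttl=4, offset=0, data=b"GET /")
    print("ttl decoy:", ttl_expires_before_host(decoy))            # True
    frags = [Fragment("10.0.0.7", "10.0.0.5", 64, 0, b"A" * 8),
             Fragment("10.0.0.7", "10.0.0.5", 64, 4, b"B" * 8)]
    print("overlap:", fragments_overlap(frags))                     # True
    print("checksum:", ip_checksum_valid(GOOD_HEADER), ip_checksum_valid(BAD_HEADER))  # True False
```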
Conclusion:
In this part we discussed internal penetration testing and its techniques in more detail.