Infrastructure penetration testing is another important type of penetration testing; it is performed in two categories, internal and external. The main goal of an infrastructure penetration test is to identify all security vulnerabilities in the target infrastructure and to produce a proof of concept (PoC) for the exploitable ones. Our tests are carried out with both automated tools and manual methods, and the vulnerabilities identified are exploited and taken as far as they can go. This usually results in a user with domain admin rights, in nearly all internal penetration tests.

Infrastructure Penetration Testing helps you to:

  • See how vulnerable your internal and external infrastructure is
  • Know about all your exploitable issues
  • Minimize the risks to your business continuity
  • Identify vulnerable hosts so that you can harden your systems
  • Get a clear view of the next steps you have to take to maintain your security
  • Detect known or unknown vulnerabilities that could be exploited
  • Identify installations that do not comply with your internal policy
  • Identify all misconfigured firewall rules
  • Learn how well your security investments protect you
  • Obtain security verification of the systems your company uses
  • See the big picture of the security posture of your internal and external infrastructure

Some of our external infrastructure penetration testing steps:

  • Try to discover all external subnets using information gathering techniques if it is a black box test
  • Look at WHOIS records to find out subnets.
  • Information gathering via Shodan, Google, Robtex, Bing, Yandex
  • Find out whether an IPS/WAF/FW is in place and try to bypass the device.
  • Try to discover all external websites if it is a black box test
  • Try to discover all subdomains if it is a black box test
  • Try to discover all subdirectories and common files with common extensions
  • Try to discover the mail servers and DNS servers.
  • Try to test zone transfer on the DNS servers.
  • Perform a brute force to identify subdomains via the DNS server
  • Try to perform more specific tests related to the DNS server.
  • Perform mail server open relay tests.
  • Try to send attachments with different malicious extensions (pdf, exe) to see whether the target systems block them.
  • Perform an SPF record test
  • Try to get internal IP information via email headers.
  • Try to perform more specific tests related to the mail server
  • Discover all live systems on the external subnets
  • Scan all live systems with an automated scanner
  • Perform full TCP and UDP scans (to identify services running on non-default ports)
  • Try to map the version of each service on the target systems.
  • Try to find out all vulnerabilities related to these versions (exploit-db, packetstormsecurity.com or elsewhere)
  • If you come across any, try to find out which systems are behind a SYN proxy
  • Try to log in to authenticated services with the most common passwords
  • Try to identify credentials without a password (telnet, ftp etc.)
  • Try to identify SMB file shares that are accessible anonymously
  • Try to identify NFS file shares on the Unix/Linux systems.
  • Try to find out all anonymous FTP accounts, and analyze all the data you can access
  • List all authenticated services and try to find their default credentials.
  • Discover all software and applications visible externally
  • Try a brute force attack against these systems.
  • Try to scan for the most popular bugs such as MS08-067, Heartbleed and Shellshock across all networks with nmap
  • Try to find out all Tomcat applications and take a step further to execute arbitrary commands
  • Try to identify Sun GlassFish services and take a step further to execute arbitrary commands
  • Scan all JBoss applications and take a step further to execute arbitrary commands
  • Perform a manual test on all the most common HTTP ports (80, 443, 81, 8080 etc.) as much as possible
  • Perform a manual test on the other most popular services as much as possible.
  • Discover and exploit systems that have a default SNMP community string.
  • Try to find external web applications in the client's subnets, then find out and exploit web vulnerabilities
  • Analyse all vulnerabilities found by the automated scanner and try to exploit them
  • Try to find more critical files on the compromised systems.
  • Try to dump cleartext Windows passwords from memory for post-exploitation on compromised systems.
  • Try to find domain admin tokens throughout the internal network if we compromised any system.
  • Password cracking tests
  • If we compromised any system, try pivoting and port forwarding for advanced post-exploitation
  • Mail gateway tests and bypass methods
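
The "SPF record test" above can largely be done offline against the TXT record a domain publishes. The following is an added example, not the service's own tooling; the domain names and records it evaluates are constructed.

```python
"""Offline SPF record sanity check (added example, not the service's own tooling).

Given the TXT record a domain publishes, report the weaknesses an SPF record
test typically flags: no record, a permissive '+all' or '?all', no 'all'
mechanism, a 'ptr' mechanism, and more than 10 DNS-lookup terms (RFC 7208 4.6.4).
"""
import re
from typing import List

# Mechanisms/modifiers that each cost one DNS lookup under RFC 7208.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, mechanism/modifier name, optional argument after ':', '=' or '/'
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$")


def check_spf(record: str) -> List[str]:
    """Return findings for one SPF TXT record; an empty list means no issue."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record (missing v=spf1)"]
    findings, lookups, saw_all = [], 0, False
    for term in terms[1:]:
        m = TERM_RE.match(term.lower())
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, name, _arg = m.groups()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            saw_all = True
            if qualifier in ("", "+"):
                findings.append("'+all': every sender passes, SPF is useless")
            elif qualifier == "?":
                findings.append("'?all': neutral result, receivers will not reject")
        elif name == "ptr":
            findings.append("'ptr' mechanism: discouraged by RFC 7208, slow and unreliable")
    if not saw_all:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


# Constructed sample records, from weakest to sound.
SAMPLES = {
    "example.test": "v=spf1 +all",
    "shop.test": "v=spf1 a mx ptr include:_spf.mailer.test",
    "corp.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
}
```

Feed it the TXT record you fetch for your own domains; only the last sample comes back clean.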

Some of our internal penetration testing steps:

  • Discover all live systems in the internal network
  • Scan all live systems with an automated scanner
  • Perform full TCP and UDP scans (to identify services running on non-default ports)
  • Try to map the version of each service on the target systems.
  • Try to find out all vulnerabilities related to these versions (exploit-db, packetstormsecurity.com or elsewhere)
  • If you come across any, try to find out which systems are behind a SYN proxy
  • Try to log in to authenticated services with the most common passwords
  • Try to identify credentials without a password (telnet, ftp etc.)
  • Try to identify SMB file shares that are accessible anonymously
  • Try to identify NFS file shares on the Unix/Linux systems.
  • Try to find out all anonymous FTP accounts, and analyze all the data you can access
  • List all authenticated services and try to find their default credentials.
  • Discover all software and applications in the LAN (ask the client if needed)
  • Try a brute force attack if these systems do not have a lockout policy (ask the client about the account lockout policy before the test)
  • Try a MITM attack to see whether there is any prevention in the LAN
  • Try to perform DHCP spoofing, ICMP redirection and similar attacks, if the client environment allows it.
  • Try to find out systems that use the same local administrator password (pass the hash)
  • Try to scan for the most popular bugs such as MS08-067, Heartbleed and Shellshock across all networks with nmap
  • Try to find out all Tomcat applications and take a step further to execute arbitrary commands
  • Try to identify Sun GlassFish services and take a step further to execute arbitrary commands
  • Scan all JBoss applications in the LAN and take a step further to execute arbitrary commands
  • Perform a manual test on all the most common HTTP ports (80, 443, 81, 8080 etc.) as much as possible
  • Perform a manual test on the other most popular services as much as possible.
  • Discover systems that have a default SNMP community string and exploit them for a PoC.
  • Try to bypass NAC systems with IP spoofing and MAC changing
  • Try to bypass 802.1X or other NAC restrictions via a printer port
  • If needed, try to discover internal subnets.
  • Try to find internal web applications, then find out and exploit web vulnerabilities
  • Try to take screenshots of all web interfaces automatically on specific web ports to make testing easier
  • Try to test access controls between the VLANs and the DMZ
  • Try to test access controls between VLANs
  • Try to perform VLAN hopping tests.
  • Analyse all vulnerabilities found by the automated scanner and try to exploit them
  • Try to find more critical files on the compromised systems.
  • Try to dump cleartext Windows passwords from memory for post-exploitation
  • Try to find domain admin tokens throughout the internal network
  • Password cracking tests
  • Pivoting and port forwarding for advanced post-exploitation
  • Antivirus bypass tests
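
The access-control tests between VLANs and the DMZ listed above (and the "misconfigured firewall rules" finding they produce) can be rehearsed on the ruleset itself before any traffic is sent. The following is an added example, not the service's own tooling; the ruleset, addresses and policy it checks are constructed.

```python
"""Offline check of a firewall ruleset against a segmentation policy
(added example, not the service's own tooling).

Rules are evaluated first-match, as on most firewalls. MUST_DENY lists flows
the policy forbids; every flow a rule still permits is reported as a finding,
the same class of issue an inter-VLAN/DMZ access-control test turns up.
"""
import ipaddress
from typing import List, Tuple

# Constructed ruleset: (action, src_cidr, dst_cidr, proto, dst_port or None=any).
RULES = [
    ("allow", "10.10.0.0/16", "10.20.0.10/32", "tcp", 443),  # user VLAN -> DMZ web
    ("allow", "10.10.0.0/16", "10.20.0.0/24", "tcp", None),  # "temporary" rule, too broad
    ("deny", "10.10.0.0/16", "10.20.0.0/24", "any", None),   # intended user -> DMZ block
    ("allow", "0.0.0.0/0", "0.0.0.0/0", "any", None),        # catch-all default permit
]

# Constructed policy: flows that must not be reachable (src, dst, proto, port).
MUST_DENY = [
    ("10.10.5.23", "10.20.0.10", "tcp", 22),    # users must not SSH into the DMZ
    ("10.10.5.23", "10.20.0.50", "tcp", 3389),  # users must not RDP into the DMZ
    ("10.10.5.23", "10.30.0.5", "tcp", 22),     # users must not reach the server VLAN
]


def evaluate(rules, src: str, dst: str, proto: str, port: int) -> Tuple[str, int]:
    """First-match evaluation; returns (action, index of the matching rule)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rsrc, rdst, rproto, rport) in enumerate(rules):
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != port:
            continue
        return action, i
    return "deny", -1  # nothing matched: treat as an implicit deny


def audit(rules, must_deny) -> List[str]:
    """One finding per forbidden flow that the ruleset permits, naming the rule."""
    findings = []
    for src, dst, proto, port in must_deny:
        action, idx = evaluate(rules, src, dst, proto, port)
        if action == "allow":
            findings.append(f"rule #{idx} permits {src} -> {dst} {proto}/{port}")
    return findings
```

On the constructed ruleset, rule #1 shadows the intended deny for the two DMZ flows and rule #3 lets the user VLAN reach the server VLAN; fixing either means moving or narrowing the rule rather than adding one below it.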

If you would like to find out how our Infrastructure Penetration Testing service can benefit your company, or want more information about the service, please contact our security experts for a free quick consultation.