Phase 2: Service Enumeration and Vulnerability Identification

advertisement

Penetration Testing Services

Verizon conducts Vulnerability Assessment or Penetration Tests of Internetfacing or internal infrastructure and associated systems. The objective is to identify security weaknesses that could be exploited by motivated malicious individuals to gain unauthorised access to systems or data. Verizon’s consultants take an offensive approach, analysing the environment to identify easy-todetect vulnerabilities (“low-hanging fruit”) as well as more complex attacks exploiting chained vulnerabilities.

Verizon distinguishes between three major types of Penetration

Tests:

 Classical Penetration Test: Internal or External network based penetration test. The goal of the assessment is to find, document and exploit holes in the security posture;

 Blended Threat Penetration Test: In addition to the above, this service covers modern attack vectors such as

Spear Phishing, Open Source Intelligence, Social

Engineering and Client-Side code execution;

 Goal-oriented Penetration Test: All contractually agreed means are available to Verizon to reach a specified goal, which could be Intellectual Property or other valuable assets. This may include employing physical, digital and other means of reaching the goal.

Classical

Penetration Test

Blended Threat

Penetration Test

Goal oriented

Penetration Test

Classical Penetration Test

The Classical Penetration Test includes the Web Application layer in an automated form – this means that automation will be employed to assess the security of the discovered web applications.

For a more thorough assessment of the security of web applications, Verizon recommends our “Web

Application Vulnerability Assessment (WAVA)” service. The WAVA service covers all controls and mitigations put in place to protect a Web Application, and goes much deeper than the Classical Penetration Test.

After the identification of vulnerabilities, penetration testing will be conducted to demonstrate the ability to gain unauthorised access to system resources and/or disrupt system services. Verizon uses a range of security tools, both manual and automated, and a proprietary methodology to identify, validate, and exploit security vulnerabilities.

All activities are coordinated to help minimise negative impact to the systems being tested. Throughout the engagement, the Verizon team will share results with your authorised personnel to maximise information transfer and expedite the correction of security issues.

Where we identify critical or high-risk vulnerabilities on external-facing assets, your designated project pointof-contact will be notified immediately. Moderate and low-risk vulnerabilities will be detailed in the final report of findings. Testing will be conducted in five phases.

Phase 1: Network Mapping and Host Discovery

During this phase, Verizon will attempt to characterise the target network and develop an understanding of the network architecture. Reconnaissance activities will be performed to gather information including registration data, operating system version and patch level, and service version and configuration.

Host Identification: Identify live hosts;

Network Route Mapping: Map the network route to each system using trace route;

IP ranges: Using Whois, Ripe, and other public databases we will try to identify which IP ranges belong to the your organisation;

DNS name brute force: Once we identify Domains, we can perform DNS brute force to enumerate potential valid hostnames / subdomains on them;

DNS reverse lookups: This technique will allow getting hostnames, performing a DNS reverse lookup of an IP;

DNS names harvesting: Using search engines and public databases like PGP key servers, Verizon will try to identify hostnames and subdomains used by your organisation;

Metadata: Using metadata from public documents we will try to identify internal hosts and usernames;

Virtual hosts: Using search engines we can obtain information on which virtual hosts are hosted in an IP that acts as a Web server.

Phase 2: Service Enumeration and Vulnerability Identification

Verizon uses a combination of commercial and open-source tools to identify security vulnerabilities in the targeted network. Activities will focus on scanning previously discovered hosts for potential vulnerabilities.

Operating System Identification: Identify the operating system of each host through analysis of responses to specially crafted TCP/IP packets. Techniques such as packet fragmenting and loose-source routing may be used in an attempt to bypass filtering routers and firewalls;

Network Service Enumeration: Enumerate the services available on each system through TCP and UDP port scanning, to include all common services, such as FTP, Telnet, SSH, DNS, SMTP, SNMP, HTTP, etc. and all

65,536 TCP ports, as well as the most commonly used and exploited UDP ports;

For internal penetration tests, Verizon will discover weak routing protocols and will analyse the presence of weak or insecurely configured routing or network protocols such as VRRP, HSRP, RIP among others.

Phase 3: Verification of Discovered Vulnerabilities

All identified vulnerabilities will be confirmed by Verizon’s security staff within the confines of the rules of engagement to minimise false positives to the greatest extent possible. At this stage the assessment will be limited to cross referencing banner information with security vulnerability databases or vulnerability scanning tools.

Network Service Exploration: Build a detailed profile of each service through automated and manual banner grabbing and service exploration without exploiting any service vulnerabilities including performing nonintrusive network probing and making connections to services that are unlikely to affect the stability or availability of the target system;

Vulnerability Identification: Use commercial and open-source vulnerability scanners to identify known vulnerabilities on each system;

Confirmation of insecure configurations in Transport and Routing Protocols.

Phase 4: Exploitation of Discovered Vulnerabilities

Verizon invests in professional-grade exploitation tools and frameworks with reliable payloads. Should Verizon be in the possession of a suitable and reliable exploit for a discovered vulnerability, it will be exploited within the confines of the rules of engagement to minimise the impact to systems.

Verizon will try to gain active unauthorised access to the systems discovered as vulnerable and will use these systems as means of pivoting further into other segments and vulnerable systems. All credentials compromised during this phase will be used and re-used to further compromise other systems by accessing them remotely with the discovered credentials.

Once further access has been gained on the target system, the previously completed phases will be repeated where relevant to penetrate deeper into the network and demonstrate the risk posed to your organisation.

Privilege escalation will be attempted in order to take control of the most important accounts in the environments like Domain administrators, Root users of critical servers, DBA accounts, etc.

Phase 5: Analysis and Reporting

Verizon will analyse data collected and generate descriptions of findings,potential impacts and recommendations to mitigate the vulnerabilities discovered. The recommendations will be relevant and specific to your environment.

If target systems were penetrated, the attack vectors and paths used will be documented for easier comprehension.

Verizon will use feedback from personnel to complete the Report of Findings and will issue the final report once the approved changes are made.

Download