After initiating the project, we collect the scoping/target information from the client. This information includes all network ranges in scope, compromise goals to help us focus on particular attacks, and information that can help us prevent issues, such as dynamically changing IP addresses, account lockout policy and any production web forms to avoid. This process also involves a brief meeting with the client to review and acknowledge the rules of the penetration testing engagement and confirm project scope and testing timelines.
The first phase involves gathering passive intelligence, which includes sniffing the network and analysing the traffic passing through it. Additionally, some open source intelligence gathering will be performed to collect information such as user accounts, software-related information, internal applications, etc. This data helps us to understand the internal operating conditions of the organisation, which allows us to assess the risk accurately as the engagement progresses.
The vulnerability analysis phase starts with the active enumeration of all in-scope targets/applications. We scan the network using a variety of automated scanning tools and scripts to identify vulnerabilities associated with the target systems. Attempts are made to identify the version information of running services and any previously published vulnerabilities associated with them. We also test the unauthenticated portions of any web applications discovered during scanning. Each identified service is tested for default credentials and misconfigurations, and the attack surface is prioritised ahead of the exploitation phase.
In this phase we attempt to exploit the vulnerabilities identified in the previous phases of the assessment. We also eliminate the false positives reported by the automated scanning tools. After successful compromise of a system/device, we proceed to escalate privileges to root or domain administrator accounts. Attempts are also made to gain access to in-scope systems by launching password attacks against each login prompt discovered. This helps to evaluate the realistic risk level associated with the successful exploitation of vulnerabilities that may exist in the internal infrastructure.
After completing the assessment, SecureTriad provides an assessment report which includes an executive summary and technical findings. The executive summary is written for management consumption and is a high-level overview of assessment activities, scope, the most critical issues discovered, and overall risk scoring. We also include strategic recommendations to assist business leaders in making informed decisions regarding their information systems/devices. The technical findings list each vulnerability individually, with the details needed to recreate the issue (including the necessary screenshots), an explanation of the potential risk, recommended remediation actions, and helpful reference links.