Corporate network perimeter security is essential: any weakness in it could lead to the compromise or abuse of your external and, potentially, your internal infrastructure, with a negative impact on your business and reputation. Our skilled security consultants, using proven and advanced methodologies, can help you identify, evaluate and remediate possible issues and ensure that you follow industry security best practices and standards.
The External Infrastructure Testing Methodology is divided into three distinct phases: Profiling, Assessment and Exploitation.
Profiling Phase
Information gathering (reconnaissance) techniques such as enumeration, footprinting, fingerprinting and DNS/SMTP reconnaissance will be performed to gather as much information as possible about the customer's network infrastructure and social structure.
Specifically, the following techniques will be used to find and assess security-related information:
Information Gathering (Reconnaissance)
Active Gathering | Passive Gathering
Port Scanning (TCP/UDP) | Visiting the Customer's Websites
Ping Sweeps (TCP/ICMP) | Public Documents (Metadata)
Traceroutes (TCP/UDP/ICMP) | Search Engines
Common Protocol Queries (SNMP/SMB/IKE/LDAP/DB) | Whois Databases (IP/Domain)
DNS Lookups & Zone Transfers (Forward/Reverse/Brute-force) | PGP Key-servers
SMTP Enumeration (VRFY, EXPN, MAIL FROM/RCPT TO) | Online Network Tools (Robtex, Netcraft)
SMTP Bounce Emails | Social Networks & Blogs
OS & Service Fingerprinting | Mailing Lists, News Groups, Forums, Job Postings, IRC
Using these information gathering techniques we will be able to profile the customer's network infrastructure and social structure as described below:
Network Infrastructure
Host names - including domains, subdomains and virtual hosts
IP Addresses - all IP addresses and network blocks related to the customer's network
Network Devices - including firewalls (and IDS/IPS/WAF), routers, switches and VPN gateways
Servers - identifying any server running within the network infrastructure (such as name, email, web, file, database and domain servers)
Exterior Routing - identifying routing protocols and AS numbers

Social Structure
Organization - identifying organizational structure and security-related information such as headquarters/office addresses, email addresses, departments/roles, services/products, phone/fax numbers and documents
Employees - identifying employee contacts and public posts exposing technical and/or network information
Subsidiaries/Partners - identifying organizations which share network resources with the customer's organization
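The SMTP enumeration entry in the table above (VRFY, EXPN, then MAIL FROM/RCPT TO) is the one technique in the list whose protocol exchange is worth seeing end to end. The following is an added example, not code from the original page or the consultancy's own tooling: a small Python enumerator that tries the three commands in order and falls back when the server declines to verify, run against a constructed mock SMTP server on loopback so that it executes offline. The domain example.test, the mailbox list and the mock's response codes are assumptions; the mock imitates a common hardened configuration in which VRFY answers 252 for everyone and EXPN is disabled, yet RCPT TO still distinguishes existing mailboxes from unknown ones.

```python
import re
import socket
import socketserver
import threading

# Constructed mock SMTP server so the example runs offline. The user list and
# domain are assumptions, not data from any real system.
KNOWN_USERS = {"alice", "bob", "postmaster"}
DOMAIN = "example.test"


class MockSMTPHandler(socketserver.StreamRequestHandler):
    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply(f"220 mail.{DOMAIN} ESMTP")
        for raw in self.rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply(f"250 mail.{DOMAIN}")
            elif verb == "VRFY":            # hardened: never confirms or denies
                self.reply("252 Cannot VRFY user, but will accept message")
            elif verb == "EXPN":            # hardened: list expansion disabled
                self.reply("502 EXPN not implemented")
            elif verb in ("MAIL", "RSET"):
                self.reply("250 OK")
            elif verb == "RCPT":            # but recipient checks still leak
                m = re.search(r"<([^@>]+)@", arg)
                user = m.group(1).lower() if m else ""
                self.reply("250 OK" if user in KNOWN_USERS else "550 No such user here")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 Command unrecognized")


class SMTPEnumerator:
    """Checks candidate usernames with VRFY, then EXPN, then RCPT TO."""

    def __init__(self, host, port, domain, timeout=5.0):
        self.domain = domain
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.f = self.sock.makefile("rwb")
        self._read()                              # 220 banner
        self._cmd(f"HELO probe.{domain}")

    def _read(self):
        # Collect a possibly multi-line reply ("250-..." continuation lines).
        while True:
            line = self.f.readline().decode("ascii", "replace").rstrip("\r\n")
            if not line:
                raise ConnectionError("server closed the connection")
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), line

    def _cmd(self, line):
        self.f.write((line + "\r\n").encode("ascii"))
        self.f.flush()
        return self._read()

    def check(self, user):
        code, _ = self._cmd(f"VRFY {user}")
        if code == 250:
            return "valid (VRFY)"
        if code in (550, 551, 553):
            return "invalid (VRFY)"
        # 252 (will not verify) or 502 (disabled): try EXPN, then RCPT TO.
        code, _ = self._cmd(f"EXPN {user}")
        if code == 250:
            return "valid (EXPN)"
        self._cmd(f"MAIL FROM:<probe@{self.domain}>")
        code, _ = self._cmd(f"RCPT TO:<{user}@{self.domain}>")
        self._cmd("RSET")                         # abandon the transaction; no mail is sent
        if code in (250, 251):
            return "valid (RCPT TO)"
        if code in (550, 551, 553):
            return "invalid (RCPT TO)"
        return f"unknown ({code})"

    def close(self):
        self._cmd("QUIT")
        self.f.close()
        self.sock.close()


def run_demo(candidates=("alice", "bob", "eve", "root")):
    """Start the mock server on an ephemeral loopback port and enumerate."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSMTPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        enum = SMTPEnumerator("127.0.0.1", server.server_address[1], DOMAIN)
        results = {u: enum.check(u) for u in candidates}
        enum.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for user, verdict in run_demo().items():
        print(f"{user:<12} {verdict}")
```

Against a real target the RSET after each RCPT TO matters: without it the probe leaves an open transaction, and some servers rate-limit or disconnect after a few rejected recipients, so the enumerator should also slow down on 4xx responses rather than treating them as verdicts.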
Assessment Phase
Both automated and manual vulnerability assessment will be performed against the customer's external infrastructure, based on the information found in the Profiling Phase. The aim is to identify known vulnerabilities through scanning and, through manual testing, the issues that automated scanners miss.
Specifically, the following vulnerability assessment techniques will be used:
Vulnerability Assessment
Automated Assessment – Vulnerability scanners will be used to identify potential risks.
Information Leakages – Applications can unintentionally leak information about their configuration or internal workings (e.g. banners exposing version details, error messages revealing SQL syntax).
Input Validation – An assessment will be performed to identify applications and services that fail to fully validate the input they receive from users (e.g. buffer overflows, SQL injection).
Misconfigurations – Misconfigured security settings, particularly insecure default settings, are usually easy to exploit.
Lack of Patching – Identifying out-of-date systems and services.
Insecure Protocols – Identifying protocols that transmit authentication credentials in clear text and are therefore vulnerable to sniffing attacks.
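Three of the items above (information leakage through banners, lack of patching, insecure protocols) can be checked from a single banner-grab pass. The following is an added example, not the original page's or the consultancy's code: it parses a handful of constructed service banners on TEST-NET-2 addresses, extracts product and version, compares the version against an assumed minimum-version baseline, and flags ports whose default protocol carries credentials in clear text. The baseline figures are placeholders for illustration, not advisory data.

```python
import re

# Constructed banners (TEST-NET-2 addresses) standing in for banner-grab output.
BANNERS = {
    "198.51.100.10:22": "SSH-2.0-OpenSSH_7.4",
    "198.51.100.10:25": "220 mail.example.test ESMTP Postfix (Ubuntu)",
    "198.51.100.11:80": "Server: Apache/2.4.29 (Ubuntu)",
    "198.51.100.12:21": "220 (vsFTPd 3.0.3)",
    "198.51.100.13:443": "Server: nginx",
    "198.51.100.14:23": "Welcome to the router console\r\nlogin:",
}

# Regexes for a few common banner formats. The named group "ver" is present
# only where the banner format normally carries a version.
PATTERNS = [
    ("OpenSSH", re.compile(r"SSH-2\.0-OpenSSH_(?P<ver>[\d.]+)")),
    ("Apache httpd", re.compile(r"Apache/(?P<ver>[\d.]+)")),
    ("nginx", re.compile(r"nginx(?:/(?P<ver>[\d.]+))?")),
    ("vsftpd", re.compile(r"vsFTPd (?P<ver>[\d.]+)", re.IGNORECASE)),
    ("Postfix", re.compile(r"ESMTP Postfix")),
]

# Assumed minimum acceptable versions: placeholders for illustration, not
# advisory data. In practice this comes from the vendor's current release list.
BASELINE = {"OpenSSH": "8.0", "Apache httpd": "2.4.50", "vsftpd": "3.0.3", "nginx": "1.18.0"}

# Ports whose default protocol sends credentials in clear text.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP"}


def version_key(version):
    """'2.4.29' -> (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_banner(banner):
    """Return (product, version) or (None, None) if no pattern matches."""
    for product, pattern in PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.groupdict().get("ver")
    return None, None


def assess(banners, baseline=BASELINE):
    """Classify each endpoint by what its banner discloses and how old it looks."""
    findings = []
    for endpoint, banner in banners.items():
        port = int(endpoint.rsplit(":", 1)[1])
        product, version = parse_banner(banner)
        if product is None:
            status = "unrecognised banner"
        elif version is None:
            status = "product disclosed, no version"
        elif product in baseline and version_key(version) < version_key(baseline[product]):
            status = f"outdated (below assumed baseline {baseline[product]})"
        else:
            status = "version disclosed"
        findings.append({
            "endpoint": endpoint,
            "product": product,
            "version": version,
            "status": status,
            "cleartext_protocol": CLEARTEXT_PORTS.get(port),
        })
    return findings


if __name__ == "__main__":
    for f in assess(BANNERS):
        extra = f" [{f['cleartext_protocol']}: credentials in clear text]" if f["cleartext_protocol"] else ""
        print(f"{f['endpoint']:<20} {f['product'] or '-':<13} {f['version'] or '-':<8} {f['status']}{extra}")
```

One caveat a practitioner will want: distribution packages backport security fixes without changing the advertised version, so "Apache/2.4.29 (Ubuntu)" may already carry the relevant patches. A banner-based "outdated" finding is a lead to confirm against the installed package version or an authenticated check, not a conclusion on its own.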
Exploitation Phase
At the exploitation stage we will attempt to exploit the identified vulnerabilities in order to validate that they are real. Both online and offline password attacks (guessing, dictionary, hybrid and brute-force) will be performed against the authentication points and any password hashes (e.g. MD5) found in the previous steps of testing. Where exploitation succeeds, we will try to escalate privileges within applications, hosts and networks.
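The offline password attacks named above, as an added example that is not the original page's or the consultancy's code: a dictionary pass, a hybrid pass that applies common mangling rules to each word, and a short brute-force fallback, all run against unsalted MD5 hashes. The target hashes are constructed inside the block from chosen passwords so that it is self-contained; the wordlist and the mangling rules are assumptions.

```python
import hashlib
import itertools
import string


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed targets: the hashes are produced here from chosen passwords so the
# example is self-contained. They are not hashes recovered from any real system.
DEMO_PASSWORDS = ["Summer2024", "p455w0rd", "admin1", "k9z", "correct horse battery staple"]
DEMO_HASHES = [md5hex(p) for p in DEMO_PASSWORDS]

# Assumed wordlist; a real engagement uses a large, target-specific list.
WORDLIST = ["password", "welcome", "summer", "admin", "letmein", "qwerty"]

LEET = str.maketrans("aeios", "43105")
SUFFIXES = ("", "1", "123", "!", "2024", "1!")


def hybrid_candidates(word):
    """Dictionary word plus common mangling rules: case changes, leet, suffixes."""
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(hashes, wordlist, brute_max_len=3, alphabet=string.ascii_lowercase + string.digits):
    """Return {hash: plaintext} for every recovered hash; unrecovered ones are absent."""
    targets = {h.lower() for h in hashes}
    found = {}

    def check(candidate):
        h = md5hex(candidate)
        if h in targets and h not in found:
            found[h] = candidate
        return len(found) == len(targets)

    # Stage 1 and 2: dictionary words and their hybrid variants (cheapest first).
    for word in wordlist:
        for cand in hybrid_candidates(word):
            if check(cand):
                return found
    # Stage 3: exhaustive search over short strings. Cost grows as |alphabet|^n,
    # so this only ever recovers very short passwords.
    for n in range(1, brute_max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            if check("".join(combo)):
                return found
    return found


def run_demo():
    return crack(DEMO_HASHES, WORDLIST)


if __name__ == "__main__":
    found = run_demo()
    for h in DEMO_HASHES:
        print(f"{h}  {found.get(h, '<not recovered>')}")
```

The long passphrase stays unrecovered, which is the point of the three-stage order: cheap dictionary and rule-based guesses first, exhaustive search only for the shortest candidates. The whole approach is feasible because the hashes are unsalted MD5; a salted, deliberately slow hash (bcrypt, scrypt or Argon2) removes the hash-once-compare-many shortcut and multiplies the cost per guess, which is the remediation to recommend when this attack succeeds.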