External Infrastructure Testing

Corporate network perimeter security is essential: any weakness exposed on the perimeter can lead to the compromise or abuse of your external, and possibly your internal, infrastructure, with a direct impact on your business and reputation. Our skilled security consultants, using proven and advanced methodologies, can help you identify, evaluate and remediate such issues and ensure that you follow industry security best practices and standards.

The External Infrastructure Testing Methodology is divided into three distinct phases: Profiling, Assessment and Exploitation.

Profiling Phase

Information Gathering (Reconnaissance) techniques such as Enumeration, Footprinting, Fingerprinting and DNS/SMTP Reconnaissance will be performed to gather as much information as possible about the customer's network infrastructure and social structure.

Specifically, the following techniques will be used to find and assess any security-related information:

Information Gathering (Reconnaissance)

Active Gathering

Port Scanning (TCP/UDP)
Ping Sweeps (TCP/ICMP)
Traceroutes (TCP/UDP/ICMP)
Common Protocol Queries (SNMP/SMB/IKE/LDAP/DB)
DNS Lookups & Zone Transfers (Forward/Reverse/Brute-force)
SMTP Enumeration (VRFY, EXPN, MAIL FROM/RCPT TO)
SMTP Bounce Emails
OS & Service Fingerprinting

Passive Gathering

Visit Customer's Websites
Public Documents (Metadata)
Search Engines
Whois Databases (IP/Domain)
PGP Key-servers
Online Network Tools (Robtex, Netcraft)
Social Networks & Blogs
Mailing Lists, News Groups, Forums, Job Postings, IRC

Using these Information Gathering techniques we will be able to profile the customer's network infrastructure and social structure as described below:

Network Infrastructure

Host Names - Including domains, subdomains and virtual hosts
IP Addresses - All IP addresses and network blocks related to the customer's network
Network Devices - Including firewalls, IDS/IPS, WAFs, routers, switches and VPN gateways
Servers - Identifying any server running within the network infrastructure (such as name, email, web, file, database and domain servers)
Exterior Routing - Identifying routing protocols and AS numbers

Social Structure

Organization - Identifying organizational structure and security-related information such as headquarters/office addresses, email addresses, departments/roles, services/products, phone/fax numbers and documents
Employees - Identifying employee contact details and public posts exposing technical and/or network information
Subsidiaries/Partners - Identifying organizations which share network resources with the customer's organization
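
The SMTP Enumeration item above (VRFY, EXPN, MAIL FROM/RCPT TO) is easiest to understand as a protocol exchange. The following is an added example written for this page, not tooling from the testing company: a small client that probes candidate usernames with VRFY, falls back to MAIL FROM / RCPT TO when VRFY is disabled, and checks for catch-all domains with a sentinel address. So that it runs offline, it talks to a toy SMTP responder over a socketpair; the mail host name, the user directory and the candidate list are constructed assumptions.

```python
import socket
import threading

# Constructed user directory for the toy server below (demo assumption, not a real host).
VALID_USERS = {"alice", "bob", "postmaster"}


def fake_smtp_server(sock, vrfy_enabled):
    """Toy SMTP responder so the exchange runs offline over a socketpair."""
    # With vrfy_enabled VRFY answers 250 (known) / 550 (unknown); otherwise VRFY is
    # refused with 502 but RCPT TO still leaks the same distinction.
    f = sock.makefile("rb")
    sock.sendall(b"220 mail.example.test ESMTP\r\n")
    while True:
        raw = f.readline()
        if not raw:
            break  # client closed the connection
        verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            sock.sendall(b"250 mail.example.test\r\n")
        elif verb == "VRFY" and not vrfy_enabled:
            sock.sendall(b"502 5.5.2 VRFY command is disabled\r\n")
        elif verb in ("VRFY", "RCPT"):
            # "VRFY user@dom" and "RCPT TO:<user@dom>" both reduce to the local part
            local = arg.split(":")[-1].strip("<> ").split("@")[0].lower()
            if local in VALID_USERS:
                sock.sendall(f"250 2.1.5 <{local}@example.test>\r\n".encode())
            else:
                sock.sendall(b"550 5.1.1 User unknown\r\n")
        elif verb in ("MAIL", "RSET", "NOOP"):
            sock.sendall(b"250 2.0.0 Ok\r\n")
        elif verb == "QUIT":
            sock.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            sock.sendall(b"500 5.5.1 Command unrecognized\r\n")
    sock.close()


def read_reply(f):
    """Read one SMTP reply, skipping 'NNN-' continuation lines; return (code, text)."""
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), line[4:]


def smtp_cmd(sock, f, cmd):
    sock.sendall((cmd + "\r\n").encode())
    return read_reply(f)


def enumerate_users(sock, domain, candidates, sentinel="zq7x3vbn-does-not-exist"):
    """Sort candidate local parts into confirmed / rejected / inconclusive."""
    f = sock.makefile("rb")
    _, banner = read_reply(f)
    smtp_cmd(sock, f, "EHLO probe.example.test")
    state = {"method": "VRFY", "envelope_open": False}

    def probe(user):
        addr = f"{user}@{domain}"
        if state["method"] == "VRFY":
            code, _ = smtp_cmd(sock, f, f"VRFY {addr}")
            if code not in (500, 502):
                return code
            state["method"] = "RCPT"  # VRFY disabled: fall back to MAIL FROM / RCPT TO
        if not state["envelope_open"]:
            smtp_cmd(sock, f, "MAIL FROM:<probe@example.test>")
            state["envelope_open"] = True
        code, _ = smtp_cmd(sock, f, f"RCPT TO:<{addr}>")
        return code

    report = {"banner": banner, "confirmed": [], "rejected": [], "inconclusive": []}
    for user in candidates:
        code = probe(user)
        if code in (250, 251):
            report["confirmed"].append(user)
        elif code in (550, 551, 553):
            report["rejected"].append(user)
        else:  # 252 "cannot VRFY, will accept", 450/451 greylisting, ...
            report["inconclusive"].append(user)
    # sentinel accepted => catch-all domain, so every 250 above proves nothing
    report["catch_all"] = probe(sentinel) in (250, 251)
    report["method"] = state["method"]
    smtp_cmd(sock, f, "QUIT")
    return report


def run_demo(vrfy_enabled, candidates=("alice", "carol", "bob", "dave")):
    """Wire the client to the toy server over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_smtp_server, args=(server, vrfy_enabled), daemon=True)
    t.start()
    try:
        return enumerate_users(client, "example.test", list(candidates))
    finally:
        client.close()
        t.join(timeout=2)
```

Running run_demo(True) confirms alice and bob through VRFY; run_demo(False) reaches the same answer through RCPT TO after the 502. Against a real host, treat a 252 reply as inconclusive rather than a hit, and discard every RCPT TO "confirmation" when the sentinel address is also accepted.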

Assessment Phase

Both automated and manual vulnerability assessment will be performed - based on the information found in the Profiling Phase - against the customer's external infrastructure, so that known vulnerabilities are identified and previously unknown ones can be uncovered.

Specifically, the following vulnerability assessment techniques will be used:

Vulnerability Assessment

Automated Assessment – Vulnerability scanners will be used to identify potential risks, which are then verified manually.
Information Leakage – Applications and services can unintentionally leak information about their configuration or internal workings (e.g. banners exposing version details, error messages revealing SQL syntax).
Input Validation – Applications and services that fail to fully validate the input they receive from users will be identified (e.g. buffer overflows, SQL injection).
Misconfigurations – Misconfigured security settings, particularly insecure default settings, are usually easily exploitable and will be identified.
Lack of Patching – Identifying out-of-date systems and services.
Insecure Protocols – Identifying protocols which send authentication credentials in clear text and are therefore vulnerable to sniffing by anyone on the network path.
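
To show what "credentials in clear text" means in practice for the Insecure Protocols item, here is an added example (written for this page, not the testing company's tooling) that recovers logins from a passive capture: FTP and POP3 USER/PASS pairs, an IMAP LOGIN command and an HTTP Basic Authorization header. The capture is a constructed list of TCP payloads, not real traffic, and the port-to-protocol mapping is a simplifying assumption (one stream per port).

```python
import base64
import re

# Constructed capture: one TCP payload per entry as (dst_port, direction, bytes).
# Made up for this demo, not real traffic.
CAPTURE = [
    (21, "c2s", b"USER ftpadmin\r\n"),
    (21, "s2c", b"331 Please specify the password.\r\n"),
    (21, "c2s", b"PASS Winter2020\r\n"),
    (110, "c2s", b"USER carol@example.test\r\n"),
    (110, "c2s", b"PASS hunter2\r\n"),
    (143, "c2s", b'a001 LOGIN "erin" "s3cret"\r\n'),
    (80, "c2s", b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
                b"Authorization: Basic " + base64.b64encode(b"dave:letmein") + b"\r\n\r\n"),
    (22, "c2s", b"SSH-2.0-OpenSSH_8.2\r\n"),  # encrypted after the banner: nothing to harvest
]

PROTO_BY_PORT = {21: "FTP", 110: "POP3", 143: "IMAP", 80: "HTTP"}
USER_PASS = re.compile(r"^(USER|PASS)\s+(\S+)", re.IGNORECASE)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.IGNORECASE)
BASIC_AUTH = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def extract_cleartext_credentials(capture):
    """Return [(protocol, port, username, password)] recoverable from a passive capture."""
    findings = []
    pending_user = {}  # port -> username from USER, waiting for the matching PASS
    for port, direction, payload in capture:
        if direction != "c2s":
            continue  # credentials travel client-to-server; replies carry nothing useful here
        proto = PROTO_BY_PORT.get(port)
        text = payload.decode("latin-1")  # never fails, keeps every byte intact
        if proto in ("FTP", "POP3"):  # both use the same USER / PASS dialogue
            for line in text.splitlines():
                m = USER_PASS.match(line)
                if not m:
                    continue
                if m.group(1).upper() == "USER":
                    pending_user[port] = m.group(2)
                elif port in pending_user:
                    findings.append((proto, port, pending_user.pop(port), m.group(2)))
        elif proto == "IMAP":
            for line in text.splitlines():
                m = IMAP_LOGIN.match(line)
                if m:
                    findings.append((proto, port, m.group(1).strip('"'), m.group(2).strip('"')))
        elif proto == "HTTP":
            for token in BASIC_AUTH.findall(text):
                try:
                    user, _, pw = base64.b64decode(token, validate=True).decode("latin-1").partition(":")
                except ValueError:
                    continue  # malformed header: skip it rather than abort the whole pass
                findings.append(("HTTP Basic", port, user, pw))
    return findings


if __name__ == "__main__":
    for proto, port, user, pw in extract_cleartext_credentials(CAPTURE):
        print(f"{proto:10} port {port:<4} {user}:{pw}")
```

Four logins come out of the eight payloads; the SSH banner on port 22 yields nothing, which is the point of the finding: the same credentials sent over FTP, POP3, IMAP or plain HTTP are readable by anyone who can observe the traffic.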

Exploitation Phase

At the exploitation stage we will attempt to exploit the identified vulnerabilities in order to validate that they are real. Online password guessing will be performed against the authentication points found in earlier steps, and offline cracking techniques (e.g. guessing, dictionary, hybrid and brute-force attacks) against any password hashes recovered (e.g. MD5). Where exploitation succeeds we will attempt to escalate privileges within applications, hosts and networks.
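
The offline side of that paragraph, dictionary, hybrid and brute-force attacks against unsalted MD5 hashes, as an added example written for this page (it is not the testing company's tooling). The user names, passwords and wordlist are constructed; the target hashes are derived from those passwords inside the block purely so that it runs self-contained, whereas in an engagement they would come from a recovered database or configuration file.

```python
import hashlib
import itertools
import string


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample dump: unsalted MD5 of made-up passwords, computed here so the demo
# is self-contained (a real dump arrives as hex strings with the plaintext unknown).
SAMPLE_HASHES = {
    "alice": md5_hex("welcome"),                       # plain dictionary word
    "bob":   md5_hex("Summer2019!"),                   # word + year + symbol (hybrid rule)
    "carol": md5_hex("7391"),                          # short numeric PIN (brute-force)
    "dave":  md5_hex("welcome"),                       # same password as alice
    "eve":   md5_hex("c0rrect-h0rse-batt3ry-stap1e"),  # out of reach for these stages
}

WORDLIST = ["password", "welcome", "summer", "letmein", "admin", "qwerty"]


def dictionary_candidates(words):
    yield from words


def hybrid_candidates(words, years=("2019", "2020", "2021"), suffixes=("!", "1", "123")):
    """Dictionary words with common mangling rules: case, digit/year/symbol suffixes, leet."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for tail in suffixes + years:
                yield base + tail
            for year in years:
                for sym in suffixes:
                    yield base + year + sym
            leet = base.replace("a", "@").replace("e", "3").replace("o", "0").replace("i", "1")
            if leet != base:
                yield leet


def brute_force_candidates(charset=string.digits, max_len=4):
    """Exhaustive search over charset for lengths 1..max_len (11110 guesses for 4 digits)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(hashes_by_user, stages):
    """Run each (name, candidates) stage until every hash is matched or stages run out.

    Unsalted hashes let one candidate hash be checked against all users at once, and
    users sharing a password fall together, so the index is hash -> [users].
    """
    pending = {}
    for user, h in hashes_by_user.items():
        pending.setdefault(h, []).append(user)
    cracked, guesses = {}, {}
    for name, candidates in stages:
        guesses[name] = 0
        for cand in candidates:
            if not pending:
                break
            guesses[name] += 1
            users = pending.pop(md5_hex(cand), None)
            if users:
                for u in users:
                    cracked[u] = (cand, name)
        if not pending:
            break
    return cracked, guesses


def run_demo():
    stages = [
        ("dictionary", dictionary_candidates(WORDLIST)),
        ("hybrid", hybrid_candidates(WORDLIST)),
        ("brute-force", brute_force_candidates()),
    ]
    return crack(SAMPLE_HASHES, stages)


if __name__ == "__main__":
    cracked, guesses = run_demo()
    for user, (pw, stage) in sorted(cracked.items()):
        print(f"{user}: {pw!r} via {stage}")
    print("guesses per stage:", guesses)
```

The stages are ordered cheapest first, which is how a real run is structured: six dictionary guesses recover two accounts at once because alice and dave share a hash, the hybrid rules pick up bob, and the digit-only brute force finds carol's PIN while eve's passphrase survives all three. The same ordering is what makes unsalted, fast hashes such a poor choice for storing passwords.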