Remote Access Infrastructure Testing

Today, providing customers, employees, partners and suppliers with remote access to the corporate network and its applications has become a business necessity. However, a misconfigured remote access implementation is a direct route into your corporate data. It is essential for your business to secure its remote access services properly, so that malicious entities cannot gain unauthorised access to your internal infrastructure.

The Remote Access Infrastructure Testing Methodology is divided into three distinct phases: Profiling, Assessment and Exploitation.

Additionally, the supporting infrastructure of the hosts and systems within scope will be tested (see the External/Internal Infrastructure Methodology for details).

Profiling Phase

Information Gathering (Reconnaissance) techniques such as Enumeration, Footprinting and Fingerprinting will be performed to gather as much information as possible about the customer's remote access infrastructure.

Specifically, the following techniques will be used to find and assess security-related information:

Information Gathering (Reconnaissance)

VPN/IPSec
- Identify Supported Modes (Main, Aggressive)
- Encryption Algorithms and Hashes
- Authentication Protocols (Pre-Shared, Digital Certificates)
- Diffie-Hellman Group and Lifetime

Citrix
- Enumerate Citrix Applications
- Enumerate Citrix Servers
- Identify Citrix Gateways and Firewalls

Assessment Phase

Both automated and manual vulnerability assessment will be performed against the customer's remote access infrastructure, based on the information found in the Profiling Phase, to identify known vulnerabilities as well as previously unidentified weaknesses.

Specifically, the following vulnerability assessment techniques will be used:

Vulnerability Assessment

VPN/IPSec
- Lack of Patching – Identifying out-of-date systems and services
- Force Aggressive Mode – Possibility of enabling the insecure aggressive mode
- Capture Pre-Shared Key – Possibility of capturing the Pre-Shared Key
- Weak IKE/IPSec Transforms – Identifying weak IKE/IPSec transforms

Citrix
- Lack of Patching – Identifying out-of-date systems and services
- ICA/RDP Command Fixation – Possibility of executing commands through ICA/RDP configuration files
- Command Execution Through GUI – Possibility of executing commands through hotkeys, shortcuts, scripts, etc.
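The VPN/IPSec items in both the profiling list (supported modes, encryption and hash algorithms, authentication protocol, Diffie-Hellman group and lifetime) and the assessment list (aggressive mode, pre-shared keys, weak IKE/IPSec transforms) can be checked from the defender's side before a test begins. The following is an added example, not part of the original methodology: a small linter that reads a strongSwan-style ipsec.conf conn block (an assumption about the input format) and reports the weaknesses the methodology looks for. The two configuration blocks are constructed samples, and the lists of weak algorithms are this example's own baseline rather than a vendor's.

```python
"""Lint one IKE/IPsec remote-access profile for the weaknesses named on this page.

Added example, not part of the original methodology. Assumption: the input is a
strongSwan-style ipsec.conf 'conn' block (key=value lines); the weak-algorithm
lists below are this example's own baseline, not a vendor list.
"""
import re

# Constructed baseline of what the checks treat as weak (assumption).
WEAK_ENCRYPTION_PREFIXES = ("des", "3des", "null", "cast", "blowfish")
WEAK_INTEGRITY = {"md5", "md5_128", "sha", "sha1", "sha1_160"}
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}   # IKE groups 1, 2 and 5
MAX_IKE_LIFETIME_SECONDS = 24 * 3600
DH_TOKEN = re.compile(r"^(modp|ecp|curve)")

# Constructed sample: a legacy profile with the weaknesses the assessment list names.
WEAK_CONN = """
conn legacy-remote-access   # constructed example, not a real deployment
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    ike=3des-md5-modp1024,aes128-sha1-modp1536
    esp=3des-md5
    ikelifetime=48h
"""

# Constructed sample: the hardened counterpart (IKEv2, certificates, AEAD, ECDH).
HARDENED_CONN = """
conn remote-access          # constructed hardened counterpart
    keyexchange=ikev2
    authby=pubkey
    ike=aes256gcm16-sha384-ecp384!
    esp=aes256gcm16-ecp384!
    ikelifetime=3h
"""


def parse_conn_block(text):
    """Parse key=value lines into a dict; '#' comments and the 'conn' line are skipped."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def parse_lifetime(value):
    """Convert a duration such as '3h', '90m' or '3600' to seconds."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not match:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    unit = match.group(2) or "s"
    return int(match.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[unit]


def split_proposals(value):
    """'3des-md5-modp1024,aes256gcm16-ecp384!' -> [(enc, integ, dh), ...]."""
    proposals = []
    for proposal in value.rstrip("!").split(","):   # trailing '!' only marks the list as strict
        tokens = proposal.split("-")
        if not tokens[0]:
            continue
        dh = next((t for t in tokens[1:] if DH_TOKEN.match(t)), None)
        rest = [t for t in tokens[1:] if t != dh]   # AEAD proposals carry no integrity token
        proposals.append((tokens[0], rest[0] if rest else None, dh))
    return proposals


def check_proposals(config, key, findings):
    """Flag weak encryption, integrity and DH choices in the 'ike' or 'esp' proposal list."""
    for enc, integ, dh in split_proposals(config.get(key, "")):
        label = f"{key}={enc}-{integ or '?'}-{dh or '?'}"
        if enc.startswith(WEAK_ENCRYPTION_PREFIXES):
            findings.append(("high", f"{label}: weak encryption algorithm {enc}"))
        if integ in WEAK_INTEGRITY:
            findings.append(("medium", f"{label}: weak integrity algorithm {integ}"))
        if dh in WEAK_DH_GROUPS:
            findings.append(("medium", f"{label}: weak Diffie-Hellman group {dh}"))
        if key == "ike" and dh is None:
            findings.append(("low", f"{label}: no Diffie-Hellman group pinned, daemon default applies"))


def lint_profile(config):
    """Return a list of (severity, message) findings for one parsed conn block."""
    findings = []
    keyexchange = config.get("keyexchange", "ike").lower()
    aggressive = config.get("aggressive", "no").lower() == "yes" and keyexchange != "ikev2"
    authby = config.get("authby", "pubkey").lower()

    if keyexchange == "ikev1":
        findings.append(("low", "IKEv1 in use; IKEv2 has no aggressive mode"))
    if aggressive:
        findings.append(("high", "aggressive mode enabled: peer identity and PSK-derived hash travel unprotected"))
    if authby in {"secret", "psk"}:
        severity = "high" if aggressive else "medium"
        findings.append((severity, "pre-shared key authentication; certificates are preferred for remote access"))

    check_proposals(config, "ike", findings)
    check_proposals(config, "esp", findings)

    lifetime = parse_lifetime(config.get("ikelifetime", "3h"))   # 3h is strongSwan's default
    if lifetime > MAX_IKE_LIFETIME_SECONDS:
        findings.append(("medium", f"ikelifetime={config['ikelifetime']}: IKE SA lifetime over 24h"))
    return findings


if __name__ == "__main__":
    for name, text in (("legacy", WEAK_CONN), ("hardened", HARDENED_CONN)):
        print(f"== {name} ==")
        for severity, message in lint_profile(parse_conn_block(text)) or [("info", "no findings")]:
            print(f"[{severity}] {message}")
```

The legacy block produces findings for every VPN/IPSec item in the two lists above (IKEv1 aggressive mode, pre-shared key, 3DES/MD5/SHA-1 transforms, DH groups 2 and 5, and a 48-hour IKE lifetime), while the hardened block produces none; a profile that passes this lint still needs the live profiling checks, because the negotiated proposal depends on what the peer offers.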

Exploitation Phase

In the Exploitation Phase we will attempt to exploit the identified vulnerabilities in order to validate their existence. Both online and offline password cracking techniques (e.g. guessing, dictionary, hybrid and brute-force attacks) will be performed against password hashes (e.g. MD5) and/or authentication points found in the previous steps of testing. In case of successful exploitation we will attempt to escalate privileges within applications, hosts and networks.