Penetration Testing Services
Internal and External Expert Penetration Testing by UK Security Cleared Employees
RandomStorm Penetration Testing Services
RandomStorm have a professional Penetration Testing service that can be used to identify vulnerabilities that exist on your internal and external networks. The external testing is done from various Internet data centres, and the internal testing is performed from the customer site whilst connected to the customer's network in the same way that an internal attacker would connect.
Penetration Testing – Methodology
The Penetration Testing (sometimes referred to as Pen Testing) service consists of five phases once the initial order has been received. These phases start with the requirements gathering and agreement with the customer and end with RandomStorm presenting the results back to the customer, along with any recommendations for remedial action.
These five steps are:
- Initial Scoping
It is important to note that RandomStorm will not carry out any checks which are considered "unsafe" by the tools that are used. This also includes any Denial of Service (DoS) attacks. These checks, which can be service affecting, are disabled by default in all the tools that we use, but they can be carried out at the wish of the customer. The unsafe checks and DoS attacks can provide more information about the vulnerabilities that exist within the customer's infrastructure, but there is a risk of service disruption. However, there is an argument that it is better to find out about these vulnerabilities when conducting an assessment rather than waiting for an attacker to find them.
Once the initial order has been received, the next stage is to carry out the initial scoping. RandomStorm offers both internal and external assessments as part of the Penetration Testing service. These can be further broken down into two distinct methods of assessment: White Box and Black Box testing.
An internal assessment is carried out behind the public perimeter of the customer's network. The aim of an internal assessment is to perform the required checks inside the customer's network. RandomStorm will look at the network design and agree where the internal checks will be carried out from. A good place to start is normally to connect to the network as a general user and also to connect to the network from any available meeting room, to act as an unattended visitor.
An external assessment is carried out in front of the public perimeter of the customer's network. The aim of an external assessment is to perform the required checks outside the customer's network. This type of assessment looks at the customer's public-facing services from the same viewpoint as an external hacker.
White Box testing
In White Box testing, the customer will provide RandomStorm with full details about the network and the hosts that exist on the network, along with associated addressing schemes. RandomStorm utilise this privileged information to carry out the relevant assessments. A White Box test can be thought of as a test using similar information as an internal attacker would have. The information provided to RandomStorm would normally be available to an attacker on the inside. Therefore this testing provides a level of understanding as to the security threats posed by internal staff, and also any third-party contractors who have network access.
Black Box testing
Black Box testing is the reverse of White Box testing. In Black Box testing, the customer provides no detailed information to RandomStorm. All that is normally provided is the reason for the assessment and what the requirements of the assessment are. In these assessments, RandomStorm will carry out in-depth reconnaissance in order to gain the information required to progress with the assessment. This type of assessment is more realistic as to what an actual attacker would carry out.
It is quite normal to mix and match these to meet customer requirements. A common package would be a White Box Internal assessment, combined with a Black Box external assessment. This would cover internal threats from employees and contractors/visitors and also external threats from members of the public who can utilise publicly available services.
Once the scope of the assessment has been agreed, the next step is to carry out the reconnaissance phase. This phase consists of two steps, passive and active information gathering.
Passive information gathering
Passive information gathering is where RandomStorm will utilise public domain information to collect information about the customer and the target network. Search engines will be interrogated, as well as public records, to try to collect information which will help in the assessment of the target network. In the case of an internal assessment, passive information gathering will also include sniffing wired and wireless networks in an attempt to collect network protocol information, addressing details, user credentials, etc.
- Unearth initial information
- Locate the network range
Active information gathering
Once the passive information has been gathered, the next step is to move onto active information gathering. Active information gathering is where RandomStorm start probing the network, using the information gathered during the passive information gathering step. Various tools are used to ascertain the active hosts on the target network. Once these hosts are identified, further probes are aimed at the hosts to provide an indication of the ports which are open and what services are running on the associated ports. Once the ports and services are identified, the next step is to use fingerprinting techniques to identify the operating system running on the host.
- Ascertain active hosts
- Discover open ports
- Discover services on ports
- Detect operating systems
- Map the network
Armed with the information gathered through passive and active information gathering, RandomStorm will now carry out the required assessment. The operating systems and services that were found in the Reconnaissance phase are checked against the latest vulnerability databases to ascertain if any vulnerability exists at a host or operating system level. Any medium level vulnerabilities and higher that are identified are manually confirmed to prevent false positives being reported.
For services which can be accessed via a username and password, RandomStorm will attempt to access these resources both with the default password and with commonly used username and password combinations.
Common operating system vulnerabilities will be exploited, especially against Microsoft operating systems. This is to ascertain if privileged access can be obtained through operating systems exploits.
Depending upon the level of assessment the customer has procured, the following advanced assessments will be carried out at this phase:
- Wireless Network Assessment
- Social Engineering Assessment
- War Dialling Assessment
- Web Application Testing
- Network Configuration Review
Once all of the assessment data has been collected, the next phase is to analyse this data and create two reports for the customer. The first report created is an executive summary. This summary provides details about the assessment and summarises the key findings along with the top 10 recommendations for remedial action. A table of hosts will be provided along with the number of vulnerabilities identified at each severity level.
The second report created is the full assessment report. This report goes into great detail and backs up the information in the executive summary. Each host is represented in a table along with the open ports identified, services available on those ports, identified vulnerabilities and information about remedial action to mitigate the risk of the vulnerabilities being exploited.
Separate sections are included for any additional advanced assessments that were carried out, and these will be cross-referenced where applicable to the host assessment data.
The full assessment report, for larger assessments, can turn out to be a very lengthy document. This document is summarised at the start of the report with more technical details than can be found in the executive summary.
Once the executive summary and full assessment report are created and reviewed, they are uploaded to the secure document area of the RandomStorm Secure Customer Portal. The Customer is normally presented with the reports around a week before the follow-up meeting is scheduled. In this follow-up meeting, one of the engineers who worked on the assessment will be present to formally present the findings of the report. The engineer can field any questions and answer any technical issues arising from the report findings.