Introduction
Infrastructure penetration testing includes all internal computer systems, associated external devices, internet networking, cloud and virtualization testing.
Whether it’s concealed on your inner business network or from a government point of perspective, there’s always a chance that an attacker can leverage that can damage your infrastructure.
If your defense is strong enough for Application layer attacks does not assure the security from Network Layer.
Infrastructure Penetration Testing involves rigorous testing of the controls, frameworks and processes designed for the networks related to the system.
It lays out procedures to penetrate into key networks of the system with an aim to identify security susceptibilities and mitigate them much before the attackers do from multiple entry points at different levels.
Methodology
Automated
We would identify the vulnerabilities present for the in-scope asset with the help of automated tools and eliminate the false-positives. Ideally, such an assessment should be used for non-critical assets.
Manual
The analyst would identify every exploitable vulnerability w.r.t the in-scope network assets. Utilizing manual effort, we fetch for every open port and the services running on the assets within the scope. After that, we test them for vulnerabilities depending on their level of exploitability and availability on the environment they exist in. We verify and validate these vulnerabilities based on the standard benchmark.
Types of Testing
Black Box
In a black-box assessment, the auditor has no internal knowledge of the target system. A Black Box security assessment determines the vulnerabilities in a system that are exploitable from outside the network. Black Box penetration testing will be performed on all publicly discoverable servers, network and security devices, etc.
Grey Box
In gray-box assessment, typically, the auditor has some knowledge of the internal network, potentially including design and architecture documentation and internal access to the assets. The purpose of gray-box assessment is to provide a more efficient & focused security assessment of in-scope network assets than a black-box assessment. This activity helps to simulate an attacker with longer-term access to the in-scope network.
Security Controls
| Control Group | Control Group Specification | Description |
|---|---|---|
| Access Control | Authentication | Authentication is the process of verifying that an individual, entity or node is who it claims to be. In infrastructure, there are different types of authentication protocols being used such as Kerberos. |
| Authorization | An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for the transfer of authentication data between two entities. | |
| Data Security | Data at Rest | The controls in this group are checked against data stored on media such as system hard drives, external USB drives, storage area networks (SANs), and backup tapes. |
| Data in Transit | The controls in this group are checked against data that is transmitted over a network including internal networks using wired or wireless methods and public networks such as the Internet. | |
| User Input Handling | The vulnerabilities like SQL injection, Cross-Site Scripting, Insecure file upload, OS Command Injection, HTTP Response Splitting, etc which falls under this group are checked. | |
| Risk Management | Updates and Upgrades | The controls in this group are checked against asset specifications within the network like firmware version, OS patches, hotfixes, etc. |
| Log Management | Logging and Monitoring | Logging controls evaluate the network for the information stored on the client-side/server-side logs or logging methodology. |
| Configuration Management | Misconfiguration | Controls in this group evaluate the network for its configuration, without which a network might end up disclosing internal/sensitive information. |
| System Security | Password Management | The controls in this group are checked against the network which implements password management. |
How It Works?
Intelligence Gathering
Discovery
Fingerprinting
Open Ports & Services Enumeration
Vulnerability Analysis
Verification
Exploitation
Post Exploitation
What can be tested?
Servers
Network Devices
Firewalls
Load Balancers
Proxy
IDS/IPS
