Infrastructure Penetration Test

Objective

The overall purpose of a penetration test is to assess the security level of an IT infrastructure. This achieves multiple goals:

Identification of vulnerabilities by a trusted third party before they are exploited by attackers
Demonstrate your level of security to your customers / partners
Meet legal, contractual, regulatory requirements for obtaining certification, for compliance commitments
Gain and maintain trust
Keep control on your cyber risks

Methodology and steps

The first step is the definition of the terms of the audit, its objectives, its scope, but also the choice of dates, speakers, format of deliverables and types of tests as well as the establishment of prerequisites.

In a second step, the auditors carry out their tests. If a critical vulnerability is discovered during the audit, the client's contact is notified immediately. Once the tests are complete, the auditors focus on writing the audit report. The report includes an executive summary, the list of flaws found and for each of them the description, observations and associated recommendations.

Finally, a closing meeting is set to present the results of the audit, and the deliverables are given to the sponsor. It will be possible to schedule a cross-audit afterwards to ensure that the corrections made are sufficient and not circumventable.

The tests

The penetration test will check the following points (non-exhaustive list) on the infrastructure and the machines (servers, client workstations, network equipment, hypervisors):

Segregation of network segments
Compartmentalization of domain users
Security level of network protocols
Access control
Network share rights management
Exposure of sensitive documents and applications
Misconfigurations
Bypassing security mechanisms
Components and systems not up to date
Accessible and poorly secured services

Vulnerabilities

The following vulnerabilities (non-exhaustive list) are potentially reported during our penetration tests:

Open Guest/Anonymous Access
Insufficient network partitioning
Default SNMP community
Vulnerable components
Insufficient device access control
Obsolete protocols
User enumeration with SID
Weak password policy
Default or weak passwords
Known vulnerabilities (CVE, EternalBlue, ZeroLogon, print nightmare...)
Pass The Ticket (PTT) (Silver/Golden Ticket, Kerberoast)
The Hash Pass (PTH)
Overpass The Hash/Pass The Key (PTK)
Unsupported operating system
Serice vulnerable systems (Juicy Potato, Rotten Potato, AlwaysInstallElevated, unquoted paths)
Exposed administration services (RDP, WinRM, SSH)

Standards

Depending on the type of audit, SEC-IT relies on different recognized standards, among which:

First CVSS v3.1 (Common Vulnerability Scoring System)
PTES (Penetration Testing Methodologies and Standards)
Bugcrowd VRT (Vulnerability Rating Taxonomy)
ISECOM OSSTMM 3 (Open Source Security Testing Methodology Manual)
ISO 19011:2018 - international standard for the audit of management systems

Contact us

Other pentest services

Web Penetration Test

To assess the security of your web applications and APIs

Mobile Application Penetration Test

To assess the security of your Android apps

Cloud Penetration Test

To assess the security of your AWS, Azure, M365, GCP Cloud environments