Question from a reader

HU asked:

"Do you have any tips or best practices for a penetration testing? We are talking about a corporate network. Thank you."

Answer:

That's a good question, mostly because the corporate environment is a special case. Based on experience, this is what I would make sure to do:

  • Scanning: understand the scope first and foremost. Are they telling you to scan the whole network? Part of it? What's the end-result? A full pen-test or just a vulnerability scanning?
  • Scanning: is it a black box assessment? If not, make sure you have a proper list of all their IP ranges, both internal and external, a diagram of their internet-facing networks with detailed info about their FW, routers, etc.
  • Scanning: Are they providing you with credentials for the scans? Authenticated scans can give you better results, however un-authenticated scans can simulate an attacker better (although a good attacker will eventually get credentials). If you can, perform both.
  • Scanning: scan from the outside in, then from the inside. Try to see what an external attacker would see and then what an internal attacker or a bad guy that managed to get in would see. Assume that an attacker is already inside, so don't forget to perform the internal scan.
  • Function: part of the scope, is your assessment one that will also test the blue team? If so, plan to be the worst case scenario and really test them. This will show the management that you are a professional.
  • During the scan: gather as much info during the initial scan. This includes network information, OS, apps running, services, domain information, etc. Always verify though. Scanners tend to find things that are not there (false positive). Always check each finding as you go, and take lots of screenshots for proof. That vulnerability might go away by the time you write the report.
  • During the scan: document everything, not only how you found the vulnerability, but how you exploited it, the hoops you had to go to get this done. It is important for the report and for the technical team that will fix them.
  • Report: Have a good Executive Summary. This part of the report is often overlooked, but for the management this is the key part. They don't care about whether you used a directory traversal vulnerability or a bruteforce attack, they want to have an overview of what's wrong, how bad and what would take to fix it. List the scope of the scan, how long it took, how many people took part and the results as an easy to read table.
  • Report: the report should provide not only detailed technical findings, but also solutions: how a team of security/IT people should fix the problems. Provide security best practices when possible.
  • After the assessment: re-scan the system again after they have addressed the findings in the report. It is VERY important.

I hope these simple points help you.