Businesses today are learning the importance of cybersecurity the hard way. Penetration testing is a valuable tool for finding the vulnerabilities in your assets that an attacker could exploit, and for showing how far such an attacker would actually get. Penetration tests help you prioritize remediation and fix the right things quickly, which in turn prevents financial losses, protects brand reputation and maintains customer trust.
External penetration testing identifies vulnerabilities in your internet-facing perimeter: it discovers the ports and applications reachable from the internet, identifies live systems and the services they run, and grabs service banners to learn what software and versions are exposed.
External pen testing helps system administrators find and close unused ports, remove unneeded services, strip revealing headers and banners, and correct firewall rules and other configuration. Everything reachable from the internet should be tested, because an attacker will not limit themselves to the systems you consider important.
In the external penetration test checklist below, you will find the steps to perform in each stage of the test and a checklist for each step.
Information Collection Phase
The first stage of the external penetration test checklist is to collect as much information about the target network as possible. Focus on information that could later be used to exploit security vulnerabilities: hostnames, address ranges, exposed services and software versions.
First, you need the IP addresses or domain names in scope. Start with DNS: tools such as dig, host or dnsrecon enumerate the records for a domain (A, MX, NS, SRV, PTR, SOA, CNAME) and attempt zone transfers.
Nmap then takes over on the network side. It is not a DNS record enumerator, but it can detect which hosts in the target range are live, which services they expose, and, with version detection (-sV), which server software and versions are running.
Another critical piece of information needed before formulating an attack model is which ports are open. Again using Nmap, you can discover and list all open ports across the in-scope address range.
Open ports are the most common entry points: every listening service is code an attacker can talk to, and a vulnerable or misconfigured one is how they gain unauthorized access and plant a backdoor.
The external penetration test checklist that can be used during the information gathering phase is as follows:
- DNS Querying: Query the target's Domain Name Service (DNS) servers and attempt zone transfers (AXFR). The goal is to identify targets, verify ownership, and detect anomalies. DNS enumeration collects the records tied to the target domain (A, MX, NS, SRV, PTR, SOA, CNAME); reverse (PTR) lookups on the in-scope ranges often reveal hostnames that hint at a system's role.
- Host Discovery: Host discovery is the first and essential step in gathering information about target systems. Network scanners such as Advanced IP Scanner, Nmap, hping3, and Nessus can detect live hosts in the target range. Perimeter firewalls commonly drop ICMP, so a host that does not answer a ping may still be up; probe common TCP ports as well (Nmap -PS/-PA) before treating a host as down.
- Port Scanning: Use TCP and UDP port scanners to discover listening services, then send protocol-appropriate requests to likely application-layer services such as HTTP and SSH. The goal is to identify every listening service and infer the firewall rules in front of them (for example, which ports are filtered rather than closed). Nmap or hping3 can do this; they probe each host in the target range for open ports. Do not skip UDP: it is slow to scan, but SNMP, DNS and other UDP services are frequent findings. Open ports are the gateway an attacker uses to break in and install a backdoor.
- Fingerprinting: Review every listening service to determine its nature and function. Banner grabbing with Telnet or netcat, and service/version and OS detection with Nmap (-sV, -O), tells you the software, version and operating system of the target host. Knowing the version and operating system is what lets you look up known vulnerabilities and exploit methods in the next phase, so record banners verbatim, and treat them as hints rather than facts, since an administrator can change or fake them.
- SNMP Enumeration: Probe SNMP services (UDP/161), including trying default or common community strings such as public and private. Identify unsafe SNMP configurations, learn about the endpoints they describe (interfaces, routes, running processes, installed software), and identify write-enabled communities that would allow an attacker to reconfigure the device.
- Packet Sniffing: Capture samples of network communication for later analysis. On an external test you normally only see traffic between your own system and the target, so the useful captures are of the sessions you initiate: they show whether a service negotiates encryption, what it leaks in cleartext, and how it behaves on unusual input.
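Banner grabbing, the manual fingerprinting technique from the checklist above, has one trap worth seeing in code: some services announce themselves as soon as you connect, others stay silent until you speak their protocol, and a grab that does not send a probe will report the second kind as "no banner". The following Python script is an added example, not code from the original article. It starts two constructed fake services on 127.0.0.1 (an SSH-like one that speaks first and an HTTP-like one that waits for a request), grabs their banners with and without a probe, and parses product and version out of what comes back. The banner strings and version numbers are made up for the demonstration.

```python
"""Banner grabbing against constructed local services (added example)."""
import re
import socket
import socketserver
import threading

# Constructed banners for the fake services; the versions are made up.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n"
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache/2.4.41 (Ubuntu)\r\n"
                 b"Content-Length: 0\r\n\r\n")


class SshLikeHandler(socketserver.BaseRequestHandler):
    """Imitates a service that speaks first: the banner is sent on connect."""
    def handle(self):
        self.request.sendall(SSH_BANNER)


class HttpLikeHandler(socketserver.BaseRequestHandler):
    """Imitates a service that waits for the client: silent until a request arrives."""
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            return
        if data.startswith((b"HEAD ", b"GET ")):
            self.request.sendall(HTTP_RESPONSE)


def start_server(handler):
    """Bind an ephemeral port on localhost and serve in a background thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def grab_banner(host, port, probe=None, timeout=2.0):
    """Connect, optionally send a protocol probe, and return what the service says.

    An empty string means the service stayed silent until the timeout, which
    usually indicates it expects the client to talk first (HTTP, for example).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if probe:
            sock.sendall(probe)
        try:
            return sock.recv(4096).decode("latin-1", "replace")
        except socket.timeout:
            return ""


def fingerprint(banner):
    """Extract product and version from the two banner shapes used here."""
    m = re.match(r"SSH-\d\.\d-([A-Za-z]+)[_/]([\w.]+)", banner)
    if m:
        return {"product": m.group(1), "version": m.group(2)}
    m = re.search(r"^Server:\s*([^/\s]+)/([\w.]+)", banner, re.MULTILINE)
    if m:
        return {"product": m.group(1), "version": m.group(2)}
    return {"product": "unknown", "version": None}


def demo():
    """Grab from both fake services and return the parsed fingerprints."""
    ssh_srv, http_srv = start_server(SshLikeHandler), start_server(HttpLikeHandler)
    try:
        host, ssh_port = ssh_srv.server_address
        _, http_port = http_srv.server_address
        return {
            "ssh": fingerprint(grab_banner(host, ssh_port)),
            # No probe: the HTTP-like service says nothing, so the grab comes back empty.
            "http_silent": grab_banner(host, http_port, timeout=1.0),
            # A minimal HTTP request makes the Server header give the version away.
            "http": fingerprint(grab_banner(host, http_port, probe=b"HEAD / HTTP/1.0\r\n\r\n")),
        }
    finally:
        for srv in (ssh_srv, http_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Run it directly and it prints the three results. Against a real target you would point grab_banner at each host and port from your port scan, send the probe appropriate to the protocol when the first attempt comes back empty, and then confirm the version with a second tool, since a banner is only a string the administrator controls.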
Vulnerability Analysis Phase
Once you have obtained all the data you can on the target network, it is time to put it to use. The second stage of the external penetration test checklist is to test the target systems using the collected data and search for vulnerabilities.
The aim is to list every vulnerability in the network before moving on to attack targets and see whether they are exploitable. Automated scanners cover a lot of ground, but a thorough assessment requires the penetration tester to perform manual tests as well.
At this point, a framework such as Metasploit can help confirm findings: its auxiliary scanner modules check for specific weaknesses (default credentials, known vulnerable versions, exposed services), and its exploit modules tell you whether a flaw is practically exploitable. Metasploit is not a general vulnerability scanner, however, and no tool finds every flaw or avoids false positives; its results still need manual verification.
Dedicated vulnerability scanners such as Nessus or Qualys are better suited to broad coverage: they match the detected software versions and configurations against large databases of known issues.
Nmap can also check for known vulnerabilities through its NSE scripts (for example the scripts in the vuln category), building on the operating system and version information gathered earlier. Once the vulnerability assessment tools have generated their reports, review them and classify the vulnerabilities by severity, for instance using the CVSS score each scanner reports.
Use the results of the vulnerability assessment to formulate an attack plan built on realistic attack vectors. The vulnerability analysis phase aims to identify exploitable targets so that no time is wasted on unnecessary tasks.
At this point, you can also draw a network diagram to help you understand the logical paths between the internet and each target. Agree with the client on the source addresses you will test from, so your traffic can be told apart from a real attack; anonymizing proxies are rarely appropriate on an authorized test, and evasion techniques belong only in a scope that explicitly asks for them. Testing the organization's detection and response can also be part of the pen test: it is valuable for the targeted organization's IT team to learn whether they would have noticed an intruder, and how soon.
Once you have identified attractive targets for exploitation, select the most appropriate attack vectors for each identified vulnerability.
The external penetration test checklist that can be used during the vulnerability analysis phase is as follows:
- Unauthenticated Vulnerability Scanning: Use automated tools without credentials to identify known vulnerabilities in network services and the systems behind them. This reproduces the view an internet-based attacker has and finds vulnerabilities in the operating system and exposed network services.
- Authenticated Vulnerability Scanning: Where the scope allows, use automated tools with valid credentials to log in to systems and identify known vulnerabilities in the installed software. This finds vulnerabilities in the operating system and installed packages that are invisible from outside; it is less common in a purely external test, but it catches what an attacker would find after gaining a foothold.
- Vulnerability Verification: Manually verify findings from automated tools whenever possible. Merge the results of the different scans, deduplicate them, and remove any false positives you identify.
- Packet Capture Analysis: Examine the captured traffic samples for protocols with known weaknesses: cleartext protocols such as Telnet, FTP and HTTP, weak authentication schemes, and sessions open to hijacking because they lack encryption or integrity protection. Merge these findings with the scanner results and remove any false positives you identify.
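The verification and classification steps above (merging scan output, removing false positives and ranking by severity) are where most triage effort goes, and the severity counts they produce are what a report's vulnerability statistics are built from. The following Python script is an added example and not code from the original article. It takes a constructed list of findings from an unauthenticated and an authenticated scan against TEST-NET-3 addresses (203.0.113.0/24, reserved for documentation), collapses duplicates, discards the finding that a manual check rejected, rates each remaining one on the CVSS v3 qualitative scale, and returns the prioritized list plus counts by severity. The hosts, finding titles and scores are all made up.

```python
"""Vulnerability triage (added example): merge scan results, drop verified
false positives, rate by CVSS v3 severity, and summarize for the report."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float                      # CVSS v3 base score as reported by the scanner
    source: str                      # "unauth" or "auth": which scan produced it
    verified: Optional[bool] = None  # True/False after a manual check, None if not yet checked


# Constructed sample findings against TEST-NET-3 (203.0.113.0/24) addresses.
# Titles and scores are made up for the demonstration.
RAW_FINDINGS = [
    Finding("203.0.113.12", 161, "SNMP agent accepts a default community string with write access", 9.1, "unauth", True),
    Finding("203.0.113.11", 21, "FTP service accepts cleartext credentials", 7.5, "unauth", True),
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 5.3, "unauth", True),
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 5.3, "auth", None),   # same issue seen by the credentialed scan
    Finding("203.0.113.10", 22, "SSH server offers weak MAC algorithms", 2.6, "unauth", None),  # not yet verified
    Finding("203.0.113.11", 80, "Web server discloses version in banner", 5.3, "unauth", False),  # manual check: banner is fake
]


def severity(cvss):
    """CVSS v3.x qualitative rating scale."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def merge(findings):
    """Collapse duplicates reported by different scans into one record each.

    The same (host, port, title) keeps the highest score, remembers every
    scan that saw it, and is marked a false positive if any check said so.
    """
    merged = {}
    for f in findings:
        rec = merged.setdefault((f.host, f.port, f.title), {
            "host": f.host, "port": f.port, "title": f.title,
            "cvss": 0.0, "sources": set(), "verified": None,
        })
        rec["cvss"] = max(rec["cvss"], f.cvss)
        rec["sources"].add(f.source)
        if f.verified is False or rec["verified"] is False:
            rec["verified"] = False
        elif f.verified is True:
            rec["verified"] = True
    return list(merged.values())


def triage(findings):
    """Return (prioritized findings, severity counts) with false positives removed."""
    kept = [rec for rec in merge(findings) if rec["verified"] is not False]
    for rec in kept:
        rec["severity"] = severity(rec["cvss"])
    kept.sort(key=lambda rec: (-rec["cvss"], rec["host"], rec["port"]))
    return kept, dict(Counter(rec["severity"] for rec in kept))


if __name__ == "__main__":
    prioritized, stats = triage(RAW_FINDINGS)
    print("Severity counts:", stats)
    for rec in prioritized:
        flag = "" if rec["verified"] else "  [needs manual verification]"
        print(f'{rec["severity"]:8} {rec["cvss"]:4}  {rec["host"]}:{rec["port"]}  {rec["title"]}{flag}')
```

Findings that nobody has verified yet are kept but flagged in the output rather than silently trusted; the point of the verification step is that only findings checked by hand should drive the exploitation phase and the report. Real scanners export XML or CSV that you would parse into Finding records in place of the constructed list.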
Exploitation Phase
The exploitation phase investigates the vulnerabilities found to determine whether they are actually exploitable. It is crucial because it shows which vulnerabilities you need to fix immediately, rather than which ones a scanner merely reported.
Tools frequently used at this point include Metasploit for exploitation, Burp Suite for web applications, and Wireshark for analyzing the traffic your attacks generate. Depending on the scope, password attacks can be used to test the strength of network passwords; online guessing against exposed logins can lock accounts out, so agree the rate and the target accounts with the client first. Aircrack-ng is often named here, but it is a Wi-Fi auditing suite and only applies when wireless is in scope; Cain & Abel is a Windows password-recovery tool that has not been maintained for years.
The exploitation phase can include time-consuming attacks such as SQL injection, password cracking, buffer overflow exploitation, and operating system command injection. Memory-corruption exploits in particular can crash production services, so agree in advance which systems may be exploited and when. In external penetration testing the phase also involves other heavy manual testing tasks that take time. Social engineering tests can be part of it too, but only when the scope explicitly includes them.
The external penetration test checklist that can be used during the exploitation phase is as follows:
- Identify Areas of Attack: Review all findings and outputs from the previous phases and identify reasonable attacks with a moderate or better chance of success. Prioritize these potential attacks by probability of success, impact, and the tester's ability to execute them safely. Organize and plan the next steps.
- Vulnerability Exploitation: Create proof-of-concept attacks to demonstrate the feasibility and business risk of the discovered vulnerabilities. After a vulnerability has been exploited, try to pivot from the compromised system and identify additional vulnerabilities to exploit. Confirm the actual business risk created by each vulnerability, rather than the generic risk implied by its scanner rating, and identify further targets of opportunity. Record every command run and every artifact created; you will need that record for the report and for clean-up.
- Post-Exploit: Remove any code, data, accounts or configuration added to the systems as part of the assessment and return them to their pre-assessment state. Give the client a list of what was changed and removed so they can verify it independently.
Reporting Phase
Delivery and reporting are critical stages of a penetration test. An excellent external penetration test report provides an overview of the entire testing process and lists the most critical network vulnerabilities that need to be addressed, in order of importance.
A good penetration test report should also include a summary of vulnerability statistics, evidence such as screenshots of successful exploit attempts, and a clear remediation plan for every vulnerability discovered.
The external penetration test checklist that can be used in the reporting phase is as follows:
- Executive Summary: A short 1-2 page section discussing the overarching root causes of the vulnerabilities found and high-level business strategies for addressing them, written for readers who will not read the technical findings.
- Introduction: A short section describing the objectives of the penetration test, the components in and out of scope, the specific limitations of the testing, and the team involved.
- Methodology: A brief section describing the technical approach: the phases followed, the tools used, and the testing methodology or standard the test was based on.
- Findings and Recommendations: Traditionally the longest, most detailed and most technical section, and the core of the report for future use and reference. Each finding should state the affected hosts and services, the evidence, the likelihood and impact in the context of the current or proposed deployment, and a specific remediation.
- Conclusion: A section summarizing the main findings and recommendations, similar to the executive summary but with more technical depth. It should also answer the key questions or objectives the assessment was commissioned for, such as whether a product under evaluation should be adopted.
It is always essential to follow a sound network and external penetration testing methodology. With this checklist, organizations can understand how a properly trained penetration tester approaches a network systematically, so that no part of the attack surface is overlooked.
While there is no one-size-fits-all checklist for internal, external, and application penetration testing, the steps above provide a good foundation for virtually any organization seeking, or training for, network penetration testing.