Internal Penetration Testing

Internal penetration tests identify how a potential attacker can threaten your systems after gaining initial unauthorized access from outside. Internal attacks have the potential to be much more destructive than external attacks because the attacker has prior knowledge of what is important within the network and where those targets are located. RedDefense Global uses different enumeration techniques and procedures to mimic advanced internal cyber-attacks and see how far a malicious adversary can go after gaining initial access to your network.

INFORMATION GATHERING AND DISCOVERY PHASE

The objective of this first step is to identify attack paths that hackers can use to dominate your Active Directory environment. This includes:

  • Identification of Access Control List permissions and unsafe computer and user configurations that can allow unauthorized access to domain controllers
  • Identification of unsafe GPOs that can lead to domain exploitation
  • Detection of Active Directory trusts that can lead to forest exploitation
  • Detection of delegation rules on users and computers that can lead to unauthorized access to domain controllers
  • Detection of unsafe Kerberos tickets that can lead to domain dominance
  • Evaluation of MSSQL database configurations and identification of vulnerabilities on database servers
  • Identification of privilege escalation paths for each computer and user profile

DETECTION – ENUMERATION PHASE

The results obtained from the information gathering and discovery phase will disclose different vulnerability paths that can allow domain dominance if an adversary has unauthorized access to the internal network. Well-known internal Microsoft misconfigurations include:

  • Kerberoasting
  • Golden and silver ticketing
  • AS-REP Roasting
  • Domain compromise via unrestricted Kerberos delegation
  • Abusing Active Directory ACLs/ACEs
  • Privileged accounts and token privileges vulnerabilities
  • MSSQL Trustworthy and linked server vulnerabilities
  • LLMNR/NBNS Spoofing

These are just a few of the misconfigurations that can allow access to member servers and host machines, and lead to domain/forest dominance. This is what hackers do: they abuse these misconfigurations on internal networks to get enterprise admin permissions.

EXPLOITATION PHASE

This phase verifies the exploitability of the internal misconfigurations through manual exploitation. The purpose of this is to identify real paths to get unauthorized access to domain controllers, member servers and pivoting strategies. This will provide us with a clear understanding of the countermeasures in place.

During this phase we will make use of PowerShell. To provide a threat profile in the most realistic way, we simulate a wide range of internal attack procedures.
We define in advance the results of a "successful" exploit procedure in consultation with our contact point. These tests are closely coordinated with the client's system administrators and are scheduled under their supervision.

ANALYSIS PHASE

All our findings, recommendations, and suggestions are contained in a report. They concern specific Microsoft misconfigurations, insecure IT practices, configuration management, and patching procedures.

POST-ASSESSMENT BRIEFING

In addition, we offer an information session after each evaluation. The information session includes a discussion on techniques used to compromise the target system, patching techniques, and a direct question and answer session with the evaluation team. This is an essential part of our service.