Episode 52: How to Prepare for an External Penetration Test

Introduction

The video begins with an introduction to the topic of preparing for an external penetration test.

What is an external pen test?

  • An external penetration test is an introductory type of pen test that focuses on testing external-facing IPs and on-prem resources.
  • It may also include testing cloud resources, such as web apps or software-as-a-service (SaaS) platforms.
  • However, the primary purpose of an external pen test is not to conduct in-depth web app assessments or test cloud resources extensively.

Understanding External Pen Tests

This section delves into the background and scope of external pen tests.

Scope of External Pen Tests

  • External pen tests typically involve testing externally facing IPs and on-prem resources.
  • Additional elements like cloud resources, web apps, or APIs may be included for extra value to clients.
  • User enumeration flaws in Microsoft 365 are often tested during external pen tests due to their relevance in further attacks like credential stuffing or brute forcing.

Importance of User Enumeration

This section highlights the significance of user enumeration during external pen tests.

User Enumeration in Microsoft Services

  • User enumeration flaws, referred to as "features" by Microsoft, are prevalent in Microsoft 365.
  • Enumerating users helps create a concise list for subsequent attacks like credential stuffing or password spraying.
  • Organizations usually have lockout policies after a certain number of failed attempts within a specific time period.
  • Enumerating users allows testers to optimize attack time and increase the number of attempts.

Goals and Objectives of External Pen Tests

This section discusses the goals and objectives organizations should consider before conducting an external pen test.

Planning for an External Pen Test

  • Planning is crucial before initiating an external pen test.
  • Organizations should have a clear understanding of the goals and objectives of the assessment.
  • Having a well-defined plan helps ensure effective execution and desired outcomes.

Conclusion

The video concludes by emphasizing the importance of planning and understanding the goals and objectives of an external pen test.

Key Takeaways

  • External pen tests focus on testing externally facing IPs and on-prem resources, and may include additional elements like cloud resources or web apps.
  • User enumeration in Microsoft services plays a significant role in optimizing attack time.
  • Planning is essential to achieve successful outcomes in an external pen test.

Understanding Goals and Objectives

In this section, the importance of understanding goals and objectives before conducting an external penetration test is discussed.

Importance of Pre-Scoping for Engagement

  • Conducting a thorough pre-scoping process helps in identifying the organization's goals and objectives for the engagement.
  • Pen tests are time-limited assessments, so it is crucial to focus on areas that align with the organization's concerns and priorities.
  • Examples of specific areas to focus on include cloud-based attack vectors, shadow IT risks, or sensitive information exposure on the dark web.

Communication and Asset Management

  • Effective communication between the organization and pen testers is essential to ensure a complete scope of testing.
  • Providing accurate asset management information, such as IP addresses and server details, allows pen testers to spend less time finding assets and more time attacking them.

Asset Inventory and Documentation

This section emphasizes the importance of having a comprehensive asset inventory and documentation before conducting a penetration test.

Knowing What You Have

  • Conducting a full inventory of assets, including IPs, servers, software versions, etc., helps in providing accurate information to pen testers.
  • Understanding who owns, secures, maintains, and updates each asset is crucial for effective vulnerability management.

Streamlining Issue Resolution

  • Having clear ownership responsibilities for different assets reduces confusion during issue resolution at the end of the engagement.
  • Knowing who to contact for fixing issues related to subdomains or other specific assets saves time in tracking down responsible parties.

Summary

In this transcript summary:

  1. The importance of understanding goals and objectives before an external penetration test is highlighted. Pre-scoping helps focus on areas of concern and priority for the organization.
  2. Effective communication and accurate asset management information are crucial for a successful engagement.
  3. Conducting a comprehensive asset inventory and knowing ownership responsibilities streamline issue resolution during the engagement.

Importance of External Scans and Vulnerability Assessments

The importance of conducting external scans and vulnerability assessments before a pen test is discussed. These assessments help in understanding the organization's external footprint and identifying vulnerabilities that can be fixed prior to the engagement.

Conducting External Scans

  • It is recommended to perform external scans, such as Nmap scans or vulnerability assessments, before a pen test.
  • These scans provide insights into the organization's external footprint and help identify potential vulnerabilities.
  • Fixing discovered vulnerabilities prior to the engagement allows the pen tester to focus on other critical issues.

Benefits of Pre-engagement Vulnerability Assessments

  • Fixing TLS and SSL issues before the engagement saves time for the pen tester.
  • By addressing these common issues beforehand, more time can be allocated to explore other avenues and vulnerabilities.
  • This is especially beneficial for organizations with large footprints or multiple websites, login portals, Edge devices, VPN endpoints, etc.
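
One way to act on the asset-inventory and pre-engagement scanning advice above, as an added example that is not from the episode or SecurIT360: reconcile Nmap XML output against the inventory to surface unlisted hosts, assets with no owner, and unexpected open ports. The scan data, the inventory CSV and its column names are constructed assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: trimmed `nmap -oX` output using documentation-range IPs.
NMAP_XML = """<nmaprun>
<host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="3389"><state state="open"/></port></ports></host>
<host><address addr="203.0.113.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port></ports></host>
<host><address addr="203.0.113.30" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="8443"><state state="open"/></port></ports></host>
</nmaprun>"""

# Constructed inventory; column names are an assumption (ports separated by ";").
INVENTORY_CSV = """ip,name,owner,expected_ports
203.0.113.10,vpn-portal,network-team,443
203.0.113.20,sftp-gateway,,22
"""

def open_ports(nmap_xml):
    """Map each scanned IPv4 address to the set of ports Nmap reported open."""
    found = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        found[ip] = {int(p.get("portid")) for p in host.iter("port")
                     if p.find("state").get("state") == "open"}
    return found

def reconcile(nmap_xml, inventory_csv):
    """Return (ip, issue) findings to resolve before the engagement starts."""
    assets = {r["ip"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    findings = []
    for ip, ports in sorted(open_ports(nmap_xml).items()):
        asset = assets.get(ip)
        if asset is None:  # exposed host nobody listed: possible shadow IT
            findings.append((ip, f"not in inventory, open ports {sorted(ports)}"))
            continue
        if not asset["owner"].strip():  # nobody to contact when a finding lands
            findings.append((ip, "no owner recorded"))
        expected = {int(p) for p in asset["expected_ports"].split(";") if p}
        if extra := sorted(ports - expected):
            findings.append((ip, f"unexpected open ports {extra}"))
    return findings

if __name__ == "__main__":
    print(*reconcile(NMAP_XML, INVENTORY_CSV), sep="\n")
```
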

Establishing a Chain of Command for Effective Communication

The significance of establishing a good chain of command for effective communication during an engagement is emphasized. Open channels of communication ensure timely relay of critical information between parties involved.

Importance of Communication

  • Good communication throughout an engagement is crucial for effective collaboration between the client and pen tester.
  • Establishing a chain of command ensures smooth communication flow 24/7 via phone and email.
  • Having designated individuals responsible for handling critical issues enhances efficiency during the engagement.

Dark Web Searches and Protecting Sensitive Data

The discussion revolves around dark web searches and how clients should approach them in terms of protecting sensitive data. Recommendations are provided regarding breach credential searches on the dark web.

Importance of Dark Web Searches

  • Clients should conduct dark web searches to identify any breach credentials associated with their organization.
  • Breach credentials often come from individuals signing up with their company email, leading to potential password reuse.
  • Searching for such data on the dark web allows clients to identify compromised credentials and prompt users to change passwords.

Intelligence Gathering for Attackers

  • Dark web searches also provide valuable intelligence for attackers regarding password creation patterns within an organization.
  • Analyzing how users create passwords, such as using street addresses or significant dates, helps attackers exploit potential weak points.
  • This information can be used to incrementally modify passwords or target work-related applications where reused passwords are more likely.

Using Tools for User Account and Password Lookup

The speaker discusses the option of using subscription-based tools to perform user account and password lookup in an organization's environment. These tools can be used to search for breached passwords using the domain name or individual user accounts.

Tools for User Account and Password Lookup

  • Organizations can pay for a subscription to use tools that allow them to look up users and breach passwords in their environment.
  • These tools enable searching by domain name as well as individual user accounts.
  • This is beneficial for organizations that are concerned about the security of their own accounts rather than anyone else's.

Other Preparations before External Penetration Testing

The speaker explores additional steps that organizations should consider before conducting an external penetration test. These steps include understanding goals and objectives, performing asset inventory documentation, running vulnerability scanning (both external and in-house), and searching the dark web for resources.

Preparations before External Penetration Testing

  • Understand the goals and objectives of the penetration test.
  • Utilize available resources to perform asset inventory documentation.
  • Conduct both external and in-house vulnerability scanning to identify vulnerabilities in the external footprint.
  • Search the dark web prior to the pen test to gain insights into what pen testers might find.
  • These preparations are crucial but not exhaustive, as there are many nuances involved.

Continuous Effort: Goals, Objectives, and Changing Landscape

The speaker emphasizes that preparing for external penetration testing is an ongoing process due to changing goals, objectives, assets, data breaches, infrastructure updates, and new applications. It is important to view these preparations as a continuous cycle rather than a one-time effort.

  • Goals and objectives may change over time; even if an organization had an external pen test in the past, it is essential to reassess and adapt.
  • Assets change, new data breaches occur regularly, and infrastructure evolves.
  • People within the organization register for new software-as-a-service (SaaS) applications and products.
  • Preparations for external penetration testing should be repeated periodically as part of a continuous process.

Choosing the Type of Penetration Test

The speaker highlights the importance of understanding the type of penetration test desired before engaging with a pen testing team. This includes deciding between a black box assessment where the tester has no prior knowledge or a white box assessment where all information is provided to see what can be compromised.

  • Determine whether a black box assessment or a white box assessment is preferred.
  • In a black box assessment, the pen tester has no prior knowledge and evaluates security from an outsider's perspective.
  • In a white box assessment, all information is shared with the pen tester to assess vulnerabilities comprehensively.
  • Communicate your preferences clearly to your pen testing team.

Understanding Expectations and Getting Value from Penetration Testing

The speaker emphasizes that understanding expectations and ensuring satisfaction are crucial when engaging with a pen testing team. It is important for organizations to communicate their objectives clearly so that they receive value from the engagement.

  • As consumers of penetration tests, organizations must understand what the pen testers will do and how they will do it.
  • Clear communication regarding expectations ensures satisfaction and value from the engagement.

Conclusion

The transcript concludes by thanking listeners/watchers for their time. The audience is encouraged to share the episode on social media platforms if they found value in it. Contact information for further exploration is provided.

Video description

In this episode Spencer and Tyler discuss the most important things you must do before you have an external penetration test. Everything from understanding goals and objectives to asset management to dark web searches. Listen in as Tyler shares how the SecurIT360 external pentest process may be different from other pentests you've received in the past.

Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com