One of the most impactful methods for securing networks uses offense to inform defenses. A network penetration test is a simulated attack on an organization’s network infrastructure, with the goal of anticipating how an actual cybercriminal would operate and sealing off vulnerabilities they could exploit. To get started, an organization should develop a comprehensive network penetration testing checklist, then consult it during the testing to assess its efficacy.
A Comprehensive Network Penetration Testing Checklist
The checklist laid out in this guide is based upon the four-phase process for pentests laid out in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-115:
- Phase 1: Planning – Initial negotiation and strategizing for the simulated attack
- Phase 2: Discovery – Reconnaissance and identification of target vulnerabilities
- Phase 3: Attack – Attempts to enter into systems and seize control of resources
- Phase 4: Reporting – Reflection and analysis on findings, leading to repair work
Fully titled Technical Guide to Information Security Testing and Assessment, the NIST guide covers far more than just network penetration testing. Accordingly, the sections below adapt NIST’s generalized advice for all penetration testing to network penetration tests in particular.
Network Pentest Checklist for Phase 1: Planning
Before undertaking any actual testing on your networks, you’ll need to work with the pentesting team to establish the goals and rules to shape your assessment. This often begins once you’ve delegated staff or an external managed security services provider (MSSP) to conduct the test.
But, depending on how far along an organization is in preparing for a penetration test, this first phase may also include the initial research into potential partners and other solutions you might consider instead, such as a vulnerability scan or other analytical approaches. Then, once you’ve settled on the right network pentest partner, it’s time to work with them on strategizing the test proper.
Negotiate Network Test Rules, Objectives, and Limits
Organizations meet with the internal or external pentesting team to establish clear, explicit roles and responsibilities for the test. The test’s specific purpose is also critical to establish, delineating the pentest by:
- Object – Which networks, parts thereof, or related systems are being studied?
- Limits – Are any systems or practices considered “off-limits” for the pentest team?
- Complexity – How deep and advanced of an attack should the team simulate?
- Defense goals – What cybersecurity objectives should inform the test, and how?
Once these and other ground rules have been established, your organization may also consider referencing any legal or regulatory requirements applicable to your networks. Organizations in or adjacent to healthcare must meet HIPAA requirements for networks, for example, and those processing credit card payments must ensure their networks are PCI-compliant. A targeted pentest is one of the best ways to ensure all network compliance requirements are being met.
Network Pentest Checklist for Phase 2: Discovery
After your organization has developed a strategy for the network pentest, it’s time to initiate reconnaissance. The aim at this stage is not to simulate an attack on any vulnerabilities yet.
Instead, you’ll identify the critical weaknesses in your infrastructure—such as missing or incorrect controls—that the pentesters will focus their simulated attacks on in the following phase. This is a combination of verifying previously identified vulnerabilities and monitoring for, detecting, and documenting any new ones. The discovery phase may lead to further strategizing, depending on the findings. Organizations should account for “known unknowns” when planning.
Note: The discovery phase initially happens before the attack phase, but then forms a cycle wherein attacks lead to additional discoveries, prompting further attacks—they’re concurrent.
Gather Information on Networks for Simulated Attack
One element of successful discovery is identifying critical information about the networks to be tested. Therefore, NIST recommends prioritizing the following information and methods:
- Foundational information – Information about network hosts and endpoints (e.g., Host Name, IP Address) can be gained via DNS interrogation, InterNIC queries, and network sniffing.
- Employees’ contact information – Critical details about personnel, such as personally identifiable information (PII), can be obtained via searches of web or directory servers.
- System names and shares – These details can be gathered via NetBIOS enumeration and Network Information System (NIS) searches, both typically used in internal pentests.
- Application / service information – Version numbers can be obtained via banners.
Note: These are not the only forms of information to collect, nor the only ways to collect them.
Analyze Existing and Potential Network Vulnerabilities
Next, organizations must determine their network’s vulnerabilities to pentest, such as:
- Misconfigurations – Flawed, missing, or default security settings to exploit
- Kernel Flaws – Issues in the OS’s core, which jeopardize the entire security system
- Buffer Overflows – Programs that fail to check the length of input before copying it into a fixed-size buffer, allowing arbitrary code to be introduced and executed, potentially with administrator privileges
- Insufficient Input Validation – Failure to validate user input, leading to attacks such as SQL injection (when a web app embeds user-supplied values in database queries without filtering SQL syntax, the user can execute malicious or unauthorized commands against the database)
- Symbolic Links (symlinks) – Files that point to other files; an attacker who can manipulate the link can cause a program to change the permissions, location, or contents of a file other than the one intended
- File Descriptor Attacks – Manipulations of a program’s open-file handles (descriptors) rather than of file names
- Race Conditions – Windows of time while a program is entering, switching between, or exiting privileged modes, during which an attacker can interfere with privileged operations
- Incorrect File/Directory Permissions – Overly permissive or incorrect permissions on files and directories, including executables
Once again, this is not an exhaustive list of vulnerabilities; your organization can begin with these as a baseline, then develop a more comprehensive list based on industry, size, etc.
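As an added illustration of the Insufficient Input Validation item above (example code written for this guide, not code from NIST or the original article), the unsafe query below embeds the user value in SQL text and returns every row for a crafted input, while the parameterized query and the allow-list check do not; the table, user names and the username pattern are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not taken from the page.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # assumed username shape


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the user-supplied value is pasted into the SQL text, so
    characters with SQL meaning (a quote, OR, --) change the query itself."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(name):
    """Allow-list validation: reject anything outside the expected shape
    before it reaches a query (defense in depth alongside parameterization)."""
    return bool(USERNAME_RE.match(name))


def demo():
    """Return row counts for a benign and a crafted input under both queries."""
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_crafted": len(lookup_unsafe(conn, crafted)),  # leaks every row
        "safe_crafted": len(lookup_safe(conn, crafted)),      # no match
        "validated_crafted": validate_username(crafted),      # rejected upfront
    }


if __name__ == "__main__":
    print(demo())
```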
Network Pentest Checklist for Phase 3: Attack
The most essential phase in any penetration test, including network-based pentests, is the actual (simulated) attack. Flowing forth from the strategizing and reconnaissance, this phase should be straightforward. Of course, no two pentests are alike, so no two attack phases are alike. But NIST does recommend a baseline four-part structure to guide this phase, covered below.
Organizations can build upon this prescribed structure, adding or subtracting processes, and should always account for changes to be made based upon what the simulated attacker finds in real-time. Chances are, not every vulnerability ultimately tested will have been fully accounted for in the planning and discovery phases. This is actually ideal, as the more simulated damage a pentester can do, the more insights will be gained to prevent real damage from occurring.
Achieve Illegitimate Access to Targeted Networks
The pentesters begin their attack by selecting one or more vulnerabilities identified during the discovery phase and attempting to exploit them for illegitimate access. Testers will move through all potential attack vectors, seeing which—if any—allow a breach into the network. Consider this flow:
- For an external test, pentesters may begin by attempting to gain access to a network port discovered during reconnaissance as misconfigured (default login credentials).
- Upon successfully breaching this port, the pentester will report back on their status and consult the strategy before penetrating deeper into the network from this vantage point.
- Simultaneously, the same tester (or a colleague) may continue leveraging every other vulnerability to solidify multiple layers or levels of attack to leverage in later sub-phases.
Pentesters should move onto the next sub-phase once they have determined that the access gained is sufficient and stable enough to eventually achieve complete control over desired systems.
Escalate Privileges to Desired Level (Administrator)
Next, the pentesting team will move from obtaining control to maximizing it. All successful entries into the system will now be explored further, with attackers escalating their privileges until they obtain control of their predefined targets. Then, depending on the scope negotiated in the planning phase, the simulated attack may proceed until the pentesters have seized control of the entire system, an entire segment thereof, or any other secondary objective.
Pentesters should continue escalating system privileges until they exhaust all means available, have already seized the target information, or sense mitigation efforts encroaching upon access.
Explore Networks for Other Exploitation Opportunities
This sub-phase may happen concurrently with the last, and it may limit or otherwise inform the steps taken to escalate privileges. The objective here is to explore any attack vectors that might be executed beyond seizing the initial target. These may include, but are not limited to:
- Additional entry points opened up or facilitated by further penetration into systems
- Locations hosting or connected to sensitive data that are newly compromisable
- Connections to other systems within or outside the organization, such as third parties’ networks
- Monitoring and reporting infrastructure that an attacker could feasibly disable
Pentesters should continue exploring the system until every viable option for further attack, or for an efficient and seamless exit, has been exercised or prepared for before they leave the systems.
Exit and Install Tools for Further Exploitation or Access
The primary focus here is exiting; the secondary focus is installing other controls on the way out.
Like the prior sub-phase, this process depends heavily on the strategy negotiated during the planning phase. For example, in a traditional external pentest, the focus may be more on the initial entry into systems: most additional controls may focus on facilitating re-entry. But in a traditional internal pentest, the focus is primarily on swift, untraceable movement within a network. As such, the controls installed by pentesting teams may prioritize covering or disrupting monitoring capacities.
Pentesters should aim to exit systems as seamlessly as possible, prioritizing evasion over all other forms of residual exploitation. Additional tools should be installed to the extent possible.
Network Pentest Checklist for Phase 4: Reporting
The ultimate purpose of a network penetration test is awareness and mitigation of all network vulnerabilities. For this reason, reporting is arguably the most critical component. Organizations must compile an accurate report of all test elements and then reference it to create strategies to address all weaknesses.
In some cases, the pentest partner will report and strategize ways to address findings. In others, an organization may elect to work independently or with additional service providers to address the vulnerabilities reported on from the pentest.
Report on Findings During All Network Pentest Phases
While this phase is last in the sequence, it should not be thought of as final per se, as the process is cyclical. Reporting should occur concurrently with planning, discovery, and attacking, as follows:
- Planning phase reporting – Detailed records must be kept of all elements and steps in the negotiation process. The organization’s initial aims may not be the same after initial contact with the pentesters, and recording changes in scope or targets can facilitate later inquiry into how or why the organization may have missed given vulnerabilities prior to the test.
- Discovery phase reporting – Likewise, as the testers conduct reconnaissance, reports provided to the organization will ensure that newly discovered vulnerabilities remain within the agreed-upon scope. Failing to report may result in a breach of ethics, contract, or expectations.
- Attack phase reporting – Finally, reports during the attack phase facilitate visibility on what the pentest team is doing, which ensures adherence to objectives and allows for adjustments requested by the organization. These also facilitate cyclical attacking, as described above, wherein attacks lead to further discovery and, in turn, inform future attacks.
These reports collectively comprise the reporting done during the test, while the final report extends beyond the test and into the measures it informs in the future, short- and long-term.
Strategize Short- and Long-Term Vulnerability Mitigation
Finally, the last sub-phase occurs both within the pentest proper and after it. It includes all work the organization does, independently or with the pentesting team and other service providers, to address the weaknesses identified and exploited during the network penetration test. This might include building or acquiring new cybersecurity systems, or reviewing existing implementations to identify targeted mitigations. Another option is robust cybersecurity awareness training, for internal and external stakeholders. With respect to compliance objectives, the pentest report might necessitate immediate preventive measures to avoid a costly breach or infraction.
RSI Security is the ideal partner to conduct network pentests and act upon their results.
Get Started with Network Penetration Testing Today!
Equipped with this network penetration testing checklist, your organization is well-positioned to begin a pentesting program, whether internally or with the help of a pentesting partner. Most organizations benefit from outsourcing pentesting to external providers to avoid some common pitfalls of independent testing, such as biases or an inability to fully emulate the motives of an outside attacker.
To avoid these and other pentest challenges, contact RSI Security today!