Re: Corporate Intranet
- From: Aarón Mizrachi <unmanarc@xxxxxxxxx>
- Date: Wed, 29 Apr 2009 03:57:12 -0430
On Lunes 27 Abril 2009 14:14:52 iadcc escribió:
Has anybody done a penetration test, in trying to access a companies
corporate intranet, from outside the Network? If so can you give me some
pointers how you attempted to do so?
Indeed.
there are various vectors of attack. But, generally, try this scheme.
1. Try to map or figure out how is the network inside... There are too many
ways to do that.
First of all, you must know where are the public IP address of your company.
If you are under blackbox, try using google and maltego to identify useful
information about the company. Other method is sending a legitim request by
email to a coorporative email, and wait for reply...
On reply, you may found useful information.
Next, scan external services and possible ip addresses, sometimes there are
useful information and information leakage over ip external addresses.
2. When the map is done, do an exhaustive service scan and identification over
all ip addresses involved, specially on routers. And If you found exploits on
there (routers), all the work is done.
If no success:
3. With the previous information, make a dictionary, and try bruteforce
attacks on sensitive services (VPN, Router logins, whatever)
4. Try to exploit founded vulns (all depends on updates and configuration of
every service).
- On routers, many exploits involves download config, if you are lucky, you
will found password there. Another option is create a VPN user or a route/nat
entry.
- On Webserver (or similar), if the webserver are shared on the intranet, you
may try to get access on there. Then, you may redirect your connections to the
intranet with a VPN (like openvpn)
- On misconfigured proxies, a common mechanism are the "reverse proxy" method,
remember that you need to know internal ip addresses notation or bruteforce
it.
- On internet browsers combined with Social Engineering, you could try to
identify and exploit internet navigator bugs to put your reverse connection
code inside the network.
5. If no success, you may try to use social engineering to put a trojan inside
the network, then, redirect your connections over the trojan. Outgoing traffic
usually can be bypassed with systems like IODINE, or OpenVPN using 443 port...
To avoid IDS/IPS detection, you could use different ip addresses and delay
timing policies.
And finally, this is a scheme to do that, but never the definitive guide to
external pentesting. All depends on internal configuration, updates, managment
policies, and others.
------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Tired of using other people's tools? Why not learn how to write your own exploits?
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.
http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------
- Follow-Ups:
- Re: Corporate Intranet
- From: Zack Payton
- Re: Corporate Intranet
- References:
- Corporate Intranet
- From: iadcc
- Corporate Intranet
- Prev by Date: Re: security tools list
- Next by Date: Re: security tools list
- Previous by thread: Re: Corporate Intranet
- Next by thread: Re: Corporate Intranet
- Index(es):
Relevant Pages
|
