How an Internal Penetration Test Can Help Your Organization
Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd-party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?

First, since security terminology is often misunderstood, let's define internal penetration testing. An internal pen test is a very specific scope of work in which a security engineer connects to your internal network, or a portion thereof, and with nothing other than that internal network connection attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer has a network-level connection but no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site, with the engineer working from a conference room with an Ethernet drop, or remotely via a VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data.
Example of a Common Finding
Compromised Web Server
A web application server with sensitive customer and cardholder data can be compromised.
Our internal penetration testing often exposes the ability to compromise a web application server from inside the firewall. The entry point is usually a host accessible through default credentials. From there we can get JMX console access and view the microkernel of the JBoss application server.

If full control over the JBoss application server can be obtained, we can then start or stop services as well as deploy or un-deploy Web application ARchive (WAR) files. It is even possible to create a custom WAR file and embed a JavaServer Pages (JSP) payload that, when executed, will initiate a reverse connect-back to the RPA server and spawn a shell.

From there a user account can be created and added to the local administrators group in order to maintain access to the server and use it as a jump point for further testing. Once this user account is created, a fully interactive session can be established by using RDP to connect to the server. Once connected, it's possible to dump the password hashes of the local user accounts.
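As an added example (not part of the original text, and not RPA's own tooling), here is a small detection over Windows Security-log events for the persistence step described above: a local account being created and then added to the local Administrators group on the same host. The event records are constructed sample data in a simplified JSON-like shape; field names and the ten-minute window are assumptions.

```python
"""Flag a new local account (Event ID 4720) that is added to the local
Administrators group (Event ID 4732, group SID S-1-5-32-544) shortly
afterwards on the same host. Real events would arrive from the Security
log via a collector; the records below are constructed sample data and
assume the collector resolved the group member to an account name."""
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group

# Constructed sample events (not real log data). WEB01 shows the pattern
# from the finding above: creation and group add seconds apart, performed
# by the machine account (a process running as SYSTEM, e.g. an app server).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:05", "host": "WEB01", "id": 4720,
     "subject": "WEB01$", "target": "svc_backup"},
    {"ts": "2024-03-01T02:14:09", "host": "WEB01", "id": 4732,
     "subject": "WEB01$", "member": "svc_backup", "group_sid": ADMINS_SID},
    # FS02: routine helpdesk work, group add a day later -> outside window
    {"ts": "2024-03-01T09:30:00", "host": "FS02", "id": 4720,
     "subject": "helpdesk1", "target": "jdoe"},
    {"ts": "2024-03-02T09:30:00", "host": "FS02", "id": 4732,
     "subject": "helpdesk1", "member": "jdoe", "group_sid": ADMINS_SID},
]


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return (host, account, subject) for each account that was created and
    added to local Administrators on the same host within `window`."""
    creations = {}   # (host, account) -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4720:
            creations[(ev["host"], ev["target"].lower())] = ts
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            key = (ev["host"], ev["member"].lower())
            created = creations.get(key)
            if created is not None and ts - created <= window:
                hits.append((ev["host"], ev["member"], ev["subject"]))
    return hits


if __name__ == "__main__":
    for host, account, subject in find_new_local_admins(SAMPLE_EVENTS):
        print(f"ALERT {host}: '{account}' created and made local admin by {subject}")
```

In the sample data only WEB01 is flagged; correlating the subject account (a machine account rather than an administrator) with the event pair is what separates this from routine helpdesk provisioning.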