5.5 Penetration Tests


Last updated 9:28 PM on 7/31/25

9 Terms

1

Physical Penetration Testing

A security assessment focused on gaining unauthorized physical access to a facility.

  • Physical access to a device can bypass nearly all digital protections.

  • An attacker could alter the boot process, load their own media, or tamper with system files.

  • Servers are typically housed in secure data centers.

  • Testers attempt to enter a building without proper credentials, exploring all possible entry points like doors, windows, and elevators to evaluate the strength of physical security measures.

2

Red team

Offense

  • They attack systems, they look for vulnerabilities, and they attempt to exploit those vulnerabilities.

3

Blue Team

Defensive

  • Identify incoming attacks in real time and block any of these attacks from occurring.

4

Purple team

The best combination would be to integrate the red and blue teams together.

  • Have a system that is constantly providing feedback on itself.

  • You’ll have the red team constantly attacking systems.

  • And when they identify an opening, they pass that information to the blue team to be able to patch it and better identify it next time.

5

Known environment

Full disclosure of all of the systems that will be attacked during this penetration test.

6

Partially Known Environment

Only some of that information is provided to the pen tester.

  • A mix between the known environment and the unknown environment.

  • Often used when you want the pen testers to be sure to attack certain systems within your environment.

7

Unknown environment

No information is provided to the pen tester.

  • The pen testers have to find all of the information on their own.

  • Often referred to as a blind test.

8

Passive Reconnaissance

Gathering information from sources that don’t tie us directly back to the customer’s network.

  • Finding information on social media about the customer’s networks.

  • There might be details on a corporate website where you can browse and learn more about the company.

  • Online forums or Reddit posts that can provide information about what’s in that company’s infrastructure.

  • Perform social engineering to try to get information out of people who may work in the company.

  • Talk to third-party companies that do business with that organization to learn what they might know about that customer’s infrastructure.

9

Active Reconnaissance

A much more direct way to gather information because you’re going into the network and querying devices that might be there.

  • We can be easily seen on this network because we’re sending packets across their network.

  • Very often the evidence that we were there is stored in log files that may be on a firewall or some other device.

Examples

  • A ping scan or a port scan of a device.

  • Perhaps a DNS query to the corporate DNS server.

  • Performing operating system scans or operating system fingerprinting.
