Advanced External Infrastructure Assessment

April 2nd, 2024 Posted in Penetration Testing

What is an advanced external infrastructure assessment?

We previously covered the difference between internal and external infrastructure penetration testing. Today, we’re going to take a deeper dive into one facet of cybersecurity: external infrastructure testing. Unlike internal infrastructure pen testing, external testing scrutinises the defences against threats originating from beyond the organisational boundary, and is a critical assessment for safeguarding digital assets against the ever-evolving landscape of cyber threats.

So how do we do this? At the core of Evalian’s external infrastructure methodology lies a three-pronged approach, meticulously designed to offer a holistic assessment of external vulnerabilities. Our methodology not only aims to identify potential entry points for cyber adversaries but also to strengthen the security measures and settings in place that protect your organisation’s valuable data and resources. 

The Three-Pronged Methodology  

The First Prong: Digital Perimeter Assessment

Our journey begins with the Digital Perimeter Assessment. This takes the form of a thorough evaluation of your organisation’s publicly facing servers and services. Imagine the digital equivalent of testing the locks, alarms, and walls that protect a physical building. Using advanced tools and manual fuzzing we meticulously analyse these external entities to unearth vulnerabilities that could serve as gateways for unauthorised access. This mostly entails looking at the entity’s public facing infrastructure, for example, a publicly routable server and the services running on it. This phase remains ongoing as targets are added and information is gained during the following two phases. 

The Second Prong: Intelligence Harvesting

Moving deeper into our analysis comes the Intelligence Harvesting phase. Here, your penetration tester will leverage the power of Open-Source Intelligence (OSINT) techniques to gather and analyse publicly available information about your company. From GitHub dorks and Google dorks to breach databases, the tester will sift through the public data that could potentially be exploited by cyber attackers. This part of the process focuses on understanding the shadow your organisation casts on the digital landscape, leaving no stone unturned to ensure no piece of information can be used against you.

The Third Prong: Connectivity Evaluation

The final piece of our triad is the Connectivity Evaluation. This phase is dedicated to scrutinising how your employees connect to your network, particularly through remote access solutions like VPNs, Microsoft 365, or SharePoint. In today’s era of flexible work environments, ensuring secure and resilient connections is paramount. Our analysis in this domain aims to fortify these lifelines against interception or disruption, safeguarding the integrity and confidentiality of your digital communications. 

Together, these three prongs form a comprehensive approach to external infrastructure testing, each playing a crucial role in strengthening your organisation’s cybersecurity posture.  

The Difference between a standard external infrastructure test and an advanced external infrastructure assessment

Traditionally, security testing firms would only offer a single-pronged approach to external infrastructure testing. It’s essential to understand both the inherent strengths and limitations of focusing solely on the Digital Perimeter Assessment. Here’s a breakdown of what makes “Advanced External Infrastructure Testing” distinct, alongside the benefits and limitations of maintaining a focus exclusively on the first prong.

Benefits of focusing on the Digital Perimeter Assessment only:

Strengths: 

  • Focused Security: Concentrating on public servers and services, this approach offers a targeted evaluation of the parts of your infrastructure that are most visible and accessible to external threats. It’s akin to thoroughly checking the locks on the front door.
  • Cost-Effective: For organisations with limited cybersecurity budgets, focusing on the digital perimeter can provide a relatively inexpensive way to identify and mitigate glaring vulnerabilities. 
  • Quick Turnaround: Without the depth of a full-scale assessment, organisations can quickly receive and act on the findings, making it suitable for companies needing immediate improvements in security posture. 

Limitations: 

  • Surface-Level Insights: While this approach identifies immediate vulnerabilities in public-facing assets, it offers limited insight into deeper, potentially more advanced security flaws. 
  • Neglecting Comprehensive Threat Landscape: It does not account for the sophistication of attackers who use information gathered from public sources or exploit weak points in remote connectivity to orchestrate more complex attacks.  

Benefits of an advanced approach to external infrastructure testing

“Advanced External Infrastructure Testing” broadens the scope by incorporating Intelligence Harvesting and Connectivity Evaluation into the cybersecurity arsenal. This comprehensive approach not only scrutinises the digital façade but also delves into the strategic use of publicly available information and the security of remote connections.  

Enhanced Benefits: 

  • Deeper Security Insights: By integrating OSINT and connectivity assessments, organisations gain a more nuanced understanding of their security posture, uncovering vulnerabilities that a surface-level scan of the perimeter would not reveal.
  • Proactive Threat Intelligence: Intelligence Harvesting identifies potential threats early by analysing how information about the company is exposed and used in the wild, allowing countermeasures to be put in place before that information is abused.
  • Resilient Remote Work Security: Evaluating remote connectivity ensures that the increasingly popular remote work models do not become the Achilles’ heel of an organisation’s security framework.  

While the comprehensive approach demands more time and investment upfront, it offers significant long-term savings by mitigating the risk of severe security breaches that could result in substantial financial and reputational damage. The higher initial cost is offset by the broader set of defences it allows you to build, protecting against a wider range of threats and reducing the likelihood of costly breaches.

The process

The importance of Scoping 

Scoping isn’t just a preliminary step; it’s the blueprint of your penetration testing strategy. When you’re gearing up for an external pen test, the scope outlines the battlefield. It also dictates how much your penetration test will cost, so it’s important to get it right.

Key questions to settle include which domains are in scope, which areas are off-limits, and which approach to take: black-box, white-box, or a blend of the two in hybrid testing. This phase determines how you’ll proceed, affecting everything from the depth of your testing to the tools and techniques you’ll deploy.

In the realm of pen testing, the approach you select can drastically alter your path. Black-box testing offers a raw, unfiltered challenge, simulating an attacker with no inside knowledge of the system. It’s akin to being parachuted into unknown territory with nothing but your wits and skills to rely on. On the flip side, white-box testing is like having the blueprint of the fortress you’re trying to infiltrate, allowing for a more focused and efficient assault. You can read more here about the differences between black-box testing and white-box testing.

Hybrid testing merges these worlds, starting with limited knowledge and progressively deepening the engagement based on initial findings. It’s a strategic choice, allowing teams to adapt and target the test efficiently. Each approach has its merits, tailored to different organisational needs and security objectives. 

Intelligence Harvesting 

Domain Information: Unveiling the Digital Territory

The initial step in the OSINT process involves gathering domain-related information. This phase is all about understanding the digital landscape of your target—mapping out the structure of their online presence. By examining domain registrations and infrastructure, testers can uncover valuable data such as associated IP addresses, server locations, and even contact information tied to domain registrations. This information lays the groundwork for identifying potential entry points and understanding the broader network architecture of the target. 

Email Addresses and Password Leaks: Sifting Through Digital Footprints

Next up is the search for email addresses and any associated password leaks. This step is crucial for identifying potential targets within the organisation, such as employees or system administrators, whose credentials could be used to gain unauthorised access. It involves scouring data breaches and leak databases to find email-password combinations linked to the target domain. The intelligence gathered here not only aids in crafting targeted attacks like phishing or password spraying but also highlights the need for robust password policies and awareness training within the organisation. 

Metadata Finder: The Devil in the Details

Exploring metadata from documents and files associated with the target can reveal a goldmine of information. Metadata, often overlooked, can include details such as author names, software versions, and editing times—clues that paint a picture of the internal operations and technologies used by the target. This insight can be instrumental in crafting social engineering attacks or identifying software vulnerabilities to exploit. 

API Leaks Search: Exposing Hidden Data

APIs (Application Programming Interfaces) are the lifeblood of modern web services, facilitating data exchange and functionality. However, improperly secured APIs can expose sensitive data or offer unintended access to internal systems. The OSINT process includes searching for these leaks, focusing on discovering unsecured endpoints or misconfigured APIs that could be leveraged for data exfiltration or as entry points for further exploitation. Learn more about securing your APIs. 

Google Dorks: Mining the Search Engine Giant

“Google Dorking” is the art of using advanced search syntax to uncover information hidden in plain sight on the internet. This technique exploits specific Google search parameters to find sensitive information, such as exposed credentials, sensitive files, or administrative interfaces, that are publicly accessible but not easily found through standard search queries. It’s a powerful method for identifying overlooked vulnerabilities and information exposures. 

GitHub Dorks: Digging Through Code Repositories

Much like Google Dorks, GitHub Dorks utilise advanced search techniques, but focus specifically on GitHub and similar code repository platforms. This step involves searching for sensitive information accidentally uploaded by developers, such as hard-coded credentials, API keys, or proprietary code, which could be exploited by attackers. The information gleaned from this process highlights the critical importance of secure coding practices and the need for regular audits of publicly accessible code repositories. 

GitHub Org Analysis: Assessing the Open-Source Footprint

The final step in the OSINT process is a thorough analysis of the target’s GitHub organisation and repositories. This involves examining the public and, where possible, private repositories for security vulnerabilities, exposed secrets (like passwords and tokens), and other sensitive data that could be exploited. Tools that specialise in this area look for patterns indicative of secrets or vulnerabilities, providing a detailed view of the potential security risks present in the codebase. 
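As an added example (not Evalian’s tooling or any named scanner), here is a minimal version of the pattern-based check that repository secret scanners perform, suitable for running on your own code as a pre-commit or CI gate; the file contents, the generic assignment pattern and the entropy threshold are constructed for illustration.

```python
"""Pattern-based secret scan over repository files (added example, constructed input).

Repository secret scanners look for well-known key shapes (the AWS access key
ID format, PEM private-key headers) and for generic assignments of
secret-looking values, filtering the latter by entropy to reduce false alarms.
"""
import math
import re
from collections import Counter

# Constructed file contents standing in for a repository snapshot. The AWS
# values are the documented AWS example credentials, not live keys.
SAMPLE_REPO = {
    "config/settings.py": (
        'DEBUG = False\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxx"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "README.md": "Run `make test` before pushing.\n",
}

PATTERNS = {
    # AWS access key IDs are 20 characters starting with AKIA.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # A quoted value of 12+ characters assigned to a secret-looking name.
    "assigned_secret": re.compile(
        r"(?i)(secret|password|token|api[_-]?key)[\w-]*\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}


def shannon_entropy(value):
    """Bits per character; random-looking tokens score high, placeholders low."""
    counts = Counter(value)
    return -sum((c / len(value)) * math.log2(c / len(value)) for c in counts.values())


def scan_text(path, text, min_entropy=3.5):
    """Return (path, line number, pattern name) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # Generic assignments must also look random; "xxxx..." is skipped.
                if name == "assigned_secret" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((path, lineno, name))
    return findings


def scan_repo(files):
    """Scan every file; a non-empty result should fail the commit or CI job."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for hit in scan_repo(SAMPLE_REPO):
        print("%s:%d %s" % hit)
```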

By meticulously following these steps, cybersecurity professionals can gather a wealth of information about their target, laying the foundation for a successful penetration test. This intelligence not only informs the test strategy but also highlights areas where the target organisation needs to bolster its security posture, from tightening access controls to improving data handling practices. OSINT, in this light, is not just about finding vulnerabilities—it’s about understanding the target’s digital ecosystem, paving the way for more informed and effective cybersecurity measures. 

Subdomain Enumeration

Subdomain enumeration is a critical process in the initial stages of an external penetration test, serving as the foundation for understanding the target’s digital terrain. It involves systematically identifying the subdomains associated with the organisation’s primary domain. This step is pivotal because each subdomain can represent a distinct application or service, potentially with its unique set of vulnerabilities. By mapping out these subdomains, testers can gain a comprehensive view of the target’s online presence, highlighting areas that require further security analysis. 

The Significance of Subdomain Enumeration

The primary objective of subdomain enumeration is to uncover as many active subdomains as possible. These subdomains often host different parts of a business’s online operations, including external services like web applications, APIs, or specific internal systems exposed for remote access. Since each subdomain may run on different technologies or frameworks, they each represent a unique potential point of entry for attackers. Identifying these subdomains allows penetration testers to conduct focused assessments on each, ensuring no part of the organisation’s digital footprint goes unchecked. 

Connectivity Evaluation 

Password spraying: why it works

In the complex world of cybersecurity, password spraying stands out as a surprisingly simple yet effective technique for attackers and testers alike. Unlike traditional brute-force attacks, which attempt a wide range of passwords on a single account, password spraying flips the script by applying a few common passwords across many accounts. This strategy exploits a fundamental weakness in human nature: the tendency to use simple, easy-to-remember passwords. 

Understanding Password Spraying

Password spraying is predicated on the statistical likelihood that out of a large set of users, some will have set their passwords to one of a few commonly used options (think “password,” “123456,” or “admin”). This method is particularly effective in evading account lockout policies designed to block access after a certain number of failed login attempts. By spreading the attempts thinly across many accounts, the attacker significantly reduces the chances of triggering these security measures. 

Common Password Use: Despite years of warnings and security advisories, the use of common passwords remains rampant. Password spraying leverages this weak link in security to gain unauthorised access. 

Low and Slow Approach: By making only a few attempts on each account before moving on to the next, attackers fly under the radar, avoiding detection mechanisms that look for rapid succession of failed logins on a single account. 

Volume Game: With the sheer number of user accounts available to target, especially in large organisations, even a low success rate can yield access to several accounts. 

Underestimation of Risk: Organisations often underestimate the risk posed by seemingly benign common passwords, focusing their security efforts on defending against more sophisticated attacks. 
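An added example, not from the original post, showing why the low and slow approach slips past a per-account lockout counter and what defender-side detection looks like instead (many distinct accounts failing from one source in a short window); the log format, thresholds and log lines are all constructed.

```python
"""Detect a password spray in authentication logs (added example, constructed input).

A per-account lockout counter sees one or two failures per account and never
trips; the spray signal is one source failing against many distinct accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "timestamp user source result". Not from a real system.
SAMPLE_LOG = """\
2024-04-02T09:00:01 alice 203.0.113.7 FAIL
2024-04-02T09:00:03 bob 203.0.113.7 FAIL
2024-04-02T09:00:05 carol 203.0.113.7 FAIL
2024-04-02T09:00:07 dave 203.0.113.7 FAIL
2024-04-02T09:00:09 erin 203.0.113.7 FAIL
2024-04-02T09:00:13 grace 203.0.113.7 SUCCESS
2024-04-02T09:01:00 alice 198.51.100.4 FAIL
2024-04-02T09:01:10 alice 198.51.100.4 FAIL
2024-04-02T09:01:20 alice 198.51.100.4 FAIL
2024-04-02T09:05:00 bob 192.0.2.9 FAIL
2024-04-02T09:05:30 bob 192.0.2.9 SUCCESS
"""

def parse_log(text):
    """Return (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def per_account_lockouts(events, max_failures=3):
    """Accounts a classic lockout policy would lock: >= max_failures failures each."""
    fails = defaultdict(int)
    for _, user, _, result in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= max_failures)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source -> most distinct accounts it failed against inside one window."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {u for _, u in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = max(len(accounts), alerts.get(src, 0))
    return alerts

def successes_from_flagged(events, alerts):
    """Logins that succeeded from a flagged source: accounts to reset and review."""
    return sorted((u, s) for _, u, s, r in events if r == "SUCCESS" and s in alerts)
```

On the constructed log, the lockout rule catches only the single account hammered from 198.51.100.4, while the source that touched five accounts once each is only visible to the per-source rule.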

Digital Perimeter Assessment 

Initial Reconnaissance: Mapping the Digital Landscape

Initial reconnaissance in the context of infrastructure testing is akin to laying the groundwork for a comprehensive security audit. It’s the stage where the security team gathers as much information as possible about the target’s publicly accessible digital assets. This involves identifying all the public-facing components, such as websites, web applications, network interfaces, and server endpoints, that could potentially be vulnerable to attacks. The goal here is to create a detailed map of the organisation’s external digital presence, providing a clear overview of the attack surface that needs to be scrutinised for weaknesses. 

This phase is crucial because it sets the stage for more focused testing efforts. By understanding the breadth and scope of the target’s public-facing infrastructure, testers can prioritise their efforts, allocate resources more efficiently, and tailor their testing strategies to the specific characteristics of the infrastructure. Initial reconnaissance is about knowing the terrain before going into battle, ensuring that no stone is left unturned in the quest to identify vulnerabilities. 

Port and Service Identification: Discovering Gateways and Guardians

Once the digital landscape has been mapped out during initial reconnaissance, the next step is to drill down into the specifics of the infrastructure by identifying open ports and the services running on them. This step is vital because every open port on a device is a potential entry point for an attacker, and the services associated with these ports determine the nature of the vulnerabilities that might be present. 

Port scanning involves systematically checking the target’s systems to identify which TCP or UDP ports are open and listening for incoming connections. This scan reveals valuable information about the network’s configuration and the types of services that are exposed to the internet. Each identified service is then further analysed to understand its version, configuration, and any known vulnerabilities associated with it. 

This detailed inventory of ports and services is a critical component of the security assessment, as it helps to pinpoint which parts of the infrastructure are potentially vulnerable to specific types of attacks. For instance, an outdated web server software version exposed on a specific port might be susceptible to exploitation due to known vulnerabilities. 

Vulnerability Scanning: Probing for Weaknesses

With a comprehensive understanding of the target’s publicly accessible digital assets and the specific services they are running, the next step is vulnerability scanning. This phase involves using automated tools to scan for known vulnerabilities within those assets, based on the information gathered during the initial reconnaissance and port and service identification phases. 

Vulnerability scanning is designed to identify security weaknesses quickly and efficiently across a wide range of systems and applications. These scans look for issues such as outdated software, misconfigurations, exposed databases, or insecure APIs that could be exploited by an attacker. The results of these scans provide a snapshot of the target’s security posture, highlighting areas where improvements are needed. 

The key to effective vulnerability scanning is not just in identifying vulnerabilities but in accurately assessing their potential impact on the organisation’s security. This requires a combination of automated scanning tools and expert analysis to understand the context of each vulnerability within the larger security landscape of the organisation. By prioritising vulnerabilities based on their severity and the likelihood of exploitation, security teams can focus their remediation efforts where they will have the most significant impact. 

Conclusion 

Whilst there are benefits to a standard one-prong approach to external infrastructure testing, there’s no doubt that having your penetration testing provider take a more advanced, three-pronged approach gives your organisation a more comprehensive view of its security posture and a more detailed remediation plan within the pen testing report.

This method is invaluable and can ensure that your assets have a much better chance of remaining secure, ultimately giving you the confidence that your infrastructure has been tested thoroughly and allowing you to concentrate on the other important parts of your business operations. However, it’s important to remember that although an advanced external infrastructure test is comprehensive, it’s not fail-safe, and you should ensure that your infrastructure is regularly tested for vulnerabilities.

Get a quote for external infrastructure testing 

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.    

Written by Rory Hattingh

Rory is a seasoned Penetration Tester with deep roots in both the networking and development sectors. Rory started his career in networking and has vast experience in web application security, infrastructure network penetration testing, and executing red teaming security assessments, among other specialties. Rory holds the Offensive Security Certified Professional (OSCP) certification and is a CREST Registered Penetration Tester.