Internal and External Penetration Testing
The following section provides a detailed description of X10’s network penetration testing methodology:
Discovery / Footprint Analysis
A profile or “footprint” of external holdings is developed based on computer addresses and other public information associated with the firm. X10 will identify active and inactive blocks by checking them against public Autonomous System mappings. This initial “footprint” details the ranges used in routing tables and helps us to outline an inventory of Internet-connected hosts. This enables a sound methodology when performing deeper reconnaissance efforts later.
Enumeration: Identification of Live Hosts
The next step is to conduct host enumeration against in-scope network blocks or systems to identify specific live hosts and services. This would begin with a ping sweep (send ICMP probe requests) across the network followed by a scan of 5-7 common web service ports, such as 25, 80, 443 and others. A small subset of UDP ports will also be included in the live host scanning. These efforts will be accomplished using a port scanning and ping sweep with Nmap.
For those network blocks identified during the Discovery phase as not containing any live hosts, a ping sweep and a “light” port scan will be performed. If any live hosts are identified, they will be added to the list of live hosts for further testing.
“Light” scanning consists of a port scan of common services leveraging less-commonly filtered requests, such as SYN, ACK and RST, which will be used to detect additional responsive systems.
Full Port Scanning and Service Enumeration
At the end of this stage a list of live hosts and their IP addresses has been produced. Port scans of all 65,535 TCP ports and UDP ports 1-1024 will be performed on these hosts using the Nmap port scanner. All active services and ports on the live hosts will be documented during this process.
Enumeration involves active connections to the systems and direct queries. Some additional operations and techniques used include:
For identified systems, X10 will provide a port to service level mappings for TCP and UDP as a component of reporting. As port-scanning results will be integral to identifying hosted applications, services indicative of applications will be catalogued and used to create an inventory of applications included in later assessment phases.
Using the information gathered during the testing (e.g., operating system versions, applications, and open services), the X10 team will perform research on the vulnerabilities that may affect the specific target systems. The team will then attempt to confirm if these vulnerabilities actually exist on the system.
Infrastructure Vulnerability Scanning
In addition to identifying vulnerabilities based on the previous phases’ information, the X10 team will programmatically scan the target systems using appropriate proprietary tools and techniques.
For those systems that appear to be inactive, or otherwise un-responsive to gratuitous requests, X10 will limit the scanning of those systems to just common service scanning. (i.e. ports 1 – 1096, 1433 MS SQL, 3389 Terminal Services).
Manual Vulnerability Identification
During the course of this engagement, all identified vulnerabilities will be verified and assessed as to the likelihood of exploitation. Due to the limitations of scanning tools, the team will use both automated and manual methods to confirm these vulnerabilities to the extent possible without exploitation.
False Positive Elimination
While commercial scanning tools provide a solid foundation for vulnerability detection, they have several limitations. Many of the tools generate inconclusive reports due to false positives, false negatives, and inherent ambiguity in automated scanning techniques. X10 carefully evaluates each tool’s results and, where possible, manually verifying the existence of difficult to detect vulnerabilities to ensure accurate reporting.
X10 will use such techniques, as it deems necessary to prove vulnerabilities exist; however, proof does not require the full execution of the vulnerability when X10 believes that a course of action progressing further may cause damage.
Discussions and Finding Verification
X10 will maintain daily contact with designated customer’s management and technical personnel. Should any critical vulnerability be discovered during our assessment, or system failure incurred as a result of assessment, pre-arranged emergency contacts will immediately be notified.
Following assessment completion, X10 will meet with the customer’s project management and designated SMEs to review findings and identify any immediate false positives, and/or identify indicators of a corrupted or otherwise flawed assessment.