Penetration testing

During a time where attackers are becoming more sophisticated and performing these attacks on a regular basis, it is imperative that organizations establish and maintain an information security program that allows them more flexibility on when and how often they can assess their environments.

Penetration Test vs Vulnerability Test


A vulnerability assessment essentially just tells you that the door is unlocked; a penetration test actually tells the customer that, because the door is unlocked, we found an unlocked safe, unsecured jewelry, credit cards, and social security numbers lying around on the bed. It also explains how to secure the door next time, how to protect the confidential data lying around on the bed, and then some.

What a Vulnerability Test will find:

  • Patching vulnerabilities
  • Default passwords amongst services
  • Configuration deficiencies
  • False positive vulnerabilities (e.g. flagging services based on version numbers, not knowing if patches are applied)


What a Penetration Test will find:

  • Weak domain user account passwords
  • Sensitive files stored on network shares
  • Sensitive data within databases
  • Weak password policies
  • Network share permission issues
  • Man-in-the-middle attack possibilities

The internal and external testing phases are similar in many ways, with the exception of leveraging Open-Source Intelligence (OSINT). These assessments take a comprehensive approach to identifying security vulnerabilities which expose systems and services to potential threats. To accomplish this goal, our consultants leverage a number of resources and techniques to identify, enumerate, and exploit the targeted systems. The following components are included in this phase:


  • Information Gathering – During the information gathering phase, we leverage several publicly accessible sources in order to gather as much information about the organization’s environment as possible. This includes doppelganger domains, IP address ranges (if possible), usernames, vulnerabilities listed on sites such as Shodan, as well as metadata harvested from files. Additionally, this process includes analyzing publicly available DNS records to identify information that may be valuable during an attack, such as additional CNAME records, the lack of MX records, etc.


  • Host Discovery – We leverage several techniques to facilitate host discovery, including ping sweeps and port scans. Using tools such as Nmap and Masscan, we make several passes to identify active systems within the ranges provided to us. This list of discovered hosts is then fed into the platform to facilitate the remainder of the penetration test, including enumeration, exploitation, and post-exploitation.


  • Enumeration – After obtaining a list of active systems from the host discovery process, the next phase we perform is enumeration, based on the ports found open during host discovery. This process is supported by a combination of tools, including Nmap, Metasploit, Hydra, and proprietary tools. Furthermore, we also analyze network-layer traffic to determine whether any vulnerabilities can be discovered, such as the presence of broadcast protocols that may lead to exploitation.


  • Exploitation – If a security vulnerability is discovered from the enumeration process, we attempt to perform exploitation against the network service with the intention of gaining remote command execution on the compromised system.


  • Post Exploitation – After successfully gaining access to a compromised system from the external network environment, we attempt to perform the steps of an internal penetration test with the intention of gaining further access into the internal network environment. This includes pivoting, extracting information from the systems that may be useful for privilege escalation and lateral movement, and more.

This adds:

  • Vulnerability Analysis – The only process performed during an external network vulnerability assessment is a vulnerability analysis. This includes performing a vulnerability scan across all systems that are accessible via the Internet using a database of known vulnerabilities. All vulnerabilities discovered during this process use the severity rankings and other data extracted from the vulnerability scanner. We do not attempt to manipulate any severity rankings or any information produced by the vulnerability scanner.

  • Information Gathering – During the information gathering process for the internal network penetration test, our consultant attempts to learn more about the internal network environment based on information available without conducting any attacks. This includes DNS names and FQDNs learned from DHCP and internal DNS records.

  • Host Discovery – We leverage several techniques to facilitate host discovery, including ping sweeps and port scans. Using tools such as Nmap and Masscan, we make several passes to identify active systems within the ranges provided. This list of discovered hosts is then used to facilitate the remainder of the penetration test, including enumeration, exploitation, and post-exploitation.

  • Enumeration – After obtaining a list of active systems from the host discovery process, the next phase we perform is enumeration, based on the ports found open during host discovery. This process is supported by a combination of tools, including Nmap, Metasploit, Hydra, and proprietary tools we developed. Furthermore, we also analyze network-layer traffic to determine whether any vulnerabilities can be discovered, such as the presence of broadcast protocols that may lead to exploitation.

  • Exploitation – With as much information enumerated as possible, our consultants perform exploitation, attempting to gain remote access to services or systems. Using tools including (but not limited to) Metasploit, Impacket, CrackMapExec, and proprietary exploitation scripts, we exercise extreme caution, executing only exploits that are known to be safe, to avoid negative impact on the confidentiality, integrity, or availability of systems and resources.
  • Post Exploitation – We use the information gathered within the enumeration and exploitation phases of the penetration test to facilitate post exploitation. The objective of post exploitation is to gain as much access to the environment as possible, followed by the enumeration of sensitive information. This is supported by tools such as Metasploit, smbspider, Plunder, and other tools within Kali Linux. Additional tools are used to parse information extracted from this process with the intention of discovering sensitive information such as credit card numbers, social security numbers, passwords, and more.

This adds:

  • Vulnerability Analysis – The only process performed during an internal network vulnerability assessment is a vulnerability analysis. This includes performing a vulnerability scan across all systems that are accessible via the internal network environment using a database of known vulnerabilities. All vulnerabilities discovered during this process use the severity rankings and other data extracted from the vulnerability scanner. We do not attempt to manipulate any severity rankings or any information produced by the vulnerability scanner.