External and internal penetration testing

What is an external and internal penetration test?

This article explains the differences between internal and external penetration tests. If pentesting is new territory for you, you can find out what we mean by a penetration test under the "Penetration Testing" tab.

The basic distinction is that, in an internal penetration test, the penetration tester is granted access to the company's network. In an external penetration test, on the other hand, the tester has to work with publicly available services and information. External penetration testing is currently still viewed as the traditional approach, but that view is increasingly shifting because of the large number of attack vectors that allow access to the internal network. First, the external and the internal penetration test are distinguished in detail.

External penetration test

In the external penetration test, the publicly accessible systems are checked for vulnerabilities and information disclosures. DNS enumeration is performed to identify dependencies related to the company.

Furthermore, log-in areas can be vulnerable to denial of service and brute force attacks. In the worst case, for example, a guessed password gives access via a publicly accessible admin panel. A classic example would be the log-in area of a CMS. This results in new attack possibilities or information leaks. Financial damage can also be associated with successful access.

From the point of view of a blackhat, the targets of an external attack can be sensitive information, access to systems, manipulation of systems, and entry points into the internal network. A system that has been taken over can also be misused by the attacker for phishing purposes or to damage the company's image.

Common externally accessible systems are the following:

  • Mail servers
  • Homepage
  • Firewall
  • CMS systems
  • File shares (FTP, SMB, other shares)
  • APIs
  • Databases
  • SSH
  • Test servers

To find externally accessible systems, the first step is DNS enumeration. There are websites that provide a comprehensive view of the reachable systems that reside under the main domain.

In addition, service banners disclose information that may offer new attack surfaces, including operating systems, versions, IPs, protocols and ports. This information may allow exploits to run successfully.
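The banner disclosure described above can be checked on your own externally reachable services. The following is an added example, not code from the original article: it flags product, version and operating-system details in collected banners. The sample banners, the addresses (documentation range 198.51.100.0/24) and the function names are constructed for illustration.

```python
import re

# Constructed sample banners as (host, port, banner); not real systems.
SAMPLE_BANNERS = [
    ("198.51.100.10", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"),
    ("198.51.100.10", 80, "Server: Apache/2.4.52 (Ubuntu)"),
    ("198.51.100.11", 80, "Server: nginx"),
    ("198.51.100.12", 25, "220 mail.example.com ESMTP Postfix"),
    ("198.51.100.13", 21, "220 ProFTPD 1.3.5e Server (Debian)"),
]

# A product name followed by a dotted version, separated by '/', '_' or a space.
PRODUCT_VERSION = re.compile(r"([A-Za-z][A-Za-z-]+)[/_ ]v?(\d+(?:\.\d+)+[\w.-]*)")
# Operating-system names that commonly appear in banners (assumed list, extend as needed).
OS_HINTS = re.compile(r"\b(Ubuntu|Debian|CentOS|Red Hat|Windows|Win32|Win64|FreeBSD)\b", re.I)


def audit_banner(banner):
    """Return the details a single banner discloses; an empty dict means nothing flagged."""
    findings = {}
    match = PRODUCT_VERSION.search(banner)
    if match:
        findings["product"] = match.group(1)
        findings["version"] = match.group(2)
    os_hint = OS_HINTS.search(banner)
    if os_hint:
        findings["os"] = os_hint.group(1)
    return findings


def audit(banners):
    """Return (host, port, findings) for every banner that discloses something."""
    report = []
    for host, port, banner in banners:
        findings = audit_banner(banner)
        if findings:
            report.append((host, port, findings))
    return report


if __name__ == "__main__":
    for host, port, findings in audit(SAMPLE_BANNERS):
        details = ", ".join(f"{k}={v}" for k, v in findings.items())
        print(f"{host}:{port} discloses {details}")
```

Services flagged this way can usually be configured to reveal less, for example with `ServerTokens Prod` in Apache or `server_tokens off;` in nginx.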

Internal penetration test

In most cases, an attack from the inside has far greater potential than an attack from the outside, since there are often more vulnerable systems in the internal network.

More advanced security measures such as Group Policy, a user role concept, network separation and IDS are often missing or incorrectly configured.

These security measures, among other things, are checked accordingly during the internal penetration test.

Since there are many ways to gain access to the internal network, it must be secured as well as possible.

Possible entry points into the internal network are:

  • Phishing campaigns (infecting a client PC or stealing credentials)
  • Physical access with the aim of connecting the appropriate hardware in the network
  • Access via an externally accessible system
  • Watering hole attacks

In consultation with the company's IT department, the penetration tester is granted access to the internal network. There are different ways to implement this. Appropriate hardware can be installed in the network to which the pentester can connect via VPN. Alternatively, the pentester can also be located in the company and connect to the network accordingly.

The pentest preferably starts in the client network. This simulates a client PC that has been successfully taken over, e.g. one that was compromised by a phishing campaign. In addition, it is valuable for IT to see which areas can be reached from the client network if network separation or a DMZ has already been implemented.

If not all areas of the network can be reached, the pentest hardware can be connected to another network area (e.g. server network). This is called staging.

An internal penetration test focuses on checking the following components:

  • Misconfigurations
  • Patch management & end-of-life systems
  • Default passwords
  • Checking the network separation & VLANs
  • Utilization and resilience of the network
  • Encryption / man-in-the-middle protection
  • Monitoring
  • Accessibility of sensitive systems
  • User awareness (e.g. phishing)

Summary

External and internal penetration tests are interdependent and should be carried out together. Even if there are no external entry points, there are, as described, many ways to infiltrate the internal network. The internal network generally offers more attack surface, so more testing time should be invested there.

Since the infrastructure of a network is constantly changing, a penetration test only represents a snapshot of the current state and should be carried out regularly to keep the IT infrastructure as secure as possible. There are several established standards that describe the process of a penetration test.
