This article deals with the differences between internal and external penetration tests. If the topic of pentesting is new to you, you can find out what we mean by a penetration test under the “Penetration Testing” tab.
The basic distinction is that in an internal penetration test the penetration tester is guaranteed access to the company’s network, whereas in an external penetration test the tester must work with publicly accessible services and information. External penetration testing is still widely regarded as the traditional approach, but this view is increasingly shifting because of the multitude of attack vectors that lead into the internal network. First, a detailed distinction is made between external and internal penetration testing.
External penetration testing
During an external penetration test, publicly accessible systems are checked for vulnerabilities and information disclosure. DNS enumeration is performed to identify hosts and dependencies related to the company.
Furthermore, login areas can also be exposed to denial-of-service and brute-force attacks. In the worst case, a guessed password can be used to gain access via a publicly accessible admin panel; a classic example is the login area of a CMS. This opens up new attack opportunities or information leaks, and successful access can also be accompanied by financial damage.
The targets of an external attack, from the perspective of a black hat, can be sensitive information, access to systems, manipulation of systems, and entry points into the internal network. A taken-over system can also be misused by the attacker for phishing or to damage the company’s reputation.
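The brute-force risk described above is usually mitigated on the login area itself. The following added example (not part of the original article) shows a minimal login handler with a sliding-window failure counter and temporary account lockout; the user store, the account name and the clock injection are constructed for illustration, and a real admin panel would read accounts from its database.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, List

MAX_FAILURES = 5        # failed attempts tolerated inside the window
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long further attempts are refused


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a leaked store is expensive to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (hypothetical account); a real panel reads
# this from its database.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, hash_password("correct horse battery staple", _SALT))}


class LoginGuard:
    """Per-account failure counter with temporary lockout.

    The clock is injectable so the behaviour can be exercised without waiting.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.failures: Dict[str, List[float]] = defaultdict(list)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: start fresh
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def record_failure(self, user: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures[user] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS

    def record_success(self, user: str) -> None:
        self.failures[user].clear()
        self.locked_until.pop(user, None)

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.is_locked(user):
            return "locked"
        record = USERS.get(user)
        if record is None:
            # Unknown account: do the same hash work and give the same answer
            # as a wrong password, so the response does not reveal which
            # user names exist.
            hash_password(password, b"\x00" * 16)
            self.record_failure(user)
            return "denied"
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(MAX_FAILURES):
        print(guard.attempt("admin", "wrong-guess"))               # denied
    print(guard.attempt("admin", "correct horse battery staple"))  # locked
```

Two design points matter for a real deployment: the per-account counter should be paired with a per-source-address limit, since a lockout alone lets an attacker deny service to a known user name, and the failure dictionary needs an eviction policy (or a backing store with expiry) so that attempts against invented user names cannot grow memory without bound.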
Common externally accessible systems are as follows:
- Mail servers
- CMS systems
- File shares (FTP, SMB, other shares)
- Test servers
To locate externally accessible systems, the first step is a DNS enumeration. There are websites that give a comprehensive overview of the accessible systems located under the main domain. In addition, banner information is revealed that may offer new areas of attack, including operating systems, version information, IPs, protocols, and ports. This information can potentially be used to carry out exploits successfully.
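On the defending side, the same banner information can be reviewed before an attacker sees it. The following added example (not from the original article) parses HTTP response header blocks and reports every header that discloses a product version; the host names and responses are constructed samples, not captured from any real system, and the header list is a starting point rather than an exhaustive one.

```python
import re
from typing import Dict, List

# Headers that commonly carry product and version information.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of an HTTP response into a lower-cased dict."""
    lines = raw.strip().splitlines()
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]          # drop the status line
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(host: str, raw: str) -> List[str]:
    """Return one finding per header that leaks a version number."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS and VERSION_RE.search(value):
            findings.append(f"{host}: header '{name}' discloses a version: {value}")
    return findings


# Constructed sample responses (hypothetical hosts under example.com).
SAMPLES = {
    "www.example.com": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
    ),
    "old.example.com": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.15 (CentOS)\r\n"
        "X-Powered-By: PHP/5.3.3\r\n"
        "Content-Type: text/html\r\n"
    ),
}


def audit(samples: Dict[str, str]) -> List[str]:
    """Run the banner check over every host in the sample set."""
    findings: List[str] = []
    for host, raw in samples.items():
        findings.extend(banner_findings(host, raw))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

In practice the raw header blocks come from an inventory of the hosts found during DNS enumeration; the check is meant to be run against your own systems, and each finding is resolved by suppressing the version in the server configuration (for example by removing `X-Powered-By` and reducing `Server` to the product name).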
Internal penetration testing
In most cases, an attack from the inside has far greater potential than an attack from the outside, as there are often more vulnerable systems in the internal network.
More extensive security measures, such as group policies, a user role concept, network separation, and IDS systems, are often not in place or are incorrectly configured.
During the internal penetration test, these security measures, among others, are checked accordingly.
Since there are a number of ways to gain access to the internal network, it must be secured as effectively as possible.
Possible entry points into the internal network are:
- Phishing campaigns (infecting a client PC or obtaining credentials)
- Physical access with the aim of connecting appropriate hardware to the network
- Gaining access via an externally accessible system
- Watering hole attacks
In consultation with the company’s IT, the penetration tester is given access to the internal network. There are various possibilities for implementation here. Appropriate hardware can be installed in the network to which the pentester can connect via VPN. Alternatively, the pentester can also sit in the company and connect to the network accordingly.
The pentest preferably starts with the test in the client network. This simulates a successfully taken-over client PC that has been compromised by a phishing campaign, for example. In addition, it is valuable for IT to see which areas can be accessed from the client network, provided that a network separation or a DMZ has already been implemented.
If not all areas of the network are accessible, the pentest hardware can be connected in another network area (e.g. server network). This is called staging.
An internal penetration test focuses on testing the following modules:
- Patch management & end-of-life systems
- Default passwords
- Checking the network separation & VLANs
- Utilization and resilience of the network
- Encryption / man-in-the-middle protection
- Accessibility of sensitive systems
- User awareness (e.g. phishing)
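The first two modules in this list, patch management with end-of-life systems and default passwords, can be checked against an asset inventory before the pentester arrives. The following added example (not part of the original article) does exactly that over a constructed inventory: hosts are flagged when their operating system is past its vendor end-of-life date, when no lifecycle information is known for them at all, or when the administrative credential matches a known default. The host names, the password store format and the default-credential list are constructed for illustration; the lifecycle table holds two real Microsoft dates plus a placeholder entry and must be maintained from vendor lifecycle data in a real audit.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Vendor end-of-life dates. Windows 7 and Windows Server 2012 R2 are real
# dates; "Example Linux LTS" is a placeholder entry.
EOL_DATES: Dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Example Linux LTS": date(2030, 1, 1),
}

# Constructed list of vendor defaults; a real audit uses a maintained list.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
]


def pw_hash(password: str) -> str:
    """Unsalted SHA-256, used here only because the sample store stores it."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Host:
    name: str
    os: str
    admin_user: str
    admin_pw_hash: str   # hex SHA-256 of the admin password (sample store only)


# Constructed inventory of hypothetical hosts.
INVENTORY: List[Host] = [
    Host("fileserver01", "Windows Server 2012 R2", "admin", pw_hash("admin")),
    Host("hr-pc-07", "Windows 7", "hruser", pw_hash("S3cure!Long-passphrase")),
    Host("app01", "Example Linux LTS", "root", pw_hash("zX9#q7Lm!pR2vBn4")),
    Host("printer-03", "PrinterOS 4.1", "admin", pw_hash("password")),
]


def find_eol_hosts(inventory: List[Host], today: date) -> List[str]:
    """Hosts whose OS has reached its end-of-life date."""
    return [h.name for h in inventory if EOL_DATES.get(h.os, date.max) <= today]


def unknown_lifecycle(inventory: List[Host]) -> List[str]:
    """Hosts for which no lifecycle information exists; these need follow-up."""
    return [h.name for h in inventory if h.os not in EOL_DATES]


def find_default_credentials(inventory: List[Host]) -> List[str]:
    """Hosts whose admin credential matches a known default."""
    default_hashes = {(user, pw_hash(pw)) for user, pw in DEFAULT_CREDENTIALS}
    return [h.name for h in inventory
            if (h.admin_user, h.admin_pw_hash) in default_hashes]


if __name__ == "__main__":
    today = date.today()
    print("end-of-life:", find_eol_hosts(INVENTORY, today))
    print("unknown lifecycle:", unknown_lifecycle(INVENTORY))
    print("default credentials:", find_default_credentials(INVENTORY))
```

Hosts absent from the lifecycle table are deliberately reported separately rather than treated as supported: in an internal network the unknown devices (printers, appliances, embedded controllers) are frequently the ones that are neither patched nor reconfigured, which is why the checks above report them even though no date can be compared.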
External and internal penetration testing are interdependent and should be carried out together. Even if there are no external entry points, there are many ways to infiltrate the internal network, as described above. The internal network generally offers more attack surface, so more testing time should be invested there.
Since the infrastructure of a network is constantly changing, a penetration test is only a snapshot of the current state and should be performed regularly to keep the IT infrastructure as secure as possible. There are several established standards that describe the process of a penetration test.