Strategic Penetration Testing

Vulnerability testing and exploitation will consist of the following types of web application attacks:

• Buffer Overflows, command execution;
• SQL Injection;
• Cross Site Scripting (XSS);
• Directory Traversal;
• Parameter (url) tampering;
• URL obfuscation;
• Cross site request forgery;
• Input and Data Validation;
• Authentication and Authorization;
• Encryption and Key Management; and
• Error handling, auditing, and logging application management.

Initial testing phases will follow traditional network testing methodologies, however will be expanded to specific testing towards Cloud and containers, assessing risky permissions and roles, dump tokens, attempt role bindings, accessing secrets, attempt access to pods and containers. The tasks section of this methodology outline the specific checks and test pertaining to Cloud and storage containers. Description: In this activity the penetration tester will perform various tests and checks to assess the security configurations of the Cloud infrastructure and container systems, perform enumeration, identify vulnerabilities and attempt exploitation for misconfigurations. The tester will write various scripts/payloads and use tools to test the security settings and weaknesses accordingly.

Tasks:

• Cloud cluster testing for risky permissions 
• Identify risky Roles\ClusterRoles 
• Identify risky RoleBindings\ClusterRoleBindings
• Identify risky Subjects (Users, Groups and ServiceAccounts) 
• Identify risky Pods\Containers 
• Dump tokens from pods (all or by namespace) 
• Get associated RoleBindings\ClusterRoleBindings to Role, ClusterRole or Subject (user, group or service account) 
• List Subjects with specific kind ('User', 'Group' or 'ServiceAccount') 
• List rules of RoleBinding or ClusterRoleBinding 
• Show Pods that have access to secret data through a volume or environment variables 
• Get bootstrap tokens for the cluster 
• Cloud RBAC audit for risky roles 
• Listing secrets - Utilizing the listing secrets permission 
• Creating a pod with a privileged service account (attempt to gain permission to create a pod in the “cloud-system” namespace) 
• Attempt to impersonating privileged accounts 
• Reading a secret – brute-forcing token IDs (attempt to find tokens with permissions to read secrets)
• Creating privileged RoleBindings (attempt to bind that allows a user to create a RoleBinding with admin ClusterRole) 
• Seeking for Exposed Services
• Checking Cloud (Read Only Port) Information Exposure 
• Checking for Anonymous Access 
• Checking Anonymous Access to the API Server 
• Searching for a privileged service account token 
• Checking service account API authorization 
• Kernel exploit vulnerabilities 
• Check Containers’ security configuration 
• Check for Sensitive files inside the container

A complete review of network architecture, design and segment isolation to identify any risk exposure recommendations for security enhancements and provide a strategic roadmap for remediation activities.

Network device (routers/switches/firewalls) configurations will be reviewed using offline configuration scanning and best practices policies (via uploading device configurations to scanning tools).

Tests for access to network through open ports, ARP poisining, MAC spoofing and capturing of hashes for network accounts.

Configuration management software will be used to review server configurations against security best practices policies.

Scans and Firewall/Router ACL (ruleset) reviews to ensure segmentation of the corporate networks.

Review of VPN configurations and test to ensure strong encryption.

Wireless sysems will be tested for security configurations flaws, weak passwords and encryption. These tests are performed using a specialized wireless sniffing tool which captures traffic from the access points.

Cracking attempts for traffic captures containing WPA handshakes and SSID keys will occur, using dictionary and brute force attacks (no impact to routers).
Any access points successfully cracked will be exploited by logging in with SSID credentials to gain access to the network. Router login attempts and network sniffing will then occur.

Testing for WPA2 Enterprise is done using Fake Radius servers and certs.

The penetration tester will walk the perimeter, and use the Long Range Wifi adapter from a distance to detect Rogue access points and to test the encryption and security of wireless access points.

The social engineering phase of the penetration test will include safe techniques through simulation phishing emails (non-malicious) which track user clicks/downloads or spoofed form completions (e.g. surveys or fake Facebook logins), USB drives dropped in parking lots and random on-site locations containing simulation software (non-malicious) to detect if users plug into computers. Additionally, testing will include user imposters (via telephone calls or Instant Messaging) to see if employees can be tricked into escalating account privileges or providing confidential information to a possible attacker (e.g. ‘reverse social engineering’ pretending to be help desk support requesting login credentials to fix an issue on their corporate machines). Tailgating attempts will occur to building entrances and sensitive areas, and lastly access attempts to entrance of buildings and sensitive areas using flattery and social tricks to gain access.

The purpose of our social engineering exercises is to provide focus areas for policies and security awareness priorities for employee training. All social engineering exercises will be closely coordinated with the Single Point of Contact prior to execution, and will not consist of threatening behavior.