Re: Corporate Intranet

[Aarón Mizrachi <unmanarc () gmail com>]

On Lunes 27 Abril 2009 14:14:52 iadcc escribió:
> Has anybody done a penetration test, in trying to access a companies
> corporate intranet, from outside the Network? If so can you give me some
> pointers how you attempted to do so?

Indeed.

there are various vectors of attack. But, generally, try this scheme.

1. Try to map or figure out how is the network inside... There are too many 
ways to do that.

First of all, you must know where are the public IP address of your company. 
If you are under blackbox, try using google and maltego to identify useful 
information about the company. Other method is sending a legitim request by 
email to a coorporative email, and wait for reply...

On reply, you may found useful information.

Next, scan external services and possible ip addresses, sometimes there are 
useful information and information leakage over ip external addresses.

2. When the map is done, do an exhaustive service scan and identification over 
all ip addresses involved, specially on routers. And If you found exploits on 
there (routers), all the work is done. 

If no success:
3. With the previous information, make a dictionary, and try bruteforce 
attacks on sensitive services (VPN, Router logins, whatever)

4. Try to exploit founded vulns (all depends on updates and configuration of 
every service).

- On routers, many exploits involves download config, if you are lucky, you 
will found password there. Another option is create a VPN user or a route/nat 
entry.

- On Webserver (or similar), if the webserver are shared on the intranet, you 
may try to get access on there. Then, you may redirect your connections to the 
intranet with a VPN (like openvpn)

- On misconfigured proxies, a common mechanism are the "reverse proxy" method, 
remember that you need to know internal ip addresses notation or bruteforce 
it.

- On internet browsers combined with Social Engineering, you could try to 
identify and exploit internet navigator bugs to put your reverse connection 
code inside the network.

5. If no success, you may try to use social engineering to put a trojan inside 
the network, then, redirect your connections over the trojan. Outgoing traffic 
usually can be bypassed with systems like IODINE, or OpenVPN using 443 port... 

To avoid IDS/IPS detection, you could use different ip addresses and delay 
timing policies. 

And finally, this is a scheme to do that, but never the definitive guide to 
external pentesting. All depends on internal configuration, updates, managment 
policies, and others.



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits?
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for 
Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------