Pentesting Large Networks Tips and Tricks

Hi all, in this post I want to talk about what we can do when testing large networks in a penetration test. Let's start.

In my opinion, one pentester can test 150-200 IPs in one project; more IP addresses become unmanageable. When we must scan lots of IPs, we can use some automation (we must, I think 🙂). Let's start with methodology and tricks.

The ZMap Project

Firstly, we must find which IP addresses are alive and which are dead. We can identify them simply with ping (ICMP packets), but that does not work in every case: a firewall rule may block ICMP traffic, or the machine may be configured not to answer. We should still use this technique, but additionally we should probe some common ports to identify alive hosts. We should know which scanner is best for our purpose. For example, ZMap is the fastest for a single-port scan, but if you want a full port scan it is a little painful :), so use common ports in this scan, for example 21, 22, 80, 443, etc. After this scan, you should concatenate the outputs and grep them.

More information about scanners:

For example, you can create a port list for that and:

for a in $(cat ports.txt); do zmap -p "$a" IPBlock1/16 IPBlock2/24 IPBlock3/24 >> "$a.txt" & done; wait   # one output file per port

OR

for a in $(cat ports.txt); do zmap -p "$a" IPBlock1/16 IPBlock2/24 IPBlock3/24 >> output.txt & done; wait   # one file for all output
(Extra: you can use an Nmap ping scan for ICMP-enabled hosts)

We found alive hosts, NICE JOB! Now we want to scan all ports on these hosts, but this takes much more time. We MUST spend less time on scanning so that we can do more enumeration and vulnerability scanning. We use masscan for full port scanning of the found hosts; masscan scans faster than Nmap thanks to its parallelism. After that, we can run Nmap scans against those IPs and ports. Masscan Link
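The glue between the steps above (per-port ZMap files merged into one alive-host list, then masscan list output turned into per-host port lists for Nmap), as an added shell example that is not part of the original post. It assumes ZMap wrote one file per port ($port.txt, one IP per line) as in the loop above, and that masscan was run with -oL list output; the sample data is constructed, not real scan results.

```shell
#!/bin/sh
# merge_alive DIR -> unique IPs that answered on any scanned port.
# Assumes DIR holds the per-port ZMap files (22.txt, 80.txt, ...); non-IP lines are ignored.
merge_alive() {
    cat "$1"/*.txt | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# masscan_to_nmap_targets FILE -> one line per host: "<ip> <port,port,...>"
# Parses masscan -oL lines such as "open tcp 80 10.0.0.5 1600000000".
masscan_to_nmap_targets() {
    grep '^open tcp ' "$1" | awk '{print $4, $3}' | sort -k1,1 -k2,2n |
    awk '{ if ($1 != host) { if (host != "") print host, ports; host = $1; ports = $2 }
           else ports = ports "," $2 }
         END { if (host != "") print host, ports }'
}

# Demonstration on constructed data: builds the files the scans would have produced,
# then prints the Nmap commands that would follow (they are printed, not executed).
demo() {
    d=$(mktemp -d)
    printf '10.0.0.5\n10.0.0.9\n' > "$d/22.txt"          # constructed ZMap output for port 22
    printf '10.0.0.5\n10.0.0.7\n' > "$d/80.txt"          # constructed ZMap output for port 80
    printf '#masscan\nopen tcp 80 10.0.0.5 1600000000\nopen tcp 22 10.0.0.5 1600000001\nopen tcp 443 10.0.0.7 1600000002\n# end\n' > "$d/masscan.lst"
    echo "alive hosts:"
    merge_alive "$d"
    echo "nmap follow-up:"
    masscan_to_nmap_targets "$d/masscan.lst" | while read -r ip ports; do
        echo "nmap -sV -p $ports $ip"
    done
    rm -rf "$d"
}

demo
```

In a real run, replace the constructed files with the ZMap directory and the masscan -oL file, and pipe the generated Nmap commands into a job runner instead of echoing them.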

Now we have found the alive IP addresses and open ports quickly. We use this information for vulnerability scanning. Q: "Why did we do host and port discovery?" or "Can't vulnerability scanners do that?" A: Actually, scanners can do that process, but not effectively within a limited time. If we use the scanners' default settings for these phases, we can spend lots of time. Now that we have found addresses and ports, we must include this info in the scan options. This scan will finish earlier than the default.


We scanned for vulnerabilities. What is our next step? In this step we must define our main scope for manual testing; some IP addresses won't contain any important vulnerability, so separate from the main scope those machines on which no high or medium severity vulnerability was found. I recommend sorting hosts by severity from high to low.

Finally, we created our main scope for testing. Thus we can test this network more easily than with the default options. Try the found vulnerabilities despite the possibility of false positives, and you must verify the exploitability of each vulnerability. The other phases of the test are up to you and depend on your pen-testing knowledge. Happy testing and good luck with reporting. :)) Thank you for your time, I hope this post helped you.

Berk KIRAS | PwC – Cyber Security Specialist