Once on site we will hold a pre-test meeting to re-confirm the scope of the work, so that everything runs smoothly and no out-of-scope systems are tested.
Testing will start from a single connection to the network, with no prior knowledge of the network layout and no authentication credentials for any device, unless otherwise specified or provided.
The target ranges, either supplied or enumerated earlier in the test, will be scanned using a number of automated tools in order to identify potential targets of interest, including what software they are running and what services are exposed. Following this, a more thorough automated vulnerability assessment will be performed against all systems as time permits. If any hosts have been explicitly provided as key targets of interest, they will be tested first.
While the automated scans are running, manual testing will be performed against the identified hosts, again starting with those explicitly provided. If vulnerabilities enabling access to a host are found, they may be exploited, within the agreed scope, in order to gain access and conduct further tests against that host or other related hosts. Unless explicitly scoped otherwise, the initial focus of testing will be to identify the most critical targets as an attacker would see them.
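The discovery and prioritisation step above is easy to get wrong by hand on a large range, so here is an added example (not the consultancy's own tooling and not part of the original page) of turning a scan export into an ordered target list. It assumes the scan was saved as Nmap XML (the -oX output format) and that the client supplied a list of key targets by address or hostname; the XML embedded below is constructed for the example and is not a real scan result. Hosts that are down and ports that are not open are dropped, key targets are placed first in the order the client gave them, and the remaining hosts are ordered by how many services they expose.

```python
"""Triage of a network discovery scan into an ordered target list.

Added example, not the consultancy's own tooling. Assumes Nmap XML
(-oX) input and a client-supplied list of key targets.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample shaped like Nmap's -oX output; only the elements
# this parser reads are present. Not a real scan result.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Windows Server 2008 R2 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/>
        <service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# (port, protocol, service name, product, version)
Service = Tuple[int, str, Optional[str], Optional[str], Optional[str]]


@dataclass
class Host:
    addr: str
    hostname: Optional[str]
    services: List[Service] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Return the live hosts in an Nmap XML document with their open ports."""
    root = ET.fromstring(xml_text)
    hosts: List[Host] = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down / filtered hosts are not targets
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        hn = h.find("hostnames/hostname")
        host = Host(addr_el.get("addr"), hn.get("name") if hn is not None else None)
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # closed/filtered ports carry no attack surface here
            svc = p.find("service")
            host.services.append((
                int(p.get("portid")),
                p.get("protocol"),
                svc.get("name") if svc is not None else None,
                svc.get("product") if svc is not None else None,
                svc.get("version") if svc is not None else None,
            ))
        hosts.append(host)
    return hosts


def prioritise(hosts: List[Host], key_targets: List[str]) -> List[Host]:
    """Key targets first, in the client's order; then others by exposed service count."""
    key = [t.lower() for t in key_targets]

    def rank(h: Host):
        names = [h.addr.lower()] + ([h.hostname.lower()] if h.hostname else [])
        for i, t in enumerate(key):
            if t in names:
                return (0, i, 0)
        return (1, 0, -len(h.services))

    return sorted(hosts, key=rank)


if __name__ == "__main__":
    for host in prioritise(parse_nmap_xml(SAMPLE_SCAN_XML), ["fs01.corp.example"]):
        print(host.addr, host.hostname, [s[:3] for s in host.services])
```

The ranking is deliberately simple; in practice the "others" tier would be weighted by the vulnerability assessment results as they arrive, but keeping the client's key targets at the top regardless is the point.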
The methods used for each test will be different depending on the organisation, the network and the environment. From our experience, the issues identified during an internal test can usually be broken down into three categories:
Patching: missing patches are a major issue, and individual hosts and applications are often simply overlooked.
Passwords: often weak and easily guessable, and sometimes trivially silly.
Build standards and internal policies: often weak or not enforced.