Pen Test Scalability

24772433

Newbie

Posts: 34

Joined: Thu Oct 20, 2011 3:22 pm

Location: UK

Post Tue Jan 29, 2013 9:10 am

Pen Test Scalability

I understand every company, every network is not the same but how long would it take to pen test a company with 2000 PCs & 1000 servers? Naturally, the network is segmented into bite size chunks!

In terms of man hours, could one person conduct a pen test on a site this large and within a reasonable amount of time?  For sites this large, do pen test companies send in teams of testers?

I'd be interested to know what you all think.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jan 29, 2013 10:26 am

Re: Pen Test Scalability

Pentesting 3000 hosts in detail is way too much, even for a team.

Since time is money and the ultimate goal of a pentest is to make your organization more secure, you have to target specific hosts and go from there.

For example, take a few representative workstations, find the vulnerabilities, fix all 2000 workstations (if required), then try again to confirm things are better now. Also, scan for specific services (like port 80 and 443 for web servers) that shouldn't be open on workstations. You can also check network traffic for odd things and go from there.

For the servers, again go after the typical basic installation, start with the ones containing sensitive data or those exposed to the internet, etc. You want to make sure that the critical servers are secured first, then move to less critical ones. You will also find that if a server has a vulnerability, chances are that other servers have the same problem and training is required.

So I could go on and on about this, but there is no way you can spend, let's say, half a day on each host. Because after 1500 days of work (with only about 220 working days in the year, assuming you work alone), the first host you would have scanned 6 years ago would probably be vulnerable by now...  :D

So you have to be smart about it...
Last edited by caissyd on Tue Jan 29, 2013 10:53 am, edited 1 time in total.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Jan 29, 2013 1:45 pm

Re: Pen Test Scalability

I've done larger engagements in a week, and I've been with a partner for about the same size of engagement over a week as well. It really comes down to how much you want to spend to obtain reasonable assurance that your network is secure.

Three things to keep in mind: First, every system doesn't need to be tested. Your 2000 user workstations are likely nearly identical. You probably have a mix of fully-patched Windows XP and 7 systems running default services. That there just took a large number down to two. I would focus on systems that deviate from the norm. Did a developer install Tomcat and SQL Server and not bother to even change default credentials? Are there open shares? And so on. That type of information is easy to gather relatively quickly across a large number of systems. It would be a different matter if each system had something odd like that, but that would be quite a rare occurrence. That'll be true to a lesser extent on the server side as well. If you have 20 domain controllers scattered across all your sites, there probably isn't much value in testing each one if they're configured the same. However, the one that's also running a web server or is a couple service packs behind may be interesting...

Sure, one system could have a local admin using admin/admin credentials, but unless you find something like null session enumeration available, to even determine what local accounts are present, you can spend an infinite amount of time testing what-if scenarios like that. Activities like that are better left to internal audits anyway. Use PowerShell to obtain and compare local accounts across your systems and address any abnormalities. Done. There's no value in paying someone to sit and watch Hydra run at random.

Second, it's not a pen tester's job to enumerate every vulnerability on every system. I can usually get a feel for how the engagement is going to go in the first day or two (if not immediately in some unfortunate cases). If I review 10% of your assets and notice rampant patching problems, default credentials, etc., those issues likely extend to the rest of your assets as well. It's easy enough to stop there and say, "Hey, you have serious deficiencies in x, y, and z. Address those and we'll try this again when you're in a better place." It's an iterative process and things are always changing. The important thing is to determine procedural deficiencies and correct them so they don't continue to plague an organization.

Finally, be prepared for the engagement whenever you do it. There is absolutely no reason I should still be finding MS08-067 or unknown NT4 systems. Correct low-hanging fruit, such as ARP and NBNS spoofing attacks, in advance. The better position you're in, the more value you'll get. If you don't currently do vulnerability management, at least pick up a copy of Nessus and do some scanning and remediation yourself. Similarly, be sure to vet prospective vendors and be confident you're hiring someone qualified, or you may get nothing more than a repackaged Nessus scan.
The day you stop learning is the day you start becoming obsolete.
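Both caissyd (sample a few representative workstations, fix the fleet, retest) and dynamik (use PowerShell to compare local accounts across systems and chase the deviations) describe the same internal-audit approach: collect one small fact from every host, then look at what differs from the standard build. The script below is an added example of that approach written for this thread; it is not dynamik's code or anything from the forum. It assumes PowerShell 5.1 or later on the targets (for Get-LocalUser), WinRM enabled, administrative rights on the hosts, and a host list and account baseline that you replace with your own (the names in the script are placeholders).

```powershell
# Added example (not from the thread): gather local accounts from a list of
# Windows hosts over WinRM and flag deviations from an expected baseline.
# Assumptions: PowerShell 5.1+ on the targets (Get-LocalUser), WinRM enabled,
# and the caller holds admin rights on those hosts. Host names are placeholders.

$Hosts = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')   # replace with your inventory

# Local accounts expected on a standard workstation build (assumed baseline;
# adjust to match your own image).
$Baseline = @('Administrator', 'DefaultAccount', 'Guest', 'WDAGUtilityAccount')

# One remote round-trip per host. Failures are recorded instead of aborting the
# sweep, so a single unreachable host does not hide results from the rest.
$Results = Invoke-Command -ComputerName $Hosts -ErrorAction SilentlyContinue `
    -ErrorVariable RemoteErrors -ScriptBlock {
        Get-LocalUser | Select-Object Name, Enabled, PasswordRequired, PasswordLastSet
    }

foreach ($e in $RemoteErrors) {
    Write-Warning "Could not query $($e.TargetObject): $($e.Exception.Message)"
}

# Flag anything that deviates from the baseline: unexpected account names,
# built-in accounts that should normally be disabled, and accounts that do not
# require a password at all.
$Findings = foreach ($acct in $Results) {
    $reasons = @()
    if ($acct.Name -notin $Baseline) { $reasons += 'not in baseline' }
    if (($acct.Name -in 'Administrator', 'Guest') -and $acct.Enabled) {
        $reasons += 'built-in account enabled'
    }
    if (-not $acct.PasswordRequired) { $reasons += 'no password required' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Host    = $acct.PSComputerName   # added by Invoke-Command to each result
            Account = $acct.Name
            Enabled = $acct.Enabled
            Reason  = ($reasons -join '; ')
        }
    }
}

# Show which non-baseline account names recur across hosts. An account that
# turns up on many machines usually points at the imaging or build process
# (a procedural deficiency) rather than a one-off on a single box.
$Recurring = $Results |
    Where-Object { $_.Name -notin $Baseline } |
    Group-Object Name | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count

$Findings  | Sort-Object Host, Account | Format-Table -AutoSize
$Recurring | Format-Table -AutoSize
```

The same two-stage shape (collect one attribute from every host, then group and diff) carries over to other per-host facts from the thread, such as listening services that should not be on a workstation or patch level on domain controllers that are supposed to be identical; the Recurring table is the part that turns 2000 individual results into the handful of build-level fixes caissyd and dynamik are talking about.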
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun Feb 03, 2013 7:38 pm

Re: Pen Test Scalability

Doing a vulnerability assessment for e.g. 500 live hosts, where the total number of hosts to be checked for being alive or not is 2000, would take approximately a week to go through, depending on whether they have been scanned / tested before. That's a vulnerability assessment though, not a penetration test.
I'm an InterN0T'er
