Generally, the team will start with a connection to the internal network, a low-privileged user account, and a typical workstation provided by the client. Depending on the scenario, the team may also have the ability to use a dedicated suite of tools to more rapidly assess the internal network, and may be provided with a limited amount of privileged information, such as a network diagram.
The team will typically work through the following phases and, depending on progress, may repeat stages several times to obtain the best possible coverage in the time allowed:
- Reconnaissance – Understanding the internal network and prioritising targets.
- Scanning – Automated detection of potential vulnerable services.
- Privilege Escalation – Manual and automated attempts to evade and escape from any restrictions applied.
- Network Traversal – Manual and automated attempts to move to other systems, with a view to gaining more access and control over the network.
- Masquerading – Use of acquired or captured credentials to obtain unauthorised access to systems or information.
- Password Guessing – Attempt to gain privileged access through guessing of passwords for more privileged accounts.
- Password Cracking – Breaking of encrypted or hashed passwords, or retrieval from sources such as password vaults or password lists.
- File and Share Hunting – Seeking interesting files and shares that can provide additional information or access.
- Application Testing – Seeking and exploiting vulnerabilities in any applications or websites found on the internal network.
- Cleanup – Wherever possible, leaving minimal evidence of the engagement.
- Offline Analysis – Analysing any data obtained during the engagement to understand the potential impact of a compromise on the client.
- Reporting – Ensuring that the client gets a full understanding of the findings of the engagement, and recommended solutions to address any issues identified.