Definition
In an infrastructure penetration test, the focus is on
- data server,
- web server,
- and file servers,
- network components,
- clients,
- and other IP-enabled components.
A pentester checks predefined network areas. The vulnerability and exploitability of individual systems is assessed using publicly available, commercial and self-developed frameworks and tools. Advanced methods such as “lateral movement” and “privilege escalation” are used, depending on the defined test depth.
The aim of the pentester is to move from compromised systems to other infrastructure elements, usually critical servers such as domain controllers. Ultimately, the aim is to determine the number of vulnerable and exploitable systems in order to establish how these can be exploited and what countermeasures should be taken.
Requirements
To ensure that a penetration test can be carried out smoothly and successfully, some organizational and technical preparations must be made.
Scope
With the introduction of the hacker paragraph (§202c StGB), an “ethical hacker” is obliged to define the test scope with the client in advance.
Intensity
Penetration tests can be designed differently and more or less invasively depending on the situation. DriveByte offers three intensities for penetration tests defined by the BSI.
Location
The test location must be defined for individual test objects or for the project in general. In most cases it is possible to check all test objects via the Internet during penetration tests by using a “jump host”, so the physical presence of a pentester is not necessary.
Conditions
Various test conditions can be defined for all or individual test objects. The test conditions can be defined by the customer and bindingly recorded in the template.
Timeline
A regulated and pre-defined test period is a prerequisite for the efficient execution of a penetration test. Depending on the customer's wishes and the availability of the service provider, the customer sets a binding test period in the template.
Responsibilities
For a successful penetration test, the client and contractor must define who is responsible for the project to be carried out. A project manager and a technical contact person must be defined on the client's side.
Procedure
DriveByte recognizes the Penetration Testing Execution Standard PTES as a reference framework for the execution of penetration tests. The PTES consists of seven main sections:
startPre-Engagement
searchIntelligence Gathering
crisis_alertThreat Modelling
bug_reportVulnerability Analysis
dangerousExploitation
dynamic_feedPost-Exploitation
summarizeReporting
Documentation
The vulnerabilities found are grouped according to criticality and affected test objects and documented in detail. DriveByte uses the widely used Common Vulnerability Scoring System CVSS 4.0 to assess the vulnerabilities found.
descriptionDescription of Scope
listList of Test Conditions
shortcutExecutive Summary
startProcedure Description
terminalVulnerability Listing
flagRecommended Countermeasures
Do you know how secure your IT systems are?
Identify security gaps in your IT infrastructure and avoid costly consequences. Arrange a free consultation now.
Frequently asked questions
We will answer the most important questions in advance so that you are well informed.
What does an infrastructure penetration test cost?
What are black, white and grey box penetration tests?
How long does an infrastructure penetration test take?
Will a penetration test affect business operations?
What are the prerequisites for a penetration test?
How does the penetration test differ from the vulnerability analysis?
What happens if a vulnerability is found?
Is a penetration test a one-off measure?
Is there a final report following the test?