Run an Internal Pentest
This guide will help you understand how to configure and run an internal penetration test using NodeZero. It will walk you through the steps to set up the test, define the scope, customize the parameters, and analyze the results to improve your network’s security posture.
What is an Internal Pentest?
A NodeZero Internal Penetration Test is a simulated attack on your organization’s internal network designed to identify vulnerabilities that could be exploited by attackers within your own infrastructure. This test mimics the behavior of a malicious actor attempting to exploit weaknesses in your internal systems, applications, and devices. By performing this test, you can gain insights into potential security gaps before they are discovered and exploited by real-world threats.
Instructions
Follow these steps to run an internal pentest within your network.
1. Access NodeZero Portal
After setting up your NodeZero Host, log in to the NodeZero Portal and click the Pentests button. Select Pentests from the dropdown menu.
2. Select Internal Pentest
Choose the option to + Run Pentest.
Select Infrastructure Attack Test. Then, select Internal Pentest.
3. Configure internal pentest
3.1 Name the internal pentest
Assign a meaningful name to the Internal Pentest and select an appropriate pentest template.
Naming Conventions
Establish a consistent naming convention to easily identify pentests in your pentest list.
Example Naming Convention:
[date]|[location/network]|[NodeZero source]|[scope]
Example:
2021-09-01|East-Coast-Bizops|NodeZero|Full
This name indicates that the NodeZero host was placed in the East Coast BizOps network, and the scope covered the entire enterprise.
3.2 Select scope
The pentest scope defines the IPs and/or subnets where you want to run the pentest. A broader scope yields more comprehensive results. Unlike traditional vulnerability scanners, NodeZero assesses your environment holistically, using discovered data and context to identify and exploit vulnerabilities, misconfigurations, and poor cybersecurity practices.
Configure the following scope options:
- Intelligent scope: This feature utilizes the IP of the NodeZero host from which the test is deployed, enumerating and testing against the /16 subnet it belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets. The cycle repeats until no additional devices are detected. The scope of the test depends on the level of privilege and access NodeZero has, either captured during the test or granted to it.
Tip
Great for scenario-based testing - assess what an attacker can view and do from the perspective of your NodeZero host.
- Add full private IP space: Adds the following IP address ranges to the scope: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
  - Selecting this option allows NodeZero to enumerate your local network looking for any RFC 1918 address, which should not be publicly routable.
  - RFC 1918 is a standard published by the Internet Engineering Task Force (IETF) that defines private IP address spaces for use in internal networks. These IP addresses are not routable over the public internet, meaning they are used for local communication within private networks.
Tip
Ideal for comprehensive coverage - understanding what's in your infrastructure and prioritizing from an attacker's viewpoint.
- Auto-expand scope: If selected, NodeZero will automatically include any additional devices it can discover during the test. While NodeZero can be scoped to specific IP addresses, it's recommended to broaden the scope for better coverage. This approach helps identify potential vulnerabilities across a wider range of devices, improving the overall effectiveness of the test.
- Included scope: The Include section in an internal penetration test lets you specify the areas or systems within your network that you want to focus the test on. This is useful when you want to target particular assets, such as high-value servers or applications, for in-depth testing. By using the Include section, you ensure that only the designated parts of your infrastructure are tested, while other areas are not affected.
  Inclusions require Classless Inter-Domain Routing (CIDR) notation.
Tip
Example: If your environment uses 192.168.0.1 with a subnet mask of 255.255.255.0, add 192.168.0.0/24 to the Include section.
Example: For segmented environments, use comma-separated CIDR notation to cover multiple subnets:
192.168.0.0/16,172.16.10.0/24,10.0.0.0/8
  In more complex environments, set the scope to include as many subnets as possible. Consult your Network Administrator for a list of subnets in CIDR notation.
- Excluded scope: The Exclude section in an internal penetration test allows you to specify areas of your network or systems that should be excluded from testing. This feature is useful when you want to avoid testing sensitive systems, applications, or environments that should not be tested for security reasons, such as production environments or systems with critical data.
  Use this section to specify IPs or subnets that NodeZero should avoid scanning or exploiting. Excluded IPs may still appear in the Out of Scope list in the pentest results if they are discovered during the test. Exclusions require CIDR notation.
Once you're satisfied with the scope, proceed to the next step.
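As an added example (not part of NodeZero's documentation or tooling, and the function names are my own), this Python snippet shows the scope checks a practitioner would want before clicking Run Pentest: it converts a host IP plus subnet mask into the CIDR block the Include section expects, rejects entries with host bits set or outside RFC 1918, warns about exclusions that overlap nothing, and carves the Exclude list out of the Include list to show the effective scope. It only assumes the standard library.

```python
from ipaddress import ip_network, ip_interface

# The three RFC 1918 ranges that "Add full private IP space" puts in scope.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def mask_to_cidr(ip: str, mask: str) -> str:
    """Host IP plus dotted subnet mask -> the CIDR block to enter in the Include section."""
    return str(ip_interface(f"{ip}/{mask}").network)


def parse_cidr_list(text: str) -> list:
    """Parse a comma-separated CIDR list; strict=True rejects entries such as 192.168.0.1/24."""
    return [ip_network(item.strip(), strict=True) for item in text.split(",") if item.strip()]


def scope_problems(include: str, exclude: str) -> list:
    """Human-readable warnings about a proposed Include/Exclude configuration (hypothetical helper)."""
    try:
        inc, exc = parse_cidr_list(include), parse_cidr_list(exclude)
    except ValueError as err:
        return [f"invalid CIDR: {err}"]
    problems = [f"{n} is outside RFC 1918 private space"
                for n in inc if not any(n.subnet_of(r) for r in RFC1918)]
    problems += [f"exclusion {x} does not overlap any included block"
                 for x in exc if not any(x.overlaps(n) for n in inc)]
    return problems


def effective_scope(include: str, exclude: str) -> list:
    """Included blocks with every excluded block carved out, as sorted IPv4Network objects."""
    pieces = parse_cidr_list(include)
    for ex in parse_cidr_list(exclude):
        remaining = []
        for p in pieces:
            if p.subnet_of(ex):
                continue                                  # whole piece is excluded
            if ex.subnet_of(p):
                remaining.extend(p.address_exclude(ex))   # split the piece around the exclusion
            else:
                remaining.append(p)                       # no overlap, keep as is
        pieces = remaining
    return sorted(set(pieces))


if __name__ == "__main__":
    # Constructed sample values taken from the examples above, not real network data.
    print(mask_to_cidr("192.168.0.1", "255.255.255.0"))   # 192.168.0.0/24
    print(scope_problems("192.168.0.1/24", ""))
    print([str(n) for n in effective_scope("192.168.0.0/16,172.16.10.0/24,10.0.0.0/8", "192.168.10.0/24")])
```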
3.3 Amazon Web Service (AWS) Accounts
Optionally, add AWS accounts here. All cloud resources under these accounts will be treated as in scope.
3.4 Add open-source intelligence
Optionally add details such as domains, company names, weak password terms, or Git account information.
3.5 Tripwires (Optional)
Not required for Quickstart.
If your organization has purchased Tripwires, enable this option to allow NodeZero to deploy tokens in exploitable assets during the pentest. A maximum of 100 tripwires will be deployed per test.
3.6 Attack configuration
Choose the specific services and vulnerabilities that NodeZero should enumerate and exploit during the pentest.
3.7 Duration
Specify a minimum or maximum duration to provide more time for certain attacks to execute effectively.
3.8 Runner (Optional)
Not required for Quickstart.
Choose a NodeZero Runner to automatically deploy NodeZero on your Docker host.
3.9 Review config
Once you’ve finalized your pentest selections, confirm your review of all advanced configuration settings by checking the designated box.
Finally, click Run Pentest to initiate the internal pentest.
4. Deploy NodeZero
As the pentest provisions, a one-time-use curl script is prepared for deployment on your NodeZero host.
Deployment instructions:
- Copy the launch script
- Execute the script in the shell of your NodeZero host
The script will:
- Validate the Docker installation.
- Download the latest NodeZero Docker image.
- Initiate the pentest.
In the Portal:
- The pentest status will update from Ready to Running.
- An email notification will be sent by NodeZero once the internal pentest is completed.
5. Monitor in Real-Time
Click Real-Time View to track the progress of the pentest, watch identified vulnerabilities, and gain instant feedback on any issues that arise.
6. Review Test Results
After the pentest is complete, review the findings to identify vulnerabilities, misconfigurations, and potential attack vectors.
7. Take Action
Prioritize and address the vulnerabilities identified during the pentest. NodeZero provides recommendations and remediation steps to help you secure your environment.
Additional Options
Inject Credentials
Gain deeper insights by running the pentest from an authenticated perspective.
For a more comprehensive test, you can Inject Credentials to simulate an attacker with authenticated access. This gives you deeper insights into the potential impact of compromised credentials.
Congratulations, you've completed an internal pentest.
You've successfully completed the step-by-step guide to running an internal pentest with NodeZero. You're now ready to assess and improve the security of your network environments. Continue exploring NodeZero for further guidance and advanced features to stay ahead of potential threats.