Deployment Options

The launch point of your NodeZero Host may change based on what you want to learn from the pentest. The following are a few options you may find helpful in making this decision.

NodeZero deployment options:

| | Custom Scope | Custom Scope | Custom Scope | Intelligent Scope | RFC 1918 | OSINT |
|---|---|---|---|---|---|---|
| NodeZero Placement | 1. Inside the Scope | 2. Outside the Scope | 3. Outside @ Endpoints (i.e., /32s) | 4. Attack Starting Point | 5. Full Private Scope | 6. Note: CloudZero launches externally |
| Intent | I want to limit the scope and see what an attacker could exploit from inside that defined range | I want to limit the scope to see if an attacker can access hosts and data | I want to look at specific endpoints to check for host vulnerabilities and misconfigurations | I want to see what an attacker can discover and access from a specific starting point | I want to search every nook and cranny of private IP space accessible in my environment | I want to see what publicly available data makes our business vulnerable to an attacker |
| Will enumerate and exploit | ✓ in-scope hosts, services, domain, web, credentials, & data resources; ✓ ProTip: ensure a DC is "in scope" | ✓ in-scope hosts, services, web, credentials (except MITM and PTH attacks) and cloud assets | ✓ specified hosts, ports, services, web and certs, exploitable vulnerabilities | ✓ discovered hosts, services, domain, web, credentials & data resources | ✓ discovered hosts, services, domain, web, credentials & data resources | ✓ publicly available user names, subdomains (from TLDs), and web-facing attack surface |
| Won't execute | ✕ on anything outside the prescribed scope | ✕ man-in-the-middle attacks | ✕ on infrastructure nor chained vulnerabilities and misconfigurations that could lead to compromise | ✕ on inaccessible hosts, services, domain, web, credentials | ✕ on inaccessible hosts, services, domain, web, credentials | ✕ on internal assets; * NOTE: when combined with an internal op w/ access to a DC, will verify user/password access |
| Use cases | internal pentest; SOC SLAs; verify policies; verify EDR/SIEM | internal pentest; verify segmentation; verify access to a sensitive VLAN; third party security assessment | test EDR; assess endpoint vulnerabilities | internal pentest; verify segmentation; verify policies; verify EDR/SIEM; test blast radius; test zerotrust | internal pentest; environmental and asset discovery; assess hybrid env; verify policies; verify EDR/SIEM | public-facing reconnaissance; company recon; user recon; subdomain recon; * cred stuffing |

1. Inside Custom Scope

If you want to limit the scope and see what an attacker could exploit from inside a defined range, place the NodeZero host within the scope you want to test. When you configure the scope for your pentest, ensure the NodeZero Host is within one of the specified CIDR range(s) for the test.

Corporate Environment map shows the location of NodeZero within the Op Scope.

Ensure a Domain Controller is in scope as well; NodeZero will attempt to exploit any vulnerabilities or misconfigurations on this host, as well as verify weak domain defaults and credentials.

This is your high-speed assessment, enabling a lean Find-Fix-Verify loop to initiate an agile security posture.

Infographic showing the use cases of limited scope test.

Use cases include the following interconnected items (from left to right):

  • scrutinize security ops center SLAs
  • periodic internal pentest
  • validate regulatory requirements
  • prove industry audit and accreditation
  • verify policy implementation
  • test endpoint detection
  • check SIEM logging and alerts

2. Outside Custom Scope

If you want an “outside-in” perspective to see whether an attacker could access critical data and assets inside a specific scope, place the NodeZero Host outside the scope you want to test. When you configure the scope for your pentest, ensure the NodeZero Host is NOT within the specified CIDR range(s) for the test.

Corporate Environment map shows the location of NodeZero outside the Op Scope.

When NodeZero is not in the same IP range as the scope, it will not execute man-in-the-middle and pass-the-hash attacks.

This is your unrestricted assessment, providing true insight into what is accessible, valuable, and vulnerable from any starting point.

Infographic showing the use cases of outside-in scope test.

Use cases include the following interconnected items (from left to right):

  • assess third party security rules and tools
  • periodic internal pentest
  • test cardholder data environment (CDE) accessibility
  • prove PCI DSS scoping and segmentation
  • verify access to sensitive data
  • check EDR & SIEM logging and alerts

3. Endpoints Only Scope

If you want to quickly verify if the vulnerability you just remediated had the effect you desired, select a single host or range of hosts by /32s. When you configure the scope for your pentest, ensure the NodeZero host has access to the specific host identified by the /32 CIDR range(s) for the test but is NOT within the specified CIDR range(s) for the test.

Environment map shows the location of NodeZero with access to hosts but outside of CIDR range.

When NodeZero is not in the same IP range as the scope, it will not execute man-in-the-middle and pass-the-hash attacks. Further, with this restricted scope, NodeZero will chain neither weaknesses nor paths, as you have limited the scope to a specific endpoint for this assessment.

This is your restricted assessment: a quick-turnaround op to verify that your fix action was implemented and that the vulnerability now presents less severity to your attack surface.

Infographic showing the use cases of endpoints only scope test.

Use cases include the following interconnected items (from left to right):

  • verify a vulnerability was remediated
  • single host assessment (out of context)
  • test telemetry of an online asset
  • check EDR & SIEM logging and alerts

4. Intelligent Scope

If you want to see what a non-credentialed attacker could enumerate and exploit from a specific starting point in your network (a true “black box” pentest), use Intelligent Scope. In the Scope section of your Op configuration, select the "Intelligent Scope" option and leave the “Include” box blank. As its initial scope, NodeZero starts with the /16 subnet of the IP of the host it was deployed on, then expands organically through the infrastructure during the pentest as more hosts and subnets are discovered or become visible, similar to how an attacker would. The more that is exploitable, the more visibility is achieved and the more NodeZero will test against, demonstrating how an attacker could crawl through the environment by chaining together TTPs and findings from exploiting vulnerabilities, weaknesses, and misconfigurations.

Environment map shows the location of NodeZero with an expanded scope of the network.

This is your proactive assessment, providing true insight into what is accessible, valuable, and vulnerable from any starting point.

Infographic showing the use cases of intelligent scope test.

Use cases include the following interconnected items (from left to right):

  • online asset and service discovery
  • visualize attack core and surface paths
  • determine ransomware's blast radius
  • verify network access controls and segmentation
  • test your zerotrust implementation
  • check EDR & SIEM logging and alerts
  • periodic internal pentests
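
A pre-flight check for the placement rules in options 1 to 4 above, as an added example that is not part of NodeZero or its documentation: given the NodeZero host IP and the scope's Include list, it reports which option the configuration matches, whether the page's man-in-the-middle/pass-the-hash and chaining restrictions apply, and the initial /16 for Intelligent Scope. The function name, field names and addresses are assumptions made for illustration, and IPv4 is assumed.

```python
import ipaddress

def classify_placement(host_ip, include_cidrs):
    """Classify a planned op against placement options 1-4 on this page.

    host_ip: IPv4 address of the NodeZero host (constructed sample input).
    include_cidrs: the scope's Include list; empty means Intelligent Scope.
    Function and field names are hypothetical, chosen for this example.
    """
    host = ipaddress.IPv4Address(host_ip)
    nets = [ipaddress.IPv4Network(c, strict=False) for c in include_cidrs]

    if not nets:
        # Option 4: Include left blank, so the initial scope is the /16
        # that contains the host IP.
        start = ipaddress.IPv4Network(f"{host}/16", strict=False)
        return {"option": 4, "initial_scope": [str(start)],
                "host_in_scope": True, "skips_mitm_pth": False,
                "no_chaining": False}

    host_in_scope = any(host in n for n in nets)
    # Endpoints-only: every entry is a single host (/32).
    endpoints_only = all(n.prefixlen == 32 for n in nets)

    if host_in_scope:
        option = 1
    elif endpoints_only:
        option = 3
    else:
        option = 2

    return {
        "option": option,
        "initial_scope": [str(n) for n in nets],
        "host_in_scope": host_in_scope,
        # Page rule: a host outside the scope's IP range does not run
        # man-in-the-middle or pass-the-hash attacks.
        "skips_mitm_pth": not host_in_scope,
        # Page rule: the /32 endpoints-only scope chains neither
        # weaknesses nor paths.
        "no_chaining": option == 3,
    }

if __name__ == "__main__":
    # Constructed addresses for illustration only.
    for ip, scope in [("10.0.5.10", ["10.0.5.0/24"]),
                      ("10.0.9.10", ["10.0.5.0/24"]),
                      ("10.0.9.10", ["10.0.5.7/32", "10.0.5.8"]),
                      ("10.20.30.40", [])]:
        print(ip, scope, classify_placement(ip, scope))
```

Running it before launching an op catches the common mismatch where the host was meant to be inside the scope but its IP falls outside every Include range, which silently drops man-in-the-middle and pass-the-hash coverage.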

5. All Private IP Scope (i.e., RFC 1918)

Use RFC 1918 to run a private scope pentest, enumerating everything accessible quickly and safely.

When you configure the scope for your pentest, check “Use RFC 1918” and NodeZero will take care of the rest. If there are IP addresses or ranges you do not want to be assessed, add them to the "Exclude" box when configuring the scope for this pentest.

Environment map shows the location of NodeZero with a private scope pentest of the network.

This op may take a bit longer as NodeZero enumerates any IPs and DNS names it can access, including edge routers; if yours are misconfigured to route private IPs, NodeZero may attempt to enumerate those external private IPs.

If you want to see EVERYTHING, put NodeZero in an unrestricted ACL so it can discover every nook and cranny online in your environment.

This is your unrestricted and holistic enterprise assessment, and it should be run regularly.

Infographic showing the use cases of RFC 1918 test.

Use cases include the following interconnected items (from left to right):

  • shadow IT discovery
  • assess hybrid environments
  • improve SOC accountability
  • evaluate multi-environment credentialed connections
  • surface sensitive data accessibility
  • test and tune EDR and SIEM logging and alerts

6. OSINT Focused

Available with any of the pentest types is our Open-Source Intelligence (OSINT) assessment, where NodeZero will gather publicly available information to use as part of the pentest. The second step of configuring your pentest offers you the ability to take a true external perspective; your company name will be auto-filled for you, and you can provide TLDs and weak password terms you’d like NodeZero to test with any discovered information.

Environment map shows the location of NodeZero outside the network during an OSINT focused pentest.

NodeZero’s OSINT gathering operates outside your environment, so NodeZero placement isn’t as critical. However, when combined with an internal pentest with a domain controller in scope, NodeZero will verify domain users and passwords against those found publicly, giving you further insight into your attack surface risk.

This is your external reconnaissance capability to see what attackers see and use to start their campaigns and establish a foothold in your environment.

Infographic showing the use cases of OSINT focused test.

Use cases include the following interconnected items (from left to right):

  • conduct public-facing reconnaissance
  • research company and user profile
  • assess potential for employee credential stuffing
  • verify subdomain footprint and use
  • identify web-facing attack surface
  • discover cloud stored data available to public

Use this table as a reference for all your pentest operations!

| | Custom Scope | Custom Scope | Custom Scope | Intelligent Scope | RFC 1918 | OSINT |
|---|---|---|---|---|---|---|
| NodeZero Placement | Inside the Scope | Outside the Scope | Outside @ Endpoints (i.e., /32s) | Attack Starting Point | Full Private Scope | Note: CloudZero launches externally |
| Intent | I want to limit the scope and see what an attacker could exploit from inside that defined range | I want to limit the scope to see if an attacker can access hosts and data | I want to look at specific endpoints to check for host vulnerabilities and misconfigurations | I want to see what an attacker can discover and access from a specific starting point | I want to search every nook and cranny of private IP space accessible in my environment | I want to see what publicly available data makes our business vulnerable to an attacker |
| Will enumerate and exploit | ✓ in-scope hosts, services, domain, web, credentials, & data resources; ✓ ProTip: ensure a DC is "in scope" | ✓ in-scope hosts, services, web, credentials (except MITM and PTH attacks) and cloud assets | ✓ specified hosts, ports, services, web and certs, exploitable vulnerabilities | ✓ discovered hosts, services, domain, web, credentials & data resources | ✓ discovered hosts, services, domain, web, credentials & data resources | ✓ publicly available user names, subdomains (from TLDs), and web-facing attack surface |
| Won't execute | ✕ on anything outside the prescribed scope | ✕ man-in-the-middle attacks | ✕ on infrastructure nor chained vulnerabilities and misconfigurations that could lead to compromise | ✕ on inaccessible hosts, services, domain, web, credentials | ✕ on inaccessible hosts, services, domain, web, credentials | ✕ on internal assets; * NOTE: when combined with an internal op w/ access to a DC, will verify user/password access |
| Use cases | internal pentest; SOC SLAs; verify policies; verify EDR/SIEM | internal pentest; verify segmentation; verify access to a sensitive VLAN; third party security assessment | test EDR; assess endpoint vulnerabilities | internal pentest; verify segmentation; verify policies; verify EDR/SIEM; test blast radius; test zerotrust | internal pentest; environmental and asset discovery; assess hybrid env; verify policies; verify EDR/SIEM | public-facing reconnaissance; company recon; user recon; subdomain recon; * cred stuffing |