The test analyzes the security of a network as well as probing different methods for exploitation of actives services, protocols, and devices such servers, routers, firewalls and others). The service is divided into two categories as well.

Internal Network Penetration Test (LAN)

A commonly overlooked aspect of the generic security concept is the internal organization within the company. The general belief is that the internal network (intranet) is not accessible from external assets and is therefore not likely to be prone to an attack. Contrary to that, the weakest link in almost every cyber defense is the organization’s employees. They dispose with access to internal assets and are trusted when it comes to security practices.

The main reason for this is that most attacks are expected to originate from the outside. However, latest researches show that internal means of attacks are rapidly increasing and steadily gaining more popularity.

We can test the security of the local network remotely or on-site (the latter being the more commonly preferred).

External Network Penetration Test (WAN)

Contrary to the internal, the external network penetration test simulates a black box attack against a company’s internet-facing infrastructure. For the purpose of the test, the penetration testers are only given a scope (typically this includes IP ranges, typologies and others). The test takes place remotely and does not require user interaction.

Both categories also include a web application penetration test for services running a web server. Network penetration tests represent a compact solution comprised of the following:

Target Identification

Host discovery
Fingerprinting vendor(s)

Outlining The Scope

Port scanning
Service identification
Service enumeration

Assessment

Rule-set review
Automated testing
Manual probing
Verification of identified issues

Exploitation

Testing for common vulnerabilities
Testing for logical flaws in organizational units
Usage of known exploits
Usage of custom scripts or modified public exploits
Leveraging identified vulnerabilities

A report is issued at the end of the penetration test in order to provide an easily comprehensible description of the findings as well as recommendations on how to mitigate the vulnerabilities.