Skip to content

Run an Internal Pentest

NodeZero can assess all of your environments, from the attack surface of your hybrid cloud to your on-premise network infrastructure, helping you continuously find and fix your internal and external attack vectors before criminals exploit them. Follow these steps to run a pentest within your network.

How to Run an Internal Pentest

1. Navigate to Pentests to Run an Internal Pentest

Once you've established a NodeZero Host that meets to requirements, navigate to Pentests to start a pentest.

Screenshot

2. Click + Run a Pentest

Click + Run Pentest to open Test Categories screen, and select "Insider Threat Testing" from the "Operational Scenario Testing" category.

Screenshot Screenshot

3. Configure the Internal Pentest

3.1 Name the Internal Pentest

Name the Internal Pentest and select a pentest template.

Pro-tip: Naming scheme

Determine and follow a naming convention to allow you to quickly find a pentest from your pentest list.

An example: [date]|[library]|[NodeZero Src]|[scope]

2021-09-01|NodeZero|East-Coast-Bizops|Full: This indicates that the NodeZero host was placed in the East Coast Bizops network and the scope was the entire enterprise.

Screenshot

3.2 Select a Scope

The pentest scope is a set of IPs and/or subnets (in CIDR notation) that you want NodeZero to test.

Depending on where your NodeZero host is deployed, reachability to the provided scope can be affected by how much privilege, access, and authentication NodeZero can capture or is given.

Unlike vulnerability tools that scan for device fingerprints and services, NodeZero enumerates devices in scope and then chains together context, exploitable vulnerabilities, misconfiguration, insecure or weak controls, and any data or loot that it captures, to identify attack paths by priority of impact while providing proof. Typically, the larger the scope, the more findings you'll see, as NodeZero has much more to chain together.

There are three options for the Include section (defined below):

  • Intelligent Scope
  • Full RFC 1918 (192.168.0.0/16, 172.16.10.0/24, 10.0.0.0/8)
  • Custom IP(s) or Subnet(s)
    • Auto-expand (Optional)

If you are running NodeZero in a more complex environment, we recommend setting the scope to cover as many subnets as possible. Be sure to ask your Network Administrator for a list of CIDR annotated subnets.

The Exclude section stops NodeZero from scanning or exploiting a set of IPs or subnets. The IPs within this section may be discovered by NodeZero via various techniques within the pentest, but NodeZero will not touch them. They may show up in the Out of Scope list within the pentest results. Note that this parameter also requires CIDR notation.

Additional CIDR notation reference and calculator app:

Intelligent Scope - Uses the IP of the NodeZero Host you are deploying the test from and enumerates then tests against the /16 subnet it's a part of. NodeZero then moves into /23 subnets to continue identifying other potential assets in its vicinity, then repeats the cycle until it can't see additional devices. The blast radius varies depending on the level of privilege and access NodeZero captures or is given.

Pro-tip: Intelligent Scope

Great for scenario testing - what can an attacker see and do from the position of my NodeZero host?

Full RFC 1918 (192.168.0.0/16, 172.16.10.0/24, 10.0.0.0/8) - The most thorough approach as it explicitly instructs NodeZero to attempt to enumerate and test every IP in the private IP range.

Pro-tip: Full RFC 1918

Great for ensuring complete coverage - what exists in my infrastructure today and what are its priorities from an attacker's perspective?

Custom IP(s) or Subnet(s) - Provide any IP(s) or subnet(s) in CIDR notation for NodeZero to test from its position. The option to auto-expand allows NodeZero to include in its test any additional devices that it's able to enumerate While NodeZero can be scoped to singular IPs, it's recommended to cast wider nets to maximize coverage and identify potential vulnerabilities across the network more effectively.

Pro-tip: Custom IP(s) or Subnet(s)

Great for testing small scopes and validating controls - what could an attacker chain together in the scope of focus and, if auto-expand is turned on, how could they pivot out to other segments?

Screenshot

When satisfied with your scope, scroll down.

3.3 AWS Accounts

Optionally add AWS accounts here. All cloud resources under these accounts will be treated as in scope.

Screenshot

3.4 Add Open-Source Intelligence

Optionally add Domains, Company Names, Weak Password Terms, or Git accounts

Screenshot

3.5 Tripwires

If your organization has purchased Tripwires, use this option to allow NodeZero permission to drop tokens in exploitable assets during the pentest. No more than 100 tripwires will be deployed per test.

Screenshot

3.6 Advanced Configuration Options

Select the types of services and vulnerabilities NodeZero will attempt to enumerate and exploit.

Screenshot

3.7 Duration

Add a minimum or maximum amount of time to allow some attacks to have more time

Screenshot

3.8 Runner

Use a NodeZero Runner to automatically deploy NodeZero on your Docker host.

Screenshot

3.9 Review the Internal Pentest Configuration

Once satisfied with your pentest selections, check the box to indicate you've reviewed all advanced configuration settings. Then click Run Pentest, which launches the internal pentest.

Screenshot

4. Deploy NodeZero

While the pentest is provisioning, its companion one-time-use software module, NodeZero, is made ready for deployment on your NodeZero Host.

Screenshot

Copy the Launch Script and paste it into the shell of your NodeZero Host.

This script will validate the Docker installation, download the most up-to-date NodeZero Docker image, and begin the pentest. In the Portal, you will see the status of the pentest transition from Ready to Running.

Click Go to Real-Time View to open the Real-Time view, from where you can Inject Credentials and monitor pentest progress, or click Copy Script and Close to copy the script and return to the Pentest Page.

Screenshot

You've started an Internal Pentest

NodeZero sends an email once the Internal Pentest completes.

Tip

NodeZero can also run pentests from an authenticated perspective. Go to the Real-Time View and Inject Credentials to see the impact an attacker would have by leveraging compromised credentials!