
Conducting large-scale professional pentesting

Jan 11, 2023

Working as a professional pentester, I have come across several types of agreements and contracts for testing. Black, gray, or white box: whatever the type, the experience brings us a lot of elements for a new project.

That holds whether it comes from the knowledge acquired with the PMBOK vision of project management, from which I remember a lot of lessons learned in each project I participated in, or from techniques pinched from agile management.

One of these projects I participated in was a great challenge. The client requested a list of CIDRs as a scope. The first was a */22: approximately 1022 addresses on which to perform the steps of a penetration test.

And now?

A great despair took over the team, but as challenges make us better, the team soon calmed down and waited for news about the project.

The team proceeded normally, as it did in all smaller projects (1 URL and some IPs).

Faced with such a challenge, I went looking for methods and tools to initially carry out black box tests on large infrastructure. I confess that I had not previously worked with a scope of this size. Therefore, I will highlight the elements that we used in the setup of the environments.

Infrastructure

Notebooks — The same ones already used by the team;
Cloud Instances — Some Linux instances in the cloud from different providers (AWS, Azure, GCP) were highlighted;

Connectivity

Rotating Proxies — This service was acquired so that there could be an exchange of IPs so as not to interrupt activities and/or alleviate border firewall blocks;
Proxychains — Software to configure paid proxies and possibly others if found;

For an initial setup I was happy, but how would we use all this arsenal?

I went back to research and found a great tool to use.


Axiom had the skills we needed; its functionality for working in multi-cloud environments, especially, was a great help. With it, we were initially able to perform scans with nmap throughout the environment.

I hope I can help you by sharing the endeavor. Please remember to like and follow to keep up with the rest of the articles.
