Skip to content

Network Pentest or... not?

What Network Pentest usually refers to...

Oftentimes when I think of the term network pentest, the thing that comes to my mind would be an OSCP AD environment, eCPPT or even eCPTX kind of pentest where it is usually a vulnerable HTTP application, misconfigured FTP service, running some exploit to get a shell and then lateral move from there.

A simple google search also seems to suggest that what is described above is considered as Network Pentest - 1, 2

OSI layer

Below is a picture of OSI layer. Pasted image 20220601183712.png As we can see from above things we mention like FTP, HTTP and the services involved all involves the Application Layer rather than the Network Layer and the nature of the exploit as mentioned above seems to be targeting the Application and rather than the Network equipments.

Network Layer (Layer 3) Pentest

Which of these are considered Layer 3 Pentest?

As can be referenced from the links below, we can see that there are instances where an attack on router a Layer 3 device. 3,4,5 The attacks in the scenarios within the post is However could Layer 3 Pentest also mean these too? 6,7,8

From the above posts, we can see that the despite the similarity in framework(MITRE), and even though the device attacked is the same, the skillsets required to conduct both types of pentest are different. One is the exploitation of software while the other is the exploitation of the protocol used to communicate. Thus the former would require an extensive knowledge of software exploitations while the other would require an extensive knowledge of routing protocols as well as inter-device communication protocols.

Granular and Precise Term

Therefore I think a more precise term of Pentest should be coined rather than Network Pentest as the network based on the OSI model can include the Application Layer, the Transport Layer, the Network Layer, Data Link Layer and even the Physical Layer.

Afterthought

It is likely during the scoping phase of a pentest that the the extent of a network pentest is discussed however, from scouring the web pages of services provided looking at trainings provided, Network Pentest seems to suggest pentest of Layer 5 Services and Layer 4 and Layer 3 Protocols seems to not be mentioned alot...

After all this is also a pentest but the scope of this test is way bigger. Just thought that perhaps, we can give a more granular and precise name to the kind of network pentest conducted like how we differentiated Web Application Pentest from Cloud Pentest due to the niche skillsets involved in conducting the pentest...