Articles

Infra Security: Assessment vs. Pentesting Deep Dive

March 24, 2026 5 min read

An infrastructure security assessment doesn’t just find vulnerabilities; it reveals the inherent brittleness of your security posture under realistic attack conditions.

Let’s walk through a typical assessment, focusing on the process and what we’re actually looking for.

Phase 1: Reconnaissance and Planning

Before touching any systems, we gather intel. This is passive, like a spy watching from afar. We’re looking for publicly exposed information: domain names, IP ranges, employee names, technologies used (often revealed in job postings or public code repositories), and any known vulnerabilities associated with those technologies.

Example: A quick whois lookup on example.com might reveal the registrar, registration dates, and nameservers. A dig NS example.com confirms those nameservers. If a nameserver is misconfigured or vulnerable, that’s an immediate entry point.

The planning phase is where we define the scope, objectives, and rules of engagement. Are we testing external defenses only? Internal systems? What are the allowed times? What systems are off-limits? This prevents accidental damage and ensures the assessment stays focused.

Phase 2: Scanning and Enumeration

This is where the active probing begins. We use tools to identify live hosts, open ports, and running services.

Tool: nmap Command: nmap -sV -p- -T4 --open 192.168.1.0/24 -oA scan_results

  • -sV: Service version detection. Crucial for finding outdated or vulnerable software.
  • -p-: Scan all 65535 ports. Thorough, but can be slow.
  • -T4: Aggressive timing. Faster, but can be detected.
  • --open: Only show ports that are open.
  • -oA scan_results: Output results in all major formats (normal, XML, grepable).

Example Finding: nmap might report an open port 8080 on 192.168.1.150 running "Apache Tomcat/9.0.30". A quick search reveals CVE-2020-1938 (Ghostcat) affects this version, allowing remote file inclusion.

We also enumerate users, shares, and network configurations. For Windows environments, this might involve tools like enum4linux or querying Active Directory. For Linux, it’s checking /etc/passwd, /etc/shadow (if we have root), and shared NFS mounts.

Phase 3: Vulnerability Analysis

Once we have a map of the landscape, we look for weaknesses. This involves:

  1. Automated Scanning: Tools like Nessus, OpenVAS, or Nikto scan for known vulnerabilities based on service banners, configurations, and patch levels.
  2. Manual Verification: Automated tools have false positives and negatives. We manually test interesting findings. If Nikto reports a potential SQL injection on /login.php, we’ll try injecting payloads like ' OR '1'='1 to confirm.
  3. Exploitation (Controlled): This is the "proof of concept" phase. We attempt to exploit identified vulnerabilities to demonstrate impact. This is done with extreme care, often on isolated test environments, or with explicit permission on production systems during defined windows.

Example Exploit: For the Tomcat Ghostcat vulnerability (CVE-2020-1938), we’d use a publicly available exploit script. A successful exploit might allow us to read /etc/passwd or even upload a malicious JSP file to gain remote code execution.

Phase 4: Post-Exploitation and Lateral Movement

If we gain initial access, the assessment doesn’t stop. We explore what else we can reach.

  • Privilege Escalation: If we’re a low-privileged user, can we become an administrator? This might involve exploiting kernel vulnerabilities (e.g., Dirty COW on Linux), misconfigured SUID binaries, or weak service permissions.
  • Lateral Movement: From one compromised machine, can we access others? Techniques include:
    • Pass-the-Hash (PtH): Using stolen NTLM hashes to authenticate to other Windows machines without needing the plaintext password. Tools like mimikatz can extract these hashes from memory.
    • Exploiting Trust Relationships: If ServerA trusts ServerB, and we compromise ServerA, we might be able to pivot to ServerB.
    • Credential Reuse: Finding the same weak passwords or default credentials on multiple systems.

Example Lateral Movement: After compromising a web server, we might find cleartext database credentials in a configuration file. Using these credentials, we log into the database server and find administrative credentials for other internal systems.

Phase 5: Reporting and Remediation

The final, and arguably most important, phase is documenting everything. Findings are prioritized by severity (CVSS score, business impact), and actionable remediation steps are provided.

Example Report Entry:

  • Vulnerability: Apache Tomcat Remote Code Execution (CVE-2020-1938)
  • Affected System: 192.168.1.150:8080
  • Severity: Critical
  • Impact: Attacker can read arbitrary files, write arbitrary files, and potentially gain remote code execution.
  • Remediation: Upgrade Apache Tomcat to version 9.0.50 or later. If upgrading is not immediately possible, disable the AJP Connector in server.xml by setting address="localhost" or commenting out the connector entirely.
  • Evidence: Screenshot of /etc/passwd being read via exploit.

The true value lies not just in finding the flaws, but in understanding the chain of vulnerabilities that an attacker could use to move from an external foothold to a critical internal system.

The next challenge after fixing all reported vulnerabilities is often addressing the human elementsocial engineering and insider threats.

Want structured learning?

Take the full Infrastructure Security course →