This is a presentation that every IT manager or Chief Security Officer should watch.
People tend to base their security posture on individual vulnerabilities instead of on a sound design that protects their critical assets, and even penetration testers make the same mistake. Bad penetration testers, of course.
In my career in IT, I have seen many so-called penetration testers who just run a vulnerability scanner and then send the report to the customer. That is plainly wrong (rubbish?), because I do not need to pay a company to scan my own network for vulnerabilities: I can do it myself, with the same results.
So what is a penetration test? It is meant to emulate a real attack, one that tries to reach our core business by making use of any possible attack vector.
A penetration tester must try all possible attack vectors. This includes misconfigurations, bad network designs, vulnerabilities, social engineering, protocol weaknesses, etc., simply because a skilled attacker, the motivated one who can cause real damage, will do exactly that.
H.D. Moore is the Chief Security Officer of Rapid7 and Founder & Chief Architect of Metasploit.
This presentation shows the techniques a skilled penetration tester can use to gain full access to a network without exploiting a single software vulnerability (the kind a scanner would report).
It covers attacking the users, password testing, design weaknesses in the Windows platform (NTLM hashes and NTLM relay), abusing SMB design weaknesses to escalate privileges all the way to the domain controller, layer 2 attacks, IPv6, and more.
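As an added example (not part of the presentation and not H.D. Moore's or Metasploit's code), the check below shows why NTLM relay to SMB is a design weakness rather than a scanner-visible "vulnerability": the relayed session never knows the user's NT hash, so it cannot sign, and the attack succeeds against any server that accepts unsigned sessions. The script decodes the SecurityMode field of an SMB2 NEGOTIATE response according to the MS-SMB2 layout and flags servers where signing is merely "enabled" (the usual member-server default) instead of "required" (the domain-controller default). The two packets it inspects are constructed inside the script; in real use you would feed it the NEGOTIATE response captured from each host during a scan.

```python
import struct

# SMB2 NEGOTIATE response SecurityMode flags (MS-SMB2 section 2.2.4).
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_COMMAND_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on every response


def strip_netbios_header(packet: bytes) -> bytes:
    """Remove the 4-byte NetBIOS session-service header used on TCP/445, if present."""
    if packet[:4] == SMB2_MAGIC:
        return packet
    if len(packet) > 8 and packet[0] == 0 and packet[4:8] == SMB2_MAGIC:
        return packet[4:]
    raise ValueError("not an SMB2 message")


def parse_negotiate_response(packet: bytes) -> dict:
    """Return the dialect and signing flags from an SMB2 NEGOTIATE response.

    Only the fields relevant to NTLM relay are decoded; the server GUID,
    size limits and the GSS security blob are ignored.
    """
    msg = strip_netbios_header(packet)
    command = struct.unpack_from("<H", msg, 12)[0]   # header offset 12: Command
    flags = struct.unpack_from("<I", msg, 16)[0]     # header offset 16: Flags
    if command != SMB2_COMMAND_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if structure_size != 65:  # fixed value for this response type (MS-SMB2 2.2.4)
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % structure_size)
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_to_smb_possible(packet: bytes) -> bool:
    """True when an NTLM relay to this SMB server would succeed.

    The relay never learns the NT hash the signing key is derived from, so it
    cannot sign; only a server that REQUIRES signing rejects it. "Enabled" on
    its own is not a defence, because the attacker simply negotiates no signing.
    """
    return not parse_negotiate_response(packet)["signing_required"]


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response (test data, not a real capture)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        SMB2_HEADER_LEN,              # StructureSize
        0,                            # CreditCharge
        0,                            # Status (STATUS_SUCCESS)
        SMB2_COMMAND_NEGOTIATE,       # Command
        1,                            # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,   # Flags
        0,                            # NextCommand
        0,                            # MessageId
        0,                            # Reserved
        0,                            # TreeId
        0,                            # SessionId
        b"\x00" * 16,                 # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65,                            # StructureSize
        security_mode,                 # SecurityMode
        dialect,                       # DialectRevision (0x0302 = SMB 3.0.2)
        0,                             # NegotiateContextCount / Reserved
        b"\x11" * 16,                  # ServerGuid (arbitrary)
        0,                             # Capabilities
        0x800000, 0x800000, 0x800000,  # MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                          # SystemTime, ServerStartTime
        0, 0,                          # SecurityBufferOffset/Length (no GSS blob)
        0,                             # NegotiateContextOffset / Reserved2
    )
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # NetBIOS session header


# Constructed samples: a member server with the usual "enabled only" setting
# and a domain controller with signing required.
MEMBER_SERVER = build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED)
DOMAIN_CONTROLLER = build_negotiate_response(
    SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED)

if __name__ == "__main__":
    for name, pkt in (("member server", MEMBER_SERVER), ("domain controller", DOMAIN_CONTROLLER)):
        info = parse_negotiate_response(pkt)
        print(f"{name}: dialect=0x{info['dialect']:04x} "
              f"signing_required={info['signing_required']} relayable={relay_to_smb_possible(pkt)}")
```

The point of the check is the gap between "enabled" and "required": a host with signing only enabled is fully patched as far as any scanner is concerned, yet its SMB service will accept a relayed session. Note that relay targets other than SMB (LDAP, HTTP and so on) have their own separate protections, such as LDAP signing and channel binding, which this SMB-only check does not cover.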