PCI-DSS internal pentest

The project goal was to verify the compliance of the customer's internal network with the Payment Card Industry Data Security Standard (PCI DSS). The test was conducted in a gray-box manner. Because of the high security level of the environment, the pentester worked from a customer-provided computer with Kali Linux installed and restricted access to the Internet. The test covered infrastructure testing, layer 2 network attacks, network segmentation testing and internal web-application testing. The methodology followed the requirements of the PCI Penetration Testing Guidance.


As a result, the customer received a detailed report with the findings and a statement of which PCI DSS requirement each finding violated. Some of the issues that were identified:

  • Missing IPv6 host firewall rules. Many servers had a host firewall with IPv4 rules, but no IPv6 rules were implemented even though IPv6 was enabled on the network interfaces. It was possible to reach a wide range of services over IPv6, including an NFS share with backups. The backups contained an SSH private key, which allowed one of the servers in the CDE to be compromised.
  • The Java EE application did not properly filter the type and storage location of uploaded files, which allowed a JSP web shell to be uploaded and the application server to be compromised.
  • The log server serving the CDE machines stored its logs in an Elastic instance, including the commands invoked by the system administrators.
  • Database passwords were recovered from those logs.
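The first finding above is a host-firewall parity gap: IPv4 is filtered, IPv6 is not, and the host is reachable over IPv6. The following Python script is an added illustration and not part of the original report or the customer's tooling. It parses constructed `iptables-save`, `ip6tables-save` and `ip -6 addr` output and flags a host that holds a routable IPv6 address while its IPv6 INPUT chain is left open. The sample outputs, the finding codes and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed `iptables-save` output: IPv4 INPUT denies by default and allows a few services.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed `ip6tables-save` output on the same host: distribution defaults, nothing filtered.
IP6TABLES_SAVE_DEFAULT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed `ip6tables-save` output after the IPv4 policy has been mirrored to IPv6.
IP6TABLES_SAVE_FIXED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed `ip -6 addr` output: loopback, one routable address and one link-local address.
IP6_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:10:1::25/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""


@dataclass
class FilterTable:
    policies: dict = field(default_factory=dict)  # chain name -> default policy
    rules: dict = field(default_factory=dict)     # chain name -> list of "-A" rules


def parse_save(text):
    """Parse the *filter table from iptables-save / ip6tables-save output."""
    table, in_filter = FilterTable(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table.policies[chain] = policy
            table.rules.setdefault(chain, [])
        elif line.startswith("-A "):
            table.rules.setdefault(line.split()[1], []).append(line)
    return table


def input_is_filtered(table):
    """True if INPUT denies by default or ends in a catch-all DROP/REJECT rule (heuristic)."""
    if table.policies.get("INPUT") in ("DROP", "REJECT"):
        return True
    rules = table.rules.get("INPUT", [])
    return bool(rules) and re.match(r"-A INPUT -j (DROP|REJECT)\b", rules[-1]) is not None


def global_ipv6_addrs(ip_addr_output):
    """Routable (scope global) IPv6 addresses taken from `ip -6 addr` output."""
    found = re.findall(r"inet6 ([0-9a-f:]+)/\d+ scope (\w+)", ip_addr_output)
    return [addr for addr, scope in found if scope == "global"]


def audit_ipv6_firewall(v4_save, v6_save, ip_addr_output):
    """Return finding codes; an empty list means IPv6 is filtered at least as well as IPv4."""
    findings = []
    if not global_ipv6_addrs(ip_addr_output):
        return findings  # no routable IPv6 address, so nothing is reachable over v6
    v4, v6 = parse_save(v4_save), parse_save(v6_save)
    if not input_is_filtered(v6):
        findings.append("ipv6-input-unfiltered")
        if input_is_filtered(v4):
            findings.append("ipv4-ipv6-parity-mismatch")
    return findings


if __name__ == "__main__":
    for label, v6 in (("default", IP6TABLES_SAVE_DEFAULT), ("fixed", IP6TABLES_SAVE_FIXED)):
        print(label, audit_ipv6_firewall(IPTABLES_SAVE, v6, IP6_ADDR_OUTPUT))
```

On a host managed with nftables the same check would read the `ip6 filter` table from `nft list ruleset` instead; the decision logic (routable address present, INPUT chain not denying) is unchanged.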
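The second finding, an upload handler in the Java EE application that checked neither file type nor storage location, is the kind of defect a server-side validator prevents. The following Python function is an added example and not the customer's application code. It keeps only the last component of the client-supplied filename, allow-lists extensions, checks the file's magic bytes against that extension, and stores the file under a server-chosen random name beneath a directory that must lie outside the servlet container's web root. The allow-list, the size limit and the `/srv/uploads` path are assumptions made for this example.

```python
import os
import secrets
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Assumed policy for this example: allowed extensions and the magic bytes each must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_path: Optional[str] = None  # server-side path, set only when accepted


def validate_upload(client_filename: str, data: bytes, upload_root: str) -> UploadDecision:
    """Decide whether an upload is stored and where; upload_root must lie outside the web root."""
    # The client-supplied name is untrusted: keep only its last path component.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension '.{ext}' not allowed")
    if len(data) > MAX_BYTES:
        return UploadDecision(False, "file too large")
    # The extension alone proves nothing: the content must carry the matching signature.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return UploadDecision(False, f"content does not match a .{ext} signature")
    # The server chooses the stored name, so nothing from the client reaches the filesystem.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, stored_name))
    if os.path.dirname(dest) != root:  # defence in depth against any path escape
        return UploadDecision(False, "resolved path escapes upload root")
    return UploadDecision(True, "ok", dest)


def save_upload(client_filename: str, data: bytes, upload_root: str) -> UploadDecision:
    """Validate and, if accepted, write the bytes with exclusive create (never overwrite)."""
    decision = validate_upload(client_filename, data, upload_root)
    if decision.accepted:
        with open(decision.stored_path, "xb") as fh:
            fh.write(data)
    return decision


if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.4\n"),
        ("cmd.jsp", b"<%-- not an allowed type --%>"),
        ("cmd.jsp.png", b"not a png"),
        ("../../ROOT/x.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for fname, blob in samples:
        d = validate_upload(fname, blob, "/srv/uploads")
        print(f"{fname!r}: accepted={d.accepted} reason={d.reason} path={d.stored_path}")
```

The directory handed to `validate_upload` should be served, if at all, through a handler that sets a fixed `Content-Type` and never executes what it reads; keeping it outside the deployed web application is what prevents an accepted file from being interpreted as a page.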
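The last two findings come from administrator command lines being indexed with their secrets intact. The following Python is an added example and not the customer's log pipeline. It scrubs the common places where database passwords appear on a command line (inline `-p` for the mysql client family, `--password=`, credentials in connection URLs, password environment variables) before a line is shipped to Elastic, and reports which lines of an existing log would have leaked. The sample log lines are constructed, and the pattern list is a heuristic starting point rather than a complete one.

```python
import re

REDACTED = "<REDACTED>"

# Constructed command-audit lines of the kind a log shipper forwards; none are real.
SAMPLE_LOG = [
    "2023-04-02T10:15:03Z dbadmin: mysql -u root -pS3cr3tP@ss inventory",
    "2023-04-02T10:16:41Z dbadmin: PGPASSWORD=hunter2 psql -h db01 -U app app_db",
    "2023-04-02T10:18:09Z dbadmin: psql postgres://app:Tr0ub4dor@db01:5432/app_db",
    "2023-04-02T10:20:00Z ops: ssh -p 2222 deploy@app01",
    "2023-04-02T10:21:12Z ops: mysqldump --password=N0tSoSecret --all-databases",
]

# (description, pattern, replacement): heuristics for where DB secrets show up on a command line.
SECRET_PATTERNS = [
    ("long-form password option",
     re.compile(r"(--password=)\S+"), r"\g<1>" + REDACTED),
    ("mysql-family inline -p<password> (only when the command is mysql*)",
     re.compile(r"(\bmysql\w*\b[^\n]*?\s-p)(\S+)"), r"\g<1>" + REDACTED),
    ("credentials embedded in a connection URL",
     re.compile(r"(\b\w+://[^:/\s@]+:)[^@\s]+@"), r"\g<1>" + REDACTED + "@"),
    ("password environment variable",
     re.compile(r"(\b(?:PGPASSWORD|MYSQL_PWD|DB_PASSWORD)=)\S+"), r"\g<1>" + REDACTED),
]


def redact_line(line):
    """Return (scrubbed line, number of secrets replaced)."""
    total = 0
    for _, pattern, repl in SECRET_PATTERNS:
        line, n = pattern.subn(repl, line)
        total += n
    return line, total


def leaking_lines(lines):
    """Indices of lines that carry at least one secret; use this to audit an existing index."""
    return [i for i, line in enumerate(lines) if redact_line(line)[1] > 0]


def scrub_before_shipping(lines):
    """What the shipper should forward to Elastic: every line, with secrets replaced."""
    return [redact_line(line)[0] for line in lines]


if __name__ == "__main__":
    print("lines with secrets:", leaking_lines(SAMPLE_LOG))
    for line in scrub_before_shipping(SAMPLE_LOG):
        print(line)
```

Scrubbing at the shipper is the compensating control; the primary fix is that passwords do not belong on the command line in the first place (client option files and `.pgpass`/`PGPASSFILE` keep them out of process listings and shell history), and an index that already holds them needs the affected documents purged and the credentials rotated.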