Penetration Testing: Advanced professional testing by certified experts

What is a penetration test?


A penetration test is a simulation of a malicious attack on a computer system, a network or an organisation under real-world conditions. The penetration test allows you to determine the resistance of your computer system against real attacks.



Testing and compliance validation are essential parts of the development cycle in nearly all fields involving complex systems and their development. SSL247® carries out penetration tests on not only your system and network, but also any related IT devices.

The penetration tests our teams conduct include:





Which solution is best for your organisation?

Our pentesters have created a tailor-made questionnaire to determine the best services to solve your problems and meet your needs.



Our different tests

Internal Penetration Testing


An internal penetration test follows the strategy that a person wishing to carry out a malicious act would adopt while already present on the company's internal network.

This type of testing involves conducting internal (black box) penetration tests from your main site, potentially followed by:

  • A successful physical penetration
  • A logical penetration test with the help of an e-mail campaign during social engineering

The goal is to identify the most relevant security loopholes in order to develop a realistic attack scenario aimed at escalating privileges on the network. These privileges would allow an attacker to gain access to systems or obtain particular information.

Our teams place emphasis on extending the penetration scenario as broadly as possible. This makes the testing as realistic as possible and covers more elements of your infrastructure.

Steps of an internal penetration test

For most internal penetration tests, our consultants intervene on site and work autonomously based on the access provided to them.

Possible testing strategies include:
  • the use of lower level access credentials, such as for a visitor or guest, where the user may only be granted access to an internet connection.
  • more specific access options, such as a "standard office" access or the common access that is granted to all employees.

The phases of an internal penetration test are as follows:

Discovery Phase

Aims to obtain the maximum amount of information about the internal network from the physical access gained. This consists of passively listening to traffic (the interactions with network and server devices).

Mapping Phase

The goal is to obtain as much information as possible about different targets in order to identify the attack surface and render the attacks more effective. Our team has developed tools that automate a part of this phase, allowing more time for focusing on manual testing.

Penetration Phase

This phase identifies entry points on the internal network and any loopholes that facilitate the taking over of devices, and acquisition of data that identify other vulnerabilities. The penetration phase is a major phase of this type of testing.

Exploitation Phase

This is another major phase of internal penetration testing, in which the identified vulnerabilities are exploited to progressively elevate the level of access obtained. The "classic" exploitation phase starts with a vulnerability that allows a machine (workstation or server) to be controlled and ends with the takeover of the domain or machine cluster. This attack pattern replicates a realistic scenario of exploration and lateral movement aimed at data extraction.

 
Penetration Tests - External

External Penetration Testing


An external penetration test imitates the real actions of a hacker that does not start with access to your internal network. The pentester will attack from the outside, via the Internet, without necessarily knowing any details about your organisation's information infrastructure.

External penetration testing consists of searching for vulnerabilities that are present in your infrastructure (that is accessible from the internet) and choosing the least risky, most discreet and most efficient method to gain access to it.

Prerequisites

This type of testing only requires you to provide an IP address range and a test authorisation for each host included in the scope.

Simulation of a real attack and its impacts

If necessary, we can attempt an escalation of privilege, allowing the test to extend into networks that are inaccessible from the internet (your internal network, for example). The test will be extended in search of a target, or of sensitive elements. This simulates a real penetration scenario by an attacker targeting your infrastructure.

A valuable resource for decision making

These tests allow the security of all infrastructure components to be challenged, including those which are not necessarily visible from the Internet, such as the filtering equipment.

Once the recommendations from the detailed report are evaluated, decision makers are better able to align their choices, for example by reinforcing the network separation or concentrating efforts on development security.

Steps of an external penetration test

Reconnaissance Phase

Multiple searches of public sources are undertaken to find information leaks that could be used to establish an attack; these sources may include search engines, DNS, Whois records and pastebin-like sites.

Mapping Phase

The goal is to get as much information as possible on the different targets in order to identify the attack surface and render the attacks more effective. Each service is retrieved and categorised to help with processing it in the following penetration phase. This step also makes it possible to identify the network path taken, and thus potentially the equipment that filters the system and application servers to be audited.

Penetration Phase

This phase identifies entry points on the internal network and any loopholes that facilitate the taking over of devices, and acquisition of data that identify other vulnerabilities. The penetration phase is a major phase of this type of testing:

  1. Vulnerabilities on Web services: exploiting vulnerabilities in a Web environment offers more interaction for an attacker than a simple third-party network service such as SMTP, FTP or SSH. That is why we pay special attention and dedicate a particular methodology to testing Web applications.
  2. Vulnerabilities on third-party non-web services: in this case, configuration weaknesses are exploited and attempts such as enumerating passwords or using known exploits are carried out.

Exploitation Phase

This phase confirms the risk level of the identified vulnerabilities and provides visibility on the opportunities a hacker could have to exfiltrate confidential data and modify sensitive elements within your infrastructure. This phase materialises the penetration test and demonstrates the expertise of our consultants.

  1. In this type of test, the exploitation phase often aims to transform a system / application vulnerability into a means of communication with the internal network. This is done to identify a way to compromise your internal network through an internet exposed infrastructure.
  2. "Lateral movement" is another part of the exploitation phase that aims to simulate what an attacker would do once on the internal network, such as moving from the compromised web server to the database and then to the company's main directory.
 
Penetration Tests - Application

Application Penetration Testing


An application penetration test is a complete test on a website, including research into the most common vulnerabilities as defined by OWASP.

These tests aim to determine whether a malicious attacker could compromise the security of your information system by targeting one or several applications hosted internally, within your IT infrastructure, and externally.

The function of both simple and complex applications will be identified and then manipulated, in an attempt to exploit or bypass their security. An audit of the web application and security of its configuration will be conducted to detect vulnerabilities that may have been created during the integration of the application.

Optional Hybrid Approach: Authenticated Application Penetration Testing

A hybrid approach to application penetration testing simulates a malicious attack by a user who holds an account on the application, either self-registered or provided with authentication credentials for the test.

Steps of an application penetration test

Building on the OWASP methodologies, our teams have developed the following phases of testing:

Network and System Mapping

  • This phase is designed to identify the exposure of the server hosting the web application, for thorough testing in subsequent phases.
  • It identifies the services that are accessible and confirms the existence of server configuration errors.
  • It aims to identify vulnerabilities related to the server software (such as Apache, IIS or Nginx) that hosts the web application and service.
  • Depending on the configuration settings and the level of system/software updates, an attacker may be able to compromise the server and the applications hosted within.

Application Penetration

  • This is the most important phase, and consumes the largest amount of a consultant's time. It aims to challenge the security of the developed code or of the solution already in place (for example a CMS) by testing each function in detail.
  • If an authenticated application penetration test is performed, this phase also includes a detailed security analysis of the various means of authentication and of session maintenance. We also verify whether the authentication mechanisms can be bypassed, and whether the session data of each user are isolated from those of other users.

Exploitation Phase

Each identified vulnerability is materialised by exploiting it, making it possible to obtain:

  1. Confidential data: if an isolation defect occurs, for example, we will attempt to recover information on users other than those of a given account.
  2. Server control: it can be possible to extend testing to the internal network by obtaining a command prompt on the machine hosting the application. Through this, we can verify the execution of system commands.
  3. Privileged access: the impersonation of a user's identity will be attempted, to try and gain greater access than that of the given account/user.
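The "isolation defect" mentioned above (one account reading another account's data) is the kind of finding an authenticated application test looks for. The following is an added example, not SSL247's code or any real application: two in-memory handlers serve a per-user invoice record, one with the defect (any valid session can read any invoice id) and one with the fix (ownership is checked, and foreign records answer 404 so that their ids are not confirmed). check_isolation() plays the tester, using each user's session to request every record that belongs to someone else and returning what leaked. The users, sessions and invoices are constructed sample data.

```python
"""
Added example (not SSL247's code): a minimal model of the session-isolation
check performed during an authenticated application penetration test.
Everything here (sessions, users, invoices) is constructed sample data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: two logged-in users and the invoices they own
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}
INVOICES: Dict[int, Dict[str, str]] = {
    1001: {"owner": "alice", "amount": "120.00"},
    2002: {"owner": "bob", "amount": "85.50"},
}

Response = Tuple[int, Optional[Dict[str, str]]]
Handler = Callable[[Optional[str], int], Response]


def vulnerable_get_invoice(session_id: Optional[str], invoice_id: int) -> Response:
    """Defect: authorisation stops at 'is there a valid session?', so any
    authenticated user can read any invoice simply by guessing its id."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, None
    return 200, record


def fixed_get_invoice(session_id: Optional[str], invoice_id: int) -> Response:
    """Fix: the record must belong to the session's user. A foreign record is
    answered exactly like a missing one, so the response does not confirm
    that other users' invoice ids exist."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def check_isolation(handler: Handler) -> List[Tuple[str, int]]:
    """Tester's view of the isolation check: with each user's session, request
    every invoice owned by somebody else. Returns (user, invoice_id) pairs
    for which the handler handed over the record; an empty list means the
    per-user data are isolated."""
    leaks: List[Tuple[str, int]] = []
    for session_id, user in SESSIONS.items():
        for invoice_id, record in INVOICES.items():
            if record["owner"] == user:
                continue  # the user's own record; not an isolation question
            status, body = handler(session_id, invoice_id)
            if status == 200 and body is not None:
                leaks.append((user, invoice_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", check_isolation(vulnerable_get_invoice))
    print("fixed handler leaks:", check_isolation(fixed_get_invoice))
```

The same loop is what a test suite should run on every object type that carries an owner (orders, documents, profile data), because the defect is per endpoint: fixing one handler says nothing about the next.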
     
Penetration Tests - Wireless

Wireless Penetration Testing

Wireless penetration tests and audits follow an approach similar to that used by a person wishing to commit malicious acts within wireless range of your physical premises.

The overall aim is to demonstrate how exploitable your network is and to assess the level of competence required to exploit it using wireless vectors.

A security evaluation of the clients connecting to the different access points can also be carried out by employing false access points.

Steps of a wireless penetration test

Discovery Phase

Based on the initial amount of information received, we will first try to identify all Wi-Fi networks belonging to you, to analyse the security technologies implemented and the architecture of the access points. This step evaluates the level of exposure and opacity of your Wi-Fi networks.

Network Mapping Phase

We begin by mapping out all access points on your networks. We will also make sure that foreign/unauthorised networks are not infringing upon your perimeter and that no unauthorised access points are present on your property.
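The unauthorised-access-point check in the mapping phase is one a defender can also repeat between tests. The following is an added example, not SSL247's tooling: an inventory of authorised access points (BSSID to SSID) is compared with a scan listing. A BSSID absent from the inventory is reported as unknown; if it additionally advertises one of your own SSIDs it is flagged as a possible "evil twin", that is, a false access point impersonating yours; an inventoried BSSID broadcasting a different SSID than expected is flagged as reconfigured. The inventory and the scan text are constructed sample data, and the one-access-point-per-line "bssid ssid channel signal" format is an assumption, not the output of any particular scanner.

```python
"""
Added example (not SSL247's code): comparing a wireless scan against an
inventory of authorised access points to spot rogue or impersonating APs.
The inventory, the scan text and its line format are all constructed.
"""
from typing import Dict, List

# Constructed inventory of the organisation's own access points: BSSID -> SSID
AUTHORISED: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "Corp-Staff",
    "aa:bb:cc:00:00:02": "Corp-Staff",
    "aa:bb:cc:00:00:10": "Corp-Guest",
}

# Constructed scan listing (assumed format): bssid ssid channel signal_dBm
SCAN = """\
aa:bb:cc:00:00:01 Corp-Staff 6 -45
AA:BB:CC:00:00:02 Corp-Staff 11 -60
aa:bb:cc:00:00:10 Corp-Guest 1 -52
de:ad:be:ef:00:01 Corp-Staff 6 -38
12:34:56:78:9a:bc CoffeeShop_Free 1 -80
"""


def parse_scan(text: str) -> List[dict]:
    """Parse the assumed scan format. Malformed lines are skipped and BSSIDs
    are lower-cased so that case differences between tools do not cause
    an authorised AP to be reported as unknown."""
    aps: List[dict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        bssid, ssid, channel, signal = parts
        aps.append({"bssid": bssid.lower(), "ssid": ssid,
                    "channel": int(channel), "signal": int(signal)})
    return aps


def classify(aps: List[dict], authorised: Dict[str, str] = AUTHORISED) -> Dict[str, List[dict]]:
    """Sort observed APs into authorised / reconfigured / evil_twin / unknown.
    An evil twin is an unknown BSSID advertising one of our own SSIDs."""
    own_ssids = set(authorised.values())
    findings: Dict[str, List[dict]] = {
        "authorised": [], "reconfigured": [], "evil_twin": [], "unknown": []}
    for ap in aps:
        expected_ssid = authorised.get(ap["bssid"])
        if expected_ssid is None:
            if ap["ssid"] in own_ssids:
                findings["evil_twin"].append(ap)
            else:
                findings["unknown"].append(ap)
        elif expected_ssid != ap["ssid"]:
            findings["reconfigured"].append(ap)
        else:
            findings["authorised"].append(ap)
    return findings


def report(findings: Dict[str, List[dict]]) -> List[str]:
    """One line per finding that needs a human to look at it, worst first."""
    lines: List[str] = []
    for category in ("evil_twin", "reconfigured", "unknown"):
        for ap in findings[category]:
            lines.append(f"{category}: {ap['bssid']} '{ap['ssid']}' "
                         f"ch{ap['channel']} {ap['signal']} dBm")
    return lines


if __name__ == "__main__":
    for line in report(classify(parse_scan(SCAN))):
        print(line)
```

The strong signal on the evil-twin line in the sample (-38 dBm, stronger than any authorised AP) is the kind of detail worth carrying into the report: clients prefer the strongest access point advertising a known SSID, which is exactly how a false access point attracts them. A real SSID may contain spaces, so a production version would read a structured scanner output rather than splitting on whitespace.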

Penetration Phase on Captive Portals

Once the perimeter is defined, we will try to discover possible access point vulnerabilities that may allow an attacker to gain a foothold on the internal network or to obtain sensitive information on your organisation and its services.

The purpose of this is to show the exploitability of the vulnerabilities and to determine the skill level or competency required to exploit them.

We will also prove the isolation (or lack thereof) of the network in comparison to other privileged networks.

Penetration Phase on Private Access Points

If we discover that "company", "enterprise" or "protected" networks are in use (networks that are intended for internal, and not public, use), we will try a range of attacks aimed at obtaining access to these closed-off networks.

These attacks can target wireless clients (employees), with the aim of stealing login/access details that will give us access to the network.

 
Penetration Tests - VoIP

Voice over IP (VoIP) Infrastructure Penetration Testing

A VoIP penetration test follows an approach similar to that used by a person wishing to commit malicious acts on the IP telephony network while being present on the internal network of the company.

Information Gathering

Between the Ethernet socket and the phone itself, the goal is to obtain as much information as possible about the VoIP network.

Penetration Attempts on IP Phones

These tests are conducted to target IP phones and analyse their configuration and attack surface. The confidentiality and integrity of sensitive information exchanged between the phone and the infrastructure will be assessed. An attempt at compromising the network and available services will be made, including by gaining physical access to the IP phone (using identity theft methods, for example).

Penetration Attempts on Phone Infrastructure

These tests target the VoIP infrastructure and any systems and services accessible through the servers. The purpose is to identify security flaws and assess the competence level required to succeed in exploiting them. SSL247® will highlight the risks of wiretapping and fraud.

Prerequisites

VoIP penetration tests generally take place on site, on your premises. We will only require access to one or a few phones to conduct the tests.

Phone Fraud: A Risk with Strong Financial Implications

We are also able to conduct external testing on an answering or voicemail system, for example.

Steps of a VoIP penetration test

This test is composed of the following steps:

Information gathering

Information will be gathered from the available local network connection as well as from a physical IP phone, to obtain the maximum amount of information on the VoIP network.

Penetration Attempts on IP Phones

In this step, IP phones will be targeted and their configuration and attack surface will be analysed to test the confidentiality and integrity of the data exchanged on the network between the telephones and the infrastructure.

Following this, a compromise of the available services will be attempted, including via physical access to the IP telephone.

Penetration attempts on the telephone infrastructure

These tests target the VoIP infrastructure and any systems and services accessible through the servers. The purpose is to identify security flaws and assess the competence level required to succeed in exploiting them. SSL247® will highlight the risks of wiretapping and fraud.

We are also able to analyse the causes and consequences of an attempted fraud using the telephony infrastructure, and how to prevent this risk.

 
Penetration Tests - Remote Access

Enterprise/Remote Access Penetration Testing (VPN, Citrix, RDP)

An enterprise access penetration test is a more targeted version of an application penetration test.

The testing focuses on a specific type of application, which requires a separate methodology and environment-specific tools.

The use of remote office environments is increasingly common in today's professional world, and their security is often difficult to grasp. Therefore, we recommend that you test the security of any remote access services you use (such as VDI/Citrix/Remote Desktops).

Prerequisites

To perform this type of audit, we require the URL of the remote access service(s) and at least one set of authentication credentials used for the virtual application.

Isolation Assessment of Virtual Apps

Our attack simulation will aim mostly at evaluating the possibility of a malicious user breaking through access control restrictions, and thus gaining access to information and services they should not have access to.

Critical Threats

An attacker that can successfully "break through" to other aspects of your remote access service exposes you to a new range of threats, such as theft of client or employee data, access to a database on your infrastructure or compromise of your domain.

These threats are generally underestimated, and our teams aim to highlight the importance of testing the remote access services you use.

Flexible Recommendations

Numerous solutions exist to offset the risks of using these types of products. In our reports, we will provide you with the most suitable security recommendations to meet your usage needs for remote access services.

Steps of a remote access penetration test

Mapping Phase

We will scan the network to identify the use of any remote access services.

Application Partitioning Assessment Phase

In this phase, we assess the risk of an attacker extending their access beyond the access level intended for the user.

This will be done with an approach similar to that of an application penetration test.

Local Exploitation Phase

We will assess the privileges of the server and identify sensitive data.

Post-Exploitation Phase

We will move laterally on the internal network, attempting to compromise the centralised architecture.

 



Test Reports

Our reports are much more than a simple list of vulnerabilities generated with an automated tool. From the methodology and strategies employed to the traces of information, our reports provide as much information as possible, enabling your teams to understand and replicate the exploitation or verification of all identified vulnerabilities.

SSL247 Penetration Test Report

Why choose SSL247®?

SSL247® have accredited experts with over 15 years' experience in the security industry and have achieved a variety of accreditations, including the EMEA Symantec Champion Award 2017 and ISO 9001:2015 and ISO 27001:2013.

Responsive and flexible

Our accredited security consultants and certified pentesters are here to respond and advise you on the most appropriate approach to follow.

Technically competent

All our consultants and auditors are regularly trained by third-party organisations to be kept informed about the latest vulnerabilities and attack techniques.

Certified experts

Our consultants hold the following certifications, amongst others: OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert) and OPST (OSSTMM Professional Security Tester).

Get in touch

For more information on how Penetration Testing can benefit your business, simply get in touch with one of our friendly accredited consultants for a no-obligation discussion:

sales@ssl247.co.uk