Penetration Testing: Advanced professional testing by certified experts
What is a penetration test?
A penetration test is a simulation of a malicious attack on a computer system, a network or an organisation under real-world conditions. The penetration test allows you to determine the resistance of your computer system against real attacks.
Testing and compliance validation are essential parts of the development cycle in nearly all fields involving complex systems and their development. SSL247® carries out penetration tests on not only your system and network, but also any related IT devices.
The penetration tests our teams conduct include:
Our different tests
Internal Penetration Testing
An internal penetration test follows a strategy similar to that of a person who is present on the company's internal network and wishes to carry out a malicious act.
This type of testing involves conducting internal (black box) penetration tests from your main site, potentially followed by:
- A successful physical penetration
- A logical penetration test carried out with the help of an e-mail campaign as part of social engineering
The goal is to identify the most relevant security loopholes in order to develop a realistic attack scenario aiming to escalate privileges on the network. These privileges would make it possible for an attacker to gain access or obtain particular information.
Our teams place emphasis on extending the penetration scenario as broadly as possible. This allows the testing to be as realistic as possible, and covers more elements of your infrastructure.

For most internal penetration tests, our consultants intervene on site and work autonomously based on the access provided to them.
Possible testing strategies include:
- the use of lower level access credentials, such as for a visitor or guest, where the user may only be granted access to an internet connection.
- more specific access options, such as a "standard office" access or the common access that is granted to all employees.
The phases of an internal penetration test are as follows:
Discovery Phase
This phase aims to obtain the maximum amount of information about the internal network from the physical access gained. This results in passive listening to traffic (the interactions with network and server devices).
Mapping Phase
The goal is to obtain as much information as possible about different targets in order to identify the attack surface and render the attacks more effective. Our team has developed tools that automate a part of this phase, allowing more time for focusing on manual testing.
Penetration Phase
This phase identifies entry points on the internal network and any loopholes that facilitate the taking over of devices, and acquisition of data that identify other vulnerabilities. The penetration phase is a major phase of this type of testing.
Exploitation Phase
This is another major phase of internal penetration testing where vulnerabilities are identified and the increasing elevation of access level can be achieved. The "classic" exploitation phase starts with a vulnerability that allows a machine (workstation or server) to be controlled and ends with the takeover of the domain or machine cluster. This attack pattern replicates a realistic scenario of exploration and lateral movement aimed at data extraction.
External Penetration Testing
An external penetration test imitates the real actions of a hacker who does not start with access to your internal network. The pentester will attack from the outside, via the Internet, without necessarily knowing any details about your organisation's information infrastructure.
External penetration testing consists of searching for vulnerabilities that are present in your infrastructure (that is accessible from the internet) and choosing the least risky, most discreet and most efficient method to gain access to it.
Prerequisites
This type of testing only requires that an IP address range and a test authorisation for each host included in the area be provided.
Simulation of a real attack and its impacts
If necessary, we can attempt an escalation of privilege, allowing the test to extend into networks that are inaccessible from the internet (your internal network, for example). The test will be extended in search of a target, or of sensitive elements. This simulates a real penetration scenario by an attacker targeting your infrastructure.
A valuable resource for decision making
These tests allow the challenging of security of all infrastructure components, including those which are not necessarily visible from the Internet, such as the filtering equipment.
Once the recommendations from the detailed report are evaluated, decision makers are better able to line up their choices, for example, reinforcing the network separation or concentrating efforts on development security.

Reconnaissance Phase
Multiple searches of public sources are undertaken to find information leaks that could be used to establish an attack. These sources may include search engines, DNS, Whois, pastebin-like sites, etc.
Mapping Phase
The goal is to get as much information as possible on different targets in order to identify the attack surface and render the attacks more effective. Each service is retrieved and categorised to help with processing it in the following penetration phase. This step also makes it possible to identify the network path taken and thus potentially the equipment that filters the system and application servers to be audited.
Penetration Phase
This phase identifies entry points on the internal network and any loopholes that facilitate the taking over of devices, and acquisition of data that identify other vulnerabilities. The penetration phase is a major phase of this type of testing:
- Vulnerabilities on Web Services: exploiting vulnerabilities in a Web environment offers more interaction for an attacker than a simple third-party network service such as SMTP, FTP, or SSH. That's why we pay special attention and dedicate a particular methodology to testing Web applications.
- Vulnerabilities on Third-party Non-web Services: in this case, configuration weaknesses are exploited and attempts such as enumerating passwords or using known exploits are carried out.
Exploitation Phase
This phase confirms the risk level of the identified vulnerabilities and provides visibility on the opportunities a hacker could have to exfiltrate confidential data and modify sensitive elements within your infrastructure. This phase materialises the penetration test and demonstrates the expertise of our consultants.
- In this type of test, the exploitation phase often aims to transform a system / application vulnerability into a means of communication with the internal network. This is done to identify a way to compromise your internal network through an internet exposed infrastructure.
- "Lateral movement" is another part of the exploitation phase that aims to simulate what an attacker would do once on the internal network, such as moving from the compromised web server to the database and then to the company's main directory.
Application Penetration Testing
An application penetration test is a complete test on a website, including research into the most common vulnerabilities as defined by OWASP.
These tests aim to determine whether a malicious attacker could compromise the security of your information system by targeting one or several applications hosted internally, within your IT infrastructure, and externally.
The function of both simple and complex applications will be identified and then manipulated, in an attempt to exploit or bypass their security. An audit of the web application and security of its configuration will be conducted to detect vulnerabilities that may have been created during the integration of the application.
Optional Hybrid Approach: Authenticated Application Penetration Testing
A hybrid approach to application penetration testing can be taken through a malicious attack simulation by a user with self-verification or authentication credentials.

Building on the OWASP methodologies, our teams have developed the following phases of testing:
Network and System Mapping
- This phase was designed to identify the exposure of the server hosting the web application for thorough testing in subsequent phases.
- This phase identifies services that are accessible and confirms the existence of server configuration errors.
- This phase aims to identify vulnerabilities related to the server (such as Apache, IIS, Nginx) that hosts the web application and service.
- Depending on the configuration settings and level of system/software updates, an attacker may be able to compromise the server and applications hosted within.
Application Penetration
Exploitation Phase
Each identified vulnerability is materialised by exploiting it, making it possible to obtain:
- Confidential data: if an isolation defect occurs, for example, we will attempt to recover information on users other than those from a given account.
- Server Control: it can be possible to extend testing to the internal network by obtaining a command prompt on the machine hosting the application. Through this, we can verify the execution of system commands.
- Privileged access: the impersonation of a user’s identity will be attempted to try and gain greater access than that of the given account/user.
Wireless Penetration Testing
Wireless penetration tests and audits follow an approach similar to that used by a person wishing to commit malicious acts within wireless range of physical premises.
The overall aim is to demonstrate how exploitable your network is and to assess the level of competence required to exploit it using wireless vectors.
A security evaluation of clients coming from the different access points can also be carried out by employing false access points.

Discovery Phase
Based on the initial amount of information received, we will first try to identify all Wi-Fi networks belonging to you, to analyse the security technologies implemented and the architecture of the access points. This step evaluates the level of exposure and opacity of your Wi-Fi networks.
Network Mapping Phase
We begin by mapping out all access points on your networks. We will also make sure that foreign/unauthorised networks are not infringing upon your perimeter and that no unauthorised access points are present on your property.
Penetration Phase on Captive Portals
Once the perimeter is defined, we will try to discover possible access point vulnerabilities that may allow an attacker to gain a foothold on the internal network or to obtain sensitive information on your organisation and its services.
The purpose of this is to show the exploitability of the vulnerabilities and to determine the skill-level or competency required to exploit the vulnerabilities.
We will also prove the isolation (or lack thereof) of the network in comparison to other privileged networks.
Penetration phase on Private Access Points
If we discover that “company”, “enterprise” or “protected” networks are in use (networks that are intended for internal, and not public, use), we will try a range of attacks aimed at obtaining access to these closed-off networks.
These attacks can target wireless clients (employees), with the aim of stealing login/access details that will give us access to the network.
Voice over IP (VoIP) Infrastructure Penetration Testing
A VoIP penetration test follows an approach similar to that used by a person wishing to commit malicious acts on the IP telephone network by being present on the internal network of the company.
Information Gathering
Between the Ethernet socket and the phone itself, the goal is to obtain as much information as possible from the VoIP network.
Penetration Attempts on IP Phones
These tests are conducted to target IP phones and analyse their configuration and attack surface. The privacy and integrity of sensitive information exchanged between the phone and the infrastructure will be assessed. An attempt at compromising the network and available services will be made, including by gaining physical access to the IP phone (using identity theft methods, for example).
Penetration Attempts on Phone Infrastructure
These tests target the VoIP infrastructure and any systems and services accessible through the servers. The purpose is to identify security flaws and assess the competence level required to succeed in exploiting them. SSL247® will highlight the risks of wiretapping and fraud.
Prerequisites
VoIP penetration tests generally take place on site, on your premises. We will only require access to one or a few phones to conduct the tests.
Phone Fraud: A risk with Strong Financial Implications
We are also able to conduct external testing on an answering or voicemail system, for example.

This test is composed of the following steps:
Information gathering
Information will be gathered from the available local network connection as well as a physical IP phone to obtain the maximum amount of information on the VoIP network.
Penetration Attempts on IP Phones
In this step, IP phones will be targeted and their configuration and attack surface will be analysed to test the confidentiality and integrity of the data exchanged on the network between the telephones and the infrastructure.
Following this, a compromise of the available services will be attempted, including via physical access to the IP telephone.
Penetration attempts on the telephone infrastructure
These tests target the VoIP infrastructure and any systems and services accessible through the servers. The purpose is to identify security flaws and assess the competence level required to succeed in exploiting them. SSL247® will highlight the risks of wiretapping and fraud.
We are also able to analyse the causes and consequences of an attempted fraud using the telephony infrastructure and how to prevent this risk.
Enterprise/Remote Access Penetration Testing (VPN, Citrix, RDP)
An enterprise access penetration test is a more targeted version of an application penetration test.
The testing focuses on a specific type of application, which requires a separate methodology and environment-specific tools.
The use of remote office environments is increasingly common in today’s professional world, and their security is often difficult to grasp. Therefore, we recommend that you test the security of any remote access services you use (such as VDI/Citrix/Remote Desktops).
Prerequisites
To perform this type of audit, we require the URL of the remote access service(s) and at least one set of authentication credentials used for the virtual application.
Isolation Assessment of Virtual Apps
Our attack simulation will aim mostly at evaluating the possibility of a malicious user breaking through access control restrictions, and thus gaining access to information and services they should not have access to.
Critical Threats
An attacker who can successfully “break through” to other aspects of your remote access service exposes you to a new range of threats, such as theft of client or employee data, access to a database on your infrastructure or compromise of your domain.
These threats are generally underestimated, and our teams aim to highlight the importance of testing the remote access services you use.
Flexible Recommendations
Numerous solutions exist to offset the risk of using these types of products. In our reports, we will provide you with the most suitable security recommendations to meet your usage needs of remote access services.

Mapping Phase
We will scan the network to identify use of any remote access services.
Application Partitioning Assessment Phase
In this phase, we assess the risk of an attacker extending their access beyond the access level intended for the user.
This will be done with an approach similar to that of an application penetration test.
Local Exploitation Phase
We will assess the privileges of the server and identify sensitive data.
Post-Exploitation Phase
We will move laterally on the internal network, attempting to compromise the centralised architecture.
Why choose SSL247®?
SSL247® have accredited experts with over 15 years' experience in the security industry and have achieved a variety of accreditations, including the EMEA Symantec Champion Award 2017 and ISO 9001:2015 and ISO 27001:2013.
Responsive and flexible
Our accredited security consultants and certified pentesters are here to respond and advise you on the most appropriate approach to follow.
Technically competent
All our consultants and auditors are regularly trained by third-party organisations to be kept informed about the latest vulnerabilities and attack techniques.
Certified experts
Our consultants hold the following certifications, amongst others: OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert) and OPST (OSSTMM Professional Security Tester).
Test Reports
Our reports are much more than a simple list of vulnerabilities generated with an automated tool. From the methodology and strategies employed to the traces of information, our reports provide as much information as possible, enabling your teams to understand and replicate the exploitation or verification of all identified vulnerabilities.