Penetration Testing: Advanced professional testing by accredited experts
Penetration tests performed by our certified experts
What is a penetration test?
A penetration test is a simulation of a malicious attack on a computer system, a network or an organisation under real-world conditions. It lets you determine how well your computer system resists real attacks.
Testing and compliance validation are essential parts of the development cycle in nearly all fields involving complex systems and their development. SSL247® carries out penetration tests on not only your system and network, but also any related IT devices.
The penetration tests our teams conduct include:
Our different tests
Internal Penetration Testing
What is internal penetration testing?
An internal penetration test follows the strategy that a person wishing to carry out a malicious act would use once present on the company's internal network.
Why carry out internal penetration testing?
This type of testing involves conducting internal (black box) penetration tests from your main site, potentially followed by:
- A successful physical penetration
- A logical penetration test with the help of an e-mail campaign during social engineering
The goal is to identify the most relevant security loopholes in order to develop a realistic attack scenario aimed at escalating privileges on the network. These privileges would allow an attacker to gain access to, or obtain, particular information.
Our teams place emphasis on extending the penetration scenario as broadly as possible. This makes the testing as realistic as possible and covers more elements of your infrastructure.
The different steps of internal penetration testing
For most internal penetration tests, our consultants intervene on site and work autonomously based on the access provided to them.
Possible testing strategies include starting with:
- a lower-privilege access level, such as "visitor" access, where the user is normally granted only an internet connection.
- more specific access levels, such as "standard office" access or the common access granted to all employees.
A possible variation is to perform the penetration tests on the wireless networks in order to validate the isolation between these networks and the internal network.
The methodology phases of internal testing are as follows:
- Discovery Phase
Aims to obtain the maximum amount of information about the internal network from the physical access gained. This consists of passively listening to traffic (the interactions with network and server devices).
- Mapping Phase
The goal is to obtain as much information as possible about different targets in order to identify the attack surface and render the attacks more effective. Our team has developed tools that automate a part of this phase, allowing more time for focusing on manual testing.
- Penetration Phase
This phase identifies entry points on the internal network and any loopholes that allow devices to be taken over and data to be acquired that reveals further vulnerabilities. The penetration phase is a major phase of this type of testing.
- Exploitation Phase
This is another major phase of internal penetration testing, in which the identified vulnerabilities are used to progressively elevate the level of access. The "classic" exploitation phase starts with a vulnerability that allows a machine (workstation or server) to be controlled and ends with the takeover of the domain or machine cluster. This attack pattern replicates a realistic scenario of exploration and lateral movement aimed at data extraction.
External Penetration Testing
What is external penetration testing?
An external penetration test imitates the real actions of a hacker who does not start with access to your internal network. The pentester attacks from the outside, via the Internet, without necessarily knowing your organisation's infrastructure.
Why carry out external penetration testing?
External penetration testing consists of searching for vulnerabilities present in the part of your infrastructure that is accessible from the internet, and choosing the least risky, most discreet and most efficient method of penetration.
This type of testing only requires you to provide an IP address range and a test authorisation for each host included in the scope.
Simulation of a real attack and its impacts
If necessary, we can attempt an escalation of privilege, allowing the test to extend into networks that are inaccessible from the internet (your internal network, for example). The test will be extended in search of a target, or of sensitive elements. This simulates a real penetration scenario by an attacker targeting your infrastructure.
A valuable resource for decision making
These tests challenge the security of all infrastructure components, including those not necessarily visible from the Internet, such as filtering equipment.
Once the recommendations from the detailed report have been evaluated, decision makers are better able to prioritise their choices, for example reinforcing network separation or concentrating efforts on development security.
The different steps of an external penetration test
- Reconnaissance Phase
Multiple searches of public sources are undertaken to find information leaks that could be used to establish an attack. These sources may include search engines, DNS, Whois, pastebin-like sites, etc.
- Mapping Phase
The goal is to get as much information as possible on the different targets in order to identify the attack surface and render the attacks more effective. Each service is retrieved and categorised to help with processing it in the following penetration phase. This step also makes it possible to identify the network path taken, and thus potentially the equipment that filters the system and application servers to be audited.
- Penetration Phase
This phase identifies entry points into the network and any loopholes that allow devices to be taken over and data to be acquired that reveals further vulnerabilities. The penetration phase is a major phase of this type of testing:
- Vulnerabilities on Web services: exploiting vulnerabilities in a Web environment offers more interaction for an attacker than a simple third-party network service such as SMTP, FTP, or SSH. That is why we pay special attention to, and dedicate a particular methodology to, testing Web applications.
- Vulnerabilities on third-party non-Web services: in this case, configuration weaknesses are exploited and attempts such as password enumeration or the use of known exploits are carried out.
- Exploitation Phase
This phase confirms the risk level of the identified vulnerabilities and provides visibility on the opportunities a hacker could have to exfiltrate confidential data and modify sensitive elements within your infrastructure. This phase materialises the penetration test and demonstrates the expertise of our consultants.
- In this type of test, the exploitation phase often aims to turn a system or application vulnerability into a means of communication with the internal network, in order to identify a way to compromise your internal network through internet-exposed infrastructure.
- "Lateral movement" is another part of the exploitation phase. It simulates what an attacker would do once on the internal network, such as moving from the compromised web server to the database and then to the company's main directory.
Application penetration tests
What is the aim of an application penetration test?
These tests aim to determine whether a malicious attacker could compromise the security of your information system by targeting one or several applications hosted internally, within your IT infrastructure, and externally.
The functions of both simple and complex applications are identified and then manipulated in an attempt to exploit or bypass their security. An audit of the web application and of the security of its configuration is conducted to detect vulnerabilities that may have been introduced during the integration of the application.
Optional Hybrid Approach: Authenticated Application Penetration Testing
A hybrid approach to application penetration testing simulates a malicious attack by a user who holds self-verification or authentication credentials.
The different steps of an application penetration test
Building on the OWASP methodologies, our teams have developed the following phases of testing:
- Network and System Mapping
This phase is designed to identify the exposure of the server hosting the web application, for thorough testing in subsequent phases.
It identifies the services that are accessible and confirms the existence of server configuration errors.
It also aims to identify vulnerabilities related to the server software (such as Apache, IIS or Nginx) that hosts the web application and service.
Depending on the configuration settings and the level of system/software updates, an attacker may be able to compromise the server and the applications hosted on it.
- Application Penetration
This is the most important phase, and consumes the largest amount of a consultant's time. It aims to challenge the security of the developed code or of the solution already in place (for example a CMS) by testing each function in detail.
If an authenticated application penetration test is performed, this phase also includes a detailed security analysis of the various authentication mechanisms and of session management. We also verify whether the authentication mechanisms can be bypassed, and whether each user's session data is isolated.
- Exploitation Phase
Each identified vulnerability is materialised by exploiting it, making it possible to obtain:
- Confidential data: if an isolation defect is found, for example, we will attempt to recover information on users other than the one associated with the given account.
- Server control: it may be possible to extend testing to the internal network by obtaining a command prompt on the machine hosting the application. Through this, we can verify the execution of system commands.
- Privileged access: we will attempt to impersonate another user's identity in order to gain greater access than that of the given account/user.
Wireless Penetration Testing
What is a wireless penetration test?
Penetration tests and wireless audits follow an approach similar to that of a person wishing to commit malicious acts within wireless range of your physical premises.
What is the aim of a wireless penetration test?
The overall aim is to demonstrate how exploitable your network is and to assess the level of competence required to exploit it using wireless vectors.
A security evaluation of the clients connecting to the different access points can also be carried out by deploying fake access points.
The different steps of a wireless penetration test
- Discovery Phase
Based on the initial amount of information received, we will first try to identify all Wi-Fi networks belonging to you, to analyse the security technologies implemented and the architecture of the access points. This step evaluates the level of exposure and opacity of your Wi-Fi networks.
- Wi-Fi Network Mapping Phase
We begin by mapping out all access points on your networks. We will also make sure that foreign/unauthorised networks are not infringing upon your perimeter and that no unauthorised access points are present on your property.
- Penetration Phase on Captive Portals
Once the perimeter is defined, we will try to discover possible access point vulnerabilities that may allow an attacker to gain a foothold on the internal network or to obtain sensitive information on your organisation and its services. The purpose of this is to show the exploitability of the vulnerabilities and to determine the skill-level or competency required to exploit the vulnerabilities. We will also prove the isolation (or lack thereof) of the network in comparison to other privileged networks.
- Penetration phase on Private Access Points
If we discover that "company", "enterprise" or "protected" networks are in use (networks intended for internal, not public, use), we will try a range of attacks aimed at obtaining access to these closed-off networks. These attacks can target wireless clients (employees), with the aim of stealing login/access details that will give us access to the network.
Voice over IP infrastructure penetration testing
What is a VoIP penetration test?
A VoIP penetration test follows an approach similar to that used by a person wishing to commit malicious acts on the IP telephony network by being present on the internal network of the company.
What is the aim of a VoIP penetration test?
Between the Ethernet socket and the phone itself, the goal is to obtain as much information as possible from the VoIP network.
Penetration Attempts on IP Phones
These tests are conducted to target IP phones and analyse their configuration and attack surface. The privacy and integrity of sensitive information exchanged between the phone and the infrastructure will be assessed. An attempt at compromising the network and available services will be made, including by gaining physical access to the IP phone (using identity theft methods, for example).
Penetration Attempts on Phone Infrastructure
These tests target the VoIP infrastructure and any systems and services accessible through the servers. The purpose is to identify security flaws and assess the competence level required to exploit them. SSL247® will highlight the risks of wiretapping and fraud.
VoIP penetration tests generally take place on site, on your premises. We will only require access to one or a few phones to conduct the tests.
The different steps of a VoIP penetration test
This test is composed of the following steps:
- Information gathering
Information will be gathered from the available local network connection as well as a physical IP phone to obtain the maximum amount of information on the VoIP network.
- Penetration attempts on IP phones
In this step, IP phones are targeted and their configuration and attack surface analysed. The confidentiality and integrity of the data exchanged on the network between the telephone and the telephony infrastructure are validated. Following this, a compromise of the available services is attempted, including via physical access to the IP telephone (identity theft, for example).
- Penetration attempts on the telephone infrastructure
Here, the VoIP infrastructure will be targeted and we will attempt to discover which systems and services are available on the servers. The objective is to demonstrate security flaws and to assess the level of competence required to exploit them. SSL247® highlights the risks of illegal listening and fraud.
We are also able to analyse the causes and consequences of a fraud attempt made through the telephony infrastructure, and how to prevent this risk.
Enterprise/Remote Access Penetration Testing (VPN, Citrix, RDP)
What is an enterprise/remote access penetration test?
The enterprise access penetration test is a more targeted version of the application penetration test. It focuses on a specific type of application, which requires a separate methodology and environment-specific tools.
What is the aim of an enterprise/remote access penetration test?
The use of remote office environments is increasingly common in today’s professional world, and their security is often difficult to grasp. Therefore, we recommend that you test the security of any remote access services (such as VDI/Citrix/Remote Desktops) in use.
To perform this type of audit, we require the URL of the remote access service(s) as well as at least one set of authentication credentials used for the virtual application.
An Isolation Assessment of Virtual Apps
Our attack simulation will aim mostly at evaluating the possibility of a malicious user breaking through access control restrictions, and thus gaining access to information and services they should not have access to.
An attacker who can successfully "break through" to other parts of your remote access service exposes you to a new range of threats. These include theft of client or employee data, access to a database on your infrastructure or compromise of your domain. These threats are generally underestimated, and our teams aim to highlight the importance of testing the remote access services you use.
The different steps of an enterprise/remote access penetration test
This test is composed of the following steps:
- Mapping Phase
We will scan the network to identify use of any remote access services.
- Application Partitioning Assessment Phase
In this phase, we assess the risk of an attacker extending their access beyond the access level intended for the user. This will be done with an approach similar to that of an application penetration test.
- Local Exploitation Phase
We will assess the privileges of the server and identify sensitive data.
- Post-Exploitation Phase
We will move laterally on the internal network, attempting to compromise the centralised architecture.
Our reports are much more than a simple list of vulnerabilities generated with an automated tool. From the methodology and strategies employed to the traces of information, our reports provide as much information as possible, enabling your teams to understand and replicate the exploitation or verification of all identified vulnerabilities.
Why choose SSL247®?
SSL247® has accredited experts with over 12 years' experience in the Web Security industry and has achieved a variety of accreditations, including the EMEA Symantec Champion Award 2014 and ISO 27001:2013 certification. We are specialists in Online Business Continuity.
Get in touch
For more information on how Penetration Testing can benefit your business, get in touch with one of our friendly accredited consultants for a no-obligation discussion.