Technical Details

Penetration Testing

External
An external penetration test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is exposed to the outside world. An external penetration test mimics the actions of an actual attacker exploiting weaknesses in the network security – obviously without the usual dangers. This test examines external internet-accessible devices and services such as web servers, firewalls, routers, DNS and remote access. The internet-facing components (website, email servers, etc.) of the organizations network are constantly exposed to threats from cyber criminals.

Test Criteria includes:

  • Public information & information leakage
  • DNS analysis & DNS bruteforcing
  • Footprinting
  • Port scanning
  • System fingerprinting
  • Services probing
  • Exploit research
  • Manual vulnerability testing and verification of identified vulnerabilities
  • Intrusion detection/prevention system testing
  • Password service strength testing.

Internal
An internal penetration test has a ‘behind the firewall’ focus and tests the threat of internal breaches from unauthorized access; malware that has code execution on the network; infected laptops and mobile devices brought into the network; pivot attacks of internet breached facing systems and other internal issues.

Test Criteria includes:

  • Internal network scanning
  • Port scanning
  • System fingerprinting
  • Services probing
  • Exploit research
  • Manual vulnerability testing and verification
  • Manual configuration weakness testing and verification
  • Limited application layer testing
  • Firewall and ACL testing
  • Administrator privileges escalation testing
  • Password strength testing
  • Network equipment security controls testing
  • Database security controls testing
  • Internal network scan for known Trojans

Social-Engineering
Usually part of an internal penetration test this is an attempt to manipulate an organization’s employees into allowing unauthorized access to confidential information. Examples are Spear phishing – which is a targeted email with website links or attachments that have specially crafted JavaScript; malware embedded in a PDF file; or one of the thousands of options that provide a backdoor into the system from the internet. This is a highly effective way to test intrusion detection systems, firewall filtering, proxy servers and the client’s antivirus product.

Client-side exploits cover threats that target:

  • Endpoint applications: web browsers, email clients, instant messaging, media players, business applications and productivity tools, etc.
  • Endpoint security solutions: antivirus, anti-phishing, anti-malware, host-based intrusion detection and prevention systems, etc.
  • Endpoint operating systems and services: Windows, Mac, Linux, etc.

Web Application
Web applications have become common targets for attackers. Attackers can leverage relatively simple vulnerabilities to gain access to confidential information – most likely containing personally identifiable information. We use a wide range of commercial and open source tools to perform web application penetration testing. Automated scanning and manual verification of vulnerabilities help reduce false positives and false negatives. Burp Suite Professional, in particular, is a tool very often used for hard-core manual testing of the reported results. Often we use testing of a development or staging system, as to not affect the live site. Internal, intranet and internet facing sites are all good candidates for testing on a monthly or quarterly basis as sites change often. Outsourcing site development and technologies like ColdFusion and PHP have their technical challenges to keep secure.

Our web application testing practices are based on the Open Web Application Security Project (OWASP) methodology, which includes:

  • Crawl web pages and identify URLs to test
  • Import results from popular web application vulnerability scanners, including Acunetix® Web Security Scanner, Cenzic Enterprise®, HP WebInspect®, IBM Rational AppScan® and NTOSpider®
  • Filter scan results and identify significant points of exposure
  • Fingerprint applications to select and run known exploits for off-the-shelf web applications
  • Gather information for dynamically creating exploits for custom applications
  • Impersonate authenticated users
  • Impersonate several browsers, including mobile browsers
  • SQL Injection – traditional and blind (OWASP A1)
  • OS Command Injection (OWASP A1)
  • Cross-Site Scripting (OWASP A2)
  • Broken authentication and session management (OWASP A3)
  • Insecure direct object references (OWASP A4)
  • Cross-site request forgery (OWASP A5)
  • Security misconfiguration (OWASP A6)
  • Insecure cryptographic storage (OWASP A7)
  • Failure to restrict URL access (OWASP A8)
  • Insufficient transport layer protection (OWASP A9)
  • Unvalidated redirects and forwards (OWASP A10)
  • Test PHP applications against remote and local file inclusion
  • Exploit WebDAV configuration weaknesses
  • Evade firewalls reveal weak HTTPS encryption

Wireless
Many wireless networks are not configured properly or, even worse, wireless networks are installed by non-IT staff to extend their networks and result in exposing an organization’s internal network. A comprehensive assessment of wireless technology, type of encryption used and strength of passwords are tested via packet injection to test all known security vulnerabilities. When included with an internal penetration test, almost 50% of the time a breach is found due to weak encryption or authentication mechanisms.

Test Criteria includes:

  • Key capabilities discovery of both known and unauthorized Wi-Fi networks and access points
  • Identification of devices interacting with the network
  • Information gathering on network strength, security protocols and connected devices
  • Attack and penetration of networks encrypted with WEP, WPA-PSK and WPA2-PSK
  • Man-in-the-Middle (MiTM) attack replication
  • Beaconing machine detection
  • SSID impersonation
  • Automated traffic sniffing for finding streams of sensitive data
  • Capabilities for joining cracked networks and testing backend systems
  • Comprehensive reporting of wireless testing activities and findings
  • Seamless pivoting between wireless, network, web application and endpoint tests, replicating multi-staged attacks that trace chains of vulnerabilities to sensitive backend data

Mobile
We can demonstrate the exploitability of iPhone®, Android™ and BlackBerry® smart phones using the same attack techniques employed by criminals today. We demonstrate how mobile devices in your environment can be compromised, but also reveal how attackers can access and manipulate device data to obtain your organization’s intellectual property and potentially defraud, defame or blackmail its end-users.

Examples include:

  • Phishing – Enables you to send emails and texts that determine whether your organization’s employees would fall prey to phishing and spear phishing attacks by clicking through to malicious sites and/or installing nefarious mobile apps.
  • Web form impersonation – Assess data leakage threats by conducting phishing tests seeded with links to web forms designed to capture and record user-entered data, such as usernames and passwords.
  • Fake wireless access points – Impersonate valid wireless access points in an attempt to trick users into connecting their devices to them.
  • Wireless man-in-the-middle (MITM) attacks – Identifies and monitors wireless networks that have either no encryption or WEP-based encryption and observe any connected devices.