Penetration Testing

Penetration testing approach and stages

Goals & Objectives

  • Detection of vulnerabilities that could be used by external attackers to gain unauthorized access through the outer perimeter of the Customer's secure corporate network, with the aim of harming the organization or gaining financial benefit (interfering with the operation of automated systems, gaining access to confidential data).
  • Detection of vulnerabilities that could be used by internal attackers to gain unauthorized access to the Customer's protected internal IT resources, with the aim of harming the organization or gaining financial benefit (interfering with the operation of automated systems, gaining access to confidential data).
  • Providing analysis results that include:
    • audit evidence of the detected vulnerabilities;
    • ranking of the discovered vulnerabilities by level of risk;
    • recommendations on how to eliminate the detected vulnerabilities;
    • approaches to improving the current information security management measures.

Some members of our team are certified, and some are not. We are always asking ourselves: do the bad hackers care about certifications?

Our approach

Open Source Intelligence

Searching for and verifying information about the testing scope: the software types and versions in use, employee contact information, domain names, email addresses, logins, metadata extracted from published files and other data that could be used in an attack on the customer's IT infrastructure.

IT System Services Scanning, Analysis and Validation

Scanning the hosts specified in scope and enumerating the active services for further reconnaissance; identifying the target hosts for deeper investigation.

Vulnerability Search and Exploitation

Searching for potential vulnerabilities in IT systems and services and manually verifying whether they can be exploited. Manual validation of exploitation removes false-positive findings.

Attack Design

Using the discovered and validated vulnerabilities to demonstrate information security risk; developing attack models and scenarios.

Audit Events Collection and Reporting

Collecting audit events (logs, screenshots, etc.) and reporting to the Customer on the detected vulnerabilities, their risk ranking, how they were exploited and how to eliminate them.

Stages & Reports

External Penetration Testing

Initialization

Conclusion of the contract for service delivery and signing of the NDA (the engagement letter entitling us to conduct such work within the agreed time frame).

External penetration testing

Analysis of the customer's outer security zone beyond the corporate network, with detailed investigation of hosts and web services. Scanning is performed remotely.

  • Testing methods:
    • Black-Box
    • Grey-Box
    • White-Box
  • Testing phases:
    • Open source intelligence
    • Search and analysis of IT systems and services
    • Searching for vulnerabilities
    • Simulation and conducting of attacks
    • Audit evidence collection and reporting
  • Key phases:
    • Web applications and services testing
    • Metadata analysis
    • Breaching the external corporate network perimeter

Internal Penetration Testing

Analysis of the internal security state within the corporate network, with detailed investigation of hosts, web services and Wi-Fi SSIDs. Scanning is performed onsite.

  • Testing methods:
    • Black-Box
    • Grey-Box
    • White-Box
  • Testing phases:
    • Infrastructure exploration
    • Services and hosts enumeration
    • Vulnerability search and exploitation
    • Audit evidence collection and reporting
  • Key phases:
    • Password strength analysis
    • Finding redundant access to resources and insufficient configurations
    • Obtaining the highest privileges on the network
    • Wi-Fi network security testing

Stage 3 – Analysis Of The Internet / Mobile Banking System Protection

Stage 4 – Social Engineering Penetration Testing

Selecting employees to test, creating attack scenarios against users (email, Internet, phone calls, etc.), and then carrying out the attacks.

ISECOM OSSTMM (Open Source Security Testing Methodology Manual) – a high-level methodology for security systems testing, developed and maintained by the consortium “Institute for Security and Open Methodologies”. During the project, the methodology will be used as a basis for planning and coordinating services, as well as for reporting project results.

OWASP (OWASP Testing Guide) – the industry standard for penetration testing of web applications and related technologies. The methodology will be used for web application testing.

Penetration Testing Model (BSI) – a research study of methods and approaches in penetration testing. The study will be used to structure the approach and increase the effectiveness of testing.

ISACA IS auditing procedure «P8 Security Assessment – Penetration testing and vulnerability analysis» – a procedure for performing penetration testing.

PCI DSS: Penetration Testing Requirements – the penetration test requirements for compliance with the PCI DSS standard. The requirements will be used to verify the approach and scope of the procedures.

ASV Security Scanning Procedure, PCI SSC – the vulnerability scanning requirements for PCI DSS compliance. The document will be used to verify the scope of the services provided.

PTES (Penetration Testing Execution Standard) – an innovative methodology developed by a group of penetration testing, security audit and social engineering specialists. The methodology will complement OSSTMM in project planning and coordination and will also be used during the manual search for and analysis of vulnerabilities in the IT systems within the scope of the test.

NIST SP800-115 (Technical Guide to Information Security Testing and Assessment) – a method for instrumented security testing of IT systems. This technique will be used at the stage of automated search for and analysis of vulnerabilities within the scope, as well as during possible simulations of attacks using the identified vulnerabilities.

Reporting

A high-level executive summary that includes the identified positive aspects of security, the main risks and the principal threat vectors, together with a detailed technical report of the vulnerabilities found, their ranking and recommendations for their elimination.

Emails sent: 1189
Emails read: 636
Emails deleted without being read: 48
Auto replies: 59
Users who replied to the message: 43
Number of users who entered credentials: 296
Number of users who launched macros: 58
Number of times credentials were entered (POST requests to paramsget.php): 660
Number of times macros were launched (GET requests to login.php with data): 168

* We can provide a sample of reporting upon request.

Common usage methodologies

We perform social engineering attacks using all possible techniques: phishing, vishing, pretexting, baiting, quid pro quo, tailgating (piggybacking), Techie Talk and whaling, in addition to our own techniques based on our systems.

The most common options:

  1. Using phishing sites to obtain user credentials.
  2. Using malicious office documents and files to obtain information or remote access.
  3. Spreading portable malicious media to obtain remote access and/or spread malware («road apple»).
  4. Interacting on social networks to obtain information and spread malicious documents.
  5. Social (Engineer) Networking.
  6. Neuro-linguistic programming (NLP), anchoring and reframing.
  7. Using fake email messages (changing the “From” address).
  8. Using fake phone calls (our own system for changing the caller ID) (pretexting/vishing).
  9. Reverse social engineering.

Based on the results of the penetration test and social engineering, a «road map» will be developed to minimize the risks related to the identified weaknesses, eliminate them, and reduce the possibility of their recurrence in the future.

Based on the results of preliminary Open Source Intelligence, the following data will be obtained:

  • List of email addresses
  • Employee positions
  • User credentials
  • Information about the external infrastructure
  • Metadata of available files
  • List of PCs in the network
  • General file resources
  • List of printers
  • Information about software