Penetration testing

 

Gain a realistic understanding of how an attacker can detect and exploit your vulnerabilities

 

What's a penetration test and what's its purpose?

 

A penetration test is a security assessment in which a cybersecurity professional attempts to detect and exploit vulnerabilities in a computer system or network.
The main goal of a penetration test is to simulate a real attack in order to identify weak points and security flaws in the system.
It's important to note that these tests are completely legal and are conducted with the explicit consent of the system/network owner.

Perspective: external or internal

 

An external penetration test assesses the security of a network or system from the outside, as an external attacker trying to gain access would. An internal penetration test, on the other hand, simulates an attack from within the network or system, such as an employee attempting to access sensitive information. The perspective from which the test is performed affects how the penetration test is planned and carried out.


 

Approach

 

Penetration testing simulates real attacks to evaluate the security of a computer system/network, with approaches such as blackbox, whitebox, and graybox depending on the pentester's prior knowledge of the system:

 

- Blackbox: Tests are performed without any prior knowledge of the target system. The objective is to identify vulnerabilities and weak points from the perspective of a typically unknown external attacker.

 

- Whitebox: The pentester has full access to the source code, documentation, and other necessary resources, allowing for a comprehensive and detailed evaluation that can uncover issues that would be impossible to discover otherwise.

 

- Graybox: It's a hybrid approach that combines aspects of both blackbox and whitebox testing. The pentester has limited knowledge of the system, such as access to some credentials or relevant information. The goal is to simulate an attack by an internal user or an attacker who has obtained a certain level of prior information.

 

 

Methodology

 

At Intense Security, we use different methodologies depending on the scope and type of the test. We adapt methodologies and frameworks such as PTES, OSSTMM, OWASP, among others, for each situation. The most common phases are:

 

- Pre-engagement: This phase involves defining the test objectives and scope, planning necessary preparations, and arranging meetings.
- Reconnaissance: Collecting information about the target system passively and actively.
- Vulnerability scans: Discovering, testing, and analyzing vulnerabilities using both automated and manual techniques.
- Exploitation: Attempting to exploit the vulnerabilities to gain access and control of the target system.
- Post-exploitation: Consolidating the gained access, maintaining it, escalating privileges, or pivoting.
- Reporting: Presenting the results and recommendations in a clear and concise manner.
- Post Verifications: Verifying that the identified vulnerabilities have been fixed and that the system is secure after the penetration test.

 

Note: These are general activities, and each engagement considers the client's specific circumstances, including legacy systems, client availability, communication methods, contact persons, and other limitations that are discussed before the test.

 

Our penetration testing services

 

We perform the following penetration testing services:

 

Realistic attack simulations, both internal and external, are performed on the computer network and infrastructure.

The security of web applications, whether published or internal, is evaluated using a methodology to verify known attacks on both web pages and APIs.

The main objective is to evaluate the application to identify vulnerabilities and configuration issues in a static and dynamic way.

Cloud systems, IoT devices, or specific Active Directory attacks, among others, are analyzed. Contact us if you have any questions.

Reasons to choose Intense Security!

+5

Years of experience

5

Certifications

7

Different sectors

4

Languages