Penetration Testing

PENETRATION TESTING

Penetration testing – whether it’s internal or external, white-box, grey-box or black-box – uncovers critical issues and demonstrates how well your network, infrastructure and application assets are protected. Because DTS Red Team thinks and acts like an attacker, you can discover critical vulnerabilities and remediate them before they are exploited. DTS Red Team simulates external and internal threat actors with the ultimate goal of obtaining privileged access to your critical systems, exfiltrating sensitive data and penetrating deep into your network and systems through lateral movement. Such simulations help executive management understand the impact of a potential data breach and provide the support needed to ensure risks are mitigated.

Our penetration testing engagements identify the threats to your organization, key assets that may be at risk, and the threat agents that may attempt to compromise them. Each engagement is customized to your requirements and may span from breaching a single host to gaining deep network access.

An experienced penetration tester can mimic the techniques used by criminals without causing damage. These tests are usually conducted outside business hours or when networks and applications are least used, thereby minimising the impact on everyday operations.

We begin by identifying assignment objectives, scope of work and systems under test, and agree on rules of engagement based on the OSSTMM methodology so that all parties understand their obligations for the penetration test. DTS then executes the various attack vectors and scenarios, in many cases getting extremely creative in putting test scenarios together. Throughout the engagement, we provide ongoing status reports, immediate identification and reporting of critical risks, and knowledge transfer to your technical team. At the end of the process, we ensure you have a complete understanding of the exploitable vulnerabilities in your environment as well as recommended remediation strategies from a technical and management perspective.

PASSIVE RECON PHASE

Performing passive reconnaissance provides the tester with large amounts of information that has already been created and captured by various sources, without sending any data directly to the target. Some of the sources are part of the infrastructure required by the Internet, such as DNS records, IP address databases (ARIN), domain registrars, and other information that can be queried through WHOIS requests.

In addition to the WHOIS information, data can also be gained by looking at Social Networking sites, such as LinkedIn, Twitter, and Facebook, a target’s website, any Internet forums linked to the target, geographic and physical information around the target’s business presence, and information indexed by search engines like Google and Bing.

This information can be used in social engineering attacks, if they are within scope, in which the tester uses information gained from the passive recon activities to manipulate employees or contacts of the target into providing sensitive information. Examples include calling a help desk and using public information to pass the identity check for changing a password or forwarding a phone number.

The result of the passive recon phase is a knowledge base of potentially useful information about the target’s Internet presence, key employees, IP addresses, domain names, products, and services that will be targeted in later phases.


ACTIVE RECON PHASE

During the active recon phase, the tester takes the target network’s domain names and IP addresses and starts port scanning. This is the first time the tester actually sends traffic to the target. From the port scan output, the tester starts enumerating and documenting the services that are open on the target. Enumeration can be done via a “banner grab”, where the tester connects to the service and records what information it returns directly. In addition to the manual banner grab, automated tools can fingerprint the service based on its banner, flags set in packet headers, and other data related to the service’s operation.

The output from this phase is a list of hosts detailing the running services, ideally with service version identified.


Enumeration

  • Network mapping and host discovery
  • Service identification, vulnerability scanning, and web application discovery
  • Identification of critical systems and network protections

RESEARCH AND DEVELOPMENT

In this phase, the tester correlates the detected services against different vulnerability databases. This can be done manually by matching service names and versions, or automatically using a vulnerability scanner that matches the service version to a known vulnerability.

If no known vulnerabilities exist, or the client requests that 0-day vulnerabilities (vulnerabilities that are not yet publicly known) be used, then the process of finding or researching 0-day vulnerabilities begins.

The output of this phase is a list of hosts with their identified vulnerabilities.
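The two steps described above, identifying a service and its version from a grabbed banner during active recon and then correlating that version against a vulnerability database during R&D, as an added Python example that is not part of DTS’s material or toolset. The banners, the advisory table, its placeholder advisory IDs and its version ranges are all constructed for illustration; a real engagement would take banners from the port-scan output and use a vendor or NVD advisory feed. The point for the defending side is that a version-bearing banner is what makes an exact match possible, while a service that withholds its version comes back as a “verify manually” item rather than a clean result, so an absent version must never be read as the absence of a vulnerability.

```python
import re
from typing import Optional

# Constructed sample banners, shaped like what a banner grab of each endpoint
# might return. These are not real hosts; "example.test" is a reserved name.
SAMPLE_BANNERS = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_7.4",
    "10.0.0.5:25": "220 mail.example.test ESMTP Postfix (3.4.13)",
    "10.0.0.9:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\n\r\n",
    "10.0.0.9:443": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

# Constructed advisory table. The IDs are placeholders and the version ranges
# are illustrative only; a real engagement would use a vendor or NVD feed here.
# Each row: (product, first affected version, first fixed version, id, severity)
ADVISORIES = [
    ("openssh", "7.0", "7.7", "ADVISORY-PLACEHOLDER-1", "high"),
    ("apache", "2.4.49", "2.4.51", "ADVISORY-PLACEHOLDER-2", "critical"),
    ("postfix", "3.0", "3.4.0", "ADVISORY-PLACEHOLDER-3", "medium"),
]

# Fingerprint patterns: product name plus a regex whose first group is the version.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"^SSH-\d\.\d-OpenSSH_(\d+(?:\.\d+)*)")),
    ("postfix", re.compile(r"^220 .*ESMTP Postfix(?: \((\d+(?:\.\d+)*)\))?")),
    ("apache", re.compile(r"^Server: Apache/(\d+(?:\.\d+)*)", re.MULTILINE)),
    ("nginx", re.compile(r"^Server: nginx(?:/(\d+(?:\.\d+)*))?", re.MULTILINE)),
]


def parse_banner(endpoint: str, banner: str) -> dict:
    """Identify product and version from a raw banner; version is None when absent."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return {"endpoint": endpoint, "product": product, "version": match.group(1)}
    return {"endpoint": endpoint, "product": None, "version": None}


def version_key(version: str) -> tuple:
    """'2.4.49' -> (2, 4, 49) so that 2.4.9 sorts before 2.4.49 (string compare gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed, compared component-wise."""
    return version_key(first_affected) <= version_key(version) < version_key(first_fixed)


def correlate(banners: dict) -> list:
    """Match every enumerated service against the advisory table.

    Returns one finding per advisory hit, plus explicit entries for services
    that could not be matched, so an absent version is never mistaken for a
    clean result.
    """
    findings = []
    for endpoint, banner in banners.items():
        service = parse_banner(endpoint, banner)
        if service["version"] is None:
            findings.append({**service, "advisory": None, "severity": None,
                             "note": "version not disclosed; verify manually"})
            continue
        hits = [row for row in ADVISORIES
                if row[0] == service["product"] and in_range(service["version"], row[1], row[2])]
        if not hits:
            findings.append({**service, "advisory": None, "severity": None,
                             "note": "no matching advisory in table"})
        for _, _, _, advisory_id, severity in hits:
            findings.append({**service, "advisory": advisory_id, "severity": severity,
                             "note": "version inside affected range"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_BANNERS):
        print(f"{finding['endpoint']:<14} {finding['product'] or '?':<8} "
              f"{finding['version'] or '-':<8} {finding['advisory'] or '-':<24} {finding['note']}")
```

Running the block prints one line per endpoint: the OpenSSH and Apache services land inside an affected range, the Postfix version falls outside the table’s range, and the nginx endpoint, which reports no version, is flagged for manual verification instead of being silently skipped. The component-wise version comparison matters because a naive string comparison would place 2.4.9 after 2.4.49 and produce wrong matches.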

ATTACK PHASE

For the attack phase, the tester takes the list of hosts with corresponding services that have documented vulnerabilities and determines whether an exploit exists. As in the R&D phase, the search can be performed manually using exploit databases, or with automated tools such as Metasploit or Core Impact. DTS only uses commercially available exploits or exploits developed and tested internally, to ensure that unsafe exploit code is not used.

If exploit code does not exist, it can be created; however, a custom exploit takes longer than one that is readily available. Once a tested exploit is available for a specific vulnerability, it is launched against the target.

Proof of exploit is captured using flag files (creation of a non-executable file), screenshots, terminal captures, or other agreed-upon methods.


Exploitation

  • Research exploits and attacks based on enumerated information
  • Active exploitation of vulnerable systems and applications
  • Manual testing tailored to the deployment and business purpose of the target

POST-EXPLOITATION PHASE (OPTIONAL)

In this optional phase, the tester can attempt to pivot by leveraging the exploited system to move into other areas of the target’s infrastructure, including systems that are not meant to be directly accessible from the Internet.

If the test is meant to go undetected by system and network administrators, the tester will attempt to cover the evidence of the exploit by deleting logs or creating false information to disguise the attempt.

In some cases, for longer-term testing, backdoor access will be left or a rootkit installed to allow the tester access after the initial exploit. From this access the tester can search for sensitive or targeted information relevant to the engagement.

Escalation

  • Escalate privileges and compromise credentials
  • Leverage compromised systems to gain new access further into the network
  • Attempt to access business-critical systems or information to demonstrate impact

PENETRATION TEST REPORT

After completion of the testing, the findings are categorized, risk ratings are assigned based on the likelihood and impact of exploitation, and mitigations are recommended to prevent others from using the same exploits and vulnerabilities. The findings are delivered in a report containing summarized data as well as individual findings that can be passed to technical remediation teams in order to create a Plan of Action and Milestones (POAM).

Why Choose DTS as your Penetration Testing Partner

More than 300 clients rely on our comprehensive technical security assessment services because we:
• Extend beyond the tools: Our approach goes beyond the use of automated tools and processes to include deep knowledge of how compromises occur in government, financial and commercial organizations.
• Follow a time-efficient process: We ensure all assessments are effectively executed within limited engagement windows by prioritizing the testing of critical devices and components and their respective potential vulnerabilities, and by abiding by the rules of engagement.
• Deliver deep insight: Our assessments provide you with valuable and actionable insights into discovered vulnerabilities, potential attack paths, the business impact of breaches, and remediation steps.
• Help you address the issues: Experienced, skilled testers develop our comprehensive reports, so you can easily understand the actionable information contained within them.
• Stay ahead of the evolving landscape: Our team members undergo extensive training, participate as industry thought leaders, take part in hackathons and CTFs, and have earned industry certifications, including LPT, GCIH, GWAPT, CREST CRT, MCSE, RHCT, OSWP, OSCP, OSCE, CEH, eWPTX, PMP, and CISSP.

Contact us to learn more about Penetration Testing