Now Hiring: Are you a driven and motivated 1st Line IT Support Engineer?

Infrastructure Penetration Testing

  • Home
  • Infrastructure Penetration Testing

Infrastructure Penetration Testing

visio-1024x622-1

nfrastructure penetration testing or “network penetration testing” is one of the most common types of penetration testing. The servers, routers, switches – practicly any device that is connected to the network – are tested for a wide range of vulnerabilities including missing security patches, misconfigurations, known and unknown vulnerabilties that will negatively impact your security posture.

Infrastructure penetration testing could be:

External
The pentest will be conducted from Internet, targeting your devices reachable from outside of the organization; Usually this assessment will include DNS, mail, web servers, routers, firewalls, and any network service that allows for connections from Internet to inside of the company, like VPNs, RDP and so on.
Internal
The pentest will target internal IT infrastructure as a whole or selected network zones, branches, offices. It is common for a Bank for instance, to test it’s ATM network zone or SWIFT network zone and this is an internal infrastructure penetration testing. There are situations when the assessment can be conducted from remote, through a VPN, or can be conducted on-site, being connected directly to the in-scope infrastructure. It is also common for an internal infrastructure penetration testing assessment to validate your network segregation efficiency, by validating your internal’s firewalls rules and ACLs.

We are providing both Black-Box and White-Box infrastructure penetration testing services, to accomodate customer’s needs and requirements. For  a Black-Box pentest type, we wil require only minimum information as possible (like IP Addressess or network ranges), while on a White-Box pentest type we will require detailed inforamtion about the infrastructure, discuss on network diagrams, understand your network’s setup in order to develop a threat model and a personalized test plan.

We are following the Pentest Execution Standard (PTES) methodology detailed in the steps below:

Pre-engagement Interactions
This is one of the most important steps in the process, as we will be defining the scope of the project, expectations, define contacts and timeline. Scope definition is a first factor for success. We will ensure that this is clearly defined, stated, and undestood by both parties. Allocated time for the project is also extremly important. The effort must be correctly sized to allow good results. Another very important aspect is represented by limitations and constrains – if there are some time intervals when the pentest should limit to, wether there are critical servers/services that should not be tested without backups or tested with special care. If there are third-parties impacted by our pentest, like ISP, cloud providers, externalized IT support, etc. – they must be identified and notified about the project, according to any legal requirements defining your business relationship.
Intelligence Gathering
Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. Here we will determine the “alive” hosts from the scope, using both automated tools like network scanners and manual interaction. Understandig the business, gathering OSINT data about the company, theiy phisical locations, offices, divizions etc. will also contribute to the identification of potential targets. At the end of this phase, we will have a map with all the targets, their open ports, running services, DNS names and any other usefull data that will aid reaching the establised goal.
Threat Modeling
The threat modeling phase of any penetration testing engagement is critical for both the testers, as well as the organization. A threat model will be created to explore assets, threats, attack vectors and conditions required for successful attack. Additionally, it enables the tester to focus on delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility and general profile of the attacker.
Vulnerability Analysis
This is the step where we will focus on discovering flaws in systems and applications which can be leveraged by an attacker. These flaws can range anywhere from host and service misconfiguration, or insecure application design. Although the process used to look for flaws varies and is highly dependent on the particular component being tested, some key principals apply to the process.
Exploitation
The exploitation phase of a penetration test focuses solely on establishing access to a system or resource by bypassing security restrictions. Using previously identified vulnerabilities, in accordance with the scope and depth of the project, we will proceed to exploit the vulnerabilities to confirm them and explore the potential impact on your organization.
Post Exploitation
The purpose of the Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. There are situations where systems are exploitable but they do not host sensitive information, or the exploit is successful but accessing sensitive data fails because of other defence-in-depth countermeasures. There is always a context, your particular setup, and this is one of the reasons our services bring value to you because we put exploitation in your context.
Reporting
This is the final step of the assessment and one of the most important in the process. We believe that quality reporting of the identified vulnerabilities along with practical remediation recommendations ensures the project’s success. Also, the impact and severity scores associated with each vulnerability will be thoroughly explained from both management and technical perspectives.

Using commercial, open source, and proprietary tools, SafeByte implements a structured testing methodology based on OWASP’s Mobile Security Testing Guide (MSTG) to make the mobile application assessment as efficient as possible. During the testing, we simulate a multitude of attacks, both general application attacks and mobile dedicated attacks. The testing simulates a real hacker and what he can do to penetrate the application and retrieve confidential information.

Do not postpone testing your IT ifrastructure, whether from external or internal access points. Any single vulnerability could allow malicious actors to get to your data, to impact your operations, your image and your business.

Discover vulnerabilities before anyone take advantage of them
Benefit from senior-level penetration testers
Take smarter decisions, based on real security risks identification
Reduce costs by preventing security incidents
Test your implemented defences efficiency