Penetration Testing



SilentCitadel Penetration Testing Service™ is designed to show how an attacker can exploit vulnerabilities to gain unauthorized access to your firm’s environment and use these compromised systems as a base for attacks deeper into your network.

An important advantage to your firm gained through our pen-testing process is that it gives your security personnel real experience in dealing with an actual intrusion.

Your company may have all the appropriate policies and procedures in place, but it is only through the practice of safe “fire drills” that the incident response team can develop a working strategy on how to proceed in an otherwise unusual environment.

Penetration Testing – A Multi-Part Process

A penetration testing procedure should be ordered after each significant alteration to your organization’s IT infrastructure, and at least once a year. The testing should consist of several elements, including:

  1. Planning and Preparation
  2. Real-world and Online Reconnaissance
  3. Vulnerability Scanning
  4. Vulnerability Assessment
  5. Vulnerability Exploitation
  6. Privilege Escalation
  7. Maintaining Access
  8. Report to Management & Technical Staff
1. Planning and Preparation
The preparation and planning stage is the single most important step contributing towards a successful penetration test. We schedule meetings with your firm to determine the scope, objective(s) of the penetration test and the parties involved.
The goals of a penetration test must be defined and agreed upon by both the pen-testers and your firm (the owner of the network). Just as important are the limits that we as pen-testers must not cross.
In most cases the objective of a penetration test is to demonstrate that exploitable vulnerabilities exist within an organization’s network infrastructure. The scope of the penetration test is set by identifying the machines, systems and networks involved, the operational requirements, and the staff who will take part. The form in which the results of the test are presented should also be agreed upon by the penetration testers and the organization.
2. Real-world and Online Reconnaissance
A penetration test almost always needs to begin with an extensive information gathering phase. Open Source Intelligence (OSINT) helps us build a profile of the target firm and of its systems and website.
OSINT is information collected from public sources, particularly the Internet. The amount of available information is considerable — most intelligence and military organizations are actively engaged in OSINT activities to collect information about their targets, and to guard against data leakage about them.
The gathered data can be used to identify servers, domains, version numbers, vulnerabilities, mis-configurations, exploitable endpoints and sensitive information leakages.
On several occasions, our search queries have identified interesting files (log files for example) that contain sensitive information and the full system path of different applications.
The more targeted information we find for a pen-test, the better the chances of identifying the easiest and fastest way to succeed. Black-box testing requires more reconnaissance than white-box testing because the pen-testers are not given internal information about the environment up front.
3. Vulnerability Scanning
After confirming and investigating the target through reconnaissance, the next step is to assess the vulnerability of the target systems and/or website.
We use vulnerability scanners to find hidden vulnerabilities across all designated attack vectors (including computers, network systems, operating systems, websites, and software applications). Vulnerability scanners have a database of known vulnerabilities, can check the network and websites against thousands of known vulnerabilities, and provide a list of issues ranked by risk.
Some scans are relatively simple, such as determining if a port on a device is open, while others are more complex, such as assessing if a web database application is vulnerable to a SQL injection attack.
We recommend a vulnerability scan be performed continuously on the firm's systems and website in order to keep up with new systems being added to networks, changes that are made to systems, and the discovery of new vulnerabilities.
4. Vulnerability Assessment
This next step involves identifying, quantifying and prioritizing (or exploitation ranking) the thousands of granular vulnerabilities discovered in the targeted systems.
Vulnerability assessment and security audits often come at this stage of the target assessment process. The information gathered during reconnaissance can improve the accuracy of identifying potential vulnerabilities, shorten the time it takes to target services, and help avoid triggering existing security controls.
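The prioritization step described above, as an added example that is not SilentCitadel's own tooling: a small exploitation-ranking routine that weights constructed scanner findings by CVSS score, an assumed per-host asset criticality, exposure and exploit availability, so assessment effort goes to the most exploitable issues first.

```python
# Added example (not code from the original page). Ranks scanner findings by an
# assumed exploitation-ranking formula; the findings and weights are constructed.
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    port: int
    plugin: str
    cvss: float             # base score 0.0-10.0 as reported by the scanner
    exploit_available: bool  # public exploit known for this issue
    internet_facing: bool    # reachable from outside the firm's network

# Assumed per-host weighting supplied by the client during scoping:
# a database server counts for more than a workstation.
ASSET_CRITICALITY = {"web01": 1.0, "db01": 1.5, "wks17": 0.6}

def priority(f: Finding) -> float:
    """Exploitation ranking: CVSS scaled by asset value, then boosted for
    issues that have a ready exploit and for Internet-exposed services."""
    score = f.cvss * ASSET_CRITICALITY.get(f.host, 1.0)
    if f.exploit_available:
        score *= 1.5
    if f.internet_facing:
        score *= 1.25
    return score

def rank(findings):
    """Highest-priority findings first; these are assessed and exploited first."""
    return sorted(findings, key=priority, reverse=True)

# Constructed sample scanner output for illustration only.
SAMPLE = [
    Finding("web01", 443, "TLS 1.0 enabled", 5.3, False, True),
    Finding("db01", 1433, "Unpatched database service", 9.8, True, False),
    Finding("wks17", 445, "SMB signing disabled", 5.9, True, False),
    Finding("web01", 80, "SQL injection in login form", 9.1, True, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):6.2f}  {f.host}:{f.port}  {f.plugin}")
```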
5. Vulnerability Exploitation
Most exploits are developed for specific vulnerabilities and can cause unpredictable results if performed incorrectly. The best approach is to identify a few vulnerabilities and then develop an attack strategy against those that are most likely to be exploitable. The process of exploiting the vulnerabilities of the target system may be manual or automated, depending on the ultimate goal.
The following are some of the exploitation goals: exploiting vulnerabilities; gaining access; capturing unauthorized data; actively carrying out social engineering; attacking other systems or applications; and, most importantly, recording the findings.
6. Privilege Escalation
Gaining initial access does not guarantee that the objectives of the test can be completed. In many cases, making use of a compromised system requires access to restricted data and resources, and an attacker needs elevated privileges to reach critical assets (sensitive data, critical infrastructure).
Privilege escalation may involve discovering and cracking passwords, taking over user accounts, reaching unauthorized areas of the IT environment, and so on. For example, an attacker who starts with limited user access could locate a shadow file containing administrator password hashes, recover the administrator password by cracking it, and then reach internal applications with administrator access.
7. Maintaining Access
This step maintains access by establishing additional entry points to the target and, where possible, covering the evidence of penetration. The penetration process may trigger a defense mechanism, so the penetration tester needs to secure continued access to the network.
The best approach is to establish other means of access to the target as insurance in case the primary path is closed. Alternative access methods can be backdoors, new administrator accounts, encrypted channels, new network access channels, and so on.
Another important aspect of establishing a foothold in the target system is the removal of evidence of penetration. This can make detection of attacks more difficult, and thus can reduce the security defense response. Clearing evidence includes deleting user logs, masking existing access channels, and clearing traces of corruption (such as error messages caused by the infiltration process).
The goals of establishing a foothold on the target system are as follows: establishing multiple access points on the target network; removing evidence that access has been gained; repairing the affected system; using encryption and other means to hide the communication channel; and recording the findings.
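The defensive counterpart to the foothold activities listed above (new administrator accounts, deleted logs), as an added example that is not part of the original page: a small detector run over constructed Windows Security event records. The event IDs 4720 (account created), 4732 (member added to a local group) and 1102 (audit log cleared) are real; the records, account names and line format are made up for this illustration.

```python
# Added example (not code from the original page). Flags the persistence and
# evidence-removal actions a pen-test "maintaining access" phase produces, using
# constructed event records in an assumed "<time> <event id> key=value ..." layout.
import re

# Constructed sample records: a service account creates "helpdesk2", adds it
# to Administrators, the new account logs on, and the Security log is cleared.
# The final record is a routine account creation that should not alert.
SAMPLE_EVENTS = """\
2024-03-02T01:12:07Z 4720 subject=CORP\\svc_backup target=CORP\\helpdesk2
2024-03-02T01:12:09Z 4732 subject=CORP\\svc_backup member=CORP\\helpdesk2 group=Administrators
2024-03-02T01:40:55Z 4624 subject=- target=CORP\\helpdesk2 logon_type=10
2024-03-02T02:05:13Z 1102 subject=CORP\\helpdesk2
2024-03-02T09:00:00Z 4720 subject=CORP\\hr_admin target=CORP\\jdoe
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d+) (?P<fields>.*)$")

def parse(line):
    """Turn one record into a dict; returns None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split())
    return {"ts": m["ts"], "eid": int(m["eid"]), **fields}

def detect(text):
    """Return alert strings for new-admin persistence and audit-log clearing."""
    events = [e for e in (parse(l) for l in text.splitlines()) if e]
    created = {e["target"] for e in events if e["eid"] == 4720}
    alerts = []
    for e in events:
        # A freshly created account placed straight into Administrators is the
        # "new administrator account" foothold described in the text.
        if e["eid"] == 4732 and e.get("group") == "Administrators" and e.get("member") in created:
            alerts.append(f"new admin account {e['member']} created and elevated by {e['subject']}")
        # Event 1102 is written when the Security log is cleared; it survives
        # the clearing and is the primary signal for deleted logs.
        if e["eid"] == 1102:
            alerts.append(f"security log cleared by {e['subject']} at {e['ts']}")
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("ALERT:", a)
```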
8. Report to Management and Technical Staff
The reporting stage is the last phase of the penetration test methodology. The reporting phase builds on the results from the previous three stages or, if so decided, takes place after the attack phase.
Our final report incorporates the client's feedback regarding the original report on vulnerabilities and their impact on the client's business. We work with their IT and InfoSec departments to remediate and find solutions to the attack vectors exploited. Our goal is to exceed the client's expectations in our penetration testing analysis.