Penetration-Testing
“Security – A Hacker's Perspective”
Want a view of your web application, network and IT infrastructure from a hacker's perspective? A penetration test is a simulated attack on your IT infrastructure that follows all the steps the bad guys follow to attack your assets. It is about getting a comprehensive view of the vulnerabilities present in your IT infrastructure through the eyes of a hacker.
Our Xi-AAAG (Attack Audit Analysis Group) follows the OSSTMM methodology for conducting a pen test. OSSTMM, developed by ISECOM, is one of the most comprehensive and trusted security testing methodologies available.
The following are the major steps of a pen-test:
- Planning stage
- Gathering information / Footprinting
- Scanning / Enumeration
- Verifying vulnerabilities
- Exploiting / Penetrating and getting proof of concept
- Privilege escalation as required
- Reporting / Presentation
Types of Penetration Tests
White-Box
The testing team has carte blanche access to the testing network and has been supplied with network diagrams and hardware, operating system and application details, etc., before the test is carried out. This does not equate to a truly blind test, but it can speed up the process a great deal and leads to more accurate results. The amount of prior knowledge leads to a test that targets the specific operating systems, applications and network devices that reside on the network, rather than spending time enumerating what could possibly be on the network. This type of test equates to a situation in which an attacker has complete knowledge of the internal network.
Black-Box
The testing team has no prior knowledge of the company network. An example of this is when an external web-based test is to be carried out and only a website URL or IP address is supplied to the testing team. It would be their role to attempt to break into the company website or network. This equates to an external attack carried out by a malicious hacker.
Grey-Box
The testing team simulates an attack that could be carried out by a disgruntled or disaffected staff member. The team is supplied with a user account with appropriate user-level privileges and is permitted access to the internal network through the relaxation of specific security policies present on the network, i.e. port-level security.


