Benefits of a Penetration Test
During a penetration test RedFox takes on the role of an attacker who penetrates your IT infrastructure. By documenting the attacks, you gain valuable knowledge about the existing vulnerabilities in your system. At the same time, the test makes sure that your IT systems are subject to control and you can prove this on the basis of the report.
Penetration tests are a good cost-benefit ratio when it comes to eliminating defects. Imagine using a vulnerability management program. Which vulnerabilities do you need to fix first? Correct, the one which can be exploited at once for an attack. A penetration test identifies these weak points and can be used to immediately lower the attack surface. This means that even less critical weak points can be addressed progressively.
Procedure of a Penetration Test
First of all, the extent and type of the test is determined together with the customer. This defines which systems can actually be accessed and whether compliance requirements exist.
During this phase, active and passive methods of information gathering are used to obtain as much details as possible about the company’s attacked infrastructure.
For this reason Port and vulnerability scanners are also among the tools used. The information thus obtained is then evaluated and sorted.
The identified vulnerabilities are exploited to gain active access to web services, applications or system services. Different techniques of attack are used to gain access.
This includes, among other things, the execution of exploits, the cracking of passwords by brute-force attacks and client-side attacks.
Depending on the service, the attacker has limited access to the system. Many services are executed with a user who does not have full access to the system. In order to extend the rights of use, incorrect system configurations or errors in the program code of other applications are exploited.
Rights of use can be extended horizontally (users with similar rights) or vertically (users with higher rights).
Once a system has been accessed, the attacked system is analyzed and important assets are filtered out as access proofs. If additional network areas are identified during the analysis, the attack on the new network section can be extended by pivoting. The process thus begins again with the acquisition of information.
The results are presented to the customer in a final report. The report is divided into several sections and contains a rough summary of the weaknesses found as well as detailed instructions on how to reproduce them.