Penetration Testing

Home > Penetration Testing

Penetration Testing

The threats and vulnerabilities your organization faces in the cyber realm are highly dynamic. Security is not an attainable static state, but a continuous practice requiring constant effort and vigilance. Our penetration testing is designed to identify and focus an organization on key points of leverage to create the largest impact on security with the least cost and effort. We help your business accomplish this by utilizing the following services.

External Network Penetration Testing

Internal Network Penetration Testing

Pivot (Assumed Compromise) Test

Wireless Penetration Testing

Of targets have

1 Critical Vulnerability

Increase in

Cybercrime Since 2019

Internal Penetration Test

During this phase, we perform port scans, vulnerability scans, and testing for all computers, devices, databases, and networking equipment on in-scope networks. We then validate the scan results to weed out false positives by manually verifying a subset of results within particular vulnerability classes and review the discovered vulnerabilities. We include ones marked as “Low” or “Informational,” as well as manually probe the in-scope networks to look for additional methods of entry or compromise not flagged by a scanner.

External Penetration Test

In an External Penetration test, we perform a vulnerability scan of your company’s externally-facing (public) systems, manually verify issues, and exploit issues.

Pivot Test

Starting as a least-privileged user, we attempt to gain access to other systems, identify sensitive information, escalate privileges on the network, and pivot to other areas of the network using a local system with only normal user credentials provided by you. The level of access used as a starting point simulates what an attacker may have gained through a successful phishing email campaign or by imitating an employee or contractor. This item is meant to highlight the “unknown unknowns” and assist your company with understanding what can happen and how – ultimately allowing you to raise the bar on your internal security.

The first penetration testing phase is reconnaissance. In this phase, the tester gathers as much information about the target system as they can, including information about the network topology, operating systems and applications, user accounts, and other relevant information. The goal is to gather as much data as possible so that the tester can plan an effective attack strategy.

Enumeration is the method that a penetration tester uses to identify information about in-scope assets. A pen tester will use an automated process to identify all active IP addresses within the scope and some limited information about those devices, such as type and operating system version. This information is then used for further automated and manual testing. Enumeration can happen several times within a single pen test on different parts of a network. A bad actor will also use enumeration to identify systems to compromise.

In the exploitation phase, the penetration testers try to exploit security weaknesses actively. Exploits are developed to, for example, gather sensitive information or to enable the ethical hacker to compromise a system and manifest themselves on it. Once a device is successfully compromised, it is quite often possible to penetrate more systems because the malicious users now have access to more potential targets that were not available before.

Active Directory Security