The penetration test or pentest is an offensive security test in which a real cyber attack is simulated in a controlled environment. The objective is to find weaknesses that an attacker could potentially exploit to carry out threats such as information theft, improper access, service disruption or the installation of malware.
Pentesting is the discipline that encompasses this type of exercise. The cybersecurity team is in charge of executing the pentest under the conditions agreed with the client, including scope, objectives, modalities and necessary depth.
Black box exercises start from a total lack of knowledge of the client's infrastructure; the pentester team has no information regarding assets and users.
In white box exercises, detailed information is provided on the technologies and target applications. This includes the source code of the application, network maps, architecture, and more.
In the grey box penetration test, the team is provided with partial information about the target, such as legitimate user accounts to be used in the process, information about the technologies used or the IPs to be analyzed.
Perspectives of Penetration Test
Internal pentests are developed from the perspective of an attacker with wired or wireless access to the internal network. These tests include remote access like VPN or remote desktop.
The company's perimeter comprises all assets that are accessible through the Internet, including public IPs, websites, domains and any exposed services.
Penetration Testing Methodology
The initial phase is where we obtain as much information as possible about the target using different techniques.
Objectives are defined for system compromises, persistence, lateral movements and information exfiltration.
Identification focuses on analyzing the information collected and looking for weaknesses.
The reports allow us to see how the penetration test occurred.
In the exploitation phase, we gain access to systems that can later be used for post-exploitation work.
The internal intrusion test allows us to get a clear vision of the most relevant vulnerabilities. That together with a threat map will serve as support for external intrusion exercises and to identify the attack vectors with a path of compromise within the systems.
In in-depth pentesting, an intrusion is performed manually by expert pentesters who are familiar with the techniques and procedures commonly used by cyber attackers.
This hybrid service combines the properties of the previous ones and is delivered at routine, continuous intervals. This means that targets are defined and evaluated jointly by the cybersecurity team and the client.
Penetration testing FAQs
What is the penetration test service?
Our penetration tests are technical security reviews in which one or more assets are analyzed. The objective is to identify weaknesses that could be exploited either from the outside or from the internal corporate network. Some tests include:
- Checking the efficiency of security measures and/or security controls implemented in the corporate network
- Identifying and later exploiting the vulnerabilities as a security evaluation
- Checking feasibility for elevating user privileges due to an incorrect security architecture or due to insufficient security measures applied to applications and systems
- Retesting post-exploitation exercises of already compromised objectives (persistence, lateral movement, log tampering, etc.).
Penetration tests have a defined scope and amount of time to perform all the required tests as well as produce a final report.
The outcome of a penetration test is a technical report which includes our findings and security recommendations for the mitigation and remediation of the identified threats and vulnerabilities.
What types of penetration tests does Tarlogic offer?
Penetration tests can be classified into the following three types of exercise:
- Black Box Penetration Test: These exercises are based on the lack of information about the infrastructure to review or the asset to be analyzed. In this modality, the team in charge of performing the penetration test does not have any prior information about the technologies used, the source code of the applications, network maps nor corporate users for the analysis.
- White Box Intrusion Test: These exercises are based on detailed information made available to the team in charge of performing the penetration test. This type of test requires obtaining information on the technologies used by the company, the source code of the applications, company user accounts, network maps and the company architecture prior to starting the exercise.
- Gray Box Penetration Test: These exercises are based on partial information provided about the target, such as legitimate company user accounts, partial information on the technologies used, IP inventories of the company, domain information or other information useful for the analysis.
Apart from the different types to consider, the exercises can have different perspectives:
- Internal Penetration Test: Internal penetration tests are performed from the perspective of a cyber attacker with access to the company’s internal wired or wireless network, including remote VPN accesses to the internal network.
- External Penetration Test: External penetration tests comprise all assets published on the internet, including public IPs, websites, DNS, and any exposed services that a cyber attacker could access.
What are the industry leading tools used for penetration testing?
It is common for a pentester’s suite of tools to include a version of Linux adapted to cybersecurity, such as Kali Linux and others, as an operating system.
In addition, depending on the phase, objective, or type of work, we can use tools such as the following:
- Discovery of network segments linked to the organization: Tarlogic tools for RIR analysis (RIPE NCC, ARIN, APNIC, AFRINIC, LACNIC).
- Infrastructure reconnaissance: amass (Shodan, Censys, SecurityTrails, WhoisXMLAPI), uncover
- Sub-domain bruteforcing tools: shuffledns, puredns
- Port and service discovery: nmap, masscan, naabu
- Web application recognition: Aquatone, httpx, WaybackMachine, Waybackurls, gau
- Identification of web technologies: wappalyzergo
- Web application vulnerability analysis: Burp Suite, OWASP ZAP, Nuclei, w3af, Acunetix, Nikto
- Analysis of cipher suites: testssl, sslscan, Qualys SSL Labs
- Analysis and discovery of secrets / API keys: Trufflehog, earlybird
- Analysis and discovery of secrets in GitHub repositories: gitGrabber, gitLeaks, github-search, github-tools-collections
- Authentication/authorization vulnerability scanning: Authorize (Burp Extension)
- Out-of-band interactions tools: BurpCollaborator, interactsh
- WAFs detection/WAFs bypass analysis: wafw00f, cloudfail, hakoriginfinder
- Document metadata analysis: FOCA, Exiftool, Exiftool Scanner
- Web resource discovery: gobuster, dirbuster, wfuzz
- Tools for CMS security analysis: CMSMap, WPScan
- Automatic SQL Injection vulnerability scanning: sqlmap, sqlninja
- XSS vulnerability scanning: XSSer, XSSHunter, BeeF
- Analysis/exploitation of deserialization vulnerabilities: Ysoserial
- Testing of DoS vulnerabilities in web servers: Slowloris, SlowHTTPTest
- Vulnerability scanning tools: Nessus
- Vulnerability exploitation solutions: Metasploit
- Credential cracking: hashcat, John the Ripper
- Brute force attacks (password spraying): Hydra
Windows pentesting tools:
- Sysinternals Suite
- Network Monitor
- API Monitor
Linux pentesting tools:
- Sudo Killer
Communications and network attack analysis:
Cloud security analysis:
- Azure: ROADtools, stormspotter, microBurst, adconnectdump, ScoutSuite, Azure APIs and CLI tools.
- AWS: SkyArk, BucketFinder, Boto3, Cloudsplaining, Pacu, enumerate-iam, aws_consoler and AWS CLI tools.
- Google Cloud Platform: ScoutSuite, GCP IAM Collector, GCP Firewall Enum, GCPBucketBrute, Hayat
How much does a penetration test cost?
The cost of a penetration test varies and is calculated based on the objective you seek to achieve: the volume of assets to be analyzed, the complexity of the test, the agreed approach and the methodology used (i.e. white box, black box or mixed).
The price range could vary from €4,500 for a limited penetration test to €30,000 for a penetration test with much broader objectives. The price is also influenced by whether the work is performed once or if continuous service is required.
We strongly encourage a joint assessment between our clients and our team to determine the specific characteristics and particular requirements, so as to better define the scope and objectives of your exercise. We invite you to contact us so that our specialists can advise you on the best approach to achieve your goals.