Security tests
Definition
From the attacker's point of view, the principle of a computer attack is the following: break into an information system by exploiting configuration mistakes, application vulnerabilities (system and network), or social engineering (the human factor).
If the attack succeeds, the attacker remotely takes over the vulnerable system and may:
- read and alter confidential data (emails, reports, passwords, contracts, credit card numbers, etc.);
- install resident programs that let them come back later much more easily and stealthily;
- launch attacks from these computers against the other computers of the same information system, exploiting the lack of protection inside it;
- launch attacks from those computers against external systems unrelated to the compromised information system, for which the company may be held responsible;
- damage the compromised company's reputation (e.g. homepage defacement).
In a penetration test (PenTest), the information system is subjected to attacks similar to those carried out by real-world attackers. The security level of the system is assessed and all of its vulnerabilities are identified. Finally, at the end of the test, corrective solutions are proposed.
Common features
The vulnerability test and the penetration test are both a security analysis of a specific target. The "blind test" is the default: the analysis is carried out without prior knowledge of what the target system is.
Both tests come with a fully detailed report and an advising meeting.
The vulnerability test
A vulnerability test is an analysis of the security vulnerabilities and weaknesses found in the information system. It provides a kind of "inventory of fixtures" of the system: the vulnerabilities found are organized into a hierarchy sorted by criticality.
This test comes with a system cartography that is partial for an external audit and complete for an internal audit.
The penetration test or PenTest
A PenTest consists of two parts. The first is a vulnerability test of the target system. The second exploits one or more of the vulnerabilities found in order to get into the information system.
This test comes with evidence proving that the system was penetrated, solution suggestions, and a full system cartography.
Internal or external?
Corporate Hackers offers each test as an internal audit or as an external one.
The external test simulates a motivated attack coming from the Internet.
Nevertheless, 20-30% of computer disasters originate from the inside.
The internal test is a prerequisite for drawing up the corporate security policy and/or continuity plan. It makes it possible to draw a full cartography of the internal network.
Options
Four options are available for these tests.
Denial of Service
This option tests the target server's resilience against a DoS attack. It can be carried out by using a vulnerability spotted during the vulnerability test or by flooding the target with more connection requests than it can handle. This test may be run outside working hours in order to minimize the impact on users.
Social engineering
This option introduces the human factor into the analysis: people may be assessed as a potential vulnerability or used as a source of help in breaking into the system.
System-type awareness
The "blind test" is the default. With this option, however, the tester is told what the target system is. The main objective is to analyze a specific, sensitive piece of equipment of the information system according to the customer's needs.
WiFi
When a company has set up a WiFi network, the test attempts to bypass its authentication process in order to reach the local network and launch a security test from there.
Comparison table
|                                | Vuln. Int. | Vuln. Ext. | Intr. Int. | Intr. Ext. |
|--------------------------------|------------|------------|------------|------------|
| Network cartography            | partial    |            |            |            |
| Automatic tools                |            |            |            |            |
| Manual analysis                |            |            |            |            |
| Public databases               |            |            |            |            |
| Private databases (0'dayz)     |            |            |            |            |
| Intrusion                      |            |            |            |            |
| Remote analysis                |            |            |            |            |
| Technical report               |            |            |            |            |
| Executive report               |            |            |            |            |
| Evidence                       |            |            |            |            |
| Risk hierarchical organization |            |            |            |            |
| Solution suggestions           |            |            |            |            |
| Advising meeting               |            |            |            |            |
Methodology
A security test is usually launched from outside the network, or even from outside the target organization. The "blind test" is the default: the customer gives no information beyond the scope of the test.
In order to simulate real attackers as closely as possible, four main steps are followed:
Step 1: Information gathering
The objective of this step is to identify the accessible systems (routers, network equipment, servers, firewalls), as well as their operating systems, the services they provide, and the versions of the related programs. All the information essential to the success of the following steps is gathered here.
Step 2: Research & Development
Using the previously gathered data, this second step determines whether the systems found during the first step are affected by known vulnerabilities and whether those vulnerabilities are likely to compromise the system's security. If not, new attacks must be developed: attacks specific to the analyzed information systems, reflecting what a motivated professional attacker who is not limited to publicly available data and tools could do.
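The core of steps 1 and 2, and of the vulnerability test's "hierarchy sorted by criticality", is crossing an inventory of (host, service, version) with a table of known vulnerabilities and ranking what matches. The following Python script is an added example of that matching, not Corporate Hackers' own code; the hosts, service names, version ranges and scores are constructed sample data, and the `EXAMPLE-000x` identifiers are placeholders rather than real advisories. It also shows the detail a practitioner gets wrong most often: comparing versions numerically rather than as strings, so that 2.4.49 is correctly seen as newer than 2.4.9.

```python
"""Match a service inventory against known-vulnerability ranges and rank
the findings by criticality.

Added example, not Corporate Hackers' code. All hosts, service names,
version ranges and scores below are constructed sample data; the
vulnerability identifiers are placeholders, not real advisories.
"""

# Constructed inventory, in the shape step 1 (information gathering) produces.
INVENTORY = [
    {"host": "10.0.0.5", "service": "ExampleHTTPd", "version": "2.4.49"},
    {"host": "10.0.0.7", "service": "ExampleHTTPd", "version": "2.4.52"},
    {"host": "10.0.0.9", "service": "ExampleFTP", "version": "1.3.5"},
]

# Constructed vulnerability table: each entry affects versions in the
# half-open range [min_version, max_version) and carries a 0-10 score.
KNOWN_VULNS = [
    {"id": "EXAMPLE-0001", "service": "ExampleHTTPd",
     "min_version": "2.4.0", "max_version": "2.4.51", "score": 9.8},
    {"id": "EXAMPLE-0002", "service": "ExampleHTTPd",
     "min_version": "2.4.0", "max_version": "2.4.53", "score": 5.3},
    {"id": "EXAMPLE-0003", "service": "ExampleFTP",
     "min_version": "1.3.0", "max_version": "1.3.6", "score": 7.5},
]


def parse_version(text, width=4):
    """Turn a dotted version string into a zero-padded integer tuple so that
    comparisons are numeric: "2.4.49" > "2.4.9", and "2.4" == "2.4.0".
    Trailing non-digits in a component ("49p1") are ignored."""
    parts = []
    for component in text.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_affected(version, min_version, max_version):
    """True when min_version <= version < max_version (numeric comparison)."""
    v = parse_version(version)
    return parse_version(min_version) <= v < parse_version(max_version)


def criticality_level(score):
    """Bucket a 0-10 score into the tiers used for the risk hierarchy."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def match_inventory(inventory, vulns):
    """Cross the inventory with the vulnerability table and return the
    findings sorted from most to least critical (the sort is stable, so
    equal scores keep inventory order)."""
    findings = []
    for asset in inventory:
        for vuln in vulns:
            if vuln["service"] != asset["service"]:
                continue
            if is_affected(asset["version"], vuln["min_version"], vuln["max_version"]):
                findings.append({
                    "host": asset["host"],
                    "service": asset["service"],
                    "version": asset["version"],
                    "id": vuln["id"],
                    "score": vuln["score"],
                    "level": criticality_level(vuln["score"]),
                })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def summarize(findings):
    """Count findings per criticality tier, most severe first."""
    counts = {}
    for level in ("critical", "high", "medium", "low"):
        n = sum(1 for f in findings if f["level"] == level)
        if n:
            counts[level] = n
    return counts


if __name__ == "__main__":
    results = match_inventory(INVENTORY, KNOWN_VULNS)
    for f in results:
        print(f"{f['level']:<8} {f['score']:>4}  {f['host']:<10} "
              f"{f['service']} {f['version']}  {f['id']}")
    print(summarize(results))
```

With the constructed data the script reports four findings: one critical (10.0.0.5 on EXAMPLE-0001), one high (10.0.0.9 on EXAMPLE-0003) and two medium (both hosts on EXAMPLE-0002); 10.0.0.7 is outside the EXAMPLE-0001 range because 2.4.52 is above its upper bound. Real version-based matching has to cope with vendor back-ports, where a fixed package keeps an old version string, which is why the report the page describes is followed by manual analysis rather than delivered straight from the automatic tools.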
Step 3: Penetration
The security tools, whether or not specifically developed for the target systems, are now used against the identified computers in order to break in without authorized access.
Step 4: Bouncing
Once inside the corporate network, the local network's equipment can be identified and attacked. From there it is even easier to scan the internal network connections and to collect users' passwords.

