The security of your computer network can be compromised by external attackers, but also by internal ones. Our internal penetration tests evaluate the impact an attacker could have on the components of the information system reachable from the company network. Unlike a Red Team engagement, only the security of IT resources is assessed, not the security of physical premises or the vigilance of staff.
There are two types of internal audits:
A black-box internal audit evaluates the threats posed by an attacker connected to an Ethernet socket with no user account. We sometimes call it a 'plumber's audit'.
A grey-box internal audit evaluates the threats posed by an attacker holding a user account with standard privileges. We sometimes call it a 'trainee audit'.
The common prerequisite for both types of test is to be able to connect to an Ethernet socket on your internal network without being blocked by a Network Access Control (NAC) mechanism such as 802.1X. We can also perform this LAN audit from a user workstation.
Our audit and pentest methodology is based on the PTES (Penetration Testing Execution Standard) and aims to make the best use of the time allotted to the audit. We also respect the scope you set for us in terms of targets, time window and types of attack.
We begin with an enumeration phase, during which we discover the machines and services exposed on the network range we are connected to, then repeat the process on the other networks of your company. We use the well-known nmap tool, as well as tools and scripts of our own design, to speed this process up.
Once we have a consolidated view of the main networks in your infrastructure, we exploit the flaws that allow us to elevate our privileges and retrieve confidential and sensitive data. Note that if your internal network is very large, you can indicate the main networks on which you would like us to focus.
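The "consolidated view" produced by the enumeration phase is essentially a per-network summary of which hosts expose which services, with the ones worth following up (SMB, LDAP, Kerberos, database servers...) singled out. The script below is an added example, not AlgoSecure's own tooling or Pollenisator: it reads the XML that `nmap -oX` writes and builds that summary. The scan embedded in it is constructed by hand so the script runs offline, and the `INTERESTING_PORTS` mapping is a hand-picked assumption, not a standard list.

```python
"""Turn nmap -oX output into a per-subnet view of exposed services.

Added example, not AlgoSecure's own tooling. It assumes the standard nmap
XML schema (host/address/ports/port/state/service elements); the scan
below is constructed by hand so the script runs offline.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Services that usually deserve follow-up on an internal network.
# Assumption: a hand-picked mapping, not an exhaustive or standard list.
INTERESTING_PORTS = {
    21: "FTP", 88: "Kerberos", 161: "SNMP", 389: "LDAP", 445: "SMB",
    1433: "MSSQL", 1521: "Oracle", 3389: "RDP",
}

# Constructed sample of what `nmap -sV -oX scan.xml` produces (trimmed).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.1.0/24 10.10.2.0/24">
  <host><status state="up"/><address addr="10.10.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.10.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.10.2.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.10.2.31" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service_name), ...]} for open ports on live hosts."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap considered down
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # ignore closed/filtered ports
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        hosts[addr.get("addr")] = sorted(open_ports)
    return hosts


def group_by_subnet(hosts, prefixlen=24):
    """Return {subnet: {ip: ports}} so each network can be reviewed on its own."""
    grouped = defaultdict(dict)
    for ip, ports in hosts.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        grouped[str(net)][ip] = ports
    return dict(grouped)


def interesting_hosts(hosts):
    """Return {label: [ips]} for every host exposing a port in INTERESTING_PORTS."""
    found = defaultdict(list)
    for ip, ports in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        for port, _proto, _name in ports:
            label = INTERESTING_PORTS.get(port)
            if label and ip not in found[label]:
                found[label].append(ip)
    return dict(found)


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    for subnet, members in sorted(group_by_subnet(scan).items()):
        print(f"== {subnet}: {len(members)} live host(s)")
        for ip, ports in members.items():
            print(f"  {ip}: " + ", ".join(f"{p}/{pr} {n}" for p, pr, n in ports))
    print("follow-up candidates:", interesting_hosts(scan))
```

On a real engagement the input would be the XML of the auditors' own scans (one file per network range, merged into the same dictionary), and the `/24` grouping would be replaced by the customer's actual addressing plan.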
At the end of the audit, we take a moment to discuss the key findings with you. The aim is to give you a consolidated view of the main risks to your internal network: the impact of the discovered vulnerabilities on the security of your data, the skill level required of the attacker and the complexity of the attacks to carry out. We then proceed to write the report.
Once we have sent the report, we schedule a presentation. Its objective is to present both a management-level view of the audit results and a detailed technical one. This is why we encourage you to invite your technical teams to this meeting, so that they can be informed of the security weaknesses and the corrective actions we recommend.
Of course, the auditors remain at your disposal after the presentation, by email or telephone, to answer your questions or advise you on implementing the corrective actions. We aim to build a relationship of trust and long-term support.
The weaknesses listed below are indicative; our auditors' knowledge evolves constantly to keep up with new attacks.
File shares are commonly used in companies so that users can exchange documents. However, they are frequently misconfigured and over-exposed. For this, we check, among other things:
If necessary, our report will include the list of discovered file shares, and the access rights to them.
Windows authentication mechanisms (such as NTLM) let a user authenticate to a server or service by exchanging a challenge/response sequence rather than sending a username and password. However, because of poor configuration, an attacker may be able to intercept network traffic and capture these authentication sequences in order:
For this, we check, among other things:
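One of the configuration checks behind this class of attack is whether each SMB server insists on message signing: a server that merely "enables" signing without requiring it will accept an authentication sequence relayed by an attacker. The code below is an added example, not AlgoSecure's own tooling: it parses an SMB2 NEGOTIATE response (MS-SMB2 header and NEGOTIATE response layout) and reports the signing posture the server announces. The packets are constructed with `build_negotiate_response()` so it runs offline; no network exchange is performed, and the negotiate contexts of dialect 3.1.1 are not parsed.

```python
"""Check whether an SMB server requires message signing, from its SMB2
NEGOTIATE response.

Added example, not AlgoSecure's own tooling. It only parses the reply
(MS-SMB2 2.2.1.2 sync header and 2.2.4 NEGOTIATE response); the packets are
constructed with build_negotiate_response() so the script runs offline.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response

SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED

HEADER_FMT = "<4sHHIHHIIQIIQ16s"           # 64-byte sync header
NEGOTIATE_FMT = "<HHHH16sIIIIQQHHI"        # fixed 64-byte part of the response
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64
assert struct.calcsize(NEGOTIATE_FMT) == 64


def build_negotiate_response(security_mode, dialect=0x0302):
    """Build a minimal SMB2 NEGOTIATE response (constructed test data only)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 1, 0, SMB2_NEGOTIATE, 1,
                         FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize is 65 because it counts one byte of the variable buffer.
    body = struct.pack(NEGOTIATE_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0x0000002f, 0x800000, 0x800000, 0x800000, 0, 0,
                       HEADER_LEN + 64, 0, 0)
    return header + body


def parse_negotiate_response(packet):
    """Return the signing posture announced by the server, or raise ValueError."""
    if len(packet) < HEADER_LEN + 64:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    (magic, hdr_size, _cc, status, command, _credits, flags,
     _next, _msgid, _res, _tree, _sess, _sig) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if magic != SMB2_MAGIC or hdr_size != 64:
        raise ValueError("not an SMB2 packet (SMB1 or garbage)")
    if command != SMB2_NEGOTIATE or not flags & FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError(f"server returned NTSTATUS 0x{status:08x}")
    size, security_mode, dialect, *_rest = struct.unpack(
        NEGOTIATE_FMT, packet[HEADER_LEN:HEADER_LEN + 64])
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_exposure(packet):
    """One-line verdict: can a captured authentication be relayed to this server?"""
    info = parse_negotiate_response(packet)
    if info["signing_required"]:
        return "signing required: relay to this host is not possible"
    if info["signing_enabled"]:
        return "signing enabled but not required: relay target"
    return "signing disabled: relay target"


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED, 0):
        print(f"SecurityMode=0x{mode:04x}: {relay_exposure(build_negotiate_response(mode))}")
```

On the wire the reply is obtained by sending an SMB2 NEGOTIATE request to TCP/445 (each message is preceded by a 4-byte NetBIOS session header that this parser does not handle); nmap's `smb2-security-mode` script performs the same check at scan time. The matching fix on the customer's side is to require signing on every SMB server, member workstations included, through the "Microsoft network server: Digitally sign communications (always)" policy.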
Exchange servers, because of their importance and functionality, are generally installed by default with a configuration that grants them significant rights over Active Directory objects. By chaining other vulnerabilities, an attacker can abuse an Exchange server and its high privileges to perform sensitive actions or to grant high privileges to an account. For this, we check, among other things:
Administering Active Directory and Windows networks is complex, in particular because of how much these technologies have evolved and because Microsoft must maintain backward compatibility for businesses. New protocols, solutions and architectures have emerged to fix the many critical vulnerabilities found in these systems, but they often go unimplemented for lack of knowledge, time or resources. For this, we check, among other things:
Solution integrators rarely take security into account, and installed products generally have neither an update policy nor a password policy. For this, we check, among other things:
These security weaknesses are present in the vast majority of internal networks built around Active Directory, and they are also the ones with the highest impact on the security of the information system. During a LAN audit we also perform service-specific tests (iSCSI, FTP, SMTP gateways, SQL and Oracle servers, SNMP, SSH, RSH...) within the time allotted to the audit.
We mainly use open-source tools of high quality and strong reputation in the cyber-security community. Among others:
We also use an internally developed tool, Pollenisator, to manage scans during a LAN audit and to share traces between auditors.
We value transparency about the actions taken on your infrastructure. To that end, the appendix of our reports lists the tools used during the audit, as well as any script we may have developed for a specific need.
Below is a graph showing the most common attack vectors, from our experience during internal pentests.
Below is a graph showing the most common facilitating elements for attacks, from our experience during internal pentests.
Specialists in information security in Lyon, Paris, Saint-Etienne and throughout France