Pentesting: External Audit and Web Application Audit Service (Ethical Hacking)

We deeply understand the needs of SMEs, and we try to meet them by designing, implementing, maintaining and operating comprehensive security plans based on the six NIST functions (Governance, Identification, Protection, Detection, Response and Recovery). Within them, our External Audit service will allow you to know your exposure perimeter, acquiring a clear photo of your exposed vulnerabilities and how to solve them.

Phase 1: Footprint (OSINT)

During the first phase of the service, the Zerolynx team will map the attack surface exposed to the Internet. For this work, open and private sources will be consulted with the aim of carrying out Footprinting processes in search of all types of sensitive information that currently exists or that may have been published in the past on the Internet. For this work, different techniques based on OSINT methodologies will be used, highlighting in particular:

• Hacking with search engines (Google, Bing, Yandex, Exalead, Duckduckgo and Baidu).
• Asset search services (Shodan, Censys, Greynoise, Zoomeye, Fofa, Onyphe, Binayedge, Wigle and Oshadan).
• Threat Intelligence Search Services (RiskIQ, Cisco Talos Intelligence, ThreatExchange, VirusTotal).
• Listing assets on paste websites (Pastebin, Pasteguru, TextSnip, Snip.Net, Hastebin, Anonpaste, etc.).
• Crawling tools and massive analysis of content on the Internet.
• Querying Whois records.
• Mobile application store (AppStore, PlayStore, etc.).
• Analysis of IP addresses and domains (Robtex, Ipv4info, ThreatCrowd, MxToolBox, IPStack, DB-IP, Ultratools).
• Public code repositories (github, gitlab, bitbucket, etc.).
• Password leaks published on the Internet and the Dark Web.
• Study of possible visually similar domains (Typosquatting), through the use of our own scripts and online technologies.
• Analysis of old websites published on Archive.org.
• Tracking of applications on social networks (Twitter, Facebook, Instagram and LinkedIn, among others).
• Analysis of possible sites, which may be legal, have been classified as phishing on platforms such as OpenPhish, PhisTank or PhisStats.
• Location of data traded in underground Internet markets.

Level 2: Fingerprint

Once the initial information of each application/service has been collected, the Fingerprinting process will begin, proceeding to carry out an in-depth analysis of the assets for their subsequent exploitation. To make a complete map of the attack surface, all exposed ports and services will be listed, with emphasis mainly on identifying the following elements:

• Ports and services accessible from the Internet.
• Software and version used in each service.
• Technologies used, especially those that are obsolete or have known vulnerabilities.
• External libraries used and other relationships between the different assets.

In parallel, an active search for possible valid exploitation vectors for subsequent stages of the process will be carried out. To this end, special emphasis will be placed on the detection of functionalities that usually carry a greater risk of being exploited to compromise the perimeter, either through vulnerabilities, code injections, uploading of malicious files, or even brute force tests or leaked credentials. previously. Some of the features that will receive special attention are:

• Web authentication panels.
• File upload forms.
• File sharing services.
• Remote access technologies for administration.
• Remote desktop technologies.
• VPN connections.

Therefore, for the purposes of the MITER ATT&CK attack matrix, the search for elements that facilitate access is contemplated through the following Initial Access techniques:

• Exploit Public-Facing Application (T1190).
• External Remote Services (T1133).
• Valid Accounts (T1078.001, T1078.002, T1078.003, T1078.003).

The rest of the attack vectors that include third-party compromise or physical access would initially be outside the scope of the project.

Phase 3: Vulnerability Analysis

The next phase uses all the information previously collected as a basis for detecting possible avenues of attack. These will be prioritized based on the possibility of exploitation and potential impact, with the aim of maximizing dedication to finding the most critical vulnerabilities, such as data exfiltration or remote code execution.

This phase, in any case, covers most of the security audit, and allows the identification of vulnerabilities related to identity management, authentication, authorization or session management. Special importance is also given to injections through input validation tests. Finally, it allows you to find error management flaws, detect incorrectly implemented cryptographic methods, and vulnerabilities in business logic. Broadly speaking, the test categories in force in the OWASP methodology at the time of the review will also be covered.

• Information collection
• Configuration and deployment management
• Identity Management and Session Management
• Authentication and Authorization
• Input Validation and Error Handling
• Weak Cryptography
• Business Logic and Client Side

In the event that the vulnerabilities found allow especially harmful scenarios, such as remote code execution or escalation of privileges, prior communication will be carried out with those responsible for managing the security audit, to decide whether to proceed to perform security tests. concept, or stop testing without proceeding to exploit it. In any case, critical impact vulnerabilities will be immediately reported to the client to minimize the time in which said potential breach is active.

Phase 4: Analysis of Results

In the case of detecting high-impact vulnerabilities that are reported during the service, the client may raise questions, or request additional tests to be carried out to clarify these weaknesses, for example, if a countermeasure or solution is deployed during the project time. . However, it is important to understand that in no case may the performance of additional tests impact the project planning, consuming the days dedicated to the preparation of the final report, unless both Zerolynx and the client previously agree to this situation. In any case, Zerolynx offers the client the possibility of hiring additional days for analysis and retesting of vulnerabilities if necessary.

Phase 5: Final report

By consolidating all the evidence obtained, a complete technical and executive report will be constructed in accordance with the Zerolynx model, and will include, at least, the following points:

• Purpose and scope of the audit
• Audited systems
• Auditor team
• Interlocutors who have participated in the audit
• Test development dates
• Reference documentation
• Confidentiality clause
• Vulnerabilities detected, classified according to their importance
• Recommended solutions to vulnerabilities
• Vulnerabilities corrected in the audit
• Observations
• Strengths and opportunities for improvement
• Conclusions obtained

The report will have an Executive Summary, highlighting the main risks detected and prioritization recommendations for their possible resolution. Below are examples of executive summary and vulnerability sheets used by Zerolynx. However, the information in the report and the vulnerabilities can be adapted to the client's needs and requirements if necessary.

Additionally, Zerolynx provides the client with a high-level presentation at the end of the project that will document the main findings and remediations.

This service is designed exclusively for SMEs with up to 250 employees. If you wish to contract this service for larger companies, do not hesitate to contact our commercial team from contact form on our website.

More information about our External Audit Pentesting and Web Audit services

Purchase the service from our virtual store and in less than 48 (working) hours one of our Project Managers will contact you to schedule the start of the work, which will take us approximately one week.