
Black box penetration tests

Service description
A penetration test is a method of assessing an infrastructure's security by simulating an attack.
The process involves analysing the target for potential vulnerabilities and then exploiting the
security vulnerabilities that are found.
Issues uncovered through the test will be presented together with an assessment of their
potential impact. Recommendations for securing the application will be presented as well.

Methodology
The methodology for the test is based on Orange Polska's proven testing experience,
which is under continuous development. Testers hold certificates confirming their competencies
and ethics, such as CISSP (Certified Information Systems Security Professional) and CEH
(Certified Ethical Hacker). Penetration tests performed by Orange Polska give an objective
and independent assessment of the actual security level of the tested systems.
Although best practices are used and every effort is made, testing cannot guarantee uncovering
100% of vulnerabilities. This is due to the method itself (no full and specific knowledge of
the tested systems), the impossibility of checking all possible attack scenarios (e.g. attacks using
0-day vulnerabilities), system complexity and time constraints.
Penetration testing is highly invasive. When a tester breaches deeply into the system,
creating a risk of damage or gaining the possibility of accessing sensitive data (e.g. access to
a database), we will inform the client. We will then await a decision on whether to keep exploiting the vulnerability in question.

Black box testing


In this method, testers don't know much about the tested system. They have network access
to the system, knowledge and experience in security testing, publicly available
knowledge about the system, and the motivation to compromise its security.
The black box methodology assumes minimal knowledge about the system being tested,
comparable to the knowledge of an attacker or a regular user of the system. The idea behind it is to
find vulnerabilities that could be found by an attacker who has only generic
knowledge at the beginning.

Infrastructure testing
The target is to find vulnerabilities in the network services available on the tested system. This task
is done with automated tests followed by manual verification and additional tests.
Automated tests are done with vulnerability scanners and other network scanning tools.
The results are then verified manually by testers. A series of manual checks not covered
by the automated tests follows. The last step is actual exploitation of the vulnerabilities found, to
prove that they work on the tested system.
The range of tests includes:
- OS versions up-to-date
- Unnecessary network services running
- Known vulnerabilities
- Default or weak passwords
- Obtaining information about the infrastructure (e.g. based on service banners)

Report
Tests will be concluded with a detailed report. It includes:
- Executive summary
- Scope of the project
- Used tools
- Additional information gathered (e.g. open ports, OS information, etc.)
- Identified vulnerabilities
- Recommendations

Proposed programme of testing

- Pre-engagement
  - Define scope of tests (network address, FQDN, company name)
  - Define goals of penetration tests
  - Define depth
  - Define possibility of DoS testing
  - Define emergency contact information
  - Define timeframe (start/end of tests, day hours)
  - Obtain permission
- Reconnaissance (passive & active information gathering)
  - Host & services discovery with port scanners
  - Web mining for information about services
- Automatic analysis
  - Network vulnerability scanners
- Manual analysis
  - Manual verification of automatic reports
  - Manual tests for vulnerabilities not covered by automatic scanners
- Reporting
  - Report proposal
  - Improvements of report after comments from customer
  - Final report

Risks
Penetration tests are highly invasive. They may have a negative impact on the infrastructure
that may lead to denial of service.
If more than 100 vulnerabilities are found during automated scanning, more time may be
needed to finish the tests.
