The SecureState Profiling Team is well known and highly regarded as experts in Penetration Testing. Our approach follows industry-accepted testing methodologies such as PTES, NIST 800-115, OWASP and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment and mitigate identified vulnerabilities. The Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. SecureState's Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic “root cause” issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules of engagement as well as the scope and exchange contact information for both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement.
Phase II – Information Gathering:
Our approach first maps the accessible network by finding responsive or “alive” access points and identifying them as client property. Directional antennas can determine where they are located. Once this list has been determined and approved by the client, key targets (APs) are selected for attack and we then find as much information as possible without transmitting a single packet. IDS/IPS evasion is extremely easy at this level. Clear-text transmissions can be sniffed and reassembled to analyze what users are viewing in real time.
Phase III – Attack & Penetration:
During this process, SecureState attempts several attacks, either bypassing or cracking security mechanisms in order to gain full access to the wireless access point. Some of these attacks can include:
- Man in the Middle – Perform an attack that routes all communications through our machine and then to the access point without user knowledge.
- Brute Force – Attack passwords utilizing a 1.3 terabyte rainbow table database.
- Session Hijacking – Performing a Denial of Service attack on a client and “jacking” his session allows access to the network and bypasses encryption standards.
- Mass De-Authentication – Performing a mass de-authentication of all associated clients forces re-association and broadcasting of usernames and passwords.
Phase IV – Client Side Attacks:
As wireless infrastructures become more secure, attackers are now focusing their attention on wireless clients. To test if these attacks will be successful against your organization, SecureState attempts a number of client-side attacks against the wireless configuration service used by your organization.
If your network is using WPA or WPA2 Enterprise authentication, SecureState will perform tests against the 802.1X supplicant. These tests will determine if the supplicant is properly configured. During the supplicant attacks, our Team Members will attempt to capture and crack the credentials used to access networks using Enterprise Authentication.
Phase V – Entering the Network:
Once unrestricted access has been gained, an assessment is performed to determine which systems the access point is connected through. Hosts are identified through the wireless access point to determine the size of the network and the hosts associated with this network.
Phase VI – Vulnerability Discovery:
SecureState employs a variety of Vulnerability Assessment tools, both manual and automated, to perform an attack and penetration. This entails taking the detailed list compiled in Phase IV and then running an assessment against the items on it to determine vulnerabilities.
Phase VII – Exploitation and Data Capture:
SecureState will further progress into the network as exploits and vulnerabilities become available. We perform exploits to validate proof of concept and to determine the extent of the vulnerability. SecureState applies the Vulnerability Linkage Theory, which is the practice of linking multiple vulnerabilities together in order to create higher risk vulnerabilities on the system. This process is extremely effective and is performed from a hacker’s perspective.
While the attack and penetration progresses, all packets are being captured for future analysis. Data Analysis is performed to determine what traffic is being broadcast over your wireless network, including sniffing for usernames, passwords, and credit card information. A complete packet reconstruction of all network traffic can be performed utilizing state-of-the-art reconstruction tools provided upon request.
Phase VIII – Post Exploitation:
The Post Exploitation Phase includes pillaging, penetrating further into the network, and documenting and removing any remains of SecureState’s testing from the client’s systems.
Phase IX – Reporting:
As part of the deliverable, SecureState provides a report which contains a short, graphical summary aimed at senior management, a narrative body which details major findings, and a detailed findings section aimed at technical staff. Additionally, SecureState will provide a closing call and a high-level executive presentation to summarize the penetration test, as well as an opportunity to ask questions about the engagement.