Our Approach and Methodology
The SecureState Profiling Team is well known and highly regarded as
experts in Penetration Testing. Our approach follows industry-accepted
testing methodologies such as PTES, NIST 800-115, OWASP and OSSTMM. By
following these methodologies, our clients can accurately replicate the
testing SecureState has performed in their own environment and mitigate
the identified vulnerabilities. The SecureState Profiling Team also
helps identify strategic “root cause” issues through our Penetration Tests.
Our Risk Management Team is uniquely positioned to work closely with the
Profiling Team in order to assist clients with mitigating these strategic
“root cause” issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules
of engagement and the scope, and to exchange contact information for both
parties. SecureState provides a detailed Project Charter which contains
information on scope and everything that will be required to conduct the
testing. The Project Charter is discussed during the kickoff call prior to
the beginning of the engagement.
Phase II – Information Gathering:
Our approach first maps the accessible network by finding responsive or
“alive” access points and identifying them as client property. Directional
antennas can determine where they are physically located. Once this list has
been determined and approved by the client, key targets (APs) are selected
for attack, and we then gather as much information as possible without
transmitting a single packet. IDS/IPS evasion is extremely easy at this
level. Clear-text transmissions can be sniffed and reassembled to analyze
what users are viewing in real time.
Phase III – Attack & Penetration:
During this process, SecureState attempts several attacks, either
bypassing or cracking security mechanisms in order to gain full access to
the wireless access point. Some of these attacks can include:
- Man in the Middle – Perform an attack that routes all
communications through our machine and then to the access point without
the user's knowledge.
- Brute Force – Attack passwords utilizing a 1.3 terabyte
rainbow table database.
- Session Hijacking – Performing a Denial of Service attack on
a client and “jacking” their session allows access to the network and
bypasses encryption standards.
- Mass De-Authentication – Performing a mass de-authentication
of all associated clients forces re-association and broadcasting of
usernames and passwords.
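As an added, defender-side illustration of the mass de-authentication item above (example code, not SecureState's tooling): a small detector that parses raw 802.11 management frames and alerts when deauth/disassoc frames for one BSSID exceed a threshold inside a sliding time window, which is what a wireless IDS would see during such a test. The MAC addresses, threshold, and sample frames are constructed for the example; real captures would first need the radiotap header stripped.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE, DISASSOC, DEAUTH = 0, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3) for an 802.11 management frame, else None."""
    if len(frame) < 24:                     # minimum management header length
        return None
    fc0 = frame[0]                          # frame control byte 0: version|type|subtype
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (fc0 >> 4) & 0xF
    return subtype, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])

def build_deauth(dst: bytes, src: bytes, bssid: bytes, subtype=DEAUTH, reason=7) -> bytes:
    """Constructed sample frame (no radiotap header): 24-byte header + reason code."""
    fc0 = (MGMT_TYPE << 2) | (subtype << 4)
    return bytes([fc0, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)

class DeauthFloodDetector:
    """Alert once when deauth/disassoc frames for one BSSID reach `threshold` within `window_s`."""
    def __init__(self, window_s: float = 1.0, threshold: int = 20):
        self.window_s, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)      # bssid -> timestamps of recent deauth/disassoc
        self.alerts = []

    def observe(self, ts: float, frame: bytes):
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            return None                     # not a disconnect frame: ignore
        _, dst, _, bssid = parsed
        q = self.seen[bssid]
        q.append(ts)
        while ts - q[0] > self.window_s:    # slide the window forward
            q.popleft()
        if len(q) == self.threshold:        # fire as the threshold is crossed, not on every frame
            alert = {"bssid": bssid, "ts": ts, "count": len(q), "broadcast": dst == BROADCAST}
            self.alerts.append(alert)
            return alert
        return None

def run_sample():
    """Constructed traffic: a 30-frame broadcast deauth flood plus two benign unicast deauths."""
    ap, victim, other_ap = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002"), bytes.fromhex("02aabbcc0099")
    det = DeauthFloodDetector(window_s=1.0, threshold=20)
    for i in range(30):                     # flood: spoofed AP source, broadcast destination, 10 ms apart
        det.observe(100.0 + i * 0.01, build_deauth(b"\xff" * 6, ap, ap))
    det.observe(200.0, build_deauth(victim, other_ap, other_ap))   # routine disconnects, a minute apart
    det.observe(260.0, build_deauth(victim, other_ap, other_ap))
    return det.alerts
```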
Phase IV – Client Side Attacks:
As wireless infrastructures become more secure, attackers are now
focusing their attention on wireless clients. To test whether these attacks
would be successful against your organization, SecureState attempts a number
of client-side attacks against the wireless configuration service used by
your organization.
If your network is using WPA or WPA2 Enterprise authentication,
SecureState will perform tests against the 802.1X supplicant. These tests
will determine if the supplicant is properly configured. During the
supplicant attacks, our Team Members will attempt to capture and crack the
credentials used to access networks using Enterprise Authentication.
Phase V – Entering the Network:
Once unrestricted access has been gained, an assessment is performed of
the systems the access point is connected to. Hosts are identified
through the wireless access point to determine the size of the network and
the hosts associated with it.
Phase VI – Vulnerability Discovery:
SecureState employs a variety of Vulnerability Assessment tools, both
manual and automated, to perform an attack and penetration. This entails
taking the detailed list compiled in Phase IV and then running an assessment
against them to determine vulnerabilities.
Phase VII – Exploitation and Data Capture:
SecureState will further progress into the network as exploits and
vulnerabilities become available. We perform exploits to validate proof of
concept and to determine the extent of the vulnerability. SecureState
applies the Vulnerability Linkage Theory (VLT), which is the practice of
linking multiple vulnerabilities together in order to create higher risk
vulnerabilities on the system. This process is extremely effective and is
performed from a hacker’s perspective.
While the attack and penetration progresses, all packets are captured
for later analysis. Data analysis is performed to determine what traffic
is being broadcast over your wireless network, including sniffing for
usernames, passwords, and credit card information. A complete packet
reconstruction of all network traffic can be performed utilizing
state-of-the-art reconstruction tools provided by SecureState upon request.
Phase VIII – Post Exploitation:
The Post Exploitation Phase includes pillaging, penetrating further into
the network, documentation, and removal of any remnants of SecureState’s
testing from the client's systems.
Phase IX – Reporting:
As part of the deliverable, SecureState provides a report which contains
a short graphical summary aimed at senior management, a narrative body which
details major findings, and a detailed findings section aimed at technical
staff. Additionally, SecureState will provide a closing call and a
high-level executive presentation to summarize the penetration test, as
well as an opportunity to ask questions about the engagement.