Ethical Hacking
Positioning: commissioned, targeted hacking from the
perspective of an attacker with the skill level of a hacker/cracker.
Ethical hacking is the most extreme form of
technical security testing. On the basis of a precisely formulated
remit from the client, our security consultants attempt to gain
electronic access to the target system (components in the DMZ or
LAN/WAN). Unlike in a penetration
test, the testers keep looking for vulnerabilities until they find one suitable for reaching the predefined target. The aim of ethical hacking is to discover design-based security holes and to exploit trust relationships.
In addition, an important component of a security model, the response of the internal security teams and equipment, is fully assessed. The objectives of an ethical hacking test are to cover the
remaining points which a typical penetration test lacks.
An ethical hacking test can be separated into multiple approaches, each aiming at different objectives. Because the goal is to focus on the design and not on the software itself, the range of elements to audit should be fairly wide.
Shoot all
The Shoot all approach is performed to evaluate the security risk when a host of the audited network is compromised. It focuses on exploiting the security design of a system by exploiting every available resource of the compromised host. This can be done using post-exploitation techniques such as installing back doors, tools for finding user/administrator credentials, etc. The network flow is analysed, and captured credentials are used to jump to other hosts in the network which might have been considered secure. Examples include hijacking Windows NT access tokens, hijacking Kerberos credentials, using SSH private keys, UNIX TTY hijacking, etc.
Capture the flag
The Capture the flag approach is performed to evaluate the likelihood that an element of the network (host, resource) gets compromised. While the objective is usually to assess a specific and critical component, this approach also works well for testing the response of an internal security team in case of an attack. Because the range of exploited components is reduced, security probes are less likely to be triggered. A flag is defined that represents the critical resource (data, email, server, ...). An audit time window is defined as well. The techniques used are close to those for Shoot all. Bots are also used to discover the location of the flag. This approach comes closest to representing a real attack.
The client defines the information level parameters of both parties (tester and administrators/users of the systems to be in scope):
Double Blind
The testers have no prior audit knowledge of the systems to be audited, and the administrators and users of the tested systems are unaware of the security audit. This is the most realistic approach.
Blind
The administrators and users of the audited systems are unaware of the security audit. The objective is to test the response of a security team.
Black Box
The testers have no prior audit knowledge of the systems to be audited. The objective is to assess information leakage.
White Box
The testers obtain complete and detailed information about the systems to be audited. The objective is to simulate an attack with insider information.
Gray Box
The testers obtain partial information about the systems. The objective is close to that of the black box approach, but this approach speeds up the audit by avoiding wasted project time.
Depending on the remit, the
same information channels as hackers use are employed before the
actual attacks (e.g. social engineering, dumpster diving, footprinting
and fingerprinting). The majority of the work is brainwork, i.e.
the scope for using tools is limited. The basic ethical hacking module can be extended with several optional supplementary modules.
Because the quality and informativeness of this activity
depend directly on the parameters, including the project budget
available, we agree before the project begins on the project aims, how much time is to
be devoted to ethical hacking and which methods are allowed.
Finally, the procedure, the results achieved and the recommended
countermeasures to eliminate vulnerabilities and design faults are comprehensively
(optionally OSSTMM-compliant) documented.
OneConsult GmbH is ISECOM
Licensed Auditor (ILA), Platinum Level and ISECOM Partner (Accredited Trainer) and our security consultants
are ISECOM certified in various areas of expertise (OPST = OSSTMM
Professional Security Tester, OPSA = OSSTMM Professional Security
Analyst, OSSTMM-Trainer), guaranteeing that the tests will be thorough
and professional and that documentation of the results will be informative
and comprehensive.
Remarks
- Our Security Consultants know and understand the methods and
tricks that hackers use.
- We only test systems that are under the client's direct control.
- Depending on the remit, our security consultants will also develop exploits and use
test trojans developed specifically for the task (e.g. OneConsult®
Pandora PRO).
- In ethical hacking, the client normally defines the objective
(e.g. saving a predefined file on a server in the LAN or WAN or
remotely administering a PC in the LAN via the Internet), but
not the way it is to be achieved.
If you're interested in OneConsult and you'd like a no-obligation
consultation or more information, please contact
us.