Penetration testing / Pentest

Two types of penetration tests are available: internal and external. Each can be performed as a black box, grey box or white box test. External penetration tests assess the security measures implemented on the publicly accessible elements of your information system.
The purpose of internal penetration testing is to simulate attacks from within the company. The simulated attacker profiles are an outsider who manages to enter the company's premises and tries to connect to the network (black box), or a malicious collaborator (grey box).
These tests make it possible to evaluate the overall level of security of the internal network, as well as the ability of the operational teams to detect attacks originating from within the company.

The purpose of black box penetration tests is to discover what an attacker could do from a simple network wall socket. The tests explore the information system in order to find sensitive data and security vulnerabilities that can be exploited to gain total or partial control of the information system. Grey box penetration tests are designed to evaluate the ability of a malicious collaborator to elevate his privileges on the information system and to access information normally inaccessible to this type of profile. These tests, complementary to the black box tests, make it possible to evaluate the partitioning of internal accesses as well as the possibility for a user to take control of equipment and services to which he has no legitimate access or only restricted access. The two approaches are carried out consecutively: the auditor first performs the search and exploitation operations without valid credentials, then explores the actions achievable with a valid user account.

This work is carried out on the internal network, inside the customer's premises, as follows:
  • The auditor uses his own computer to perform the tests;
  • The scope of the audit can be wide; auditors will focus on strategic and sensitive information systems.

ISO 19011 audit processes are used for all penetration tests, as for every audit we perform. Our audit approach is based on the standards of ANSSI, CEH (Certified Ethical Hacker), OWASP (Open Web Application Security Project), and internal methodologies based on the experience gained by our consultants on similar missions.

Penetration tests are carried out in 3 steps:

  • Mapping the actual networks and services of the IT network (scans);
  • Finding vulnerable services and applications and exploiting these flaws without a user account;
  • Inventorying and exploiting security vulnerabilities identified using unprivileged user accounts.

The tests performed focus mainly on the following vulnerabilities:

  • Exploitation of public security vulnerabilities;
  • Configuration faults;
  • Weak or default passwords;
  • Local privilege escalation;
  • Compromise of accessible servers;
  • Firewall bypass and pivoting through servers.

Digitemis does not perform any denial of service attack in order to ensure that applications are not disrupted. If the execution of a technical attack represents a risk to the stability of the equipment or the network, this is only done with the explicit agreement of the auditee.

The main tools used are the following (non-exhaustive list):

  • Nmap;
  • Metasploit;
  • John the Ripper;
  • Mimikatz;
  • Cachedump / pwdump;
  • Hydra;
  • Burp Suite;
  • SQLMap;
  • Wireshark;
  • OpenVAS;
  • Ettercap;
  • Aircrack-ng;
  • Internally developed tools.

For further information or to plan a pentest, please use the form below to contact us:
