ajnaa penetration test popularly known as pen-test will evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, services and application flaws, improper configurations or risky end-user behavior. Pen Test assessments are also useful in validating the efficacy of defensive mechanisms, as well as, end-user adherence to security policies.
Penetration tests are performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. At ajnaa we access vulnerabilities in the system, our testers may attempt to use the compromised system to launch subsequent exploits at other internal resources by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.
Penetration testing will measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.
Types of Penetration Tests:
Web Application Security Testing
In this type of penetration test, we assess the security of the application by focusing on remotely exploitable vulnerabilities, application architecture, design and implementation. We also assess the controls with respect to user access, privilege levels, development and delivery, and overall design of the applications. This helps to give the total threat profile of your web application environment.
Network Penetration Testing
This type of a penetration test involves identifying the targets through Google searches, WHOIS, DNS queries, etc. Fingerprinting and identifying vulnerabilities. The exploitation of these vulnerabilities depends on whether it is part of the engagement or not. Limited exploitation is always done in terms of password guessing, directory traversals, file uploads, etc. Before going for stronger exploitation methods such as Denial of Service attacks, Buffer Overflow exploits, etc., we take prior written consent from the management so as to not to cause possible fallouts from the such exploitation methods.
Automated port identification
In large and very large networks, what is required is an automated way to periodically scan a large range of IP addresses, determine what ports are open, and attempt to identify the service running on those ports. An important activity is to produce trending analyses reports, which show new IP addresses or new ports that have appeared since the last scan was run. AJNAA offers a secure portal to its customers, where they can log in, enter their ranges, run the scans, view the reports and compare with previous scans.
Risk-based Penetration Testing
The days and age of tool-based scanning is long over. The need of the hour is for the penetration testing team to understand the business risks associated with the application and build test cases accordingly. Be it an ERP system or a mobile application, our first step is to always understand the flow of the application, the business processes around the system, and the concomitant risks from it. Once the automated scanning parts are over, then our real expertise comes into play leveraging our database of test cases combined with our strong understanding of business processes across various industries.
This approach, then might also include social engineering attacks, threat modelling, and other elements that might not be typical of a traditional penetration testing exercise.
Benefits in engaging with ajnaa
Our penetration testing service is a highly creative, out-of-the-box engagement, and often results in new vulnerabilities being discovered or a new tool being developed from such an exercise. Our teams are highly passionate and committed to doing as comprehensive an assessment as possible. Our team members are also actively engaged in security research initiatives.