IT-Infrastructure Penetration Tests

Offsite Penetration Tests (external)

Externally accessible IT infrastructures are exposed to a wide range of potential attackers. In an offsite penetration test (offensive security) conducted by our ISO 27001 and IEC 62443 certified consultants and lead auditors, together with OSCP and OSWE certified pentesters, we take on the role of an external attacker on the internet and examine all exposed IT systems and web applications for vulnerabilities, including previously unknown (zero-day) vulnerabilities. This allows security gaps to be closed before real attackers can exploit them.

Our approach to conducting offsite penetration tests is outlined below:

Onsite Penetration Tests (internal)

By exploiting a security vulnerability in an exposed system, or through social engineering attacks such as phishing, external attackers can gain access to the internal corporate network. An attack by internal personnel cannot be completely ruled out either.

In an onsite penetration test (offensive security) conducted by our ISO 27001 and IEC 62443 certified consultants and lead auditors, together with OSWE certified pentesters, we evaluate how well your IT infrastructure is protected against an attack launched from within the internal network. The assessment is carried out according to the following approach:

Active Directory Whitebox Assessment

If Active Directory is used, an Active Directory whitebox assessment can also be performed as part of an onsite penetration test. Using the access data you provide, we check whether your AD infrastructure meets the current state of the art. Such an assessment can include the following test points:

  • Enumeration of all AD components:
    • Forests, trees, domains, OUs, hosts, groups, accounts, GPOs, password information
  • Review of operational procedures
  • Review of privileged accounts and group memberships, and of regular account hygiene
  • Review of forest and domain trusts
  • Review of operating system configuration, security patching and update levels
  • Verification of domain and domain controller configuration against Microsoft recommended policies
  • Review of Active Directory object permission delegation
  • Recommendation of measures for improvement
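The following PowerShell script is an added example of how the enumeration and account-hygiene test points above can be collected read-only in a whitebox assessment; it is not Insentis' own tooling. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, the low-privilege read-only account provided for the assessment, an assumed inactivity threshold of 90 days (`$StaleDays`), and an assumed set of privileged groups addressed by well-known RID/SID rather than by (possibly localized) name.

```powershell
# Added example, not part of the original page. Read-only AD whitebox enumeration.
# Assumptions: RSAT ActiveDirectory module, domain-joined host, read-only assessment account.
#Requires -Modules ActiveDirectory
param(
    [int]$StaleDays = 90,   # assumption: inactivity threshold for the account hygiene check
    [string]$Server         # optional domain or DC to target; default is the current domain
)
Import-Module ActiveDirectory
$adArgs = @{}
if ($Server) { $adArgs.Server = $Server }

# 1. Forest, domain and trust enumeration
$forest = Get-ADForest @adArgs
$domain = Get-ADDomain @adArgs
"Forest $($forest.Name) (mode $($forest.ForestMode)); domains: $($forest.Domains -join ', ')"
"Domain $($domain.DNSRoot) (mode $($domain.DomainMode)); PDC emulator: $($domain.PDCEmulator)"
Get-ADTrust -Filter * @adArgs |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Privileged group membership, resolved recursively (nested groups) and addressed by
#    well-known RID/SID so the check does not depend on localized group names.
$sid = $domain.DomainSID.Value
$privGroups = @{                                   # assumed set; extend as required
    'Domain Admins'     = "$sid-512"
    'Enterprise Admins' = "$sid-519"               # exists only in the forest root domain
    'Schema Admins'     = "$sid-518"
    'Administrators'    = 'S-1-5-32-544'
    'Account Operators' = 'S-1-5-32-548'
    'Server Operators'  = 'S-1-5-32-549'
    'Backup Operators'  = 'S-1-5-32-551'
}
$privMembers = foreach ($g in $privGroups.GetEnumerator()) {
    try {
        Get-ADGroupMember -Identity $g.Value -Recursive @adArgs -ErrorAction Stop |
            Select-Object @{n = 'Group'; e = { $g.Key }}, objectClass, SamAccountName, distinguishedName
    } catch { Write-Warning "Cannot read $($g.Key): $($_.Exception.Message)" }   # e.g. child domain
}
$privMembers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$privNames = $privMembers | Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName -Unique

# 3. Account hygiene of enabled user accounts
$cutoff = (Get-Date).AddDays(-$StaleDays)
$props  = 'PasswordNeverExpires', 'PasswordNotRequired', 'DoesNotRequirePreAuth', 'LastLogonDate',
          'PasswordLastSet', 'AdminCount', 'ServicePrincipalName', 'TrustedForDelegation'
$findings = foreach ($u in (Get-ADUser -Filter 'Enabled -eq $true' -Properties $props @adArgs)) {
    $issues = @()
    if ($u.PasswordNeverExpires)  { $issues += 'PasswordNeverExpires' }
    if ($u.PasswordNotRequired)   { $issues += 'PasswordNotRequired' }
    if ($u.DoesNotRequirePreAuth) { $issues += 'NoKerberosPreAuth (AS-REP roastable)' }
    if ($u.TrustedForDelegation)  { $issues += 'UnconstrainedDelegation' }
    if ($u.ServicePrincipalName -and $privNames -contains $u.SamAccountName) {
        $issues += 'PrivilegedAccountWithSPN (Kerberoastable)'
    }
    if (-not $u.LastLogonDate)              { $issues += 'NeverLoggedOn' }
    elseif ($u.LastLogonDate -lt $cutoff)   { $issues += "Inactive>${StaleDays}d" }
    if ($u.AdminCount -eq 1 -and $privNames -notcontains $u.SamAccountName) {
        $issues += 'AdminCountSetButNotInCheckedGroups (verify, possibly stale)'
    }
    if ($issues) { [pscustomobject]@{ Account = $u.SamAccountName; Issues = ($issues -join '; ') } }
}
$findings | Sort-Object Account | Format-Table -AutoSize

# 4. Default domain password policy (input for the password information review)
$pol = Get-ADDefaultDomainPasswordPolicy @adArgs
[pscustomobject]@{
    MinPasswordLength           = $pol.MinPasswordLength
    ComplexityEnabled           = $pol.ComplexityEnabled
    LockoutThreshold            = $pol.LockoutThreshold
    PasswordHistoryCount        = $pol.PasswordHistoryCount
    MaxPasswordAgeDays          = $pol.MaxPasswordAge.Days
    ReversibleEncryptionEnabled = $pol.ReversibleEncryptionEnabled
} | Format-List

# 5. Operating system inventory of enabled hosts (input for the patch and update level review)
Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion @adArgs |
    Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The script only reads directory data, so it can run under the provided access data without touching the environment; fine-grained password settings objects, GPO contents and object permission delegation (ACLs) are not covered here and need separate queries.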
