13th November 2019

Penetration Testing

Penetration testing for your Networks and Websites

As a business owner / manager, it is crucial that you take every possible step to secure your business from both external and internal threats, but the issue is: WHAT ARE THOSE THREATS??

This is where Purple Triangle can help. We provide a wide range of testing, both compliance and penetration testing. We will find the vulnerabilities in your systems so that remedial action can be taken to shore up your defences against them.

See below for some of the tests we can perform.

Here are 6 use cases for an Nmap scan (if this is all gobbledygook to you, don't worry, that's why we are here; call us on 02476 320788 today for a chat):

  1. Determine the status of host and network based firewalls: Understanding the results from the online Nmap scan will reveal whether a firewall is present.
  2. Test firewall logging and IDS: Launch remote scans against your infrastructure to test that your security monitoring is working as expected. Review firewall logging and Intrusion Detection System alerts.
  3. Find open ports on cloud based virtual servers: In 2016 thousands of MongoDB databases were compromised and data leaked because the server was configured to listen on the Internet facing interface. Using Purple Triangle services it is possible to quickly identify a host firewall with holes or services that are poorly configured.
  4. Detect unauthorised firewall changes: When changes to your firewall rule base require change board approval, a scheduled Nmap port scan can quickly reveal firewall changes that have not been through the change approval process.
  5. Not all firewalls work well with IPv6: As IPv6 gets deployed it is important to understand whether the IPv6 interface has the same level of protection as the existing IPv4 addresses. Many virtual servers (VPS) are deployed with IPv6 enabled by default. Have you checked yours?
  6. Troubleshoot network services: You're getting pushed to roll out the new service. The network guys are saying it's not their problem, and the firewall administrator is pointing the finger at the developers. Sometimes you just need to know if the port is open and listening.
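Use case 4 in practice, as an added example that is not Purple Triangle's own tooling: a scheduled scan is saved with `nmap -oX` and diffed against the approved baseline, so any port that became reachable without a change ticket stands out. Both XML documents below are constructed samples, reduced to the elements the parser reads; the host address is a documentation-range placeholder.

```python
"""Diff two Nmap XML runs to spot firewall changes that bypassed change control (added example)."""
import xml.etree.ElementTree as ET

# Constructed samples: the approved baseline and a later scheduled scan of one host.
# Real `nmap -oX` output carries more attributes; only those parsed below are included.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host>
  <address addr="203.0.113.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    <port protocol="tcp" portid="3306"><state state="filtered"/></port>
  </ports>
</host></nmaprun>"""

CURRENT_XML = BASELINE_XML.replace(
    '<port protocol="tcp" portid="3306"><state state="filtered"/></port>',
    '<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>',
)  # the database port is now reachable from the Internet: was this change approved?


def open_ports(nmap_xml):
    """Return a set of (address, protocol, port) for every port Nmap reports as open."""
    found = set()
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # IPv6-only or MAC-only entries are skipped in this example
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                found.add((addr.get("addr"), port.get("protocol"), int(port.get("portid"))))
    return found


def diff_scans(baseline_xml, current_xml):
    """Ports newly exposed since the baseline (candidates for unapproved firewall changes)
    and ports that were open in the baseline but no longer are."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    return {"newly_open": sorted(after - before), "newly_closed": sorted(before - after)}


if __name__ == "__main__":
    for kind, entries in diff_scans(BASELINE_XML, CURRENT_XML).items():
        for addr, proto, port in entries:
            print(f"{kind}: {addr} {port}/{proto}")
```

Anything listed under newly_open should match an approved change record; if it does not, it is either an unauthorised rule change or a service that started listening on the wrong interface.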

Zmap was built to scan the Internet. Developed by a team at the University of Michigan, it has been used by researchers from Rapid7, Scans.io and Censys.io to gather data on the state of Internet security from an open service perspective. Another Internet-scanning project, unrelated to the Zmap tool itself, is the well-known shodan.io.

These days, complaining about being scanned is about as useful as griping that the top of your home is viewable via Google Earth. Trying to put devices on the Internet and then hoping that someone or something won’t find them is one of the most futile exercises in security-by-obscurity.
Brian Krebs (krebsonsecurity.com)


Why would I use the OpenVAS scanner?

The primary reason to use this scan type is to perform comprehensive security testing of an IP address. It will initially perform a port scan of the IP address to find open services. Once listening services are discovered they are tested for known vulnerabilities and misconfiguration using a large database (more than 53000 NVT checks). The results are then compiled into a report with detailed information about each vulnerability and notable issue discovered.


About Passive Website Analysis

When performing attack surface discovery against an organisation, a great deal of information can be gathered simply by performing a regular web request against the target websites. The response from the web server will reveal details about the technologies in use, both in the HTTP response headers and in the HTML body of the response.

Analysis of the HTTP response can reveal:
  • web server and version in use (nginx, IIS, apache)
  • content management system (wordpress, joomla, drupal)
  • management applications (phpmyadmin, tomcat administration pages)
  • javascript frameworks (ember.js, angularjs)
  • web analytics javascript (google analytics)
  • server backend scripting languages (cold fusion, php, django, java)

Not only can the type of technology be revealed but often the version of the software can also be determined. With the version, you are a simple search away from finding exploits that affect that particular version of the software. Knowing the technology in use can allow you to focus your attacks, knowing the version can reveal exploitable vulnerabilities – all with only a simple web request.

Here are 5 use cases for the Domain Profiler Tool

Internal Operations Team
Check the results of this analysis against internal asset lists. Quickly find gaps in the assets or forgotten systems. Staff turnover in many organizations can lead to orphaned systems that are Internet facing and no longer maintained. Asset management systems should be aware of these systems, but sometimes they slip through the cracks.
Incident Response
Whether you are chasing down a major incident (DFIR) or simply need contextual information about a domain for alert triage, this is a tool that will surely save time during the analysis or investigative process.
Penetration Testers
The first stage of any penetration testing engagement is to compile open source intelligence into a picture of the target. Using OSINT methods allows a great deal of information to be collected without sending any packets to the target. This is known as passive information gathering.
Business Intelligence
Detailed open source information reveals the technologies and third-party service providers of an organisation. This can benefit a number of different investigative processes, including competitive analysis. The key here is that the information comes from open sources, with zero impact on the target.
Bug Bounty Hunters
The passive nature of the information discovery allows bug hunters (and other attackers) to quickly find systems that may be worth spending time assessing for vulnerabilities. A bounty hunter with a list of programs (domains) can submit a list of targets and watch the results come into their email inbox, quickly reviewing each to find easy wins.

About the WordPress Security Scans

The basic security check will review a WordPress installation for common security related misconfigurations. Testing with the basic check option uses regular web requests. The system downloads a handful of pages from the target site, then performs analysis on the resulting HTML source.

The more aggressive enumeration option attempts to find all plugins / themes in use on the WordPress installation and can attempt to enumerate users of the site. These tests will generate HTTP 404 errors in the web server logs of the target site. If you test all plugins, be warned that this will generate more than 18000 log entries and may trigger intrusion prevention measures.

By identifying all the plugins, themes and users of the site you are developing an understanding of the attack surface. With this information you are able to target further testing against the discovered resources.
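The passive analysis described above and the basic WordPress check both come down to reading one HTTP response. The following Python is an added example, not Purple Triangle's scanner: it takes a constructed set of response headers and a constructed fragment of HTML source and lists the technologies and exact versions they disclose, which is the same check a site owner can run against their own server to see what it gives away.

```python
"""Fingerprint technologies a single HTTP response discloses (added example)."""
import re

# Constructed sample response: headers as a dict plus the start of an HTML body.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel="stylesheet" href="/wp-content/themes/twentynineteen/style.css?ver=1.4" />
<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.4"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body></body></html>"""

# Header values commonly look like "Product/version (extra)"; PRODUCT_RE splits them.
HEADER_RULES = [("Server", "web server"), ("X-Powered-By", "backend")]
PRODUCT_RE = re.compile(r"([A-Za-z.-]+)(?:/([\d.]+))?")

# Body rules: (category, regex with a 'name' group and an optional 'ver' group).
BODY_RULES = [
    ("CMS", r'<meta name="generator" content="(?P<name>WordPress) (?P<ver>[\d.]+)"'),
    ("WordPress plugin", r'/wp-content/plugins/(?P<name>[\w-]+)/[^"\s]*\?ver=(?P<ver>[\d.]+)'),
    ("WordPress theme", r"/wp-content/themes/(?P<name>[\w-]+)/"),
    ("analytics", r"(?P<name>google-analytics)\.com/analytics\.js"),
]


def fingerprint(headers, body):
    """Return sorted (category, name, version-or-None) tuples found in one response."""
    findings = set()
    for header, category in HEADER_RULES:
        m = PRODUCT_RE.match(headers.get(header, ""))
        if m:
            findings.add((category, m.group(1), m.group(2)))
    for category, pattern in BODY_RULES:
        for m in re.finditer(pattern, body):
            g = m.groupdict()
            findings.add((category, g["name"], g.get("ver")))
    return sorted(findings, key=str)


def versions_disclosed(headers, body):
    """Only the findings with an exact version: the ones worth suppressing
    (Apache ServerTokens, PHP expose_php, the WordPress generator tag)."""
    return [(name, ver) for _, name, ver in fingerprint(headers, body) if ver]


if __name__ == "__main__":
    for category, name, ver in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{category}: {name} {ver or ''}".rstrip())
```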

  • Reverse Analytics Search
  • Zone Transfer Test
  • Find shared DNS Servers
  • Find DNS Host Records (Subdomains)
  • Many more…