ETHICAL HACKING | PENTEST
A pentest is an audit of the security of an IT environment. It is a technique which consists of analyzing a target by behaving like a hacker. We can also call it ethical hacking.
An ethical hacker, also called a “white-hat” or “pentester”, is responsible for carrying out this type of test. Thus, it can help organizations identify their weak points and indicate how to resolve them.
EXTERNAL INFRASTRUCTURE
This test simulates an attack on an IT infrastructure accessible from the Internet. The objective is to identify vulnerabilities in security measures implemented at the network and operating system level of systems connected to the Internet.
⏳ Average time required : 2 days / 10 IPs
💸 From : 1000 € excl. VAT / 10 IPs
INTERNAL INFRASTRUCTURE
This is an attack simulated by a person who has already accessed the internal network and knows the systems.
The objective will be to identify the shortest path to take control of the client’s most important resource (e.g. access confidential data and/or take control of the Domain Controller).
To do this, our testers will identify a chain of vulnerabilities present in the client’s infrastructure and thus exploit them to achieve the set objective.
This test focuses on the structured identification of vulnerabilities in an extensive set of internal systems. We also test Active Directory for vulnerabilities such as Kerberoasting or privilege delegation abuse.
What it does not do : attempt to bypass anti-viruses and be stealthy.
⏳ Average time required : 10 days for a < 500 employee company
💸 From : 5000 € excl. VAT
INDUSTRY 4.0 (SCADA/ICS)
Critical infrastructure and industrial systems are increasingly dependent on IT, introducing new threats to SCADA systems. Hackmosphere helps organizations evaluate and test the OT network through passive and active security testing, which is then compared to the desired security level.
During passive tests, we review, for example, the configuration of the architecture in place, the physical access controls or the update management process.
Active testing includes penetration testing of the internal IT infrastructure, dual-homed hosts (IT & OT), and ICS infrastructure. The ICS infrastructure is tested with very limited actions to ensure that it does not disrupt, at all, these highly sensitive environments.
⏳ Average time required : 10 days for a < 500 employee company
💸 From : 5000 € excl. VAT
WEB APPLICATIONS
In this test, we analyze application vulnerabilities based on the OWASP Top 10, such as SQL injection, Cross-site Scripting (XSS), user input validation, or vulnerable management interfaces.
We offer several approaches: Black Box, Gray Box & White Box. The Gray Box approach is often the best option in terms of optimizing the time spent compared to the added value provided by the pentest.
The Gray box approach simulates an attack from the perspective of an authorized and unauthorized user. These tests involve the use of specifically provided accounts to identify vulnerabilities in application logic, such as checking for unauthorized access to other users’ information.
In comparison, the White Box approach also includes source code review, while the Black Box approach does not require the provision of any identifiers or source code.
⏳ Average time required : 6 days / app
💸 From : 3000 € excl. VAT / app
MOBILE APPLICATIONS
This test targets the security of mobile applications on smartphones and tablets, concerning the communication between the mobile application and the back-end application environment.
For this purpose, we will do a specific application security test for the communication with the back end and a source code security test for the application.
⏳ Average time required : 8 days / application
💸 From : 4000 € excl. VAT / application
Wi-Fi
A Wi-Fi security test simulates an attack on a wireless network. We will enter one or more sites with a specially prepared laptop to identify vulnerabilities in the existing Wi-Fi technology, at several strategic points if necessary. For example, we will attempt to crack the password used, or to identify vulnerabilities in the encryption protocol used.
⏳ Average time required : 3 days / AP
💸 From : 1500 € excl. VAT / AP
PASSWORD CRACKING
In this test, we evaluate the strength of the passwords that end users may have chosen. To perform this test, we work closely with the client to obtain an extract of the password hashes of selected users.
We then try to “crack” these hashes, providing insight into the chosen passwords and associated statistics (e.g. defining how many passwords can be guessed in a set time).
⏳ Average time required : 2 days / 500 hashs
💸 From : 1000 € excl. VAT / 500 hashs
THEORETICAL AUDIT
A pentest is an advanced method that simulates real attacks in order to identify specific vulnerabilities. But without a prior global understanding of potential threats and existing protections, its results may lack context and relevance.
A theoretical analysis of the security measures in place can reveal gaps and weaknesses that require immediate attention. Once this basis is established, a pentest can be used in a more targeted and effective way. This will validate the assumptions and conclusions of the initial assessment, providing more accurate and actionable results to strengthen the overall security posture of the enterprise.
⏳ Average time required : 2 days
💸 From : 1000 € excl. VAT