A French company, a European commitment

TEHTRIS solutions are entirely developed in France and hosted in Europe. Discover the values of excellence and innovation that drive our teams.

Pentest

Our experts perform advanced technical operations such as penetration tests that simulate cyber-espionage operations under an ethical-hacking contract. These simulations can be:

  • Restricted to a single application, in order to find any vulnerability that lets an attacker grant themselves additional rights, access sensitive data, and so on.
  • Extended to the entire network and the internal and/or external infrastructure, in order to map the attack surface, find infrastructure vulnerabilities and show how an attacker would find and chain several vulnerabilities to compromise the network and its data.

To illustrate, here are some examples of topics and environments addressed in recent years during digital security projects or security assessments through intrusion tests:

  • Advanced Persistent Threat (APT) and in-depth hacking
  • Exfiltration of sensitive data out of the infrastructure, past proxies, DLP, etc.
  • Servers, workstations, applications, Windows Active Directory, UNIX, etc.
  • Web applications, APIs, Docker environments, cloud environments (AWS, Kubernetes, etc.)
  • Limitations of protection tools: antivirus, firewall, anti-spyware, proxy, NAC, etc.
  • SCADA (plants), supercomputing (infrastructures), CCTV (network cameras)
  • LAN, DMZ, VPN, web, VoIP, Wi-Fi, databases, etc.
  • Mobile fleet and tablet management (MDM, Mobile Device Management)
  • Old-school PBX/PABX infrastructures

Remote pentest

On-site pentest

On-demand 0day research for critical products

Some examples of vulnerabilities discovered by TEHTRIS, shared directly with the affected vendors

MISP before version 2.4.146 is affected by a stored XSS vulnerability via the “share groups” menu.

https://github.com/MISP/MISP/commit/01521d614cb578de75a406394b4f0426f6036ba7

The plugin did not validate a redirect parameter in a specially crafted URL before redirecting the user to it, leading to an open redirect issue.

The plugin did not properly check that the user requesting a password reset was the legitimate account owner, allowing an attacker to have the WordPress site send an arbitrary password-reset email to any registered user. This issue could be chained with an open redirect (https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d) in versions below 4.1.10 to include a crafted password-reset link in the email, leading to account takeover.

The plugin did not validate a redirect parameter in a specially crafted URL before redirecting the user to it, leading to an open redirect issue.

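The three entries above share one root cause: a redirect parameter taken from the request and used without checking that it stays on the site. The following is an added example (not code from any of the plugins or advisories listed on this page, nor from TEHTRIS) that puts the kind of check that fails beside a hardened one. `SITE_ORIGIN`, the function names and the sample redirect values are assumptions constructed for the illustration; the hardened check also covers the bypasses a tester reaches for first (scheme-relative `//host`, backslash and whitespace confusables, `https:host` without slashes, and host-name suffix tricks), which goes beyond the single crafted URL the advisories mention.

```python
"""Validating a redirect parameter: a naive check beside a hardened one.

Constructed example for this page; it is not the code of any plugin listed
above. SITE_ORIGIN is an assumed application origin.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://example.com"  # assumption: the origin the app serves


def naive_is_safe(redirect: str) -> bool:
    """The kind of check that produces an open redirect.

    Both tests are bypassable: '//evil.com' starts with '/', and
    'https://example.com.evil.com/' contains our host name.
    """
    return redirect.startswith("/") or "example.com" in redirect


def safe_redirect_target(redirect: str, fallback: str = "/") -> str:
    """Return an absolute URL on SITE_ORIGIN, or `fallback` if the
    parameter cannot be proven to stay on-site.

    Only site-relative paths (a single leading '/') are accepted; everything
    else, including scheme-relative '//host', 'https:host' (no slashes) and
    backslash or whitespace tricks, falls back.
    """
    if not redirect:
        return fallback
    # Browsers treat '\' in the authority like '/', so normalise before parsing.
    candidate = redirect.replace("\\", "/")
    # Whitespace and control characters are where URL parsers disagree.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return fallback
    parts = urlsplit(candidate)
    # Any scheme ('https:', 'javascript:') or authority ('//host') is off-site.
    if parts.scheme or parts.netloc:
        return fallback
    # Exactly one leading slash: '//host' and '///host' are authority forms.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    # Belt and braces: the resolved URL must still point at our origin.
    origin = urlsplit(SITE_ORIGIN)
    final = urlsplit(resolved)
    if (final.scheme, final.netloc) != (origin.scheme, origin.netloc):
        return fallback
    return resolved


def demo() -> dict:
    """Run both checks over a handful of constructed redirect values."""
    samples = [
        "/account?tab=security",          # legitimate on-site path
        "//evil.com/",                    # scheme-relative, naive check passes
        "/\\evil.com",                    # backslash confusable, naive check passes
        "https:evil.com",                 # scheme without slashes
        "https://example.com.evil.com/",  # host-name suffix trick
        "javascript:alert(1)",
        "/\t/evil.com",
    ]
    return {s: (naive_is_safe(s), safe_redirect_target(s)) for s in samples}


if __name__ == "__main__":
    for value, (naive, hardened) in demo().items():
        print(f"{value!r:36} naive={naive!s:5} hardened={hardened}")
```

The design choice worth noting is that the hardened function never returns the attacker's string unchanged: it either rebuilds an absolute URL on the site's own origin or returns the fallback, so the password-reset chain described above (an attacker-controlled link embedded in a legitimate email) has nothing to attach to.
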
Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 contain a vulnerability that could allow an unprivileged, authenticated user to achieve remote code execution (RCE) on the Tenable.sc server via PHP deserialization.

The URL carrying the web client's sharing details was vulnerable to XSS. An attacker could use it for social engineering and to impersonate an authenticated user.

SolarWinds Serv-U before 15.2.2 allows unauthenticated macro injection. Together, these two vulnerabilities allow an unauthenticated attacker to recover user passwords in clear text.

An untrusted search path vulnerability in product.console.exe, as shipped in Bitdefender Endpoint Security Tools for Windows and Endpoint Security SDK, allows a local attacker to escalate privileges.

This issue affects Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.18.261 and Endpoint Security SDK versions prior to 6.6.18.261.

Reference: https://www.bitdefender.com/support/security-advisories/improper-authentication-vulnerability-bitdefender-endpoint-security-tools-endpoint-security-sdk-va-8646/

A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10374
https://www.paessler.com/prtg/history/stable

A vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Trade Management component of Oracle E-Business Suite. The attack requires human interaction and, although the vulnerability lies in the Oracle Trade Management component, it significantly impacts other components. Successful exploitation gives unauthorized access to critical data, or even full access to all data accessible to the Oracle Trade Management module, as well as unauthorized read, write and modify access to that data.

Reference: https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html

A vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the CRM Technical Foundation component of Oracle E-Business Suite. The attack requires human interaction and, although the vulnerability lies in the Oracle CRM Technical Foundation component, it significantly impacts other components. Successful exploitation gives unauthorized access to critical data, or even full access to all data accessible to the Oracle CRM Technical Foundation module, as well as unauthorized read, write and modify access to that data.

Reference: https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html

A vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Applications Manager component of Oracle E-Business Suite. Successful exploitation gives unauthorized access to critical data, or even full access to all data accessible to the Oracle Applications Manager module.

Reference: https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html

A vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Trade Management component of Oracle E-Business Suite. The attack requires human interaction and, although the vulnerability lies in the Oracle Trade Management component, it significantly impacts other components. Successful exploitation gives unauthorized access to critical data, or even full access to all data accessible to the Oracle Trade Management module, as well as unauthorized read, write and modify access to that data.

Reference: https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html

Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise prior to version 4.1.6.13 allow attackers to inject HTML and arbitrary JavaScript content via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter on share/page/task-edit.

Reference: https://www.kb.cert.org/vuls/id/537684/

McAfee Enterprise Mobility Manager (EMM) Agent before version 4.8 and Server before version 10.1 are vulnerable when single-provisioning mode (OTP) is enabled. They rely unduly on DNS SRV records, which makes it easier for remote attackers to discover user passwords, as demonstrated with a password entered on an iOS device.

Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4587

Zenprise Device Manager is mobile device management (MDM) software used to manage a company's fleet of mobile devices. The web interface of Zenprise Device Manager is vulnerable to cross-site request forgery (CSRF). A successful CSRF attack against an administrator user allows a remote attacker to execute commands as an administrator on any device managed by Zenprise Device Manager.

Reference: https://www.kb.cert.org/vuls/id/584363/

A stack overflow exists in CFNetwork's URL handling code. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. The issue was addressed through improved memory handling.

Reference: https://support.apple.com/en-us/HT4225

Overflow vulnerabilities in Research In Motion (RIM) BlackBerry devices prior to version 6.0.0 allow remote attackers to cause, at a minimum, a denial of service (browser hang) via a crafted web page.

Reference: https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000024841

Example of an attack scenario simulated by TEHTRIS to identify IT risks for a customer

The test is defined as a black-box test from the Internet, simulating an external attacker. No information is given other than the company's external IP ranges. In a few days, TEHTRIS can:

  • Perform reconnaissance on the company's external IP ranges to enumerate the exposed assets (IPs, operating systems, applications, domains, etc.)
  • Find several pre-authentication vulnerabilities in the exposed applications that allow command execution on the backend operating systems
  • Bypass the security solutions on the exposed web servers (WAF, antivirus, firewalls, etc.) and deploy post-exploitation tools in order to pivot into the internal network
  • Scan the internal network from one of the compromised web servers for a quick reconnaissance phase
  • Discover vulnerabilities in internal applications
  • Pivot and escalate privileges within the Active Directory domain
  • Obtain “Domain Administrator” privileges on the Active Directory


At the end of the test, a meeting is held with the client to discuss the problems identified and possible improvements. A detailed report containing the exploited vulnerabilities and recommendations for patches, mitigations and infrastructure improvements is delivered to the client.
