Pentest

Our experts carry out advanced technical operations such as intrusion tests that simulate cyber-espionage operations under an ethical hacking contract. These simulations can be:

  • Restricted to a particular application, to discover any vulnerability that would let an attacker grant themselves specific rights, access sensitive data, etc.
  • Extended to the entire network and the internal and/or external infrastructure, to analyze the exposed attack surface, find infrastructure vulnerabilities and show how an attacker would find and chain multiple vulnerabilities to compromise the network and its data.

To illustrate, here are some examples of topics and environments addressed in recent years during digital security projects or security assessments through intrusion tests:

  • Advanced Persistent Threat (APT) & in-depth hacking
  • Exfiltration of sensitive data out of the infrastructure, past proxies, DLP, etc.
  • Servers, workstations, applications, Windows Active Directory, UNIX, etc.
  • Web applications, APIs, Docker environments, cloud applications (AWS, Kubernetes, etc.)
  • Limitations of protection tools: antivirus, firewall, anti-spyware, proxy, NAC, etc.
  • SCADA (plants), supercomputing (infrastructures), CCTV (network cameras)
  • LAN, DMZ, VPN, web, VoIP, Wi-Fi, databases, etc.
  • Mobile fleet and tablet management (MDM, Mobile Device Management)
  • Old-school PBX / PABX infrastructures

Remote Pentest

On-site Pentest

On-demand 0day research for critical products

Some examples of vulnerabilities discovered by TEHTRIS and shared directly with the affected vendors:

A stack overflow exists in the CFNetwork URL handling code. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. The issue was addressed through improved memory handling.

Reference: https://support.apple.com/en-us/HT4225

Overflow vulnerabilities in Research In Motion (RIM) BlackBerry devices prior to version 6.0.0 allow remote attackers to cause (at a minimum) a denial of service (browser hang) via a crafted web page.

Reference: https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000024841

McAfee Enterprise Mobility Manager (EMM) Agent before version 4.8 and Server before version 10.1 are vulnerable when one-time provisioning (OTP) mode is enabled. They rely unduly on DNS SRV records, which makes it easier for remote attackers to discover user passwords, as demonstrated by a password entered on an iOS device…

Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4587

Zenprise Device Manager is mobile device management (MDM) software used to manage a company's mobile device fleet. The web interface of Zenprise Device Manager is vulnerable to cross-site request forgery (CSRF). A successful CSRF attack against an administrator user allows a remote attacker to execute commands as an administrator on any device managed by Zenprise Device Manager.

Reference: https://www.kb.cert.org/vuls/id/584363/

Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise prior to version 4.1.6.13 allow attackers to inject arbitrary HTML and JavaScript via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter on share/page/task-edit.

Reference: https://www.kb.cert.org/vuls/id/537684/
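The two web-application findings above (the Zenprise CSRF and the Alfresco XSS) are both addressed on the server side: state-changing requests must prove they came from the application's own pages, and untrusted parameters such as taskId must be output-encoded before they reach HTML. The following is an added illustration written for this page; it is not TEHTRIS code nor the affected vendors' code. It assumes a hypothetical session and request model, a placeholder site origin, and a synchronizer-token CSRF check with an Origin/Referer fallback; the sample inputs are constructed.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Placeholder origin of the protected web interface (assumption for this example).
TRUSTED_ORIGIN = "https://mdm.example.test"


@dataclass
class Session:
    """Hypothetical server-side session; the CSRF token is bound to it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Hypothetical inbound HTTP request (method, path, headers, form fields)."""
    method: str
    path: str
    headers: dict
    form: dict


def origin_allowed(headers: dict) -> bool:
    """Reject state-changing requests whose source page is another site.

    Prefer the Origin header; fall back to the Referer host; fail closed
    when neither is present, since a CSRF page may strip both.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == TRUSTED_ORIGIN


def csrf_check(session: Session, request: Request) -> bool:
    """Synchronizer-token check: safe methods pass, others need origin + token."""
    if request.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # must not change state by design, so no token required
    if not origin_allowed(request.headers):
        return False
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def render_task_edit(task_id: str) -> str:
    """Place an untrusted parameter into an HTML attribute with encoding applied."""
    return f'<input name="taskId" value="{html.escape(task_id, quote=True)}">'


if __name__ == "__main__":
    admin = Session(user="admin")
    # Constructed legitimate request: same origin, token matches the session.
    legit = Request("POST", "/devices/lock", {"Origin": TRUSTED_ORIGIN},
                    {"csrf_token": admin.csrf_token})
    # Constructed forged request: submitted from another site, token unknown.
    forged = Request("POST", "/devices/lock", {"Origin": "https://other.example.test"},
                     {"csrf_token": "guess"})
    print("legit allowed:", csrf_check(admin, legit))
    print("forged allowed:", csrf_check(admin, forged))
    print(render_task_edit('"><b>injected</b>'))
```

The origin check alone is not sufficient (some clients omit both headers, and the fallback then rejects legitimate traffic), which is why the per-session token remains the primary control; the two checks together cover the case the CERT advisory describes, an administrator's browser being driven to issue a privileged request from a page the attacker controls.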

A vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Trade Management component of Oracle E-Business Suite. The attack requires human interaction and, although the vulnerability lies in the Oracle Trade Management component, its impact extends significantly to other components. Successful exploitation gives unauthorized access to critical data, or even complete access to all data reachable through the "Oracle Trade Management" module, as well as unauthorized read, write and modify access to that data.

Reference: https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html

A vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the "CRM Technical Foundation" component of Oracle E-Business Suite. The attack requires human interaction and, although the vulnerability lies in the Oracle CRM Technical Foundation component, its impact extends significantly to other components. Successful exploitation gives unauthorized access to critical data, or even complete access to all data reachable through the "Oracle CRM Technical Foundation" module, as well as unauthorized read, write and modify access to that data.

Reference: https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html

A vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Applications Manager component of Oracle E-Business Suite. Successful exploitation gives unauthorized access to critical data, or even complete access to all data reachable through the "Oracle Applications Manager" module.

Reference: https://www.oracle.com/technetwork/topics/security/cpujul2018-4258247.html

Example of a simulated attack scenario by TEHTRIS to identify IT risks for a customer

The test is defined as a black-box test conducted from the Internet to simulate an external attacker. No information is provided other than the company's external IP ranges. In a few days, TEHTRIS can:

  • Perform reconnaissance on the company's external IP ranges to enumerate the exposed assets (IPs, operating systems, applications, domains, …)
  • Find several pre-authentication vulnerabilities on exposed applications that allow command execution on the backend operating systems
  • Bypass the security solutions protecting the exposed web servers (WAF, antivirus, firewalls, etc.) and deploy post-exploitation tools to pivot into the internal network
  • Scan the internal network from one of the web servers for a quick reconnaissance phase
  • Discover vulnerabilities in internal applications
  • Pivot and escalate privileges within the Active Directory domain
  • Obtain "Domain Administrator" privileges on Active Directory

At the end of the test, a meeting is held with the client to discuss the various problems identified and possible improvements. A detailed report containing the exploited vulnerabilities, together with recommendations on patches, mitigations and infrastructure improvements, is delivered to the client.