External Penetration Testing
& Internal Threat Analysis

[RE]DESIGN Group’s Penetration Testing leverages an in-depth methodology that combines commercial-grade tools with custom tools and scripts designed to ensure thorough analysis of the systems in scope. [RE]DESIGN Group begins with a discovery phase, using proprietary methods and open source tools to establish a comprehensive view of Client's network, systems, and applications.


Multiple automated scanning tools are combined with manual testing and manual examination of results. This process identifies potential weaknesses that may exist within the network. [RE]DESIGN Group will perform penetration testing on web applications discovered from an unauthenticated perspective, identifying weaknesses including those defined in the OWASP Top 10 application vulnerability categories.

If [RE]DESIGN Group is able to obtain a foothold on the network, it will attempt to escalate privileges and compromise additional systems. Using this expanded access, [RE]DESIGN Group will seek to locate and exfiltrate sensitive data.

Vulnerability data observed during testing is imported into [RE]DESIGN Group’s proprietary penetration testing framework, which correlates and normalizes the results. This process helps ensure all potential areas for access or exploitation are evaluated and assessed for proper severity.


[RE]DESIGN Group will perform validation through a targeted penetration test that focuses on critical and high risk vulnerabilities. Exploitation of these vulnerabilities often yields access to critical systems and sensitive information vital to Client.


Upon completion of testing, the consultants collect assessment findings in a customized report designed to provide detailed, actionable information while eliminating false positives. This information is presented to Client in a format that is valuable to both non-technical and technical audiences.


Discovery Phase

[RE]DESIGN Group will gather information from a variety of sources to gain familiarity with Client's network. The discovery phase focuses on building a comprehensive list of live hosts: the goal is to obtain as much information about the organization’s Internet-facing assets as possible. [RE]DESIGN Group uses a variety of checks and data sources to identify live systems that would be missed by more basic host identification tests. Identifying obscure hosts can surface additional areas of concern: these hosts and services may be unknown to Client, may not be tested during routine assessments, and may contain additional vulnerabilities because they were inadvertently excluded from organizational policies such as patch management and system hardening. [RE]DESIGN Group will:

  • Interrogate DNS servers to determine the enterprise's footprint.

  • Utilize public search engines including Bing API to resolve hostnames to IP addresses.

  • Leverage traceroute output for in-scope hosts.

  • Perform host and service discovery scans through TCP, UDP, and ICMP protocols to locate and enumerate live hosts.

  • All live hosts identified during the discovery phase will be used to establish the list of in-scope hosts for additional phases of the security assessment.
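As an added illustration of the TCP host and service discovery step above (example code written for this page, not [RE]DESIGN Group's tooling): a small concurrent connect-scan that merges resolved names into one de-duplicated target list, distinguishes hosts that answer a probe with a reset from hosts that never answer at all, and keeps the silent ones on a list for a follow-up ICMP/UDP pass instead of dropping them. The local listener and the 192.0.2.1 address are constructed stand-ins so the script runs offline; ICMP and UDP sweeps, which need raw sockets, are not shown.

```python
"""TCP host and service discovery with target consolidation (added example).

Assumptions: hostnames come from the DNS / search-engine / traceroute steps;
a throwaway local listener stands in for a live target so this runs offline.
ICMP and UDP sweeps (raw sockets, usually root) are deliberately out of scope.
"""
import concurrent.futures
import ipaddress
import socket
import threading


def resolve_targets(names):
    """Resolve hostnames to IPv4 addresses and de-duplicate; literal IPs pass through.

    Unresolvable names are dropped rather than aborting the sweep: a stale DNS
    record is itself worth noting, but it must not stop discovery of the rest.
    """
    addrs = set()
    for name in names:
        try:
            addrs.add(str(ipaddress.ip_address(name)))
            continue
        except ValueError:
            pass
        try:
            for info in socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM):
                addrs.add(info[4][0])
        except socket.gaierror:
            pass
    return sorted(addrs, key=ipaddress.ip_address)


def tcp_probe(host, port, timeout=0.5):
    """Full TCP connect probe. 'closed' means a RST came back (the host is alive);
    'filtered' means nothing answered before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return host, port, "open"
        except ConnectionRefusedError:
            return host, port, "closed"
        except OSError:  # timeout, unreachable, no route
            return host, port, "filtered"


def discover(hosts, ports, workers=64, timeout=0.5):
    """Probe every host:port pair concurrently and return {host: {port: 'open'}}
    for every host that answered (open or RST) on at least one port. A host
    that is 'filtered' everywhere is not proven absent; see unresponsive()."""
    states = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(tcp_probe, h, p, timeout) for h in hosts for p in ports]
        for fut in concurrent.futures.as_completed(futures):
            host, port, state = fut.result()
            states.setdefault(host, {})[port] = state
    return {
        host: {p: s for p, s in seen.items() if s == "open"}
        for host, seen in states.items()
        if any(s != "filtered" for s in seen.values())
    }


def unresponsive(hosts, live):
    """Hosts that gave no TCP answer at all: candidates for the ICMP/UDP pass."""
    return [h for h in hosts if h not in live]


def start_listener(host="127.0.0.1"):
    """Throwaway TCP service so the sweep has something to find offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port(host="127.0.0.1"):
    """A port that is almost certainly closed right now (bound, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    open_port, _srv = start_listener()
    # 192.0.2.1 is RFC 5737 documentation space: a constructed host that never answers.
    targets = resolve_targets(["127.0.0.1", "localhost", "192.0.2.1"])
    live = discover(targets, [open_port, free_port(), 22, 80, 443])
    for host, services in live.items():
        print(host, "live, open ports:", sorted(services))
    print("no TCP answer (needs ICMP/UDP pass):", unresponsive(targets, live))
```

Keeping "closed" separate from "filtered" is the point the paragraph makes: a host that answers every probed port with a reset is live and belongs on the in-scope list even though nothing is open, whereas a host that never answers has only been shown to be unreachable over TCP from this vantage point.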


Threat Identification Phase

During the Threat Identification Phase, [RE]DESIGN Group will perform a complete analysis of the exposed attack surface of all in-scope hosts identified in the discovery phase and will establish threats that exist by identifying software and configuration information that can be leveraged in an attack. This includes detecting:

  • Operating system and device types that may have known weaknesses

  • Accessible ports, service types, and specific software versions installed

  • Device configurations and accessible files

  • Insecure protocols accessible

  • Locally exposed broadcast and multicast traffic, their underlying protocols, and notable configuration settings (Internal network only)

  • “VirtualHost” enumeration to expose additional application attack surface

  • Exposed web applications and their underlying programming languages that may have known systemic weaknesses

  • Management interfaces accessible

  • Databases and backend services accessible

This threat data is imported into a proprietary software framework where it is normalized, processed and reviewed to produce a testing workflow. This allows for efficient inspection of all identified hosts and services, while enabling the consultant to thoroughly examine Client's exposed threats and accessible attack surface.
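The “VirtualHost” enumeration item above, as an added example that is not code from the original page or from [RE]DESIGN Group: the tester already has the IP on the in-scope list and wants to know which names the web server itself distinguishes, including ones with no DNS record. The script takes a baseline response using a random, nonexistent hostname, then re-sends the request with each candidate in the Host header and keeps any that answer differently. The local server with three vhosts under example.test is constructed so the example runs offline; in an engagement the candidate labels come from DNS, certificate SANs and a wordlist.

```python
"""Name-based virtual host enumeration by Host-header probing (added example).

Assumptions: the target IP is already in scope; candidate labels come from DNS,
certificate SANs or a wordlist; the constructed local server below, with three
hypothetical vhosts under example.test, stands in for a real target.
"""
import http.client
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: a catch-all default site plus three name-based vhosts.
VHOSTS = {
    "www.example.test": (200, b"<html>Public marketing site</html>"),
    "intranet.example.test": (401, b"Authentication required"),
    "git.example.test": (200, b"<html>Git web frontend</html>"),
}
DEFAULT_SITE = (200, b"<html>It works!</html>")


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT_SITE)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_target():
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fingerprint(ip, port, hostname, path="/", timeout=5):
    """(status, body length) for a request sent to ip:port with an explicit Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def enumerate_vhosts(ip, port, domain, labels):
    """Compare each candidate against a baseline taken with a random, nonexistent name.

    Anything that answers differently from the catch-all is a name the server
    knows about, whether or not a DNS record points at it.
    """
    bogus = "".join(random.choices(string.ascii_lowercase, k=12)) + "." + domain
    baseline = fingerprint(ip, port, bogus)
    found = {}
    for label in labels:
        name = f"{label}.{domain}"
        fp = fingerprint(ip, port, name)
        if fp != baseline:
            found[name] = fp
    return baseline, found


if __name__ == "__main__":
    target = start_target()
    ip, port = target.server_address
    baseline, found = enumerate_vhosts(ip, port, "example.test",
                                       ["www", "mail", "intranet", "vpn", "git", "dev"])
    print("baseline (catch-all):", baseline)
    for name, (status, size) in sorted(found.items()):
        print(f"{name:28s} {status} {size} bytes")
```

Comparing (status, body length) is enough against this constructed server; real sites with dynamic content need a normalized body hash or a similarity threshold. Over HTTPS the candidate name must also go into the TLS SNI extension, since many servers pick the certificate and virtual host from SNI before they read the Host header.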



Examination Phase

[RE]DESIGN Group will perform automated vulnerability testing to identify potential threats that exist within Client's network. Manual testing is also performed using the data discovered during the threat identification phase. Manual testing evaluates the exposed attack surface, identifying items that automated tools may miss (often services running on non-standard ports). The objective of this phase is to identify potential security findings that affect Client's overall security posture.

  • Identify and analyze insecure protocols in use

  • Scan hosts and services for known network vulnerabilities

  • Identify vulnerabilities that exist within the OWASP Top 10 list by performing manual and automated penetration testing techniques against accessible web applications

  • Manually review and interact with hosts, services, and applications for vulnerabilities not revealed by automated tools

  • Analyze publicly exposed data or data obtained through testing for sensitive information

  • Analyze results and validate issues to reduce false-positive vulnerabilities

  • Classify targets based on vulnerability severity and underlying root cause

[RE]DESIGN Group uses the information gathered during this examination phase to update the previously established threats with any identified vulnerabilities. This additional data is also added to the centralized database to help ensure all systems are thoroughly examined.


Attack Vector Phase

[RE]DESIGN Group will review the identified threats and vulnerabilities to determine their impact on Client's overall security posture. This validation is performed through targeted penetration testing that focuses on critical and high risk findings. Exploitation of these findings often yields access to critical systems and sensitive information vital to Client operations. The objective of this phase is to provide the organization with a clear understanding of the overall severity associated with the identified findings.

  • Manual effort to exploit vulnerabilities

  • Leverage exploited and compromised systems to gain additional knowledge of the network infrastructure

  • Identify sensitive data or additional post-exploitation weaknesses that are exposed as a result of a system compromise

  • Analyze the compromised systems, looking for exposed credentials or sensitive information that can be used in the post-exploitation phase to increase privileges and access throughout the environment


Post-Exploitation Phase

[RE]DESIGN Group will review the obtained access and credentials to identify paths that could lead to sensitive data or intellectual property. Post-exploitation activities often include:

  • Identify privileged users logged into the network and attempt to inject into their running processes to inherit escalated privileges

  • Search exposed network shares from compromised hosts to identify and access sensitive information

  • Exploit overly permissive access rights, password reuse, and domain trusts

  • Exfiltrate sensitive data or intellectual property

The Attack Vector and Post-Exploitation phases validate the overall risk exposure and attack surface. [RE]DESIGN Group will not perform penetration testing activities outside the agreed testing windows, unless otherwise documented in the scoping considerations.

[RE]DESIGN Group’s technical process uses non-destructive testing techniques (i.e., systems remain unaltered: files will not be deleted and accounts will not be created). Denial-of-Service (DoS) attacks will not be used unless specifically requested.

Prior to beginning the Attack Vector Phase, [RE]DESIGN Group will notify Client of any testing that may result in a crashed service or an outage risk. It is important to note that penetration testing and threat analysis always pose an intrinsic risk that a vulnerable service may become unavailable. [RE]DESIGN Group takes extensive safeguards to limit these risks.


Wireless Infrastructure Testing

The Wireless Infrastructure testing will identify specific risks associated with wireless communications. During testing, [RE]DESIGN will take a wireless footprint of Client's environment to identify all access points that belong to the enterprise. The encryption types used across the wireless environment are also determined at this time, and key targets are selected for attack. If unencrypted networks are observed, cleartext transmissions can be sniffed and reassembled in an attempt to identify user credentials and sensitive information.

[RE]DESIGN will initiate several attacks depending on the wireless environment. If weak protocols are discovered, active attacks will be run in an attempt to break the encryption on the affected networks. These attacks may include man-in-the-middle attacks, brute-force attacks, session hijacking, and mass de-authentication. If the tested wireless network is found to be using enterprise grade authentication, [RE]DESIGN will perform tests against the wireless clients themselves in order to determine if these devices are being configured properly.


If [RE]DESIGN achieves access to Client's wireless environment, an assessment is performed on the network’s endpoints. Checks are made for proper segmentation between wireless networks and the trusted internal network.


Wireless Infrastructure Discovery Phase

[RE]DESIGN will begin with limited knowledge of the wireless infrastructure. No credentials will be provided at the outset. The testing is designed to simulate a real-world attack on Client's wireless network. [RE]DESIGN will analyze the wireless networks in use to identify the security controls in place. [RE]DESIGN will perform the following items as part of wireless discovery:

  • Locate and analyze wireless access points in use by Client

  • Analyze encryption algorithms configured on Client's wireless infrastructure to identify weaknesses

  • Determine authentication mechanisms (RADIUS or other) in use within the wireless infrastructure
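For the two items above on analyzing the access points' encryption algorithms and authentication mechanisms, an added example (not the original page's content or [RE]DESIGN's tooling) that performs the classification from beacon frames. A beacon advertises whether Privacy is enabled, and the RSN information element (tag 48) or the older WPA vendor element (tag 221) lists the cipher suites and the authentication and key management (AKM) suite: 802.1X means RADIUS-backed enterprise authentication, PSK means a pre-shared key. The sample beacons and their SSIDs are constructed inline; in an engagement the frame bodies come from a monitor-mode capture.

```python
"""Classify the security advertised by 802.11 beacon frames (added example).
Input is a beacon frame body (timestamp | interval | capability | information
elements) as pulled from a monitor-mode capture; the sample beacons below are
constructed inline so the script runs offline without a radio."""
import struct

RSN_OUI = b"\x00\x0f\xac"       # 802.11i RSN suite selectors (RSN IE, tag 48)
WPA_OUI = b"\x00\x50\xf2"       # WPA v1 vendor IE (tag 221, OUI type 1)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}  # other AKMs (e.g. SAE = 8) are reported by number
PRIVACY_BIT = 0x0010            # capability info bit 4

def parse_ies(data):
    """Yield (tag, value) from a TLV run of information elements; stop at a truncated one."""
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break
        yield tag, value
        i += 2 + length

def parse_suite_list(data, oui):
    """Decode version | group suite | n | pairwise suites | n | AKM suites (same layout in RSN and WPA)."""
    def suite(off, table):
        sel = data[off:off + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite selector")
        name = table.get(sel[3], f"unknown({sel[3]})") if sel[:3] == oui else f"vendor({sel.hex()})"
        return name, off + 4

    def suite_list(off, table):
        count = struct.unpack_from("<H", data, off)[0]
        names, off = [], off + 2
        for _ in range(count):
            name, off = suite(off, table)
            names.append(name)
        return names, off

    group, off = suite(2, CIPHERS)  # bytes 0-1 hold the version field
    pairwise, off = suite_list(off, CIPHERS)
    akm, _ = suite_list(off, AKMS)
    return {"group": group, "pairwise": pairwise, "akm": akm}

def classify_beacon(body):
    """Return SSID, security mode, advertised suites and the weaknesses a tester would flag."""
    privacy = bool(struct.unpack_from("<H", body, 10)[0] & PRIVACY_BIT)
    ssid, rsn, wpa, suites = None, None, None, None
    for tag, value in parse_ies(body[12:]):
        try:
            if tag == 0:
                ssid = value.decode("utf-8", "replace")
            elif tag == 48:
                rsn = parse_suite_list(value, RSN_OUI)
            elif tag == 221 and value[:4] == WPA_OUI + b"\x01":
                wpa = parse_suite_list(value[4:], WPA_OUI)
        except (struct.error, ValueError):
            pass  # malformed element from a buggy or hostile AP: skip it, keep the rest
    if not privacy:
        security = "Open"
    elif rsn or wpa:  # mixed-mode APs carry both; the RSN (WPA2) element is what matters
        generation, suites = ("WPA2", rsn) if rsn else ("WPA", wpa)
        auth = "Enterprise" if "802.1X" in suites["akm"] else "PSK" if "PSK" in suites["akm"] else "unknown-AKM"
        security = f"{generation}-{auth}"
    else:
        security = "WEP"  # Privacy bit set but neither RSN nor WPA element present
    weaknesses = {"Open": ["no encryption: traffic and credentials observable in cleartext"],
                  "WEP": ["WEP: key recoverable from captured traffic"]}.get(security, [])
    if suites and ("TKIP" in suites["pairwise"] or suites["group"] == "TKIP"):
        weaknesses.append("TKIP cipher enabled (deprecated)")
    if suites and "PSK" in suites["akm"]:
        weaknesses.append("pre-shared key: a captured 4-way handshake can be attacked offline")
    return {"ssid": ssid, "privacy": privacy, "security": security, "suites": suites, "weaknesses": weaknesses}

# --- builders for the constructed sample beacons (not captured frames) ---
def ie(tag, value):
    return bytes([tag, len(value)]) + value

def suite_fields(oui, group, pairwise, akms):
    data = struct.pack("<H", 1) + oui + bytes([group])
    data += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
    return data + struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)

def rsn_ie(group, pairwise, akms):
    return ie(48, suite_fields(RSN_OUI, group, pairwise, akms) + struct.pack("<H", 0))  # + RSN capabilities

def wpa_ie(group, pairwise, akms):
    return ie(221, WPA_OUI + b"\x01" + suite_fields(WPA_OUI, group, pairwise, akms))

def build_beacon(ssid, privacy, extra_ies=b""):
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)  # ESS, plus Privacy when encrypted
    return struct.pack("<QHH", 0, 100, capability) + ie(0, ssid.encode()) + extra_ies

if __name__ == "__main__":
    samples = [build_beacon("GuestWiFi", False), build_beacon("Legacy-Scanner", True),
               build_beacon("Corp-IoT", True, rsn_ie(4, [4], [2])),
               build_beacon("Corp-Secure", True, rsn_ie(4, [4], [1])),
               build_beacon("Warehouse", True, wpa_ie(2, [2], [2]))]
    for r in map(classify_beacon, samples):
        print(f"{r['ssid']:16s} {r['security']:16s} {'; '.join(r['weaknesses']) or 'no obvious weakness'}")
```

WPA3's SAE AKM (type 8 under the RSN OUI) is outside the page's WEP/WPA/WPA2 scope and is reported as unknown(8) rather than misclassified, and a truncated or malformed element is skipped so a hostile or buggy access point cannot crash the parser.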


Wireless Client Attack Phase

[RE]DESIGN will examine the client devices connected to Client's wireless network. The wireless clients will be analyzed to determine any of the following configurations that may be leveraged by the consultant:

  • Observe and identify wireless clients connected to Client's SSIDs

  • Identify SSID probe requests coming from wireless clients

  • Analyze other broadcast traffic from wireless clients


Wireless Infrastructure Attack Phase

[RE]DESIGN will determine if the security measures in place can be bypassed or circumvented. [RE]DESIGN will leverage both automated tools along with custom-made tools to ensure a thorough analysis. This includes all radios in use for the wireless network, including client devices and access points.

  • Establish custom tests to evaluate the strength of specific encryption and authentication settings in place

  • Test the strength of filters in use to restrict access from the wireless network

  • Analyze the traffic of wireless clients and test the strength of client wireless security controls

  • Perform penetration testing, developing attack vectors based on identified wireless network security safeguards; sample attack vectors include:

    • Evil-Twin attacks through SSID impersonation

    • Attack and penetration of networks encrypted with WEP, WPA-PSK and WPA2-PSK

    • Man-in-the-Middle (MiTM) attack replication

    • Automated wireless traffic sniffing for finding streams of sensitive data

    • Client configuration attacks (probing clients, authentication challenge, excessive broadcast information)

    • Identify public and private guest network weaknesses

For pricing information and to schedule your Penetration Test & Threat Analysis: