simply more security
Our Hacktor is your personal pentester that can pentest all accessible assets within a network segment. In the clear audit report you can see how far it has penetrated within your systems and what other security gaps have been found.
Step 1
Bruteforce
As part of the bruteforce attack, the hacker attempts to gain access to your system by trying large numbers of passwords.
If this succeeds, he tries to penetrate deeper into the system.
Step 2
CVE scan (network)
In addition, Hacktor checks the software versions that provide the services for known CVEs. This applies to every service offered on a target (such as FTP, SSH, MySQL, HTTP, etc.). This is a network-side scan for known security vulnerabilities.
Step 3
Discovery of services
Regardless of whether the brute force test succeeds, the services are examined further.
Each service is checked individually, and Hacktor attempts to obtain your data and/or take control of the system.
infrastructure | server | services
Enginsight’s pentest specifically checks the services used within an IT infrastructure. The goal is to find out whether a login and a transfer of rights are possible. In Discovery, further analyses are then carried out with the rights acquired, for example to obtain sensitive data.
For these protocols, Hacktor tests whether the remote user has root privileges. If so, control over a system (telnet), a server (FTP, SSH) or e-mail (POP3, IMAP) could be gained.
Furthermore, it is checked whether data can be deleted, directories created, or the directory escaped with an anonymous or default account. If the user manages to walk back up the directory structure, this would allow him to read the server's passwords.
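The "break out of the directory" check described above is, from the defender's side, a question of whether the service resolves a client-supplied path and refuses anything that lands outside its configured root. The following Python is an added illustration written for this page, not Enginsight's code or the code of any FTP server; the root directory and the request strings are constructed examples.

```python
from pathlib import Path

def resolve_within_root(root: str, requested: str) -> Path:
    """Resolve a client-supplied path against a service root.

    Raises PermissionError if the resolved path escapes the root. A leading
    slash is stripped so absolute requests are treated as relative to the root,
    as a chrooted FTP server would treat them. resolve() follows symlinks, so a
    link inside the root that points outside it is rejected as well.
    """
    root_path = Path(root).resolve()
    target = (root_path / requested.lstrip("/\\")).resolve()
    if target != root_path and root_path not in target.parents:
        raise PermissionError(f"path escapes service root: {requested!r}")
    return target

def is_within_root(root: str, requested: str) -> bool:
    """Boolean form of the check, convenient for audits and tests."""
    try:
        resolve_within_root(root, requested)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    # Constructed sample requests against a constructed root directory.
    root = "/srv/ftp"
    for req in ["pub/readme.txt", ".", "/etc/motd", "../../etc/passwd", "pub/../../secret"]:
        print(f"{req!r:>22} -> {'allowed' if is_within_root(root, req) else 'REJECTED'}")
```

Requests that stay under the root are allowed, while any sequence of `..` components that resolves above it is rejected before the filesystem is touched.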
For SQL databases, the pentest aims to determine whether anonymous login is possible, whether the standard user has rights or privileges to create and delete databases, and whether access to system internals is possible.
MongoDB is a NoSQL database that is becoming increasingly popular, especially in big-data environments.
For MongoDB, login options and the assignment of rights are evaluated as well. In particular, the common misconfiguration of a missing password is tested.
These services are critical for operating the infrastructure. If an attacker manages to penetrate this area, he can take almost complete control of the system or servers. Hacktor uses the bruteforce attack to check whether access and a transfer of rights are possible.
web based attacks and scans
The website or web services are the figurehead par excellence for companies, especially in end-customer business. If everything works and looks good, the customer is happy and has confidence in your company. But what if nothing works anymore, the online store goes down, or your website's users are compromised? Then not only your turnover but also your reputation will go down faster than you would like.
But it does not have to come to that. We show you the weak points that a hacker could exploit, so that you can protect your company from unwanted manipulation.
web based attacks
We try to smuggle malicious code into your system within a supposedly secure context.
We try to insert database commands through the application that provides access to the database.
We try to embed and execute program code on the web server via vulnerabilities in script-based web applications.
We try to send system commands, such as a shutdown, to a server via a web request.
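The second of these checks, inserting database commands through the application, only works when the application builds SQL text out of user input. The following Python, an added example written for this page and not Enginsight's or any vendor's code, shows a login routine in the vulnerable form beside the hardened form that uses placeholders, against a constructed in-memory SQLite table (the plaintext passwords exist only to keep the demonstration short).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, plaintext passwords for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Vulnerable: untrusted input is concatenated into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Hardened: placeholders pass the input as bound values; the driver never
    # interprets them as SQL, so a quote or comment marker is just data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None

def demo() -> dict:
    """Run both forms with a valid login and with a constructed injection string."""
    conn = make_db()
    injected_user = "alice' --"   # closes the literal, comments out the password check
    return {
        "valid/vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid/hardened": login_hardened(conn, "alice", "s3cret"),
        "injected/vulnerable": login_vulnerable(conn, injected_user, "wrong"),
        "injected/hardened": login_hardened(conn, injected_user, "wrong"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>20}: {'login accepted' if ok else 'login refused'}")
```

The vulnerable form accepts the login without the right password because the comment marker removes the password clause from the query; the hardened form compares the whole string against the name column and refuses it. Parameterised queries, not input filtering, are the fix this check is looking for.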
configurations
We check your certificates for ciphers that have known security vulnerabilities.
We check the security-relevant HTTP headers and tell you how to implement them correctly. Protect the visitors of your website!
We scan for files that reveal sensitive data about a target system (e.g. passwords, configuration data) and for database dumps that are publicly accessible.
We determine whether the target discloses information that makes it potentially vulnerable to attack. This includes accessible config files or even logs.
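As an added illustration of the HTTP header check in the configurations list, the Python below classifies a set of response headers as ok, missing or weak and separately reports headers that disclose implementation details. It is written for this page and is not Enginsight's code; the header names are real, the acceptance rules are this example's own minimal ones, and both header sets are constructed samples rather than captured responses.

```python
import http.client

# Headers a defender expects on an HTTPS response, with a minimal rule for
# each. The rules are this example's own, not a complete hardening standard.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: bool(v.strip()),
}

# Headers that disclose software and version information to every client.
LEAKY_HEADERS = ("Server", "X-Powered-By")

def check_security_headers(headers: dict) -> dict:
    """Return {header: 'ok' | 'missing' | 'weak'} for a dict of response headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, accept in REQUIRED_HEADERS.items():
        value = lower.get(name.lower())
        if value is None:
            result[name] = "missing"
        elif accept(value):
            result[name] = "ok"
        else:
            result[name] = "weak"
    return result

def check_information_leaks(headers: dict) -> dict:
    """Return the leaky headers present, with their values, for the report."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {h: lower[h.lower()] for h in LEAKY_HEADERS if h.lower() in lower}

def fetch_headers(host: str, path: str = "/") -> dict:
    """Fetch response headers from a site you operate (network access required)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())

# Constructed sample responses; the version strings are made up for the demo.
SAMPLE_WEAK = {
    "Server": "Apache/2.4.1",
    "X-Powered-By": "PHP/7.2",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html",
}
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(f"--- {label} ---")
        for name, verdict in check_security_headers(sample).items():
            print(f"{name:>28}: {verdict}")
        print("information leaks:", check_information_leaks(sample) or "none")
```

Header names are matched case-insensitively, as HTTP requires, so a server that emits `x-frame-options` is judged on its value rather than flagged as missing.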