What do we do?
If you are reading this, you have probably already heard about us, so in this post I do not want to talk about “Who we are”. Instead, I would like to explain how we assess the security posture of your company from the outside, with almost no information other than your domain name.
To understand how we work, it is important to understand that a Penetration Test follows a series of flexible rules, and those same rules shape our methodology for Automated Security Analysis. In this post you will find detailed information about that process and how we use each of its steps to automate security analysis.
So, let the games begin!
There are 5 phases in a Penetration Test assessment. Hackmetrix works in the first 3 of them; the last 2 phases need an expert Security Consultant who combines the results of Hackmetrix (and other tools) with advanced exploitation techniques to achieve the final objective of a full system compromise.
Phase 1 | Reconnaissance
“Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching the target) or passively (meaning that your recon is being performed through an intermediary).”
Hackmetrix works very extensively in this step, and we apply the words of Sun Tzu (The Art of War) in our work:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles”
For this reason, Hackmetrix implements a series of steps to study the objective:
- WAF Detection
- Hackmetrix Scanning Servers need your website to allow suspicious traffic from their IPs in order to perform the scan, so before starting the Scanning Process we check whether your site blocks our aggressive tests. Keep in mind that once our IPs are whitelisted, the findings describe the application itself rather than the protection a WAF provides in front of it. You can read more about this in our post: Why is important to Whitelist our Scanning Servers here.
- Network Scanning
- After WAF Detection, Hackmetrix enumerates the ports exposed by the platform and tries to identify the services (and their versions) running behind them.
- Detect Technologies Used in the Application
- At this point Hackmetrix tries to identify the technologies used to build the Application (JavaScript, C#, Java, Python, etc.); this information is used in the Scanning step to select the most relevant test cases to run against the Application.
- Web Scraping + User Inputs and Directory Detection.
- As the last step of our Reconnaissance Phase, Hackmetrix simulates a user interacting with the site in order to capture a typical request that can be reused in later test suites. Hackmetrix also tries to detect all the directories the Application exposes, even those not linked from any page! But even that is not enough, so Hackmetrix also scrapes your web application to identify HTML forms and user inputs, which become the potential injection points for the next phase.
All this information is used by Hackmetrix to map the Attack Surface of the target application and its infrastructure.
Phase 2 | Scanning
“The phase of scanning requires the application of technical tools to gather further intelligence on your target, but in this case, the intel being sought is more commonly about the systems that they have in place. A good example would be the use of a vulnerability scanner on a target network.”
- Hackmetrix uses the Attack Surface mapped in the step above to select specific test cases to attack the target and to detect anomalous application behavior and potentially vulnerable injection points that could compromise the confidentiality, integrity and availability of the targeted application.
- Our test cases are based on OWASP guidance, so we are able to detect vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection (SQLi), Insecure Direct Object References (IDOR), Remote Code/Command Execution (RCE), brute-forceable network credentials, Directory Listing, and much more!
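To make the last reconnaissance step and this scanning step concrete, here is an added example (written for this post, not Hackmetrix's own scanner code). It scrapes a page for HTML forms and their inputs, the injection points mentioned above, then pushes two harmless canary payloads through each input and flags the two behaviours a scanner keys on first: the payload coming back unescaped (a reflected XSS candidate) and a single quote producing a database error (an SQLi candidate). The sample page, the `example.test` host and the two request handlers are all constructed for the example; the handlers are deliberately vulnerable stand-ins so everything runs offline, and `mock_send` is the one piece you would swap for a real HTTP client against a host that has whitelisted your scanner.

```python
"""Scrape forms from a page, then probe each input with canary payloads.
Added example, not Hackmetrix code. The page, host and handlers are made up."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (hypothetical site): a search form and a login form.
SAMPLE_PAGE = """
<html><body>
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="submit" value="Go">
</form>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input name="username">
  <input type="password" name="password">
  <button type="submit">Login</button>
</form>
</body></html>
"""

NON_DATA_TYPES = {"submit", "button", "image", "reset"}


class FormScraper(HTMLParser):
    """Collects every <form> with its resolved action, method and input names."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            # Hidden fields count too: on the wire they are attacker-controlled.
            if name and (a.get("type") or "text").lower() not in NON_DATA_TYPES:
                self._current["inputs"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def scrape_forms(html, base_url):
    parser = FormScraper(base_url)
    parser.feed(html)
    parser.close()
    return parser.forms


# Stand-in target (hypothetical handlers, vulnerable on purpose).
def _search_handler(params):
    # Reflects the query without HTML-escaping it.
    return 200, f"<h1>Results for {params.get('q', '')}</h1>"


def _login_handler(params):
    # Mimics an unparameterised query that breaks on an unbalanced quote.
    if "'" in params.get("username", ""):
        return 500, "You have an error in your SQL syntax; check the manual"
    return 200, "<p>Welcome</p>"


MOCK_ROUTES = {"/search": _search_handler, "/login": _login_handler}


def mock_send(form, params):
    """Returns (status, body). Swap for a real HTTP client on a live target."""
    handler = MOCK_ROUTES.get(urlparse(form["action"]).path)
    return handler(params) if handler else (404, "")


CANARY = "hmx7q2z"             # unlikely to occur naturally in a response
XSS_PROBE = f"<{CANARY}>"      # harmless tag; unescaped reflection is the signal
SQL_PROBE = "'"                # single quote; a database error is the signal
SQL_ERROR_RE = re.compile(
    r"SQL syntax|ORA-\d{5}|unterminated quoted string|SQLSTATE\[", re.I)


def probe_forms(forms, send=mock_send):
    """Returns (action, input_name, finding) tuples, probing one input at a time."""
    findings = []
    for form in forms:
        baseline = {name: "test" for name in form["inputs"]}
        for name in form["inputs"]:
            _, body = send(form, {**baseline, name: XSS_PROBE})
            if XSS_PROBE in body:      # an escaping app returns &lt;hmx7q2z&gt;
                findings.append((form["action"], name, "reflected-unescaped"))
            status, body = send(form, {**baseline, name: SQL_PROBE})
            if status >= 500 or SQL_ERROR_RE.search(body):
                findings.append((form["action"], name, "sql-error"))
    return findings


if __name__ == "__main__":
    found = scrape_forms(SAMPLE_PAGE, "https://example.test/")
    for action, name, finding in probe_forms(found):
        print(f"{finding:20} {action} [{name}]")
```

Two details matter for the scanner. The reflection check looks for the raw `<hmx7q2z>` tag, so an application that HTML-encodes output is not flagged, which is exactly the distinction between "input is echoed" and "input is echoed dangerously". And every probe is sent with a neutral baseline value in the other fields, so a finding is attributable to one input rather than to the form as a whole; that per-field attribution is what lets the login form's username be reported while its password field stays clean.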
Phase 3 | Exploiting Vulnerabilities / Gaining Access
“Gaining access requires taking control of one or more network devices in order to either extract data from the target or to use that device to then launch attacks on other targets.”
- The Scanning System tries to exploit, in a non-damaging way, the vulnerabilities detected in Phase 2. To do this Hackmetrix uses a wide range of commercial tools, open source tools, and tools developed by our assessment team to improve the detection of less common vulnerabilities such as XML External Entity (XXE) injection and insecure deserialization. The results of this job are used to build the Proof of Concept that is delivered with the report.
- Our report includes Proofs of Concept for the vulnerabilities found in the targeted site, but we want Hackmetrix attacks to be performed in the most inoffensive way possible against the targeted system, so full validation of an issue is a hybrid approach: our auto-generated Proof of Concept plus the human behind our Report Dashboard.
- At this point it is important to highlight that we offer services that provide our customers with qualified assistance to resolve doubts about the exploitability and impact of the vulnerabilities detected by our Scanning Platform.
Phase 4 | Maintaining Access
“Maintaining access requires taking the steps involved in being able to be persistently within the target environment in order to gather as much data as possible. The attacker must remain stealthy in this phase, so as to not get caught while using the host environment.”
Because Hackmetrix does not have permission to exploit a vulnerability to the point of full compromise, we cannot perform this Pentest Phase. Here you will need the assessment of a Security Consultant Firm such as SecSignal, as explained in our post How to combine Pentest with Automation to improve your security.
Phase 5 | Covering Tracks
“The final phase of covering tracks simply means that the attacker must take the steps necessary to remove all semblance of detection. Any changes that were made, authorizations that were escalated etc. all must return to a state of non-recognition by the host network’s administrators.”
- We want all of our actions to be logged by the targeted system; this helps the development team trace our attacks and get better information about the vulnerabilities detected and how to fix them. Because of that, and because we do not have permission to abuse a detected vulnerability to gain access to your server, we do not perform any kind of log erasing on your Platform! So stay calm, and read your server logs!
Conclusion
Hackmetrix is in continuous development and you will find improvements month after month; we are building a platform that puts control over security in the hands of any developer. We strive to be a must-have in your secure software development cycle.
Be proactive, and go hack yourself – before somebody else does!