Services
RedRays Penetration testing services
Penetration Testing
Testing methodologies - "PTES", "OWASP Top 10 Web", "OWASP Top 10 Mobile", "OWASP Top 10 IoT" and "OWASP Top 10 API"
Web & API applications
Our team provides penetration testing of web and API applications regardless of the platform or programming language.
Portable devices and IoT
Nowadays, it’s impossible to imagine our life without portable devices and IoT. But unfortunately, many of your connected devices are at risk of cyberattacks. Mobile and IoT penetration testing provides a practical way to assess the security level of your devices.
Host
Our team delivers penetration testing on hosts regardless of the platform.
Network
Our team simulates a real-world attack to provide a point-in-time assessment of vulnerabilities and threats to your internal and external network infrastructure.
Testing steps
Scoping
Starting point:
The scope of the assessment determines the targets, type of testing, and testing methodologies. This includes the information we gather about the system, technologies in use, and possible entry points for the test.
Reconnaissance and enumeration
The cycle includes gathering information about the target machine that could be utilized to discover its defects, overall weaknesses, and security vulnerabilities.
This step includes network enumeration through automated and manual means. We determine the live network hosts and the services available on those hosts. We reach these conclusions through network mapping, host discovery, and network connection attempts, including:
– DNS enumeration
– Port scan/ping sweep of in-scope hosts
– Service detection/identification of answering, connectable services
Vulnerability identification
This step includes identifying publicly known vulnerabilities and evaluating their efficacy using automated and manual techniques, comprising:
– Vulnerability scanning of enumerated available services
– Server configuration assessment
– Application scanning (non-credentialed)
– Manual validation of automated findings
Exploitation
The exploitation step uses the previous phases as input and targets an additional level of network access. Vulnerable services may respond unexpectedly to crafted network traffic, potentially leading to privilege escalation or denial of service. This phase also produces proof-of-concept attack vectors, including:
– Additional network and information compromise targeted
– Full report with detailed exploitation techniques (where applicable)
– Custom scripting used for system or information compromise
Testing Report and documentation
This is the final step of the engagement. We provide an in-depth technical analysis document for each engagement to highlight security vulnerabilities and identify areas for exploitation. We also guide remediation, with a focus on preventative measures.
Post-engagement guidance
Our team will be available 24/7 for post-engagement assistance such as:
– A retest of found security issues
– Recommendations on remediation for particular required actions