HyperSec Consulting Group Services Tiger Teaming


Structure:

HyperSec has nurtured what is now known as the HyperSec Review Methodology over its many years of experience operating in the field of IT security. The program continues to guide highly efficient security analyses as it evolves to reflect the rapidly changing environment in which we work. To ensure the homogeneity of high standards across all assessments, the HyperSec Review Methodology is embraced organization-wide.
The methodology specifies a structure for each assessment and details objectives, approaches and tasks on a number of levels. At the top level, activities are distinguished on the basis of our network positioning and on the targets of the assessment. Typically, this means classifying an assessment into one or more of external, internal, remote access or application related. The corresponding high-level approach covers the specification of tasks such as discovery and penetration procedures, and is significantly based upon the client’s individual requirements.

External Security Review:

The objective of external review is to analyse external firewalls, Internet routers and other networked systems visible from the Internet at large. Our aim is to ascertain security configuration through empirical methods in order to assess the level of conformance to security policy. The approach is not simply to highlight hazards, but also to tailor exploits based upon our findings that carry the combination of discovered vulnerabilities to its logical extreme (subject to authorisation from the client). The aim is to demonstrate unauthorised access to networks, systems or information. Each vulnerability is risk assessed against specific criteria that include the role of the vulnerability in an “attack path” and the specific impact to the client.

Physically, our placement can be either at the client’s site, where access to systems is through the internal network, or at HyperSec’s offices, where access to systems is through the Internet. After the successful subversion of external systems providing access to internal networks, we will usually undertake an internal review (subject to authorisation from the client).

Standard approach
  With information (Known Target): We are relieved from having to discover targets and non-stealth full TCP scans are permitted. This approach usually minimises the duration of the review.
  Without information (Blind): We have no knowledge of target systems. There is no requirement to use stealth techniques.

Detection Avoidance approach
  With information (Stealth): We have all necessary information about our targets. Stealth techniques are required, which extend the duration of the review.
  Without information (Ghost): We are not provided any information about our targets. Stealth techniques are required. This approach is often the most time-consuming.

TABLE 1: External Security Review Types

Clients may have a preference for the approach used in order to simulate an attack scenario. For example, an employee can pass system information to an attacker. HyperSec can generate a risk profile for this scenario by following the standard/known target approach.

Detection avoidance methods are employed when a client wishes to observe the effectiveness of their intrusion detection resources during a simulated attack. The aim of a Detection Avoidance review is to maximize our level of access, whilst minimizing activity that may lead to detection. Such reviews necessitate high precision targeting, relying on information searching and slow probing.

Phase 1: Information Retrieval


The first phase of the review lays the foundation for the vulnerability scan (phase 2). During the first phase, we gather information concerning the target systems and associated networks. In the case of a blind review, we have little initial knowledge, and use an in-house methodology and toolset to efficiently reconcile domain names and associated networks with a particular corporation. The following sections detail the types of information gathered and the corresponding approaches.

Public Information

Public information refers to that available (usually freely) from Internet organisations that is related to the client’s networks and systems. The Whois databases (ARIN, RIPE, APNIC and InterNIC) and other registries such as IP and domain indexes are methodically queried in order to discover domains and IP ranges associated with the client. The Domain Name Service (DNS) is often a fruitful source of information, potentially containing a number of relevant records. Zone transfers (if permitted) are the pièce de résistance of DNS mining, supplying us with the hostnames and IP addresses associated with the client’s domains.

HyperSec will also search the Internet for stray information that may be of relevance to a possible intruder. Typically a number of web and usenet searches are undertaken.

Normal Known Traffic

Gathering information through Normal Known Traffic involves using the information channels provided by the client; examples of such channels are a web server or an FTP service. Through such channels we pull all information allowable and sift through the data looking for useful items, including IP addresses, hostnames, domain names, email addresses, account names, passwords, services, protocols, company names, departments and phone numbers. We also look for web applications, which can often be exploited to gain unauthorised access to information or to the server itself.

Host Enumeration

Identifying target systems is a key stage of information gathering, and we use tools such as pinger, fping, hping and nmap to produce a map of the client’s Internet presence. We use a variety of methods to identify systems, not simply ICMP ECHO (“ping”). The ICMP, TCP and UDP protocols are all used to identify systems in a manner similar to ping, but with more versatility. Mail-trace is also used to discover hostnames. Sending an email to a client’s system (running a mail service) with a non-existent recipient usually elicits a response containing hostnames or internal IP addresses within the mail headers. Traceroute to discovered systems usually identifies other systems (including routers and firewalls) and completes the host enumeration process. At the end of the host enumeration stage we have a range of valid targets.

Full Contact Enumeration

When live Internet-visible systems have been identified, HyperSec will begin a service scan. A service scan against a particular system identifies what TCP and UDP service ports are present and listening. Identifying listening ports is critical to fingerprinting the operating system and network applications. The type or combination of service scans employed will vary based upon the stealth factor of the review. The different kinds of service scans employed are detailed below.

Standard TCP and UDP scanning: A standard scan attempts to form a valid connection with each port of a system. If a connection can be made, then the port is open.

Stealth scanning: TCP stealth scans are named after the packet settings. The most common are SYN, FIN and ACK scans. By setting certain flags on the TCP packet, or by cutting short the connection procedure, packets can often evade detection, since many access control devices do not register such packets.

Fragmentation scanning: Fragmentation scanning is any kind of scan (including the two above) that involves fragmenting an IP packet into several smaller packets. Many access control devices do not deal with fragmented packets correctly and thus do not detect fragmented scans.

TCP reverse ident scanning: The ident service, as specified in RFC 1413, returns the username of the process that owns a given TCP connection (even if that process did not initiate the connection). When ident is running, it is possible to obtain the process owner of each listening service.

Protocol scanning: Several services will not answer to connections unless the connection procedure adheres to a specific protocol (this is especially true of UDP services). By emulating such connections, we can often detect these services.

RPC scanning: RPC services do not always run on predictable ports. These services can usually be enumerated through the portmapper service (which does listen on predictable ports).

Stack Fingerprinting: Each networked system will run a TCP/IP stack (which also deals with UDP traffic) as part of the operating environment. Usually, standard stacks are associated with different kinds and versions of operating systems. By exploiting idiosyncrasies in the behaviour of different stacks, it is possible to fingerprint the stack, and thereby place the remote system into a class of operating systems (often a specific operating system and version). The identification of the remote operating systems permits HyperSec to mount a focused and methodical attack against the identified target systems.

Having determined services running on each target system, the next stage is to extract information through them. This includes banners and other information obtainable through a connection to the service port. Information provided by services such as SNMP, finger, rusers, SMTP and NetBIOS can supply detailed configuration and user information for a system that can aid an attacker in compromising the security of the system.
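Seen from the monitoring side, the scan types listed above leave distinct traces. The following is an added example (not HyperSec's tooling) that runs simple detection rules over a constructed, simplified packet log: bare SYNs to many ports with no completed handshake, FIN-only probes, and first fragments too small to carry a full TCP header. Thresholds and record layout are assumptions for illustration.

```python
"""Flag the scan patterns described above in a constructed packet log.

Records are simplified per-packet summaries (constructed, not from a real
capture): source IP, destination port, TCP flags, IP fragment offset in
bytes, the More-Fragments bit and the IP payload length."""
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dport: int
    flags: str      # "S" (SYN), "A" (ACK), "F" (FIN); "" when no flags byte is in this fragment
    frag_off: int   # IP fragment offset; 0 for unfragmented packets and first fragments
    mf: bool        # More-Fragments bit
    plen: int       # bytes of IP payload carried by this packet


def detect_scans(packets, syn_ports=10, fin_ports=3):
    """Return {src: [labels]} for sources showing the scan behaviours above."""
    syn_seen = defaultdict(set)   # src -> ports that received a bare SYN
    acked = defaultdict(set)      # src -> ports on which the same src later sent an ACK
    fin_probe = defaultdict(set)  # src -> ports probed with a bare FIN
    tiny_frag = set()
    for p in packets:
        if p.frag_off == 0 and p.mf and p.plen < 20:
            # first fragment cannot hold a 20-byte TCP header, so the flags
            # live in a later fragment: the classic way to slip past filters
            tiny_frag.add(p.src)
        if p.flags == "S":
            syn_seen[p.src].add(p.dport)
        elif "A" in p.flags:
            acked[p.src].add(p.dport)
        elif p.flags == "F":
            fin_probe[p.src].add(p.dport)
    findings = defaultdict(list)
    for src, ports in syn_seen.items():
        if len(ports - acked[src]) >= syn_ports:   # many half-open SYNs, no handshake
            findings[src].append("syn_scan")
    for src, ports in fin_probe.items():
        if len(ports) >= fin_ports:                 # FINs with no connection to close
            findings[src].append("fin_scan")
    for src in tiny_frag:
        findings[src].append("tiny_fragment")
    return {src: sorted(labels) for src, labels in findings.items()}


PACKETS = (  # constructed sample traffic
    [Packet("10.0.0.5", port, "S", 0, False, 40) for port in range(20, 32)]       # half-open SYN scan
    + [Packet("10.0.0.6", port, "F", 0, False, 40) for port in (22, 25, 80, 443, 8080)]  # FIN scan
    + [Packet("10.0.0.7", 80, "", 0, True, 8), Packet("10.0.0.7", 80, "S", 8, False, 32)]  # split SYN
    + [Packet("10.0.0.8", 443, "S", 0, False, 40), Packet("10.0.0.8", 443, "A", 0, False, 40)]  # normal client
)
```

Calling `detect_scans(PACKETS)` flags the first three sources and leaves the normal client, whose SYN is followed by an ACK, unreported.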

Proprietary Network Mapping Tools
HyperSec has developed a toolset that mirrors our methodology, allowing us to quickly and methodically collect relevant data. These tools allow us to efficiently parse the relevant information so that we can focus our efforts on specific systems. The majority of these tools have been written in-house or are specially modified versions of freely available tools found on the Internet.

Phase 2: Vulnerability Scan

HyperSec proprietary tools include automated profiling scripts and specific exploitation techniques that are not available in commercial scanners. These tools have been designed by HyperSec security professionals and draw upon experience gained from years of performing similar profiling engagements. These field-proven tools use the footprint data (from the earlier phase) to choose appropriate attacks against the target systems. HyperSec can then construct “attack paths” based on a number of different vulnerabilities. Examples of these interdependencies include exploitation of trust relationships, circumvention of router filtering rules, and the use of backchannels through firewalls. Additionally, HyperSec have proven expertise in discovering and exploiting application vulnerabilities using techniques and exploit code that have not been released into the public domain.

Examples of our tools include those to bypass NT authentication, to exploit buffer overflows and race conditions, enhanced password cracking utilities, and code written to gain local access to a particular remote host.

Commercial Tools
HyperSec believe that commercial scanners have numerous limitations. Many of the tools generate inconclusive reports due to false positives, false negatives, and the inherent ambiguity associated with automated scanning techniques. Also, HyperSec has found that there is quite a considerable lead-time before the latest exploits are included in these scanners.

Scanner technology has not evolved to include the intelligence necessary to perform vulnerability linkage. This is the process of combining several low or medium risk vulnerabilities to create an attack path with an overall elevated risk. Thus, a scanner may note several low or medium risk vulnerabilities, but cannot determine if an attack combining these vulnerabilities would result in a gaping security hole. This type of expertise is a value-added benefit of engaging HyperSec to undertake a security review.

Denial of Service Analysis
A critical component of any firewall system is to ensure the availability of systems directly connected to the Internet. To assess the ability of our client to defend against denial of service (DoS) attacks, HyperSec will perform DoS analysis only at specific request. We do not usually perform an actual denial of service attack, but instead look to provide evidence of our ability to perform such an attack. Our goal is to assess the availability of the environment without disrupting services during critical times.

Internal Security Review:

The objective of internal security review is to analyse internal firewalls, routers and other networked systems visible only on internal networks. Our aim is to ascertain security configuration through empirical methods in order to assess the level of conformance to internal security policy. Internal systems should not be omitted from security policy; a hard shell enclosing a “soft centre” is an enticement for attackers. Additionally, not all attacks originate from the outside. Indeed, statistics exist to support the fact that many attacks originate internally or are aided by “insiders”.
Common approaches to internal security review are shown in table 2.

Reconnaissance: Reconnaissance involves deducing an architectural overview of the internal network from a security perspective. This will include noting the positioning of network components, various resources and access points.

Network Review: Network security review is the standard internal review where we test the integrity of selected internal systems. This can be performed in stealth or blind mode.

Insider Review: The insider security review involves using social engineering techniques and interacting with other employees in order to gain information.

TABLE 2: Internal Security Review Types

Remote Access Review:

Security policy and practice relating to modem, ISDN and DSL connections is often neglected. The purpose of the remote access review is to locate access points available through the telephone system and then attempt to gain unauthorised access to internal networks through these channels. Often this method of entering a network bypasses firewalls and IDS. Telephone numbers can be specified by the client, discovered through “war-dialing”, or discovered through social engineering.
When access points have been located, we attempt to pass the authentication phase. Authentication for remote access services is often through a simple username and password challenge. Certain modem pools can be exploited directly to bypass authentication, gain control of the device or retrieve usernames or passwords. Brute forcing is always undertaken.
After successfully obtaining unauthorised access, we can proceed to conduct an internal security review (subject to client authorisation).

Application Review:

We suggest you check our code audit section.

If you want to know more about our penetration testing service, please download the requisition form and send it to info@hypersec.co.uk

Download our Pentesting Requisition Form.

HyperSec is a trademark of HyperSec Consulting Group UK. All logos, images, code and information are the property of their owners. HyperSec Consulting Group does not approve any illegal practice that uses information contained within this site; for more information, please read the EULA of this page.
HyperSec Consulting Group UK.

Profile::

  Public-20040226

DataBase::

  HyperSec Consulting Gr.

Engine::

  1.0-stable