Group Services Tiger
HyperSec has nurtured what is now known as the HyperSec Review
Methodology over its many years of experience operating in the field
of IT security. The program continues to guide highly efficient
security analyses as it evolves to reflect the rapidly changing
environment in which we work. To ensure the homogeneity of high
standards across all assessments, the HyperSec Review Methodology is
The methodology specifies a structure for each assessment and
details objectives, approaches and tasks on a number of levels. At
the top level, activities are distinguished on the basis of our
network positioning and on the targets of the assessment. Typically,
this means classifying an assessment into one or more of external,
internal, remote access or application related. The corresponding
high-level approach covers the specification of tasks such as
discovery and penetration procedures, and is significantly based
upon the client’s individual requirements.
External Security Review:
The objective of external review is to analyse external firewalls,
Internet routers and other networked systems visible from the
Internet at large. Our aim is to ascertain security configuration
through empirical methods in order to assess the level of
conformance to security policy. The approach is not simply to
highlight hazards, but also to tailor exploits based upon our
findings that carry the symbiosis of discovered vulnerabilities to
its logical extreme (subject to authorisation from the client). The
aim is to demonstrate unauthorised access to networks, systems or
information. Each vulnerability is risk assessed based upon specific
criteria that includes the role of the vulnerability in an “attack
path” and the specific impact to the client.
Physically, our placement can be either at the client’s site, where
access to systems is through the internal network, or at HyperSec’s
offices, where access to systems is through the Internet. After the
successful subversion of external systems providing access to
internal networks, we will usually undertake an internal review (subject
to authorisation from the client).
We are relieved from having to discover targets and non-stealth
full TCP scans are permitted. This approach usually minimises
the duration of the review.
We have no knowledge of target systems. There is no requirement
to use stealth techniques.
We have all necessary information about our targets. Stealth
techniques are required which extend the duration of the review.
We are not provided any information about our targets. Stealth
techniques are required. This approach is often the most time-consuming.
TABLE 1: External Security Review
Clients may have a preference for the
approach used in order to simulate an attack scenario. For example,
an employee can pass system information to an attacker. HyperSec can
generate a risk profile for this scenario by following the standard/known
Detection avoidance methods are employed when a client wishes to
observe the effectiveness of their intrusion detection resources
during a simulated attack. The aim of a Detection Avoidance review
is to maximize our level of access, whilst minimizing activity that
may lead to detection. Such reviews necessitate high precision
targeting, relying on information searching and slow probing.
The first phase of the review lays the foundation for the
vulnerability scan (phase 2). During the first phase, we gather
information concerning the target systems and associated networks.
In the case of a blind review, we have little initial knowledge, and
use an in-house methodology and toolset to efficiently reconcile
domain names and associated networks with a particular corporation.
The following sections detail the types of information gathered and
the corresponding approaches.
Public information refers to that available (usually freely) from
Internet organisations that is related to the client’s networks and
systems. The Whois databases (Arin, RIPE, ApNic and InterNic) and
other registries such as IP and domain indexes are methodically
queried in order to discover domains and IP ranges associated with
the client. The Domain Name Service (DNS), is often a fruitful
source of information, potentially containing a number of relevant
records. Zone transfers (if permitted) are the pièce de résistance
of DNS mining, supplying us with hostname and IP addresses
associated with the client’s domains.
HyperSec will also search the Internet for stray information that
may be of relevance to a possible intruder. Typically a number of
web and usenet searches are undertaken.
Normal Known Traffic
Gathering information through Normal Known Traffic involves using
the information channels provided by the client, examples of such
channels are a web server or FTP service. Through such channels we
will pull all information allowable and sift through the data
looking for useful items, including IP addresses, hostnames, domain
names, email addresses, account names, passwords, services,
protocols, company names, departments, and phone numbers. We also
look for web applications, which can often be exploited to gain
unauthorised access to information or to the server itself.
Identifying target systems is a key stage of information gathering,
and we use tools such as pinger, fping, hping and nmap to produce a
map of the client’s Internet presence. We use a variety of methods
to identify systems, not simply ICMP ECHO (“ping”). The ICMP, TCP
and UDP protocols are all used to identify systems in a manner
similar to ping, but with more versatility. Mail-trace is also used
to discover hostnames. Sending an email to a client’s system (running
a mail service) with a non-existent recipient usually elicits a
response containing hostnames or internal IP addresses within the
mail headers. Traceroute to discovered systems usually identifies
other systems (including routers and firewalls) and completes the
host enumeration process. At the end of the host enumeration stage
we have a range of valid targets.
Full Contact Enumeration
When live Internet-visible systems have been identified, HyperSec
will begin a service scan. A service scan against a particular
system identifies what TCP and UDP service ports are present and
listening. Identifying listening ports is critical to fingerprinting
the operating system and network applications. The type or
combination of service scans employed will vary based upon the
stealth factor of the review. The different kinds of service scans
employed are detailed below.
Standard TCP and UDP scanning: A standard scan attempts to
form a valid connection with each port of a system. If a connection
can be made, then the port is open.
Stealth scanning: TCP stealth scans are named after the
packet settings. The most common are SYN, FIN and ACK scans. By
setting certain flags on the TCP packet, or by cutting short the
connection procedure, packets can often evade detection, since many
access control devices do not register such packets.
Fragmentation scanning: Fragmentation scanning is any kind of
scan (including the two above) that involves fragmenting an IP
packet into several smaller packets. Many access control devices to
not deal with fragmented packets correctly and thus do not detect
TCP reverse ident scanning: The ident service, as specified
in RFC 1413,
returns the username of any process using the TCP protocol (even if
the process didn’t initiate the connection). When ident is running,
it is possible to obtain the process owner of each listening service.
Protocol scanning: Several services will not answer to
connections unless the connection procedure adheres to a specific
protocol (this is especially true of UDP services). By emulating
such connections, we can often detect these services.
RPC scanning: RPC services do not always run on predictable
ports. These services can usually be enumerated through the
portmapper service (which does listen on predictable ports).
Stack Fingerprinting: Each networked system will run a TCP/IP
stack (which also deals with UDP traffic) as part of the operating
environment. Usually, standard stacks are associated with different
kinds and versions of operating systems. By exploiting
idiosyncrasies in the behaviour of different stacks, it is possible
to fingerprint the stack, and thereby place the remote system into a
class of operating systems (often a specific operating system and
version). The identification of the remote operating systems permits
HyperSec to mount a focused and methodical attack against the
identified target systems.
Having determined services running on each target system, the next
stage is to extract information through them. This includes banners
and other information obtainable through a connection to the service
port. Information provided by services such as SNMP, finger, rusers,
SMTP and NetBIOS can supply detailed configuration and user
information for a system that can aid an attacker in compromising
the security of the system.
Proprietary Network Mapping Tools
HyperSec has developed a toolset that mirrors our methodology,
allowing us to quickly and methodically collect relevant data. These
tools allow us to efficiently parse the relevant information so that
we can focus our efforts on specific systems. The majority of these
tools have been written in-house or are specially modified versions
of freely available tools found on the Internet.
HyperSec proprietary tools include automated profiling scripts and
specific exploitation techniques that are not available in
commercial scanners. These tools have been designed by HyperSec
security professionals and draw upon experience gained from years of
performing similar profiling engagements. These field-proven tools
use the footprint data (from the earlier phase) to choose
appropriate attacks against the target systems. HyperSec can then
construct “attack paths” based on a number of different
vulnerabilities. Examples of these interdependencies include
exploitation of trust relationships, circumvention of router
filtering rules, and the use of backchannels through firewalls.
Additionally, HyperSec have proven expertise in discovering and
exploiting application vulnerabilities using techniques and exploit
code that have not been released into the public domain.
Examples of our tools include those to bypass NT authentication, to
exploit buffer overflows and race conditions, enhanced password
cracking utilities, and code written to gain local access to a
particular remote hosts.
HyperSec believe that commercial scanners have numerous
limitations. Many of the tools generate inconclusive reports due to
false positives, false negatives, and the inherent ambiguity
associated with automated scanning techniques. Also, HyperSec has
found that there is quite a considerable lead-time before the latest
exploits are included in these scanners.
Scanner technology has not evolved to include the intelligence
necessary to perform vulnerability linkage. This is the process of
combining several low or medium risk vulnerabilities to create an
attack path with an overall elevated risk. Thus, a scanner may note
several low or medium risk vulnerabilities, but cannot determine if
an attack combining these vulnerabilities would result in a gaping
security hole. This type of expertise is a value-added benefit of
engaging HyperSec to undertake a security review.
Denial of Service Analysis
A critical component of any firewall system is to ensure the
availability of systems directly connected to the Internet. To
assess the ability of our client to defend against denial of
services (DoS) attacks, HyperSec will perform DoS analysis only at
specific request. We will not actually usually perform a denial of
service attack but will look to provide evidence of our ability to
perform such an attack. Our goal is to assess the availability of
the environment without disrupting services during critical times.
External Security Review:
The objective of internal security review is to analyse
internal firewalls, routers and other networked systems visible only
on internal networks. Our aim is to ascertain security configuration
through empirical methods in order to assess the level of
conformance to internal security policy. Internal systems should not
be omitted from security policy; a hard shell enclosing a “soft
centre” is an enticement for attackers. Additionally, not all
attacks originate from the outside. Indeed, statistics exist to
support the fact that many attacks originate internally or are aided
Common approaches to internal security review are shown in table 2.
Reconnaissance involves deducing an architectural overview of
the internal network from a security perspective. This will
include noting the positioning of network components, various
resources and access points.
Network security review is the standard internal review where we
test the integrity of selected internal systems. This can be
performed in stealth or blind mode.
The insider security review involves using social engineering
techniques and interacting with other employees in order to gain
TABLE 2: Internal Security Review
Remote Access Review:
Security policy and practice relating to modem, ISDN and
DSL connections is often neglected. The purpose of the remote access
review is to locate access points available through the telephone
system and then attempt to gain unauthorised access to internal
networks through these channels. Often this method of entering a
network bypasses firewalls and IDS. Telephone numbers can be
specified by the client, discovered through “war-dialing”, or
discovered through social-engineering.
When access points have been located, we attempt to pass the
authentication phase. Authentication for remote access services is
often through a simple username and password challenge. Certain
modem pools can be exploited directly to bypass authentication, gain
control of the device or retrieve usernames or passwords. Brute
forcing is always undertaken.
After successfully obtaining unauthorised access, we can proceed to
conduct an internal security review (subject to client authorisation).
We suggest you to check our code audit section
If you want to know more about our penetration testing service,
please download the requisition form and send it to
Download our Pentesting Requisition Form.