What is Penetration Testing?
Penetration Testing, or ethical hacking, is an exercise that simulates the techniques an attacker would use to compromise your systems. It highlights the vulnerabilities that a remote, unauthorized attacker could actually exploit. NII's penetration testing service is a highly creative, out-of-the-box engagement, and often results in new vulnerabilities being discovered or a new tool being developed from the exercise. Visit the following links to get a better insight into our penetration testing related research activities:
- Sample report from a penetration testing exercise we carried out for a large enterprise
- Advisories of security vulnerabilities we discover - some of them during routine penetration tests
- Penetration testing and security tools that we have developed
- Articles that have appeared in various publications, again highlighting our innovative approach
- Presentations we have made at various security forums, especially on application security
NII Approach
A penetration testing exercise can be structured in various ways:
Application Security Audits
A penetration test could focus exclusively on your web applications. This can be done at various levels:
Black-box testing: Here, we know only the URL of the website. Enumeration of the technologies in use, mapping of the website, identification of fault injection points (every parameter the application accepts), testing for input validation and business-logic vulnerabilities, and the OWASP Top 10 attacks are all part of this exercise.
Grey-box testing: Often enough, a web application involves authentication and authorization components. In order to test these, we request a dummy user account with the lowest level of privilege within the application. Using this account, we log in and test for flaws in the authentication scheme, and attempt to escalate our privileges and bypass authorization restrictions. Read our list of advisories here
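The black-box stage above starts by mapping the site and listing its fault injection points. The script below is an added example of that step (it is not NII's tool, and the URL, headers and HTML it works on are a constructed sample page): given one page's URL, response headers and body, it enumerates every parameter the tester controls on the next request (form fields, including hidden ones, query-string parameters in same-host links, and server-set cookies) and records the technologies the headers disclose.

```python
"""Map one page's fault-injection points from its HTML and response headers.

Added example for the black-box mapping stage; not NII's own tool. The target
URL, headers and HTML below are a constructed sample, so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qsl

# Constructed sample target (not a real site).
SAMPLE_URL = "https://example.test/login"
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=0123abcd; path=/; HttpOnly",
}
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="redirect" value="/account">
  <button type="submit">Sign in</button>
</form>
<a href="/search?q=test&page=1">Search</a>
<a href="https://cdn.example.net/lib.js?v=3">third-party asset</a>
<a href="/help">Help</a>
</body></html>
"""

# Headers that commonly leak product and version banners.
TECH_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")


class InjectionPointMapper(HTMLParser):
    """Collects form fields and same-host query parameters as injection points."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.host = urlparse(base_url).netloc
        self.points = []
        self._form = None  # action/method of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "location": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "GET").upper(),
            }
        elif tag in ("input", "textarea", "select") and a.get("name"):
            # Fields outside any <form> submit to the page itself via GET.
            # Hidden fields are kept: the server often trusts them blindly.
            form = self._form or {"location": self.base_url, "method": "GET"}
            self.points.append({"kind": "form", "name": a["name"],
                                "type": a.get("type", "text"), **form})
        elif tag == "a" and a.get("href"):
            url = urlparse(urljoin(self.base_url, a["href"]))
            if url.netloc != self.host:
                return  # off-host links are out of scope
            for name, _ in parse_qsl(url.query, keep_blank_values=True):
                self.points.append({"kind": "query", "name": name, "type": "text",
                                    "location": url._replace(query="").geturl(),
                                    "method": "GET"})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def cookie_points(headers, url):
    """Server-set cookies are tester-controlled input on every later request."""
    raw = headers.get("Set-Cookie", "")
    values = raw if isinstance(raw, list) else [raw]
    points = []
    for value in values:
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        if name:
            points.append({"kind": "cookie", "name": name, "type": "cookie",
                           "location": url, "method": "ANY"})
    return points


def fingerprint(headers):
    """Technology disclosure from response headers."""
    return {h: headers[h] for h in TECH_HEADERS if h in headers}


def map_page(url, headers, html):
    parser = InjectionPointMapper(url)
    parser.feed(html)
    parser.close()
    return {"injection_points": parser.points + cookie_points(headers, url),
            "technologies": fingerprint(headers)}


if __name__ == "__main__":
    result = map_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)
    for tech, banner in result["technologies"].items():
        print(f"[tech] {tech}: {banner}")
    for p in result["injection_points"]:
        print(f"[{p['kind']}] {p['method']} {p['location']} param={p['name']} ({p['type']})")
```

Each entry in the resulting list is one place to inject test payloads later; the hidden `redirect` field and the session cookie are deliberately included because applications frequently trust both even though the client fully controls them. Links to other hosts are dropped so that third-party assets do not end up in the scope.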
Network Penetration Testing
This type of penetration test begins with identifying targets through Google searches, WHOIS lookups, DNS queries, etc., followed by fingerprinting the exposed services and identifying their vulnerabilities. Whether these vulnerabilities are then exploited depends on the scope agreed for the engagement. Limited exploitation, such as password guessing, directory traversal and file uploads, is always carried out. More aggressive exploitation, such as Denial of Service attacks or buffer overflow exploits, is carried out only if the possible fallout from it has been accepted before the engagement begins.
Automated port identification
In large and very large networks, the set of public IP addresses, and the ports exposed on them, can change daily. What is required is an automated way to periodically scan a large range of IP addresses, determine which ports are open, and identify the service running on each of them. Even more important is to produce trend analysis reports, which show the new IP addresses or new ports that have appeared since the last scan was run. NII offers a secure portal to its customers, where they can log in, enter their ranges, run the scans, view the reports and compare them with previous scans.
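The trending step above is essentially a diff of two scan snapshots. The script below is an added example of that comparison (it is not the NII portal's code): it parses Nmap's grepable output (`-oG`, one `Host:` line per host, with each `Ports:` entry written as port/state/proto/owner/service/rpcinfo/version/) and reports hosts and open ports that appeared or disappeared, plus services whose version banner changed. The two scans it compares are constructed sample output for the 192.0.2.0/24 documentation range, not real hosts.

```python
"""Diff two Nmap grepable (-oG) scans to surface new hosts, new open ports and
changed service banners.

Added example of the trending step; not the NII portal's code. Both scans below
are constructed sample -oG output, so the script runs offline.
"""
import re

# Constructed sample scans of the 192.0.2.0/24 documentation range.
PREVIOUS_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, previous run)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (999)
# Nmap done
"""
CURRENT_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, current run)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 23/filtered/tcp//telnet///, 443/open/tcp//http//nginx 1.24.0/, 8080/open/tcp//http-proxy//Squid http proxy 4.10/\tIgnored State: closed (996)
Host: 192.0.2.12 (vpn.example.test)\tStatus: Up
Host: 192.0.2.12 (vpn.example.test)\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
# Nmap done
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_port_entry(entry):
    """'22/open/tcp//ssh//OpenSSH 8.9p1/' -> ((22, 'tcp'), {state, service, version}).

    Nmap writes seven slash-separated fields and replaces slashes inside a
    field with '|'; maxsplit=6 keeps the version whole regardless.
    """
    fields = entry.strip().rstrip("/").split("/", 6)
    fields += [""] * (7 - len(fields))  # rstrip drops trailing empty fields
    port, state, proto, _owner, service, _rpc, version = fields
    return (int(port), proto), {"state": state, "service": service, "version": version}


def parse_grepable(text):
    """Return {ip: {(port, proto): {state, service, version}}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and blank lines
        ip, _hostname, rest = m.groups()
        ports = hosts.setdefault(ip, {})  # the Status: line alone creates the host
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    port_key, info = parse_port_entry(entry)
                    ports[port_key] = info
    return hosts


def open_ports(hosts):
    """Flatten to {(ip, port, proto): info}, keeping only open ports."""
    return {(ip, port, proto): info
            for ip, ports in hosts.items()
            for (port, proto), info in ports.items()
            if info["state"] == "open"}


def diff_scans(previous, current):
    """Compare two parsed scans; every list is sorted so the output is stable."""
    prev, cur = open_ports(previous), open_ports(current)
    return {
        "new_hosts": sorted(set(current) - set(previous)),
        "gone_hosts": sorted(set(previous) - set(current)),
        "new_ports": sorted(k + (cur[k]["service"],) for k in cur.keys() - prev.keys()),
        "closed_ports": sorted(k + (prev[k]["service"],) for k in prev.keys() - cur.keys()),
        "changed_services": sorted(k + (prev[k]["version"], cur[k]["version"])
                                   for k in prev.keys() & cur.keys()
                                   if prev[k]["version"] != cur[k]["version"]),
    }


def format_report(delta):
    lines = [f"new host: {ip}" for ip in delta["new_hosts"]]
    lines += [f"host no longer answering: {ip}" for ip in delta["gone_hosts"]]
    lines += [f"new open port: {ip}:{port}/{proto} ({svc})"
              for ip, port, proto, svc in delta["new_ports"]]
    lines += [f"port closed: {ip}:{port}/{proto} ({svc})"
              for ip, port, proto, svc in delta["closed_ports"]]
    lines += [f"service changed: {ip}:{port}/{proto} {old!r} -> {new!r}"
              for ip, port, proto, old, new in delta["changed_services"]]
    return lines or ["no change since last scan"]


if __name__ == "__main__":
    delta = diff_scans(parse_grepable(PREVIOUS_SCAN), parse_grepable(CURRENT_SCAN))
    print("\n".join(format_report(delta)))
```

Only ports in state `open` count, so a port that merely changed to `filtered` (the telnet entry in the sample) does not appear as a new exposure, while a host that stops answering is reported both as gone and as a set of closed ports. Version changes are reported separately because a silently upgraded (or downgraded) service is worth a look even when the port set is unchanged.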