ACTIVE
Using Content Discovery tools to expand the attack surface of a web application
Bruteforce-based Subdomain Enumeration through the use of a custom wordlist
Use of Network / Application Security Scanners
PASSIVE
Subordinate Enumeration
Identify the owner of an application or IP range
Identification of technologies
Use of Google Dork advanced queries
Use of Wayback Machine
Use a search engine
VULNERABILITY ASSESSMENT
A manual or automated scanning phase that identifies vulnerabilities that would allow an
attacker to breach systems. In this phase, Jpic is responsible for classifying the vulnerabilities
found by the tools and verifying that they are not false positives.
The vulnerabilities we identify fall into these categories:
Design
Implementation
Operational
Local
Remote
EXPLOITATION
In this phase, vulnerabilities are exploited to gain access to the victim machine one or more times. A series of tools is used that allows us to carry out attacks.
It is at this point that the experience of the penetration tester and the methodology used play an important role. The penetration tester acts as a real attacker, attempting to circumvent the defenses adopted for the target defined by the client. At this stage, the tester may also identify new vulnerabilities and code exploits.
POST-EXPLOITATION
ACCESS MAINTENANCE
In which the connection to the machine is established at the desired time.
PRIVILEGE ESCALATION
In which the tester attempts to become an administrator of the machine.
REPORT
SUMMARY AND SYNTHESIS
Presentation to stakeholders of the general report on the activities carried out, containing
overall metrics on the exposed vulnerabilities.
MANAGEMENT REPORT
Presentation of a general pentester report containing the life cycle, duration, modes,
best practices, framework, and impacts of attacks on the target system.
TECHNICAL REPORT
Presentation of a pentester's technical report covering the main
tools and instruments used to carry out an attack on the system.