Penetration testing (Pentest)
Simulate malicious behavior that could target your Information System from within, evaluate your external exposure or the security of your applications (Web, mobile, fat client…)!
Simulate real-life attacks
The principle of penetration testing (also known as pentesting) is to identify vulnerabilities on an audited perimeter, then verify their exploitability and impact under real attack conditions, and finally propose corrective action to remedy the vulnerability.
For example, during a web application audit (web pentest), auditors will look for vulnerabilities based on a methodology (e.g. OWASP) and aim to reproduce the behavior of a malicious user.
Our auditors focus on vulnerabilities such as those referenced by the Open Worldwide Application Security Project (OWASP), and also rely on the MITRE ATT&CK knowledge base and the MITRE CWE catalog.
Discover the benefits of an intrusion test
Performing a pentest enables your organization to identify potential vulnerabilities in a target system before they are exploited by potential attackers.
The pentest may cover your internal Information System, your external exposure, a web application, a mobile application (iOS or Android), APIs…
A penetration test helps you reduce the risk of data breaches or illegitimate access to your systems, and can also help you ensure compliance with current regulatory standards.
As Synetis is a PASSI-qualified company (the ANSSI qualification for information security audit providers), penetration testing can be carried out under that qualification. This applies, for example, to an audit of a Diffusion Restreinte (restricted) network or as part of a SecNumCloud qualification.
Rely on a rigorous, proven approach
Carrying out a penetration test, or pentest, involves several essential steps:
- First of all, information gathering enables the auditors to map networks, systems and applications: this establishes the context of the audited perimeter and identifies the high-impact targets to be prioritized.
- This is followed by component analysis and the search for any known vulnerabilities that could allow the perimeter to be compromised.
- In the third stage, the auditors exploit the vulnerabilities found in order to simulate real attacks and assess the depth of the compromise: the access gained and the sensitive information that could be collected.
- Finally, the auditors produce a detailed report presenting the various vulnerabilities observed, determining their criticality in relation to the context, and then presenting the associated remedial actions to be taken.
Different types of penetration test
External penetration testing (or external pentesting) simulates an attack from the Internet, with the aim of identifying exposed vulnerabilities in your infrastructure. Auditors will explore potential entry points, such as websites, web servers, online applications, firewalls, VPNs, exposed administration interfaces (RDP or SSH access, for example)… using vulnerability scanning, fuzzing and exploitation techniques.
These external pentests make it possible to determine:
- the exposed attack surface (servers, applications, services);
- the presence of vulnerabilities (known or 0-day);
- the possibility of theft of sensitive data (business data, personal data covered by the GDPR);
- the possibility of disrupting your services (business logic errors, denial of service);
- the impact on your company's image.
This type of test assesses the robustness of your Internet-accessible Information System, the configuration of your exposed equipment and the effectiveness of your intrusion detection systems in real-life situations.
For internal penetration tests (or internal pentests), the auditors take the point of view of a malicious individual present on your premises and connected to your corporate network: initially without legitimate access (black box), then with a legitimate user account (grey box, also known as the “trainee test”).
It is also possible to start the audit directly from a standard corporate workstation, in order to simulate the compromise of an internal machine or of an employee's account.
This type of test lets you assess the effectiveness of network segmentation, verify the hardening of the resources an attacker could reach, and measure how consistently security patches are applied across the information system.
Depending on your needs, different methodologies may be used:
- Black box: unauthenticated attacker with no knowledge of the perimeter;
- Grey box: authenticated user with partial knowledge of the perimeter;
- White box: full access to information within the targeted perimeter.
Web / API penetration testing specifically targets one or more web applications (front-office and/or back-office) and their APIs.
It can be carried out in black-, grey- or white-box mode: in black box the auditors act as an attacker with no particular knowledge of the target; in grey box they act as a malicious user, or as an attacker who has obtained credentials through a data leak or a successful phishing campaign.
White-box pentesting offers greater efficiency, for example by giving the auditors access to the application's source code.
A mobile penetration test is specifically designed to test the security of an Android or iOS application, including the application itself, system interactions and network communications.
Synetis auditors focus on vulnerabilities such as those referenced in the OWASP Mobile Application Security Testing Guide (MASTG), as well as recently disclosed security flaws.
During this type of pentest, the teams test the following aspects in particular (non-exhaustive list):
- storage and use of sensitive application data;
- the application's attack surface on an Android or iOS device;
- the application's resilience against attacks and reverse engineering.
An LLM pentest aims to test the vulnerabilities introduced by integrating an AI chatbot into a web solution, for example.
This type of pentest combines two approaches:
- a classic web penetration test (covering the underlying technologies and the chatbot's interactions with its back-end, for example);
- social engineering of the chatbot itself (prompt injection and jailbreak attempts, to push it outside its more or less well-defined guardrails).
Different approaches to Pentest
The black-box, grey-box and white-box approaches each have advantages and disadvantages, as described below.
Black box
In the “black box” approach, the auditors have no technical knowledge of the targets: only the URL, for a web application, or the address at which the target is hosted. In an internal pentest, the auditors have only network access, with no further indications.
This approach brings us as close as possible to real cases of compromise: the opportunistic attacker, discovering vulnerabilities without possessing any prior information.
Grey box
Halfway between black-box and white-box penetration testing, we find grey-box penetration testing.
This type of pentest is carried out by auditors with partial knowledge of the targeted systems. This may involve user accounts or information that can be used to direct research.
It combines the time-efficiency of black-box testing with deeper vulnerability research, thanks to the information made available to the testers.
White box
Unlike black-box penetration testing, white-box penetration testing is carried out by experts with full access to the infrastructure, systems, source code and internal resources. With all this information at their fingertips, auditors are able to detect even the most complex vulnerabilities, which are sometimes more difficult to determine without this wealth of knowledge at their disposal.
These tests therefore provide an in-depth view of the various vulnerabilities, and offer greater comprehensiveness than the two previous approaches.
Intrusion test carried out by Synetis experts
We carry out non-destructive penetration tests (internal, external, application, chatbot/LLM, mobile, IoT) on the various components of an Information System. These tests simulate the behavior of a malicious individual, whether external to your organization or not. Each identified vulnerability is given a CVSS rating, or a risk-based qualification using the rating scale proposed by ANSSI, taking into account the level of risk and the ease of exploitation of each vulnerability.
Our teams follow the CVSS v3.1 standard (Common Vulnerability Scoring System, used to characterize and rate the impact of vulnerabilities). An action plan is then proposed at the end of each audit.
Point of attention
It is important to note that a pentest does not involve training or evaluating a SOC.
Since the aim is to be as exhaustive as possible in the search for vulnerabilities, the techniques and tools used during these engagements are not intended to validate the detection teams and tooling in place: the tests are not designed to be stealthy.
For the continuous improvement of a SOC-type detection team, we recommend a purple team / red team engagement instead.
Penetration testing is therefore an important pillar of your information system protection strategy.