Anticipate the latest cyber threats and prevent digital risk.
SensePost is the elite ethical hacking team of Orange Cyberdefense in South Africa, which also delivers offensive security consulting services and training worldwide. With a 20-year track record, SensePost is viewed as a trusted advisor that provides the insight, information and systems our clients need to make informed information security decisions that support their business performance.
The penetration testing methodology used by the ethical hacking team of Orange Cyberdefense is based on high value-added manual testing. We believe that the low-hanging fruit, which is mostly detected through automated security testing tools, should be the starting point of an assessment, not the end of it. The true value of a penetration test lies in the expert knowledge of our testers applied to a specific business context and technical implementation.
Penetration testing is a testing methodology in which assessors attempt to circumvent or defeat the security features of a system. The methodology varies greatly depending on the specific constraints and the system being assessed.
In internal assessments, different skills, techniques, and tools are used to test the security of the internal infrastructure in scope. A common exercise is the "From Zero to Hero" proof-of-concept in which we start without any information or credentials and try to escalate to a high-privileged user (typically a Domain Admin).
External infrastructure assessments evaluate the security of a company's external perimeter and its public exposure. Typical tests include internet footprinting, port scans, vulnerability scans and additional manual testing/exploitation.
During Wi-Fi assessments we try to gain unauthorized access to the wireless networks in scope. The techniques range from capturing and cracking the pre-shared key (e.g. WPA-PSK) to luring mobile users/devices onto a rogue Wi-Fi network in order to intercept login credentials (e.g. WPA-Enterprise).
In testing web applications and APIs, Orange Cyberdefense focuses on identifying the OWASP Top 10 issues. The tester intercepts every single request and response. Interesting calls (from an attacker's viewpoint) are inspected, modified, and attacked in different ways to identify potential issues and exploit weaknesses.
Mobile assessments audit both the mobile app and its communications. The mobile app is decompiled, and its configuration and source code are inspected. The app is also audited against security best practices (e.g. storage of sensitive data). The OWASP Mobile Top 10 is used as the main framework.
In an IoT assessment, several aspects of the device or setup are tested. Depending on the scope, the tests can cover the security of the hardware, the firmware, the backend(s) and the protocols used. The OWASP IoT Top 10 is used as the main framework.
In a theoretical assessment, an organization is (self-)audited against the CIS Critical Security Controls, a well-known yet very pragmatic cybersecurity framework formerly known as the SANS Top 20.
Please contact us if you have any questions related to our offering by filling out this contact form. We will contact you promptly.