Infrastructure pen testing is performed for companies that want to check the functionality, security and safety of their IT infrastructure. We provide an honest and realistic status overview of your environment. The scope of our pen tests is always determined together with the client. That means we can perform our services in any environment: internal, external or in the cloud!
Scope examples
The following environments can be included during an infrastructure pen test: External, Internal or Cloud IT infrastructures. We can also test laptops, PCs, smartphones or test the available Wi-Fi on site.
Would you like insight into the security of any of the above environments? Then get in touch!
What attack scenarios are possible for infrastructure pen testing?
The most common attack scenario for an IT infrastructure is a combination of Black and Grey Box. An illustrative example is provided below for both attack scenarios. During an intake the wishes will be mapped out in order to choose a suitable scenario.
Black Box of the external IT infrastructure
With minimal information, a picture will be formed of vulnerabilities in the publicly available IT infrastructure. By means of open source research (OSINT) as much information as possible will be collected to discover vulnerabilities.
Grey Box of internal IT infrastructure
Testing the internal infrastructure is at least as important as the external environment. This scenario simulates what a malicious hacker or malware might do if it gains access to the internal network through, for example, a phishing or social engineering attack. Which vulnerabilities are present and is it possible to increase the privileges to administrator rights?
Standards pentetration testing
NFIR uses the Penetration Testing Execution Standard (PTES) for pen testing IT infrastructures. This standard gives you the guarantee that the pen test is carried out completely and according to the correct standards. We find it important to be as transparent as possible about the execution of the pen test. For this reason, we offer a checklist for various pen testing standards which is added to the report. This allows you to see which checks have been carried out, which could not be carried out and which, if any, were not applicable.
Sample infrastructure pen testing report
A sample report (NL/EN) is available of an internal black box pen test. In this report, a pen test was performed on a fictitious environment, revealing vulnerabilities.
Pen tests
Which systems can you have tested by NFIR's experts?
Which systems can you have tested by NFIR’s experts? Our ethical hackers check the technical resilience of (web) applications, websites, IT and OT infrastructures, API links and mobile apps. If you have a different environment that you would like to have controlled, we will be happy to discuss it with you.
Black box pentest infrastructure
With minimal information, a picture will be formed of vulnerabilities in the publicly available IT infrastructure. By means of open source research (OSINT) as much information as possible will be collected to discover vulnerabilities.
White box pentest infrastructure
Testing the internal infrastructure is at least as important as the external environment. This scenario simulates what a malicious hacker or malware might do if it gains access to the internal network through, for example, a phishing or social engineering attack. Which vulnerabilities are present and is it possible to increase the privileges to administrator rights?
How long does a pen test take?
How long a pen test takes depends greatly on the environment to be tested and the agreements made with the client about the attack scenarios to be deployed. If you have an environment that you would like to have checked, we will be happy to discuss it with you.
What is the PTES standard?
The Penetration Testing Execution Standard (PTES) consists of several main components. These cover everything about a penetration test, namely:
The initial communication and reasoning behind a pen test;- The information gathering and threat modelling phases, where testers work behind the scenes to gain a better understanding of the tested organisation;
- Vulnerability assessment, exploitation and post-exploitation, which addresses the technical security expertise of the testers and combines it with the business acumen of the assignment;
- Reporting, which captures the entire process in a way that makes sense to the customer and provides them with the most value.
