Pentest: External assets discovery

External mapping: Main challenges

What are the challenges to ensure the safety of assets published on the internet on in the cloud:

• Maintain up-to-date documentation for all servers published on the Internet or through Cloud services
• Identify and ensure only necessary services are accessible from the internet.
• Verify that test, development, or preproduction servers are not accessible externally.
• Implement control measures for new assets during mergers or acquisitions.
• Foster collaboration among IT teams to minimize configuration errors and prevent unauthorized access to resources from the internet.

External mapping: Our Solutions

QLab offers a comprehensive solution to discover your Internet assets:

• Methodology to find published assets with various techniques (whois, ASN, search engines, favicon, etc.)
• Exhaustive search using external services (censys, crtsh, shodan, etc.).
• Creation of specific dictionaries based on identified domain names.

Continuous service for ongoing alerts on newly detected assets.

Web Pentest

Web Pentest: Main challenges

The IT security challenges for a company whether developing a web application or using a third-party service require to:

• Ensure the application used is robust against external threats
• A team of web developers with skills in secure programming
• Use robust base system and application, properly configured
• Ensure compliance with data protection regulations

Web Pentest: Our Solutions

From the design phase to the post-deployment phase, the benefits of working with our experienced pentest team include:

• Collaboration with senior pentesters with extensive R&D experience.
• Adoption of a proven methodology (OWASP), enriched by insights gained from pentesters
• A manual approach to understand and address all business features of an application
• Use of expertise in approved tools for efficient vulnerability discovery

External Pentest

External Pentest: Main challenges

Online services, from VPNs to databases, pose security risks Protecting against server control, database theft, and network intrusions can be challenging:

• Restrict online accessibility to selected services through IP filtering, firewall rules, and initial authentication.
• Keep exposed services up to date to prevent easy compromises.
• Implement robust configurations to withstand specific attacks on these services.
• Verify authentication mechanisms to prevent intrusions due to weak passwords.
• Implement detection mechanisms for potential attacks, including exploitation and brute force.

External Pentest: Our Solutions

Quarkslab’s external pentests tackle challenges by:

• Targeting network, system, and applications
• Using dedicated tools, manual tests, and ongoing technology watch
• Establishing combined attack scenarios
• Complementing our external assets discovery, providing a comprehensive view of your online exposure and protection

Mobile Penetration testing

Mobile App Audit: Main challenges

When developing a mobile application, companies must ensure that the entire process is carried out by following the best security practices:

• Ensure the mobile application is robust against external threats
• Implement measures to slow down an attacker studying the application (code obfuscation, root/jailbreak detection)
• Rely on skilled developers in secure programming
• Use well-configured and robust base system and application
• Ensure compliance with data protection regulations

Mobile Penetration testing: Our Solutions

From the design phase to the post-deployment phase, benefit from the expertise of our pentest team providing:

• Senior pentesters with extensive R&D experience.
• Use of a proven methodology (OWASP), enriched by insights gained from pentesters
• A manual approach to understand and address all business features of an application
• Use of tools dedicated to the search for web vulnerabilities

Internal Penetration testing

Internal Pentest: Main challenges

Maintaining a specific level of security on internal networks poses numerous challenges, including:

• Ensuring the application of security policies on all internal assets
• Implementing measures to defend against attacks and/or establishing proactive surveillance
• Using well-configured and robust base systems and applications
• Deploying security updates on equipment, systems, and applications
• Applying network segmentation to prevent access from unnecessary services

Our Internal Pentest solutions

Tap into our pentest team’s expertise to uncover and address security weaknesses in your internal information system offering:

• Senior pentesters with internal penetration test experience
• Diverse attack methods from the MITRE ATT&CK repository
• A step-by-step approach: network discovery, privilege escalation, lateral movement, server takeover, AD domain compromise
• Expertise from QLab Desktop Security team to bypass security equipment (EDR, antivirus, etc.)

Configuration audit

Main challenges of configuration

Deploying new systems, applications, or network appliances in a company presents various challenges:

• Verify configuration compliance with recognized standards such as ANSSI RGS, CIS, NIST, etc., or internal policies.
• Ensure configurations do not introduce security risks that could impact the information system.
• Analyze and manage expanding sets of rules on security equipment like firewalls and IDS/IPS.
• Implement effective identity and access management to prevent fraudulent access (user/service account lifecycle).
• Evaluate the efficiency of specific configurations (EDR, IPS, etc.).

Our Configuration Audit Solutions

Access our pentest team’s expertise for configuration challenges, offering:

• In-depth knowledge of systems and networks.
• Proficiency in various solutions to cater to a diverse range of applications.
• Extensive skills, especially through R&D efforts in the internal laboratory focused on new technologies.
• An approach to eliminate false positives: combining automated collection with manual verification of configuration items.
• Utilization of recognized tools such as Nessus Professional and Nipper.

Wi-Fi penetration testing

Enterprise Wi-Fi audit: Main challenges

Maintaining a specific level of security on a Wi-Fi network poses various challenges, including:

• Validate the configuration of the corporate Wi-Fi network and chosen security measures.
• Ensure the guest network/captive portal prevents access to the internal network.
• Confirm robust policies on employee laptops for pairing with corporate Wi-Fi.
• Verify captive portal resilience against network/web attacks.
• Check protection against Man-In-The-Middle attacks, ensuring no compromise of user accounts.
• Assess probe efficacy for detecting fraudulent access points

Wi-Fi audit: Our solutions

Get support from our pentest team’s expertise to identify security vulnerabilities in your Enterprise Wi-Fi network, offering:

• Senior pentesters with Wi-Fi penetration testing experience
• Diverse attack methods and of appropriate equipment/tools
• Adaptable approach based on customer-specific threat scenarios.
• Expertise to address other wireless protocols through the QLab team.

Red Team & Adversary simulation

Red Team & Adversary simulation: Main challenges

Red Team testing are designed to challenge the security of your organization by simulating realistic, targeted attacks to reveal potential vulnerabilities and improve your overall security posture.

Our advanced service aim at:

• Evaluate resistance to sophisticated attacks by simulating advanced tactics, techniques, and procedures (TTPs), assessing readiness and detection capabilities.
• Uncover security vulnerabilities missed in traditional penetration testing campaigns.
• Measure physical and logical security through comprehensive assessments, including physical security and social engineering tests.
• Testing your incident response setup by assessing your organization’s ability to detect, respond and contain a simulated cyber attack

Red Team & Adversary simulation: Our solutions

Our Red Team services offer a proactive and comprehensive approach to improving the security of your organization. Our deliverables will include:

• Precise identification of vulnerabilities and security weaknesses detected during the assessment
• Recommendations comensurated with your context to strengthen the security of yourassets
• Detailed reports on the testing activity and progress, the positive aspects of your security and the associated corrective actions

Phishing campaign

Phishing campaign: Main challenges

Phishing attacks often target the human layer of security, aiming to exploit user trust to gain access to sensitive information. Here are some specific challenges your organization might face:

• Evaluating your resilience against a simulated attack, which remains the most common initial access vector used by threat actors
• Training you employees to recognize and report phishing attempts
• Measuring your capacity to identify and block phishing emails attempting to breach your company

Phishing campaign: Our solution

The phishing service offered by Quarkslab addresses these challenges through a comprehensive and proactive approach. Our commitment includes:

• Create and send realistic phishing emails
• Simulate real world tactics used by attacker
• Test the organization ability to detect, report and respond to phishing attacks.

Our team

OSCP

OSEP

SANS-SEC560 (Enterprise Pentest)

SANS-SEC760 (Exploit for Pentest)

SANS-FOR508 (Advanced Forensic)

CEHv6

EC-Council

An experienced team to create unique pentests tailored to each context.

QLab

12 years of existence

Reverse Engineering

Vulnerability Research

Cryptography

Cloud

Blockchain

Conferences:

SSTIC, BlackHat, Hardware.io…

Our tools

Kdigger

AERoot

Pyrrha

Triton

I- dascript