A penetration test follows an iterative cycle of four phases:

Reconnaissance: Auditors explore the target to understand its technical and functional architecture.

Vulnerability Discovery: Depending on the technologies present, a manual search for vulnerabilities is conducted.

Exploitation: Identified vulnerabilities are exploited to confirm their presence and assess their impact.

Pivot: Exploitation may provide access to new components of the target, leading to a new analysis phase.

Objective: Conduct a service with the aim of a realistic attack, typically represented in four major steps:

Open Source Research & Reconnaissance: Gathering information from publicly available sources to understand the target’s digital footprint and potential vulnerabilities.

Social Engineering: Utilizing psychological manipulation to exploit human behavior and gain unauthorized access to the target system.

System Access: Attempting to gain entry into the target system using various methods, including exploiting vulnerabilities, weak credentials, or misconfigurations.

The configuration audit aims to verify the implementation of security best practices on a logical or physical security device.

NEVERHACK auditors rely on various standards and best practice guides depending on the specific equipment and client context (such as ANSSI, NIST guides, etc.).

This service will encompass a documentation review and exchanges with technical counterparts to validate various elements such as deployed software or hardware solutions, not only their positioning but also their roles and configurations.

Mobile application audits are typically divided into three major stages as described below (not exhaustive):

Reconnaissance: Gathering information related to the publisher. Gathering application-specific information.

Static Analysis: Application review (searching for hard-coded elements, poor practices, or any elements posing a risk). Analysis of application behavior (APIs, URLs, data storage, etc.). Attempts to misuse APIs, etc.

Connected devices and the Internet of Things (IoT) are becoming increasingly prevalent in our daily lives.

IoT devices contain proprietary and personal information, access and communicate with various services, through which sensitive information may transit.

This is why it’s crucial to ensure a high level of security for these devices.

In order to carry out the source code audit under the best conditions, NEVERHACK proposes the following approach for technical tests:

Phishing aims to :