Penetration Testing

SynerComm wants to make pentesting great again (sorry, couldn't resist). The information security industry has seen an influx of sub-standard firms claiming to provide quality penetration tests. Don't be fooled by imposters and accounting firms, hire the best!

The A-Team! SynerComm's AssureIT team is comprised of senior Information Assurance Consultants (IACs) focused solely on delivering the highest quality professional services to their customers. Each penetration tester has a strong background in systems administration, networking, security and development. This experience combined with AssureIT's 13+ year track record of providing industry leading IT audits, assessments, penetration tests and incident response services mean our A-Team is the obvious choice.

100% Pentesters OSCP Certified

100% Consultants CISSP Certified

4 PCI QSAs

A penetration test is a simulated attack done to evaluate the security of networks, services and applications. Unlike vulnerability assessments, penetration tests identify previously unknown vulnerabilities and test the effectiveness of security controls. Rather than identifying an exhaustive list of potential weaknesses, penetration testing focuses on the exploit paths that lead to compromise. During a pentest, we won't ask you to whitelist, and we don't want a list of your users.

  • How immune is my network from attack?
  • How vulnerable are my employees to social engineering?
  • Can I detect external attacks against my network?
  • Can I detect (and get alerted on) an intruder inside my network?
  • Do I have sufficient logging to support a forensic incident response?

One notable distinction between a penetration test and a vulnerability assessment is the inclusion of human weaknesses in testing scope. The rampant success of phishing attacks and ransomware is proof that criminals prefer to exploit the weakest link. With an AssureIT social engineering engagement, you'll not only know your human weakness, but also measure your ability to detect and respond to internal threats. We recommend including social engineering in almost all penetration tests. The bad guys don't have rules and social engineering is their weapon of choice.

That's what you get with an AssureIT penetration test report. Businesses need to know how to prioritize their remediation efforts and investments. SynerComm's reports deliver what matters most without the useless filler.

  • Executive Summary & Conclusions
  • Detailed Findings & Recommendations
  • Prioritized Risk Based Action Plan
  • Narrated Timeline with Screenshots and Evidence

We never leave our customers out on a limb. Period. Our customers have direct access to our consultants. No middleman to try and upsell you on something you don't need, just clear intel from the front lines when you need it.

SynerComm's AssureIT team wouldn't be where we are today without the tremendous contributions made to our information security community. We rely heavily on the free and open-source tools made available by companies and individuals. Because of this, we are proud to give back by sharing our knowledge, research and tools. You'll frequently find the AssureIT team speaking at conferences, blogging, and dropping new tools.

Who doesn't like free tools? The AssureIT team at SynerComm has developed a growing number of tools that are made available to the public.

Homegrown AssureIT Tools

Hashview

Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat (https://hashcat.net) commands. Hashview strives to bring consistency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.

OWA-Toolkit

Powershell module to assist in attacking Exchange/Outlook Web Access

Vulnerability and Compliance Reporter (VCR)

Vulnerability Compliance Report Tool is used to parse Nessus files into beautiful html reports.

Lucky Strike

A PowerShell based utility for the creation of malicious Office macro documents.

Proxy-Cannon

Create your own private botnet for scanning.

crEAP

Harvesting Users on Enterprise Wireless Networks.

Introducing The Kraken.
A rig is designed for one purpose: to crack password hashes.

How strong are the passwords within your organization?

Let The Kraken dive in and uncover the low-hanging-fruit passwords in use in your environment. While the rig itself is powerful and impression, it is really designed to educate. By discovering weak passwords, your organization will have the opportunity to engage, inform, and improve password management among your teams and thereby increase the security of the organization, as a whole.

What makes it so powerful?

The Kraken is made up of NVIDIA GTX 1080s - eight in total. These are graphics cards with immense parallel computing capabilities. Running Hashcat, the results are impressive - reaching 330 Gigahashes/second for NTLM and 200 Gigahashes/second for MD5 hashes.

How can you put it to use in your organization?

Contact us to set up a password testing engagement where we will supply The Kraken and perform the test. Alternatively, you may purchase your very own Kraken, assembled, guaranteed, and supported by us. Remember: continuous penetration testing leads to faster detection and hardened defenses.

Want to build your own?

No problem! We've posted a detailed guide on the AssureIT blog, #_shellntel.

Test Offerings Offering Customizations
Sub Cat Overt Covert With SE Description
External Blind An external penetration test in which the IAC's actions are transparent to the target company and non-deceptive. Test details are readily exchanged through testing allowing for iterative customer-driven testing.
An external penetration test in which the IAC's actions are obscured from the target company and designed to be unforthcoming. While a valid scope is still required, beyond the description of an RoE, this test includes little communication.
Similar to a covert blind external penetration test but with addition of social engineering components. Social engineering campaigns can be carried out over emails or phone calls and chosen and customized in communication with the customer.
The blind external penetration test that most accurately simulates a determined external threat. With this type of engagement there is little communication.
Double Blind Double blind external penetration tests are limited to remaining covert. This is a simulated attack in its purest sense. Extremely limited user base that is aware of the engaging. All threats identified are treated as hostile.
Internal An assessment that begins internally. Generally, these tests are conducted remotely and over a supplied "dropbox" through which the attacker works. Due to the nature of how this test is performed, there is little opportunity for the test to be performed in a covert fashion.
Physical A penetration test performed in meatspace. The IAC will physically attempt to gain unauthorized access to the brick and mortar locations.
Rapid Hybrid A test designed to specially evaluate the strength of inline security controls and their configuration. This penetration test is considered hybrid as it is performed in full cooperation with an administrator with insight into the logs and configurations of each control to be tested.
Real Time Analytics