Pentesting Mobile - BETA Version of the Article


The final version of this article will be available in the upcoming Mobile Pentesting issue.

Pentesting Mobile


Dear reader, I want to share with you the importance of mobile pentesting. Through my projects in the domestic and international market, I have come to firmly believe that we still sin a great deal in our management solutions: unfinished installations, poor configuration and, worse still, in some cases the use of factory default settings. These are the source of most of our weaknesses and exposures to hackers.

It is worth highlighting that many companies are concerned with their information security perimeter, strengthening access controls, policies, processes and procedures in a way that somehow satisfies their consciences, their managers and the regulators. We should stop kidding ourselves: all of this is important and critical to your security environment, and we should value it enough to invest in good planning and management through good "governance", periodic review and penetration testing.

Governance should start when you plan a new project, not at its end. Always prioritize getting the BASICS right, then plan the sequence of steps that leads to the ideal. Many companies invest heavily in doing things well and yet underestimate the basics, or rather the simple things; good tools alone do not guarantee the success of your projects. Think about it!


End of privacy in mobiles

With the popularization of PCs in the 1980s, invasion of privacy became an increasingly discussed topic as the earliest forms of viruses emerged. Hacker attacks on computers proliferated globally and quickly, which required the creation of antivirus software to mitigate them and leave machines less susceptible. Then came e-mail spam, whose sheer volume motivated the development of antispam filters.

The same privacy problems experienced by computer users are now arriving on mobile. Just as spam hit e-mail accounts and disrupted communication through that channel, it is now reaching mobile phones and smartphones, becoming a threat to the enterprise SMS market.

Text messaging emerged in corporate communications as a way to support users: alerts to the population, purchase confirmations, contact updates from public bodies, confirmation of medical appointments, insurance renewals, among others. Now, however, scam attempts, unwanted advertising and even viruses arrive through the mobile phone.

With the increasing use of mobile devices in personal and professional transactions, the threats to the information that travels through these applications are growing. To prevent attacks it is necessary to shield these devices, which means knowing the vulnerabilities of the application, the system or the network itself. This is the role of the information security experts known as ethical hackers, or pentesters (penetration testers).

Difference between Pentest and Automated Security Scan

Identifying the gaps in a server, which represent entry points exposed to malicious people, is critical to ensuring information security. It is therefore necessary to use the most modern tools on the market and audit the servers. This attitude will be crucial for controlling and reducing risk.

Scan or Pentest?

Dear readers, the method used to perform this vulnerability audit is the pentest. It is a way to study the different forms of intrusion that may occur. But what about the vulnerability scan, which analyzes a system to identify possible flaws? Do they not have the same function?

This doubt is commonplace, and some professionals still do not understand the difference; after all, they apparently do the same thing. However, each fulfills a different role in the security audit.

Before proceeding with the article, let's quickly explain what each one is. This information is useful to recall where each applies and to help those who still do not know them understand the difference. The differences will be presented at the end of the article.


Pentest is the abbreviation of the expression Penetration Test. The term refers to the act of performing vulnerability testing on networks, systems or web applications. It is used to find openings that would allow third parties, usually malicious ones, to access corporate information. To do this, the pentest simulates real attacks. Those who perform this simulation, at the request of the companies, are professionals specialized in this type of security procedure.

The types of pentest:

  • Tandem

There is a script to be followed, jointly defined between those who carry out the tests and the company that will be subjected to them. The person responsible for conducting the attack has all the information needed for the activity. Everyone involved in the process knows exactly what will be tested. Those involved are the managers and the professionals working on the front lines of the company's IT.


  • Reversal

The attacker has access to all information about the target's structure, which allows him to perform the same attacks the bad guys would run. In this mode the "victim", in this case the staff of the company that hired the service, does not know it is being attacked or which tests will be performed. Only the person who hired the service knows which tests will be conducted.


  • Blind

The company knows what will be attacked and how it will be done, while the attacker has no prior knowledge of the structure the company maintains and will exploit the vulnerabilities found.

  • Double Blind

The person responsible for conducting the attack has no access to any information about the company that will be attacked. The company, for its part, does not know which actions the attacker will take.


  • Gray Box

The attacker has some information about what will be audited, but only partial information. The company knows it will be attacked and which tests will be performed.


  • Double Gray Box

The attacker still has only partial knowledge. In this mode, however, although the manager knows the company will be attacked, he does not know which tests will be performed.


Examples of pentest tools for mobiles

Inguma is a penetration testing toolkit written entirely in Python. It has many features, such as host discovery, extraction of information from hosts, discovery of usernames and passwords by brute force, and the ability to run exploits.


Nmap, or "Network Mapper", is an advanced free-software scanner developed by Gordon Lyon, the hacker known as "Fyodor".

Today Nmap is commonly used by hackers, crackers and pentesters. Besides performing a port scan (to see which ports are open), it can also gather information about the various hosts (computers) connected to a small, medium or large network, such as:

  • The computer's IP address

  • The computer's MAC address

  • The operating system being run

  • The services being run

  • The ports that are open

  • The packet filters in use (firewall and the like)
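As an added example (not part of the article or of the Nmap project), the Python script below reads a report in the layout of Nmap's XML output (`nmap -oX`) and extracts exactly the fields listed above, so the findings can be reviewed or reported. The XML is a constructed sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's XML report (nmap -oX); not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
</nmaprun>"""


def summarize_hosts(xml_text):
    """One dict per host with the fields the article lists: IP, MAC, OS guess,
    open ports with their services, and whether filtered ports were seen
    (evidence of a firewall or other packet filter in front of the host)."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        info = {"ip": None, "mac": None, "os": None, "open_ports": [], "filtered": False}
        for addr in host.findall("address"):
            key = {"ipv4": "ip", "mac": "mac"}.get(addr.get("addrtype"))
            if key:
                info[key] = addr.get("addr")
        match = host.find("os/osmatch")  # best OS guess, present only if fingerprinted
        if match is not None:
            info["os"] = match.get("name")
        ports = host.find("ports")
        if ports is not None:
            # Nmap collapses the many ports that share one state into <extraports>.
            if any(e.get("state") == "filtered" for e in ports.findall("extraports")):
                info["filtered"] = True
            for port in ports.findall("port"):
                state = port.find("state").get("state")
                if state == "filtered":
                    info["filtered"] = True
                elif state == "open":
                    svc = port.find("service")
                    name = svc.get("name") if svc is not None else "unknown"
                    info["open_ports"].append((int(port.get("portid")), name))
        hosts.append(info)
    return hosts


if __name__ == "__main__":
    for h in summarize_hosts(SAMPLE_NMAP_XML):
        print(h)
```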




Automated security scan

This is software used to check a server for vulnerabilities, looking for points that could be used as a gateway for intrusions.

There are two types of scanner, each with its own characteristics suited to certain situations:

  • Active Scanners

These are used to identify suspicious points that pose risks. An active scanner is also used to analyze ports through which malicious people have broken in and to discover the vulnerability that was exploited to do so. It can act to automatically block addresses that pose a risk, that is, addresses with malicious IPs. The active scan points directly at a vulnerability and probes it.


  • Passive Scanners

These can be programmed to run continuously, without interruption, or to perform the analysis at certain periods, according to the business need. A passive scanner monitors the running applications, the operating system and the ports open on the network. Quite simply, it waits for the information passing through it in order to find vulnerabilities.

But what is the difference between Pentest and Scan?

The vulnerability scan acts as a kind of surface radar. It seeks out and identifies gaps in server applications and other vulnerabilities that pose risks. It is a more generalized, external scan. The company can use this information to take action and minimize the risk of being broken into.

The pentest, on the other hand, is a more focused process that may even use the vulnerability scan to carry out its activities. After defining the type of pentest to be applied, a script must be followed:

Information mapping: in this step all the information needed by those who will carry out the intrusion is gathered. All possible data is taken into account, such as employee names, who the competitors are, what the company's line of business is, and its social networks.

Vulnerability scan: in this step the automated security scan is used; it performs the analysis described above and lists the points identified as potential risks to be exploited.

Intrusion: once the mapping procedure and the scan of all vulnerabilities are done, it is time to analyze further and understand the different ways to prevent attacks and how the bad guys could use these flaws to break into the server or application.


… we can say that the vulnerability scan performs an initial analysis and is part of the pentest procedure. It makes an initial sweep of the "holes" that may present a risk of intrusion, and the pentest works to understand how someone could act to get through these "holes".


Success to all!

Longinus Timochenco - Chief Information Security Officer - CISO INTERNAL CONTROLS


September 2, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013