pentest_1

Upload: hiephenry

Post on 28-Dec-2015

  • PenTest Magazine | PentestIT Test.lab

    PentestIT penetration testing laboratories are copies of the IT infrastructure of real companies. The Test.lab laboratory was created to allow participants to legally validate and consolidate their penetration testing skills under real conditions, but we strongly recommend against using the knowledge gained for wrongful or unlawful purposes.

    Laboratories are always unique and contain the most current vulnerabilities, in anonymized form (under NDA), discovered by the PentestIT team during penetration testing of real companies. In developing Test.lab we try to cover almost all areas of information security: network security, operating systems and applications. Participants are encouraged to exploit a variety of vulnerabilities: those related to network components, cryptographic mechanisms, configuration and code errors, and the human factor.

    Gathering participants from around the world, we have developed Test.lab for various events, such as the All-Russian contest ProfIT 2013, ZeroNights13, PHD IV. We are supported by experts in the field of information security from around the world, and our laboratory has been made into one big pentest map.

    PentestIT Test.lab: a platform for legal practical experience in penetration testing

    Test.lab is a real computer network of virtual companies containing common configuration errors and vulnerabilities. Participants, acting as pentesters (white hats), try to exploit them and, if successful, gain access to individual nodes of the laboratory, each of which contains a token. The winner is the participant who first collects all the tokens. Work in the laboratory follows the gray-box technique: before the study (penetration testing), participants are given information about the Test.lab infrastructure in the form of diagrams and descriptions.

    Depending on the particular laboratory, different methods of hacking are allowed (exploitation of vulnerabilities in network services, web, social engineering, buffer overflow, etc.).

    We invite you to participate in the lab One step ahead Test.lab, presented at Positive Hack Days IV. To gain access to the laboratory, you need to complete a free registration on the website: https://lab.pentestit.ru. Good luck!

    Mayorovsky Maxim, head of the department developing the penetration testing laboratories at PentestIT.

    Plan Of The Workshop

    Reconnaissance and information gathering
      • Types of intelligence (active and passive information gathering)
      • Collecting information using DNS
      • Use of search engines
      • Metadata
      • Automating the collection of information

    Scanning
      • Scan types
      • Scanning tools (nmap, unicornscan)
      • Fingerprinting (determining the OS version)
      • Banner grabbing (identifying network services)

    Exploitation
      • Overview of the Metasploit framework
      • Exploitation and exploits
      • Using Meterpreter to research compromised systems

    Postexploitation
      • Investigation of compromised systems (Windows and Linux)
      • Working in the Windows command line without additional tools (scanning and sorting of passwords)

    Web security
      • Basics of SQL injection for different databases (MySQL, MSSQL and PostgreSQL)
      • The concept of the SQLi vulnerability type
      • Techniques and methods of SQLi disposal

    Cross-site scripting
      • Types of XSS vulnerabilities (passive and active)
      • Stealing cookies
      • Stealing data from forms
      • Types by vector (Steady / reflected, Constant / stored)