Practical training in pentest laboratories. Part 2


    “Corporate Laboratories” is an information-security training program that combines theoretical training (webinar courses) with practical training (work in pentest laboratories). This article describes the practical component, which makes up about 80% of the total program, and includes a brief analysis of one of the practical tasks.

    Corporate Network Entry Point


    Today, an attacker's intrusion into a corporate network usually begins with the compromise of the company's corporate website or of an email account whose login form is hosted on the website itself or on one of its subdomains. Gaining access to the company's website lets attackers carry out further attacks inside the organization's network or profit directly at this stage:
    In August of this year, Jaspen Capital Partners and Andrei Supranonok, along with others, were charged with breaking into the corporate networks of Business Wire, Marketwired and PR Newswire and carrying out a fraudulent scheme that allowed them to steal over 150 thousand news releases over five years prior to their official publication.

    According to the Securities and Exchange Commission, the attackers managed to illegally earn more than $100 million in this way. Jaspen Capital Partners and Supranonok were the first to agree to pay compensation. It is worth noting that, unlike the nine other suspects, no criminal charges were brought against them.

    According to the agency, between 2010 and 2015 the Ukrainian company used contracts for difference to conduct trading operations based on information from press releases stolen from the news distributors.

    Hacking a corporate site is the most common security incident. As we wrote earlier, one of the leading causes is a weak password policy: many people are used to setting simple passwords in their personal lives and carry this habit over into the corporate environment. The second most common cause is vulnerabilities in web applications.

    Your company's site can be attacked at any time: attackers may be interested in gaining access to critical information (trade secrets, customer base, etc.), in extorting money in exchange for leaving the site running, or simply in defacing the site for the sake of it.

    Any site can be attacked


    As practice shows, attackers go after absolutely any site, regardless of who owns it or how well it is protected:
    Dmitry Peskov, spokesman for the Russian president, said that on the single voting day, Sunday, September 13, the Kremlin's website was subjected to a cyber attack. Peskov noted that the defense system of the government Internet resource managed to keep the web page functional, RBC writes.

    “Churov yesterday spoke about attempts to hack the site of the Central Election Commission. In this regard, you will probably be interested to know that somewhere from 05:00 to 10:00 on Sunday a very powerful attack was carried out simultaneously on the website of the President of Russia. The defense systems coped, although it was not easy; the attack was quite powerful,” Peskov told reporters. The spokesman also noted that he still does not know who organized the cyber attack.

    Most attackers are drawn to large sites: news portals, online stores, media outlets, etc. Besides trying to profit from the information obtained from the site, they can also attack the site's visitors through so-called drive-by attacks.

    Sometimes a successful attack leads to huge reputational losses. Among the latest high-profile cases is the hacking of the Italian company Hacking Team, which specializes in developing offensive cyber weapons and exploitation tools.

    Or take the example of Ashley Madison: a morally questionable business, but a very profitable one. The hack showed that the site's functionality was largely fiction (there were very few female profiles, and specially hired staff ran them); moreover, the company did not keep its promises: even the data of users who had paid separately for the service of deleting all their data ended up leaked online.

    Protective measures


    To prevent unauthorized access to your web application, you need to follow a few simple steps. First, a properly configured web server with all the latest updates installed. Second, protection provided by a WAF, IDS or IPS. And third, no less important, staff awareness of current threats and attack methods. But, as practice shows, even modern protective tools can be bypassed.

    At PENTESTIT Corporate Laboratories, we examine the main attack vectors against web applications, their nature, exploitation methods and countermeasures. To understand how to protect your web applications (beyond the level of writing secure code, important as that is), you need to understand how they can be attacked. Even a well-written application can be compromised: a combination of seemingly insignificant vectors can let an attacker build an effective attack scenario.

    At the first stage, trainees receive up-to-date information on the nature of SQL injection, the basics of XSS, and a review of current, effective tools for exploiting web vulnerabilities. Even this set of knowledge gives them the skills needed to test their own web applications for exploitable vulnerabilities. To consolidate the theoretical material, trainees perform practical tasks in a dedicated penetration-testing laboratory.

    Passing this stage allows trainees to move on to more advanced topics in web application exploitation:
    - an extended workshop on SQL injection, including exploitation in DBMSs such as MySQL, MSSQL and PostgreSQL;
    - a demonstration of the most relevant varieties of XSS as part of a large workshop on XSS attacks: active (reflected), passive (stored) and DOM-based.

    Only a combination of technical protective measures, awareness among responsible staff and an understanding of current threats lets a business protect its assets in the form of smoothly running web applications and reliable information security.



    Practical training in pentest laboratories. Part 1
    Practical training in pentest laboratories. Part 3
    Practical training in pentest laboratories. Part 4
    Practical training in pentest laboratories. Part 5