Test lab v.8 - pentest laboratory, built on the basis of a real corporate network

Unlike the CTF competition, the penetration testing laboratories “Test lab” imitate the IT structure of real companies and have a full-fledged legend. Created for legal verification and consolidation of pentest skills, laboratories are always unique and contain the most relevant vulnerabilities, and participation in laboratories requires good practical training.

Developing Test Labs, we try to cover practically all areas of information security: network, OS and application security. Participants are encouraged to exploit various vulnerabilities associated with the operation of network components and cryptographic mechanisms, configuration and code errors, as well as human error. Participants acting as pentesters try to exploit them, and, in case of success, get access to servers and workstations, each of which contains a token. The winner is the participant who first collected all the tokens. The work in the laboratory is carried out on the basis of the “gray box” methodology: before the start of the research, information on the “Test lab” infrastructure is provided in the form of a diagram and a description of the activity of the virtual company. Collecting pentesters from all over the world, we are developing Test labs for various events, such as the All-Russian competition ProfIT-2013, ZeroNights'13, PHD IV.
')

Test lab v.7

More than 2000 participants from 73 countries of the world took part in the previous laboratory “Test lab v.7”, launched on May 01, 2015. Most of the active participants were from Russia, Ukraine, USA, Germany and China. In the opinion of pentesters, the most interesting tasks were related to the exploitation of vulnerabilities in web applications, while brute force was not of particular interest and was implemented last, despite the fact that according to global vulnerability statistics associated with the use of unstable passwords are one of the main reasons for the compromise of corporate networks.

The work in the laboratory is carried out through a VPN connection, each laboratory has its own gateway and internal IT structure (as a rule, two zones are used: DMZ and LAN). Some of the services located in the DMZ zone are accessible from the outside (inside the VPN tunnel): the company's website, mail server, remote access server or remote connections. Cisco products can be used as switches or routers (virtually, via GNS and QEMU). In the LAN zone, there are, as a rule, workstations (secretary, administrator, web developers, etc.). A participant acting as an attacker needs to search for and exploit vulnerabilities, overcoming various protection systems: antivirus, WAF and Firewall, access control systems, etc. The main difference between the laboratories “Test lab” and the CTF competition is in a realistic storyline: the compromise of one node may allow an attack on the rest of the network to be developed. For example, the accounts of one of the employees of a virtual company found in the mailbox can be used to attack other nodes of the laboratory - for example, on a VPN connection server. There are many such examples and all of them allow us to make the laboratory as realistic as possible.

A distinctive feature of “Test lab v.7”, in addition to new tasks, is the implementation of a visual attack map .

The average duration of the laboratory (compromise of the corporate network) is about 3 weeks, while the winner of “Test lab v.7” (Omar Ganiev, Beched ) managed to complete all the tasks in a record 6 days.

Welcome to "Test lab v.8"

November 13, 2015 will launch the next, cool lab "Test lab v.8". Like previous versions, the laboratory will be built on the basis of current vulnerabilities and modern attack techniques, and the IT structure of the laboratory will be as close as possible to the corporate network of real companies, both in structure and scale. If you want to take part in the development of “Test lab v.8” , broaden your horizons and express yourself - send interesting tasks to info@pentestit.ru with the topic “2f2874e4549aef222b055de6088c8fef”.

You can try your hand at “Test lab v.7” via the link: lab.pentestit.ru .
See you soon!