
Practical training in pentest laboratories. Part 1



“Corporate Laboratories” is a training program in the field of information security that consists of a theoretical part (webinar courses) and a practical part (work in pentest laboratories). This article looks at the content of the practical part, which makes up about 80% of the whole program, and includes a brief analysis of one of the practical tasks.

According to many recent statistics collected during penetration tests, one of the most significant security problems is weak and reused passwords, and this is naturally reflected in the laboratory tasks. Information gathered at one stage or on one host may be useful at another; any piece of data can be decisive for a successful attack.


Work in the corporate penetration testing laboratories involves the use of modern security software and current attack vectors. After the release of Kali Linux 2.0, the popular security distribution, the training program, the training material and the methodological manuals were reworked to take the features of the new version into account; this is how we keep the material relevant.



Let's return to the practical part of the program. The first step, for both the pentester and the attacker, is to collect information about the target system. As a rule, such information is collected through search queries and online services, as well as specialized software. Gathering information is painstaking work; in addition, one needs an excellent understanding of how the specialized tools work in order not to miss potential “entry points” into the system. For example, in its default mode the popular Nmap utility does not scan UDP ports. Some people do not know this, or simply “lose sight of it”.



Potential "entry points" into the system can sit on ports such as IPsec (500/UDP) or SNMP (161/UDP). These services are exposed to community string attacks (SNMP) and to IKE host discovery (IPsec VPN servers), and attacks on them can give an attacker information about the company's network infrastructure and ease unauthorized access to the internal network.
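The UDP blind spot described above is easy to check for after the fact. The following added example (not code from the article or from the Corporate Laboratories program) parses Nmap grepable output (`-oG`) over a constructed sample and reports, per host, whether UDP was scanned at all and whether 161/UDP or 500/UDP showed up as open; a host with no UDP entries means the scan never covered UDP and the result cannot be trusted for those services.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -oG` (grepable) output: 10.0.0.5 was scanned
# with -sU so UDP entries appear; 10.0.0.9 was scanned in default TCP-only mode.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan 1 10:00:00 2024 as: nmap -sS -sU -p T:22,80,U:161,500 -oG - 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 161/open|filtered/udp//snmp///, 500/open/udp//isakmp///\tIgnored State: closed (0)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
# Nmap done at Mon Jan 1 10:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# UDP services the article names as potential entry points.
WATCHED_UDP = {161: "snmp", 500: "isakmp"}

# Each entry in the Ports: field is port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")

def parse_gnmap(text):
    """Return {host: [(port, state, proto), ...]} from grepable output."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab-separated field (e.g. "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            hosts[host].append((int(port), state, proto))
    return dict(hosts)

def coverage_report(hosts):
    """Flag hosts with no UDP results (UDP was never scanned) and hosts where a
    watched UDP port is open or open|filtered (Nmap cannot tell these apart
    for UDP without a service response, so both are reported)."""
    report = {}
    for host, entries in hosts.items():
        udp = [e for e in entries if e[2] == "udp"]
        exposed = sorted(
            (port, WATCHED_UDP[port]) for port, state, _ in udp
            if port in WATCHED_UDP and state.startswith("open")
        )
        report[host] = {"udp_scanned": bool(udp), "exposed_udp": exposed}
    return report
```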

Intranet security is often the weak link. Concentrating their efforts on the external perimeter, IT and information security specialists forget about, or deliberately weaken (for the convenience of employees), the security of the internal network, so an intruder who gets inside can feel quite at ease. In our courses we demonstrate MitM attacks and the technology behind them, and the situations in these attacks are deliberately not typical: the principle of the attack is explained so that you can transfer the knowledge to testing your own network, taking its architecture into account. Attention is also paid to privilege escalation and lateral movement within the local network. For example, many administrators do not know about the so-called Kerberos Golden Ticket, which lets an attacker obtain the highest level of rights in the compromised infrastructure.



The usual practice of such attacks is intercepting traffic to external resources; however, in Corporate Laboratories we try to focus on intercepting traffic between hosts on the same network — such techniques are used by attackers to advance in the local network and capture new targets in the company's infrastructure.

Often, permissions inside the network are set incorrectly and little attention is paid to access control and privilege levels. Such situations are reproduced in the laboratories, for example: there is a Windows server with scheduled tasks that back up critical information from folder A (working) to folder B (backup). Users have no access to either folder, not even to read files.



However, the service configuration file has incorrect permissions, which allows users to tamper with it and gain access to the critical information. Moreover, the config itself is encrypted, which adds difficulty for the attacker (and knowledge for the trainees).

One of the frequent attack vectors is vulnerable web applications, and these are also present in the laboratories: in one of the tasks, the attackers find a WordPress site (a very common case in practice, including as the basis of a corporate blog). One of the installed plugins contains a vulnerability that makes it possible to upload files to the web server's root directory. The task is complicated by the fact that the web server sits behind NAT: to succeed, you need to choose the right payload so that exploiting the vulnerability yields a reverse shell from a web server on the local network.


Another of the most dangerous vulnerabilities is the injection of SQL statements, SQL injection. This vulnerability is still found on the Internet, sometimes in fairly large and well-protected projects. Using it, the users table is extracted and the site's admin panel is located by brute force in order to upload a web shell and then conduct, for example, watering-hole attacks on company employees or carry out phishing scenarios.

During the "Corporate Laboratories" training, a specialist acquires the following skills in a short time:
  • Awareness of current threats, vectors and attack scenarios;
  • Understanding the actions of the attacker, methods and tactics of the attacks;
  • The ability to recognize the attack and correctly counteract;
  • Knowledge of security utilities and attack techniques;
  • The ability to use the search for information (the curator does not give direct clues, but only a direction for reflection and finding a solution to the problem);
  • The ability to use official documentation;
  • Knowledge and understanding of the weakness of the default settings and their verification.

Throughout the course, each specialist is in constant contact with the instructors and the curator, receiving practical advice and answers to questions, including on security issues in a specific situation.



The extensive practical experience of our staff and the analysis of current vulnerabilities and attack vectors make the learning process practical and engaging, keeping a “finger on the pulse” and preparing specialists to withstand modern cyber threats professionally and in time.




Source: https://habr.com/ru/post/266349/

