“Corporate Laboratories” is a training program in the field of information security, consisting of theoretical training (webinar courses) and practical training (work in pentest laboratories). This article looks at the content of the practical component, which makes up about 80% of the total training program, and contains a brief analysis of one of the practical training tasks.
Entry point to the corporate network
In modern realities, an attack on a corporation begins with compromising the company's corporate website or an email account, the login form of which is often located on the site itself or on a subdomain. Gaining access to the company's website allows attackers to carry out further attacks inside the organization's network, or to extract financial gain already at this stage:
In August of this year, Jaspen Capital Partners and Andrei Supranonok, along with other individuals, were charged with hacking into the corporate networks of Business Wire, Marketwired and PR Newswire and running a fraudulent scheme that allowed them to steal over 150,000 news releases over five years before their official publication.
According to the Securities and Exchange Commission, the attackers thus managed to illegally earn more than $100 million. Jaspen Capital Partners and Supranonok were the first to agree to pay compensation. It is worth noting that, unlike the nine other suspects, no criminal charges were brought against them.
According to the agency, in the period from 2010 to 2015 the Ukrainian company used contracts for difference to conduct trading operations based on information from press releases stolen from the news services.
Hacking a corporate site is the most common security issue. As we wrote earlier, one of the leading causes is a weak password policy: many people are used to setting simple passwords in their personal lives and carry this habit over to the corporate sector. In second place come vulnerabilities in web applications.
Your company's website can be attacked at any time: attackers may be interested in gaining access to critical information (trade secrets, customer base, etc.), extorting money in exchange for the uninterrupted operation of the site, or hacking the site simply out of hooligan motives.
Any site can be hacked
As practice shows, attackers target absolutely any site, regardless of who owns it or how well it is protected:
A spokesman for the Russian president, Dmitry Peskov, reported that on the single voting day, on Sunday, September 13, the Kremlin’s website had been subjected to a cyber attack. Peskov noted that the protection system of the government's Internet resource managed to maintain the performance of the web page, RBC writes.
“Churov told yesterday about attempts to hack the website of the Central Election Commission. In this regard, you will probably be interested to know that somewhere from 05:00 to 10:00 on Sunday, a very powerful attack was carried out simultaneously on the website of the President of Russia. The defense systems managed, although it was not easy; the attack was powerful enough,” Peskov told journalists. The spokesman also noted that he still does not know who organized the cyber attack.
Intruders are most attracted to large sites: news portals, online stores, media, etc. In addition to attempts to profit from information obtained from the site, the site's visitors can themselves be attacked using so-called drive-by attacks.
Sometimes a successful attack results in huge reputational losses. Among the latest "high-profile" cases is the hacking of the Italian company Hacking Team, which specializes in developing offensive cyber-weapons and exploitation tools.
Another example is the company Ashley Madison: a very dubious business from a moral point of view, but one that brings in a good profit. The hack showed that the site's functionality was, for the most part, fiction (there were very few female profiles, and specially trained staff were responsible for them); moreover, the company did not keep its promises about deleting the personal information of even those users who had paid separately to have all data about themselves removed.
Protective measures
To prevent unauthorized access to your web application, you need to follow a few simple steps. First, a properly configured web server with all the latest updates installed. Second, protection built on a WAF / IDS / IPS. And the third, no less important, measure is staff awareness of modern threats and attack methods. But, as practice shows, even modern means of protection can be circumvented.
In the PENTESTIT Corporate Laboratories, we cover the main attack vectors against web applications, their nature, exploitation methods and countermeasures. In order to understand how to protect your web applications (not at the level of writing secure code, although that is important), it is necessary to understand how they can be attacked. Even a well-written application can be compromised: a combination of minor vectors can help an attacker build an effective attack scenario.
In the first stage, interns receive up-to-date information about the nature of SQL injection, the basics of XSS, and an overview of modern, effective tools for exploiting web vulnerabilities. Even this set of knowledge provides the skills needed to test your own web applications for exploitable vulnerabilities. To consolidate the theoretical material, interns perform practical tasks in a specialized penetration testing laboratory.
Going through this phase allows interns to move on to more serious web application topics:
an advanced SQL injection workshop, including exploitation in DBMSs such as MySQL, MSSQL and PostgreSQL, and a demonstration of the most relevant XSS variants within a large workshop on XSS attacks: active, passive and DOM-based.
Only a combination of protective tools and measures, awareness on the part of responsible personnel, and an understanding of modern threats allows a business to protect its assets: uninterrupted web applications and reliable information protection.
Practical training in pentest laboratories. Part 1
Practical training in pentest laboratories. Part 3
Practical training in pentest laboratories. Part 4
Practical training in pentest laboratories. Part 5