Lab penetration testing "Test lab v.8": welcome to hell

Today, on Friday, the 13th, at 22 o'clock Moscow time, the launch of the new laboratory “Test lab”, which is a virtual bank with its inherent infrastructure and vulnerabilities, will take place. Participants are invited to make a compromise of the entire IT structure of the bank.

"Test lab" - pentest laboratories, built on the basis of networks of real companies

Unlike the CTF competition, the penetration testing laboratories “Test lab” imitate the IT structure of real companies and have a full-fledged legend. Created for legal verification and consolidation of pentest skills, laboratories are always unique and contain the most current vulnerabilities, and participation in laboratories is free and requires good practical training.
')
Developing Test Labs, we try to cover practically all areas of information security: network, system, and application security. Participants are encouraged to exploit various vulnerabilities associated with the operation of network and web components, cryptographic mechanisms, configuration and code errors, as well as human error. Connect to the lab via a VPN connection.

Participants acting as pensters try to exploit vulnerabilities, and, if successful, gain access to servers and workstations, each of which contains a token. The winner is the participant who first collected all the tokens. The work in the laboratory is carried out on the basis of the “gray box” methodology: before the start of the research, information on the “Test lab” infrastructure is provided in the form of a diagram and a description of the activity of the virtual company. Gathering specialists from all over the world, we develop Test Lab laboratories for various events, such as the All-Russian ProfIT 2013 competition, ZeroNights'13, PHD IV.

Laboratory penetration testing "Test lab v.8"

The previous laboratory (Test lab v.7) was a virtual company specializing in the development of information security systems.

Today will be launched the next, the eighth laboratory PENTESTIT, the development of which was carried out for almost six months. “Test lab v.8” will be a virtual bank with its inherent infrastructure and vulnerabilities. In addition, a distinctive feature of the current laboratory will be an actively used system to counter attacks, so participants will need to be as “unnoticeable” as possible. This will add atmospheric!

Why precisely bank?

The legends of the laboratory are the network of a banking organization, and this choice is not accidental. Recently, cybercriminals have shifted attention from bank customers to the compromise of the banking systems themselves: it is more profitable and easier for criminal groups to steal money from a bank account rather than try to attack individual customers. Also, attacks on banking systems directly can allow attackers to conduct fraudulent transactions and implement criminal schemes for the legalization of criminal proceeds.

According to the data of the Deputy Head of the Main Directorate for Security and Information Protection of the Central Bank of the Russian Federation Artem Sychev, in 2014 there were 11 thousand complaints from banks and their clients affected by the actions of fraudsters.

"If, indeed, before the attack vector (cybercriminals) was directed at the client, and the banks, ensuring the security of their perimeter, could be sure that they are doing well, now the vector of attacks has changed dramatically."

"The amount of attempts to steal bank money (in these incidents) amounted to 6 billion rubles"

Indeed, such attacks are quite relevant: breaking through the network perimeter, an attacker can take control of one of the internal systems of the bank and gain access to the local network. Then, using the techniques of advancing inside the local network and elevating privileges, an attacker can gain access to critical data and disable the attacked system.

As can be seen from the news feeds, such attacks quite often reach their goal:

• Last fall, an event occurred that went unnoticed by the general public, but completely overturns the reality in the world of information security of financial organizations. A group of cybercriminals carefully prepared and successfully carried out a full-scale attack on a Russian bank and removed all the money from its corros account.
• According to the hacker, the hacking occurred at the end of January for a very trivial reason - due to the presence of a vulnerability that was not patched in time. The JavaScript code that Razor4 implemented on the bank page redirected customer transactions to the hacker system. Then the attacker replaced the destination accounts with his own accounts and thus received money transfers. After registering a domain with a name that differs from the name of the bank in one letter, he linked it to monitored servers.
• It is assumed that the Israelis Gary Shalon and Ziv Orenstein, as well as American Joshua Samuel Aaron made several attacks on the systems of one of the largest US banks - JPMorgan Chase. As a result, they got access to data of about 80 million users. news.am/rus/news/295627.html

Laboratories “Test lab” allow information security specialists to test their skills in penetration testing of information systems and to prepare for repelling cyber threats to their systems. The concept of pledged topical vulnerabilities contributes to the awareness of weaknesses and the improvement of protective equipment, as well as an adequate assessment of pentest's own skills legally, without violating the law, in an environment as close as possible to real banking systems.

We invite you to take part in the laboratory "Test lab v.8", which will be launched today at 22 o'clock Moscow time. Join now!

Technical information:
Lab IP addresses: 192.168.101.6, 192.168.101.7
Discussion: Forum , Telegram-chat and Telegram-channel
Registration: lab.pentestit.ru
Connecting to the laboratory via OpenVPN , no more than one running instance. If you are using a Windows client, you must use OpenVPN for “Windows XP”.

See you in the new laboratory and let the strongest win!