Pentestit Corporate Laboratories are practical information security training courses, unique in format and content, developed on the basis of the best penetration testing and security analysis practices and comparable in content to hacker conferences. Specialists trained in Corporate Laboratories gain invaluable practical experience with modern methods and tools for penetrating systems, study the psychology of intruders, investigate cybercrime and, based on this, learn to develop the most effective defense mechanisms. In this article we describe what makes our training program unique and what specialists who complete the “Corporate Laboratories” course receive.
The “Corporate Laboratories” program is developed taking into account the materials and practices used both by hackers and by employees of the information security departments of various companies. Listening to the wishes of the specialists attending our training, we regularly update the course content to ensure comfortable, high-quality learning. For these purposes we have developed our own platforms: a convenient personal account, a functional service for viewing webinars, and unique pentest laboratories built on the basis of the corporate networks of real companies.
Practical example
As an example, consider one of the Corporate Laboratories tasks on exploiting a web vulnerability: a time-based SQL injection. Time-based injection is a type of SQL injection that relies on sending the database a query that makes it wait for a certain period of time before responding.
Depending on the result, the response to the HTTP request is returned either with a delay or immediately. The response time tells the attacker whether the result of the query is TRUE or FALSE. This attack is usually slow, since the attacker has to enumerate the database contents through many such time delays.
The following functions can be used to force the server to “pause”:
SLEEP(time) is a function available in MySQL databases. The parameter is the number of seconds the server waits before responding;
BENCHMARK(count, expr) is a function that is also available only in MySQL. It evaluates the expression expr the number of times given in the count argument. Specifying a very large value in the first parameter produces a time delay on the server;
WAITFOR DELAY 'hh:mm:ss' is the time delay statement for MS SQL Server;
pg_sleep(time) is the function for PostgreSQL. It waits for time seconds.
One of the lab tasks presents an example of this vulnerability, and the vulnerable parameter is not specified explicitly. Using Burp Suite, it can be found that upon successful authorization a redirect occurs in which the vulnerable parameter is present. Testing it with the Intruder tool (part of Burp Suite) shows that it is vulnerable to time-based SQL injection. As we can see, the usual response from the server arrives in about 200 ms:
In the following image, you can see that the server waits 10 seconds and then sends the response:
Now, knowing that this parameter is vulnerable, the sqlmap utility can be used, specifying the vulnerable parameter and the scanning technique.
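The same response-time reasoning works from the defender's side. As an added example (not part of the Pentestit course material), the following Python script scans constructed nginx-style access-log lines for the delay primitives named above and compares each request's duration against the ~200 ms baseline seen in the lab; the log format, the baseline and the 10x threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Delay primitives the article lists, written as call syntax so that an
# ordinary word such as "sleep" in user input does not trigger a match.
DELAY_RE = re.compile(
    r"\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bWAITFOR\s+DELAY\b|\bPG_SLEEP\s*\(",
    re.IGNORECASE,
)

# Assumed nginx-style log with $request_time (seconds) as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>\d+(?:\.\d+)?)$'
)

# Constructed sample: two ~200 ms baselines, a delayed payload, a fast error, a benign word.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Apr/2017:10:00:01 +0300] "GET /profile?id=42 HTTP/1.1" 200 1532 0.198
10.0.0.5 - - [15/Apr/2017:10:00:02 +0300] "GET /profile?id=42 HTTP/1.1" 200 1532 0.205
10.0.0.7 - - [15/Apr/2017:10:00:09 +0300] "GET /profile?id=42%27%20AND%20SLEEP(10)--%20- HTTP/1.1" 200 1532 10.211
10.0.0.7 - - [15/Apr/2017:10:00:20 +0300] "GET /profile?id=42%27%3BWAITFOR%20DELAY%20%2700%3A00%3A10%27-- HTTP/1.1" 500 310 0.190
10.0.0.9 - - [15/Apr/2017:10:00:31 +0300] "GET /report?q=sleep%20schedule HTTP/1.1" 200 890 0.210
"""

def classify(line, baseline=0.2, factor=10):
    """Return (severity, reason) for one log line, or None if unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(urlsplit(m["target"]).query)  # payloads arrive URL-encoded
    rt = float(m["rt"])
    has_delay = bool(DELAY_RE.search(decoded))
    slow = rt >= baseline * factor  # well above the measured ~200 ms baseline
    if has_delay and slow:
        return ("high", f"delay primitive and {rt:.1f}s response vs ~{baseline}s baseline")
    if has_delay:
        return ("medium", "delay primitive in query string, no measurable delay")
    if slow:
        return ("low", f"{rt:.1f}s response without a known delay primitive")
    return None

def scan(log_text, **kwargs):
    """Return [(client_ip, severity, reason)] for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line, **kwargs)
        if result:
            findings.append((LOG_RE.match(line)["ip"],) + result)
    return findings
```

Running scan(SAMPLE_LOG) flags the SLEEP(10) request as high and the WAITFOR DELAY attempt, which returned a fast 500, as medium; the baseline should be measured per endpoint, since a slow report page with no primitive would otherwise appear as a low-severity finding.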
Video recording of the Pentestit Corporate Laboratories webinar
For everyone interested, we have prepared a webinar recording that reviews the course program, the learning process, the specialized sites, and the theoretical and practical training.
Pentestit Corporate Laboratories is a unique information security training program in Russia and the CIS. The next course starts on April 15, 2017.