
Design And Implementation Of A Training Platform For Penetration Testing

Posted on: 2013-08-01
Degree: Master
Type: Thesis
Country: China
Candidate: B Cao
GTID: 2248330371467122
Subject: Information security

Abstract/Summary:
In the age of the Internet, new technologies emerge one after another. At the same time, network threats keep growing: Trojans and viruses proliferate, and hacker attacks are conducted frequently. Ordinary protective measures do not seem sufficient to resist even ordinary hackers, so how can network and information security be protected? The answer is to carry out penetration testing. A penetration test simulates the act of hacking: before real hackers do so, testers use hacking techniques and methods to find vulnerabilities that may exist in a system and then fix them, thereby eliminating the risks and protecting network security.

However, penetration testing has problems in both theory and practice. In theory, the processes of penetration testing are too broad and lack a specific guide to action; in addition, the methods of penetration testing are too dispersed to form a unified whole. In practice, the skill level of penetration testers is uneven, and testers lack specific ways to learn.

Chapter two of this paper studies penetration testing from a theoretical point of view. Treating the objects of penetration testing as a whole, it examines web application security and divides the web application structure into five layers: the operating system layer, the database layer, the middleware layer, the web scripts layer and the system outer layer. Based on this five-layer structure of web application security, the paper further proposes a roadmap to provide guidance for penetration testing. Technically, the five layers are discussed one by one, with specific examples given to illustrate penetration testing at each layer.

Penetration testing needs practice. This paper designs and implements a training platform for penetration testing. The platform is composed of three parts: the control side, the attacker side and the cyber range side. It is designed so that an attacker, directed by the control side, practices penetration testing in the cyber range. The cyber range side is filled with vulnerabilities. The control side implements a web site whose purpose is to provide penetration testing missions for testers; when testers run into problems carrying out the missions, the control side also provides technical help to guide them to complete the missions. In this way testers can learn and make progress by practicing on the training platform.

In this paper, the functionality of the penetration testing platform is verified and found to be consistent with expectations. The chain SQL injection → get the administrator password → get a webshell → privilege elevation is then taken as a full example to illustrate practice on the penetration testing platform.
Keywords/Search Tags:Penetration Testing, Network Attack and Defense, WEB Application Security, Attack Practice