Knowledge control using computer testing. Services for checking penetration testing skills. Test server

I published an overview of the PentestBox distribution with links to and descriptions of the utilities included in it. I hope you have had enough time to get acquainted with them and explore their functionality. Today I offer you several services for testing your skills in practice. These are specialized, entirely legal services that allow everyone to check their knowledge and skills.

A free pentest laboratory built on the basis of the corporate network of a real company.
Plot: this time you, professional hackers, must take on the real network of the virtual company SECURESOFT LLC, which develops software. The situation is complicated by the high information security awareness of the company's employees. According to our agents' report on the state of the company's information security, the SECURESOFT LLC IT infrastructure is quite well protected against attacks. However, there is an assumption that vulnerable spots are still present. Your goal is to be the first to find the Achilles heel and gain access to SECURESOFT LLC systems. Contains web application vulnerabilities, network vulnerabilities and mixed types. Online service.

A free, safe and legal playground for hackers to check and expand their hacking skills. More than just another wargames site: a variety of diverse projects, a huge forum, an IRC channel. Missions are broken down by type: basic, realistic, application attacks, forensics, etc. Online service.

A free project created and maintained by eLearnSecurity. You can develop and add your own tasks. The tasks are divided by specific vulnerability, mainly for beginners. Online service.

An online platform for studying network security and improving ethical hacking skills. Contains CTF-style tasks: forensics, cryptography, reverse engineering. You need to download a virtual machine image and use it to connect to the laboratory via VPN. Solutions appear to be checked manually.

The service is created for those who want to understand how secure code is structured and how hackers can attack your systems. Contains web application vulnerabilities of different levels, cryptographic and logic tasks, and reverse engineering tasks. Online service.

A specialized open source application. Contains about 100 vulnerabilities classified according to the OWASP methodology. One of the best collections, a must-have. Shipped inside a dedicated virtual machine, bee-box.

According to its developers, this is a damn vulnerable web application. It helps security specialists test their skills in a legal environment, and helps web developers better understand how to protect their applications. The application is distributed as a PHP/MySQL instance for self-deployment.

A free open source platform for web application security testing. Tested with the most popular tools: sqlmap, Burp Suite, etc. Along with bWAPP, one of the most famous platforms. The application is distributed as a PHP/MySQL instance for self-deployment.

A platform for practising SQL injection skills. 65 tasks, from simple to complex (WAF, mysql_real_escape_string). The application is distributed as a PHP/MySQL instance for self-deployment.

The authors associate the project's name with fainting goat syndrome: in a stressful situation the goat goes into complete stupor and falls on its back or side with its legs stretched out. This is a breed of goats with a peculiar hereditary condition. Likewise, vulnerable code can put an application into a fainting state. The main emphasis is on the educational side of the question rather than on creating a vulnerable platform for experiments. WebGoat is a cross-platform tool; you can run it on any OS on which Apache Tomcat and the Java SDK work.

A test with different difficulty levels to assess your knowledge of vulnerable code. You are shown a piece of source code in which, within a set time, you must identify and select the vulnerability. Online service for beginners.

A project for testing your knowledge of iOS application security. It was presented at PHD V as a hands-on laboratory. It lets you practise on various types of iOS application vulnerabilities: Insecure Data Storage, Runtime Manipulation, Security Decisions Via Untrusted Input, etc. Distributed as an IPA or DEB; the vulnerabilities are verified up to iOS 8.1.

An open source project demonstrating Android platform vulnerabilities: File System Access Permissions, Insecure Storage of Files, Parameter Manipulation of Mobile Traffic, etc. Requires an emulator, a base and a lab server.

These distributions will help you expand your ethical hacking skills, understand the nature of vulnerabilities and study the toolkit better. Happy hacking!

This section is dedicated to server hardware, as well as software and hardware support for storage systems and data backups. I suppose the question that will come up most often in this section is: "Which of A, B, C or D is better?". In the following series of articles I offer for discussion a methodology for testing server performance for databases.

What is a database server? It is a high-performance machine that never has quite enough (to exaggerate slightly):

  • Processors
  • Memory
  • Disk space

That is, a database server (bearing in mind that this machine does not serve a couple of dozen people) is a multiprocessor (2, 4, 8 processors) machine serving several hundred people and storing a rather large amount of information in its database. Therefore the disk subsystem is also a critical point. In addition, it must be reliable and often has to allow hot replacement of failed hard drives. That is why such servers usually use RAID level 5 disk arrays and hard drives on a SCSI bus. You can never have too much RAM either (it is used by the operating system as well as by the database itself). Error-correcting memory is used, and its volume starts from one and a half gigabytes and up.

In general, you have already understood that this is not a home machine with a P4 3 GHz, a 160 GB SATA HDD, 512 MB of DDR memory and a GeForce FX 5900. By the way, a server has no need for the video card mentioned above at all.

While the question of how to test the performance of the disk subsystem is still open, we can start the discussion of the methodology for testing the data processing rate (more precisely, the number of transactions per second).

What is a transaction? It is an indivisible sequence of operations that is either carried out completely or cancelled entirely. In other words, the idea of a transaction is completeness. Consider a simple example: transferring money from one client's account to another. This action breaks down into a certain sequence of operations:

  1) Reduce the amount of money on the first client's account.
  2) Record the result.
  3) Increase the amount of money on the second client's account.
  4) Record the result.

Obviously, if a failure occurs at some stage, the first client may lose money and the second may not receive it. In other words, the money dissolves into cyberspace. It gets even more interesting if we swap steps 3 and 4 with steps 1 and 2: in case of a failure, the second client can receive money from nowhere. That is why transactions are so important. In the modern world you can find many examples where they are used.
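The four-step transfer above, run first step by step (each "record the result" is a commit of its own) and then as one atomic transaction, with a simulated failure injected after a chosen step. This is an added Python example on a constructed in-memory SQLite ledger, not code from the original article.

```python
import sqlite3

DEBIT = "UPDATE account SET balance = balance - ? WHERE client = ?"
CREDIT = "UPDATE account SET balance = balance + ? WHERE client = ?"


def make_bank():
    """Constructed sample ledger: two clients with 100 units each, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (client TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("first", 100), ("second", 100)])
    conn.commit()
    return conn


def transfer_stepwise(conn, src, dst, amount, crash_after=None, credit_first=False):
    """Steps 1-4 from the text, each 'record the result' being a commit of its own.

    crash_after=N simulates the process dying right after step N (1..4);
    credit_first=True swaps steps 3-4 with steps 1-2 as the text describes.
    """
    steps = [(CREDIT, dst), (DEBIT, src)] if credit_first else [(DEBIT, src), (CREDIT, dst)]
    step = 0
    for sql, client in steps:
        conn.execute(sql, (amount, client))      # step 1 / step 3: change a balance
        step += 1
        if crash_after == step:
            raise RuntimeError(f"failure after step {step}")
        conn.commit()                             # step 2 / step 4: record the result
        step += 1
        if crash_after == step:
            raise RuntimeError(f"failure after step {step}")


def transfer_atomic(conn, src, dst, amount, crash_after=None):
    """Both balance changes inside one transaction: either both are recorded or neither."""
    try:
        conn.execute(DEBIT, (amount, src))
        conn.execute(CREDIT, (amount, dst))
        if crash_after is not None:               # any failure before the single commit
            raise RuntimeError(f"failure after step {crash_after}")
        conn.commit()
    except Exception:
        conn.rollback()                           # undo the uncommitted half of the transfer
        raise


def balances_after(transfer, crash_after=None, **kw):
    """Run a transfer of 30 from 'first' to 'second' and return what survives the crash."""
    conn = make_bank()
    try:
        transfer(conn, "first", "second", 30, crash_after=crash_after, **kw)
    except RuntimeError:
        conn.rollback()   # a crashed process never commits: the DB discards its uncommitted work
    return dict(conn.execute("SELECT client, balance FROM account ORDER BY client"))


if __name__ == "__main__":
    print("stepwise, no failure:       ", balances_after(transfer_stepwise))
    print("stepwise, crash after step 2", balances_after(transfer_stepwise, 2))  # 30 units vanish
    print("credit first, crash after 2 ", balances_after(transfer_stepwise, 2, credit_first=True))
    print("atomic, crash before commit ", balances_after(transfer_atomic, 3))
```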

A test suite from OSDL was selected for performance testing. All tests are open source and use a database distributed under the GPL/LGPL license. The suite is developed for the Linux platform and includes three tests.

OSDL Database Test 1 (OSDL-DBT-1) is an internet transaction performance test. It imitates the activity of users browsing and buying goods in an online bookstore. OSDL-DBT-1 is an implementation of the test specification. The test results include the number of transactions per second, CPU load, I/O activity and memory use. The key figure is the BT indicator: the number of BogoTransactions (synthetic transactions) per second.

OSDL Database Test 2 (OSDL-DBT-2) is an on-line transaction processing (OLTP) performance test. It imitates the work of a wholesale company selling spare parts, in which several users work with the database, update customer information and check the availability of goods in stock. OSDL-DBT-2 is an implementation of the test specification. The test results include the number of transactions per second, CPU load, I/O activity and memory use.

OSDL Database Test 3 (OSDL-DBT-3) is a test of decision support systems. It includes ad hoc queries and concurrent data modification. OSDL-DBT-3 is an implementation of the test specification.

This article will focus in detail on the OSDL-DBT-1 test.

The OSDL Database Test 1 (OSDL-DBT-1) project aims to develop an easy-to-use transaction processing test for Linux and open source software, with the possibility of conveniently sharing results with other developers. This test is a simplified derivative of the TPC-W™ specification from the TPC. TPC-W is used here as a template, since it is believed to simulate a load sufficient for performance optimization.

TPC-W imitates the activity of users browsing web pages and making purchases in an online bookstore. OSDL-DBT-1 uses the TPC-W load characteristics to create a simplified tool for finding system bottlenecks and measuring the relative performance improvements made by developers.

It must be remembered that OSDL-DBT-1 results cannot be compared with TPC-W results. TPC requires all published results to meet strict publication and audit rules that guarantee a fair comparison with competing tests. TPC rules also require the cost and availability of the products used for testing to be specified. Following these rules in open-source development is impractical, so OSDL-DBT-1 results bear no relation to TPC-W Benchmark results.

What is TPC-W?

TPC-W defines the commercial activity of an online bookstore. A typical TPC-W setup includes remote browser emulators (RBE), web servers and a database. A detailed description of the TPC-W test is on.

The workload is created by the RBEs, which emulate the activity of users opening many interactive sessions in their browsers to browse and order products in the store. 14 web pages are emulated:

  • Home;
  • Shopping Cart;
  • Customer Registration;
  • Buy Request;
  • Buy Confirm;
  • Order Inquiry;
  • Order Display;
  • Search Request;
  • Search Results;
  • New Products;
  • Best Sellers;
  • Product Detail;
  • Admin Request;
  • Admin Confirm.

One web page represents one interaction. Each interaction may include one or more exchanges between the system under test and an emulated browser. Exchanges may include requests and the transmission of cookies, HTML pages, images, etc. Emulated browsers follow defined transition rules between pages that imitate the behaviour of a real user and ensure that access to the 14 pages meets the requirements of the TPC-W "Web Interaction Mix", which defines the percentage range for each transaction.

On receiving a request from an RBE, the web servers fetch the web pages, update them dynamically and send them back. Commercial website servers are usually divided by role. For example, an image server serves the ".gif" and ".jpg" files, the HTTP server and application server execute business logic and work with the database, and a caching server serves cached objects. To simulate site search, the TPC-W specification provides for a commercially available text search subsystem that creates and manages static indexes outside the database. TPC-W also requires a payment gateway emulator that imitates credit card processing.

The database consists of many tables of various sizes with complex relationships. Database transactions must support the ACID properties: atomicity, consistency, isolation and durability. A more detailed description is contained in the corresponding sections of the TPC-W specification.

Figure 1 shows a typical architecture TPC-W.

What is OSDL-DBT-1?

OSDL-DBT-1 is a set of transaction-based tests. It loads the database in accordance with the TPC-W specification. The test includes a database, a transaction management server and a driver.

Figure 2 shows the OSDL-DBT-1 components.

The OSDL-DBT-1 driver performs tasks similar to those of the RBE in TPC-W. It creates and manages emulated users who follow logic similar to the browser logic in the TPC-W test, but instead of HTTP requests they create data structures.

Unlike the TPC-W™ test, which uses web servers for network objects, the OSDL-DBT-1 test works with a transaction management server, which simplifies testing and completely eliminates the web server tier.

Sitting in the middle tier, the transaction management server connects the driver to the database and controls transactions. Interaction with the database takes place through ODBC.

The databases in the OSDL-DBT-1 and TPC-W tests are essentially the same tables with the same definitions, and follow the same population rules. The stored procedures execute the same business logic. Some of the OSDL-DBT-1 stored procedures return less data than is defined for TPC-W.

OSDL-DBT-1 architecture

The OSDL-DBT-1 test consists of three components: the driver, the transaction management server and the database. The first two components are written in C and use the ODBC interface. A third-party product, SAP DB (version 7.3), was used as the database. The test was developed under Red Hat Linux 7.2, but can be used on any standard Linux distribution.

The driver loads the database directly. It is a multithreaded program in which each thread performs the actions of one user. The driver is compiled into two separate binaries. The first (dbdriver_p1) is linked with the ODBC interface and interacts with the database directly, bypassing the transaction manager. This driver can be used for simple functional testing of the stored procedures. The second binary (dbdriver_p2) is linked with the socket interface and interacts with the transaction management server. This driver plays the main role in performance testing.

The transaction management server is the middle tier. It receives transaction requests from the driver, delivers the requests to the database and returns the results to the driver. The transaction management server is configured to open a specific number of connections to the database in order to serve a large number of individual emulated users. This gives a more realistic system load.

Figure 3 shows the transaction management server and its connection with the driver and database:

When the transaction management server starts, a specific number of DoTxn threads is created, each of which opens a connection to the database and waits for items to appear in the transaction queue.

A single thread listens on the selected port for incoming connections. When an emulated user attempts to connect, the listening thread creates a DoConnection thread to process the request.

DoConnection receives a request from an emulated user, adds it to the transaction queue, notifies DoTxn that the queue is not empty and waits for the transaction to complete.

DoTxn takes a request from the transaction queue, calls the database and notifies DoConnection that the transaction has been performed. After that, DoConnection returns the results to the emulated user.
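The DoTxn/DoConnection model described above, as an added Python simulation (not the OSDL-DBT-1 C code): a fixed pool of DoTxn worker threads, one per database connection, drains a bounded transaction queue, while one DoConnection call per emulated user request enqueues the request and blocks until its result arrives. The database is a constructed stub that only records which connection served which request.

```python
import queue
import threading
import time


class TransactionRequest:
    """One item in the transaction queue: the request plus a completion signal."""

    def __init__(self, user_id, interaction):
        self.user_id = user_id
        self.interaction = interaction
        self.result = None
        self.done = threading.Event()


def stub_database(conn_id, interaction):
    """Constructed stand-in for the ODBC call: pretend the stored procedure takes ~1 ms."""
    time.sleep(0.001)
    return f"{interaction} via db connection {conn_id}"


class TransactionManager:
    """Middle tier: 'dbconnection' DoTxn threads share one bounded transaction queue."""

    def __init__(self, dbconnection=4, transaction_queue_size=400, database=stub_database):
        self.txn_queue = queue.Queue(maxsize=transaction_queue_size)
        self.database = database
        self.served_by = {}   # request -> conn_id, to inspect how work was distributed
        self.lock = threading.Lock()
        self.workers = [threading.Thread(target=self.do_txn, args=(i,), daemon=True)
                        for i in range(dbconnection)]
        for w in self.workers:
            w.start()

    def do_txn(self, conn_id):
        """DoTxn: hold one DB connection, take requests from the queue, signal completion."""
        while True:
            req = self.txn_queue.get()
            if req is None:           # shutdown sentinel
                break
            req.result = self.database(conn_id, req.interaction)
            with self.lock:
                self.served_by[req] = conn_id
            req.done.set()            # wake the DoConnection side waiting on this request

    def do_connection(self, req, timeout=5.0):
        """DoConnection: enqueue the user's request and wait until DoTxn has finished it."""
        self.txn_queue.put(req)       # blocks if the queue already holds transaction_queue_size items
        if not req.done.wait(timeout):
            raise TimeoutError(f"user {req.user_id}: no result within {timeout}s")
        return req.result

    def shutdown(self):
        for _ in self.workers:
            self.txn_queue.put(None)
        for w in self.workers:
            w.join()


def run_emulated_users(users=20, interactions=("Home", "Search Request", "Shopping Cart"),
                       dbconnection=4):
    """Each emulated user (one thread) runs its interactions in order through DoConnection."""
    manager = TransactionManager(dbconnection=dbconnection)
    results = {}
    lock = threading.Lock()

    def user(uid):
        out = [manager.do_connection(TransactionRequest(uid, name)) for name in interactions]
        with lock:
            results[uid] = out

    threads = [threading.Thread(target=user, args=(uid,)) for uid in range(users)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    manager.shutdown()
    connections_used = sorted(set(manager.served_by.values()))
    return results, connections_used


if __name__ == "__main__":
    res, conns = run_emulated_users()
    print(len(res), "users served through DB connections", conns)
```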

Database

The database consists of tables, indexes and stored procedures. The tables contain information about the goods of the online bookstore. The stored procedures perform the queries. Indexes are created to speed up query execution. Using the database, emulated users can request best sellers, new books, books by specific authors, etc.

OSDL-DBT-1 test methodology

A server kindly provided by ISM Computers with the following characteristics was used as the test bench:

  • Dual Pentium 4 Xeon 2.4 GHz with HT technology;
  • 2 GB DDR266 ECC RAM;
  • Motherboard - ASUS PP-DLW on Intel E7505 chipset;
  • Dual Ultra160 SCSI RAID controller Intel SRC32U with 128 MB of ECC SDRAM cache;
  • 74 GB total disk space: 3 × Cheetah 15K.3 (ST336753LC, Ultra320 SCSI interface, 37 GB each) in RAID 5;
  • Network controller - Intel 82540 Gigabit Ethernet (integrated);
  • ATI Radeon 9800Pro;
  • TDK 440N DVD-R / RW for backups;
  • ASUS 52 × CD-ROM

Generally speaking, such a computer is positioned as a powerful graphics workstation, but we use it as a server test bench to work out the methodology. At the end of this series of articles, this computer will be examined in more detail using the developed server testing methodology.

Disk space is divided into four partitions:

  • Linux swap, 5 GB;
  • two Linux partitions of 10 GB each;
  • root partition in ext3 format: all remaining space.

Red Hat Linux 7.3 is installed on the server (with version 9.0, the SAP DB version recommended by the OSDL test developers does not work correctly).

Kernel 2.4.21 was built (full kernel config) with the following options enabled under Processor Type and Features:

  • (Pentium-4) Processor Family
  • (4GB) High Memory Support
  • [*] Highmem I/O Support
  • [*] MTRR (Memory Type Range Register) Support
  • [*] Symmetric Multi-Processing Support

SAP DB version 7.3.0.25 is installed from RPM packages, with all of its settings left at their defaults. The database is generated with the following parameters:

  • the number of emulated users (EUs, Number of Emulated Users): 500;
  • the number of items in the database (Number of Items): 10,000 (default value).

With the above parameters, the total database size is about 2.4 gigabytes.

The following SAP DB kernel parameters are set:

  • DATA_CACHE 235930

    The maximum size of the shared memory, in 8 KB pages, used for queries to this database and by the SAP DB kernel. As much memory as possible should be allocated, but not more than the RAM available on the machine under test. Here a value of about 90 percent of RAM is used.

  • MAXUSERTASKS 50

    The number of simultaneous connections to the database. The default value.

  • MAXCPU 4

    The maximum number of processors the database kernel may use when processing queries.

To speed up access, two raw devices are created:
/usr/bin/raw /dev/raw/rawX /dev/sdaX
The devices are used to store the logs and the data of the current database.

Command line of the script that generates the database:
./build_db.sh -g -i 10000 -U 1000 -P /home/sapdb/dbt1/tmp/

After the source data has been created, the dbt1.config configuration file used by the test script is edited. It sets all parts of the test to run on one (test) computer, and the following parameters are specified:

  • dbconnection = 100
    the number of connections opened to the database by the AppServer and AppCache programs;
  • transaction_queue_size = 400 (default)
    the maximum number of transactions in the AppServer queue;
  • transaction_array_size = 400 (default)
    the maximum number of transactions in the queue per client;
  • items = 10000
    the number of items in the database;
  • eu = 400
    the number of emulated users;
  • eu/min = 50 (default)
    the number of users appearing per minute;
  • mean think_time = 7.2 (default)
    the waiting time between user actions (in seconds);
  • run_duration = 4100 (default)
    test execution time (in seconds).

After that, the test is started (it runs for approximately an hour). Script command line:
./run_dbt1.sh /home/sapdb/dbt1/tmp/res

After the end of a test and before the start of the next one, the database is restored from backup and the server is rebooted for the purity of the experiment.

Results

The results of OSDL-DBT-1 are presented as a large number of text files. The main indicator is the number of BT (BogoTransactions per second).

Interaction               %     avg. response time (s)
Admin Confirm           0.09    0.274
Admin Request           0.10    0.259
Best Sellers            4.95    1.103
Buy Confirm             1.18    0.565
Buy Request             2.55    0.586
Customer Registration   2.94    0.000
Home                   16.69    0.505
New Products            4.98    1.125
Order Display           0.65    0.554
Order Inquiry           0.74    0.470
Product Detail         16.92    0.467
Search Request         19.88    0.478
Search Results         16.92    0.684
Shopping Cart          11.41    0.510

59.3 BogoTransactions per second
68.5 minute duration
Total BogoTransactions: 243754
Total errors: 0

The second important indicator is CPU load during test execution. CPU statistics (sar):

Linux s1 2.4.21-2421-ism2 #4 SMP Mon Jul 14 20:08:52 MSD 2003 i686 unknown
Linux 2.4.21-2421-ism2 (s1)   07/16/03

17:34:35   CPU   %user   %nice   %system   %iowait   %idle
[...]
Average:   all   50.46    0.00      6.38      0.00   43.16
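An added Python parser (not part of OSDL-DBT-1) for the result summary above: it reads the interaction mix and the totals into structures and cross-checks them the way a reviewer would, recomputing the BT figure from total BogoTransactions and duration, checking that the mix sums to 100%, flagging reported errors and computing the mix-weighted mean response time. The sample text is the page's own results, retyped here as constructed input.

```python
import re

# The page's result summary, retyped as constructed sample input.
SAMPLE_RESULTS = """\
Interaction            %      avg. response time (s)
Admin Confirm          0.09   0.274
Admin Request          0.10   0.259
Best Sellers           4.95   1.103
Buy Confirm            1.18   0.565
Buy Request            2.55   0.586
Customer Registration  2.94   0.000
Home                  16.69   0.505
New Products           4.98   1.125
Order Display          0.65   0.554
Order Inquiry          0.74   0.470
Product Detail        16.92   0.467
Search Request        19.88   0.478
Search Results        16.92   0.684
Shopping Cart         11.41   0.510

59.3 BogoTransactions per second
68.5 minute duration
Total BogoTransactions 243754
Total errors 0
"""

# "<name>  <percent>  <response time>" rows of the interaction mix
MIX_ROW = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s+(\d+\.\d+)\s+(\d+\.\d+)\s*$")
SUMMARY = {
    "bt": re.compile(r"^([\d.]+)\s+BogoTransactions per second", re.I),
    "minutes": re.compile(r"^([\d.]+)\s+minute duration", re.I),
    "total": re.compile(r"^Total BogoTransactions\s+(\d+)", re.I),
    "errors": re.compile(r"^Total errors\s+(\d+)", re.I),
}


def parse_results(text):
    """Return {'mix': [(interaction, percent, response_s), ...], 'bt', 'minutes', 'total', 'errors'}."""
    out = {"mix": []}
    for line in text.splitlines():
        line = line.strip()
        for key, rx in SUMMARY.items():
            m = rx.match(line)
            if m:
                out[key] = float(m.group(1)) if key in ("bt", "minutes") else int(m.group(1))
                break
        else:                                  # not a summary line: try the mix table
            m = MIX_ROW.match(line)
            if m:
                out["mix"].append((m.group(1).strip(), float(m.group(2)), float(m.group(3))))
    missing = [k for k in SUMMARY if k not in out]
    if missing:
        raise ValueError(f"summary lines missing: {missing}")
    return out


def check_results(r, bt_tolerance=0.05):
    """Cross-check a parsed result set; return the derived figures plus a list of problems."""
    problems = []
    mix_total = sum(p for _, p, _ in r["mix"])
    if abs(mix_total - 100.0) > 0.05:
        problems.append(f"interaction mix sums to {mix_total:.2f}%, not 100%")
    computed_bt = r["total"] / (r["minutes"] * 60)       # BT = total / duration in seconds
    if abs(computed_bt - r["bt"]) > bt_tolerance:
        problems.append(f"reported BT {r['bt']} but total/duration gives {computed_bt:.2f}")
    if r["errors"]:
        problems.append(f"{r['errors']} errors reported")
    weighted_rt = sum(p / 100 * rt for _, p, rt in r["mix"])   # mix-weighted mean response time
    return {"mix_total_percent": round(mix_total, 2), "computed_bt": round(computed_bt, 2),
            "weighted_response_s": round(weighted_rt, 3), "problems": problems}


if __name__ == "__main__":
    print(check_results(parse_results(SAMPLE_RESULTS)))
```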

It is clearly seen that in this case the processors were only half loaded. To load them fully, you can increase the number of EU (emulated users) as well as the size of the database itself (items). As the number of users grows we run into a limitation of glibc and the pthread library, which does not allow more than about 900 EU to be emulated from one machine. In that case, several dbdriver and appserver programs will have to be run on different machines.

In addition to the above, there is also a large number of statistical reports:

  • individual processors (these are the results of the test without HT);

Special thanks to Cormac for help with translating the specifications.

The developed testing technology is an effective means of monitoring knowledge at any stage of the educational process. The "Visual Testing Studio" software package automates the monitoring of students' knowledge, including the creation of test tasks, the testing of students and the analysis of results.

The package consists of the following modules:

  • Test editor, for creating test tasks;
  • Script editor, for setting student testing parameters;
  • Test shell, for running tests in an educational institution;
  • Test results, for analysing and viewing test results;
  • Student lists, for managing lists of groups and students;
  • Administration, for managing the security of the software package.

The test editor lets you create test tasks of 7 different types: yes/no, choosing one or several correct answers, entering a number or a word, ordering a sequence and matching. When creating the text you can use formulas, drawings and complex formatting.
In the script editor you can choose which tasks to use in a test session from one or more tests, set the time and number of tasks, and define the test mode.

Based on the created test, you can run testing both on computers and on paper forms generated automatically by the program.

Two algorithms can be used to determine the grade, one of which takes into account the statistical probability of guessing the correct answer. A single database stores the tasks and the accumulated testing statistics, which can be used to assess the quality of the test tasks and improve the test.
To ensure security, a multi-level access control system, encryption, password or Windows authentication and event auditing are used.
The testing system can be used both as a standalone system and together with other automation systems. In that case, students can be loaded automatically from the "Deanat" system and the test results exported to the "Electronic Vedomosti" information system.

The result of testing is a report with the results of the assessment. If necessary, you can see which questions were answered incorrectly.
The system supports full-text search, a centralized design style, search for duplicate tasks, as well as export and import of tests from files.

As a result of using an automated testing system:
1) The productivity of the teacher during tests increases 8-10 times.
2) Subjectivity in assessing knowledge is eliminated.
3) Testing can be used as entrance control before an exam.
4) Created test task bank can be reused.
5) Test results can be used in analyzing the academic performance and quality of test tasks.

In everyday use of IT systems it is rather difficult to assess whether the parameters of the hardware infrastructure comply with current technical requirements and current business processes.

To measure the available server capacity, conditions close to peak load must be created for it. Server load testing lets you simulate such work scenarios most accurately.

What tasks does load testing solve?

  • selecting the optimal hardware and software configuration of the server components;
  • checking the maximum performance of the hardware and debugging its operation during periods of peak load;
  • preventing server failures under increased network resource consumption and increased RAM and CPU load;
  • checking the stability of the server's operation at maximum load in different time segments around the clock.

The main stages of load testing

  • Definition of test criteria

Developing the test strategy, defining the server operation parameters and the permissible value ranges for the equipment. Next, the list of properties and tools to be used is compiled. Finally, test parameters and scripts are prepared.

  • Testing

In accordance with the selected scenario, the simultaneous work of users with the application is emulated. The data processing speed of the disk subsystem, the query response time, the amount of network resource consumption, and the level of RAM and CPU usage are evaluated. Several scenarios can be run at the same time.

  • Analysis of test results

Based on the results of the server load testing, the customer is provided with a detailed report on the tests, with dependency graphs, descriptions of probable problems and suggestions for improving the equipment configuration.

Testing various system components

  • Network architecture

Detection of potential defects in network adapters and drivers. Measurement of performance and determination of network quality.

  • Applications

Assessment of the maximum efficiency of the selected applications at the specified values of the performance metric. Typical objects of research: operating systems (Linux, MS Server, Solaris), application servers (Red Hat JBoss Application Server, IBM WebSphere, WebLogic), database management systems (MySQL, PostgreSQL, MS SQL), corporate software (ERP and CRM systems, etc.).

  • Database

Checking database performance by emulating a multitude of user transactions with a gradual increase in load intensity.

Load testing lets you determine how ready the system is for abnormal situations (equipment failure, DDoS attacks), its level of reliability and its ability to recover. Load tests also help develop a set of adequate measures to increase system performance, stability and the protection of the corporate environment.

Choosing a virtual dedicated server and working with it involves many nuances. And while the technical side of a VPS/VDS server can be studied using various indicators, the quality of its operation can only be analysed in use.

The company's site is confident in the high quality of the services it provides, so it offers customers a test period. Using a VPS/VDS server in test mode, you can evaluate the server's operation and see our company's reliability for yourself.

Are there any differences between paid and test VPS / VDS?

While you are not yet sure how many resources you need, and do not know which server (dedicated or virtual) to choose, the company's website offers the opportunity to test hosting and a dedicated server for free. Try it out during a trial period, without paying for a long-term lease.

What will the test period give?

  • The ability to work in real conditions. The VPS/VDS server provided for the test period is technically unlimited. Functionality and platform capabilities are the same as with paid provision.
  • The ability to compare tariff plans and select the optimal option for your own needs.
  • During the test period you can install the necessary software and fully customize the operating system.
  • Full interaction with technical support, equivalent to the paid period.

Test period conditions

For testing, free rental for a period of 14 days is available. At any point during the trial period you can switch to a paid plan yourself, keeping the settings you have already made.

Throughout the test access period you can transfer data from another hosting provider, which is very convenient and cost-effective. You do not need to pay for the service before actually using it.
