Feb 26, 2011

Pentest lab vulnerable servers-applications list

In this post I’m going to present some useful resources for learning about penetration testing, and places to use exploitation tools and techniques in a safe and legal environment. This list contains a set of deliberately insecure LiveCDs and virtual machines designed to be used as targets for enumeration, web exploitation, password cracking and reverse engineering.

Similar to the De-ICE CDs and pWnOS, Holynix is an Ubuntu server VMware image that was deliberately built to have security holes for the purposes of penetration testing. It is more of an obstacle course than a real-world example.

WackoPicko is a website that contains known vulnerabilities. It was first used for the paper "Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners", available at: http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf

De-ICE PenTest LiveCDs
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.

Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number of vulnerable packages are included, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL.

Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.

Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.

Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.

This is the Hacking-Lab LiveCD project. It is currently in beta stage. The LiveCD is a standardized client environment for solving our Hacking-Lab wargame challenges remotely.

Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

Damn Vulnerable Linux (DVL)
Damn Vulnerable Linux is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.

pWnOS is a “VM image” that creates a target on which to practice penetration testing, with the “end goal” being to get root. It was designed for practicing the use of exploits, with multiple entry points.

Virtual Hacking Lab
A mirror of deliberately insecure applications and old software with known vulnerabilities. Used for proof-of-concept, security training and learning purposes. Available as virtual images, live ISOs or in standalone formats.

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure.

Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single flash drive. It includes distributions which focus on pen-testing, auditing, forensics, system recovery, network analysis, and malware removal. Katana also comes with over 100 portable Windows applications, such as Wireshark, Metasploit, Nmap, Cain & Abel, and many more.

HACKXOR [webapp hacking game] 

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.



BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.



Exploit KB Vulnerability Web App.
This vulnerable web app was developed by NightRanger. It's good practice to develop a PHP-based site from scratch in order to learn the basics of PHP and MySQL, and it is a fully functional website with a content management system. You can download it as a source code package or a VMware image.

PuzzleMall is a vulnerable web application designed for training purposes.
It is prone to a variety of different session puzzle exposures, which can be detected and exploited using different session puzzling sequences.



Edit: Update the link. Thank you Francisco Sáa Muñoz.
Update: Add link and add some to the list.
Update 2011-05-23: Add PuzzleMall and update broken link.


Francisco Sáa Muñoz said...

There are broken links.

Medt said...

Which link is broken?

Stupid People Whisperer said...

Another good one for web app is webgoat: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project it has vulnerable web and lessons.

Medt said...

Thank you for your advice, but WebGoat is the one vulnerability website in the OWASP Broken Web App.

MLB2k11 said...

All links are working and worthful. Thanks for the share.


Vibhor Gupta said...

Demo.testfire.net is also a very good web application for beginners.
