A regular question we hear is "how can I practice this stuff?" The answer gets a bit long, considering the "what" you want to practice is usually a bit vague. That said, during sessions at #SDC5 one of our awesome speakers, Josh More, chimed in that he had built a pretty extensive & fairly current list of "target systems" or other practice resources, compiled for an upcoming book! Even better... he sent us the list to post up for everyone!

If you have thanks, kudos, feedback, updates, additions, etc. please contact:

When the book is out, you can get it here (support our speakers!):

__Progressive Games__

code katas
Matasano/Square Embedded Security CTF Challenge
Starfighter CTF: programming competition instead of technical interviews or resumes
EnigmaGroup: Wide range of exercises
GameOver: Insecure web applications
SecuraBit Gh0st PenLab: CTF
Google Gruyere: Web Application Exploits and Defenses (small cheesy web application codelab)
Hacker Challenge
Hacker Test: JavaScript-PHP-HTML
Hacking-Lab: CTF and mission style challenges for the European Cyber Security Challenge
Hack.me: Vulnerable web applications, code samples and CMS's online
Hack This Site: Programming-JavaScript-Forensics-Stego-Irc
Hax.Tor: 02006 many levels deprecated
hackxor: Virtual machine image like WebGoat but with a plot
OverTheWire: SSH shell access
p0wnlabs: Free sample challenges forensics-password cracking-OpenVPN-Metasploitable-WebGoat-OWASPBWA-pay challenges
pwn0: VPN access
Root Me: Hundreds of challenges-virtual machines
Security Treasure Hunt: Web vulnerability-forensics
Smash The Stack: SSH shell access
sqli-labs: A platform to learn SQLi
TheBlackSheep and Erik: Programming-JavaScript-PHP-Java-Steganography-Cryptography
ThisIsLegal: hacker wargames
WabLab: SQL-web application

__Network Targets__

US NIST Computer Forensic Reference Data Sets (CFReDS)
Damn Vulnerable Linux
Handler Diaries: Digital Forensics and Incident Response
Kioptrix: virtual machine challenges
LAMPSecurity: Vulnerable virtual machine images to teach linux-apache-php-mysql security
Metasploitable: Intentionally vulnerable Linux virtual machine
Metasploitable2: Intentionally vulnerable Linux virtual machine
GoatseLinux: It's Wide Open
RebootUser Vulnix: Vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions. The goal: boot up, find the IP, hack away and obtain the trophy
UltimateLAMPPHDays iBank CTF
Vulnserver: Vulnerable Windows based threaded TCP server application

__Web Targets__

Metasploit Unleashed: Free training from Hackers for Charity
Metasploitable: Use with Metasploit Unleashed
Backtrack Tutorials
Hack This Site: Programming JavaScript Forensics Stego Irc
BodgeIt Store: a vulnerable web application for those new to pentesting
Butterfly Security: Web application and PHP vulnerabilities and mitigation
CryptOMG: Common cryptographic flaws CTF
Damn Vulnerable Web App (DVWA): PHP/MySQL
Damn Vulnerable Web Services (DVWS)
Exploit KB Vulnerable Web App: SQLi PHP MySQL
Foundstone Hackme Bank: MS-Windows
Foundstone Hackme Books: MS-Windows
Foundstone Hackme Casino: MS-Windows
Foundstone Hackme Shipping: MS-Windows Adobe ColdFusion MySQL
Foundstone Hackme Travel: MS-Windows client/server SQL
LAMPSecurity: vulnerable virtual machine images to teach linux apache php mysql security
Magical Code Injection Rainbow (MCIR): SQLol, XMLmao, ShelLOL and XSS
Moth: VMware image with vulnerable Web Applications and scripts
NOWASP/Mutillidae 2: Vulnerable web-application for Linux and Windows using LAMP, WAMP and XAMPP; pre-installed on SamuraiWTF, Rapid7 Metasploitable-2 and OWASP BWA
OWASP Bricks: Vulnerable web application built on PHP and MySQL, exploitable using Mantra and ZAP
OWASP Broken Web Apps: Vulnerable web applications on a Virtual Machine
OWASP Broken Web Applications Project (BWA): vulnerable web applications on VMware virtual machine
OWASP Security Shepherd: Web and mobile application security training platform
OWASP SiteGenerator: Dynamic websites based on XML files and predefined vulnerabilities
PuzzleMall: Java/JSP Apache Derby Temporal Session Race Conditions (TSRC) and Layer Targeted ADoS
SecuriBench: Java-SQL injection attacks-Cross-site scripting attacks HTTP splitting attacks Path traversal attacks
SocketToMe: PHP chat, a simple number guessing game and a few other hidden features
WackoPicko: Part of OWASP BWA Project
"Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners"
WebSecurity Dojo: Self-contained training environment for Web Application Security penetration testing, xubuntu 12.04
OWASP Zed Attack Proxy: Web Application Vulnerability Examples (WAVE) for testing OWASP ZAP
Hewlett-Packard Fortify WebInspect: Product demo Zero Bank