Resources


A regular question we hear is "how can I practice this stuff?" The answer gets a bit long considering the "what" you want to practice is usually a bit vague.  That said, during sessions at #SDC5 one of our awesome speakers, Josh More, chimed in that he had built a pretty extensive & fairly current list of "target systems" or other practice resources compiled for an upcoming book!  Even better...he sent us the list to post up for everyone!

If you have thanks, kudos, feedback, updates, additions, etc. please contact:

When the book is out, you can get it here (support our speakers!):

__Progressive Games__


NameDescriptionLinks
crackmehttps://en.wikipedia.org/wiki/Crackme
code katashttps://en.wikipedia.org/wiki/Code_Kata
Matasano/Square Embedded Security CTF Challengehttps://microcorruption.com/
Starfighter CTFprogramming competion instead of technical interviews or resumeshttp://www.starfighters.io/
http://www.kalzumeus.com/2015/03/09/announcing-starfighter/
EnigmaGroupWide range of excercizeshttp://www.enigmagroup.org/
GameOverInsecure web applicationshttp://sourceforge.net/projects/null-gameover/
SecuraBit Gh0st PenLabCTFhttp://www.gh0st.net/
Google GruyereWeb Application Exploits and Defenses: small cheesy web application codelabhttp://google-gruyere.appspot.com/
Hacker Challengehttp://www.dareyourmind.net/
Hacker TestJavaScript-PHP-HTMLhttp://www.hackertest.net/
Hacking-LabCTF and mission style challenges for the European Cyber Security Challengehttps://www.hacking-lab.com/
Hack.meVulnerable web applications code samples and CMS̢۪s onlinehttps://hack.me/
http://www.elearnsecurity.com/
HackThisJavaScript-SQLi-Coding-Crypt-Captcha-Forensicshttp://www.hackthis.co.uk/
Hack This SiteProgramming-JavaScript-Forensics-Stego-Irchttps://www.hackthissite.org/
Hax.Tor02006 many levels deprecatedhttp://hax.tor.hu/
hackxorVirtual machine image like WebGoat but with a plothttp://hackxor.sourceforge.net/cgi-bin/index.pl
OverTheWireSSH shell accesshttp://www.overthewire.org/wargames/
p0wnlabsFree sample challenges forensics-password cracking-OpenVPN-Metasploitable-WebGoat-OWASPBWA-pay challengeshttp://www.p0wnlabs.com/free
pwn0VPN accesshttps://pwn0.com/home.php
Root MeHundreds of challenges-virtual machineshttp://www.root-me.org/?lang=en
Security Treasure HuntWeb vulnerability-forensicshttp://www.securitytreasurehunt.com/
Smash The StackSSH shell accesshttp://www.smashthestack.org/
sqli-labsAplatform to learn SQLihttps://github.com/Audi-1/sqli-labs
TheBlackSheep and ErikProgramming-JavaScript-PHP-Java-Steganography-Cryptographyhttp://www.bright-shadows.net/
ThisIsLegalhacker wargameshttp://thisislegal.com/
Try2Hackhttp://www.try2hack.nl/
WabLabSQL-web applicationhttp://www.wablab.com/hackme
VulnApphttp://www.nth-dimension.org.uk/blog.php?id=88

__Network Targets__


NameDescriptionLinks
US NIST Computer Forensic Reference Data Sets (CFReDS)http://www.cfreds.nist.gov/
Damn Vulnerable Linuxhttp://sourceforge.net/projects/virtualhacking/files/os/dvl/
Handler DiariesDigital Forensics and Incident Responsehttp://blog.handlerdiaries.com/
Kioptrixvirtual machine challengeshttp://www.kioptrix.com/blog/test-page/
LAMPSecurityVulnerable virtual machine images to teach linux-apache-php-mysql securityhttp://sourceforge.net/projects/lampsecurity/
MetasploitableIntentionally vulnerable Linux virtual machinehttp://sourceforge.net/projects/virtualhacking/files/os/metasploitable/
Metasploitable2Intentionally vulnerable Linux virtual machinehttp://sourceforge.net/projects/metasploitable/files/Metasploitable2/
GoatseLinux: It's Wide Openhttp://neutronstar.org/goatselinux.html
pWnOShttp://www.pwnos.com/
RebootUser VulnixVulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions. The goal: boot up find the IP hack away and obtain the trophyhttp://www.rebootuser.com/?page_id=1041
UltimateLAMPPHDays iBank CTFhttp://www.amanhardikar.com/mindmaps/practice-links.html
VulnserverVulnerable Windows based threaded TCP server applicationhttp://www.thegreycorner.com/2010/12/introducing-vulnserver.html

__Web Targets__


NameDescriptionLinks
Metasploit UnleashedFree training from Hackers for Charityhttp://www.offensive-security.com/metasploit-unleashed/Main_Page
MetasploitableUse with Metasploit Unleashedhttp://www.offensive-security.com/metasploit-unleashed/Metasploitable
Backtrack Tutorialshttp://www.backtrack-linux.org/tutorials/
Hack This SiteProgramming JavaScript Forensics Stego Irchttp://www.hackthissite.org/
BodgeIt Storea vulnerable web application for those new to pentestinghttps://github.com/psiinon/bodgeit
Butterfly SecurityWeb application and PHP vulnerabilities and mitigationhttp://sourceforge.net/projects/thebutterflytmp/
CryptOMGCommon cryptographic flaws CTFhttps://github.com/SpiderLabs/CryptOMG
Damn Vulnerable Web App (DVWA)PHP/MySQLhttp://www.dvwa.co.uk/
Damn Vulnerable Web Services (DVWS)http://dvws.professionallyevil.com/
Exploit KB Vulnerable Web AppSQLi PHP MySQLhttp://exploit.co.il/projects/vuln-web-app/
https://sourceforge.net/projects/exploitcoilvuln
Foundstone Hackme BankMS-Windowshttp://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Foundstone Hackme BooksMS-Windowshttp://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Foundstone Hackme CasinoMS-Windowshttp://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Foundstone Hackme ShippingMS-Windows Adobe ColdFusion MySQLhttp://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Foundstone Hackme TravelMS-Windows client/server SQLhttp://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
LAMPSecurityvulnerable virtual machine images to teach linux apache php mysql securityhttp://sourceforge.net/projects/lampsecurity/
Magical Code Injection Rainbow (MCIR)SQLol XMLmao ShelLOL and XSShttps://github.com/SpiderLabs/MCIR
MothVMware image with vulnerable Web Applications and scriptshttp://www.bonsai-sec.com/en/research/moth.php
NOWASP/Mutillidae 2Vulnerable web-application for Linux and Windows using LAMP WAMP and XAMMP pre-installed on SamuraiWTF Rapid7 Metasploitable-2 and OWASP BWAhttp://sourceforge.net/projects/mutillidae/
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
OWASP BricksVulnerable web application built on PHP and MySQL exploitable using Mantra and ZAPhttp://sourceforge.net/projects/owaspbricks/
OWASP Broken Web AppsVulnerable web applications on a Virtual Machinehttps://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
OWASP Broken Web Applications Project (BWA)vulnerable web applications on VMware virtual machinehttp://code.google.com/p/owaspbwa/
OWASP Security ShepherdWeb and mobile application security training platformhttps://www.owasp.org/index.php/OWASP_Security_Shepherd
OWASP SiteGeneratorDynamic websites based on XML files and predefined vulnerabilitieshttps://www.owasp.org/index.php/Owasp_SiteGenerator
PuzzleMallJava/JSP Apache Derby Temporal Session Race Conditions (TSRC) and Layer Targeted AdoShttp://code.google.com/p/puzzlemall/
SecuriBenchJava-SQL injection attacks-Cross-site scripting attacks HTTP splitting attacks Path traversal attackshttp://suif.stanford.edu/~livshits/securibench/
SocketToMePHP chat a simple number guessing game and a few other hidden featureshttp://digi.ninja/projects/sockettome.php
WackoPickoPart of OWASP BWA Projecthttps://github.com/adamdoupe/WackoPicko
"Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners"http://cs.ucsb.edu/%7Eadoupe/static/black-box-scanners-dimva2010.pdf
WebGoat.NEThttps://github.com/jerryhoff/WebGoat.NET/
https://www.owasp.org/index.php/WebGoat_User_Guide_Table_of_Contents
WebSecurity DojoSelf-contained training environment for Web Application Security penetration testing xubuntu 12.04http://sourceforge.net/projects/websecuritydojo/files/ http://dojo.mavensecurity.com/
OWASP Zed Attack ProxyWeb Application Vulnerability Examples (WAVE) for testing OWAP ZAPhttp://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip
Hewlett-Packard Fortify WebInspectProduct demo Zero Bankhttp://zero.webappsecurity.com/