background preloader

Hacking

Facebook Twitter

Pentest lab vulnerable servers-applications list. In this post I’m going to present some useful resources to learn about penetration testing and where to use exploitation tools and techniques in a safe and legal environment. This list contain a set of deliberately insecure LiveCDs and virtual machines designed to be used as targets for enumeration, web exploitation, password cracking and reverse engineering. Holynix Similar to the de-ice Cd’s and pWnOS, holynix is an ubuntu server vmware image that was deliberately built to have security holes for the purposes of penetration testing. More of an obstacle course than a real world example. WackoPicko WackoPicko is a website that contains known vulnerabilities. De-ICE PenTest LiveCDs The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for.

Metasploitable Damn Vulnerable Web App (DVWA) Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Hackxor. Contents: About hacxkor Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc Features: Client attack simulation using HtmlUnit; no alert('xss') here. Play the online demo The first two levels can be played online here. Download&install instructions Download the full version of hackxor (700mb) Install VMWare Player (This involves creating a free account with vmware) Extract hackxor1.7z, run the image using VMware player.

The scene You play a professional blackhat hacker hired to track down another hacker by any means possible. Changes since 1.0 Fixed a potential-lose bug in hub71 Changes since the beta Hints&tips Try some other vulnerable webapps Read some cryptic spoiler-free hints (Last updated 11th May) Client Attack Simulation with HtmlUnit Credits. VulnHub - Vulnerable By Design. Index of / Here's a list of some CTF practice sites and tools or CTFs that are long-running. Thanks, RSnake for starting the original that this is based on.

If you have any corrections or suggestions, feel free to email ctf at the domain psifertex with a dot com tld. Live Online Games Recommended Whether they're being updated, contain high quality challenges, or just have a lot of depth, these are probably where you want to spend the most time. Others Meta (excellent list of challenge sites) (good CTF wiki, though focused on CCDC) (great archive of CTFs) Webapp Specific Forensics Specific Recruiting Paid Training Downloadable Offline Games Virtual Machines Inactive or Gone Just around for historical sake, or on the off-chance they come back. Vulnerable by Design. Positive Hack Days. Wargames. We're hackers, and we are good-looking. We are the 1%. The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

To find out more about a certain wargame, just visit its page linked from the menu on the left. If you have a problem, a question or a suggestion, you can join us on IRC. Suggested order to play the games in Bandit Leviathan or Natas or Krypton Narnia Behemoth Utumno Maze … Each shell game has its own SSH port Information about how to connect to each game using SSH, is provided in the top left corner of the page. Professional education - What "hacking" competitions/challenges exist? I don't know a good reference to point to for further reading.

Thus I will try to list a few time-wasters that I personally enjoy. In the following I will allow myself to differentiate between various styles of hacking competitions. I don't know if this is a canonical approach, but it will probably help explaining the differences between the ones I know: These games take place on given server, where you start with an ssh login and try to exploit setuid-binaries to gain higher permissions.

These games are usually available 24/7 and you can join whenever you want. These games will present you numerous tasks that you can solve separately. The challenges mostly vary from exploitation, CrackMes, crypto, forensic, web security and more. These actually require you to capture and protect "flags". iCTF (typically in December)CIPHER CTF (will be renewed by new organizers this year)RuCTF and RuCTFe (a Russian CTF and its international version) Edit: /Edit. Exploit Exercises.