3/20/2011 Vulnerable by Design by g0tm1lk blog's

Hi again folks,reading my feeds i found a interesting post with the most important enviroments for practice your skills hacking, i wait that you like :

Pentest lab. "Hacker" training. Deliberately insecure applications challenge thingys.

Call it what you will, but what happens when you want to try out your new set of skills? Do you want to be compare results from a tool when it's used in different environments? What if you want to explore a system (that is legal to do so!) that you have no knowledge about (because you didn't set it up!)...
If any of that sounds helpful, below is a small collection of different environments, so if you want to go from "boot to root", "capture the flag" or just to dig around as much as you want to try out the odd thing here and there. These will allow you to do so and without getting in trouble for doing it!

The idea isn't to cheat, the aim is to learn a thing or two ;)

I'm sure there are a lot more out there, if you want to recommend any others - please so do! =)

Complete Operating System. The idea of going from boot to root via any which way you can. Most of them have multiple entry points (some are easier than others) so you can keep using it ;)  They are all Linux OS (either in ISO or VM form) with vulnerable/configured software installed. (If you haven't got any VM software, VMware Playeris free and will do the trick)
(Offline) Web based. Most of them you'll need to download, copy and load the files yourself on your own web server (if you haven't already got one, xampp is great). A few of them are VM images that can be loaded in to Virtual machines as they come with all the software & settings needed.
(Online) Web based. Same as above, however if you don't want the hassle of setting it all up or to be able to do it where ever you have a Internet connection...

Complete Operating System

Name: Damn Vulnerable Linux

Homepage: http://www.damnvulnerablelinux.org/
Brief description: Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.
Version/Levels: 1
Support/Walk-through: Brochure

Name: De-ICE

Homepage: http://heorot.net/livecds/ or http://www.de-ice.net
Brief description: The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.
Version/Levels: Level 1 - Disk 1, Level 1 - Disk 2, Level 2 - Disk 1
Support/Walk-through: Forums, Wiki,  Level 1 - Disk 1, Level 1 - Disk 2, Level 2 - Disk 1

Name: Holynix

Homepage: http://pynstrom.net/holynix.php
Brief description: Holynix is a Linux distribution that was deliberately built to have security holes for the purposes of penetration testing.
Version/Levels:2
Support/Walk-through: Forum, SourceForge

Name: Kioptrix

Homepage: http://www.kioptrix.com
Brief description: This Kioptrix VM Image are easy challenges. The object of the game is to acquire
root access via any means possible (except actually hacking the VM server or player).
The purpose of these games are to learn the basic tools and techniques in vulnerability
assessment and exploitation. There are more ways then one to successfully complete the challenges.
Version/Levels: 2
Support/Walk-through: Blog, Level 1 - mod_ssl, Level 2 - Injection

Name: Metasploitable

Homepage: http://blog.metasploit.com/2010/05/introducing-metasploitable.html
Brief description: One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.
Version/Levels: 1
Support/Walk-through: Blog, DistCC, MySQL, PostgreSQL, TikiWiki, TomCat

Name: NETinVM

Homepage: http://informatica.uv.es/~carlos/docencia/netinvm/#id7
Brief description: NETinVM is a single VMware virtual machine image that contains, ready to run, a series ofUser-mode Linux (UML) virtual machines which, when started, conform a whole computer network inside theVMware virtual machine. Hence the name NETinVM, an acronym for NETwork in Virtual Machine. NETinVM has been conceived mainly as an educational tool for teaching and learning about operating systems, computer networks and system and network security, but other uses are certainly possible.
Version/Levels: 3 (2010-12-01)
Support/Walk-through: Blog

Name: pWnOS

Homepage: http://forums.heorot.net/viewtopic.php?f=21&t=149
Brief description: It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine.
Version/Levels: 1
Support/Walk-through: Forums, Level 1

(Offline) Web Based

Name: BadStore

Homepage: http://www.badstore.net/
Brief description: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.
Version/Levels: 1 (v1.2)
Support/Walk-through: PDF

Name: Damn Vulnerable Web App

Homepage: http://www.dvwa.co.uk/
Brief description: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Version/Levels: 1 (v1.0.7)
Support/Walk-through: PDF

Name: Hacking-Lab

Homepage: http://www.hacking-lab.com/
Brief description: This ist the LiveCD project of Hacking-Lab (www.hacking-lab.com). It gives you OpenVPN access into Hacking-Labs Remote Security Lab. The LiveCD iso image runs very good natively on a host OS, or within a virtual environment (VMware, VirtualBox).
The LiveCD gives you OpenVPN access into Hacking-Lab Remote.You will gain VPN access if both of the two pre-requirements are fulfilled.
Version/Levels: 1 (v5.30)
Support/Walk-through: Download

Name: HackUS HackFest Web CTF

Homepage: http://hackus.org/en/media/training/
Brief description: The Hackfest is an annual event held in Quebec city. For each event, a competition is held where participants competed at solving challenges related to security. For the 2010 edition, I got involved in the competition by creating the web portion of the competition.
Version/Levels: 1 (2010)
Support/Walk-through: BlogSolutionnaire (English)

Name: Hacme

Homepage: http://www.mcafee.com/us/downloads/free-tools/index.aspx
Brief description: Foundstone Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.
Version/Levels: 5 (2006)
Support/Walk-through: Bank, Book, Casino, Shipping, Travel

Name: LAMPSecurity

Homepage: http://sourceforge.net/projects/lampsecurity/
Brief description: Foundstone Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.
Version/Levels: v6 (4x)
Support/Walk-through: SourceForge

Name: Moth

Homepage: http://www.bonsai-sec.com/en/research/moth.php
Brief description: Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

1. Testing Web Application Security Scanners
2. Testing Static Code Analysis tools (SCA)
3. Giving an introductory course to Web Application Security

Version/Levels: v6
Support/Walk-through: SourceForge

Name: Mutillidae

Homepage: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Brief description: Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10
Version/Levels: v1.5
Support/Walk-through: N/A

Name: Open Web Application Security Project (OWASP) Broken Web Applications Project

Homepage: https://code.google.com/p/owaspbwa/
Brief description: This project includes applications from various sources (listed in no particular order).
Intentionally Vulnerable Applications:

• OWASP WebGoat version 5.3.x(Java)
• OWASP Vicnum version 1.4 (PHP/Perl)
• Mutillidae version 1.5 (PHP)
• Damn Vulnerable Web Application version 1.07.x (PHP)
• Ghost (PHP)
• Peruggia version 1.2 (PHP)
• OWASP CSRFGuard Test Application version 2.2 (Java)
• OWASP AppSensor Demo Application (Java)
• Mandiant Struts Forms (Java/Struts)
• Simple ASP.NET Forms (ASP.NET/C#)
• Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

Old Versions of Real Applications:

• WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
• phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
• Yazd version 1.0 (Java, released February 20, 2002)
• gtd-php version 0.7 (PHP, released September 30, 2006)
• OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
• GetBoo version 1.04 (PHP, released April 7, 2008)

Version/Levels: v0.92rc1
Support/Walk-through: N/A

Name: SecuriBench

Homepage: http://suif.stanford.edu/~livshits/securibench/
Brief description: Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java.
These applications suffer from a variety of vulnerabilities including

• SQL injection attacks
• Cross-site scripting attacks
• HTTP splitting attacks
• Path traversal attacks

Version/Levels: v0.91a
Support/Walk-through: N/A

Name: UltimateLAMP

Homepage: http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/
Brief description: UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products. UltimateLAMP runs as a Virtual Machine with VMware Player (FREE). This demonstration package also enables the recording of all user entered information for later reference, indeed you will find a wealth of information already available within a number of the Product Recommendations starting with the supplied Documentation.
Version/Levels: v0.2
Support/Walk-through: Passwords

Name: Virtual Hacking Lab

Homepage: http://virtualhacking.sourceforge.net/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1 (2009)
Support/Walk-through: SourceForge

Name: WackoPicko

Homepage: https://github.com/adamdoupe/WackoPicko
Brief description: WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
Version/Levels: 1
Support/Walk-through: N/A

Name: WebGoat

Homepage: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Brief description: WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
Version/Levels: 1
Support/Walk-through: User Guide, GoogleCode, SourceForge

Name: WebMaven

Homepage: http://www.mavensecurity.com/WebMaven/
Brief description: WebMaven (better known as Buggy Bank) was an interactive learning environment for web application security. It emulated various security flaws for the user to find. This enabled users to safely & legally practice web application vulnerability assessment techniques. In addition, users could benchmark their security audit tools to ensure they perform as advertised.
Version/Levels: 1.0.1
Support/Walk-through: Download

Name: Web Security Dojo

Homepage: http://www.mavensecurity.com/web_security_dojo/
Brief description: A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.1, which is patched with the appropriate updates and VM additions for easy use.
Version 1.1 includes an exclusive speed-enhanced version of Burp Suite Free. Special thanks to PortSwigger .
Version/Levels: 1
Support/Walk-through: SourceForge

(Online) Web Based

Name: Gruyere / jarlsberg

Homepage: http://google-gruyere.appspot.com/
Brief description: This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application
Version/Levels: 1 (v1.0.7)
Support/Walk-through: PDFDownload offline

Name: HackThis

Homepage: http://www.hackthis.co.uk/
Brief description: Welcome to HackThis!!, this site was set up over 2 years ago as a safe place for internet users to learn the art of hacking in a controlled environment, teaching the most common flaws in internet security.
Version/Levels: 32 (40?)
Support/Walk-through: N/A

Name: HackThisSite

Homepage: http://www.hackthissite.org/
Brief description: Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
Version/Levels: Lots
Support/Walk-through: N/A

Name: Vicnum

Homepage: http://vicnum.ciphertechs.com/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1.4 (2009)
Support/Walk-through: SourceForge (Download)

Taken from :http://g0tmi1k.blogspot.com ©