Need Something To Hack?

Finally, after 2 months of wildness life (prepare my team {the 9 tails team} for Gemastik 2011 Hacking Contest, with 24h of craziest training I’ve ever made!), it’s time for me to have a little break in here. Today post is about hacking lab stuff. In case you need to search for hacking lab for you training, you might give a try on this list. Happy hacking !
UltimateLAMP is a Ubuntu VM  running vulnerable services and containing weak accounts. The UltimateLAMP VM runs the following services:Postfix, Apache,
MySQL, WordPress, TextPattern, Seredipity, MediaWiki, TikiWiki, PHP,
Gallery, Moodle, PHPWebSite, Joomla, eGroupWare, Drupal, Php Bulletin
Board, Sugar CRM, Owl, WebCalendar, Dot project, PhpAdsNew, Bugzilla,
OsCommerce, ZenCart, PhphMyAdmin, Webmin,Mutillidae 1.5 (OWASP Top 10


WebGoat is a deliberately insecure J2EE web application maintained by
OWASP designed to teach web application security lessons. In each
lesson, users must demonstrate their understanding of a security issue
by exploiting a real vulnerability in the WebGoat application. For
example, in one of the lessons the user must use SQL injection to steal
fake credit card numbers. The application is a realistic teaching
environment, providing users with hints and code to further explain the
Similar to the de-ice Cd’s and pWnOS, holynix is an ubuntu server vmware
image that was deliberately built to have security holes for the
purposes of penetration testing. More of an obstacle course than a real
world example.
WackoPicko is a website that contains known vulnerabilities. It was
first used for the paper Why Johnny Can’t Pentest: An Analysis of
Black-box Web Vulnerability Scanners found:
De-ICE PenTest LiveCDs
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was
transferred to a penetration test team at the company he worked for.
Needing to learn as much about penetration testing as quickly as
possible, Thomas began looking for both tools and targets. He found a
number of tools, but no usable targets to practice against. Eventually,
in an attempt to narrow the learning gap, Thomas created PenTest
scenarios using LiveCDs.
Metasploitable is an Ubuntu 8.04 server
install on a VMWare 6.5 image. A number of vulnerable packages are
included, including an install of tomcat 5.5 (with weak credentials),
distcc, tikiwiki, twiki, and an older mysql.
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.
Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
LAMPSecurity training is designed to be a series of vunlerable virtual
machine images along with complementary documentation designed to teach
linux,apache,php,mysql security.
Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App is a PHP/MySQL web application that is damn
vulnerable. Its main goals are to be an aid for security professionals
to test their skills and tools in a legal environment, help web
developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a
class room environment.
This is the Hacking-Lab LiveCD project. It is currently in beta stadium.
The live-cd is a standardized client environment for solving our
Hacking-Lab wargame challenges from remote.
Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
Exploit kb vulnerable web app Vulnerable Web app designed as a learning platform to test
various SQL injection Techniques This is a fully functional web site
with a content management system based on fckeditor. You can download it
as source code or a pre configured.


This codelab shows how web application vulnerabilities can be
exploited and how to defend against these attacks. The best way to learn
things is by doing, so you’ll get a chance to do some real penetration
testing, actually exploiting a real application. Specifically, you’ll
learn the following:
  • How an application can be attacked using common web security
    vulnerabilities, like cross-site scripting vulnerabilities (XSS) and
    cross-site request forgery (XSRF).
  • How to find, fix, and avoid these common vulnerabilities and other bugs
    that have a security impact, such as denial-of-service, information
    disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with
how a web application works (e.g., general knowledge of HTML, templates,
cookies, AJAX, etc.).

Damn Vulnerable Linux (DVL)
Damn Vulnerable Linux  is everything a good Linux distribution isn’t.
Its developers have spent hours stuffing it with broken, ill-configured,
outdated, and exploitable software that makes it vulnerable to attacks.
DVL isn’t built to run on your desktop — it’s a learning tool for
security students.
pWnOS is on a “VM Image”, that creates a target on which to practice
penetration testing; with the “end goal” is to get root. It was designed
to practice using exploits, with multiple entry points
Virtual Hacking Lab
A mirror of deliberately insecure applications and old softwares with
known vulnerabilities. Used for proof-of-concept /security
training/learning purposes. Available in either virtual images or live
iso or standalone formats.
Badstore is dedicated to helping you understand how hackers prey on
Web application vulnerabilities, and to showing you how to reduce your
BodgeIt Store
The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
Hackademic Challenges
The OWASP Hackademic Challenges , is an open source project that can
be used to test and improve one’s knowledge of information system and
web application security. The OWASP Hackademic Challenges implement
realistic scenarios with known vulnerabilities in a safe, controllable
environment. Users can attempt to discover and exploit these
vulnerabilities in order to learn important concepts of information
security through the attacker’s perspective.