A recent post on hackplayers put together a good compilation of resources for practicing penetration testing, categorized into web applications, operating systems and others; here is another one:
HackMe
Hack.me is a FREE, community-based project powered by eLearnSecurity. The community can build, host and share vulnerable web application code for educational and research purposes.
It aims to be the largest collection of "runnable" vulnerable web applications, code samples and CMSs online. The platform is available without any restriction to any party interested in Web Application Security: students, universities, researchers, penetration testers and web developers.
pentesterlab.com
PentesterLab is an easy and great way to learn penetration testing. PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities. Just decide what course you want to follow, download the course and start learning. You can easily run the course using VMware or VirtualBox; no internet access is needed.
pentesterlab.com
bWAPP
bWAPP, or "a buggy web application", is a free and open source web application built to allow security enthusiasts, students and developers to better secure web applications. bWAPP prepares you to conduct successful penetration testing and ethical hacking projects. It includes all vulnerabilities from the OWASP Top 10 project and is for educational purposes only.
OWASP Bricks!
Bricks is a web application security learning platform built on PHP and MySQL. The project focuses on variations of commonly seen application security issues. Each 'Brick' has some sort of security issue which can be leveraged manually or using automated software tools. The mission is to 'Break the Bricks' and thus learn the various aspects of web application security.
GameOver
Project GameOver was started with the objective of training and educating newcomers in the basics of web security, teaching them about the common web attacks and helping them understand how they work.
https://sourceforge.net/projects/null-gameover/
UltimateLAMP
UltimateLAMP is an Ubuntu VM running vulnerable services and containing weak accounts.
The UltimateLAMP VM runs the following services: Postfix, Apache, MySQL, WordPress, TextPattern, Serendipity, MediaWiki, TikiWiki, PHP, Gallery, Moodle, PHPWebSite, Joomla, eGroupWare, Drupal, PHP Bulletin Board, SugarCRM, Owl, WebCalendar, DotProject, PhpAdsNew, Bugzilla, osCommerce, ZenCart, phpMyAdmin, Webmin, Mutillidae 1.5 (OWASP Top 10 vulnerabilities).
webgoat
WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
http://www.owasp.org
Holynix
Similar to the De-ICE CDs and pWnOS, Holynix is an Ubuntu Server VMware image that was deliberately built to have security holes for the purposes of penetration testing. It is more of an obstacle course than a real-world example.
http://pynstrom.net/index.php?page=holynix.php
WackoPicko
WackoPicko is a website that contains known vulnerabilities. It was first used for the paper "Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners", found at: http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf
https://github.com/adamdoupe/WackoPicko
De-ICE PenTest LiveCDs
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.
http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks
Metasploitable
Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number of vulnerable packages are included, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL.
https://sourceforge.net/projects/metasploitable/
Owaspbwa
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.
http://code.google.com/p/owaspbwa/
Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
http://www.mavensecurity.com/web_security_dojo/
Lampsecurity
LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.
http://sourceforge.net/projects/lampsecurity/files/
Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.
www.dvwa.co.uk
Hacking-Lab
This is the Hacking-Lab LiveCD project. It is currently in beta stage. The LiveCD is a standardized client environment for solving the Hacking-Lab wargame challenges remotely.
http://www.hacking-lab.com/hl_livecd/
Moth
Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
http://www.bonsai-sec.com/en/research/moth.php
Exploit kb vulnerable web app
The exploit.co.il Vulnerable Web App is designed as a learning platform to test various SQL injection techniques. It is a fully functional web site with a content management system based on FCKeditor. You can download it as source code or as a pre-configured.
http://sourceforge.net/projects/exploitcoilvuln/
Gruyere
This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).
Damn Vulnerable Linux (DVL)
Damn Vulnerable Linux is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop; it's a learning tool for security students.
http://www.damnvulnerablelinux.org
pWnOS
pWnOS is a VM image that creates a target on which to practice penetration testing; the end goal is to get root. It was designed for practicing the use of exploits, with multiple entry points.
http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html
http://www.krash.in/bond00/pWnOS%20v1.0.zip
Virtual Hacking Lab
A mirror of deliberately insecure applications and old software with known vulnerabilities. Used for proof-of-concept, security training and learning purposes. Available as virtual images, live ISOs or standalone formats.
http://sourceforge.net/projects/virtualhacking/files/
Badstore
Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure.
http://www.badstore.net/
BodgeIt Store
The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
http://code.google.com/p/bodgeit/
Hackademic Challenges
The OWASP Hackademic Challenges is an open source project that can be used to test and improve one's knowledge of information system and web application security. The OWASP Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.
www.hackademic.eu
OWASP Vicnum Project
A flexible web app showing vulnerabilities such as cross-site scripting, SQL injection, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag' exercises. Play the game at
http://vicnum.ciphertechs.com
Stanford SecuriBench
Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java.
http://suif.stanford.edu/~livshits/securibench/
Kioptrix
The Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.
http://www.kioptrix.com/blog/?page_id=135
hackxor
Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.
http://hackxor.sourceforge.net
Project GameOver:
Project GameOver was started with the objective of training and educating newcomers in the basics of web security, teaching them about the common web attacks and helping them understand how they work. It is a collection of various vulnerable web applications, designed for the purpose of learning web penetration testing. It includes some of the above-mentioned deliberately vulnerable websites.
http://null.co.in/2012/06/14/gameover-web-pentest-learning-platform/
Others:
http://demo.testfire.net/
http://code.google.com/p/bodgeit/
http://ghostinthelab.wordpress.com/2011/09/06/hackademic-rtb1-root-this-box/
http://ghostinthelab.wordpress.com/2011/09/06/hackademic-rtb2-%E2%80%93-root-this-box/
http://www.amanhardikar.com/mindmaps/PracticewithURLs.html
http://null.co.in/2012/06/14/gameover-web-pentest-learning-platform/
http://exploit-exercises.com/
This article has been translated into Serbo-Croatian by Jovana Milutinovich from Webhostinggeeks.com.
Source: http://bailey.st/blog/2010/09/14/pentest-lab-vulnerable-servers-applications-list/