PenTesting Challenges

https://www.amanhardikar.com/mindmaps/Practice.html

Following table gives the URLs of all the vulnerable web applications, operating system installations, old software and war games [hacking] sites. The URLs for individual applications that are part of other collection entities were not given as it is not necessary to download each of them and manually configure them if they are already available in a configured state. For technologies used in each web application, please refer to the mindmap above.

Vulnerable Web Applications

BadStore

http://www.badstore.net/

BodgeIt Store

http://code.google.com/p/bodgeit/

Butterfly Security Project

http://thebutterflytmp.sourceforge.net/

bWAPP

http://www.mmeit.be/bwapp/ http://sourceforge.net/projects/bwapp/files/bee-box/

Commix

https://github.com/stasinopoulos/commix-testbed

CryptOMG

https://github.com/SpiderLabs/CryptOMG

Damn Vulnerable Node Application (DVNA)

https://github.com/quantumfoam/DVNA/

Damn Vulnerable Web App (DVWA)

http://www.dvwa.co.uk/

Damn Vulnerable Web Services (DVWS)

http://dvws.professionallyevil.com/

Drunk Admin Web Hacking Challenge

https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/

Exploit KB Vulnerable Web App

http://exploit.co.il/projects/vuln-web-app/

Foundstone Hackme Bank

http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx

Foundstone Hackme Books

http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx

Foundstone Hackme Casino

http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx

Foundstone Hackme Shipping

http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx

Foundstone Hackme Travel

http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx

GameOver

http://sourceforge.net/projects/null-gameover/

hackxor

http://hackxor.sourceforge.net/cgi-bin/index.pl

Hackazon

https://github.com/rapid7/hackazon

LAMPSecurity

http://sourceforge.net/projects/lampsecurity/

Moth

http://www.bonsai-sec.com/en/research/moth.php

NOWASP / Mutillidae 2

http://sourceforge.net/projects/mutillidae/

OWASP BWA

http://code.google.com/p/owaspbwa/

OWASP Hackademic

http://hackademic1.teilar.gr/

OWASP SiteGenerator

https://www.owasp.org/index.php/Owasp_SiteGenerator

OWASP Bricks

http://sourceforge.net/projects/owaspbricks/

OWASP Security Shepherd

https://www.owasp.org/index.php/OWASP_Security_Shepherd

PentesterLab

https://pentesterlab.com/

PHDays iBank CTF

http://blog.phdays.com/2012/05/once-again-about-remote-banking.html

SecuriBench

http://suif.stanford.edu/~livshits/securibench/

SentinelTestbed

https://github.com/dobin/SentinelTestbed

SocketToMe

http://digi.ninja/projects/sockettome.php

sqli-labs

https://github.com/Audi-1/sqli-labs

MCIR (Magical Code Injection Rainbow)

https://github.com/SpiderLabs/MCIR

sqlilabs

https://github.com/himadriganguly/sqlilabs

VulnApp

http://www.nth-dimension.org.uk/blog.php?id=88

PuzzleMall

http://code.google.com/p/puzzlemall/

WackoPicko

https://github.com/adamdoupe/WackoPicko

WAED

http://www.waed.info

WebGoat.NET

https://github.com/jerryhoff/WebGoat.NET/

WebSecurity Dojo

http://www.mavensecurity.com/web_security_dojo/

XVWA

https://github.com/s4n7h0/xvwa

Zap WAVE

http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip

Vulnerable Operating System Installations

21LTR

http://21ltr.com/scenes/

Damn Vulnerable Linux

http://sourceforge.net/projects/virtualhacking/files/os/dvl/

exploit-exercises - nebula, protostar, fusion

http://exploit-exercises.com/download

heorot: DE-ICE, hackerdemia

http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso http://hackingdojo.com/downloads/iso/De-ICE_S2.100.iso hackerdemia - http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso

Holynix

http://sourceforge.net/projects/holynix/files/

Kioptrix

http://www.kioptrix.com/blog/

LAMPSecurity

http://sourceforge.net/projects/lampsecurity/

Metasploitable

http://sourceforge.net/projects/virtualhacking/files/os/metasploitable/

neutronstar

http://neutronstar.org/goatselinux.html

PenTest Laboratory

http://pentestlab.org/lab-in-a-box/

Pentester Lab

https://www.pentesterlab.com/exercises

pWnOS

http://www.pwnos.com/

RebootUser Vulnix

http://www.rebootuser.com/?page_id=1041

SecGame # 1: Sauron

http://sg6-labs.blogspot.co.uk/2007/12/secgame-1-sauron.html

scriptjunkie.us

http://www.scriptjunkie.us/2012/04/the-hacker-games/

UltimateLAMP

http://www.amanhardikar.com/mindmaps/practice-links.html

TurnKey Linux

http://www.turnkeylinux.org/

Bitnami

https://bitnami.com/stacks

Elastic Server

http://elasticserver.com

OS Boxes

http://www.osboxes.org

VirtualBoxes

http://virtualboxes.org/images/

VirtualBox Virtual Appliances

https://virtualboximages.com/

CentOS

http://www.centos.org/

Default Windows Clients

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise https://dev.windows.com/en-us/microsoft-edge/tools/vms/

Default Windows Server

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

Default VMWare vSphere

http://www.vmware.com/products/vsphere/

Sites for Downloading Older Versions of Various Software

Exploit-DB

http://www.exploit-db.com/

Old Apps

http://www.oldapps.com/

Old Version

http://www.oldversion.com/

VirtualHacking Repo

sourceforge.net/projects/virtualhacking/files/apps%40realworld/

Sites by Vendors of Security Testing Software

Acunetix acuforum

http://testasp.vulnweb.com/

Acunetix acublog

http://testaspnet.vulnweb.com/

Acunetix acuart

http://testphp.vulnweb.com/

Cenzic crackmebank

http://crackme.cenzic.com

HP freebank

http://zero.webappsecurity.com

IBM altoromutual

http://demo.testfire.net/

Mavituna testsparker

http://aspnet.testsparker.com

Mavituna testsparker

http://php.testsparker.com

NTOSpider Test Site

http://www.webscantest.com/

Sites for Improving Your Hacking Skills

Embedded Security CTF

https://microcorruption.com

EnigmaGroup

http://www.enigmagroup.org/

Escape

http://escape.alf.nu/

Google Gruyere

http://google-gruyere.appspot.com/

Gh0st Lab

http://www.gh0st.net/

Hack This Site

http://www.hackthissite.org/

HackThis

http://www.hackthis.co.uk/

HackQuest

http://www.hackquest.com/

Hack.me

https://hack.me

Hacking-Lab

https://www.hacking-lab.com

Hacker Challenge

http://www.dareyourmind.net/

Hacker Test

http://www.hackertest.net/

hACME Game

http://www.hacmegame.org/

Halls Of Valhalla

http://halls-of-valhalla.org/beta/challenges

Hax.Tor

http://hax.tor.hu/

OverTheWire

http://www.overthewire.org/wargames/

PentestIT

http://www.pentestit.ru/en/

CSC Play on Demand

https://pod.cybersecuritychallenge.org.uk/

pwn0

https://pwn0.com/home.php

RootContest

http://rootcontest.com/

Root Me

http://www.root-me.org/?lang=en

Security Treasure Hunt

http://www.securitytreasurehunt.com/

Smash The Stack

http://www.smashthestack.org/

SQLZoo

http://sqlzoo.net/hack/

TheBlackSheep and Erik

http://www.bright-shadows.net/

ThisIsLegal

http://thisislegal.com/

Try2Hack

http://www.try2hack.nl/

WabLab

http://www.wablab.com/hackme

XSS: Can You XSS This?

http://canyouxssthis.com/HTMLSanitizer/

XSS Game

https://xss-game.appspot.com/

XSS: ProgPHP

http://xss.progphp.com/

CTF Sites / Archives

CAPTF Repo

http://captf.com/

CTFtime (Details of CTF Challenges)

http://ctftime.org/ctfs/

CTF write-ups repository

https://github.com/ctfs

Reddit CTF Announcements

http://www.reddit.com/r/securityctf

shell-storm Repo

http://shell-storm.org/repo/CTF/

VulnHub

https://www.vulnhub.com

Mobile Apps

Damn Vulnerable Android App (DVAA)

https://code.google.com/p/dvaa/

Damn Vulnerable FirefoxOS Application (DVFA)

https://github.com/pwnetrationguru/dvfa/

Damn Vulnerable iOS App (DVIA)

http://damnvulnerableiosapp.com/

ExploitMe Mobile Android Labs

http://securitycompass.github.io/AndroidLabs/

ExploitMe Mobile iPhone Labs

http://securitycompass.github.io/iPhoneLabs/

Hacme Bank Android

http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx

InsecureBank

http://www.paladion.net/downloadapp.html

NcN Wargame

http://noconname.org/evento/wargame/

OWASP iGoat

http://code.google.com/p/owasp-igoat/

OWASP Goatdroid

https://github.com/jackMannino/OWASP-GoatDroid-Project

Lab

binjitsu

https://github.com/binjitsu/binjitsu

CTFd

https://github.com/isislab/CTFd

Mellivora

https://github.com/Nakiami/mellivora

NightShade

https://github.com/UnrealAkama/NightShade

MCIR

https://github.com/SpiderLabs/MCIR

Docker

https://www.docker.com/

Vagrant

https://www.vagrantup.com/

NETinVM

http://informatica.uv.es/~carlos/docencia/netinvm/

SmartOS

https://smartos.org/

SmartDataCenter

https://github.com/joyent/sdc

vSphere Hypervisor

https://www.vmware.com/products/vsphere-hypervisor/

GNS3

http://sourceforge.net/projects/gns-3/

OCCP

https://opencyberchallenge.net/

XAMPP

https://www.apachefriends.org/index.html

Miscellaneous

VulnVPN

http://www.rebootuser.com/?page_id=1041

VulnVoIP

http://www.rebootuser.com/?page_id=1041

Vulnserver

http://www.thegreycorner.com/2010/12/introducing-vulnserver.html

NETinVM

http://informatica.uv.es/~carlos/docencia/netinvm/

DVRF

https://github.com/praetorian-inc/DVRF

HackSys Extreme Vulnerable Driver

http://www.payatu.com/hacksys-extreme-vulnerable-driver/

VirtuaPlant

https://github.com/jseidl/virtuaplant

Fosscomm

https://github.com/nikosdano/fosscomm

Morning Catch

http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

AWBO

https://labs.snort.org/awbo/awbo.html

There are other war games sites also. The sites whose core objective is hacking and available for free to all are in the above list. Rest of the sites focus mainly on software cracking, logic/puzzles and therefore not included in the hacking related list. More mindmaps and templates in the MindMaps section at http://www.amanhardikar.com/mindmaps.html

PreviousForensic ChallengesNextPKI

Last updated