Vulnerable webapps and VMs for penetration testing practice: my own list

A list that may be useful to readers that are studying for a certification exam or, more simply, to those who just want to have fun!

Google Gruyere

Gruyere is a Google project to teach web application exploitation and defense. The simulation is hosted entirely online: a new, dedicated instance is created every time you visit the platform.

Metasploitable 2, Metasploitable 3

Metasploitable is a part of the Metasploit Unleashed. Currently, there is metasploitable 2, hosting a huge variety of vulnerable services and applications based on Ubuntu 8.04, and there is a newer Metasploitable 3 that is Windows Server 2008, or Ubuntu 14.04 based.

OWASP BWA

The OWASP Broken Webapps project is a VM that contains a whole host of vulnerable web applications. The link provided lands to sourceforge to download the VM. The OWASP project page can be found here.

OWASP Vulnerable Web Applications Directory Project

A list of all of the intentionally vulnerable webapps that OWASP provides and maintains.

Over the Wire

OverTheWire is a collection of online “Wargames” where the goal is to solve a puzzle or challenge in order to gain access to the next system in the series of challenges. Access to the challenges is totally free.

Counterhack Holiday Hack Challenge

Every year, right around the Christmas/New Years holidays, the counterhack team release a yearly holiday hack challenge. They archived the challenges over the previous years and allow students to access them, as well as the answers to the challenges in the event that you get stuck.

Vulnhub

Vulhub is a website that contains a massive collection of vulnerable virtual machines. The end goal is to go from zero access on the system, all the way to root access. All of the VMs I have seen on vulnhub usually provide a link labeled “walkthroughs” that will link to a walkthrough on how to solve the various puzzles for that VM.

Hack The Box

Hack the box is a website that allows you to access an online semi-persistent wargame environment, with a variety of virtual machines that all have some sort of a theme, or methodology for hacking them.

Malware Traffic Analysis

Malware Traffic Analysis is, as the name of the site implies, a website dedicated to the analysis of malware and the collection of network artifacts that malware leaves behind, but also a collection of exercises with alerts, packet captures and quiz questions.

Honeynet Challenges

The Honeynet Project is a website dedicated to the creation of honeypot projects that can be used to collect information from attackers. The project has a collection of challenges and exercises from various Data Forensics and Incident Response (DFIR) challenges.