It’s very difficult for the beginner security analyst, mainly the ones interested in the area of pentesting, to find good study pentesting resources. Starting from the principle that in pentesting there are many other sub areas of study, it becomes more and more difficult to choose and then find a proper pentesting study application.

As the beginner knows nearly nothing it became very difficult to prepare a Home Pentesting Lab for study, once that beginners has to know something about coding a vulnerable application fisrt, then exploit them.

Thinking about that i’ve decided to gather a list, the most complete I could, with all vulnerable pentesting tools I could find. They are categorized based on the type of application like Web Pentesting, War Games and Insecure Distributions. Due to the amount of tools I won’t be doing any previews because it would delay this post a lot and make it a little boring to read. I’m gonna review every tool with complete labs later on in future posts.

As I don’t know every pentesting tool in the planet, feel free to contact me if you remember any application, in fact I would much appreciate it. And I apologize if I miscategorized some of them, feel free to tell me when I’ve done that so i can correct that.

Note that this post intends to show only vulnerable applications used to be exploited, not the tools used to exploit them.

Web Pentesting

Application Name	Company/Developer	URL
OWASP WebGoat	OWASP	http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP Vicnum	OWASP	http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
OWASP InsecureWebApp	OWASP	http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
Web Security DOJO	Maven Security Consulting	http://www.mavensecurity.com/web_security_dojo/
Gruyere (antigo Codelab / Jalsberg)	Google	http://google-gruyere.appspot.com/
Hacme Game	NTNU	http://hacmegame.org/
SPI Dynamics	SPI Dynamics	http://zero.webappsecurity.com/
Acunetix 1	Acunetix	http://testphp.vulnweb.com/
Acunetix 2	Acunetix	http://testasp.vulnweb.com/
Acunetix 3	Acunetix	http://testaspnet.vulnweb.com/
PCTechtips Challenge	PC Tech Tips	http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/
Damn Vulnerable Web Application	DVWA	http://dvwa.co.uk/
Mutillidae	Iron Geek	http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
The Butterfly Security Project	The Butterfly Security	http://sourceforge.net/projects/thebutterflytmp/
Hacme Casino	McAfee	http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Hacme Bank 2.0	McAfee	http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Updated HackmeBank	McAfee	http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
Hacme Books	McAfee	http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Hacme Travel	McAfee	http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
Hacme Shipping	McAfee	http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Moth	Bonsai Sec	http://www.bonsai-sec.com/en/research/moth.php
Stanford SecuriBench	Standford	http://suif.stanford.edu/%7Elivshits/securibench/
SecuriBench Micro	Standford	http://suif.stanford.edu/%7Elivshits/work/securibench-micro/
BadStore	BadStore	http://www.badstore.net/
WebMaven/Buggy Bank	Maven Security	http://www.mavensecurity.com/webmaven
EnigmaGroup	Enigma Group	http://enigmagroup.org/
XSS Encoding Skills – x5s (Casaba Watcher)	X5S	http://www.nottrusted.com/x5s/
Exploit- DB	Exploit DB	http://www.exploit-db.com/webapps
The Bodgeit Store	The Bodgeit Store	http://code.google.com/p/bodgeit/
LampSecurity	MadIrish	http://sourceforge.net/projects/lampsecurity/
hackxor	Hackxor	http://hackxor.sourceforge.net/cgi-bin/index.pl
WackoPicko	WackoPicko	https://github.com/adamdoupe/WackoPicko
RSnake’s Vulnerability Lab	RSnake	http://ha.ckers.org/weird/

 

War Games

Application Name	Company / Developer	URL
Hell Bound Hackers	Hell Bound Hackers	http://hellboundhackers.org/
Vulnerability Assessment	Kevin Orrey	http://www.vulnerabilityassessment.co.uk/
Smash the Stack	Smash the Stack	http://www.smashthestack.org/
Over the Wire	Over the Wire	http://www.overthewire.org/wargames/
Hack This Site	Hack This Site	http://www.hackthissite.org/
Hacking Lab	Hacking Lab	https://www.hacking-lab.com/
We Chall	We Chall	https://www.wechall.net/
REMnux	REMnux	http://zeltser.com/remnux/

 

Insecure Distributions

Application Name	Company / Developer	URL
Damm Vulnerable Linux	DVL	http://www.damnvulnerablelinux.org/
Metasploitable	Offensive Security	http://blog.metasploit.com/2010/05/introducing-metasploitable.html
de-ICE	Hacker Junkie	http://www.de-ice.net/
Moth	Bonsai Security Software	http://www.bonsai-sec.com/en/research/moth.php
PwnOS	Niel Dickson	http://www.neildickson.com/os/
Holynix	Pynstrom	http://pynstrom.net/holynix.php

Reference:http://www.felipemartins.info/2011/05/pentesting-vulnerable-study-frameworks-complete-list/