47

I am learning to use Metasploit as part of one of my college lessons. As you may know there are software builds like NOWASP (Mutillidae) or Damn Vulnerable Linux that allow you to exercise on pentest or similar things. I have heard that in order the payloads to work the target-victim should run its PC as server. I have tried to set up a server in to the same machine (through Virtualbox) and make it as target but it failed. So, do you know if there is a server or something similar to allow me practice (legally, against test systems)?

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
py_script
  • 781
  • 2
  • 7
  • 10
  • 1
    Why did using VirtualBox not work? Did you set up the networking correctly (adding a host-only adapter to the VM)? – yfeldblum Jan 19 '11 at 16:13
  • 6
    check out "How to set up a pentesting lab" by rapid 7 http://blog.rapid7.com/?p=5791 – Tate Hansen Jan 20 '11 at 02:58
  • 1
    I think you're asking for a real live server out there run by someone else that invites you to legally hack on it. But most answers are about hackable server distributions that you could install locally and hack on yourself, which is what you said you failed with. Can you edit your question to clarify whether you want this question to address one or the other? Each is of potential interest. – nealmcb Jan 20 '11 at 15:54
  • Hi guys, sorry for not responding yesterday but there were some emergent tasks to do.@Justice, I am not sure but if it helps the virtual os can connect to the internet.@Tane Hansen, thank you I will check out.@nealmcb.Both of them...if you ask me for one I prefer to test my skills on a real server. – py_script Jan 21 '11 at 17:09

5 Answers5

46

http://www.irongeek.com/i.php?page=security/wargames

WebGoat. WebGoat is a set of deliberately insecure Java server pages

http://www.hackthissite.org/

http://www.smashthestack.org/wargames

from their FAQ:

The Smash the Stack Wargaming Network hosts several Wargames. A Wargame in our context can be described as an ethical hacking environment that supports the simulation of real world software vulnerability theories or concepts and allows for the legal execution of exploitation techniques. Software can be an Operating System, network protocol, or any userland application.

http://www.astalavista.com/page/wargames.html

http://www.governmentsecurity.org/forum/index.php?showtopic=15442

http://www.overthewire.org/wargames/

the list is long... some are up, some not...

Update 26 Feb 2011, i found a nice post from http://r00tsec.blogspot.com/2011/02/pentest-lab-vulnerable-servers.html . Some links might be broken. I copy from there:

Holynix Similar to the de-ice Cd’s and pWnOS, holynix is an ubuntu server vmware image that was deliberately built to have security holes for the purposes of penetration testing. More of an obstacle course than a real world example. http://pynstrom.net/index.php?page=holynix.php

WackoPicko WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners found: http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf https://github.com/adamdoupe/WackoPicko

De-ICE PenTest LiveCDs The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs. http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

Metasploitable Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql. http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Owaspbwa Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications. http://code.google.com/p/owaspbwa/

Web Security Dojo A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo http://www.mavensecurity.com/web_security_dojo/

Lampsecurity LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach linux,apache,php,mysql security. http://sourceforge.net/projects/lampsecurity/files/

Damn Vulnerable Web App (DVWA) Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. www.dvwa.co.uk

Hacking-Lab This is the Hacking-Lab LiveCD project. It is currently in beta stadium. The live-cd is a standardized client environment for solving our Hacking-Lab wargame challenges from remote. http://www.hacking-lab.com/hl_livecd/

Moth Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for: http://www.bonsai-sec.com/en/research/moth.php

Damn Vulnerable Linux (DVL) Damn Vulnerable Linux is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students. http://www.damnvulnerablelinux.org

pWnOS pWnOS is on a "VM Image", that creates a target on which to practice penetration testing; with the “end goal” is to get root. It was designed to practice using exploits, with multiple entry points http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html http://www.krash.in/bond00/pWnOS%20v1.0.zip

Virtual Hacking Lab A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats. http://sourceforge.net/projects/virtualhacking/files/

Badstore Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. http://www.badstore.net/

Katana Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications; such as Wireshark, Metasploit, NMAP, Cain & Able, and many more. www.hackfromacave.com/katana.html

Bob Ortiz
  • 6,339
  • 9
  • 45
  • 91
labmice
  • 1,338
  • 1
  • 9
  • 11
  • of course. WebGoat is just a vulnerable server. All other links have info (ip, user/password etc) about real (physical or virtual) servers. And most of them are up-to-date. With all hotfixes and patches installed. Its like the real thing. The owner gets to know the 0day method you used to 0wn it. There is no description about all these servers. You should visit each link and read the FAQ or terms/EULA etc. :-( – labmice Jan 19 '11 at 16:26
20

There's a couple of options for setting up a test network to work on. There's a good list of known vulnerable operating systems in this question, which includes DVL and Metasploitable.

In terms of getting them set-up as servers on your network you primarily need some working virtualization software.

Not sure what the problems you're having with Virtualbox are, you could try VMWare Player. It's a free, and relatively straightforward virtualization system, which should allow you to install the vulnerable operating systems mentioned above. Once you've got it working, you should be able to install the software into virtual machines which will be accessible from your host machine over a virtual network, and you should be able to test on those.

Rory McCune
  • 61,541
  • 14
  • 140
  • 221
16

Metasploitable and UltimateLAMP-0.2 are great target virtual machines to test against.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
HD Moore
  • 161
  • 2
  • 1
    additional info always welcome to help the poster (eg links, implementation gotchas, or in this case any guidance on setting one up) - although in saying that, VMWare with Metasploitable is just a case of follow the readme :-) – Rory Alsop Jan 19 '11 at 19:37
7

I have tried to set up a server in to the same machine (through virtualbox) and make it as target but it failed

Using virtual machines is probably the right way to solve the problem - if you'd said why you'd failed to get these up and running, then maybe you could get some help solving these problems (serverfault might be a more appropriate place to discuss building vms).

symcbean
  • 18,418
  • 40
  • 74
4

Just for fun I'll note that there was a great live public test of an Internet Voting package before the 2010 election in DC. But its over now so you can't join in the fun.

It helped some security researchers at the University of Michigan teach election administrators some great lessons on how Internet Voting is a world-class unsolved security problem though. See also Dangers of Internet Voting Confirmed | Verified Voting Blog

nealmcb
  • 20,693
  • 6
  • 71
  • 117