Pentest lab vulnerable servers-applications list

» 14 September 2010 » In Uncategorized » 13 Comments

In this post I’m going to present some useful resources to learn about penetration testing and where to use exploitation tools and techniques in a safe and legal environment. This list contains a set of deliberately insecure LiveCDs, virtual machines and applications designed to be used as targets for enumeration, web exploitation, password cracking and reverse engineering.

If you have other links/distribution/virtual machines, please leave a comment.

List updated on 13/9/2011

UltimateLAMP

UltimateLAMP is an Ubuntu VM running vulnerable services and containing weak accounts.

The UltimateLAMP VM runs the following services: Postfix, Apache, MySQL, WordPress, TextPattern, Serendipity, MediaWiki, TikiWiki, PHP, Gallery, Moodle, PHPWebSite, Joomla, eGroupWare, Drupal, Php Bulletin Board, Sugar CRM, Owl, WebCalendar, Dot project, PhpAdsNew, Bugzilla, OsCommerce, ZenCart, PhpMyAdmin, Webmin, Mutillidae 1.5 (OWASP Top 10 Vulns)

UltimateLAMP download

WebGoat

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

http://www.owasp.org

Holynix
Similar to the De-ICE CDs and pWnOS, Holynix is an Ubuntu server VMware image that was deliberately built to have security holes for the purposes of penetration testing. It is more of an obstacle course than a real-world example.
http://pynstrom.net/index.php?page=holynix.php

WackoPicko

WackoPicko is a website that contains known vulnerabilities. It was first used for the paper "Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners", found at: http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf

https://github.com/adamdoupe/WackoPicko

De-ICE PenTest LiveCDs
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.
http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

Metasploitable

Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number of vulnerable packages are included, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL.
http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Owaspbwa
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.
http://code.google.com/p/owaspbwa/

Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
http://www.mavensecurity.com/web_security_dojo/

LAMPSecurity
LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.
http://sourceforge.net/projects/lampsecurity/files/

Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
www.dvwa.co.uk

Hacking-Lab
This is the Hacking-Lab LiveCD project. It is currently in beta stage. The live CD is a standardized client environment for solving the Hacking-Lab wargame challenges remotely.
http://www.hacking-lab.com/hl_livecd/

Moth
Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
http://www.bonsai-sec.com/en/research/moth.php

Exploit kb vulnerable web app
The exploit.co.il Vulnerable Web App is designed as a learning platform to test various SQL injection techniques. This is a fully functional web site with a content management system based on FCKeditor. You can download it as source code or pre-configured.
http://sourceforge.net/projects/exploitcoilvuln/

Gruyere

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you’ll learn the following:

- How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
- How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

http://google-gruyere.appspot.com/

Damn Vulnerable Linux (DVL)
Damn Vulnerable Linux is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.
http://www.damnvulnerablelinux.org

pWnOS
pWnOS is a VM image that provides a target on which to practice penetration testing; the end goal is to get root. It was designed to practice using exploits, with multiple entry points.

http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html

http://www.krash.in/bond00/pWnOS%20v1.0.zip

Virtual Hacking Lab
A mirror of deliberately insecure applications and old software with known vulnerabilities. Used for proof-of-concept, security training and learning purposes. Available as virtual images, live ISOs or standalone formats.
http://sourceforge.net/projects/virtualhacking/files/

Badstore
Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure.
http://www.badstore.net/

BodgeIt Store

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

http://code.google.com/p/bodgeit/

Hackademic Challenges

The OWASP Hackademic Challenges is an open source project that can be used to test and improve one’s knowledge of information system and web application security. The OWASP Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker’s perspective.

www.hackademic.eu

OWASP Vicnum Project

A flexible web app showing vulnerabilities such as cross-site scripting, SQL injection, and session management issues. Helpful to IT auditors honing web security skills and setting up ‘capture the flag’ games. Play the game at http://vicnum.ciphertechs.com

https://sourceforge.net/projects/vicnum/

Stanford SecuriBench

Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java.

http://suif.stanford.edu/~livshits/securibench/

Kioptrix

The Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.

http://www.kioptrix.com/blog/?page_id=135

Hackxor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat, but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.

http://hackxor.sourceforge.net

LAN domain and shares enumeration with Nmbscan

» 13 September 2010 » In Uncategorized » No Comments

About:
Nmbscan scans the shares of a NetBIOS/SMB network. It’s a handy tool when you need to enumerate NMB/SMB/NetBIOS/Windows hostnames, IP addresses, IP hostnames, ethernet MAC addresses, Windows usernames, NMB/SMB/NetBIOS/Windows domain names, and master browsers. This is another indispensable tool for acquiring information on a local area network for such purposes as security auditing.

http://freshmeat.net/projects/nmbscan/

Disclaimer:
This tool can cause harm to the normal operation of your network/servers if used improperly. Use this tool on your own networks/servers, or networks/servers for which you have been given permission to test. Before using this tool, please read the documentation available.

Installation (ubuntu 10.4):
apt-get install samba smbclient
wget http://packetstormsecurity.org/UNIX/scanners/nmbscan-1.2.6.tar.gz
tar xvfz nmbscan-1.2.6.tar.gz

Usage:
./nmbscan {-d|-m|-a}
-d show all domains
-m show all domains with master browsers
-a show all domains, master browsers, and hosts

./nmbscan {-h|-n} host1 [host2 [...]]
-h show information on hosts, known by ip name/address
-n show information on hosts, known by nmb name

Examples:

Enumerating all the domains:

./nmbscan -d
nmbscan version 1.2.6 – core – Mon Sep 13 10:14:22 UTC 2010
domain LAB
domain WORKGROUP

Enumerating all domains with master browsers:

./nmbscan -a
nmbscan version 1.2.6 – core – Sun Sep 12 21:20:52 UTC 2010
domain WORKGROUP
master-browser CORE 192.168.0.100 -
domain LAB
master-browser WSERVER2003 192.168.0.1 -

Enumerating all domains with master browsers and host information:

./nmbscan -a
nmbscan version 1.2.6 – core – Sun Sep 12 21:27:52 UTC 2010
domain WORKGROUP
master-browser CORE 192.168.0.100 -
domain LAB
master-browser WSERVER2003 192.168.0.1 -
server VMWARE-SERVER
ip-address 192.168.0.2
mac-address 00:0A:5E:53:6B:28
arp-mac-address 00:0A:5E:53:6B:28
server-software Samba 3.0.28a
operating-system Unix
share vmware
share-type Disk
share IPC$
share-type IPC
share-comment IPC Service (Vmware Server 3.0.28a)
server WSERVER2003
ip-address 192.168.0.1
mac-address 00:0C:29:5F:ED:2E
smb-mac-address 00:0C:29:5F:ED:2E
arp-mac-address 00:0C:29:5F:ED:2E
server-software Windows Server 2003 5.2
operating-system Windows Server 2003 3790
share IPC$
share-type IPC
share-comment Remote IPC
share NETLOGON
share-type Disk
share-comment Logon server share
share projects
share-type Disk
share Desktop
share-type Disk
share ADMIN$
share-type Disk
share-comment Remote Admin
share SYSVOL
share-type Disk
share-comment Logon server share
share C$
share-type Disk
share-comment Default share
server SEC
ip-address 192.168.0.28
server-software Samba 3.4.7
operating-system Unix
share IPC$
share-type IPC
share-comment IPC Service (Secure Server 3.4.7)
share finance
share-type Disk
share-comment Corporate finance
share doc
share-type Disk
share-comment Corporate documentation
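The `nmbscan -a` output above is a plain key/value listing, one attribute per line. As an added example (Python, not part of nmbscan or of the original post), the script below parses that format into one record per server and reports the two things worth reviewing after such a scan from the defender's side: Disk shares beyond the default administrative ones, and hosts whose SMB-reported MAC address disagrees with the MAC seen via ARP. The sample input is a constructed, abbreviated copy of the post's output in which SEC's ARP MAC has been altered so that the mismatch check has something to find.

```python
# Constructed sample of `nmbscan -a` output (abbreviated from the post above);
# SEC's arp-mac-address is deliberately altered so the MAC check fires.
SAMPLE = """\
  domain LAB
    server WSERVER2003
      ip-address 192.168.0.1
      smb-mac-address 00:0C:29:5F:ED:2E
      arp-mac-address 00:0C:29:5F:ED:2E
      share projects
        share-type Disk
      share C$
        share-type Disk
    server SEC
      ip-address 192.168.0.28
      smb-mac-address 00:0A:5E:53:6B:28
      arp-mac-address 00:0A:5E:53:6B:29
      share IPC$
        share-type IPC
      share finance
        share-type Disk
        share-comment Corporate finance
"""

def parse_nmbscan(text):
    """Flatten `nmbscan -a` output into one dict per server, shares included."""
    servers, domain, srv, share = [], None, None, None
    for line in text.splitlines():
        parts = line.split(None, 1)            # "key value", indentation dropped
        if len(parts) != 2:
            continue                           # blank or value-less line
        key, value = parts
        if key == "domain":
            domain, srv, share = value, None, None
        elif key == "server":
            srv, share = {"name": value, "domain": domain, "shares": {}}, None
            servers.append(srv)
        elif key == "share" and srv:
            share = srv["shares"].setdefault(value, {})
        elif key.startswith("share-") and share is not None:
            share[key[6:]] = value             # share-type -> type, share-comment -> comment
        elif srv:
            srv[key] = value                   # ip-address, smb-mac-address, ...
    return servers

ADMIN_SHARES = {"IPC$", "ADMIN$", "C$", "NETLOGON", "SYSVOL"}  # defaults seen in the post

def review(servers):
    """Return (non-default Disk shares, servers whose SMB and ARP MACs disagree)."""
    shares, mismatches = [], []
    for srv in servers:
        for name, attrs in srv["shares"].items():
            if attrs.get("type") == "Disk" and name not in ADMIN_SHARES:
                shares.append((srv["domain"], srv["name"], srv.get("ip-address"), name))
        smb, arp = srv.get("smb-mac-address"), srv.get("arp-mac-address")
        if smb and arp and smb.lower() != arp.lower():
            mismatches.append((srv["name"], smb, arp))
    return shares, mismatches
```

Feed it the saved output of a real run (`./nmbscan -a > scan.txt`) and the share list becomes a quick inventory of what is exposed on the LAN; a MAC mismatch is worth a closer look, since it can indicate a virtual or NAT'd host or an ARP table that does not match what the SMB server claims.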

Hyenae, a clusterable packet generator

» 10 September 2010 » In Uncategorized » No Comments

About:
Hyenae is a highly flexible, platform-independent network packet generator. This tool allows penetration testers and network administrators to reproduce several MITM, DoS and DDoS attack scenarios. The Hyenae suite comes with a clusterable remote daemon for setting up distributed attack networks.

https://sourceforge.net/projects/hyenae/

DISCLAIMER: This tool can cause harm to the normal operation of your network/servers if used improperly. Use this tool on your own networks/servers, or networks/servers for which you have been given permission to test. Before using this tool, please read the documentation available.

Main Features:

* Platform independence
* Assisted ARP-Request flood setup
* Assisted ARP-Cache poisoning setup
* Assisted ICMP-Echo flood setup
* Assisted ICMP-Smurf attack setup
* Assisted ICMP based TCP-Connection reset setup
* Assisted TCP-SYN flood setup
* Assisted TCP-Land attack setup
* Assisted Blind TCP-Connection reset setup
* Assisted UDP flood setup
* Assisted DNS-Query flood setup
* Assisted DHCP-Discover flood setup
* Assisted Cisco HSRP active router hijacking setup
* Customizable ARP-Reply based attacks
* Customizable PPPoE-Discover based attacks
* Customizable ICMP-Echo based attacks (IPv4 and IPv6)
* Customizable ICMP “Destination Unreachable” based attacks (IPv4)
* Customizable TCP based attacks (IPv4 and IPv6)
* Customizable UDP based attacks (IPv4 and IPv6)
* Daemon for setting up remote attack networks

Installation:

apt-get install build-essential checkinstall libdumbnet-dev libpcap0.8-dev
wget http://packetstormsecurity.org/UNIX/scanners/hyenae-0.35-2.tar.gz
tar xvfz hyenae-0.35-2.tar.gz
cd hyenae-0.35-2/
./configure
make
checkinstall
dpkg -i hyenae-0.35_2-1_i386.deb

Usage:

hyenae --help

DNS-Query flood
# hyenae -I 3 -a dns-query -s %-% -d 00:f0:21:03:c6:00-192.168.0.1 -y www.google.com

TCP-Land Attack
# hyenae -I 3 -a tcp -f s -s 00:f0:21:03:c6:00-192.168.0.1@139 -d 00:f0:21:03:c6:00-192.168.0.1@139 -c 1

Netrecon, a lightweight network tool

» 09 September 2010 » In Uncategorized » 1 Comment

Netrecon is a small network scan/recon tool that can perform fast network investigations. Netrecon isn’t a replacement for nmap and tcpdump, but can be considered an addition to the *nix network toolbox.

DISCLAIMER: This tool can cause harm to the normal operation of your network/servers if used improperly. Use this tool on your own networks/servers, or networks/servers for which you have been given permission to test. Before using this tool, please read the documentation available.

The main features included are:

- Ping-like only fast connect/select check
- Precheck support (skips dead hosts) and keeps going
- Tiny footprint with only one dependency (pcap) for the sniffer
- Easy to use and modify for your own systems
- Simple port range support e.g. -p 23 or -p 22-80
- Fine grained timeout support in seconds, useconds or both
- Fast by default but able to do non-strobes (past port 1024/no service mapping)
- Optional full tcp connect for every port
- Very fast packet watching capability with a tiny footprint
- Simple subnet specification in the form of x.x.x.x-X
- ipv6 support (EXPERIMENTAL)
- Session dump capability using libpcap during scans in parallel
- Simple packet payload decoding in ascii
- Added ARP traffic monitoring
- Passive TCPIP port/host data collection

Installation:

apt-get install build-essential libpcap0.8 libpcap-dev
wget http://www.packetstormsecurity.org/UNIX/utilities/netrecon-1.78.tgz
tar xvfz netrecon-1.78.tgz
cd netrecon-1.78
make linux
make install

Usage:

Using netrecon:

./netrecon

Usage: netrecon <command> <args> …
netrecon scan --ping --conn --dgram --port n-N --time s.ms --extra -V {target}
netrecon scan6 --dgram --port N {ipv6addr}
netrecon passive --if <dev> --threshold <n> --polls <count> --extra {pcap-expr}
netrecon tcpdump --if <dev> --polls <count> --decode {pcap-expr}
netrecon arpsniff --if <dev> --polls <count> --decode {pcap-expr}

Example:

./netrecon scan 192.168.1.1
Host 192.168.1.1
22    ssh
53    domain
80    www
443   https

./netrecon scan --ping 192.168.1.1
Timeout: 2.0
Scan start: Thu Sep  9 15:50:04 2010
Host 192.168.1.1 is alive
Scan start: Thu Sep  9 15:50:04 2010
Scan end  : Thu Sep  9 15:50:04 2010

./netrecon arpsniff --if eth0

Shame on you facebook.

» 09 September 2010 » In Uncategorized » 1 Comment

Facebook has again suspended the webpage www.facebook.com/savebradley. This support page was established by a grassroots and spontaneous movement to coordinate and give support to Private First Class Bradley E. Manning, the alleged leaker of U.S. classified information. A 2007 video of a US attack helicopter brutally murdering civilians and journalists in Baghdad was part of the leaked documents. The page had already been suspended at the end of July; after a formal complaint to Facebook, it was restored within a few days.

UPDATE: This is the copy of the complaint sent to legal@facebook.com

Dear Administrator,

www.facebook.com/savebradley has been suspended by Facebook.  We cannot post content and the URL is dead.  There is no ability to post links.

We are receiving the following message

“Your publishing rights have been blocked due to a violation of the Pages Terms of Use http://www.facebook.com/terms_pages.php.”

However we have not been informed how our page violated Facebook’s pages terms of use and we maintain that we are in compliance with said terms. Please inform us as soon as possible regarding our alleged violation and actions we can take to correct this.  We request that you re-enable publishing rights and the www.facebook.com/savebradley url immediately.

Sincerely


If you type the URL:

www.facebook.com/savebradley

You will get back:

The page you requested was not found. You may have clicked an expired link or mistyped the address.

Through an alternative url it is possible to reach the page https://www.facebook.com/pages/savebradley/114129961964452 but on top of the page you get this message:

Your publishing rights have been blocked due to a violation of the Pages Terms of Use.

Is this another attempt to censor the savebradley support page?

Links:

www.bradleymanning.org

en.wikipedia.org/wiki/Bradley_Manning
