April 15, 2015

This one deserves a post. A nice guy who teaches Web Application Security to Universities has developed an awesome VMware image with a lot of vulnerable Web Applications. He has combined a lot of the common vulnerable Web Apps such as DVWA and OWASP Bricks into a single bootable bundle.

A lot of the Web Apps come with complete course modules where Penetration Testers can run through modules in a course style environment. Best of all. It’s completely free, fun and safe.

Students can practice simple stuff such as HTML GET and POST manipulation, LFI/RFI to advanced Javascript vulnerabilities, Cross Site Scripting (XSS) and SQL Injection. You can test automated tools such as Burp Suite, Nikto, OWASP-ZAP, Netstalker etc. You can use Firefox Pentesting plugins all the way to manual testing.

A special funny highlight is the OWASP Hackademic Challenges Project where you become a little Cyber agent with tasks of gaining access to websites, find hidden files etc.

IMHO, working with such vulnerable distributions is a LOT more valuable to Penetration Testers than reading and understanding dry theory and concepts. Penetration Testing is all about being able to face challenges and to be able to do Pentesting not just understanding the concepts.

You can download the VMware image here:



Vulnerable machines for Pentesters

Author: Martin Voelk
December 19, 2014

Often our customers and fellow Penetration Testers ask us: Where can you test Penetration Testing tools against? We don’t wanna break anything on our live systems. Fortunately there are free great open source distributions out there which allow you to test Pentesting tools against, run you customised exploits against etc.

These days more and more servers become virtualised with VMware and other virtualisation software. It has never been that easy for Pentest professionals and aspiring Pentesters to hone their skills against vulnerable machines. If you can get your hands on a Windows XP distribution, great. If not we highly suggest to download Metasploitable 2. A distribution left intentionally vulnerable for testing purposes. Easily deployed on a VMware and the victim machine is ready to be attacked.

You can download Metasploitable 2 here: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/ 

It come with tons of in-built vulnerabilities to be exploited. Those range from common FTP server vulnerabilities to complex Cross Site Scripting and SQL injection vulnerabilities on Web Applications. Ideal to test, play with and practice skills.

Have a great weekend everybody.