... neuere Einträge
Wednesday, 6. July 2011
Pentest - (Offline) Web Based
Am Wednesday, 6. Jul 2011 im Topic 'Pentest'
Name: BadStore
Homepage: http://www.badstore.net/
Brief description: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.
Version/Levels: 1 (v1.2)
Name: BodgeIT
Homepage: https://code.google.com/p/bodgeit/
Brief description: The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
Version/Levels: 1 (v1.1.0)
Name: Damn Vulnerable Web App
Homepage: http://www.dvwa.co.uk/
Brief description: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Version/Levels: 1 (v1.0.7)
Name: Hacking-Lab
Homepage: http://www.hacking-lab.com/
Brief description: This ist the LiveCD project of Hacking-Lab (www.hacking-lab.com). It gives you OpenVPN access into Hacking-Labs Remote Security Lab. The LiveCD iso image runs very good natively on a host OS, or within a virtual environment (VMware, VirtualBox).
The LiveCD gives you OpenVPN access into Hacking-Lab Remote.You will gain VPN access if both of the two pre-requirements are fulfilled.
Version/Levels: 1 (v5.30)
Name: HackUS HackFest Web CTF
Homepage: http://hackus.org/en/media/training/
Brief description: The Hackfest is an annual event held in Quebec city. For each event, a competition is held where participants competed at solving challenges related to security. For the 2010 edition, I got involved in the competition by creating the web portion of the competition.
Version/Levels: 1 (2010)
Name: Hacme
Homepage: http://www.mcafee.com/us/downloads/free-tools/index.aspx
Brief description: Foundstone Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.
Version/Levels: 5 (2006)
Name: Hackxor
Homepage: http://hackxor.sourceforge.net/cgi-bin/index.pl
Brief description: Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc
Version/Levels: 1
Name: LAMPSecurity
Homepage: http://sourceforge.net/projects/lampsecurity/
Brief description: Foundstone Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.
Version/Levels: v6 (4x)
Name: Moth
Homepage: http://www.bonsai-sec.com/en/research/moth.php
Brief description: Moth is a VMware image with a set of vulnerable Web Applications and scripts.
Version/Levels: v6
Name: Mutillidae
Homepage: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Brief description: Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10
Version/Levels: v1.5
Name: Open Web Application Security Project (OWASP) Broken Web Applications Project
Homepage: https://code.google.com/p/owaspbwa/ or https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Brief description: This project includes applications from various sources (listed in no particular order).
Name: SecuriBench
Homepage: http://suif.stanford.edu/~livshits/securibench/
Brief description: Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java
Version/Levels: v0.91a
Name: UltimateLAMP
Homepage: http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/
Brief description: UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products. UltimateLAMP runs as a Virtual Machine with VMware Player (FREE). This demonstration package also enables the recording of all user entered information for later reference, indeed you will find a wealth of information already available within a number of the Product Recommendations starting with the supplied Documentation.
Version/Levels: v0.2
Name: Vicnum
Homepage: http://vicnum.ciphertechs.com/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1.4 (2009)
Name: Virtual Hacking Lab
Homepage: http://virtualhacking.sourceforge.net/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1
Name: WackoPicko
Homepage: https://github.com/adamdoupe/WackoPicko
Brief description: WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
Version/Levels: 1
Name: WebGoat
Homepage: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Brief description: WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
Version/Levels: 1
Name: WebMaven
Homepage: http://www.mavensecurity.com/WebMaven/
Brief description: WebMaven (better known as Buggy Bank) was an interactive learning environment for web application security. It emulated various security flaws for the user to find. This enabled users to safely & legally practice web application vulnerability assessment techniques. In addition, users could benchmark their security audit tools to ensure they perform as advertised.
Version/Levels: 1.0.1
Name: Web Security Dojo
Homepage: http://www.mavensecurity.com/web_security_dojo/
Brief description: A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.1, which is patched with the appropriate updates and VM additions for easy use.
Version 1.1 includes an exclusive speed-enhanced version of Burp Suite Free. Special thanks to PortSwigger .
Version/Levels: 1
Homepage: http://www.badstore.net/
Brief description: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.
Version/Levels: 1 (v1.2)
Name: BodgeIT
Homepage: https://code.google.com/p/bodgeit/
Brief description: The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
Version/Levels: 1 (v1.1.0)
Name: Damn Vulnerable Web App
Homepage: http://www.dvwa.co.uk/
Brief description: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Version/Levels: 1 (v1.0.7)
Name: Hacking-Lab
Homepage: http://www.hacking-lab.com/
Brief description: This ist the LiveCD project of Hacking-Lab (www.hacking-lab.com). It gives you OpenVPN access into Hacking-Labs Remote Security Lab. The LiveCD iso image runs very good natively on a host OS, or within a virtual environment (VMware, VirtualBox).
The LiveCD gives you OpenVPN access into Hacking-Lab Remote.You will gain VPN access if both of the two pre-requirements are fulfilled.
Version/Levels: 1 (v5.30)
Name: HackUS HackFest Web CTF
Homepage: http://hackus.org/en/media/training/
Brief description: The Hackfest is an annual event held in Quebec city. For each event, a competition is held where participants competed at solving challenges related to security. For the 2010 edition, I got involved in the competition by creating the web portion of the competition.
Version/Levels: 1 (2010)
Name: Hacme
Homepage: http://www.mcafee.com/us/downloads/free-tools/index.aspx
Brief description: Foundstone Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.
Version/Levels: 5 (2006)
Name: Hackxor
Homepage: http://hackxor.sourceforge.net/cgi-bin/index.pl
Brief description: Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc
Version/Levels: 1
Name: LAMPSecurity
Homepage: http://sourceforge.net/projects/lampsecurity/
Brief description: Foundstone Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.
Version/Levels: v6 (4x)
Name: Moth
Homepage: http://www.bonsai-sec.com/en/research/moth.php
Brief description: Moth is a VMware image with a set of vulnerable Web Applications and scripts.
Version/Levels: v6
Name: Mutillidae
Homepage: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Brief description: Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10
Version/Levels: v1.5
Name: Open Web Application Security Project (OWASP) Broken Web Applications Project
Homepage: https://code.google.com/p/owaspbwa/ or https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Brief description: This project includes applications from various sources (listed in no particular order).
Name: SecuriBench
Homepage: http://suif.stanford.edu/~livshits/securibench/
Brief description: Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java
Version/Levels: v0.91a
Name: UltimateLAMP
Homepage: http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/
Brief description: UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products. UltimateLAMP runs as a Virtual Machine with VMware Player (FREE). This demonstration package also enables the recording of all user entered information for later reference, indeed you will find a wealth of information already available within a number of the Product Recommendations starting with the supplied Documentation.
Version/Levels: v0.2
Name: Vicnum
Homepage: http://vicnum.ciphertechs.com/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1.4 (2009)
Name: Virtual Hacking Lab
Homepage: http://virtualhacking.sourceforge.net/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1
Name: WackoPicko
Homepage: https://github.com/adamdoupe/WackoPicko
Brief description: WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
Version/Levels: 1
Name: WebGoat
Homepage: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Brief description: WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
Version/Levels: 1
Name: WebMaven
Homepage: http://www.mavensecurity.com/WebMaven/
Brief description: WebMaven (better known as Buggy Bank) was an interactive learning environment for web application security. It emulated various security flaws for the user to find. This enabled users to safely & legally practice web application vulnerability assessment techniques. In addition, users could benchmark their security audit tools to ensure they perform as advertised.
Version/Levels: 1.0.1
Name: Web Security Dojo
Homepage: http://www.mavensecurity.com/web_security_dojo/
Brief description: A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.1, which is patched with the appropriate updates and VM additions for easy use.
Version 1.1 includes an exclusive speed-enhanced version of Burp Suite Free. Special thanks to PortSwigger .
Version/Levels: 1
Pentest - Forensic
Am Wednesday, 6. Jul 2011 im Topic 'Pentest'
Name: Digital Forensics Tool Testing Images
Homepage: http://dftt.sourceforge.net/
Brief description: To fill the gap between extensive tests from NIST and no public tests, I have been developing small test cases. The following are file system and disk images for testing digital (computer) forensic analysis and acquisition tools.
Version/Levels: 14
Name: Digital Corpora - DiskImages & Scenarios
Homepage: http://digitalcorpora.org/corpora/disk-images & http://digitalcorpora.org/corpora/scenarios
Brief description: We have many sources of disk images available for use in education and research. The easiest disk images to work with are the NPS Test Disk Images.
Scenarios are collections of multiple disk images, memory dumps, network traffic, and/or data from portable devices.
Version/Levels: 3 + 7
Name: DFRWS 2011 Forensics Challenge
Homepage: http://www.dfrws.org/2011/challenge/
Brief description: Given the variety and impending ubiquity of Android devices along with the wide range of crimes that can involve these systems as a source of evidence, the DFRWS has created two scenarios for the forensics challenge in 2011.
Version/Levels: 2
Name: ForensicKB
Homepage: http://www.forensickb.com/search/label/Forensic%20Practical
Brief description: We have many sources of disk images available for use in education and research. The easiest disk images to work with are the NPS Test Disk Images.
Version/Levels: Level 1, Level 2, Level 3, Level 4
Name: Honeynet Project Challenges
Homepage: https://www.honeynet.org/challenges
Brief description: The purpose of Honeynet Challenges is to take this learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Challenges give the security community the opportunity to analyze these attacks and share their findings. The end results is not only do individuals and organizations learn about threats, but how to learn and analyze them. Even better, individuals can see the write-ups from other individuals, learning new tools and technique for analyzing attacks. Best of all, these attacks are from the wild, real hacks.
Version/Levels: 8
Homepage: http://dftt.sourceforge.net/
Brief description: To fill the gap between extensive tests from NIST and no public tests, I have been developing small test cases. The following are file system and disk images for testing digital (computer) forensic analysis and acquisition tools.
Version/Levels: 14
Name: Digital Corpora - DiskImages & Scenarios
Homepage: http://digitalcorpora.org/corpora/disk-images & http://digitalcorpora.org/corpora/scenarios
Brief description: We have many sources of disk images available for use in education and research. The easiest disk images to work with are the NPS Test Disk Images.
Scenarios are collections of multiple disk images, memory dumps, network traffic, and/or data from portable devices.
Version/Levels: 3 + 7
Name: DFRWS 2011 Forensics Challenge
Homepage: http://www.dfrws.org/2011/challenge/
Brief description: Given the variety and impending ubiquity of Android devices along with the wide range of crimes that can involve these systems as a source of evidence, the DFRWS has created two scenarios for the forensics challenge in 2011.
Version/Levels: 2
Name: ForensicKB
Homepage: http://www.forensickb.com/search/label/Forensic%20Practical
Brief description: We have many sources of disk images available for use in education and research. The easiest disk images to work with are the NPS Test Disk Images.
Version/Levels: Level 1, Level 2, Level 3, Level 4
Name: Honeynet Project Challenges
Homepage: https://www.honeynet.org/challenges
Brief description: The purpose of Honeynet Challenges is to take this learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Challenges give the security community the opportunity to analyze these attacks and share their findings. The end results is not only do individuals and organizations learn about threats, but how to learn and analyze them. Even better, individuals can see the write-ups from other individuals, learning new tools and technique for analyzing attacks. Best of all, these attacks are from the wild, real hacks.
Version/Levels: 8
Pentest - Online (VPN - War Games)
Am Wednesday, 6. Jul 2011 im Topic 'Pentest'
Name: OverTheWire
Homepage: http://www.overthewire.org/wargames/
Brief description: The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of funfilled games.
Levels: 7
Name: pwn0
Homepage: https://pwn0.com/home.php
Brief description: Just sign up, connect to the VPN, and start hacking.
Levels:1
Homepage: http://www.overthewire.org/wargames/
Brief description: The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of funfilled games.
Levels: 7
Name: pwn0
Homepage: https://pwn0.com/home.php
Brief description: Just sign up, connect to the VPN, and start hacking.
Levels:1
Pentest - (Online) Web Based
Am Wednesday, 6. Jul 2011 im Topic 'Pentest'
Name: Biscuit
Homepage: http://heideri.ch/biscuit/
Brief description: Goal: alert(document.cookie) // extract the PHPSESSID, FF3.6 - 4 only!
Version/Levels: 1
Name: Gruyere / Jarlsberg
Homepage: http://google-gruyere.appspot.com/
Brief description: This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application
Version/Levels: 1 (v1.0.7)
Name: HackThis
Homepage: http://www.hackthis.co.uk/
Brief description: Welcome to HackThis!!, this site was set up over 2 years ago as a safe place for internet users to learn the art of hacking in a controlled environment, teaching the most common flaws in internet security.
Version/Levels: 32 (40?)
Name: HackThisSite
Homepage: http://www.hackthissite.org/
Brief description: Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
Version/Levels: Lots
Name: Hell Bound Hackers
Homepage: http://www.hellboundhackers.org/
Brief description: We offer challenges that teach you how computer based exploits work. The idea being, if you know how to exploit a website for instance, then you can go and secure your website, and help others in securing theirs. If you know how malicious hackers get in, you can keep them out.
Version/Levels: Lots
Name: Hackxor
Homepage: http://hackxor.sourceforge.net/cgi-bin/index.pl
Brief description: Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc
Version/Levels: 1
Name: Vicnum
Homepage: http://vicnum.ciphertechs.com/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1.4 (2009)
Homepage: http://heideri.ch/biscuit/
Brief description: Goal: alert(document.cookie) // extract the PHPSESSID, FF3.6 - 4 only!
Version/Levels: 1
Name: Gruyere / Jarlsberg
Homepage: http://google-gruyere.appspot.com/
Brief description: This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application
Version/Levels: 1 (v1.0.7)
Name: HackThis
Homepage: http://www.hackthis.co.uk/
Brief description: Welcome to HackThis!!, this site was set up over 2 years ago as a safe place for internet users to learn the art of hacking in a controlled environment, teaching the most common flaws in internet security.
Version/Levels: 32 (40?)
Name: HackThisSite
Homepage: http://www.hackthissite.org/
Brief description: Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
Version/Levels: Lots
Name: Hell Bound Hackers
Homepage: http://www.hellboundhackers.org/
Brief description: We offer challenges that teach you how computer based exploits work. The idea being, if you know how to exploit a website for instance, then you can go and secure your website, and help others in securing theirs. If you know how malicious hackers get in, you can keep them out.
Version/Levels: Lots
Name: Hackxor
Homepage: http://hackxor.sourceforge.net/cgi-bin/index.pl
Brief description: Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc
Version/Levels: 1
Name: Vicnum
Homepage: http://vicnum.ciphertechs.com/
Brief description: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats
Version/Levels: 1.4 (2009)
Pentest - Complete Operating System
Am Wednesday, 6. Jul 2011 im Topic 'Pentest'
Name: Damn Vulnerable Linux
Homepage: http://www.damnvulnerablelinux.org/
Brief description: Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.
Version/Levels: 1
Name: De-ICE
Homepage: http://heorot.net/livecds/ or http://www.de-ice.net
Brief description: The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.
Version/Levels: Level 1 - Disk 1, Level 1 - Disk 2, Level 1 - Disk 3 (A & B) Level 2 - Disk 1
Name: Holynix
Homepage: http://pynstrom.net/holynix.php
Brief description: Holynix is a Linux distribution that was deliberately built to have security holes for the purposes of penetration testing.
Version/Levels: 2
Name: Kioptrix
Homepage: http://www.kioptrix.com
Brief description: This Kioptrix VM Image are easy challenges. The object of the game is to acquire
root access via any means possible (except actually hacking the VM server or player).
The purpose of these games are to learn the basic tools and techniques in vulnerability
assessment and exploitation. There are more ways then one to successfully complete the challenges.
Version/Levels: 3
Name: Metasploitable
Homepage: http://blog.metasploit.com/2010/05/introducing-metasploitable.html
Brief description: One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.
Version/Levels: 1
Name: NETinVM
Homepage: http://informatica.uv.es/~carlos/docencia/netinvm/#id7
Brief description: NETinVM is a single VMware virtual machine image that contains, ready to run, a series of User-mode Linux (UML) virtual machines which, when started, conform a whole computer network inside the VMware virtual machine. Hence the name NETinVM, an acronym for NETwork in Virtual Machine. NETinVM has been conceived mainly as an educational tool for teaching and learning about operating systems, computer networks and system and network security, but other uses are certainly possible.
Version/Levels: 3 (2010-12-01)
Name: pWnOS
Homepage: http://forums.heorot.net/viewtopic.php?f=21&t=149
Brief description: It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine.
Version/Levels: 1
Name: RuCTFE 2010
Homepage: http://ructf.org/e/2010/
Brief description: RuCTFE is a remote challenge in information security
Version/Levels: 1
Homepage: http://www.damnvulnerablelinux.org/
Brief description: Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.
Version/Levels: 1
Name: De-ICE
Homepage: http://heorot.net/livecds/ or http://www.de-ice.net
Brief description: The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.
Version/Levels: Level 1 - Disk 1, Level 1 - Disk 2, Level 1 - Disk 3 (A & B) Level 2 - Disk 1
Name: Holynix
Homepage: http://pynstrom.net/holynix.php
Brief description: Holynix is a Linux distribution that was deliberately built to have security holes for the purposes of penetration testing.
Version/Levels: 2
Name: Kioptrix
Homepage: http://www.kioptrix.com
Brief description: This Kioptrix VM Image are easy challenges. The object of the game is to acquire
root access via any means possible (except actually hacking the VM server or player).
The purpose of these games are to learn the basic tools and techniques in vulnerability
assessment and exploitation. There are more ways then one to successfully complete the challenges.
Version/Levels: 3
Name: Metasploitable
Homepage: http://blog.metasploit.com/2010/05/introducing-metasploitable.html
Brief description: One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.
Version/Levels: 1
Name: NETinVM
Homepage: http://informatica.uv.es/~carlos/docencia/netinvm/#id7
Brief description: NETinVM is a single VMware virtual machine image that contains, ready to run, a series of User-mode Linux (UML) virtual machines which, when started, conform a whole computer network inside the VMware virtual machine. Hence the name NETinVM, an acronym for NETwork in Virtual Machine. NETinVM has been conceived mainly as an educational tool for teaching and learning about operating systems, computer networks and system and network security, but other uses are certainly possible.
Version/Levels: 3 (2010-12-01)
Name: pWnOS
Homepage: http://forums.heorot.net/viewtopic.php?f=21&t=149
Brief description: It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine.
Version/Levels: 1
Name: RuCTFE 2010
Homepage: http://ructf.org/e/2010/
Brief description: RuCTFE is a remote challenge in information security
Version/Levels: 1
Dukascopy.com - SQL Injection
Am Wednesday, 6. Jul 2011 im Topic 'Vulnerabilities'
General Information
Website: www.dukascopy.com
Vulnerability Type: SQL Injection Vulnerability
Alert Level: Critical
Threats: Entire Database Access, Shell Uploading
by Mr.
zsecure
Website: www.dukascopy.com
Vulnerability Type: SQL Injection Vulnerability
Alert Level: Critical
Threats: Entire Database Access, Shell Uploading
by Mr.
zsecure
Wifi Cracker 1.5 - Linux
Am Wednesday, 6. Jul 2011 im Topic 'Web Security'
Fern Wifi Cracker 1.5 is available, download fern 1.2 then update to 1.5 by using the update download button
This is a wireless security auditing application that is written in python and uses python-qt4. This application uses the aircrack-ng suite of tools.
It should work on any version of linux running the following:
Requirements:
python
python-qt4
macchanger
aircrack-ng
xterm
subversion
To install simply run the following command in terminal after changing directory to the path were the downloaded package is:
root@host:~# dpkg -i Fern-Wifi-Cracker_1.2_all.deb
Download
http://code.google.com/p/fern-wifi-cracker/downloads/list
This is a wireless security auditing application that is written in python and uses python-qt4. This application uses the aircrack-ng suite of tools.
It should work on any version of linux running the following:
Requirements:
python
python-qt4
macchanger
aircrack-ng
xterm
subversion
To install simply run the following command in terminal after changing directory to the path were the downloaded package is:
root@host:~# dpkg -i Fern-Wifi-Cracker_1.2_all.deb
Download
http://code.google.com/p/fern-wifi-cracker/downloads/list
OWASP Zed Attack Proxy v.1.3.1
Am Wednesday, 6. Jul 2011 im Topic 'Pentest'
OWASP Zed Attack Proxy v.1.3.1 Released
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
Download:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Changelog:
https://code.google.com/p/zaproxy/downloads/list
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
Download:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Changelog:
https://code.google.com/p/zaproxy/downloads/list
50 Days of Lulz - LulzSec Says Goodbye
Am Wednesday, 6. Jul 2011 im Topic 'News'
http://www.youtube.com/watch?v=xJYhPrbtqug&feature=player_embedded
ironic
http://www.youtube.com/watch?v=quSL92cIueI
ironic
http://www.youtube.com/watch?v=quSL92cIueI
Sniffjoke 0.4.2 - Linux
Am Wednesday, 6. Jul 2011 im Topic 'Tools'
“SniffJoke (Sj) implements a set of anti sniffing technology itself, but begins developed as a modular framework.
Will easily be supported by a security community that want to exploit and explore sniffing faults. SniffJoke is an application for Linux that handle transparently your TCP connection, delaying, modifying and injecting fake packets inside your transmission, make them almost impossible to be correctly read by a passive wiretapping technology (IDS or sniffer). An internet client running SniffJoke injects in the transmission flow some packets able to seriously disturb passive analysis like sniffing, interception and low level information theft. No server supports needed!“
Download Sniffjoke v0.4.2 (sniffjoke-0.4.2.tar.bz2)
https://github.com/vecna/sniffjoke/downloads
Will easily be supported by a security community that want to exploit and explore sniffing faults. SniffJoke is an application for Linux that handle transparently your TCP connection, delaying, modifying and injecting fake packets inside your transmission, make them almost impossible to be correctly read by a passive wiretapping technology (IDS or sniffer). An internet client running SniffJoke injects in the transmission flow some packets able to seriously disturb passive analysis like sniffing, interception and low level information theft. No server supports needed!“
Download Sniffjoke v0.4.2 (sniffjoke-0.4.2.tar.bz2)
https://github.com/vecna/sniffjoke/downloads
phpMyAdmin Multiple Vulnerabilities
Am Wednesday, 6. Jul 2011 im Topic 'Vulnerabilities'
Software:
phpMyAdmin 3.x
1) An error within the "Swekey_login()" function in libraries/auth/swekey/swekey.auth.lib.php can be exploited to overwrite session variables and e.g. inject and execute arbitrary PHP code.
2) Input passed to the "PMA_createTargetTables()" function in libraries/server_synchronize.lib.php is not properly sanitised before calling the "preg_replace()" function with the "e" modifier. This can be exploited to execute arbitrary PHP code via URL-encoded NULL bytes.
3) Input passed to the "PMA_displayTableBody()" function in libraries/display_tbl.lib.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.
NOTE: A weakness in setup scripts, which could lead to arbitrary PHP code injection if session variables are overwritten.
The vulnerabilities in versions prior to 3.3.10.2 and 3.4.3.1.
phpMyAdmin 3.x
1) An error within the "Swekey_login()" function in libraries/auth/swekey/swekey.auth.lib.php can be exploited to overwrite session variables and e.g. inject and execute arbitrary PHP code.
2) Input passed to the "PMA_createTargetTables()" function in libraries/server_synchronize.lib.php is not properly sanitised before calling the "preg_replace()" function with the "e" modifier. This can be exploited to execute arbitrary PHP code via URL-encoded NULL bytes.
3) Input passed to the "PMA_displayTableBody()" function in libraries/display_tbl.lib.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.
NOTE: A weakness in setup scripts, which could lead to arbitrary PHP code injection if session variables are overwritten.
The vulnerabilities in versions prior to 3.3.10.2 and 3.4.3.1.
Skipfish-2.01b - Linux
Am Wednesday, 6. Jul 2011 im Topic 'Tools'
A fully automated, active web application security reconnaissance tool. Key features:
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Download:
http://code.google.com/p/skipfish/downloads/list
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Download:
http://code.google.com/p/skipfish/downloads/list
Faces of Hacking
Am Wednesday, 6. Jul 2011 im Topic 'News'
Some Hacker use software and hardware to express themselves creatively.......
http://www.pentestit.com/wp-content/uploads/HLIC/e57cb16a9284494b6fb328de8e8539d2.png
http://www.pentestit.com/wp-content/uploads/HLIC/e57cb16a9284494b6fb328de8e8539d2.png
... ältere Einträge