Re: How to create a penetration test lab

---

• From: Robert Portvliet <robert.portvliet@xxxxxxxxx>
• Date: Thu, 3 Sep 2009 17:26:31 -0400

---

Here's a few more vulnerable web apps:

http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security

Also the De-ICE LiveCD's:

http://heorot.net/livecds/





On Thu, Sep 3, 2009 at 3:24 PM, <jfvanmeter@xxxxxxxxxxx> wrote:

Yes I've add DVL, does any one of a LAMP setup like DVL? or should I just use out of date/missing patches for Linux, Apache, MYSQL and PHP?

I guess out of date/missing patches for FTP, SMTP, SNMP, SSH, SSL, etc would allow me to explore.

I've also add
WebGoat http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Hacme Travel http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Hacme Bank http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Hacme Shipping http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Hacme Casino http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Hacme Books http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm

I was also thinking of loading Cisco IOSs that had vulnerabilities, if I could find IOSs that we're outdated.

Would it be better to work in a single disciplie? Web, Web Applications, Web Server..... OSes....... Network equipment.... etc or be a jack of all trade, master at none.

I want to thank everyone for the help.

Take Care and Have Fun ::John



----- Original Message -----
From: "Eric Grejda" <eric.grejda@xxxxxxxxxxxxxxxxxxxx>
To: pen-test@xxxxxxxxxxxxxxxxx
Sent: Thursday, September 3, 2009 9:05:17 AM GMT -05:00 US/Canada Eastern
Subject: Re: How to create a penetration test lab

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

¨˜”°º•C0D3w@lk3r•º°”˜¨ wrote:

Also try including DVL (Damn Vulnerable Linux) to your collection.
Happy Hacking :)

I'll second DVL - I use it in some of the trainings I run and everyone
enjoys it.  It's also worth noting that a few of the puzzles have more
than one solution.

- --

Eric Grejda - Security Engineer, the Prometheus Group
PGP: 3651F89F / D04B D4D0 E5E2 5746 7CB7  05CA 1C92 4610 3651 F89F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkqfvwwACgkQHJJGEDZR+J+TqwCdF2jaWyHQuVApl2xw8qfWRpwR
bJEAn1pBBPgW3mTRuxPq5fkjTqDbTWg7
=tson
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

---

• References:
  • Re: How to create a penetration test lab
    • From: jfvanmeter

• Prev by Date: Re: How to create a penetration test lab
• Next by Date: crack.pl v3
• Previous by thread: Re: How to create a penetration test lab
• Next by thread: [Tools update] The Security-Database Watch Newsletter -- v20090905
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Article on Pentesting Study Frameworks ... I've posted what I told you about, related to Pentesting Study Frameworks. ... Hacme, ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ... (Pen-Test) RE: Which Commercial Web App Scanner? ... so assuming that leaves WebInspect and Acunetix ... actually do a proper penetration test. ... Information Assurance Certification Review Board ... (Pen-Test) Re: Pentest exams ... would be a dynamic duo of pen testing certs. ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually ... do a proper penetration test. ... (Pen-Test) Fwd: Evaluating pentesters ... (Being a pen-tester). ... usually get a good feel of how they work and some of the methodologies ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ... (Pen-Test) Re: Pentesting lab ... Most pros that I have ever heard of/met/read use Metasploit. ... One subject is pen-testing and second subject is malware analysis. ... actually do a proper penetration test. ... Information Assurance Certification Review Board ... (Pen-Test)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > pen-test  > 2009-09