Monday, February 5, 2018

Awesome Curated List of Environments and Platforms for Hacking and CTFs!

Lot of people think that hacking and security is all about reading books and watching tutorials! But unfortunately that is completely wrong! Since, you are into a field related to IT you'll need to practice a lot. Practicing things you learn will develop your skills to the next level!
For that, there is bunch of resources on the net out there! Platforms, Environments and more to practice Hacking/Pen-Testing ethically and safely! My job in this article is to share with you a list of my preferred platforms and environments; Enjoy.
  • HackTheBox: HTB is an online platform to test and advance your skills in penetration testing and cyber security. It has a good list of boot2root machines and jeopardy challenges to develop your skills. Hack it and join the community CLICK.
  • VulnHub: It provides a bunch of boot2root machines to download! Allowing anyone to gain practical hands-on experience with hacking and penetration testing. CLICK.
  • Root Me: Well known Jeopardy-CTF platform that gives everyone the chance to test and improve knowledge in computer security and hacking. CLICK.
  • bWAPP: Buggy Web Application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. It has over 100 web vulnerabilities! It covers all major known web bugs, including all risks from the OWASP Top 10 project. CLICK.
  • DVWA: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment (offline), help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security. CLICK.
  • XVWA: Xtreme Vulnerable Web Application is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. CLICK.
  • Lab26: It is an offline vulnerable virtual machine that has a set of already installed & configured vulnerable web applications, like: DVWA, bWAPP, Mutillidae, OWASP Juice Shop ..etc. CLICK.
  • DSVW: Damn Small Vulnerable Web, is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports majority of (most popular) web application vulnerabilities together with appropriate attacks. CLICK.
  • HackThis!!: Beginners friendly website/platform for complete beginners into InfoSec (Hacking/Security). It has a good set of Jeopardy Challenges that let you practice different skills and attacks. CLICK.
  • DVAA: Damn Vulnerable Android App, is an Android application which contains intentional vulnerabilities. Its purpose is to enable security professionals to test their tools and techniques legally, help developers better understand the common pitfalls of secure Android development. CLICK.
  • DVHMA: Damn Vulnerable Hybrid Mobile App is an hybrid mobile app (for Android) that intentionally contains vulnerabilities. CLICK.
  • DVIA: Damn Vulnerable iOS Application, is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks). CLICK.
  • DVRF: Damn Vulnerable Router Firmware Project, is a project to let professionals simulate a real world environment to help people learn about other CPU architectures outside of the x86_64 space. This project will also help people get into discovering new things about hardware security/hacking. CLICK.
  • DVL: Damn Vulnerable Linux, is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. It allows you to practice your Linux Hacking Skills in a safe and legal environment. CLICK.
  • DVTA: Damn Vulnerable Thick Client App, is a vulnerable thick client application developed in C# dotNET. CLICK.
  • DVWS: Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. CLICK.
  • ODVWS: OWSAP Damn Vulnerable Web Sockets, is a vulnerable web application which works on web sockets for client-server communication. CLICK.
  • DIVA Android: Damn Insecure and vulnerable App for Android, is an App intentionally designed to be insecure. The aim of the App is to teach developers/QA/security professionals, flaws that are generally present in the Apps due poor or insecure coding practices. CLICK.
  • Enigma Group: Enigma Group has been providing its members a legal and safe security resource where they can develop their pen-testing skills on various challenges provided by this site. These challenges cover the exploits listed in the OWASP Top 10 Project and teach members the many other types of exploits that are found in today's applications; thus, helping them to become better programmers in the mean time. CLICK.
  • Exploit Exercises: It is a very well known website in the hacking community, it provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues. CLICK.
  • HSEVD: HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level. It caters wide range of vulnerabilities ranging from simple Buffer Overflows to complex Use After Frees and Pool Overflows. This allows the researchers to explore the exploitation techniques for all the implemented vulnerabilities. CLICK.
  • Game of Hacks: This game was designed to test your application hacking skills. You will be presented with vulnerable pieces of code and your mission if you choose to accept it is to find which vulnerability exists in that code as quickly as possible. CLICK.
  • Google Gruyere: This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. CLICK.
  • Metasploitable: Taking your first steps with Metasploit can be difficult – especially if you don’t want to conduct your first penetration test on your production network. Metasploitable is virtual machine based on Linux that contains several intentional vulnerabilities for you to exploit. CLICK.
  • HackThisSite: Free, safe and legal training ground for hackers to test and expand their hacking skills. Tune into the hacker underground and get involved with the project. CLICK.
  • Hack.Me: Is a FREE, community based project powered by eLearnSecurity. The community can build, host and share vulnerable web application code for educational and research purposes. It aims to be the largest collection of "runnable" vulnerable web applications, code samples and CMS's online. CLICK.
  • OWASP Hackademic: The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe and controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through an attacker's perspective. CLICK.
  • HackaZon: It is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. CLICK.
  • Hacker Test: It is your own online hacker simulation. With 20 levels that require different skills to get to another step of the game, this new real-life imitation will help you advance your security knowledge. CLICK.
  • Hacking-Lab: An online ethical hacking, computer network and security challenge platform, dedicated to finding and educating cyber security talents. Furthermore, Hacking-Lab is providing the CTF and mission style challenges for the European Cyber Security Challenge with Austria, Germany, Switzerland, UK, Spain, Romania and provides free OWASP TOP 10 online security labs. CLICK.
  • HackXor: It is a web app hacking game where players must locate and exploit vulnerabilities to progress through the story. Contains XSS, CSRF, SQLi, ReDoS, IDOR, command injection, etc. CLICK.
  • Valhalla Challenges: Challenges you can solve. Valhalla is a place for sharing knowledge and ideas. CLICK.
  • HaxTor: A good set of challenges to practice CTFs for hacking & security. CLICK.
  • HellBound Hackers: HBH stands for HellBound Hackers. Completely legal, web-based security training ground. It offers challenges that teach you how computer based exploits work. The idea being, if you know how to exploit a website for instance, then you can go and secure your website, and help others in securing theirs. CLICK.
  • Holynix: Holynix is an Linux distribution that was deliberately built to have security holes for the purposes of penetration testing. The object of the challenge v2 to root the box. CLICK.
  • DVJWA: DAMN Vulnerable Java based Web Application. This app is intended for the Java Programmers and other people who wish to learn about Web application vulnerabilities and write secure code. CLICK.
  • OWASP Juice Shop: Is an intentionally insecure web application written entirely in JavaScript which encompasses the entire range of OWASP Top Ten and other severe security flaws. CLICK.
  • OWASP Mutillidae II: Free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. CLICK.
  • OverTheWire WarGames: The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. CLICK.
  • OWASP BWAP: Open Web Application Security Project Broken Web Application Project, is a collection of vulnerable web applications that is distributed on a Virtual Machine. CLICK.
  • OWASP GoatDroid: A fully functional and self-contained training environment for educating developers and testers on Android security. CLICK.
  • OWASP Security Shepherd: A web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status. CLICK.
  • OWASP SiteGenerator: It allows the creating of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .Net languages and web development architectures (for example, navigation: Html, Javascript, Flash, Java, etc...). CLICK.
  • PenTest Training: A simple website used as a hub for information revolving around the varies services, they offer to help both experienced and new penetration testers practice and hone their skills. CLICK.
  • PwnableKr: A non-commercial wargame site which provides various pwn challenges regarding system exploitation. the main purpose of pwnable.kr is 'fun'. CLICK.
  • ReversingKr: Simply, a super great platform made only for REVERSE ENGINEERING, it has a good set of challenges on different fields of R.E (Linux, Windows, Android..). CLICK.
  • RingZer0 Team: Very good platform, it looks like the same as root-me it has a lot of CTF challenges in different fields: Cryptography, Reversing, Steganography, Forensics and more! CLICK.
  • SlaveHack2: An interactive open world online hacking game which simulates a virtual operating system desktop. CLICK.
  • SQL-Zoo: Funny name really? It is a beginners friendly platform to learn and test for SQLInjection attacks/vulnerabilities. CLICK.
  • ThisIsLegal: A hacker wargames site with much more - such as forums and tutorials. The aim of the site is to help you learn and improve as much as they can and also provide a community with a chance to chat. CLICK.
  • W3Challs: A penetration testing training platform, which offers various computer challenges, in categories related to security: Hacking, Cracking, Wargame, Forensic, Cryptography, Steganography and Programming. The purpose of this site is to offer realistic challenges, without simulation, and without guessing! CLICK.
  • WackoPicko: Is a vulnerable web application used to test web application vulnerability scanners. CLICK.
  • Web Security Dojo: A preconfigured, stand-alone training environment for Web Application Security. CLICK.
  • OWASP WebGoat Project: Is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. CLICK.
  • Solve-Me: A CTF-Jeopardy style wargame website. CLICK.
  • CTFsME: Join with all pwners. over the world! CLICK.
  • XSS-Game: In this training program, you will learn to find and exploit XSS bugs. You'll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications. There will be cake at the end of the test. CLICK.

Contact me if there is any broken link! If you want to add a platform/environment give me the name + link in the comment section.

No comments:

Post a Comment