I've used Metasploitable and WebGoat, but I haven't used any of the others, looks like I will be very busy, thank you
I was referring to Northumbria University, however I will partly retract my previous statement, it looks like it will build a good foundation, but it doesn't look like it would prepare someone for hacking a real network.
I'm not sure on a specific field, I've lately enjoyed playing around with buffer overflows, and written a generic return address brute force tool. I found it really interesting, however I don't know which field this would be included in.
I also enjoy the whole process of penetration testing, from gathering information through to exploitation and covering tracks.
How does the metasploitable server compare to real world targets? It seemed way too easy, which do you think would give the best feel for testing the security of a real company?