.

Penetration Testing/Ethical Hacking Labs

<<

partek

Newbie
Newbie

Posts: 27

Joined: Thu Feb 28, 2008 6:15 pm

Post Mon Feb 22, 2010 7:28 pm

Penetration Testing/Ethical Hacking Labs

I have been enjoying the Pentesting with Backtrack course and my time in their labs is about to expire. I have managed to break into nearly every machine in the lab, and it has been an amazing experience. I'm really looking forward to the OSCP challenge.

Does anyone know if there are other penetration testing or ethical hacking labs out there like this that can be used to practice and grow skills?

I know I can build my own labs, but there is definitely a benefit of going into it blind and having to discover the systems and develop a penetration strategy.


Thanks!
CISSP, CISM, CISA, CCNA Security, OSCP, CEH
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Feb 22, 2010 7:56 pm

Re: Penetration Testing/Ethical Hacking Labs

Nothing 'free' that is likely to be as good or deep as OSCP, but there are other 'hackable lab distros' out there, to give you some things to play with.  Check out de-ice.net and some of the other distros out there, as well as Thomas Wilhelm's book (which is relatively inexpensive, compared to many 'paid' resources.  (There's a picture of it on the top of the de-ice site.)

As for others, check out jhaddix's site ( http://www.securityaegis.com/ ) for some links for webapp labs and others you might get some good use out of.  Dig around on there, and you'll find some good links and resources.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

partek

Newbie
Newbie

Posts: 27

Joined: Thu Feb 28, 2008 6:15 pm

Post Tue Feb 23, 2010 10:33 am

Re: Penetration Testing/Ethical Hacking Labs

I definitely wouldn't expect them to be free. I would totally be willing to spend a little money for the time and effort that someone is spending to maintain a lab.

I've seen the de-ice.net/heorot site, and have entertained setting the stuff on there up. I'd just rather spend my limited free time researching, hacking, etc rather than downloading and configuring VM's.

I'll be sure to check out security aegis too. I haven't been over there in ages.

Thanks!
CISSP, CISM, CISA, CCNA Security, OSCP, CEH
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Feb 23, 2010 10:42 am

Re: Penetration Testing/Ethical Hacking Labs

As for 'downloading/ configuring VM's' the de-ice ones don't take long at all, to get setup and running, so they're at least worth setting up to hack at during your free time, since again, at least those are relatively inexpensive / free.

If you want more of a challenge, you might also sign up for NetWars...  http://www.netwars.info/ as it's been kind of fun, and gives you some immediate things to hack at (when each new round begins... one JUST ended, I believe, today)  I think this one would be your best immediate fun, when a round is in session, so sign up and go for it.

Also, one more...

You might check out group51.org, as well.  They have some little projects going on, and a 'dedicated' test lab setup amongst various members devices and servers.  I haven't checked it out in a while, but they were doing a few cool things in there, last I was in.

Anyway, I understand your 'limited free time,' as I get that a lot, myself, so I wish you luck.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Feb 23, 2010 12:10 pm

Re: Penetration Testing/Ethical Hacking Labs

I still like the challenges on overthewire.org.  They require programming experience, but they are certainly rewarding.
~~~~~~~~~~~~~~
Ketchup
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Feb 24, 2010 4:48 am

Re: Penetration Testing/Ethical Hacking Labs

i recently build my own (VMware) hacklab containing the most popular hack challenges i could find. most are mentioned here, but i definately miss the lampsecurity capture the flags (there on sourceforge). the CTF's are pretty hard en well documented. i certenly recommend it to take a loot at. Like said before setting up these hacklabs is peanuts. it tool me a full weekend to get everything installed and working. i will post a index later when i'm at home to sum up the completeness of the challenges available.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Feb 24, 2010 6:26 am

Re: Penetration Testing/Ethical Hacking Labs

I will be watching this post J0rDy!

I went through the De-Ice Vm images and I had a lot of fun figuring out the "puzzles".

I am also looking forward to new challenges.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Feb 24, 2010 7:11 am

Re: Penetration Testing/Ethical Hacking Labs

still not home (stuck on work for another few hours) but here are a few from the top of my head (i'll add the links later)

lampsecurity, CTF 4,5 and 6. documentation is available from the same source. very good and focussing on webapplications (so prepare for SQL injection and stuff) also covers a few good tools, but for a start it can be quite hard.

De-Ice, 1,2 and dont forget pWnOS! very good one wich is focussed on milw0rm and exploit-db!

Hacme's Foundstone. A bit harder to do because of the installation needed. then again it took me about a day to get the most of them working (trust me, with my knowledge, you will probably be quicker)

DVL. just download, boot and get started. no manuals, no pointers, no documentation...the ultimate challenge! a good tool to start with is the OWASP os, or if you prefer BT use BT ;)

Mutilidea (sp?) is based on the OWASP top 10. havent done this one yet so dont know if it is any good.

Moth. same here, havent done this one yet.

the last 2 require some installation too, but didnt give me much trouble.

in my personal lab i also included some standard installations of a linux distribution, windows XP/Vista/7 and Server 2000/2003/2008 as victims.

the main advantage of a virtual lab is when you use backups and mess up, its delete and copy and your ready to go!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Feb 24, 2010 7:49 am

Re: Penetration Testing/Ethical Hacking Labs

Humm,

I didn't know about lampsecurity. Since I first want to specialized in web application pentesting, this one will be good for me!

I will take a look at it once I am done with OSCP (I started last Sunday...).
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Feb 24, 2010 1:21 pm

Re: Penetration Testing/Ethical Hacking Labs

good luck with OSCP! did you get the 30 day or 60 day package? i'm trying to get an idea how much material it contains so i can see if its possible in 30 days.

here the list i promised:

CTF4 (Capture The Flag 4 from LampSecurity.org)
CTF5 (Capture The Flag 5)
CTF6 (Capture The Flag 6)
De-Ice1_100 (first challenge from heorot)
De-Ice1_110 (used to attack the first challenge)
De-Ice2_100 (second challenge from heorot)
pWnOS (the last challenge from heorot, focussed solely on milw0rm)
DVL1.5 (Damn Vulnerable linux)
Hackerdemia (another challenge from heorot)
Moth (Moth by Bonsai information security)
OWASP (opensource web application security live cd with tools)
Ubuntu WebGoat (OWASP vulnerabilities)
WinXP Foundstone (Hackmes challenges)
WinXP Mutillidae (Mutillidae vulnerabilities)

and the urls:

http://sourceforge.net/projects/lampsecurity/files/
http://heorot.net/livecds/
http://www.damnvulnerablelinux.org/
http://www.bonsai-sec.com/en/research/moth.php
http://www.owasp.org/index.php/Main_Page
http://www.foundstone.com/us/resources-free-tools.asp
http://www.irongeek.com/i.php?page=secu ... asp-top-10

good luck with building the lab!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

partek

Newbie
Newbie

Posts: 27

Joined: Thu Feb 28, 2008 6:15 pm

Post Wed Feb 24, 2010 2:20 pm

Re: Penetration Testing/Ethical Hacking Labs

j0rDy,

Wow, this is a great list. Thanks! I think I'll start slowly over time building these up.

My labs for PWB expire today(I did the 60 day plan), and really only had 1-3 hours a day at the most(probably skipping a good 15 days) to work on it. If you have at least that much time to devote to it, the 60 day should be fine.

I finished the entire course about 2 weeks ago and have been using the remaining time to break into the remaining lab machines. Unfortunately there are still a handful that I couldn't get.

I'm just hoping the OSCP exam won't take the whole 24 hours!
CISSP, CISM, CISA, CCNA Security, OSCP, CEH
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Feb 24, 2010 9:04 pm

Re: Penetration Testing/Ethical Hacking Labs

Thanks for the list j0rDy,

I took the 60-day package. Since I just started, it is hard to say is 30 days will be enough. But like Hayabusa said in another post: if you get 30 days and you later change your mind, you only lose $50...

Also, doing all the "Going the Extra Mile" exercises can take some time...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Thu Feb 25, 2010 4:05 am

Re: Penetration Testing/Ethical Hacking Labs

good to know. ofcourse i want to get the most out of the course, including the extra challenges. So i guess the best advise is to take the complete package (60 days). considering this i have to wait before i can register. i'm planning a little holiday in early may so starting in the end of march/beginning of april would be a good option...

glad you like the list!!! if people need pointers on installation of for example the hacme's just let me know, i'm willing to help!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Feb 25, 2010 7:50 am

Re: Penetration Testing/Ethical Hacking Labs

Oh and just so you are aware, it takes about 3 days to complete the registration process and courses only start on a Sunday morning.

So if you are planning to work on the course over a long weekend or something like that, I suggest you register a week in advance...

David
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 3 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software