Hacking Without All the Jailtime
There’s been more and more legislation put in place to try to discourage hacking in general, and even tool development. Not that I think it’ll lead to many prosecutions anywhere, but nevertheless, it’s always nice to have a place to test. I got an email from one of my readers asking about the hackme series:
Hello and thank you for an awesome blog, and a daily read. A while back you mentioned some “ready-made” websites that were used in the web app sec sphere to test scanners and specific tools. More specifically you mentioned 2, one of which was somewhat deprecated, but still had some educational value. I’ve been looking through your posts, but I have had no success finding this entry.
I’ll do one better - here’s a short list I compiled that includes a lot of the more popular sites and tools for ethical testing, without all the muss and fuss of prison time. If you want to hone your skills or just have some fun at work, try these out (in no particular order):
- http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
- http://testasp.acunetix.com/Default.asp
- http://test.acunetix.com/
- http://hackme.ntobjectives.com/
- http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
- http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
- http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
- http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
- http://zero.webappsecurity.com/
- http://www.hackertest.net/
- http://www.hackthissite.org/
- http://www.mavensecurity.com/WebMaven.php
- http://ha.ckers.org/challenge/
- http://ha.ckers.org/challenge2/
- http://demo.testfire.net/
- http://scanme.nmap.org/
- http://www.hellboundhackers.org/
- http://www.overthewire.org/wargames/
- http://roothack.org/
- http://heorot.net/
- http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
- http://wocares.com/xsstester.php
- https://how2hack.net
- http://hax.tor.hu/
If there are others that should be added to this list, please drop me a line and I’ll add them. I hope everyone had a good April 1st and that insurance covers whatever was damaged.
April 6th, 2009 at 1:23 pm
Also http://demo.testfire.net/
April 6th, 2009 at 1:35 pm
scanme.nmap.org
April 6th, 2009 at 3:08 pm
I thought it was more fun to load WebGoat into the Fortify SCA 4 demo that came with the book, “Secure Programming with Static Analysis”. I didn’t call it hacking though. YMMV.
April 6th, 2009 at 4:07 pm
1. http://www.hellboundhackers.org/ kinda like hackthissite dot org, has some leet missions…
2. http://www.overthewire.org/wargames/ these are like teh sexiest wargames I’ve ever played
3. http://roothack.org/ check it out yourself
4. Since you mentioned OWASP’s WEBGOAT, add http://heorot.net/ they have these own-the-box-running-a-vulnerable-live-cd livecds
April 6th, 2009 at 6:05 pm
IronGeek has also developed one based on OWASPs Top 10 vulns called Mutillidae:
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
April 6th, 2009 at 10:49 pm
thanks, that’ll keep me busy during the semester break
April 7th, 2009 at 5:10 am
Not quite the same, but my XSS sandbox ( http://wocares.com/text.php ) is supposed to help you recreate conditions on a site and test injections without actually injecting the site. I guess that’s semi-relevant
April 7th, 2009 at 5:10 am
Argh, wrong url, I meant to write http://wocares.com/xsstester.php
April 7th, 2009 at 6:32 am
Watchfire created a live site to test AppScan that you can use.
http://demo.testfire.net/
April 7th, 2009 at 6:56 am
Thanks everyone, I added all your recommendations in. And if you have any others, just let me know and I’ll throw them in over time.
April 7th, 2009 at 8:58 am
https://how2hack.net
They help get people started, teaching the basics and whatnot.
April 7th, 2009 at 10:12 am
http://hax.tor.hu/
Only has a few web-appsec specific ones (mostly PHP), but lots of random challenges. Fairly fun.
April 7th, 2009 at 11:00 am
How about badstore?
It’s a 10MB bootable ISO image so you can study in an isolated environment.
Registration required to download
http://www.badstore.net/
April 7th, 2009 at 1:18 pm
http://www.gat3way.eu/hack
April 7th, 2009 at 1:55 pm
http://ha.ckers.org/challenge3 is it ‘later’ yet?
April 7th, 2009 at 8:31 pm
All courtesy of IronGeek!
http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
http://suif.stanford.edu/~livshits/securibench/
Deprecated:
http://www.mavensecurity.com/WebMaven.php
April 8th, 2009 at 12:24 am
Note to all people who might visit Hellboundhackers (HBH): When posting an introduction thread, it might be a wise idea to tell HBH you were referenced there by this blog. Otherwise someone, or more likely, I, might end up putting two bullets in your end before I come to the conclusion you aren’t ‘just a noob’. HBH has some… audience issues.
April 8th, 2009 at 3:56 am
http://www.rootcontest.com - RootContest has been reborn from the ashes and is back with a new team, a new set of challenges, a new philosophy and a goal to provide the best hacker war games the interwebs has ever seen. RootContest is a free, legal, hacker war-game web site. The challenges hosted here involve exploiting security vulnerabilities on *nix based servers. Hackers may work individually or as a team in order to capture and control remote servers. The RootContest application is a distributed, multi-user challenge driven web application. Technology and security challenges are made available to web clients and progress is tracked through a point system. Challenges include network based attacks, operating system attacks, application attacks, logic challenges, and other security focused scenarios. RootContest is unique in the respect that participants have the opportunity to completely take over and root a remote system, retain control of the system, and defend the system against external threats.
April 8th, 2009 at 5:33 am
http://www.damnvulnerablelinux.org/
It’s a Linux distribution developed to be “damn vulnerable”.
April 9th, 2009 at 10:08 pm
@RSnake
http://www.owasp.org/index.php/Phoenix/Tools
provided the following additional resources:
Cenzic (live) - http://crackme.cenzic.com/
Acunetix (live) - http://testphp.acunetix.com/ http://testaspnet.acunetix.com
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator
April 11th, 2009 at 8:42 am
here is another one:
http://www.intruded.net/wargames.html
April 11th, 2009 at 9:20 am
http://www.mod-x.co.uk/main.php
April 14th, 2009 at 8:59 pm
Thanks for this list! It’s proving helpful for me. I’m working my way through WebGoat.
May 17th, 2009 at 11:29 am
I cut my teeth on http://www.hackthissite.org/ back in the day.
July 14th, 2009 at 3:48 pm
I’m a little surprised to see http://bright-shadows.net has not been mentioned.