We’re sure you’ve read – and will continue to read ;-) – many of our previous posts on pentesting tools, distributions, and certifications. Now we want to introduce you to several cyber security projects that aim to give you targets you can legally exploit and attack, so you can get better at cyber security tasks.
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” – Abraham Lincoln
Good Ol’ Abe was right. Our skills are our axes and, in order to chop down the trees – to reach our goals – we need to train, train, train… and, just like an axe, we must sharpen our skills so that, when faced with new challenges, we’ll have the necessary knowledge to attack any problem that comes our way.
Now, let’s look into some projects that will surely help you sharpen your axe, empowering you to take on new challenges.
The Damn Vulnerable Web App is a web application that was deliberately designed to be vulnerable. It’s meant to help security professionals like you test your skills in a legal environment, while helping web developers understand the many weaknesses they need to be aware of when creating a new product.
The DVWA comes with some very common vulnerabilities, all for you to exploit. Some of the attacks you can execute are:
- Brute Force
- Command Execution
- Cross-Site Request Forgery (CSRF)
- File Inclusion
- SQL Injection
- Malicious file upload
- Cross-Site Scripting
It basically serves as a collection of community-developed vulnerable web applications, which you can attack for educational and learning purposes.
The platform does require you to register, since each Hackme (application) you choose is spun up as a new instance, running in a separate sandbox isolated just for you.
You can expect to find dozens of web apps, from challenges based on the OWASP Top 10 vulnerabilities, to Capture-the-Flag (CTF) challenges, Cross-Site Scripting (XSS), hacking into fictional banks, and so on.
Think of it as a repository of purposefully vulnerable VMs which you can download and spin up on your favorite hypervisor.
For each virtual machine, you get details such as:
- Release information
- Download links
- Detailed description of the VM
- File information (inc. checksums and file size)
- Virtual machine information, e.g. which hypervisor it should be run on
- Virtual networking specifications
- Screenshots of the VM
In some cases, you may even get walk-through tutorials that provide hints, in case you get stuck.
Expect to find lots and lots of different kinds of VMs, from CTF-style challenges where you’ll need to capture a specific set of flags, to story-like challenges like a virtual machine based on Game of Thrones!
The website contains several hundred hacking challenges and online virtual machines, ready for you to legally hack and exploit.
Another feature that Root-Me has is that all challenges are organized in different categories, such as: