Resources

Disclaimer:

The contents of this blog are meant for defensive purposes only.  By testing in a controlled environment, security students and professionals can educate themselves LEGALLY.  The contents of this blog are meant for educational purposes.  Anything used outside of your scope of permissions is likely to be illegal.

Setup:

  • Download VMware player
    • This is just my personal preference for running VMs
    • VMware Player is free for personal use
    • Remember to enable virtualization via BIOS settings if you haven’t already!!

VM Note: Since most people run multiple VMs on the same physical box, you may want to use a “Bridged” connection. This means that the VM is treated as its own physical box on the network, with its own IP address (as opposed to sharing an IP with the host box), and is reachable from other machines on that network.

Offensive platforms:

  • Kali Linux
    • A distro based on Debian, loaded with a bunch of popular tools for pen testing and forensics

Vulnerable platforms:

  • Metasploitable 2
    • All-around great for learning web app vulns, service vulns... a bit of everything.
  • Web For Pentester
    • Has a lot of great basic web application and database vulns to test

Mobile

  • Genymotion free version for Android device virtualization, an alternative to AVD
  • Android-sdk
    • Includes Android Virtual Device (AVD) and Android Debug Bridge (ADB)
  • OWASP GoatDroid Project – vulnerable Android application platform

Misc.

 
