lunes, 14 de marzo de 2011

Penetration Testing - Vulnerable - ISO

Adjunto una relación de imagenes para penetration Testing, se pueden montar sobre VMWare o VirtualBox y practicar (Si veo mas las ire añadiendo):


Holynix:
Holynix is an Linux distribution that was deliberately built to have security holes for the purposes of penetration testing.
The object of the challenge v1 is to gain root level privileges and access to personal client information.
Register on the forums to receive an email update when a new challenge is released.


WackoPicko:
WackoPicko Vulnerable Website
WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners.


De-ICE:
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.


Metasploitable:
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image.
One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.


exploit.co.il Vulnerable Web App:
http://sourceforge.net/projects/exploitcoilvuln/
exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques This is a fully functional web site with a content management system based on fckeditor. You can download it as source code or a pre configured


Badstore:
http://www.badstore.net/
Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.


Virtual Hacking Lab (pentoo):
http://sourceforge.net/projects/virtualhacking/
A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats.


PwnOS:
http://code.google.com/p/pwnos/
PwnOS is an operating system being written from the ground up to be ideal for making the most of resource-rich dedicated server systems.
The most significant section of the project is to create a core (kernel) that is designed to be best suited for servers (e.g. usually one process with many threads of varying priorities). Much (highly-regulated) assembly language and some C is used here to increase the performance and decrease bloat potential, (because to code this in assembly, it's ESSENTIAL to have excellent, lean code design).
Development of PwnOS will be switching to be done with PwnIDE once PwnIDE reaches version 0.2.4. Development so far has been done with RadASM and MASM32 for assembly, and Dev-C++ and MinGW for C/C++. Documentation is produced with Natural Docs. Custom linking is done with a utility called JLOC, and drive image writing is done with various utilities.


Damn Vulnerable Linux (DVL):
Damn Vulnerable Linux (DVL) is a Slackware and Slax-based live DVD. The distribution, purposefully stuffed with broken, ill-configured, outdated and exploitable software, began life as a training system used during the author's university lectures. Its primary goal is to design a Linux system that is as vulnerable as possible -- in order to teach and demonstrate a variety of security topics, including reverse code engineering, buffer overflows, shell code development, web exploitation, and SQL injection.


Damn Vulnerable Web App (DVWA):
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.


Moth:
Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
- Testing Web Application Security Scanners
- Testing Static Code Analysis tools (SCA)

- Giving an introductory course to Web Application Security



Hacking-Lab:

http://media.hacking-lab.com/largefiles/livecd/
http://hacking-lab.com/Remote_Sec_Lab/livecd.html
This is the Hacking-Lab LiveCD project. It is currently in beta stadium. The live-cd is a standardized client environment for solving our Hacking-Lab wargame challenges from remote. A valid OpenVPN connection is required for accessing the Hacking-Lab server infrastructure. Do you feel like being a beta-tester? Yes? Please make yourself familiar with the the full beta-tester programm where you find everything required to start using Hacking-Lab Remote.


OWASP Broken Web Applications Project:
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products).


LAMPSecurity Training:
LAMPSecurity training is designed to be a series of vunlerable virtual machine images along with complementary documentation designed to teach linux,apache,php,mysql security.


Web Security Dojo:
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo.
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.


Updated 12/06/2011
owasp-hackademic-challenges:

The OWASP Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

They have been especially designed for use in a classroom environment where they have been proved a valuable educational tool. Using OWASP Hackademic Challenges project students have the chance to experience application security in a realistic environment, something that triggers their interest and provokes a lot of interesting discussions.


Hackxor:

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc

Features:
Client attack simulation using HtmlUnit; no alert('xss') here.
Smooth difficulty gradient from moderately easy to fiendishly tricky.
Realistic vulnerabilities modelled from Google, Mozilla, etc (No rot13!)
Open ended play; progress by any means possible.



Updated 27/07/2011
Gruyere:

Want to beat the hackers at their own game?Learn how hackers find security vulnerabilities! Learn how hackers exploit web applications! Learn how to stop them!
This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).


Updated 28/07/2011
Sweet:

SWEET (Secure WEb dEvelopment Teaching) is a set of portable teaching modules for secure web development. SWEET features eight teaching modules, six project modules and a virtualized web development platform that allows instructors to conduct hands-on laboratory exercises. The purpose of this project is to enhance the learning experience of computing students through standardized teaching modules and environment in secure web development. We have adopted this teaching tool to introduce web security concepts in both undergraduate and graduate courses. Each SWEET teaching module will be enough for a three-hour class containing lecture materials and hands-on laboratory exercises that are relevant to the contents in the lectures.


Updated 15/05/2012
On Null Byte Poisoning and XPath Injection:

From Spiderlabs Blog:
Recently I released a tool called XMLmao, a configurable testbed for learning to exploit XPath injection flaws, developing new attack techniques for XPath injection flaws or simulating real-world XPath injection scenarios, similar to SQLol. Among other features, it has challenge scenarios which give you a set of pre-configured options and an objective to complete. As of recently, I've begun to write tutorials for each challenge which will be distributed with their respective testbeds.


Updated 26/01/2014
bWAPP:

bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP prepares to conduct successful penetration testing and ethical hacking projects.

What makes bWAPP so unique? Well, it has over 60 web vulnerabilities!
It covers all major known web bugs, including all risks from the OWASP Top 10 project.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
Another possibility is to download the bee-box, a custom Linux VM pre-installed with bWAPP.

Download our What is bWAPP? introduction tutorial, including free exercises...

bWAPP is for educational purposes. Education, the most powerful weapon which we can use to change the world.
Have fun with this free and open source project!

Cheers, Malik Mesellem


Updated 30/08/2014
VULN HUB:
http://vulnhub.com/

Aim/Goal
To provide materials that allows anyone to gain practical 'hands-on' experience in digital security, computer application & network administration.

Brief History/Purpose
Before you can run, you need to be able to walk. You do so by learning the basics so you an gain of the theory.
Once you're up and walking, you need 'something' to run to (Something to aim for) & you need 'somewhere' that's padded with foam to run about in (so it doesn't matter if you fall over). This is where VulnHub comes in.

We all learn in different ways: in a group, by yourself, reading books, watching/listening to other people, making notes or things out for yourself.
Learning the basics & understanding them is essential; this knowledge can be enforced by then putting it into practice.

Over the years people have been creating these resources and a lot of time has been put into them, creating ''hidden gems' of training material. However, unless you know of them, its hard to discover them.
So VulnHub was born to cover as many as possible, creating a catalogue of 'stuff' that is (legally)'breakable, hackable & exploitable' - allowing you to learn in a safe environment and practise 'stuff' out.
When something is added to VulnHub's database it will be indexed as best as possible, to try and give you the best match possible for what you're wishing to learn or experiment with. We will also ask for permission from the original source to mirror the material and to preserve the resources.

We hope that the community will come together to help each other learn, either by making new material or providing walkthroughs/solutions for existing solutions to help other people.

You can watch someone else...
Then follow along at the same time...
Afterwards set it up yourself & then try to do it (so you have an insight into the system - white box testing)...
Finally you can start on an unknown source (black box testing)...
...and if you get stuck you can always ask for a nudge!


Updated 01/09/2014
Binary Auditing:
http://www.binary-auditing.com/

That's not an ISO, but very interesting to learn about reversing.

Learn the fundamentals of Binary Auditing. Know how HLL mapping works, get more inner file understanding than ever.

Try to solve brain teasing puzzles with our collection of copy protection games. Increasing difficulty and unseen strange tricks.

Learn how to find and analyse software vulnerability. Dig inside Buffer Overflows and learn how exploits can be prevented.

Start to analyse your first viruses and malware the safe way. Learn about simple tricks and how viruses look like using real life examples.

The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!

WHAT IS INSIDE...
TopicFiles
IDA Pro 5.0 (Free)1
TOTAL324
HLL Mapping 1 (NOT for training, only as reference!)98
HLL Mapping 2 (Start here and convert them to C)31
Manual Decompilation (Simple exercises)10
Algorithm Analysis 1 (Simple math exercises)3
Algorithm Analysis 2 (Simple math exercises)6
Crash Auditing (more complicated, why crashing?)10
File Understanding (Simple to hard Reversemes)31
Copy Protection Auditing (Simple to very hard)47
Unpacking (Simple exercises)3
Vulnerability Auditing (Simple to intermediate)38
Malware Auditing 1 (Simple old .com/.exe exercises)41
Malware Auditing 2 (Some fakes for analysis)4
Malware Auditing 3 (Simple win32 analysis)1


Life of Binaries:
http://opensecuritytraining.info/LifeOfBinaries

Same as before, not ISO, but excellent to learn about Asm, Reverse and Exploit.

Topics include but are not limited to:

•Scanning and tokenizing source code.

•Parsing a grammar.

•Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).

•Linking object files together to create a well-formed binary.

•Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)

•How an OS loads a binary into memory and links it on the fly before executing it.

Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).

Lab work includes:

•Using the new “Binary Scavenger Hunt” tool which creates randomized PE binaries and asks randomized questions about the material you just learned!

•Manipulating compiler options to change the type of assembly which is output

•Manipulating linker options to change the structure of binary formats

•Reading and understanding PE files with PEView

•Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)

•Using WinDbg and/or GDB to watch the loader dynamically link an executable

•Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism

•Creating a simple example virus for PE

•Analyze the changes made to the binary format when a file is packed with UPX

•Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.

Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering.

A student Q&A forum has been set up at http://www.reddit.com/r/OST_LifeOfBinaries.

(updated 10/01/2017)
Vulnerability and Attack Labs

People learn from mistakes. In security education, we study mistakes that lead to software vulnerabilities. Studying mistakes from the past not only help students understand why systems are vulnerable, why a "seemly-benign" mistake can turn into a disaster, and why many security mechanisms are needed. More importantly, it also helps students learn the common patterns of vulnerabilities, so they can avoid making similar mistakes in the future. Moreover, using vulnerabilities as case studies, students can learn the principles of secure design, secure programming, and security testing.

(1) Software in general

new): exploit Bash's Shellshock vulnerability



  • Set-UID Program Vulnerability Lab: exploit the vulnerabilities of the privileged Set-UID programs. (
  • Survey Results)
    1. Buffer Overflow Vulnerability Lab: exploit the buffer overflow vulnerability using the shell-code approach. (Survey Results)




  • Return-to-libc Attack Lab: exploit the buffer-overflow vulnerabilities using the return-to-libc attack. (Survey Results)
  • Format String Vulnerability Lab: exploit the format string vulnerability. (Survey Results)
  • Race Condition Vulnerability Lab: exploit the race condition vulnerability. (Survey Results)





  • Chroot Sandbox Vulnerability Lab: explore how the chroot sandbox can be broken. (Survey Results)

  • (2) Network Protocols

    1. TCP/IP Attack Lab: exploit the vulnerabilities of the TCP/IP protocols. (Survey Results)




  • DNS Pharming Attack Lab: exploit the vulnerabilities of the DNS protocol to launch Pharming attacks. (Survey Results)

  • (3) Web Applications

      The following labs need to use the Ubuntu9.11 VM:
    1. Cross-site Scripting Attack Lab on PhpBB: exploiting cross-site scripting vulnerabilities. (Survey Results)




  • Cross-site Request Forgery Attack Lab on PhpBB: exploiting cross-site request forgery vulnerabilities. (Survey Results)
  • SQL Injection Attack Lab on PhpBB: experience the SQL-Injection attacks. (Survey Results)
  • ClickJacking Attack Lab: experience the ClickJacking attacks.

    1. The following labs need to use the Ubuntu11.04 or Ubuntu12.04 VM:
    2. Cross-site Scripting Attack Lab on Collabtive: exploiting cross-site scripting vulnerabilities.




  • Cross-site Request Forgery Attack Lab on Collabtive: exploiting cross-site request forgery vulnerabilities.
  • SQL Injection Attack Lab on Collabtive: experience the SQL-Injection attacks.


  • Design/Implementation Labs

    The objective of the design/implementation labs is to provide students with opportunities to apply security principles in designing and implementingsystems. They help students achieve learning by system development.

    (1) Networking

    1. Linux Firewall Lab: implement a simple firewall (called "miniFirewall") for Linux. This lab involves Loadable Kernel Module and Netfilter. (Survey Results)




  • Minix Firewall Lab implement a simple firewall (called "miniFirewall") for Minix. (Survey Results)
  • IPSec Lab: implement a simplified IPSec protocol (called "miniIPSec") for Minix (a comprehensive project). (Survey Results)
  • Virtual Private Network (VPN) Lab: implement a simple VPN (called "miniVPN") in Linux (a comprehensive project). Unlike IPSec-based VPNs, this lab does not need to modify the Linux kernel. All the implementations are in the user space. This lab involves encryption, hash, public key certificates, SSL, and network tunneling techniques (TUN/TAP). (Survey Results)

  • (2) System

    1. Role-Based Access Control (RBAC) Lab design and implement an integrated access control system for Minix that uses both capability-based and role-based access control mechanisms. Students need to modify Minix kernel to implement both capability and RBAC (this is a comprehensive project for access control). (Survey Results)




  • Capability Lab: design and implement a capability-based access control system for Minix (this is a comprehensive project).
  • Encrypted File System Lab: design and implement an encrypted file system for Minix (a comprehensive project).
  • Set-RandomUID Lab: design and implement a simple sandbox for Minix.
  • Address Space Layout Randomization (ASLR) Lab randomize stack and heap in Minix to improve security.


  • Exploration Labs

    The objective of the exploration labs is two-fold: the first is to enhance students' learning via observation, playing and exploration, so they can see what security principles ``feel'' like in a real system; the second objective is to provide students with opportunities to apply security principles in analyzing and evaluating systems. The exploration labs provide a feasible means by which the students have "a direct encounter with the phenomena being studied rather than merely thinking about the encounter, or only considering the possibility of doing something about it".
    1. Linux Firewall Exploration Lab: This is the redesign of the Linux Firewall Design/Implementation Lab. The focus is shifted from programming to exploration. Students will explore various firewall-related technologies, such as netfilter, web proxy, URL rewriting, and using SSH tunnels to evade egress filtering.




  • Packet Sniffing and Spoofing Lab: explore how sniffing and spoofing tools are implemented. (Survey Results)
  • Linux Capability Exploration Lab: explore the capability-based access control in Linux. (Survey Results)





  • Web Browser Access Control Lab: explore the Same-Origin Access Control Policy in web browsers. (Survey Results)






  • Crypto Lab I -- Secret-Key Encryption : explore secret-key encryption and its applications using OpenSSL. (Survey Results)
  • Crypto Lab II -- One-Way Hash Function: explore one-way hash function and its applications using OpenSSL. (Survey Results)
  • Crypto Lab III -- Public-Key Cryptography and PKI: explore public-key cryptography, digital signature, certificate, and PKI using OpenSSL.
  • Pluggable Authentication Modules (PAM) Lab: explore a flexible authentication technique.
  • SYN Cookies Lab: explore the SYN Cookies mechanism in Linux.



  • (updated 14/01/2017)
    The Lord of Buffer Overflow (Redhat 6.2)


    LEVEL1 (gate -> gremlin) : simple bof
    LEVEL2 (gremlin -> cobolt) : small buffer
    LEVEL3 (cobolt -> goblin) : small buffer + stdin
    LEVEL4 (goblin -> orc) : egghunter
    LEVEL5 (orc -> wolfman) : egghunter + bufferhunter
    LEVEL6 (wolfman -> darkelf) : check length of argv[1] + egghunter + bufferhunter
    LEVEL7 (darkelf -> orge) : check argv[0]
    LEVEL8 (orge -> troll) : check argc
    LEVEL9 (troll -> vampire) : check 0xbfff
    LEVEL10 (vampire -> skeleton) : argv hunter
    LEVEL11 (skeleton -> golem) : stack destroyer
    LEVEL12 (golem -> darkknight) : sfp
    LEVEL13 (darkknight -> bugbear) : RTL1
    LEVEL14 (bugbear -> giant) : RTL2, only execve
    LEVEL15 (giant -> assassin) : no stack, no RTL
    LEVEL16 (assassin -> zombie_assassin) : fake ebp
    LEVEL17 (zombie_assassin -> succubus) : function calls
    LEVEL18 (succubus -> nightmare) : plt
    LEVEL19 (nightmare -> xavis) : fgets + destroyers
    LEVEL20 (xavis -> death_knight) : remote BOF


    http://hackerschool.org/TheLordofBOF/VM_Fedora10.rar (589 MB)

    http://hackerschool.org/TheLordofBOF/VM_Fedora14.rar   (658 MB)

    [FC 3]
    Stack Dummy : O
    Down privileage of bash : O
    Random Stack : O
    Random Library : X
    Random Program Binary Mapped : X
    ASCII Armor : O
    Non-Executable Stack : O
    Non-Executable Heap : O
    Stack Carany : X
    Stack Smashing Protector : X

    Levels:
    gate -> iron_golem : Fake_SFP + Ascii Armor
    iron_golem -> dark_eyes : RET Sleding
    dark_eyes -> hell_fire : another fake_ebp or got overwriting
    hell_fire -> evil_wizard : POP POP RET
    evil_wizard -> dark_stone : POP POP RET / Remote

    [FC 4]
    dark_stone -> cruel : Local BOF on FC4
    cruel -> enigma : Remote BOF on FC4
    enigma -> titan : Remote BOF on FC4

    [FC 10]
    * level1 (titan -> balog)
    * level2 (balog -> talos)
    * level3 (talos -> dark_mare)

    [FC 14]
    * level1 (dark_mare -> stegodon)
    * level2 (stegodon -> blood_seeker)

    [Ref - http://www.hackerschool.org/HS_Boards/zboard.php?id=bof_fellowship_2round&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=4]

    1 comentario:

    1. This is great! thank you for writing this list. very useful...

      ResponderEliminar