Pentetration testing lab

Pentetration testing lab

Security Information Management systems are meant to catch and report anything suspicious, right? So how do we test them? Creating a vulnerable network and exploiting it. The following tools can be used to create a testing lab to validate network security and web application security controls

 
Attack systems:

Back|Track — The most widely used and well developed penetration distro. The main disadvantage is bloat and lack of Hyper-V support. (Live disc; Slax; netsec)
http://www.backtrack-linux.org/

Matriux — The new kid on the block, with a faster and leaner distro than Back|Track and native Hyper-V support. (Live disc, Hyper-V; Kubuntu; netsec)
http://www.matriux.com/

Neopwn — A penetration testing distro created for smart phones. (Debian; netsec)
http://www.neopwn.com/

Pentoo — Gentoo meets pentesting. (Live disc; Gentoo; netsec).
http://pentoo.ch/

Samurai Web Testing Framework — Specifically targeted towards web application security testing. (Live disc, Ubuntu, appsec)
http://samurai.inguardians.com/

 

Target systems:

Damn Vulnerable Linux (DVL) — The classic vulnerable Linux environment. (Live disc; netsec)

De-ICE — A series of systems to provide real-world security challenges, used in training sessions. (Live disc; netsec)

Metasploitable — Metasploit’s answer to the question: now that I have Metasploit installed, what can I attack? (VMware; Ubuntu; netsec)

Damn Vulnerable Web App (DVWA) — A preconfigured web server hosting a LAMP stack (Linux, Apache, MySQL, PHP) with a series of common vulnerabilities. (Live disc; Ubuntu; appsec;)
http://www.dvwa.co.uk/

Moth — From the people that brought you w3af, Moth is a preconfigured web server with vulnerable PHP scripts and PHP-IDS. (VMware; Ubuntu; appsec)
http://www.bonsai-sec.com/en/research/moth.php

Mutillidae — An insecure PHP web app that implements the OWASP Top 10. (Installer; appsec)
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

WebGoat — An insecure J2EE web app that OWASP uses for security training. (Installer; appsec)
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Posted by