Pentetration testing lab

Pentetration testing lab

Security Information Management systems are meant to catch and report anything suspicious, right? So how do we test them? Creating a vulnerable network and exploiting it. The following tools can be used to create a testing lab to validate network security and web application security controls

Attack systems:

Back|Track — The most widely used and well developed penetration distro. The main disadvantage is bloat and lack of Hyper-V support. (Live disc; Slax; netsec)

Matriux — The new kid on the block, with a faster and leaner distro than Back|Track and native Hyper-V support. (Live disc, Hyper-V; Kubuntu; netsec)

Neopwn — A penetration testing distro created for smart phones. (Debian; netsec)

Pentoo — Gentoo meets pentesting. (Live disc; Gentoo; netsec).

Samurai Web Testing Framework — Specifically targeted towards web application security testing. (Live disc, Ubuntu, appsec)


Target systems:

Damn Vulnerable Linux (DVL) — The classic vulnerable Linux environment. (Live disc; netsec)

De-ICE — A series of systems to provide real-world security challenges, used in training sessions. (Live disc; netsec)

Metasploitable — Metasploit’s answer to the question: now that I have Metasploit installed, what can I attack? (VMware; Ubuntu; netsec)

Damn Vulnerable Web App (DVWA) — A preconfigured web server hosting a LAMP stack (Linux, Apache, MySQL, PHP) with a series of common vulnerabilities. (Live disc; Ubuntu; appsec;)

Moth — From the people that brought you w3af, Moth is a preconfigured web server with vulnerable PHP scripts and PHP-IDS. (VMware; Ubuntu; appsec)

Mutillidae — An insecure PHP web app that implements the OWASP Top 10. (Installer; appsec)

WebGoat — An insecure J2EE web app that OWASP uses for security training. (Installer; appsec)

Posted by