Security Information Management systems are meant to catch and report anything suspicious, right? So how do we test them? By creating a vulnerable network and exploiting it. The following tools can be used to build a testing lab to validate network security and web application security controls.
Attack systems:
Back|Track — The most widely used and well-developed penetration-testing distro. Its main disadvantages are bloat and a lack of Hyper-V support. (Live disc; Slax; netsec)
http://www.backtrack-linux.org/
Matriux — The new kid on the block, with a faster and leaner distro than Back|Track and native Hyper-V support. (Live disc, Hyper-V; Kubuntu; netsec)
http://www.matriux.com/
Neopwn — A penetration testing distro created for smart phones. (Debian; netsec)
http://www.neopwn.com/
Pentoo — Gentoo meets pentesting. (Live disc; Gentoo; netsec)
http://pentoo.ch/
Samurai Web Testing Framework — Specifically targeted at web application security testing. (Live disc; Ubuntu; appsec)
http://samurai.inguardians.com/
Target systems:
Damn Vulnerable Linux (DVL) — The classic vulnerable Linux environment. (Live disc; netsec)
De-ICE — A series of systems to provide real-world security challenges, used in training sessions. (Live disc; netsec)
Metasploitable — Metasploit’s answer to the question: now that I have Metasploit installed, what can I attack? (VMware; Ubuntu; netsec)
Damn Vulnerable Web App (DVWA) — A preconfigured web server hosting a LAMP stack (Linux, Apache, MySQL, PHP) with a series of common vulnerabilities. (Live disc; Ubuntu; appsec)
http://www.dvwa.co.uk/
Moth — From the people who brought you w3af, Moth is a preconfigured web server with vulnerable PHP scripts and PHP-IDS. (VMware; Ubuntu; appsec)
http://www.bonsai-sec.com/en/research/moth.php
Mutillidae — An insecure PHP web app that implements the OWASP Top 10. (Installer; appsec)
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
WebGoat — An insecure J2EE web app that OWASP uses for security training. (Installer; appsec)
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project