100+ Hacking Sites Legally to Practice Your InfoSec Skills

They say the best defense is a good offense – and it’s no different in the InfoSec world. Use these list to practice your hacking skills so you can be the best defender you can – whether you’re a developer, security manager, auditor or pen-tester. Always remember: Practice makes perfect!
What other sites have you used to practice on? Let us know below!

Vulnerable Web Applications

BadStore

http://www.badstore.net/

BodgeIt Store

http://code.google.com/p/bodgeit/

Butterfly Security Project

http://thebutterflytmp.sourceforge.net/

bWAPP

http://www.mmeit.be/bwapp/
http://sourceforge.net/projects/bwapp/files/bee-box/

Commix

https://github.com/stasinopoulos/commix-testbed

CryptOMG

https://github.com/SpiderLabs/CryptOMG

Damn Vulnerable Node Application (DVNA)

https://github.com/quantumfoam/DVNA/

Damn Vulnerable Web App (DVWA)

http://www.dvwa.co.uk/

Damn Vulnerable Web Services (DVWS)

http://dvws.professionallyevil.com/

Drunk Admin Web Hacking Challenge

https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/

Exploit KB Vulnerable Web App

http://exploit.co.il/projects/vuln-web-app/

Foundstone Hackme Bank

http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx

Foundstone Hackme Books

http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx

Foundstone Hackme Casino

http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx

Foundstone Hackme Shipping

http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx

Foundstone Hackme Travel

http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx

GameOver

http://sourceforge.net/projects/null-gameover/

hackxor

http://hackxor.sourceforge.net/cgi-bin/index.pl

Hackazon

https://github.com/rapid7/hackazon

LAMPSecurity

http://sourceforge.net/projects/lampsecurity/

Moth

http://www.bonsai-sec.com/en/research/moth.php

NOWASP / Mutillidae 2

http://sourceforge.net/projects/mutillidae/

OWASP BWA

http://code.google.com/p/owaspbwa/

OWASP Hackademic

http://hackademic1.teilar.gr/

OWASP SiteGenerator

https://www.owasp.org/index.php/Owasp_SiteGenerator

OWASP Bricks

http://sourceforge.net/projects/owaspbricks/

OWASP Security Shepherd

https://www.owasp.org/index.php/OWASP_Security_Shepherd

PentesterLab

https://pentesterlab.com/

PHDays iBank CTF

http://blog.phdays.com/2012/05/once-again-about-remote-banking.html

SecuriBench

http://suif.stanford.edu/~livshits/securibench/

SentinelTestbed

https://github.com/dobin/SentinelTestbed

SocketToMe

http://digi.ninja/projects/sockettome.php

sqli-labs

https://github.com/Audi-1/sqli-labs

MCIR (Magical Code Injection Rainbow)

https://github.com/SpiderLabs/MCIR

sqlilabs

https://github.com/himadriganguly/sqlilabs

VulnApp

http://www.nth-dimension.org.uk/blog.php?id=88

PuzzleMall

http://code.google.com/p/puzzlemall/

WackoPicko

https://github.com/adamdoupe/WackoPicko

WAED

http://www.waed.info

WebGoat.NET

https://github.com/jerryhoff/WebGoat.NET/

WebSecurity Dojo

http://www.mavensecurity.com/web_security_dojo/

XVWA

https://github.com/s4n7h0/xvwa

Zap WAVE

http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip

Vulnerable Operating System Installations

21LTR

http://21ltr.com/scenes/

Damn Vulnerable Linux

http://sourceforge.net/projects/virtualhacking/files/os/dvl/

exploit-exercises – nebula, protostar, fusion

http://exploit-exercises.com/download

heorot: DE-ICE, hackerdemia

http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso
http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso
http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso
http://hackingdojo.com/downloads/iso/De-ICE_S2.100.iso
hackerdemia – http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso

Holynix

http://sourceforge.net/projects/holynix/files/

Kioptrix

http://www.kioptrix.com/blog/

LAMPSecurity

http://sourceforge.net/projects/lampsecurity/

Metasploitable

http://sourceforge.net/projects/virtualhacking/files/os/metasploitable/

neutronstar

http://neutronstar.org/goatselinux.html

PenTest Laboratory

http://pentestlab.org/lab-in-a-box/

Pentester Lab

https://www.pentesterlab.com/exercises

pWnOS

http://www.pwnos.com/

RebootUser Vulnix

http://www.rebootuser.com/?page_id=1041

SecGame # 1: Sauron

http://sg6-labs.blogspot.co.uk/2007/12/secgame-1-sauron.html

scriptjunkie.us

http://www.scriptjunkie.us/2012/04/the-hacker-games/

UltimateLAMP

http://www.amanhardikar.com/mindmaps/practice-links.html

TurnKey Linux

http://www.turnkeylinux.org/

Bitnami

https://bitnami.com/stacks

Elastic Server

http://elasticserver.com

OS Boxes

http://www.osboxes.org

VirtualBoxes

http://virtualboxes.org/images/

VirtualBox Virtual Appliances

https://virtualboximages.com/

CentOS

http://www.centos.org/

Default Windows Clients

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
https://dev.windows.com/en-us/microsoft-edge/tools/vms/

Default Windows Server

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

Default VMWare vSphere

http://www.vmware.com/products/vsphere/

Sites for Downloading Older Versions of Various Software

Exploit-DB

http://www.exploit-db.com/

Old Apps

http://www.oldapps.com/

Old Version

http://www.oldversion.com/

VirtualHacking Repo

sourceforge.net/projects/virtualhacking/files/apps%40realworld/

Sites by Vendors of Security Testing Software

Acunetix acuforum

http://testasp.vulnweb.com/

Acunetix acublog

http://testaspnet.vulnweb.com/

Acunetix acuart

http://testphp.vulnweb.com/

Cenzic crackmebank

http://crackme.cenzic.com

HP freebank

http://zero.webappsecurity.com

IBM altoromutual

http://demo.testfire.net/

Mavituna testsparker

http://aspnet.testsparker.com

Mavituna testsparker

http://php.testsparker.com

NTOSpider Test Site

http://www.webscantest.com/

Sites for Improving Your Hacking Skills

Embedded Security CTF

https://microcorruption.com

EnigmaGroup

http://www.enigmagroup.org/

Escape

http://escape.alf.nu/

Google Gruyere

http://google-gruyere.appspot.com/

Gh0st Lab

http://www.gh0st.net/

Hack This Site

http://www.hackthissite.org/

HackThis

http://www.hackthis.co.uk/

HackQuest

http://www.hackquest.com/

Hack.me

https://hack.me

Hacking-Lab

https://www.hacking-lab.com

Hacker Challenge

http://www.dareyourmind.net/

Hacker Test

http://www.hackertest.net/

hACME Game

http://www.hacmegame.org/

Halls Of Valhalla

http://halls-of-valhalla.org/beta/challenges

Hax.Tor

http://hax.tor.hu/

OverTheWire

http://www.overthewire.org/wargames/

PentestIT

http://www.pentestit.ru/en/

CSC Play on Demand

https://pod.cybersecuritychallenge.org.uk/

pwn0

https://pwn0.com/home.php

RootContest

http://rootcontest.com/

Root Me

http://www.root-me.org/?lang=en

Security Treasure Hunt

http://www.securitytreasurehunt.com/

Smash The Stack

http://www.smashthestack.org/

SQLZoo

http://sqlzoo.net/hack/

TheBlackSheep and Erik

http://www.bright-shadows.net/

ThisIsLegal

http://thisislegal.com/

Try2Hack

http://www.try2hack.nl/

WabLab

http://www.wablab.com/hackme

XSS: Can You XSS This?

http://canyouxssthis.com/HTMLSanitizer/

XSS Game

https://xss-game.appspot.com/

XSS: ProgPHP

http://xss.progphp.com/

CTF Sites / Archives

CAPTF Repo

http://captf.com/

CTFtime (Details of CTF Challenges)

http://ctftime.org/ctfs/

CTF write-ups repository

https://github.com/ctfs

Reddit CTF Announcements

http://www.reddit.com/r/securityctf

shell-storm Repo

http://shell-storm.org/repo/CTF/

VulnHub

https://www.vulnhub.com

Mobile Apps

Damn Vulnerable Android App (DVAA)

https://code.google.com/p/dvaa/

Damn Vulnerable FirefoxOS Application (DVFA)

https://github.com/pwnetrationguru/dvfa/

Damn Vulnerable iOS App (DVIA)

http://damnvulnerableiosapp.com/

ExploitMe Mobile Android Labs

http://securitycompass.github.io/AndroidLabs/

ExploitMe Mobile iPhone Labs

http://securitycompass.github.io/iPhoneLabs/

Hacme Bank Android

http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx

InsecureBank

http://www.paladion.net/downloadapp.html

NcN Wargame

http://noconname.org/evento/wargame/

OWASP iGoat

http://code.google.com/p/owasp-igoat/

OWASP Goatdroid

https://github.com/jackMannino/OWASP-GoatDroid-Project

Lab

binjitsu

https://github.com/binjitsu/binjitsu

CTFd

https://github.com/isislab/CTFd

Mellivora

https://github.com/Nakiami/mellivora

NightShade

https://github.com/UnrealAkama/NightShade

MCIR

https://github.com/SpiderLabs/MCIR

Docker

https://www.docker.com/

Vagrant

https://www.vagrantup.com/

NETinVM

http://informatica.uv.es/~carlos/docencia/netinvm/

SmartOS

https://smartos.org/

SmartDataCenter

https://github.com/joyent/sdc

vSphere Hypervisor

https://www.vmware.com/products/vsphere-hypervisor/

GNS3

http://sourceforge.net/projects/gns-3/

OCCP

https://opencyberchallenge.net/

XAMPP

https://www.apachefriends.org/index.html

Miscellaneous

VulnVPN

http://www.rebootuser.com/?page_id=1041

VulnVoIP

http://www.rebootuser.com/?page_id=1041

Vulnserver

http://www.thegreycorner.com/2010/12/introducing-vulnserver.html

NETinVM

http://informatica.uv.es/~carlos/docencia/netinvm/

DVRF

https://github.com/praetorian-inc/DVRF

HackSys Extreme Vulnerable Driver

http://www.payatu.com/hacksys-extreme-vulnerable-driver/

VirtuaPlant

https://github.com/jseidl/virtuaplant

Fosscomm

https://github.com/nikosdano/fosscomm

Morning Catch

http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

AWBO

https://labs.snort.org/awbo/awbo.html

Back to top button
Close