100+ Hacking Sites Legally to Practice Your InfoSec Skills

They say the best defense is a good offense – and it’s no different in the InfoSec world. Use these list to practice your hacking skills so you can be the best defender you can – whether you’re a developer, security manager, auditor or pen-tester. Always remember: Practice makes perfect!

Don’t miss: Create Your Own Web Penetration Testing Lab in Kali Linux

Don’t miss: Practice your Hacking Skills By Participating in CTFs Challenges

What other sites have you used to practice on? Let us know below!

Vulnerable Web Applications
BadStore	http://www.badstore.net/
BodgeIt Store	http://code.google.com/p/bodgeit/
Butterfly Security Project	http://thebutterflytmp.sourceforge.net/
bWAPP	http://www.mmeit.be/bwapp/ http://sourceforge.net/projects/bwapp/files/bee-box/
Commix	https://github.com/stasinopoulos/commix-testbed
CryptOMG	https://github.com/SpiderLabs/CryptOMG
Damn Vulnerable Node Application (DVNA)	https://github.com/quantumfoam/DVNA/
Damn Vulnerable Web App (DVWA)	http://www.dvwa.co.uk/
Damn Vulnerable Web Services (DVWS)	http://dvws.professionallyevil.com/
Drunk Admin Web Hacking Challenge	https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/
Exploit KB Vulnerable Web App	http://exploit.co.il/projects/vuln-web-app/
Foundstone Hackme Bank	http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Foundstone Hackme Books	http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Foundstone Hackme Casino	http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Foundstone Hackme Shipping	http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Foundstone Hackme Travel	http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
GameOver	http://sourceforge.net/projects/null-gameover/
hackxor	http://hackxor.sourceforge.net/cgi-bin/index.pl
Hackazon	https://github.com/rapid7/hackazon
LAMPSecurity	http://sourceforge.net/projects/lampsecurity/
Moth	http://www.bonsai-sec.com/en/research/moth.php
NOWASP / Mutillidae 2	http://sourceforge.net/projects/mutillidae/
OWASP BWA	http://code.google.com/p/owaspbwa/
OWASP Hackademic	http://hackademic1.teilar.gr/
OWASP SiteGenerator	https://www.owasp.org/index.php/Owasp_SiteGenerator
OWASP Bricks	http://sourceforge.net/projects/owaspbricks/
OWASP Security Shepherd	https://www.owasp.org/index.php/OWASP_Security_Shepherd
PentesterLab	https://pentesterlab.com/
PHDays iBank CTF	http://blog.phdays.com/2012/05/once-again-about-remote-banking.html
SecuriBench	http://suif.stanford.edu/~livshits/securibench/
SentinelTestbed	https://github.com/dobin/SentinelTestbed
SocketToMe	http://digi.ninja/projects/sockettome.php
sqli-labs	https://github.com/Audi-1/sqli-labs
MCIR (Magical Code Injection Rainbow)	https://github.com/SpiderLabs/MCIR
sqlilabs	https://github.com/himadriganguly/sqlilabs
VulnApp	http://www.nth-dimension.org.uk/blog.php?id=88
PuzzleMall	http://code.google.com/p/puzzlemall/
WackoPicko	https://github.com/adamdoupe/WackoPicko
WAED	http://www.waed.info
WebGoat.NET	https://github.com/jerryhoff/WebGoat.NET/
WebSecurity Dojo	http://www.mavensecurity.com/web_security_dojo/
XVWA	https://github.com/s4n7h0/xvwa
Zap WAVE	http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip
Vulnerable Operating System Installations
21LTR	http://21ltr.com/scenes/
Damn Vulnerable Linux	http://sourceforge.net/projects/virtualhacking/files/os/dvl/
exploit-exercises – nebula, protostar, fusion	http://exploit-exercises.com/download
heorot: DE-ICE, hackerdemia	http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso http://hackingdojo.com/downloads/iso/De-ICE_S2.100.iso hackerdemia – http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso
Holynix	http://sourceforge.net/projects/holynix/files/
Kioptrix	http://www.kioptrix.com/blog/
LAMPSecurity	http://sourceforge.net/projects/lampsecurity/
Metasploitable	http://sourceforge.net/projects/virtualhacking/files/os/metasploitable/
neutronstar	http://neutronstar.org/goatselinux.html
PenTest Laboratory	http://pentestlab.org/lab-in-a-box/
Pentester Lab	https://www.pentesterlab.com/exercises
pWnOS	http://www.pwnos.com/
RebootUser Vulnix	http://www.rebootuser.com/?page_id=1041
SecGame # 1: Sauron	http://sg6-labs.blogspot.co.uk/2007/12/secgame-1-sauron.html
scriptjunkie.us	http://www.scriptjunkie.us/2012/04/the-hacker-games/
UltimateLAMP	http://www.amanhardikar.com/mindmaps/practice-links.html
TurnKey Linux	http://www.turnkeylinux.org/
Bitnami	https://bitnami.com/stacks
Elastic Server	http://elasticserver.com
OS Boxes	http://www.osboxes.org
VirtualBoxes	http://virtualboxes.org/images/
VirtualBox Virtual Appliances	https://virtualboximages.com/
CentOS	http://www.centos.org/
Default Windows Clients	https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise https://dev.windows.com/en-us/microsoft-edge/tools/vms/
Default Windows Server	https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview
Default VMWare vSphere	http://www.vmware.com/products/vsphere/
Sites for Downloading Older Versions of Various Software
Exploit-DB	http://www.exploit-db.com/
Old Apps	http://www.oldapps.com/
Old Version	http://www.oldversion.com/
VirtualHacking Repo	sourceforge.net/projects/virtualhacking/files/apps%40realworld/
Sites by Vendors of Security Testing Software
Acunetix acuforum	http://testasp.vulnweb.com/
Acunetix acublog	http://testaspnet.vulnweb.com/
Acunetix acuart	http://testphp.vulnweb.com/
Cenzic crackmebank	http://crackme.cenzic.com
HP freebank	http://zero.webappsecurity.com
IBM altoromutual	http://demo.testfire.net/
Mavituna testsparker	http://aspnet.testsparker.com
Mavituna testsparker	http://php.testsparker.com
NTOSpider Test Site	http://www.webscantest.com/
Sites for Improving Your Hacking Skills
Embedded Security CTF	https://microcorruption.com
EnigmaGroup	http://www.enigmagroup.org/
Escape	http://escape.alf.nu/
Google Gruyere	http://google-gruyere.appspot.com/
Gh0st Lab	http://www.gh0st.net/
Hack This Site	http://www.hackthissite.org/
HackThis	http://www.hackthis.co.uk/
HackQuest	http://www.hackquest.com/
Hack.me	https://hack.me
Hacking-Lab	https://www.hacking-lab.com
Hacker Challenge	http://www.dareyourmind.net/
Hacker Test	http://www.hackertest.net/
hACME Game	http://www.hacmegame.org/
Halls Of Valhalla	http://halls-of-valhalla.org/beta/challenges
Hax.Tor	http://hax.tor.hu/
OverTheWire	http://www.overthewire.org/wargames/
PentestIT	http://www.pentestit.ru/en/
CSC Play on Demand	https://pod.cybersecuritychallenge.org.uk/
pwn0	https://pwn0.com/home.php
RootContest	http://rootcontest.com/
Root Me	http://www.root-me.org/?lang=en
Security Treasure Hunt	http://www.securitytreasurehunt.com/
Smash The Stack	http://www.smashthestack.org/
SQLZoo	http://sqlzoo.net/hack/
TheBlackSheep and Erik	http://www.bright-shadows.net/
ThisIsLegal	http://thisislegal.com/
Try2Hack	http://www.try2hack.nl/
WabLab	http://www.wablab.com/hackme
XSS: Can You XSS This?	http://canyouxssthis.com/HTMLSanitizer/
XSS Game	https://xss-game.appspot.com/
XSS: ProgPHP	http://xss.progphp.com/
CTF Sites / Archives
CAPTF Repo	http://captf.com/
CTFtime (Details of CTF Challenges)	http://ctftime.org/ctfs/
CTF write-ups repository	https://github.com/ctfs
Reddit CTF Announcements	http://www.reddit.com/r/securityctf
shell-storm Repo	http://shell-storm.org/repo/CTF/
VulnHub	https://www.vulnhub.com
Mobile Apps
Damn Vulnerable Android App (DVAA)	https://code.google.com/p/dvaa/
Damn Vulnerable FirefoxOS Application (DVFA)	https://github.com/pwnetrationguru/dvfa/
Damn Vulnerable iOS App (DVIA)	http://damnvulnerableiosapp.com/
ExploitMe Mobile Android Labs	http://securitycompass.github.io/AndroidLabs/
ExploitMe Mobile iPhone Labs	http://securitycompass.github.io/iPhoneLabs/
Hacme Bank Android	http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx
InsecureBank	http://www.paladion.net/downloadapp.html
NcN Wargame	http://noconname.org/evento/wargame/
OWASP iGoat	http://code.google.com/p/owasp-igoat/
OWASP Goatdroid	https://github.com/jackMannino/OWASP-GoatDroid-Project
Lab
binjitsu	https://github.com/binjitsu/binjitsu
CTFd	https://github.com/isislab/CTFd
Mellivora	https://github.com/Nakiami/mellivora
NightShade	https://github.com/UnrealAkama/NightShade
MCIR	https://github.com/SpiderLabs/MCIR
Docker	https://www.docker.com/
Vagrant	https://www.vagrantup.com/
NETinVM	http://informatica.uv.es/~carlos/docencia/netinvm/
SmartOS	https://smartos.org/
SmartDataCenter	https://github.com/joyent/sdc
vSphere Hypervisor	https://www.vmware.com/products/vsphere-hypervisor/
GNS3	http://sourceforge.net/projects/gns-3/
OCCP	https://opencyberchallenge.net/
XAMPP	https://www.apachefriends.org/index.html
Miscellaneous
VulnVPN	http://www.rebootuser.com/?page_id=1041
VulnVoIP	http://www.rebootuser.com/?page_id=1041
Vulnserver	http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
NETinVM	http://informatica.uv.es/~carlos/docencia/netinvm/
DVRF	https://github.com/praetorian-inc/DVRF
HackSys Extreme Vulnerable Driver	http://www.payatu.com/hacksys-extreme-vulnerable-driver/
VirtuaPlant	https://github.com/jseidl/virtuaplant
Fosscomm	https://github.com/nikosdano/fosscomm
Morning Catch	http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/
AWBO	https://labs.snort.org/awbo/awbo.html