Pentesting Vulnerable Study Frameworks Complete List

It’s very difficult for a beginner security analyst, especially in the offensive security field, to find good study resources. Security has many sub-areas of study, such as penetration testing (web app, network, wireless, mobile), forensics, reverse engineering, cryptography, etc., so it becomes even more difficult to choose one and then find proper study resources.

Another challenge is finding actual study environments and labs. Every pentester would generally say that you learn hacking by hacking, which is hard for most beginners, as they generally don’t have the knowledge necessary to build their own pentesting/hacking environments. Most beginners try to start hacking using public Internet resources, which will eventually get them in jail because of the laws they break by attacking resources they don’t have prior permission to test.

With that thought in mind, I’ve decided to gather a list, as complete as I could make it, of all vulnerable pentesting apps, labs and online challenges; in other words, any resource that can be used to learn and test your security skills in a safe environment, without breaking any laws. The list is categorized based on the type of application (Web App, War Games, Capture the Flag, Insecure Distributions, etc.). Due to the number of resources, I won’t be doing any reviews, as that would make this post a lot bigger and extremely boring to read. I will review every app eventually in future posts, at least the ones that I feel are most relevant.

As I don’t know every insecure pentesting app on the planet (actually nobody does), feel free to contact me with any new resources or corrections to my list. Also, please let me know if any links are not working and need to be replaced.

Note that this post is intended to present the many different resources you can use to test your hacking skills; it doesn’t present the tools used to exploit them. Also, in the PRICE column, follow this color code:

  • $$$: Paid Resource
  • $$$: Free Resource
  • $$$: Resources that offer free content, and also a paid subscription for additional content

And here we go …

War Games

This section presents wargame and miscellaneous challenge websites.

| Resource Name | Company / Owner | Language | Price | URL |
|---|---|---|---|---|
| Hell Bound Hackers | Hell Bound Hackers | English | $$$ | https://www.hellboundhackers.org/ |
| Pentestit | Penetration Test Labs | English | $$$ | https://lab.pentestit.ru |
| Crackmes | S4R and Bonclay | English | $$$ | https://crackmes.one |
| Root-me | Root-me | English | $$$ | https://www.root-me.org |
| Tuts 4 You | Tuts 4 You | English | $$$ | https://tuts4you.com |
| Smash the Stack | Smash the Stack | English | $$$ | https://www.smashthestack.org |
| Over the Wire | Over The Wire | English | $$$ | https://overthewire.org/wargames/ |
| Hack This Site | Hack This Site | English | $$$ | https://www.hackthissite.org |
| Hacking Lab | Hacking Lab | English | $$$ | https://www.hacking-lab.com |
| Hacker101 | HackerOne | English | $$$ | https://ctf.hacker101.com |
| Malware-Traffic-Analysis | Malware Traffic Analysis | English | $$$ | https://malware-traffic-analysis.net |
| Practical Pentest Labs | Practical Pentest Labs | English | $$$ | https://practicalpentestlabs.com |
| The Dead Lock Empire | The Dead Lock Empire | English | $$$ | https://deadlockempire.github.io |
| The Crypto Pals | The Crypto Pals | English | $$$ | https://cryptopals.com |
| SlaveHack | SlaveHack | English | $$$ | https://www.slavehack2.com |
| EnigmaGroup | EnigmaGroup | English | $$$ | https://enigmagroup.org |
| Android Labs | Security Compass | English | $$$ | https://securitycompass.github.io/AndroidLabs/index.html |
| TryHackMe | TryHackMe | English | $$$ | https://tryhackme.com |
| Defend The Web | Hack This | English | $$$ | https://defendtheweb.net/ |
| Bright Shadows | The Black Sheep | English | $$$ | https://www.bright-shadows.net |
| Try2Hack | Try2Hack | English | $$$ | http://www.try2hack.nl/ |
| Praetorian | Praetorian | English | $$$ | https://www.praetorian.com/challenges |
| PwnerRank | PwnerRank | English | $$$ | https://www.pwnerrank.com |
| SEED Labs | SEED Labs | English | $$$ | https://seedsecuritylabs.org/labs.html |
| id0-rsa | id0-ra | English | $$$ | https://id0-rsa.pub/ |
| LMG | Network Forensics Puzzle Challenges | English | $$$ | https://forensicscontest.com |
| Hacker Project | Hacker Project | English | $$$ | http://www.hacker-project.com |
| Hacker Forever | Hacker Forever | English | $$$ | https://www.hackerforever.com/ |
| Net Force | Net Force | English | $$$ | https://net-force.nl |
| Shellter Labs | Shellter Labs | English | $$$ | http://shellterlabs.com/ |
| BackDoor | SDSLabs | English | $$$ | https://backdoor.sdslabs.co |
| We Chall | We Chall | English | $$$ | https://www.wechall.net |
| XSS Game | Google | English | $$$ | https://xss-game.appspot.com |
| Exploit-Exercises | Exploit-Exercises | English | $$$ | https://exploit-exercises.com |
| W3Challs | W3Challs | English | $$$ | https://w3challs.com |
| Ring Zero Team | Ring Zero Team | English | $$$ | https://ringzer0team.com/challenges |
| Challenges | KaoLabs | English | $$$ | https://challenges.ka0labs.org |
| PWNABLE.KR | PWNABLE.KR | English | $$$ | http://pwnable.kr |
| REVERSING.KR | REVERSING.KR | English | $$$ | http://reversing.kr |
| MicroCorruption | MicroCorruption | English | $$$ | https://microcorruption.com/login |
| Hax Tor Hu | Hax Tor Hu | English | $$$ | http://hax.tor.hu/welcome |
| Counterhack | Counterhack | English | $$$ | http://counterhack.net/Counter_Hack/Challenges.html |
| Mod-X | Mod-X | English | $$$ | http://www.mod-x.co.uk/main.php |
| Hackertest | Hackertest | Hackertest | $$$ | http://www.hackertest.net |
| World of Wargame | World of Wargame | English | $$$ | https://wow.sinfocol.org |
| Electrica | Caesum | English | $$$ | http://www.caesum.com/game |
| Happy Security | Happy Security | German | $$$ | http://www.happy-security.de |
| Rankk | Rankk | English | $$$ | http://www.rankk.org |
| Newbie Contest | Newbie Contest | French | $$$ | https://www.newbiecontest.org |
| Lost Challenge | Lost Challenge | English | $$$ | http://www.lost-chall.org |
| Yashira Wargame | Yashira Wargame | Spanish | $$$ | http://www.yashira.org |
| Brain Quest | Brain Quest | Slovak | $$$ | http://www.brainquest.sk |
| ThisIsLegal | ThisIsLegal | English | $$$ | https://thisislegal.com |
| TryThisOne | TryThisOne | English | $$$ | http://trythis0ne.com/ |
| TDHack | TDHack | Polish | $$$ | https://www.tdhack.com |
| +Ma’s Reversing | +Ma’s Reversing | English | $$$ | http://3564020356.org |
| Hacker.org | Hacker.org | English | $$$ | http://www.hacker.org |
| HackBBS | HackBBS | French | $$$ | https://hackbbs.org/index.php |
| Security Traps | Security Traps | Polish/English | $$$ | https://www.securitytraps.pl |
| SPOJ | SPOJ | English | $$$ | http://www.spoj.com |
| WebHacking | WebHacking | Korean | $$$ | http://webhacking.kr |
| uContest | uContest | English/French | $$$ | http://www.microcontest.com |
| Valhalla | Valhalla | English | $$$ | https://halls-of-valhalla.org/ |
| SuNiNaTas | SuNiNaTas | Korean | $$$ | http://suninatas.com |
| Yoire | Yoire | English | $$$ | http://yoire.com |
| Wixxerd | Wixxerd | English | $$$ | https://www.wixxerd.com |
| Hacking Challenges | Hacking Challenges | German | $$$ | http://www.hacking-challenges.de |
| Red Tiger HackIt | Red Tiger Labs | English | $$$ | https://redtiger.labs.overthewire.org |
| Tasteless Challenges | Tasteless | English | $$$ | http://chall.tasteless.eu |
| Mod X | Mod X | English | $$$ | http://mod-x.co.uk/main.php |
| ae27ff | ae27ff | English | $$$ | http://ae27ff.meme.tips/about.php |
| Hacker Gateway | Hacker Gateway | English | $$$ | https://www.hackergateway.com |
| Pwnable TW | Pwnable TW | English | $$$ | https://pwnable.tw |
| Try To Decrypt | Try To Decrypt | English | $$$ | https://www.trytodecrypt.com |

Web Application Hacking

This section presents resources for Web Application Security.

| Resource Name | Company / Owner | Language | Price | URL |
|---|---|---|---|---|
| PentesterLab | PentesterLab | English | $$$ | https://pentesterlab.com/ |
| MDSec | PortSwigger | English | $$$ | http://mdsec.net/ |
| Coliseum | eLearnSecurity | English | $$$ | https://www.elearnsecurity.com/virtual-labs/coliseum/ |
| Security Shepherd | OWASP | English | $$$ | https://owasp.org/www-project-security-shepherd/ |
| WebGoat | OWASP | English | $$$ | https://owasp.org/www-project-webgoat/ |
| Vicnum | OWASP | English | $$$ | https://owasp.org/www-project-vicnum/ |
| InsecureWebApp | OWASP | English | $$$ | https://wiki.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project |
| Juice Shop | OWASP | English | $$$ | https://owasp.org/www-project-juice-shop/ |
| Hackademic | OWASP | English | $$$ | http://hackademic.teilar.gr/ |
| Bricks | OWASP | English | $$$ | https://sechow.com/bricks/ |
| Web Security Dojo | Maven Security | English | $$$ | https://www.mavensecurity.com/resources/web-security-dojo |
| Hack-Yourself-First | Troy Hunt | English | $$$ | https://hack-yourself-first.com |
| Game of Hacks | CheckMarx | English | $$$ | https://www.gameofhacks.com/ |
| XSS Game Area | XSS Game Area | English | $$$ | https://xss-game.appspot.com/ |
| Gruyere (previously Codelab) | Google | English | $$$ | https://google-gruyere.appspot.com |
| Hack Me | Hack Me | English | $$$ | https://hack.me |
| Zero Personal Banking | SPI Dynamics | English | $$$ | http://zero.webappsecurity.com/ |
| Acunetix 1 | Acunetix | English | $$$ | http://testphp.vulnweb.com |
| Acunetix 2 | Acunetix | English | $$$ | http://testsp.vulnweb.com |
| Acunetix 3 | Acunetix | English | $$$ | http://testaspnet.vulnweb.com |
| Damn Vulnerable Web Application | DVWA | English | $$$ | https://dvwa.co.uk/ |
| Mutillidae | Iron Geek | English | $$$ | https://github.com/webpwnized/mutillidae |
| The Butterfly Security Project | The Butterfly Security | English | $$$ | https://sourceforge.net/projects/thebutterflytmp/ |
| Hacme Casino | McAfee | English | $$$ | https://www.mcafee.com/enterprise/en-us/downloads/free-tools.html |
| Hacme Bank 2.0 | McAfee | English | $$$ | https://www.mcafee.com/enterprise/en-us/downloads/free-tools.html |
| Updated HackmeBank | McAfee | English | $$$ | https://www.mcafee.com/enterprise/en-us/downloads/free-tools.html |
| Hacme Books | McAfee | English | $$$ | https://www.mcafee.com/enterprise/en-us/downloads/free-tools.html |
| Hacme Travel | McAfee | English | $$$ | https://www.mcafee.com/enterprise/en-us/downloads/free-tools.html |
| Hacme Shipping | McAfee | English | $$$ | https://www.mcafee.com/enterprise/en-us/downloads/free-tools.html |
| Stanford SecuriBench | Stanford | English | $$$ | https://cyberranges.com/scenario/stanford-securibench/ |
| SecuriBench Micro | Stanford | English | $$$ | http://too4words.github.io/securibench-micro/ |
| WebMaven/Buggy Bank | Maven Security | English | $$$ | https://www.mavensecurity.com/about/webmaven |
| Exploit-db | Offensive Security | English | $$$ | https://www.exploit-db.com |
| The Bodgeit Store | The Bodgeit Store | English | $$$ | https://code.google.com/archive/p/bodgeit/ |
| LampSecurity | MadIrish | English | $$$ | https://sourceforge.net/projects/lampsecurity/ |
| hackxor | Hackxor | English | $$$ | https://hackxor.net/ |
| WackoPicko | WackoPicko | English | $$$ | https://github.com/adamdoupe/wackopicko |
| RSnake’s Vulnerability Lab | RSnake | English | $$$ | http://ha.ckers.org/weird/ |
| bWAPP | bWAPP | English | $$$ | https://sourceforge.net/projects/bwapp/ |
| Peruggia | Peruggia | English | $$$ | https://sourceforge.net/projects/peruggia/ |
| Stereotyped Challenges | Stereotyped | English | $$$ | https://chall.stypr.com/ |
| Hack Burger | Hack Burger | English | $$$ | https://hackburger.ee |

Vulnerable Machines and Hacking Playground

This section presents resources that offer full network labs covering different aspects of security, such as network, wireless, web and mobile pentesting, reverse engineering, and privilege escalation, among others.

| Resource Name | Company / Owner | Language | Price | URL |
|---|---|---|---|---|
| Hack the Box | Hack the Box | English | $$$ | https://www.hackthebox.eu/ |
| Hera Lab | eLearnSecurity | English | $$$ | https://ine.com/pages/cybersecurity |
| Vuln Hub | Offensive Security | English | $$$ | https://www.vulnhub.com |
| Root the Box | Root the Box | English | $$$ | https://root-the-box.com |
| Metasploitable 2 | Rapid7 | English | $$$ | https://docs.rapid7.com/metasploit/metasploitable-2/ |
| Metasploitable 3 | Rapid7 | English | $$$ | https://github.com/rapid7/metasploitable3 |

Capture The Flag (CTF) Resources

This section presents resources for Capture The Flag (CTF) challenges.

| Resource Name | Company / Owner | Language | Price | URL |
|---|---|---|---|---|
| CTFtime (CTF Info Aggregator) | CTFtime | English | $$$ | https://ctftime.org |
| CTF365 | CTF365 | English | $$$ | https://ctf365.com |
| CTF Learn | CTF Learn | English | $$$ | https://ctflearn.com |
| HC’s Capture the Flag | HD | English | $$$ | https://ctf.hcesperer.org |
| iCTF | UCSB | English | $$$ | https://ictf.cs.ucsb.edu |
| PicoCTF | PicoCTF | English | $$$ | https://picoctf.com |
| HS CTF | HS CTF | English | $$$ | https://hsctf.com |
| Ghost in the Shellcode | ShmooCon | English | $$$ | https://ghostintheshellcode.com |
| CSAW CTF | CSAW | English | $$$ | https://ctf.isis.poly.edu |
| Defcon CTF | Defcon | English | $$$ | https://legitbs.net |
| Next Hacker | Next Hacker | English | $$$ | https://www.nexthacker.com |
| Cyber Forensics Challenge | Black T-Shirt | English | $$$ | https://cyberforensicschallenge.com |

I hope you have fun!