Setting Up a Pen-Test Lab with vulnerable VMs

Since ESXi 3.5 is installed on my server, I was looking for already vulnerable VMs that can be deployed to it. The following list contains the VMs that I found via a google search:

• Metasploitable

It's a VM that is provided by Rapid 7, the owner of Metasploit. Metasploitable is a Virtual Machine (running Ubuntu 8.04) with a lot of vulnerabilities, that can be used to test the Metasploit framework and execute attacks against it.

Description of Metasploitable
PirateBay Link

• Ultimate LAMP

The purpose of Ultimate LAMP was not to be vulnerable, but the VM is pretty old, it is from Mai 2006 (so it should contain some vulnerabilities :-).

Here is the description of the Homepage for UltimateLAMP:

UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products.

UltimateLAMP
Description of Ultimate LAMP
Direct download Link

• Damn Vulnerable Linux (DVL)

DVL is a VM that, as the name already implies, is damn vulnerable and is based on Slackware. Unfortunately the Homepage is under constructions for several months now and I didn't found any direct download link. But there is a torrent available. DVL is based on BackTrack 2.

Distrowatch
PirateBay Link

If you know more vulnerable VMs that can be used in a penetration testing lab, leave a comment. Thx.

Besides these VMs, the OWASP Project is also hosting a website called HackingLab. You just have to register and then you are able to connect into the HackingLab with an OpenVPN Client . The OWASP Project also provides an already configured VM that can be used to connect into the HackingLab. When you are connected you are able to execute several web application pentests against the HackingLab Test Environment. Here you can find the whole list of challenges.


URL:
How to set up a penetration testing Lab