
Practicing your Hacking skills

The main difference between Ethical or White Hat hacking and Black Hat hacking comes down to the intent and legality of what is being carried out. So how do you stay on the right side of the law?

You have read some books and followed some courses on Penetration Testing, and now it is time to improve and practice your newly acquired skills. You could fire up your computer and pick a website on the internet or log onto a public WiFi network to find a target computer … but that could land you in a lot of trouble.

The bottom line is that hacking without prior permission is illegal!

So how do you go about hacking legally? One way is to join a site such as Bugcrowd, HackerOne or Synack and go after some bug bounties. Perhaps these are viable options down the line but first you may want to hone your skill-set and build up your confidence.

Fortunately there are a variety of software packages and websites that are made available just for this purpose. They have built-in flaws and vulnerabilities that you can legally try to exploit. In this article we will examine some of these:

Defend the Web

An interactive security platform where you can learn and challenge your skills.

defendtheweb.net

This site is used by 700k+ members and focuses on the following:

  • Learn – 70+ articles covering a variety of security topics including Hacking, Coding, Encryption & Steganography, Network Security.
  • Challenge – 60+ challenges to test your knowledge.
  • Collaborate – a community of hackers, developers & security experts sharing knowledge via forums.
  • Progress – keep track of your activity by earning points & medals in the Challenges.

Check out defendtheweb.net for more.

Hack The Box

An online platform to test and advance your skills in penetration testing and cyber security. Join today and start training in our online labs.

hackthebox.eu

These are the membership options to Hack The Box (HTB):

  • Individuals – “A massive playground for you to learn and improve your pen-testing skills” with two levels:
    • Free includes Active Machines (10), Challenges, Technical Support, and Server Regions (EU, USA, AU & SG).
    • VIP includes all the Free features plus Retired Machines (110+), Retired Machine Walkthroughs, and Limited Users Per Server for $10/month.
  • Companies – “Grow your cyber security team through a massive training environment, hands-on gamified learning and top talent acquisition” with three levels:
    • Standard includes Isolated Environment, Dedicated VPN Server, Private Scoreboard, Multiple Admins, Official Machine Writeups, Machine Management, and Full HTB Machine Pool for $3600/year.
    • Advanced includes all the Standard features plus Exclusive Machines, Guest Users, User Activity Monitoring, and Reporting for $6000/year.
    • Enterprise includes all the Advanced features plus Unlimited Pwnbox, and Upload Custom Machines for ‘Contact Us’ pricing.

The HTB service is also available free for Universities.

In addition to the above services, HTB also provides an array of courses through their HTB Academy.

Hacking-Lab

An online ethical hacking, computer network and security challenge platform, dedicated to finding and educating cyber security talents.

hacking-lab.com

This site provides a set of mission-style challenges covering forensics, cryptography, reverse-engineering, ethical hacking, and defense.

The lab software runs in a VMware or VirtualBox installation using a LiveCD that can be installed. A VPN is then used to connect via a GUI or CLI Terminal into Hacking-Lab.

You then solve the challenges and explain each vulnerability along with its remedy or mitigation. Solutions are then graded by teachers.

Membership is Euro 49 per year – for further details visit Hacking-Lab.

HackThisSite.org

A free, safe and legal training ground for hackers to test and expand their ethical hacking skills with challenges, CTFs, and more.

hackthissite.org

This website provides a variety of Hacking Challenges as well as Blogs, News, Articles, Lectures and an online magazine. Additionally, there is a Community that includes Forums and the ability to chat via Private Messages, Discord and IRC.

Hacking Challenges

These are grouped together in the following missions:

  • Basic – small, straightforward challenges designed to outline the fundamentals of a hacker’s first steps in web hacking.
  • Realistic – complete websites with built-in security flaws and simulated objectives.
  • Application (Reversing) – operating system / programming specific skills; these missions test your ability to manipulate and gather information from applications on your own machine.
  • Steganography – this covers hiding information in plain sight (rather than using encryption), which is hard to do discreetly.
  • JavaScript – no longer just for pretty effects but can be used to make entire web applications. Exploiting JavaScript is an important skill for a hacker’s tool set.
  • Extended Basic – vulnerable code snippets that you then have to exploit or patch.

HackThisSite.org is a free site but requests donations to help with running costs.

Metasploitable

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.

rapid7.com

Examples of vulnerabilities included within Metasploitable are Malicious & Unintentional Backdoors, Weak Passwords, Vulnerable Web Services, Mutillidae (a flawed web app), and DVWA (Damn Vulnerable Web App).

Downloads

Virtual Machine (VM) images are available either pre-built or you can download the very latest components and build them yourself.

VMs of Metasploitable 2 are available for VMware, VirtualBox and other virtualization platforms – click here for details.

To download the components that make up Metasploitable 3 visit https://github.com/rapid7/metasploitable3 which includes instructions for both automatic and manual builds.

Documentation

Documentation for both of the above versions can be found here:

WebGoat

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

github.com/WebGoat

The aim of the program is to demonstrate common server-side application flaws.

There are four methods of running WebGoat:

  • Docker container – a docker image containing WebGoat and WebWolf.
  • Docker stack – a composer-file, also containing WebGoat and WebWolf, can be deployed in a docker stack.
  • Standalone – this involves running the WebGoat server and WebWolf .jar files.
  • Run from sources – the Git repository is cloned, compiled and installed, then run using Maven.

For further details on the above methods please visit here.

In our article Exploitation Tools (part 2) we covered WebGoat in some detail – please check out the last section of the article.


Which service or application do you find the best for practicing your Pentesting skills against? Are there any additions that should be in the above article? Please comment below and let us know.