PentestGround, free pentesting labs

Preparing a lab for practicing pentest can take time. Depending of the vulnerable and attacker machines, you may need to download a vulnerable virtual machine, install it, fix eventual issues on VirtualBox or VMware, start services, maybe prepare the database, tools, proxies, certificates, etc… A list of these labs is available on owasp.org. They’re fun, useful, some of them are offline, others are online.

TryHackMe

A simple alternative to use a few of them is to go to TryHackMe. You can find for example OWASP Juice ShopOWASP Mutillidae IIDVWA (Damn Vulnerable Web Application). You can execute them anytime, they’re free, but you need to create a TryHackMe account.

PentestGround by pentest-tools.com

If for some reason you don’t want to subscribe TryHackMe, I’ve just found a nice website with this kind of learning tools for pentesters, without subscription and instantaneously available. This website is PentestGround.

You’ll find a list of vulnerable machines with different technologies, web apps, a Redis server and APIs like REST API or GraphQL and their vulnerabilities.

PentestGround page made by pentest-tools.com showing the list of vulnerable systems available for practicing

DVWA

If you click for example the first link for Damn Vulnerable Web Application, you’re directed to PentestGround’s instance which appears in a second and is ready to use.

DVWA homepage available on pentest-ground.com

REST API

You can also test a REST API by clicking the third link. A first page provides some technical detail and URL for this API.

vulnerable REST API homepage available on pentest-ground.com and showing technical specifications

If you click “Scan this API” bottom page, a quick walkthrough explains how to use PentestTools for testing the API without virtual machines or local tools and setup an authorization header. If you don’t have any account on this website, just subscribe here before testing the API.

Numbered list showing how to scan the vulnerable API and providing the authentication header

If you have your own virtual machines or (pen)testing tools locally installed , you can just launch Postman and Burp Suite.

You can now explore and hack each of them. Thanks to PentestTools for providing these free labs.

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

Creative Commons License CC BY-SA 4.0