Reviewing online lab portals (Become an expert)

In this section, I will give short reviews of the public online penetration testing labs on the Internet that are run by third parties.

Getting ready

Nowadays, many such online penetration testing lab portals are available, offering a wide range of network services and lab topologies suitable for almost any training task or need. They all share one thing that matters for any junior penetration tester: you do not need to install, set up, or maintain any hardware or software yourself; it is already done for you.

It is worth mentioning that you cannot change every lab component's settings, which is why these portals are not suitable for some specific tasks that demand particular lab environment parameters.

To start training with online penetration testing labs, you will need the following:

  • A computer with Internet access
  • A web browser
  • An e-mail address that will be used only for working with online penetration testing lab portals and is not linked to your other e-mail accounts
  • BackTrack 5R3 virtual machine

How to do it…

Let us check some online lab portals, with a short description of each. We will start by examining Hacking-Lab, one of the most interesting online hacking portals, which offers a variety of online hacking challenges, including OWASP Top 10 training:

  1. Open your browser and enter the address https://www.hacking-lab.com/. You should see the following page:
    [Screenshot: Hacking-Lab home page]
  2. Click on Remote Security Lab on the left side of the main page, then click on Topology to see that the Hacking Lab portal consists of two logical parts: a public web portal and a VPN-protected lab network:
    [Screenshot: Hacking-Lab topology]

    To start using the Hacking Lab programs, you need to register and log in with your account.

  3. Click on Create a free account now! on the left side of the web page and register.
  4. Click on the Events link to check which events are available at the moment:
    [Screenshot: Hacking-Lab Events page]
  5. Choose the event and click on Register Now in the Status column. In my case, it is OWASP Top Ten.
  6. Return to the Events page, click on the event that you have chosen, and select a challenge from the list that opens to read its details.

Some of the events require a VPN connection to the lab. Let me show you how to establish it using OWASP Top Ten event #1, OWASP A1 - Blind SQL Injection Attack. Remember that you will be allowed to establish a connection only if you are registered for one of the events that requires it.

  1. Click on the Download link on the left side of the web page and choose LiveCD.
  2. Select the latest version and download the VMware8 Appliance.
  3. Now, run VMware Workstation, select Open from the File menu, and select the LiveCD VMware8 Appliance in the new dialog window.
  4. In the Import Virtual Machine dialog window, set the virtual machine name and directory and click on Import.
  5. Run the LiveCD virtual machine:
    [Screenshot: Hacking-Lab LiveCD desktop]
  6. Click on the flag icon at the top-right corner and change the keyboard layout to US.
  7. Now, right-click on the VPN connection icon next to the keyboard layout and select Connect Password. The following window will open:
    [Screenshot: VPN connection password dialog]
  8. Enter your Hacking-Lab ID (e-mail) with the initial password and click on OK. The VPN connection icon at the top-right corner should turn green if everything was correct.
  9. Now, open the browser and enter the vulnerable application URL: http://glocken.hacking-lab.com/12001/inputval_case2/inputval2/index.html.
    [Screenshot: the vulnerable application]
  10. Start solving the challenge!

Now, let us take a look at another portal called Hack-a-Server.

This portal is used not only by white-hat hackers and penetration testers who want to improve their skills, but also by system administrators and owners of real servers who want to test their security and are ready to pay for vulnerability disclosure. You can find the main idea of the portal right on its home page.

  1. Open the browser and enter the address https://www.hackaserver.com/:
    [Screenshot: Hack-a-Server home page]
  2. Click on Sign Up at the top-right corner of the page.
  3. Enter your nickname, e-mail, password, and click on Sign Up.
  4. Check your e-mail; you will receive a message from the Hack-A-Server portal containing your account activation link. Click on the link.

At this stage, only the Training and Exam arenas are available to you. It is worth mentioning that Hack-A-Server is a commercial start-up, which is why it allows you to earn money for vulnerability disclosure and exploitation in the Playground arena.

But before you can access the Playground arena, where money can be earned, you have to pass the exam.

  1. Click on the Training Arena link at the top of the web page and check what is available for practising your penetration testing skills:
    [Screenshot: Hack-a-Server Training Arena]
  2. Select any target and click on Hack It! to view the target details.
  3. The portal will ask you to download a certificate bundle (connection package) to create a VPN connection to the training arena.
  4. Download the certificate bundle and unzip it.
  5. Start the BackTrack 5R3 virtual machine.
  6. Copy the unzipped connection package to your virtual BackTrack 5R3 machine.
  7. Open the terminal and change the working directory to the certificate bundle directory.
  8. Run the following command:
    openvpn client.conf
  9. Now, open a new terminal window and check the connection to the target by running traceroute and ping against its IP address (you can find it on the target details web page):
    [Screenshot: traceroute and ping output]
  10. Now hack it!
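As an added example that is not part of the book's procedure or the Hack-a-Server bundle, here is a small POSIX shell helper that checks the downloaded connection package before you run openvpn, and then confirms that the target is actually routed through the tunnel rather than your normal Internet connection. It assumes the config file is named client.conf as in the book; the interface name (tun0) and the target IP in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check an OpenVPN connection package
# (such as the Hack-A-Server bundle) before connecting, then confirm that the
# lab target is reached through the tunnel and not via your normal default route.
# Assumptions: the config file is named client.conf as in the book; the
# interface name (tun0) and target IP used below are placeholders.

# check_bundle DIR: return 0 when every file that client.conf references
# (ca, cert, key, tls-auth) exists in DIR and the private key is owner-only.
check_bundle() {
    dir=$1
    conf="$dir/client.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    status=0
    for directive in ca cert key tls-auth; do
        # inline <ca>...</ca> blocks have no file argument and are skipped
        file=$(awk -v d="$directive" '$1 == d { print $2 }' "$conf")
        [ -n "$file" ] || continue
        if [ ! -f "$dir/$file" ]; then
            echo "$directive refers to missing file: $file" >&2
            status=1
        fi
    done
    keyfile=$(awk '$1 == "key" { print $2 }' "$conf")
    if [ -n "$keyfile" ] && [ -f "$dir/$keyfile" ]; then
        # characters 5-10 of ls -l are the group/other permission bits
        others=$(ls -l "$dir/$keyfile" | cut -c5-10)
        if [ "$others" != "------" ]; then
            echo "private key $keyfile is readable by group/others" >&2
            status=1
        fi
    fi
    return $status
}

# verify_route TARGET [IFACE]: return 0 when the kernel would send traffic
# to TARGET out of the VPN interface (default tun0).
verify_route() {
    target=$1
    iface=${2:-tun0}
    ip route get "$target" 2>/dev/null | grep -q "dev $iface"
}

# Typical use from inside the unzipped bundle directory, as root:
#   check_bundle . && openvpn --config client.conf --daemon --log openvpn.log
#   verify_route 10.0.0.5 tun0 && ping -c 3 10.0.0.5 && traceroute 10.0.0.5
```

If verify_route fails after the VPN icon or log reports a connection, the bundle's routes were not applied and your scan traffic would leave over your regular uplink instead of the lab network.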

To pass the exam, you will have to find as many vulnerabilities as you can at the exam arena and submit a report to the Hack-a-Server team for review. If you pass the exam, you will be allowed into the playground arena, where you can get paid for hacking.

There's more…

If you are interested in trying as many online hacking playgrounds as possible, you should definitely check the following ones too:
