7

Are there any Windows-based pen testing VMs out there similar to Metasploitable, which is based on Ubuntu?

Just starting to learn hacking and such a box would be very helpful.

10 Answers

11

You can't distribute a Windows VM legally. But a Windows XP SP1 machine or a Windows NT4 machine would be ideal. NT4 is no longer supported by Microsoft and therefore contains numerous unpatched vulnerabilities. Even a Windows 7 machine without patches could be exploited through an IE exploit.

Iszi
rook
11

If you want to get into pen-testing, I suggest reading this article by Robin Wood, where he discusses the $64 million dollar question "How to break into the security industry?". He provides lots of links, information and guidance.

As well as the answers provided, you could check out Mutillidae or the Samurai WTF Linux distro (which has the targets locally on the actual VM).

When hacking test boxes, run tcpdump/wireshark/tshark on the target and start examining the packet captures to truly understand what you're doing. Additionally, where possible, use the command-line :) I just released some pcaps from HackEire 2011 that show some real-world attacks and I'd recommend having a look at them.

Mark Hillick
  • I actually have a pretty sound foundation of the theory behind security in general, as I am currently taking a diploma course in it. Learning pen testing on my own now before the course covers it is actually more to do with interest, and of course I use the command line :) –  Jun 04 '12 at 09:56
  • Cool :) One other thing I forgot is that OWASP have just redone WebGoat - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - it's good for learning and pretty stable. – Mark Hillick Jun 04 '12 at 10:05
5

As Rook said, this would violate a lot of copyright laws. Another distribution you may be interested in is Damn Vulnerable Linux.

Fairlight
4

You can use Web Security Dojo. It is based on Ubuntu 10.04 and includes tools and targets to practice web application security pen testing. It is easy to use as a VM.

Jor-el
3

You may also try Damn Vulnerable Web Application (DVWA), or as an alternative you may join Hacking-Lab.

zakiakhmad
2

Maybe you can try with the Windows Virtual PC, set it up unpatched and vulnerable with most security controls turned off and try testing against it.

You can find it here:

http://www.microsoft.com/windows/virtual-pc/

Epoch Win
1

There's also LAMPSecurity as a VM that's really good. Also, I really like practicing online with something like CrackMe Bank, which is legal, here: http://crackme.cenzic.com/Kelev/view/home.php

1

You can also check out pWnOS. A colleague and I have developed a couple of hackable Linux VMs, with the third underway. The VM has real-world vulnerabilities in it. Have fun!

Link

0

As this question is old and the security area evolves daily, it should be noted that there is currently a Linux distro specific to pen testing. This distro already comes with numerous tools installed and ready to use, in addition to a dedicated design for compatibility and portability for Android devices.

0

You may also want to have a look at a comprehensive list of pentesting or hackers' OSes, which provide penetration testers and security researchers with a comprehensive collection of security-related tools, including many well-known security tools.

You can check a detailed list here to choose from:

http://securityurls.com/resources/hackers-os/

Assyrians