Have you ever wondered where to start, where to get more knowledge and even test and improve your hacking skills? Here's a selection of the best sites to help you. The sites listed below will help you understand every aspect of the secure (or rather, insecure) side of software, networks, servers, and every single element that can be represented in the world of information security.
Hack The Box is an online platform that allows you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field. To start using this platform, you need to register in the CTF style.
Hack The Box provides many tasks - in the form of virtual machines - simulating real security problems, which are constantly updated, and you also have the opportunity to complete different tasks such as steganography, reverse engineering, etc. At the time of writing, there are 182 CTF tasks available.
Vulnhub is a site where you can find images of vulnerable virtual machines on which you can practice on your local network. They are usually marked with difficulty level, most of them have step-by-step instructions if you get stuck and they are completely legal. The platform is also used by schools, universities and governments for teaching and interviewing organizations.
Smash The Stack has several wargames. Wargame can be described as an ethical hacking environment that simulates real software vulnerabilities and allows for legal exploitation. The software can be an operating system, a network protocol, or any custom application. Each wargame contains many tasks, ranging from standard vulnerabilities to reverse engineering tasks.
OverTheWire is suitable for everyone who wants to study the theory of information security and apply it in practice, regardless of their experience. Wargames offered by the OverTheWire community can help you learn and practice security concepts in the form of games. To find out more about a specific wargame, simply visit its page listed in the menu on the left. Beginners should start with the Bandit level challenges as they are needed to further other challenges.
Root Me is a fast, easy and affordable way to hone your hacking skills. Root-me has many kinds of tasks. CTF, hacking, cryptanalysis, forensics, programming, shorthand. This is definitely one of the best sites on our list.
Defend the Web is an interactive platform where you can learn and test your skills. For solving problems, you get a certain number of points depending on the difficulty level. Similar to Hack This Site, Defend the Web also has a lively community, numerous articles and news about hacking, and a forum where you can discuss security-related tasks and issues.
TryHackMe is one of the best platforms where you can improve your cybersecurity skills. The platform develops virtual classrooms that not only allow users to deploy learning environments with the click of a button, but also add a new approach - question and answer. This is a convenient type of training using pre-designed courses that use virtual machines hosted in the cloud.
While using a question and answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach specific topics. This not only provides other users with rich and varied content, but also helps to strengthen understanding of fundamental concepts. Some private organizations use the platform to assess the ability of interviewees.
CRYPTOHACK is a fun way to learn cryptography as well as gain valuable CTF skills. With a series of puzzles, you must crack the poor implementations of "modern" cryptography such as AES, RSA, and Elliptic-Curve. While CryptoHack took inspiration from Capture the Flag competitions, it focuses exclusively on their cryptographic aspects, i.e. breaking ciphers, decrypting, encoding, and converting between formats.
Reversing Hero is a set of 15 tasks designed to teach reverse engineering, starting with the basics and continuing with more advanced topics. There are no special rules for passing the levels: everything is allowed.
CrackMes is a simple place with a user-friendly interface where you can improve your reverse engineering skills.
Hacking-Lab is an online platform for ethical hacking, computer networks designed for cybersecurity education. The goal of Hacking-Labs is to raise awareness of raising the level of information security education through a series of cyber competitions that include forensics, cryptography, reverse engineering, flag capture, ethical hacking, and defense. Its goals are to develop young cyber talent, and one of the key Hacking-Lab initiatives is to create an environment that creates cyber defense through education.
Lin.security privilege escalation is an image of a Linux virtual machine (1.7 GB) that suffers from a number of vulnerabilities that allow a user to gain root access on a computer. The main goal is to help understand how certain built-in applications and services, if misconfigured, could be exploited by an attacker. It will help you improve your skills, techniques, and toolkits for local privilege escalation.
PWNABLE is a classic, one of the favorites of all time. A non-profit site with wargames that offers various tasks related to the operation of the system. The main purpose of pwnable is to “have fun”. By playing, you can learn / improve your hacking skills. The only thing you need to do is click “play” in the upper left area, select a game and start it. They have a scoring system: the more difficult the task, the more points you win.
picoCTF is a free game with original educational content for middle and high school students, built on a flag capture platform created by security and privacy experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline. All tasks are created with the intention of being hacked, making it a great legal way to gain hands-on experience. You can find all the code on GitHub https://github.com/picoCTF.
Exploit Education provides a variety of virtual machines, documentation, and tasks that you can use to study various computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cybersecurity issues.
Enigma Group contains over 300 tasks, these tasks cover the exploits listed in the list of the 10 best exploits of OWASP, the company also trains participants in many other types of exploits that are found in modern applications; thus helping them to become better programmers at the same time. The site has nearly 48,000 active members and hosts weekly CTF contests as well as weekly and monthly contests.
HellBound Hackers is a completely legal web site for security education. Here you can find traditional tasks with exploits and such task formats that are not available on other resources. For example, application patching and time-limited tasks. In patching tasks, you are given a vulnerable code snippet and need to suggest a fix for this vulnerability. HBH also provides an extensive library of articles and helpful forum posts.
Try2Hack - This site offers several security related tasks for your entertainment. Each task requires a different approach to solve and it gets more difficult as you progress. This is one of the oldest sites on our list.
IO is a wargame from the creators of netgarage.org, which involves solving problems by level. The game is constantly being updated as technology advances.
Exploit Exercises despite the small number of virtual machines and their relatively long publication, you can learn something new here too. Here you can learn about privilege escalation, exploit development, reverse engineering, and more.
Game of Hacks - This game was designed to test your hacking skills. You will be presented with code snippets, and your mission is to find the vulnerability as quickly as possible.
Cryptopals is a series of cryptography problems created by the former Matasano Security team. This is a collection of 48 exercises divided into 8 parts. When you solve all the tasks, you will not only learn a lot about how cryptosystems are built, but also understand how they are attacked.
Typhoon is a multi-vulnerability virtual machine that provides a lab environment for researchers looking to enhance their cybersecurity skills. Typhoon was developed by the Prisma CSI team to provide a small environment for hands-on penetration testing training. You can download a virtual machine and install it on your system, which will give you a hands-on experience.
Command Challenge is an interesting site that emulates a bash terminal inside the browser, all commands are executed remotely in a Docker container. You have specific tasks that you need to solve using only the command line. It all starts with simple tasks, but they gradually get more complicated.
Hack.me is a free eLearnSecurity project. The community may create, host, and publish vulnerable web application code for educational and research purposes. It aims to become the largest collection of vulnerable web applications running on the Internet.
Hacksplaining provides a cataloged and visual online tutorial on major web vulnerabilities. For each vulnerability, a detailed description is provided, how common it is, how difficult it is to exploit it, and its level of severity. Each vulnerability is accompanied by a detailed description, an exploitation vector, vulnerable code, and recommendations for elimination and protection.
Practical Pentest Labs, with a wide range of vulnerability hosts that are constantly updated to keep your skills up to date, virtual labs are geared towards anyone interested in the art of discovering, exploiting and developing vulnerabilities. Step by step, you will be guided through all aspects of hacking from A to Z, covering dozens of techniques and many tools.
SQLZoo is a well established online platform (since 1999) for writing and executing SQL queries against a live database. The online course was created specifically for people who have never encountered programming, it is extremely easy to use and, moreover, completely free. You can see the actual result of your query without checking if it matches the solution - what matters is the result. This is not a regular online book of tutorials, but a platform with tests, links and tutorials to help you learn SQL.
The XSS game consists of several levels that resemble real applications that are vulnerable to XSS - your task will be to find the problem and attack the applications.
alert (1) to win is a place to practice XSS, in particular bypassing filters. Knowledge of javascript and HTML is required to pass.
XSSEducation is a set of tasks for people who are just learning XSS and for people who just need a good place to practice their already amazing skills.
WackoPico is a vulnerable web application that contains known and common vulnerabilities so that you can use your web penetration skills and knowledge, such as XSS vulnerabilities, SQL injection, sessionID, LFI and RFI vulnerabilities, parameter manipulation, logical errors in the code.
The BodgeIt Store is an open source vulnerable web application that is currently targeted at people new to web penetration testing. It is easy to install and use. It includes vulnerabilities such as cross-site scripting, SQL injection, hidden (but insecure) content, debug code, unsafe object references, and application logic vulnerabilities.
Hackxor is a realistic web hacking game designed to help players of all skill levels develop their skills. All missions are based on real vulnerabilities that you can personally discover when conducting penetration tests, finding bugs and researching.
Hacker Gateway is the perfect place for hackers looking to put their skills to the test. Challenges cover many categories including cryptography, steganography, programming, and more.
ThisIsLegal is a site with wargames and many other things like forums and tutorials. The goal is to help you learn and improve as much as possible, as well as provide an opportunity for the community to network.
DVWA - PHP / MySQL Vulnerable Web Application, is one of the most famous web applications used to test your penetration testing skills and your knowledge of SQL injection, XSS, Blind SQL, etc. DVWA is developed by Ryan Duhurst, also known as ethicalhack3r, and is part of the RandomStorm OpenSource project.
Mutillidae is a free open source web application for penetration testing and website hacking developed by Adrian Crenshaw (Irongeek) and Jeremy Drouin (webpwnized). It's vulnerable and perfect for practicing your skills like SQL injection, cross-site scripting, HTML injection, Javascript injection, clickjacking, LFI, authentication bypass techniques, remote code execution and more based on the OWASP top 10.
WebGoat is an OWASP project and a notoriously insecure web application designed to teach web application security concepts. It allows users to demonstrate their understanding of the security problem by exploiting a real vulnerability in the application in every lesson.
W3Challs is a multi - tasking learning platform in a variety of categories, including hacking, wargaming, forensics, cryptography, steganography, and programming. The goal of the platform is to provide realistic challenges. Depending on the complexity of the problem solved, you get points. There is also a forum where you can discuss and solve problems with other members.
Metasploitable is a Linux virtual machine containing many types of vulnerabilities commonly found in the operating system that can be exploited. The Metasploitable project is also created and maintained by the rapid7 community (Metasploit-FrameWork community). Simply put, Metasploitable is a Linux-based operating system specifically designed to practice penetration testing skills, network security skills, the Metasploit-Framework, and many more.
Holynix is a Linux distribution that was specifically built to have security holes for penetration testing purposes.
Vulnserver is a Windows based TCP streaming server application. This software is primarily intended as a tool for teaching how to find and use buffer overflows, and each of the bugs it contains is subtly different from the others, requiring a slightly different approach when writing an exploit.
Ethernaut is a Web3 / Solidity based wargame inspired by overthewire. Each level is a smart contract that needs to be hacked. The game is completely open ( https://github.com/OpenZeppelin/ethernaut ) and all levels are created by other players.
247CTF is an awesome platform that provides CTF challenges available 24/7, with categories from binaries to networking to cryptography.
AttackDefense - Over 1900 unique lab exercises covering topics such as exploration, exploitation, post-exploitation, data theft, web applications, traffic analysis, CVE, network components, infrastructure attacks, privilege escalation, forensics, firmware analysis, reversal, secure coding, IoT networks, Metasploit, Python for information security and many more. New laboratories are added weekly.
SecGen creates vulnerable virtual machines for you to learn penetration testing techniques. VMs like Metasploitable2 are always the same, this project uses Vagrant, Puppet and Ruby to quickly create randomly generated vulnerable VMs that can be used for training.
Awesome CTF - A list of frameworks, libraries, resources, software and tutorials for Capture The Flag. This list is meant to help beginners as well as seasoned players find everything CTF-related in one place.
CTF-tools is a set of scripts for installing various security research tools. Of course, all the utilities can be installed manually, but it's really nice to have them in one place that can be easily deployed to new machines.
Ignitetechnologies contains repositories that will help you understand the basics of privilege escalation by example https://github.com/Ignitetechnologies/Privilege-Escalation, as well as a table with Vulnhub machines by their complexity https://github.com/Ignitetechnologies/CTF- Difficulty.
Don't be discouraged if (when) you get stuck. Everyone starts somewhere, and even if you don't solve the problem, you can still learn something valuable and gain enough knowledge to make the next task a little easier. Information security is a huge area with many different skills involved and there is a lot to learn.
To complete the full circle, we also recommend that you make your own reports. Try to explain what you did and why your solution worked, this may come in handy later!
Hack The Box is an online platform that allows you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field. To start using this platform, you need to register in the CTF style.
Hack The Box provides many tasks - in the form of virtual machines - simulating real security problems, which are constantly updated, and you also have the opportunity to complete different tasks such as steganography, reverse engineering, etc. At the time of writing, there are 182 CTF tasks available.
Vulnhub is a site where you can find images of vulnerable virtual machines on which you can practice on your local network. They are usually marked with difficulty level, most of them have step-by-step instructions if you get stuck and they are completely legal. The platform is also used by schools, universities and governments for teaching and interviewing organizations.
Smash The Stack has several wargames. Wargame can be described as an ethical hacking environment that simulates real software vulnerabilities and allows for legal exploitation. The software can be an operating system, a network protocol, or any custom application. Each wargame contains many tasks, ranging from standard vulnerabilities to reverse engineering tasks.
OverTheWire is suitable for everyone who wants to study the theory of information security and apply it in practice, regardless of their experience. Wargames offered by the OverTheWire community can help you learn and practice security concepts in the form of games. To find out more about a specific wargame, simply visit its page listed in the menu on the left. Beginners should start with the Bandit level challenges as they are needed to further other challenges.
Root Me is a fast, easy and affordable way to hone your hacking skills. Root-me has many kinds of tasks. CTF, hacking, cryptanalysis, forensics, programming, shorthand. This is definitely one of the best sites on our list.
Defend the Web is an interactive platform where you can learn and test your skills. For solving problems, you get a certain number of points depending on the difficulty level. Similar to Hack This Site, Defend the Web also has a lively community, numerous articles and news about hacking, and a forum where you can discuss security-related tasks and issues.
TryHackMe is one of the best platforms where you can improve your cybersecurity skills. The platform develops virtual classrooms that not only allow users to deploy learning environments with the click of a button, but also add a new approach - question and answer. This is a convenient type of training using pre-designed courses that use virtual machines hosted in the cloud.
While using a question and answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach specific topics. This not only provides other users with rich and varied content, but also helps to strengthen understanding of fundamental concepts. Some private organizations use the platform to assess the ability of interviewees.
CRYPTOHACK is a fun way to learn cryptography as well as gain valuable CTF skills. With a series of puzzles, you must crack the poor implementations of "modern" cryptography such as AES, RSA, and Elliptic-Curve. While CryptoHack took inspiration from Capture the Flag competitions, it focuses exclusively on their cryptographic aspects, i.e. breaking ciphers, decrypting, encoding, and converting between formats.
Reversing Hero is a set of 15 tasks designed to teach reverse engineering, starting with the basics and continuing with more advanced topics. There are no special rules for passing the levels: everything is allowed.
CrackMes is a simple place with a user-friendly interface where you can improve your reverse engineering skills.
Hacking-Lab is an online platform for ethical hacking, computer networks designed for cybersecurity education. The goal of Hacking-Labs is to raise awareness of raising the level of information security education through a series of cyber competitions that include forensics, cryptography, reverse engineering, flag capture, ethical hacking, and defense. Its goals are to develop young cyber talent, and one of the key Hacking-Lab initiatives is to create an environment that creates cyber defense through education.
Lin.security privilege escalation is an image of a Linux virtual machine (1.7 GB) that suffers from a number of vulnerabilities that allow a user to gain root access on a computer. The main goal is to help understand how certain built-in applications and services, if misconfigured, could be exploited by an attacker. It will help you improve your skills, techniques, and toolkits for local privilege escalation.
PWNABLE is a classic, one of the favorites of all time. A non-profit site with wargames that offers various tasks related to the operation of the system. The main purpose of pwnable is to “have fun”. By playing, you can learn / improve your hacking skills. The only thing you need to do is click “play” in the upper left area, select a game and start it. They have a scoring system: the more difficult the task, the more points you win.
picoCTF is a free game with original educational content for middle and high school students, built on a flag capture platform created by security and privacy experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline. All tasks are created with the intention of being hacked, making it a great legal way to gain hands-on experience. You can find all the code on GitHub https://github.com/picoCTF.
Exploit Education provides a variety of virtual machines, documentation, and tasks that you can use to study various computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cybersecurity issues.
Enigma Group contains over 300 tasks, these tasks cover the exploits listed in the list of the 10 best exploits of OWASP, the company also trains participants in many other types of exploits that are found in modern applications; thus helping them to become better programmers at the same time. The site has nearly 48,000 active members and hosts weekly CTF contests as well as weekly and monthly contests.
HellBound Hackers is a completely legal web site for security education. Here you can find traditional tasks with exploits and such task formats that are not available on other resources. For example, application patching and time-limited tasks. In patching tasks, you are given a vulnerable code snippet and need to suggest a fix for this vulnerability. HBH also provides an extensive library of articles and helpful forum posts.
Try2Hack - This site offers several security related tasks for your entertainment. Each task requires a different approach to solve and it gets more difficult as you progress. This is one of the oldest sites on our list.
IO is a wargame from the creators of netgarage.org, which involves solving problems by level. The game is constantly being updated as technology advances.
Exploit Exercises despite the small number of virtual machines and their relatively long publication, you can learn something new here too. Here you can learn about privilege escalation, exploit development, reverse engineering, and more.
Game of Hacks - This game was designed to test your hacking skills. You will be presented with code snippets, and your mission is to find the vulnerability as quickly as possible.
Cryptopals is a series of cryptography problems created by the former Matasano Security team. This is a collection of 48 exercises divided into 8 parts. When you solve all the tasks, you will not only learn a lot about how cryptosystems are built, but also understand how they are attacked.
Typhoon is a multi-vulnerability virtual machine that provides a lab environment for researchers looking to enhance their cybersecurity skills. Typhoon was developed by the Prisma CSI team to provide a small environment for hands-on penetration testing training. You can download a virtual machine and install it on your system, which will give you a hands-on experience.
Command Challenge is an interesting site that emulates a bash terminal inside the browser, all commands are executed remotely in a Docker container. You have specific tasks that you need to solve using only the command line. It all starts with simple tasks, but they gradually get more complicated.
Hack.me is a free eLearnSecurity project. The community may create, host, and publish vulnerable web application code for educational and research purposes. It aims to become the largest collection of vulnerable web applications running on the Internet.
Hacksplaining provides a cataloged and visual online tutorial on major web vulnerabilities. For each vulnerability, a detailed description is provided, how common it is, how difficult it is to exploit it, and its level of severity. Each vulnerability is accompanied by a detailed description, an exploitation vector, vulnerable code, and recommendations for elimination and protection.
Practical Pentest Labs, with a wide range of vulnerability hosts that are constantly updated to keep your skills up to date, virtual labs are geared towards anyone interested in the art of discovering, exploiting and developing vulnerabilities. Step by step, you will be guided through all aspects of hacking from A to Z, covering dozens of techniques and many tools.
SQLZoo is a well established online platform (since 1999) for writing and executing SQL queries against a live database. The online course was created specifically for people who have never encountered programming, it is extremely easy to use and, moreover, completely free. You can see the actual result of your query without checking if it matches the solution - what matters is the result. This is not a regular online book of tutorials, but a platform with tests, links and tutorials to help you learn SQL.
The XSS game consists of several levels that resemble real applications that are vulnerable to XSS - your task will be to find the problem and attack the applications.
alert (1) to win is a place to practice XSS, in particular bypassing filters. Knowledge of javascript and HTML is required to pass.
XSSEducation is a set of tasks for people who are just learning XSS and for people who just need a good place to practice their already amazing skills.
WackoPico is a vulnerable web application that contains known and common vulnerabilities so that you can use your web penetration skills and knowledge, such as XSS vulnerabilities, SQL injection, sessionID, LFI and RFI vulnerabilities, parameter manipulation, logical errors in the code.
The BodgeIt Store is an open source vulnerable web application that is currently targeted at people new to web penetration testing. It is easy to install and use. It includes vulnerabilities such as cross-site scripting, SQL injection, hidden (but insecure) content, debug code, unsafe object references, and application logic vulnerabilities.
Hackxor is a realistic web hacking game designed to help players of all skill levels develop their skills. All missions are based on real vulnerabilities that you can personally discover when conducting penetration tests, finding bugs and researching.
Hacker Gateway is the perfect place for hackers looking to put their skills to the test. Challenges cover many categories including cryptography, steganography, programming, and more.
ThisIsLegal is a site with wargames and many other things like forums and tutorials. The goal is to help you learn and improve as much as possible, as well as provide an opportunity for the community to network.
DVWA - PHP / MySQL Vulnerable Web Application, is one of the most famous web applications used to test your penetration testing skills and your knowledge of SQL injection, XSS, Blind SQL, etc. DVWA is developed by Ryan Duhurst, also known as ethicalhack3r, and is part of the RandomStorm OpenSource project.
Mutillidae is a free open source web application for penetration testing and website hacking developed by Adrian Crenshaw (Irongeek) and Jeremy Drouin (webpwnized). It's vulnerable and perfect for practicing your skills like SQL injection, cross-site scripting, HTML injection, Javascript injection, clickjacking, LFI, authentication bypass techniques, remote code execution and more based on the OWASP top 10.
WebGoat is an OWASP project and a notoriously insecure web application designed to teach web application security concepts. It allows users to demonstrate their understanding of the security problem by exploiting a real vulnerability in the application in every lesson.
W3Challs is a multi - tasking learning platform in a variety of categories, including hacking, wargaming, forensics, cryptography, steganography, and programming. The goal of the platform is to provide realistic challenges. Depending on the complexity of the problem solved, you get points. There is also a forum where you can discuss and solve problems with other members.
Metasploitable is a Linux virtual machine containing many types of vulnerabilities commonly found in the operating system that can be exploited. The Metasploitable project is also created and maintained by the rapid7 community (Metasploit-FrameWork community). Simply put, Metasploitable is a Linux-based operating system specifically designed to practice penetration testing skills, network security skills, the Metasploit-Framework, and many more.
Holynix is a Linux distribution that was specifically built to have security holes for penetration testing purposes.
Vulnserver is a Windows based TCP streaming server application. This software is primarily intended as a tool for teaching how to find and use buffer overflows, and each of the bugs it contains is subtly different from the others, requiring a slightly different approach when writing an exploit.
Ethernaut is a Web3 / Solidity based wargame inspired by overthewire. Each level is a smart contract that needs to be hacked. The game is completely open ( https://github.com/OpenZeppelin/ethernaut ) and all levels are created by other players.
247CTF is an awesome platform that provides CTF challenges available 24/7, with categories from binaries to networking to cryptography.
AttackDefense - Over 1900 unique lab exercises covering topics such as exploration, exploitation, post-exploitation, data theft, web applications, traffic analysis, CVE, network components, infrastructure attacks, privilege escalation, forensics, firmware analysis, reversal, secure coding, IoT networks, Metasploit, Python for information security and many more. New laboratories are added weekly.
SecGen creates vulnerable virtual machines for you to learn penetration testing techniques. VMs like Metasploitable2 are always the same, this project uses Vagrant, Puppet and Ruby to quickly create randomly generated vulnerable VMs that can be used for training.
Awesome CTF - A list of frameworks, libraries, resources, software and tutorials for Capture The Flag. This list is meant to help beginners as well as seasoned players find everything CTF-related in one place.
CTF-tools is a set of scripts for installing various security research tools. Of course, all the utilities can be installed manually, but it's really nice to have them in one place that can be easily deployed to new machines.
Ignitetechnologies contains repositories that will help you understand the basics of privilege escalation by example https://github.com/Ignitetechnologies/Privilege-Escalation, as well as a table with Vulnhub machines by their complexity https://github.com/Ignitetechnologies/CTF- Difficulty.
Don't be discouraged if (when) you get stuck. Everyone starts somewhere, and even if you don't solve the problem, you can still learn something valuable and gain enough knowledge to make the next task a little easier. Information security is a huge area with many different skills involved and there is a lot to learn.
To complete the full circle, we also recommend that you make your own reports. Try to explain what you did and why your solution worked, this may come in handy later!
