Bits and bytes of a hacker.

Docker Images for Penetration Testing Practice

My previous post outlined the necessary steps to install Docker on Kali Linux. Now that Docker is up and running, here are a few Docker images that can be launched as pentesting practice targets:

  1. Acme-lock-me-out by Websecurify
    Acme-lock-me-out is a login brute-force demo webapp written in NodeJS and MongoDB.

  2. Acme-no-login by Websecurify
    Acme-no-login is a demo login bypass attack webapp written in NodeJS and MongoDB.

  3. Acme-no-login-ng by Websecurify
    Acme-no-login-ng is another demo login bypass attack webapp written in NodeJS and MongoDB.

  4. Security Ninjas AppSec Training by OpenDNS
    Security Ninjas AppSec Training is a vulnerable webapp that teaches the OWASP Top 10 vulnerabilities.

  5. Damn Vulnerable Web Application (DVWA)
    docker pull citizenstig/dvwa
    DVWA is a vulnerable web app written in PHP and MySQL. Vulnerabilities can be exploited with varying degrees of difficulty.

  6. Mutillidae 2 by OWASP
    docker pull citizenstig/nowasp
    Mutillidae 2 is a vulnerable webapp that teaches the OWASP Top 10 vulnerabilities.

  7. Vulnerable WordPress by WPScan Team
    docker pull wpscanteam/vulnerablewordpress
    Vulnerable WordPress is a vulnerable webapp designed by the creators of WPScan.

  8. WebGoat by OWASP
    docker pull danmx/docker-owasp-webgoat
    WebGoat is a vulnerable PHP webapp designed to teach security principles. The ASP.NET version is available here as well.

  9. Shellshock: Vulnerability As A Service
    docker pull hmlio/vaas-cve-2014-6271
    This image showcases the Shellshock vulnerability by running a vulnerable Debian distro.

  10. Security Shepherd by OWASP
    docker pull ismisepaul/securityshepherd
    Security Shepherd teaches webapp and mobile app security principles.

  11. Heartbleed: Vulnerability As A Service
    docker pull hmlio/vaas-cve-2014-0160
    This image showcases the Heartbleed vulnerability by running a vulnerable Debian distro.

  12. Bricks by OWASP
    docker pull citizenstig/owaspbricks
    Bricks is a vulnerable webapp written in PHP and MySQL. It’s well documented and has accompanying videos.