De-ICE are Penetration LiveCD images available from http://forum.heorot.net and provide scenarios where students can test their penetration testing skills and tools in a legal environment.

Courtesy of student Cody M.

De-ICE are Penetration LiveCD images available from http://forum.heorot.net and provide scenarios where students can test their penetration testing skills and tools in a legal environment.

Courtesy of student Chadwick B.

-- S1.110

SCENARIO

The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an ftp server used by the network administrator team to create / reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built).

Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.

CONFIGURATION

PenTest Lab Disk 1.110:

This LiveCD is configured with an IP address of 192.168.1.110 - no additional configuration is necessary.

Pentest Machine:

Your second system will use the BackTrack (v.2) LiveCD as provided by remote-exploit.org. A copy of the LiveCD can be downloaded from remote-exploit.org. This disk is configured to obtain an IP address through DHCP - thus no additional configuration is required. All tools necessary to exploit Disk 1.110 can be found on the BackTrack Disk. No additional installations will be necessary.

Router Configuration:

The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values: + DHCP Server: active + Pool Starting Addr.: 192.168.1.2

LAN TCP/IP: + IP Address: 192.168.1.1 + IP Subnet Mask: 255.255.255.0

Source: http://forums.hackingdojo.com/viewtopic.php?f=16&t=17

-- Level 1

Where to get the current PenTest Lab Level 1 disks:

192.168.1.100 = http://heorot.net/instruction/tutorials/iso/de-ice.net-1.100-1.1.iso 192.168.1.110 = http://heorot.net/instruction/tutorials/iso/de-ice.net-1.110-1.0.iso

The MD5 Hash Values of Each Disk:

a3341316ca9860b3a0acb06bdc58bbc1 ==>de-ice.net-1.100-1.1.iso a626d884148c63bfc9df36f2743d7242 ==>de-ice.net-1.110-1.0.iso

Where to get the scenario information for each disk:

192.168.1.100 = http://forums.heorot.net/viewtopic.php?f=16&t=15 192.168.1.110 = http://forums.heorot.net/viewtopic.php?f=16&t=17

Where to get the BackTrack disk:

http://remote-exploit.org/backtrack_download.html (NOTE: version "bt20061013.iso" and "BT2_Beta-Nov_19_2006.iso" were used to exploit the PenTest disks. Newer (when released) and older versions may work just as well).

Where to get the network configuration information:

Network configuration: 192.168.1.xxx = http://forums.heorot.net/viewtopic.php?f=16&t=15

Source: http://forums.hackingdojo.com/viewtopic.php?f=16&t=13

-- S1.100

SCENARIO

The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities (using nessus). To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn't believe the company is insecure, he has contracted you to look at only one server - a old system that only has a web-based list of the company's contact information.

The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

CONFIGURATION

PenTest Lab Disk 1.100: This LiveCD is configured with an IP address of 192.168.1.100 - no additional configuration is necessary.

Pentest Machine:

Your second system will use the BackTrack (v.2) LiveCD as provided by remote-exploit.org. A copy of the LiveCD can be downloaded from remote-exploit.org. This disk is configured to obtain an IP address through DHCP - thus no additional configuration is required. All tools necessary to exploit Disk 1.100 can be found on the BackTrack Disk. No additional installations will be necessary.

Router Configuration:

The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values: + DHCP Server: active + Pool Starting Addr.: 192.168.1.2

LAN TCP/IP: + IP Address: 192.168.1.1 + IP Subnet Mask: 255.255.255.0

Source: http://forums.hackingdojo.com/viewtopic.php?f=16&t=15

-- Level 1

Where to get the current PenTest Lab Level 1 disks:

192.168.1.100 = http://heorot.net/instruction/tutorials/iso/de-ice.net-1.100-1.1.iso 192.168.1.110 = http://heorot.net/instruction/tutorials/iso/de-ice.net-1.110-1.0.iso

The MD5 Hash Values of Each Disk:

a3341316ca9860b3a0acb06bdc58bbc1 ==>de-ice.net-1.100-1.1.iso a626d884148c63bfc9df36f2743d7242 ==>de-ice.net-1.110-1.0.iso

Where to get the scenario information for each disk:

192.168.1.100 = http://forums.heorot.net/viewtopic.php?f=16&t=15 192.168.1.110 = http://forums.heorot.net/viewtopic.php?f=16&t=17

Where to get the BackTrack disk:

http://remote-exploit.org/backtrack_download.html (NOTE: version "bt20061013.iso" and "BT2_Beta-Nov_19_2006.iso" were used to exploit the PenTest disks. Newer (when released) and older versions may work just as well).

Where to get the network configuration information:

Network configuration: 192.168.1.xxx = http://forums.heorot.net/viewtopic.php?f=16&t=15

Source: http://forums.hackingdojo.com/viewtopic.php?f=16&t=13

Damn Vulnerable Linux (DVL) E605 (1.3):

Added many many vulnerabilities. Added much exercise material including sources. Now included the HoneyNet Project and WebGoat.

  • 0000070: [Reverse Code Engineering] Add Boomerang Decompiler
  • 0000082: [Application Development] Free Pascal Compiler
  • 0000136: [Tools] Add Valgrind 3.2.0 + Valkyrie
  • 0000135: [Application Development] Add SmallBasic 0.9.7
  • 0000134: [Application Development] Add Dr. Scheme
  • 0000133: [Application Development] Add SWI Prolog
  • 0000131: [Application Development] Add GCC-g77
  • 0000127: [Web Exploitation] Add Cyphor
  • 0000109: [Shellcode / Exploitation] Add atari800 Local Root Exploit
  • 0000120: [Shellcode / Exploitation] Add phpBB 2.0.13 (admin_styles.php) Remote Command Execution Exploit
  • 0000125: [Web Exploitation] Add Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit
  • 0000126: [Web Exploitation] Add Joomla <=1.0.7 (feed) Denial of Service Exploit
  • 0000123: [Web Exploitation] Add PHPNuke 7.8
  • 0000124: [Application Development] Add PHP-Nuke 7.4 POST Method Admin Variable Privilege Escalation
  • 0000122: [Shellcode / Exploitation] Add linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit
  • 0000110: [Shellcode / Exploitation] Add Aeon 0.2a Local Linux Exploit
  • 0000108: [Shellcode / Exploitation] Add SoX Local Buffer Overflow Exploit
  • 0000111: [Shellcode / Exploitation] Add sash <= 3.7 Local Buffer Overflow Exploit
  • 0000104: [Shellcode / Exploitation] Add splitvt < 1.6.5 Local Exploit
  • 0000121: [Web Exploitation] Add e107 <= 0.6172 (resetcore.php) Remote SQL Injection Exploit
  • 0000102: [Shellcode / Exploitation] Add ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
  • 0000016: [Reverse Code Engineering] Fenris should be added
  • 0000067: [Reverse Code Engineering] Add ELFIO
  • 0000084: [Application Development] Add FakeAP
  • 0000083: [Application Development] Add BestCrypt
  • 0000085: [Application Development] Add FindDDOS
  • 0000078: [Tools] Add QTParted
  • 0000094: [Shellcode / Exploitation] Add Minicom 1.81
  • 0000096: [Shellcode / Exploitation] Add Nestea \"Off By One\" attack
  • 0000099: [Web Exploitation] Add PhpBB 2.0.12 Session Handling Authentication Bypass
  • 0000100: [Web Exploitation] Add WordPress 1.5.1.1 SQL Injection
  • 0000101: [Web Exploitation] Add Nabopoll 1.2 Remote File Inclusion, Remote Configuration Disclosure
  • 0000093: [Application Development] Add HLA Compiler Construction Kit
  • 0000092: [Application Development] Add YASM Assembler
  • 0000091: [Application Development] Add FASM
  • 0000090: [Application Development] Add SciLab
  • 0000081: [Application Development] Add GSL GNU Scientific Library
  • 0000080: [Application Development] Add FreeBasic
  • 0000079: [Application Development] Add BlueFish Editor
  • 0000033: [Application Development] RHIDE should be added
  • 0000089: [Application Development] Add C++6 libs
  • 0000088: [Application Development] Add LibGC
  • 0000087: [Application Development] Add BOOST Library
  • 0000076: [Application Development] Remove JRE and add JDK 1.5
  • 0000075: [Application Development] Add QEMU
  • 0000074: [Application Development] Add Scite Editor
  • 0000073: [Peneration Testing] Add OWASP's WebGoat

DVL Strychnine + E605 is final! I just remastered the ISO and we land at 1050 MB size which fits perfectly on a 2 GB USB stick (and gives us more free space to add additional stuff). I will upload the ISO today and inform the mirrors. Finally after all this installation part I can play myself with it :)

Source: http://web.archive.org/web/20071024101507/https://www.damnvulnerablelinux.org/content/view/32/73/

Source: http://web.archive.org/web/20071012222920/http://blog.damnvulnerablelinux.org/2007/07/27/dvl-strychnine-e605-is-final/

Source: http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4)

Damn Vulnerable Linux (DVL) Strychnine (1.2):

Added several tools. Switched to BackTrack 2 Final as core system. DVL Strychnine will contain a Knowledge Base as well!

  • 0000072: [Application Development] Add Flawfinder
  • 0000071: [Application Development] Add JLint
  • 0000025: [Reverse Code Engineering] libdisasm_0.21-pre2 should be added
  • 0000068: [Reverse Code Engineering] Add REC 1.6
  • 0000051: [Reverse Code Engineering] Add LTRACE
  • 0000047: [Reverse Code Engineering] ELF Shell should be added
  • 0000007: [Requirements] Firefox Tabs should be cleaned up
  • 0000035: [Application Development] KDevelop should be added
  • 0000015: [Reverse Code Engineering] Bastard 0.17 should be added
  • 0000011: [Requirements] Boot text should be branded for DVL instead for BT
  • 0000032: [Application Development] NEdit should be added
  • 0000012: [Requirements] A new bootspash has to be designed and included
  • 0000048: [Reverse Code Engineering] Add ELF Kickers
  • 0000014: [Shellcode / Exploitation] Splint static code analyzer should be added
  • 0000045: [Reverse Code Engineering] Add BIEW
  • 0000040: [Reverse Code Engineering] LDasm should be added
  • 0000063: [Application Development] Add BASIC-256
  • 0000028: [Web Exploitation] A vulnerable PHP.ini should be used
  • 0000058: [Application Development] PHPmyAdmin should be installed
  • 0000065: [Application Development] Add GAS
  • 0000064: [Bugs] HLA does not work under Konsole
  • 0000059: [Documentation] Define Directory Structure for Documentation
  • 0000060: [Tutorials] Define Directory Structure for Tutorials
  • 0000004: [Documentation] DVL needs a concept on how to hold documentation
  • 0000019: [Reverse Code Engineering] ht-2.0.2 should be added
  • 0000020: [Cryptography] stegdetect-0.6 should be added
  • 0000022: [Reverse Code Engineering] STAN 0.4.1 Stream Analyzer should be added
  • 0000024: [Cryptography] Outguess 0.2 should be added
  • 0000038: [Reverse Code Engineering] memgrep should be installed
  • 0000039: [Reverse Code Engineering] ALD Assembly Language Debugger should be added
  • 0000049: [Reverse Code Engineering] Add REVDump
  • 0000061: [Tutorials] Define Directory Structure for exercises
  • 0000010: [Shellcode / Exploitation] SudoEdit 1.6.8 should be added (Local Exploit)
  • 0000013: [Reverse Code Engineering] LIDA disassembler needs to be installed and linked in menues
  • 0000017: [Reverse Code Engineering] GDBINIT colorized by Mammon should be added.
  • 0000018: [Application Development] HLA Assembly Language should be added
  • 0000023: [Reverse Code Engineering] Sandmark should be added
  • 0000031: [Application Development] jEdit should be installed
  • 0000041: [Reverse Code Engineering] The Examiner should be added
  • 0000050: [Reverse Code Engineering] Add RADARE
  • 0000057: [Reverse Code Engineering] Add Sinister
  • 0000029: [Application Development] MySQL should be installed
  • 0000037: [Application Development] Jed Editor should be added
  • 0000030: [Application Development] Wine Windows Emulator needs to be installed
  • 0000027: [Requirements] Apache with PHP 4 and 5 included
  • 0000054: [Reverse Code Engineering] Add MemFetch
  • 0000052: [Reverse Code Engineering] Add STRACE
  • 0000056: [Reverse Code Engineering] Add lsof

DVL Strychnine is finally final. The last pre-compilation is running at the moment, then the final compilation of the remaster will follow. Some nasty bugs fixed such as permissions problems of the pre-installed MySQL database containing first vulnerabe web examples. Click on the link below to see the current changelog. This shows you which additions have been added to the “classic” BT 2.0 release to build the base of the new era of Damn Vulnerable Linux. Some more minor unimportant features are left to install, however I believe it is time to go with the release to concentrate finally on the production of the most important: training lessons!

DVL Strychnine will be available via BitTorrent this weekend (never published before using BitTorrent! let's see if I run into problems!) - Later I place it on the mirrors. File size at the moment 822 MB, sorry for that but let the community decide what to kill!

A short intro video will follow soon, maybe I can make it this weekend.

Source: http://web.archive.org/web/20070911160224/http://blog.damnvulnerablelinux.org/2007/05/25/dvl-strychnine-final-available-very-soon-via-bittorrent-following-via-mirrors/

Source: [http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4](http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4)

DVL 1.1 (Black Hat Edition):

The following important files have been added (minor tool additions not listed):

  • Metsploit 3.0 Framework. The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby. programming language and includes components written in C and assembler.
  • Web Exploitation Package 02. Includes 4 real life web targets.
  • Crackme Package 01. Includes 61 Linux crackmes for reverse code engineering challenges.
  • Debug Contest Package Windows. Includes 11 compiled Windows targets for analysis challenges.
  • Binary Exploitation Package 01. Includes 24 compiled targets for binary exploitation.
  • Binary Exploitation Package 02. Includes 40 compiled targets by Gera for binary exploitation.
  • Binary Exploitation Package 03. Includes 6 compiled targets by Juliano for binary exploitation.
  • Binary Exploitation Package 04. Includes 5 compiled targets by IITAC for binary exploitation.
  • Pre-Configured vulnerable PHP.ini.
  • Adapted .bashrc for HLA Assembly Language integration.
  • All collectable sources code examples for HLA Assembly Language programming.
  • Wine for Windows target analysis.
  • xcalc calculator.
  • rar.
  • VGUI.
  • VIM (VI Improved).
  • A comprehensive collection of core utils.
  • Outguess Steganography.
  • Steghide Steganography.
  • Scite Editor for many languages including Assembly.

Source: http://web.archive.org/web/20071012190055/http://blog.damnvulnerablelinux.org/2007/04/

Source: [http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4](http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4)

DVL 1.0 (Initial Core Release):

The Core Release is a tool release only. It contains the following important tools:

  • HT 0.5
  • libreadline4_4.2a-5_i386
  • gdb_5.2.cvs20020401-6_i386
  • binutils_2.12.90.0.1-4_i386 (including objdumps,gas,strings ...)
  • nasm-0.98-1.i386
  • HLA v1.86
  • libelfsh0-dev_0.65rc1-1_i386
  • elfsh_0.65rc1-1_i386
  • Apache 2.0.5.4
  • Php 4.4.0
  • ethereal-common_0.9.4-1woody12_i386
  • ethereal_0.9.4-1woody12_i386
  • libpcap0_0.6.2-2_i386
  • tcpdump_3.6.2-2.8_i386
  • lsof_4.57-1_i386
  • ltrace_0.3.26_i386
  • nmap_2.54.31.BETA-1_i386
  • strace_4.4-1.2_i386
  • ELFkickers-2.0a (including sstrip, rebind, elfls, ebfc, elftoc)
  • GCC/G++ 3.3.4
  • GNU Make 3.80
  • bastard_bin- 0.17.tgz
  • Mysql-server 4.4.1
  • Ruby 1.8
  • Python 2.3
  • lida-03.00.00
  • DDD 3.3.1

Source: http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4)

Scene 1

Your pentesting company has been hired to perform a test on a client company's internal network. Your team has scanned the network and you have been assigned one of the discovered systems. Perform a test on this system starting from the beginning of your chosen methodology and submit your report to the project manager at scenes AT 21LTR DOT com

Scope Statement

The client has defined a set of limitations for the pentest: - All tests will be restricted to the systems identified on the 192.168.2.0/24 network. - All commands run against the network and systems must be supplied in the form of script files packaged with the submission of the report - A final report indicating all identified vulnerabilities and exploits will be provided to the company's engineering department within 90 days of the start of this engagement.

Configuration

Scenario Pentest Lab Scene 1:

This LiveCD is configured with an IP address of 192.168.2.120 - no additional configuration is necessary.

Source: http://21ltr.com/scenes/21LTR.com_Scene1_2.120_v1.0.txt

Damn Vulnerable Linux (DVL) Strychnine+E605 (1.4):

Added more tools. Now Reverse Code Engineering tools is 99%, added Truecrypt, Eclipse IDE for Java and C++, added Mono for .NET vulnerability. Rearranged the menu, minor bug fixes ( :grin: ). We close tool addition with this and focus on bug fix and training material only from now on.

  • [Application Development] Add Motor IDE
  • [Application Development] Update HLA to 1.98 and StdLib to 2.3
  • [Application Development] Add LogWatch
  • [DVL Core] Add XEN
  • [Reverse Code Engineering] Add Insight GDB Debugger
  • [Tutorials] Add CPU Sim - An Interactive Java-based CPU Simulator
  • [Reverse Code Engineering] Add JAD Java Decompiler
  • [Tools] Add VLC Media Player
  • [Documentation] Add TeTex
  • [Documentation] Add JabRef
  • [Application Development] Add Kile
  • [Documentation] Add kDissert Mindmapper
  • [Peneration Testing] Add JBroFuzz
  • [Application Development] Add WebScarab
  • [Peneration Testing] Add CAL9000
  • [Reverse Code Engineering] Add KDBG
  • [Application Development] Add xchm
  • [DVL Core] Add gtk libs
  • [Tools] Add xvidcap
  • [Tools] Add AcroRead
  • [Tools] Add Scite

DVL 1.4 final is ready to go and is uploaded at the moment. We hit the 1.6 GB size, including all necessary to train software development, IT security and Reverse Code Engineering. During the next time the mirrors will be informed. After this we post the links. As well we do a short intro video to show all features and on how to use DVL.

Source: http://blog.security4all.be/2008/02/damn-vulnerable-linux-14-released.html

Source: [http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4](http://web.archive.org/web/20090312135824/http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Release%20Notes%20for%20Damn%20Vulnerable%20Linux%20(up%20to%20release%201.4)