Information Security
windows linux professional-education exploit-development
Updated Fri, 20 May 2022 22:18:12 GMT

Hackable linux distributions

A few years ago we had that awesome Linux distribution called Damn Vulnerable Linux. But unfortunately it looks like the project is dead. So my question is are there other Linux distributions which are meant to be hacked (explicit in the view of exploit development). Also welcome would be applications on the Windows platform for exploit exercises (like vulnerable server). Thanks in advance


Vulnhub is a collection of vulnerable distributions along with walkthroughs contributed by the community. provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.

PentesterLab has interesting exercises, some o them are about exploit development.

RebootUser has a lab that includes a Vulnix - a vulnerable Linux machine, VulVoIP - a relatively old AsteriskNOW distribution and has a number of weaknesses, and VulnVPN - a VM that you can practice exploiting the VPN service to gain access to the sever and internal services.

BackTrack PenTesting Edition lab is an all-in-one penetration testing lab environment that includes all of the hosts, network infrastructure, tools, and targets necessary to practice penetration testing. It includes: a DMZ network with two hosts targets, an internal network with one host target and a pre-configured firewall.

PwnOS is a Debian VM of a target on which you can practice penetration testing with the goal of getting root.

Holynix is an Linux vmware image that was deliberately built to have security holes for the purposes of penetration testing.

Kioptrix VM is targeted at the beginner.

Scene One is a pentesting scenario liveCD made for a bit of fun and learning.

Sauron is a Linux system with a number of vulnerable web services.

LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.

OSCP, OSCE, SANS 660 and HackinkDOJO are some of the paid courses that have good practical labs.

Hacking challenge websites can also provide challenges that are increasing in difficulty, fun and addictive. WeChall is a website that aggregates scores on other challenge websites and it has a category for websites with exploits.

CTF (Capture The Flag) events have challenges where you are required to exploit local or remote software. Most live events are available on CTFTime but there are repositories of past events and some CTFs are still available after the live event.

But for exploit development, I suggest installing vulnerable applications on your own computer where you could easily perform analysis. The application doesn't necessarily have to be a server or run on a different computer. Go to exploit-db and find old exploits there, then look for that version of the vulnerable software and start working on it. If you need hints, the actual exploit can point you in the right direction.

Comments (2)

  • +1 – about your suggestion. Thats what i actually did, but isn't "hints from the (original) exploit" just like cheating. Or being a copycat? I try to avoid that, thats also the reason i am searching for exercises and learn doing it on my own. — May 14, 2014 at 18:15  
  • +2 – I call it training, not cheating. And I call it research if you work on software that doesn't have public exploits. Go to this address for new software you can do research on. — May 14, 2014 at 19:18