awesome-cyber-skills

A curated list of hacking environments where you can train your cyber skills for free, legally and safely.

About the List

In the field of Information Security, understanding the enemy, the hacker, is crucial. By knowing your enemy, you can effectively defend and secure the digital world.

"Know the enemy, and you can defeat the enemy."

In the USA, even high-ranking retired police officers continue to advise residents on how to better secure their homes. They visit houses and identify weak points, sharing their knowledge of the criminals' techniques to help prevent break-ins.

To hone your cybersecurity skills, you need to keep your hacking skills up-to-date. To achieve this, a safe, legal, and free environment is necessary for practice.

This list compiles websites that offer various opportunities to practice your cyber skills. Each site has a unique approach, and a brief description is provided to highlight its focus.

Some sites offer tutorials to guide you, while others encourage self-directed exploration.

This post will be regularly updated with new sites, so bookmark it or follow me to stay informed with the latest overview.

If a site you know is missing from the list, feel free to contribute.

CONTRIBUTORS

foleranserfilinpavelBenDrysdaleHrushikeshKdeveyNullnirmalunagarroya0045photoelfAverageSpentesttools-comWarxim

About the Author

Joe Shenouda - "Our work is no longer to secure computers alone, it's now about securing society."

Joe Shenouda is a seasoned cybersecurity expert with experience in engineering, consulting, and research. He has worked with leading companies like Verizon and Accenture, specializing in operational cybersecurity. Joe is passionate about mentoring and training the next generation of cybersecurity specialists, using industry standards like ISO, NIST, and CIS Controls to guide organizations in adopting best practices.

Accolades:

Geography: Benelux, Middle-East & Nordics (Belgium, Netherlands, Luxembourg, Denmark, Norway, Sweden, Finland, Egypt, Monaco, Vatican City)

GitHub Portfolio: https://github.com/joe-shenouda/

✨ Active security clearance ✨

Please share this list if you find it useful. Let me know if you like it.

Support

If you would like to support this project, you can make a donation through PayPal:

Donate with PayPal

Don't forget to give this repo a ✨ STAR!

Awesome Cyber Skills

| Site name | Description |
| --- | --- |
| Altoro Mutual | Altoro is a fake banking website, containing various security vulnerabilities. |
| Arizona Cyber Warfare Range | The ranges offer an excellent platform for you to learn computer network attack (CNA), computer network defense (CND), and digital forensics (DF). You can play any of these roles. |
| AzureGoat | AzureGoat: A Damn Vulnerable Azure Infrastructure. |
| BodgeIt Store | The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing. |
| bWAPP | bWAPP, a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. |
| Cyber Degrees | Free online cyber security Massive Open Online Courses (MOOCs). |
| Commix testbed | A collection of web pages, vulnerable to command injection flaws. |
| CryptOMG | CryptOMG is a configurable CTF style test bed that highlights common flaws in cryptographic implementations. |
| Cyber Security Base | Cyber Security Base is a page with free courses by the University of Helsinki in collaboration with F-Secure. |
| Cybersecuritychallenge UK | Cyber Security Challenge UK runs a series of competitions designed to test your cyber security skills. |
| CyberTraining 365 | Cybertraining365 has paid material but also offers free classes. The link is directed at the free classes. |
| Cybrary.it | Free and Open Source Cyber Security Learning. |
| Damn Small Vulnerable Web | Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports the majority of (most popular) web application vulnerabilities together with appropriate attacks. |
| Damn Vulnerable Android App | Damn Vulnerable Android App (DVAA) is an Android application which contains intentional vulnerabilities. |
| Damn Vulnerable Hybrid Mobile App | Damn Vulnerable Hybrid Mobile App (DVHMA) is a hybrid mobile app (for Android) that intentionally contains vulnerabilities. |
| Damn Vulnerable iOS App | Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. |
| Damn Vulnerable Linux | Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. |
| Damn Vulnerable Router Firmware | The goal of this project is to simulate a real-world environment to help people learn about other CPU architectures outside of the x86_64 space. This project will also help people get into discovering new things about hardware. |
| Damn Vulnerable Stateful Web App | Short and simple vulnerable PHP web application that naïve scanners found to be perfectly safe. |
| Damn Vulnerable Thick Client App | DVTA is a Vulnerable Thick Client Application developed in C# .NET with many vulnerabilities. |
| Damn Vulnerable Web App | Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled classroom environment. |
| Damn Vulnerable Web Services | Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real-world web service vulnerabilities. |
| Damn Vulnerable Web Sockets | Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. |
| Damnvulnerable.me | A deliberately vulnerable modern-day app with lots of DOM-related bugs. |
| Dareyourmind | Online game, hacker challenge (mirror archive). |
| Defbox | Experience real-life cyber threats in a safe environment. |
| DIVA Android | Damn Insecure and Vulnerable App for Android. |
| ENISA Training Material | The European Union Agency for Network and Information Security (ENISA) Cyber Security Training. You will find training materials, handbooks for teachers, toolsets for students and Virtual Images to support hands-on training sessions. |
| exploit.co.il Vulnerable Web App | exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques. |
| Exploit-exercises.com | exploit-exercises.com provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues. |
| ExploitMe Mobile | Set of labs and an exploitable framework for you to hack a mobile application on Android. |
| GameOver | Project GameOver was started with the objective of training and educating newbies about the basics of web security and educate them about the common web attacks and help them understand how they work. |
| Gh0stlab | A security research network where like-minded individuals could work together towards the common goal of knowledge. |
| GOAD (Game Of Active Directory) | GOAD is a pentest Active Directory lab project. The purpose of this lab is to give pentesters a vulnerable Active Directory environment ready to use to practice usual attack techniques. |
| GoatseLinux | GSL is a VMware image you can run for penetration testing purposes. |
| Google Gruyere | Labs that cover how an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF). Also, you can find labs on how to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution. |
| Gracefully Vulnerable Virtual Machine | Graceful’s VulnVM is a VM web app designed to simulate a simple eCommerce style website which is purposely vulnerable to a number of well-known security issues commonly seen in web applications. |
| Hack The Box | Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. In order to join you should solve an entry-level challenge. |
| Hack This Site | More than just another hacker wargames site, Hack This Site is a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. |
| Hack Yourself First | This course is designed to help web developers on all frameworks identify risks in their own websites before attackers do and it uses this site extensively to demonstrate risks. |
| Hackademic | Offers realistic scenarios full of known vulnerabilities (especially, of course, the OWASP Top Ten) for those trying to practice their attack skills. |
| Hackazon | A modern vulnerable web app. |
| Hackertest.net | HackerTest.net is your own online hacker simulation with 20 levels. |
| Hacking-Lab | Hacking-Lab is an online ethical hacking, computer network and security challenge platform, dedicated to finding and educating cyber security talents. Furthermore, Hacking-Lab is providing the CTF and mission style challenges for the European Cyber Security Challenge with Austria, Germany, Switzerland, UK, Spain, Romania and provides free OWASP TOP 10 online security labs. |
| Hacksplaining | Security Training for Developers. |
| HackSys Extreme Vulnerable Driver | HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level. |
| HackThis!! | Test your skills with 50+ hacking levels, covering all aspects of security. |
| Hackxor | Hackxor is a web app hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism & difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc. |
| Holynix | Holynix is a Linux VMware image that was deliberately built to have security holes for the purposes of penetration testing. |
| Information Assurance Support Environment (IASE) | Great site with Cybersecurity Awareness Training, Cybersecurity Training for IT Managers, Cybersecurity Training for Cybersecurity Professionals, Cybersecurity Technical Training, NetOps Training, Cyber Law Awareness, and FSO Tools Training available online. |
| Java Vulnerable Lab | Vulnerable Java based Web Application. |
| Juice Shop | OWASP Juice Shop is an intentionally insecure web app for security training written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws. |
| LAMPSecurity Training | LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP, MySQL security. |
| Magical Code Injection Rainbow | The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds. |
| Metasploit Unleashed | Free Ethical Hacking Course. |
| Metasploitable 3 | Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. |
| Microcorruption CTF | Challenge: given a debugger and a device, find an input that unlocks it. Solve the level with that input. |
| Morning Catch | Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation. |
| Mutillidae | OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. |
| MysteryTwister C3 | MysteryTwister C3 lets you solve crypto challenges, starting from the simple Caesar cipher all the way to modern AES; they have challenges for everyone. |
| National Institutes of Health (NIH) | Short courses on Information Security and Privacy Awareness. They have a section for executives, managers and IT Administrators as well. |
| OpenSecurityTraining.info | OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long. |
| Overthewire | The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. |
| OWASP Broken Web Applications Project | OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine. |
| OWASP GoatDroid | OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. |
| OWASP iGoat | iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). |
| OWASP Mutillidae II | OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. |
| OWASP Security Shepherd | The OWASP Security Shepherd project is a web and mobile application security training platform. |
| OWASP SiteGenerator | OWASP SiteGenerator allows the creation of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .Net languages and web development architectures (for example, navigation: Html, Javascript, Flash, Java, etc.). |
| Pentesterlab | This exercise explains how you can, from a SQL injection, gain access to the administration console, then in the administration console, how you can run commands on the system. |
| Pentest-Ground | Pentest-Ground is a free playground with deliberately vulnerable web applications and network services. |
| Peruggia | Peruggia is designed as a safe, legal environment to learn about and try common attacks on web applications. Peruggia looks similar to an image gallery but contains several controlled vulnerabilities to practice on. |
| PicoCTF | picoCTF is a computer security game targeted at middle and high school students. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge. |
| Professor Messer | Good free training videos, not only on Security but on CompTIA A+, Network and Microsoft related as well. |
| Puzzlemall | PuzzleMall - A vulnerable web application for practicing session puzzling. |
| Pwnable.kr | 'pwnable.kr' is a non-commercial wargame site which provides various pwn challenges regarding system exploitation. While playing pwnable.kr, you could learn/improve system hacking skills but that shouldn't be your only purpose. |
| Pwnos | PwnOS is a vulnerable-by-design OS, and there are many ways you can hack it. |
| Reversing.kr | This site tests your ability in Cracking & Reverse Code Engineering. |
| Ringzero | Challenges you can solve and gain points. |
| Root Me | Hundreds of challenges and virtual environments. Each challenge can be associated with a multitude of solutions so you can learn. |
| Roppers Academy Training | Free courses on computing and security fundamentals designed to train a beginner to crush their first CTF. |
| RPISEC/MBE | Modern Binary Exploitation Course materials. |
| RPISEC/Malware | Malware Analysis Course materials. |
| SANS Cyber Aces | SANS Cyber Aces Online makes available, free and online, selected courses from the professional development curriculum offered by The SANS Institute, the global leader in cyber security training. |
| Scene One | Scene One is a pen testing scenario liveCD made for a bit of fun and learning. |
| SEED Labs | The SEED project has labs on Software, Network, Web, Mobile and System security, and Cryptography. |
| SentinelTestbed | Vulnerable website. Used to test sentinel features. |
| SG6 SecGame | Spanish language, vulnerable GNU/Linux systems. |
| SlaveHack | My personal favorite: Slavehack is a virtual hack simulation game. Great for starters, I've seen kids in elementary school playing this! |
| SlaveHack 2 BETA | Slavehack 2 is a sequel to the original Slavehack. It's also a virtual hack simulation game but you will find features much closer to today's Cyber reality. |
| Smashthestack | This network hosts several different wargames, ranging in difficulty. A wargame, in this context, is an environment that simulates software vulnerabilities and allows for the legal execution of exploitation techniques. |
| SocketToMe | SocketToMe is a little application for testing web sockets. |
| SQLI labs | SQLI labs to test error based, Blind boolean based, Time based. |
| Sqlilabs | Lab set-up for learning SQL Injection Techniques. |
| Stanford SecuriBench / Securibench Micro | Stanford SecuriBench / Securibench Micro is a series of small test cases designed to exercise different parts of a static security analyzer. Each test case in Securibench Micro comes with an answer, which simplifies the comparison process. |
| The ButterFly - Security Project | The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities. The environment also includes examples demonstrating how such vulnerabilities are mitigated. |
| ThisIsLegal | A hacker wargames site but also with much more. |
| Try2Hack | Try2hack provides several security-oriented challenges for your entertainment. The challenges are diverse and get progressively harder. |
| TryHackMe | TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs. Whether you are an expert or beginner, learn through a virtual room structure to understand theoretical and practical security elements. |
| UltimateLAMP | UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products. |
| Vulnerable Node | A very vulnerable web site written in NodeJS to explore various vulnerabilities. |
| Vulnhub | An extensive collection of vulnerable VMs with user-created solutions. |
| Vulnserver | Windows-based threaded TCP server application that is designed to be exploited. |
| W3Challs | W3Challs is a penetration testing training platform, which offers various computer challenges, in categories related to security. |
| WackoPicko | WackoPicko is a vulnerable web application used to test web application vulnerability scanners. |
| Web Attack and Exploitation Distro | WAED is pre-configured with various real-world vulnerable web applications in a sandboxed environment. It includes pen testing tools as well. |
| Web Security Dojo | Web Security Dojo is a preconfigured, stand-alone training environment for Web Application Security. |
| WebGoat | WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. |
| Wechall | Focussed on offering computer-related problems. You will find Cryptographic, Crackit, Steganography, Programming, Logic and Math/Science. The difficulty of these challenges varies as well. |
| XSS-game | In this training program, you will learn to find and exploit XSS bugs. You'll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications. |
| XVWA | XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. |
