BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

It’s a superb tool to recreate, examine and understand exploits that potentially exist in operating systems and web applications. provide an excellent introduction to some of BackTrack’s functionality.

Particularly impressive is the lesson which creates a Virtual Network Computing (VNC) link to a Windows XP machine. VNC gives you a graphical interface to the XP box.

Although this lesson is easily defeated by simply turning on the Windows XP Firewall, it shows the potential for harm that a malicious hacker can cause on a poorly configured machine.

Damn Vulnerable Web App (DVWA)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that comes with a set of deliberate vulnerabilities built into it.

I came across it while reading through some of the NY Poly courseware.

DVWA is similar to the Web Goat application I mentioned in an earlier post. DVWA’s aims ‘are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.’

While working on DVWA, I came across this superb set of tutorials on the website

What’s particularly impressive about these tutorials is that they integrate DVWA with BackTrack, Burp Suite, John the Ripper and a number of other security testing tools.

You’d pay quite a lot of money to attend a training course and get access to this kind of information. These tutorials are laid out brilliantly, easy to follow – and they’re free!

Definitely worth checking out.

Web Vulnerabilities and WebGoat

I’ve completed the Web Goat tutorials. This is an excellent resource to introduce yourself to web vulnerabilities. It’s a standalone vulnerable web application. A series of exercises are provided that walk you through the exploitation of these vulnerabilities.

The tutorials are backed with a strong list of solution videos.

I’m using the free version of Burp Suite to intercept browser traffic.

Just a couple of things of interest, in case you are new to the whole area of web vulnerabilities. I’m running Web Goat on Windows XP. If you are running Windows you will need to install Java on your machine. You will also need to include Java in your Windows PATH to start the Tomcat server that comes with Web Goat.

Also, for those looking for an introduction to web vulnerabilities, here’s an excellent intro video to the area from the NY Poly Cryptocity site