- Web Security Dojo
- OWASP Hackademics
- DVWA Damn Vulnerable Web Application
- OWASP Web Goat
- Google Gruyere
- Old ISOs - if you know what to look for (for example, old Ubuntu versions)
The Microsoft Developer Network (MSDN) subscription is also worth checking out. You can get collections online for about $200. If you are working in academia, also check out the Microsoft Developer Network Academic Alliance (http://msdn.microsoft.com/en-us/academic/bb250591)
Also check your basement - you never know what old discs you still have lying around!
Note: This blog post was inspired by a question in Matt Barrett’s webinar “How to set up a penetration testing test lab” as well as several audience submissions (thank you!). Watch the webinar now!