10 Places to Find Vulnerable Machines for Your Lab

Blog Post created by ckirsch on Dec 13, 2011

iStock_000018102545XSmall.jpgIt can sometimes be challenging to find vulnerable machines for your penetration testing or vulnerability management lab. Here’s a list of vulnerable machines you should check out:


  1. Metasploitable
  2. UltimateLAMP
  3. Web Security Dojo
  4. OWASP Hackademics
  5. DVWA Damn Vulnerable Web Application
  6. Mutillidae
  7. De-ICE
  8. OWASP Web Goat
  9. Google Gruyere
  10. Old ISOs - if you know what to look for (for example, old Ubuntu versions)


The Microsoft Developer Network (MSDN) subscription is also worth checking out. You can get collections online for about $200. If you are working in academia, also check out the Microsoft Developer Network Academic Alliance (


Also check your basement - you never know what old discs you still have lying around!


Note: This blog post was inspired by a question in Matt Barrett’s webinar “How to set up a penetration testing test lab” as well as several audience submissions (thank you!). Watch the webinar now!