PenterepMail

Virtual machine for teaching about hacking and IT security

Version: PenterepMail v1.5

Download

Train

Download our virtual server and try out all types of attacks for a complete understanding. Learn how to search for and find vulnerabilities and explore the world of penetration testing.

Educate yourself

Thanks to the included guides and attack scenarios, you can learn about the types of vulnerabilities and how attackers can exploit them.

Participate in challenges

In order to be more motivated to learn about the different types of vulnerabilities, you can perform thematic tasks that we have prepared for you.

Why the service was created

PenterepMail was created to enable those interested in IT security to legally test vulnerabilities in server services or web and mobile applications. Although there are a number of virtual machines on the market designed to teach you about specific vulnerabilities, they are usually far removed from the real world. Our goal was therefore to create an application that is as realistic as possible and that lets you try out as many different attacks as possible in practice. To make the range of included vulnerabilities as broad as possible, we deliberately built the server on obsolete technologies for which a large number of exploits are publicly available.

Who is the service for

The service is aimed at anyone interested in IT security who would like to learn about vulnerabilities in servers or web and mobile applications in a practical way. You will appreciate this service, for example, if:

  • you are studying IT security
  • you want to become a penetration tester
  • you are a lecturer in IT security

or if you need

  • to test specific attacks in practice
  • to demonstrate a specific vulnerability
  • a tool for practical security education

Vulnerabilities

With PenterepMail you can try hundreds of different types of attacks in practice. The server runs vulnerable technologies and hosts several vulnerable web apps that allow attacks against users and the server itself, and there is also a vulnerable Android mobile app.

Data storage
Communications
Data providers
Authorization
Authentication
Activities
Broadcasts
Intents
API
Missing Authorization
Insufficient Authorization
Technology Fingerprinting
HTTP Response Header
Banner Grabbing
Default cookie naming
Server Misconfiguration
Admin Interface Availability
Default Credentials
SQL Injection
Union-Based SQL injection
Boolean-Based SQL injection
Time-Based SQL injection
Error-Based SQL injection
DNS Exfiltration
Local File Disclosure via SQL injection
Remote Code Execution via SQL injection
Charset Mixing
SQL injection via Binary Hash
Stacked SQL injection
Stored / Second-order SQL injection
Multibyte SQL injection
Local File Disclosure via SQL injection
Command execute via SQL injection
SQL Truncation
LDAP injection
XPATH injection
SOAP injection
XML injection
Host Header Injection
Code Injection
Command Injection
Full Path Disclosure
Local File Disclosure
Local File Inclusion
Remote File Inclusion
SSI Injection
CGI Injection
PHP Object Injection (unserialize)
Function Injection
XML External Entity
Denial of Service (XXE)
Local File Disclosure via XXE
Remote Code Execution via XXE
SSL vulnerabilities
HeartBleed
Poodle
Beast
Captcha cracking
HTTP Verb Tampering
Redirect Data Leak
User enumeration
Stored phpinfo
Backup files
GIT, SVN repository
Apache multiviews files enumeration
Directory Listing
Local Session Poisoning
Session Values Injection
Server-Side Request Forgery (SSRF)
Unauthorized Direct Access
ShellShock
Unsecured Upload
Unsecured Download
Using Components with Known Vulnerabilities
phpMyAdmin
PHPMailer
Adminer
Mpdf
Simple PHP Captcha
Form and Parameter Manipulation
Hidden Fields Modification
Parameters Tampering
Insufficient Input Data Validation
Authentication
User Enumeration
Horizontal Guessing
Vertical Guessing
Form Based Authentication
HTTP-Basic Authentication
Post & Back Attack
Authentication Bypass via Cookie Value
Authorization
Insufficient Authorization
Forced Browsing
Authorization Bypass via Cookie Value
Session Management
Session Stealing
Session Fixation
Session Donation
Session Prediction
Session Token in URL
Cross-Subdomain Cooking
Insufficient logout
Insufficient Session Expiration
SessionID Cookie Name Fingerprinting
Missing HttpOnly Cookie Attribute
Missing Secure Cookie Attribute
Cross-Site Tracing
Reflected HTTP Header Value
Cross-Site Request Forgery (CSRF)
Clickjacking
Path Relative StyleSheet Import (PRSSI)
JavaScript Hijacking
Open Redirect
HTTP Parameter Pollution
HTTP Response Splitting (CRLF injection)
HTTP Response Smuggling
Sensitive Data in Browser Cache
Sensitive Data in Cookie
Sensitive Data in Local Storage
Cache poisoning
Cross-Site Scripting (XSS)
Stored XSS
via Showing text
via Tag Attribute
via File Content
via File Name
via Javascript Wrapper
via Data Wrapper
via Missing Content-Type
via Missing Charset
Reflected XSS
via Showing text
via Tag Attribute
via URL address
via Referer Header
via User-Agent Header
via Host Header
via X-Forwarded-For Header
via JSON
via XML Parser
via Flash Banner
DOM-Based XSS
via Form Input
via URL address
Blind Stored XSS
Cross-Site Messaging (XSM)
User DoS
Cookie injection
Cross domain data hijacking
Reflected File Download
CSV injection
Cross-Site WebSockets
WebSockets Manipulating
OS
SSH
FTP
POP3
IMAP
SMTP
HTTP
SSL
MySQL
Adminer
phpMyAdmin
Apache
Nginx
Lighttpd
Webmin
VNC
Samba
Sendmail

How to get started

To run PenterepMail, you will need a virtualization tool such as Oracle VirtualBox, Hyper-V, or VMware.

Installation and setup

Start by using the link above to download the latest PenterepMail image and import it into the virtualization tool. After the import is done, you will need to enable and properly configure the network card in the virtual machine. We recommend that you set the network card to bridged mode so that you can also test everything from other devices on the network, for example from your mobile phone. This also allows team members to attack each other from multiple computers. Once the virtual machine has booted, it will be assigned an IP address, which is displayed under the welcome banner. At this point, the only thing left to do is to add an entry mapping that IP address to the www.penterepmail.loc domain in the hosts file on the system from which you will connect to PenterepMail, for example:

192.168.1.100 penterepmail.loc www.penterepmail.loc

However, we recommend instead that you set PenterepMail's IP address directly as your DNS server. You will then be able to access other web applications running on the same server and to test attacks against DNS-related vulnerabilities.
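If you stay with the hosts-file approach, the entry goes stale whenever the bridged VM is assigned a different address. The following Python sketch is an added example, not part of PenterepMail: it rewrites hosts-file text so the lab names map only to the current VM address. The function names, the old address and the intranet.example line are constructed for illustration.

```python
import ipaddress

LAB_NAMES = ("penterepmail.loc", "www.penterepmail.loc")  # names from the page


def parse_hosts(text):
    """Return {hostname: ip}, keeping the first mapping found for each name."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping


def ensure_lab_entry(text, vm_ip, names=LAB_NAMES):
    """Return hosts text in which every lab name maps to vm_ip exactly once.

    Stale mappings (for example after the bridged VM receives a new
    address) are dropped; unrelated names on the same line are kept.
    """
    vm_ip = str(ipaddress.ip_address(vm_ip))  # raises ValueError on a typo
    wanted = {n.lower() for n in names}
    out = []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2 and wanted & {f.lower() for f in fields[1:]}:
            keep = [f for f in fields[1:] if f.lower() not in wanted]
            if not keep:
                continue  # the line held only lab names: drop it
            line = " ".join([fields[0]] + keep) + (" #" + comment if sep else "")
        out.append(line)
    out.append(vm_ip + " " + " ".join(names))
    return "\n".join(out) + "\n"


# Constructed sample: a hosts file with a stale lab entry from an earlier boot.
SAMPLE = """127.0.0.1 localhost
192.168.1.57 penterepmail.loc www.penterepmail.loc  # old lease
10.0.0.5 www.penterepmail.loc intranet.example
"""

if __name__ == "__main__":
    print(ensure_lab_entry(SAMPLE, "192.168.1.100"), end="")
```

Write the returned text back to the hosts file with administrator rights; running the function again on its own output leaves the file unchanged.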

Anything else?

To get the most out of testing all the vulnerabilities, you will need two more virtual machines: one on which you act as the attacker (we recommend the Kali Linux distribution) and another on which you act as the victim. On the victim machine you can deploy, for example, Windows or another system that you regularly use. You can also use your main operating system instead of a victim virtual machine.

To test some types of attacks, it will be useful to run your own web server, such as Apache, on the attacker's device. In this case, you will need a domain of your own that points to the attacker's server. A fictitious domain name is enough, provided you add an entry for it to the hosts file on all machines that will access that domain. Since the PenterepMail virtual server itself will probably need to be able to access your domain, you will also need to edit its hosts file, which is made available at http://www.penterepmail.loc/admin/hosts.php.

Using a mail client

PenterepMail is not just a web application, but a full-fledged mail server that you can also connect to using any mail client such as Outlook or Thunderbird. POP3, IMAP and SMTP protocols are available for connection. If you want to use this option, set up the SMTP/POP3/IMAP server in your mail client to www.penterepmail.loc. The services run on standard ports.

As PenterepMail is a fully featured mail server, you can send messages from it to any email address. However, be aware that these messages will be sent from a non-existent domain (penterepmail.loc) and will therefore likely be treated as spam by the recipient’s system and discarded.

Licences

PenterepMail is and always will be completely free. You can use it free of charge not only for personal purposes, but also for public demonstrations or teaching. The tool is distributed under the MIT licence.