Vulnerable systems setup

I frequently get asked how to set up a test lab to practice hacking on. Usually I point the curious in the direction of VMware or VirtualBox and tell them to set up VMs. There are plenty of guides explaining how to do this, but one step that is often missing is how to configure realistic VMs for vulnerable configurations. You might want to know how the exploit you are trying would work against different systems, or how it would work against targets at the time it was released. So I looked through some release timelines and postings to figure out which versions of your favorite browser, plugins, and PDF reader would be installed if you had up-to-date versions of each on January 1st of the past three years, and where you can get them from. This may also be useful if you are putting together a CTF or other challenge:

For your beginning-of-2010 vulnerable system you should have:
IE 8 with MS09-072/KB294871 update
Flash player
Java SE 6 Update 17
Acrobat Reader 9.2

For beginning-of-2011 you should have:
IE 8 with MS10-090/KB2416400 update
Flash player 10.1
Java SE 6 Update 23
Acrobat Reader 10.0 or 9.5.0

For beginning-of-2012 you should have:
IE 8 (most popular) or 9 with MS11-099/KB2618444 update
Flash player
Java SE 6 Update 30
Acrobat Reader 10.1.1
