CTF练习资源大全集

Practice CTF List / Permanant CTF List

Here's a list of some CTF practice sites and tools or CTFs that are long-running. Thanks, RSnake for starting the original that this is based on. If you have any corrections or suggestions, feel free to email ctf at the domain psifertex with a dot com tld.

Live Online Games

Recommended

Whether they're being updated, contain high quality challenges, or just have a lot of depth, these are probably where you want to spend the most time.

• http://pwnable.kr/ (one of the more popular recent wargamming sets of challenges)
• https://picoctf.com/ (Designed for high school students while the event is usually new every year, it's left online and has a great difficulty progression)
• https://microcorruption.com/login (one of the best interfaces, a good difficulty curve and introduction to low-level reverse engineering, specifically on an MSP430)
• http://ctflearn.com/ (a new CTF based learning platform with user-contributed challenges)
• http://reversing.kr/
• http://hax.tor.hu/
• https://w3challs.com/
• https://pwn0.com/
• https://io.netgarage.org/
• http://ringzer0team.com/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://vulnhub.com/
• http://ctf.komodosec.com

Others

• https://www.onlinectf.com/challenges/
• https://backdoor.sdslabs.co/
• http://smashthestack.org/wargames.html
• http://hackthecause.info/
• http://bright-shadows.net/
• http://www.mod-x.co.uk/main.php
• http://scanme.nmap.org/
• http://www.hackertest.net/
• http://net-force.nl/
• http://securityoverride.org/ Some good concepts, but "canned" vulnerabilities (string matching on input) will frustrate knowledgable hackers and teach newbies the wrong lessons

Meta

• http://www.wechall.net/sites.php (excellent list of challenge sites)
• http://ctf.forgottensec.com/wiki/ (good CTF wiki, though focused on CCDC)
• http://repo.shell-storm.org/CTF/ (great archive of CTFs)

Webapp Specific

• http://demo.testfire.net/
• http://wocares.com/xsstester.php
• http://crackme.cenzic.com/
• http://test.acunetix.com/
• http://zero.webappsecurity.com/

Forensics Specific

• http://computer-forensics.sans.org/community/challenges
• http://computer-forensics.sans.org/community/challenges
• http://forensicscontest.com/

Recruiting

• https://www.praetorian.com/challenges/pwnable/
• http://rtncyberjobs.com/
• http://0x41414141.com/

Paid Training

• http://heorot.net/

Downloadable Offline Games

• http://www.badstore.net/
• http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• http://www.owasp.org/index.php/Owasp_SiteGenerator
• Damn Vulnerable Web App
• Stanford SecureBench
• Stanford SecureBench Micro
• http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Virtual Machines

• https://pentesterlab.com/exercises/
• http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
• Damn Vulnerable Linux (not currently live? local mirror)

Inactive or Gone

Just around for historical sake, or on the off-chance they come back.

• http://rootcontest.com/
• http://intruded.net/
• https://how2hack.net
• WebMaven (Buggy Bank)
• http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
• http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
• http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
• http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
• http://hackme.ntobjectives.com/
• http://testphp.acunetix.com/
• http://testasp.acunetix.com/Default.asp
• http://prequals.nuitduhack.com
• http://www.gat3way.eu/index.php (Russian)
• http://exploit-exercises.com/ (challenges mirrored on vulnhub)
• http://damo.clanteam.com/
• http://p6drad-teel.net/~windo/wargame/
• http://roothack.org/
• http://ha.ckers.org/challenge/
• http://ha.ckers.org/challenge2/
• http://www.dc3.mil/challenge/

常用【在线类工具】

Objectif Sécurité 在线LMHASH破解
https://www.hashkiller.co.uk/ hash破解
https://github.com/ 全球知名在线管理开发平台
http://astalavista.box.sk 最好的注册码、注册机、序列号搜索引擎
http://www.s0ftpj.org/ 意大利老站
http://recover-weblogic-password.appspot.com/ 在线weblogic密文破解
http://tools88.com/safe/vnc.php 在线VNC密文破http://www.vpnhunter.com/ 在线查找VPN，mail接口
http://mailinator.com 一次性邮箱
http://www.yopmail.com/zh/ 一次性邮箱

国内外安全大牛的【个人博客】

http://www.insecure.org (Fyoderr的个人站点,即Nmap的老家) 　
http://www.guninski.com/ 安全专家Guninski的主页，有大量系统漏洞工具具及源代码 　　
http://blog.gentilkiwi.com/ mimikatz
https://www.schneier.com/ Bruce,Schneier的博客（专业Blackhat会棍）
http://an7isec.blogspot.co.il/ “整蛊小黑必备” 博客 发现了WVS8版本远程溢出漏洞
https://fail0verflow.com/blog/index.html 一个硬件牛的BLOG
https://blog.0x80.org/ 破解过jeep车锁的大牛
https://www.netspi.com/blog 对MSSQL渗透有研究的大牛
http://hakin9.org
http://websec.ca/blog 渗透tips
http://www.derkeiler.com/
http://www.xssed.com/
http://adsecurity.org/ 内网渗透、域渗透牛人
http://securityxploded.com
http://www.devttys0.com/blog/ 国外路由器安全大牛

这些国内外大牛的个人博客，是一定要关注的，不管想当职业赛棍，还是仅仅是对ctf感兴趣，从中学些安全技术，这些是最宝贵的经验。

【综合类型网站】

http://www.blackhat.com/
http://shiyanbar.com（线上资源均免费，经常性的举办各种有奖活动）
http://packetstormsecurity.com (有大量exploit程序)
http://www.ussrback.com/ 比较活跃的安全站
http://www.attrition.org/ 内容全面的安全站 　(更新至2013年)
http://www.social-engineer.org/ 社会工程学研究所
https://www.soldierx.com
http://www.windowsecurity.com/(windowsnetworking.com)包含论坛、博客、新闻、工具windowsnetworking.com
http://www.blackmoreops.com
http://www.securitytube.net 大量视频

如何开始你的CTF比赛之旅
http://www.freebuf.com/articles/others-articles/36927.html
http://blog.idf.cn/2015/02/ctf-field-guide/ CTF领域指南
https://ctftime.org/event/list/upcoming CTF预告

CTF练习平台

http://hackinglab.cn/ 网络信息安全攻防学习平台
http://captf.com/ ctf题目
http://oj.xctf.org.cn/ XCTF_OJ练习平台
http://ctf.3sec.cn/ Jlu.CTF
http://www.baimaoxueyuan.com/ctf 白帽学院ctf挑战赛
http://www.ichunqiu.com/tiaozhans i春秋ctf挑战
http://ctf.idf.cn/ IDF实验室
http://ctf.moonsos.com/pentest 米安网ctf
http://www.hetianlab.com/CTFrace.html 合天ctf
http://www.shiyanbar.com/ctf/ 实验吧
https://bctf.cn/#/challenge BCTF复盘

CTF XSS

http://xss.pkav.net/xss/
http://xss-quiz.int21h.jp/
http://escape.alf.nu/

CTF SQL Inject

http://redtiger.labs.overthewire.org/ 个人感觉挺不错的
https://github.com/Audi-1/sqli-labs

CTF RE & PWN

http://reversing.kr/ 逆向
http://pwnable.kr/ PWN
http://exploit-exercises.com/ 提供各种虚拟机、文档和挑战
http://security.cs.rpi.edu/courses/binexp-spring2015/ 各种逆向题(英文)
http://www.52pojie.cn 吾爱破解论坛

CTF游戏

http://1111.segmentfault.com/ 光棍节程序员闯关秀
http://monyer.com/game/game1/梦之光芒的小游戏
http://www.fj543.com/hack/ 黑客丛林之旅
http://hackgame.blackbap.org/ 习科黑客游戏
http://www.helloisa.com/test/ ISA闯关游戏
http://hkyx.myhack58.com/ 红客闯关游戏
http://hackit.sinaapp.com/ hackit游戏

CTF Tools

http://bobao.360.cn/news/detail/1100.html PWN工具
http://www.tasfa.cn/index.php/2016/01/29/ctf-tools-2/ CTF瑞士军刀
http://forum.cnsec.org/thread-93930-1-1.html 世界著名CTF战队提供的工具
http://wololo.net/talk/viewtopic.php?f=27&t=39000 CTF-GUI (英文)

CTF WriteUp

http://bobao.360.cn/ctf/ 360播报
https://github.com/ctfs/ github上writeup
http://www.secpulse.com/archives/category/exclusive/ctf-writeup 安全脉搏

国外篇*********
(梯子自搭。。。。)

http://overthewire.org 类似wargame
http://www.root-me.org/?lang=en 经常玩的一个
http://www.wechall.net 比较杂乱，建议英文好的才用这个
http://insight-labs.org/ 有逆向题还有paper(部分中文)
http://wargame.kr/ 比较不错
http://canyouhack.it/ CTF综合练习，分类较清楚，首选
http://webhacking.kr/ 游戏，有点酷炫。没玩过
http://prompt.ml/0 XSS
http://fun.coolshell.cn/ 闯关游戏
http://ringzer0team.com/challenge分类比较独特，需要注册账号
https://backdoor.sdslabs.co/ 闯关游戏，挺有意思的，网站做的不错，新手适合
http://smashthestack.org/ 漏洞利用练习网站