Vulnerable Windows virtual machines to hack There are plenty of vulnerable virtual machines to practice your hacking skills available on vulnhub.com, but they're all Linux boxes. If you'd like to practice on Windows, Microsoft has made available for download Windows XP with Internet Explorer 6, up through Windows 10 with the Edge browser. Security vulnerabilities of Microsoft Windows Xp: List of all related CVE security vulnerabilities. CVSS Scores, vulnerability details and links to full CVE details.
Recently I bought a gaming computer with some of the best specs out there (i7, gtx670, 16gig ram, ssd, etc) and decided to finally set up my own Pentesting lab so I can practice breaking and securing 'real' boxes of my own. My current setup consists of my router connected to my apartment's WAN using DHCP, which issues private DHCP leases to the connected boxes on my network. I have a Windows 7 laptop of my own, a Windows 7 desktop host machine running VMs, and a Ubuntu 12.10 server for all my main Linux needs (I have SSH set up so I can access this box from work and other places). My friends also connect to this network via Wifi, so there are random Win7 and OSx computers connected to it.
As for my virtualized boxes, I have Windows XP (different SPs), Windows Server 2003, 2008, and 2012, Metasploitable 2, DVL (Damn Vulnerable Linux), BackTrack5R3 (I hack from this box), and a few other exploitable machines. I will be setting up a Windows Vista and a couple other *nix distros to exploit, as well. I am using, which is provided to me for free through my University and our agreement.
For those who do not have access to such great tools, you can use the free version, but be forewarned that certain options may be different. I apologize if there are any problems when following my guides using Player instead of Workstation, but I will do my best to remedy these.
Click OK to start the program. Once it is successfully done, you'll see the message, 'The product was successfully activated'. 
Getting Started. Below is a list of exploitable and vulnerable VMs/ISOs(updated 10/29/12): - Probably the best VM to use. Complete vulnerable VM with services set up for everything.
Most of my tutorials will start with exploiting this. Damn Vulnerable Linux 1.5 - Discontinued, but I have the ISO. I will upload it *somewhere* when I'm home. Either directly through this site or on a sharing site (you could torrent, but I want all the download to be able to be directly downloaded). - LAMP stands for Linux Apache MySQL PHP, and this version is for the security testing of those.
- Self Explanatory; OWASP's Broken Web App Project! Below is a list of VMs and ISOs that you can configure yourself: - Scroll down for the download link; a complete LAMP (Linux, Apache, MySQL, PHP) distro. Below is a list of VMs and ISOs to hack from: - I use the Gnome 32bit VM one and just load it into my VMWare; all of my tutorials will be from Ubuntu 12.04 LTS, or BT5R3 (which is Ubuntu, as well). BackTrack has been replaced by the following: - Another Ubuntu based Pentesting distro - Yet another Ubuntu based Pentesting distro Creating Your Pentesting Network.
Now that we have a host machine with a virtual machine application (I suggest VMWare), it's time to set up your network so you can see all your exploitable (and maybe non exploitable) VMs! For the machines that are already built for VM usage (aka they're VMDK and not ISO), just double click the.VMX file which is the configuration file for the virtual machine, and it will automatically open with the configured VM software. For the machines that you downloaded in ISO format, we have to add them into our VM software. Below I will show you how to do so in VMWare Workstation (though I believe the free version of VMWare is the same). Creating a Virtual Machine from an ISO.
This part is important because you cannot have two of the same name (duh), and because if you store all your VMs together, as they become larger there needs to be sufficient disk space on the drive you are saving them to. Name each of your Virtual Machines so you can tell them apart. Some of mine have specific names (like Metasploitable2) and some have just the distro name if its generic (like Ubuntu 12.04 LTS). The next step is the size of the virtual disk you will be creating for this VM.
It is very important to make it large enough so that if you use it often (installing applications/writing programs/etc) it will not fill up, but not too large that you're wasting space. Note that the files become larger as you use the space, so you can overshoot a bit for this. For our Ubuntu I'm just going to put it to 8gigs since I'll probably be deleting it (I already have a few Ubuntus spun up). After clicking next, this screen shows the brief overview of what we have selected.