Review: Linux Security Distributions

Where once Linux was relegated to long-bearded gurus sitting atop servers bathed in a the dull glow of fluorescent lighting, today it's much more hip and found in one form or another in most enterprises, even on the desktop, not to mention that it underpins the net as we know it today.

It's kinda useful. But it's also inherently flexible, versatile and extensible and you can now download Linux distributions tailored for everything from office desktops and embedded computing to education and science. And, of course, security.

In fact, there are a surprisingly large number of security-oriented distributions that can form part of any CSO or staff toolkit, depending on what you want to accomplish.

Here's our take on some of the more well-known options.

NST - Network Security Toolkit

Based on: Fedora
Current version: 18 SVN:4509

Based on the Fedora Core distribution, the Network Security Toolkit is a bootable live-CD that rolls the most popular open-source security applications into one neat package. Its list of tools is extensive and includes Wireshark (the popular protocol analyser), Etherape (graphical network browser), Ettercap (packet sniffer for man-in-the-middle attacks), AirSnort (WEP key cracker, though you should note this has been superseded by others like Aircrack-ng), and Angry IP scanner (find live hosts and determine basic data about them) among many others. It also sports a nifty geolocation plotting tool to map IP data, trace-route results, and even active connections.

Unfortunately the interface isn't terribly intuitive, and although based on the slick Gnome 3.0 graphical desktop, doesn't make it easy to find and launch the plethora of programs on offer—the Search field will let you filter for programs, but if you haven't used them before and don't know what to look for, this isn't all that helpful. You can, however, browse all programs by clicking on Activities followed by Show Applications, it's not pretty but it works.

NST is flexible in that it can be set up as a network monitor, networks scanner and traffic analyser, virtual system service server, wireless network monitoring or intrusion detection system. And while the live-CD can be used stand-alone and booted from a USB key on any machine, the distribution can also be installed to a hard drive and updated for more permanent duties.

NetSecL OS

Based on: OpenSUSE
Current version: 4.0

NetSecL is interesting for a number of reasons: beyond its focus on security, it's been built using SUSE's appliance studio (—a brilliant web-based interface to literally roll your own customised distribution. You can even launch distributions live in the browser for testing before downloading a custom ISO.

As a result NetSecL OS can be obtained from the NetSecL OS homepage, or directly from SUSE Studio. It is, however, not quite as polished as other distributions covered here, dumping a lot of the penetration testing tools into a folder structure for you to explore and figure out. It does, though, include a good selection of programs including those designed to be used against Oracle and CISCO products.

Apart from this some other staples as seen in other distributions covered here include WireShark, Metasploit, Zenmap, and Etherape.

Unique to NetSecL OS among our selection here is that it also includes DOSBox, for running DOS programs, as well as Wine (Wine Is Not an Emulator) for running Windows programs natively. These could certainly prove useful for older DOS tools or more familiar Windows ones that you regularly use, though it's worth noting Wine isn't bullet-proof and not every program is guaranteed to run (but considering it's a collection of reverse-engineered Windows .dlls that run natively on Linux, it's none-the-less impressive).

On first glance NetSecL OS isn't as easy to use as other products we've looked at here nor is it as extensive, but it has its own unique toolsets and you may find it apt to your cause. Incidentally, since it's not immediately obvious from the homepage, the password for the default login is 'linux'.


Based on: Slackware
Current version: 4.4.3

WiFiSlax is, not surprisingly, given its name based on the Slackware distribution and bundles a range of security and forensic tools optimised not just for WiFi penetration and testing but general network security as well.

Some of the wide range of tools include WireShark (previously mentioned), WiFi Radar (find nearby devices), Hydra (network password cracker), Zenmap (GUI for the popular NMap port scanner), the bmon signal analyser, the aptly named MACchanger MAC address changer, and a host of utilities for WPA and WPS password cracking and protocol attacking.

The desktop interface is based on KDE, making it familiar for both Windows and Linux users alike, and includes more traditional desktop software such as browsers (Firefox and Konqueror), multimedia playback tools, torrent clients, and text editors. It also includes updating scripts to keep the less traditional penetration and cracking utilities not usually found in Slackware's repositories up-to-date.

WiFiSlax is a Spanish distribution so if you intend to browse the homepage, Chromium and its auto-translate function will be useful—the download ISO and software itself however still sport English menus. Aside from a live-CD, a pre-installed Virtualbox image can also be downloaded.

WiFiSlax is unique in that—beyond the inclusion of wifi-based security testing and penetration tools—its kernel is also updated with various unofficial drivers to ensure it supports the widest array of wifi hardware out of the box. It doesn't get better than this when it comes to testing and debugging the security of your wireless networks.


Based on: Ubuntu
Current version: 3.05

Compared to some of the other distributions covered here Backbox looks and feels slick. Based off Ubuntu, the world's most popular desktop Linux distribution, it inherits an Xfce-based (lightweight, low-resource usage) desktop and Ubuntu's package management and auto-update system.

Billed as the ultimate penetration testing, incident response, and forensic analysis tool it certainly goes a long way to fulfilling this with a veritable playground of security-focused apps. These include Aircrack-ng (wireless WPA/WPA2 cracking), ophcrack Windows password cracker, ZAP (the Zed Attack Proxy for web app penetration testing), W3AF application attack and audit framework, Skipfish site vulnerability probing, and protocol tools like tcpdump, Ettercap and Wireshark. It also bundles a range of forensic apps, stress testing tools, and social and reverse engineering programs such as the widely-popular Websploit.

In addition to these, standard desktop apps are included, with everything from Firefox and LibreOffice to XChat IRC and VLC, making it quite flexible as a workbench when testing. By far Backbox's key advantage is its great interface and clearly organised toolsets (13 categories in all that cover vulnerability assessment, privilege escalation, exploits, social engineering, forensic analysis and documentation and reporting among others).

We've covered version 3.01 of Backbox previously, this latest version sports faster performance, improved WiFi drivers, support for the latest 3.8 kernel, and updated hacking tools.

Kali Linux

Based on: Debian
Current version: 1.02

Kali Linux is described as an 'offensive security project', as well as 'the most advanced penetration testing distribution, ever'. Bold words, so does it deliver?

On first glace it's certainly got the image: Kali boots into a clean Gnome 3.0-based desktop and neatly separates its penetration testing tools from the stock Debian distribution programs. These include its 'Top 10' security tools which encompass Aircrack-ng, Hydra, WireShark and Metasploit among others as well as a veritable shopping mall of other security and testing programs categorised under Information Gathering, Vulnerability Analysis, Password Attacks, Wireless Attacks, Sniffing and spoofing, Exploits, Reverse engineering and Hardware hacking to name a few. Notables in here include the pyrit GPGPU (that is, graphics-card accelerated) password cracker, sets of tools for both Android and Arduino, and forensic programs for networks and RAM.

It also bundles a selection of programming tools including an IDE for Arduino, as well as the standard apps like VLC for media playback, the IceWeasel browser (essentially, re-branded Firefox), and TrueCrypt for encryption.

Kali can be downloaded as a live-CD ISO, a VMWare appliance, and for a range for embedded solutions include Samsung's Galaxy Note 10.1 tablet and the Rasperry Pi. Alternatively, though you need more extensive experience with Linux, you can edit Kali's build scripts to create your own customised version of Kali with just the specific tools and services you need.

With its own regularly-updated repositories, a simple yet effective interface, vast range of tools and platform flexibility it's easily one of the better security-focused distributions covered here.


Based on: Gentoo
Current version: 2013 RC 1.1

Pentoo is a penetration-focused distribution based off Gentoo (hence the name), a flexible source-based distribution that compiles programs from source-code to your specific requirements.

In much the same vein as its Gentoo base, Pentoo actually drops you to the command-line on first boot enabling you to start work sans GUI, which can be especially helpful on memory-constrained machines. Launching the GUI is just a matter of typing 'startx' to run the X Window Manager and load the default desktop environment: in this case the lean and fast Xfce.

Also bundled is a MacOS-X-like dock for the essentials of launching a terminal, file manager or the web browser. And, like the other distributions covered here, combines a large number of tools to test and gauge the security of your network, covering everything from wireless cracking and data forensics to Bluetooth vulnerabilities and even VoIP exploits. It also bundles CUDA/OpenCL (aka GPGPU) enhanced cracking software for accelerated vulnerability analysis.

Like other live-CDs, Pentoo can also optionally be installed to a hard drive and, if required, basic desktop tools are included for office, email and instant messaging. On the whole it isn't quite as slick as something like Backbox, though its default desktop background is more amusing, but it is security hardened, fast (something Gentoo is known for), and easily challenges Backbox and Matriux for the huge range of tools on offer.

Join the CSO newsletter!

Error: Please check your email address.

Tags network security toolkitWiFiSlaxBackboxMatriux LinuxPentooGentoofedoraOpenSUSEubuntuSlackwareNetSecLdebianKali LinuxLinux security distributionsRemnux

More about BackboxBuiltCSODebianFedoraGalaxyISOKDEKDELinuxMicrosoftNSTOracleRed HatSamsungToolkitUbuntu

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ashton Mills

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts