Best forensic and pentesting Linux distros:

Administering a network connected to the Internet isn’t a job for the timid anymore. To ward off unwanted attention from bad actors, the network admin must be able to understand the potential security weaknesses in their IT infrastructure before they can take adequate measures to harden the network periphery.

The good news is that the most popular and best tools for the job are open source. And the even better news is that there are several projects that create specialized Live distros that bundle these tools and will help you identify the weaknesses in your network.

  1. BackBox
  2. BlackArch
  3. Kali Linux
  4. Parrot Security
  5. Pentoo


1. BackBox

Best distro for pentesting enthusiasts

REASONS TO BUY
+Forensics mode
+Useful tooltips
+Can route all traffic through Tor
REASONS TO AVOID
-No Tor utilities

BackBox is based on Ubuntu 20.04 LTS and uses the Xfce desktop, and is available as a single ISO only for 64-bit machines. In addition to the regular boot options, the distro’s boot menu also offers the option to boot into a forensics mode where it doesn’t mount the disks on the computer.
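The point of a forensics-mode boot is that the examiner's live system never touches the evidence disks. The following script is an added example, not BackBox's own code, that checks this property: it reads a mount table in /proc/mounts format and reports any internal block device that has been mounted, flagging read-write mounts separately. The sample mount table is constructed for the example; on a real system you would feed it /proc/mounts.

```shell
#!/bin/sh
# Added example (not from BackBox): verify that a live boot has not mounted any
# internal block devices, which is what a forensics mode is supposed to guarantee.

# Constructed sample of /proc/mounts output. The two /dev/sda lines simulate an
# evidence disk that a careless live session auto-mounted.
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/sda1 /media/disk ext4 rw,relatime 0 0
/dev/sda2 /mnt/evidence ntfs3 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Read a mount table on stdin and print "device mountpoint options" for every
# internal disk-style device. Optical media (/dev/sr*) and loop devices are
# ignored because a live ISO legitimately mounts its own boot medium.
list_disk_mounts() {
    awk '$1 ~ /^\/dev\/(sd|hd|vd|nvme|mmcblk)/ { print $1, $2, $4 }'
}

# Read a mount table on stdin and print the number of internal disks mounted
# read-write (the worst case for evidence integrity).
count_rw_disk_mounts() {
    list_disk_mounts | awk '$3 ~ /^rw/ { n++ } END { print n+0 }'
}

# Read a mount table on stdin; return 0 if no internal disk is mounted,
# 1 otherwise, printing the offending mounts.
check_forensic_mode() {
    found=$(list_disk_mounts)
    if [ -z "$found" ]; then
        echo "OK: no internal block devices mounted"
        return 0
    fi
    echo "WARNING: internal block devices are mounted:"
    echo "$found"
    if echo "$found" | awk '{ print $3 }' | grep -q '^rw'; then
        echo "WARNING: at least one of them is mounted read-write"
    fi
    return 1
}

# Run against the constructed sample. On a live system use:
#   check_forensic_mode < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | check_forensic_mode || true
```

A passing result only shows that nothing is mounted; it says nothing about whether the kernel has written to the device in other ways, so a hardware or software write blocker remains the primary control when handling evidence.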

BackBox includes some of the most common security and analysis tools. The project covers a wide range of tasks: network analysis, stress testing, sniffing, vulnerability assessment, computer forensics, exploitation, privilege escalation, and more.

All the pentesting tools are neatly organized in the Auditing menu under relevant categories. These are broadly divided into three sections. The first has tools to help you gather information about the environment, assess vulnerabilities of web tools, and more. The second has tools to help you reverse-engineer programs and social-engineer people. The third has tools for all kinds of analysis.

BackBox has further customized its application menu to display tooltips with a brief description of each bundled tool, which will be really helpful for new users who aren’t familiar with the tools.

As an added bonus, the distro also ships with Tor and a script that will route all Internet bound traffic from the distro via the Tor network.


2. BlackArch

Best distro for experienced pentesters

REASONS TO BUY
+Extensive collection of tools
+Categorized repositories
REASONS TO AVOID
-Esoteric desktop environments

BlackArch is based on Arch Linux. The main feature of the distro is its huge collection of tools, numbering over 2500, many of which you wouldn't find in any of the other distros.

The distro sorts the tools into categories such as anti-forensic, backdoor and cracker. These are, however, arranged alphabetically and offer no further sub-categories, which poses navigation problems. For instance, some categories, such as cracker, recon and automation, list over a hundred tools each, which makes scrolling through the menus rather cumbersome.

BlackArch's best customization is its smart repository arrangement. If you are already an Arch user, you can install BlackArch atop your existing installation by pulling in packages via groups such as blackarch-cracker, blackarch-exploitation, blackarch-forensic, and dozens more.

On the flip side, the distro relies on a bunch of lightweight but esoteric window managers to draw the desktop. By default, the distro uses fluxbox but also offers i3, openbox, and others. This further restricts the audience for the distro. All things considered, BlackArch is meant for users who are adept at pentesting, care more about having the tools at their disposal, and don't care much about the interface.

3. Kali Linux

Best distro for pentesting learners

REASONS TO BUY
+Smart categorized menu
+Supports multiple platforms
+Offers tons of documentation

Perhaps the most well-known pentesting distro, Kali Linux is based on Debian and uses the Xfce desktop. It features a customized menu that is divided into numbered categories, which are further broken down into logical sub-categories. This arrangement not only simplifies navigation but also makes it easier to find the right tool for the task at hand.

Unlike distros such as BlackArch, Kali Linux doesn't include each and every pentesting tool out there. However, its developers, many of whom work as pen testers themselves, assure that the ones it does include have been carefully curated to avoid duplicates and are the best tools for a particular job.

Kali Linux also makes it very easy to roll your own custom Kali-based distro. You can use its scripts to customize and tweak all aspects of the distro. To help you with the process, the Kali Linux project also has a couple of precooked build recipes to create custom Kali spins.

Kali Linux is available as a Live installable ISO, an install-only image, and a netinstall ISO for both 32-bit and 64-bit machines. The project also offers images for several ARM-based devices, including several Chromebooks, Raspberry Pi, BananaPi and Beaglebone Black.

Perhaps the biggest factor in Kali's popularity is the project's ample documentation, both on and off the project's website. Besides the official sources of documentation, you'll also find various third-party documentation, including books, screencasts and video tutorials, all over the Internet.

4. Parrot Security

Best distro for new pentesters

REASONS TO BUY
+Encrypted USB persistence
+Has a home edition
+Several privacy tools

Although Parrot Security is designed for penetration testing and vulnerability assessment, the distro has a broader mandate than most of its peers, such as Kali Linux.

One of the first things you notice about the distro is its extensive boot menu. For instance, when used from a USB disk, you can choose to boot into the Live environment along with a persistent partition to save your changes. There's also a very useful option to encrypt this persistent partition, so that any captured data or notes stored on the stick are protected if it is lost.

Its large selection of tools is filed inside a neat menu structure that categorizes the tools by use. All the pen-testing tools are listed within the Parrot menu, which has sub-menus named Information Gathering, Vulnerability Analysis, Exploitation Tools, Password Attacks, Digital Forensics and several more. Most of these menus have more topical sub-menus. For instance, the Wireless Testing menu has sub-menus for 802.11 wireless tools, Bluetooth tools, RFID and NFC tools and more. The Digital Forensics section of the distribution is the result of the project's collaboration with the lead developer of CAINE (Computer Forensics Linux Live Distro).

In addition to targeting pentesters, Parrot also aspires to be useful for average computer users who need a secure, privacy-focused distro, such as hacktivists and journalists. The distro also has a Home edition designed for day-to-day use by anyone who cares about privacy and online anonymity.

5. Pentoo

Best pentesting distro for users familiar with Gentoo

REASONS TO BUY
+Can install over Gentoo
+Custom hardened kernel
REASONS TO AVOID
-Poor documentation

Pentoo is based on the venerable source-based Gentoo distro, and even though it runs Xfce on the desktop, managing the distro will require familiarity with its Gentoo underpinnings.

Pentoo is also available as an overlay, which means that Gentoo users can install Pentoo atop their existing installations with a single command. Another unique aspect of the distro is that it uses a customized hardened kernel with several relevant patches.

In terms of pen testing, like all of the other distros in this list, Pentoo also has a categorized list of apps. However, unlike some of the other options in this guide, Pentoo's categorization is a little too broad for our tastes, though this shouldn't trouble experienced pen testers, whom the distro seems to be targeting.

As per the documentation on the project's website, Pentoo at present produces three images: beta, daily and stable. However, we couldn't find the stable image on any of the project's mirrors. That said, Pentoo's beta images worked as advertised.

Pentoo also fares pretty poorly in the help and support department, especially when compared to some of its peers. There's a small FAQ, and the docs section has an introductory video from the lead developer at Defcon 2014, but that's about all the help you can expect from the project.