This time we are talking about various desktop Linux distributions, but there is also room for Android and even Windows.
Most hacker OSes are fairly similar to the collections of highly specialized utilities that I have already described. They are pre-made tool kits with a few presets tuned for performance, nothing exclusive. Simple scripts such as katoolin or PFT turn an ordinary Ubuntu or Debian into a penetration testing distribution in a couple of commands, so many of Bastion's employees work from ordinary Linux distributions tailored to their needs, while others mainly use Kali.
Kali Linux needs no introduction. Despite its large number of dependencies and the update problems that come with them, this distribution has become the de facto industry standard for pentesters. It runs on a wide variety of platforms, from the Raspberry Pi to smartphones, and there are instructions and tutorials for every occasion. Moreover, with the advent of the Windows Subsystem for Linux, many of the same Kali tools can be run directly on Windows. Our incident responders, for example, use this to look for traces of compromise on affected computers.
At the same time, there is a huge variety of Linux distributions, and alongside the many throwaway BolgenOS-style builds there are projects with their own vision, distinctive features and active support which, unlike Kali Linux, are unknown even to some experienced pentesters.
Parrot is based on Debian and is similar in concept to Kali Linux, but offers more pre-installed software for “peaceful” everyday use. However, there are enough specialized utilities inside: the distribution kit includes more than 600 tools for Red and Blue Teaming, grouped in a menu by purpose.
Parrot is available as VirtualBox, Parallels and VMware images and runs in virtual machines on Apple M1 Macs. The OS can also be deployed in a Docker container. It supports a forensic mode that leaves no traces on the host system. Although Parrot is less popular, it is not inferior to Kali in terms of ease of use.
BlackArch stands out for its huge library of specialized applications. The project repository currently contains 2812 tools, and it can take more than a day just to study the list.
This is both a plus and a minus of the project. On the one hand, there are utilities for every occasion; on the other, many programs in the BlackArch repository duplicate each other's functionality. And although the tools can be installed one by one or in groups, the operating system is still heavy and does not run quickly on every computer. In addition, novice users complain about a complex interface, poor documentation and a lack of video tutorials. Bottom line: BlackArch is harder to use than Kali or Parrot.
Pentoo is a LiveUSB distribution with a set of pre-configured tools and a kernel modified for Wi-Fi network attacks. It is based on Gentoo Linux, so it gives you low-level OS tuning experience and lets you dig into the nuances of compiling software for hacking and reverse engineering. It has been under development since 2014, despite an almost complete absence of official documentation.
Bottom line: Pentoo feels like a tool for academic research and experimentation rather than everyday work. In practice, this OS is intended for users who already know the parent distribution well.
The developers of Fedora maintain many specialized distributions, including a security build. According to Joerg Simon, the creator of Fedora Security Lab, this version of the OS appeared as a training and demonstration platform for lectures on information security.
Fedora Security Lab runs from a USB drive and saves software and work results to it. Most importantly, it comes with tutorials and a well-documented Fedora Security Lab Test Bench, where you can legally hone your hacking skills.
BackBox has been around since 2010, and this summer it received its 8th, updated version, codenamed "Sara", which brought a fresh kernel (Linux 5.15) and a reworked UI based on the XFCE desktop. Conceptually, this distribution is aimed at beginner pentesters and security professionals. All pre-installed programs are systematized and selected so as to avoid redundancy. Functionally, BackBox is poorer than Kali Linux, but it may well come in handy for novice researchers.
This project is being developed with the support of the OWASP Foundation. Samurai is a platform for the rapid deployment of training targets such as the Juice Shop. Samurai includes a set of popular pentesting tools (Maltego and Fierce, w3af and Burp Suite, etc.) and a wiki for writing pentest reports.
SANS Investigative Forensic Toolkit is a digital forensics distribution created by Rob Lee in 2007 for the SANS FOR508 course. Since then, many SANS training courses have been built around it. SIFT Workstation supports 14 forensic evidence image formats, from AFF (Advanced Forensic Format) to qcow.
This OS is based on Ubuntu and is installed either on top of an existing Ubuntu system or as a virtual machine. The developers of the distribution also declare official support for the Windows Subsystem for Linux on Windows 10.
The SANS Institute has been the birthplace of more than one specialized Linux distribution. REMnux came about with the assistance of Lenny Zeltser, author of the SANS FOR610 course on reverse engineering malware. Accordingly, REMnux is focused on the forensic analysis of malware: it provides tools for static and dynamic code analysis and memory forensics, all bundled into a complete package of the necessary utilities.
REMnux is also positioned as a standalone Linux distribution and is installed either as a virtual machine or container, or on top of Ubuntu. Moreover, it is installed without any problems along with SIFT Workstation. The creators of both distributions claim that their builds work correctly in tandem.
CommandoVM was officially presented at the beginning of 2019 at Black Hat Asia Arsenal. It can hardly be considered a full-fledged operating system: CommandoVM is a set of configuration scripts that prepares a Windows 10 virtual machine for offensive operations using the Chocolatey package manager, Boxstarter and MyGet. This stack lets you update the contents of the OS automatically and centrally, much like in Linux.
Mandiant, which supports the development of CommandoVM, positions it as a platform for conducting internal penetration tests and for working with Active Directory. However, CommandoVM also allows you to run Kali Linux via WSL, so its potential scope is wider. Incidentally, VcXsrv, an X server for displaying the Kali Linux graphical interface on the Windows desktop, is integrated into CommandoVM.
Mandiant has other projects for specialized Windows-based distributions. FLARE VM is inspired by Kali Linux and REMnux and combines tools for penetration testing, reverse engineering and malware analysis. This set of scripts deploys debuggers, disassemblers, decompilers, utilities for static and dynamic analysis and application vulnerability assessment, plus tools developed by the FLARE team such as FLOSS and FakeNet-NG.
ThreatPursuit VM, in turn, is designed for analysts and is focused on intelligence, analytics, statistics collection and threat search and modeling.
This Linux variant appeared as part of Trace Labs, a crowdsourced project for finding missing people. It was created so that new researchers could get involved quickly, so it provides a ready-made set of basic tools and scripts for open source intelligence with a focus on people search. It is built on the Kali Linux live-build-config.
Another Ubuntu-based Linux distribution, this time focused on digital forensics, malware analysis and open source intelligence and, interestingly, computer vision research. It debuted at the AvTokyo security conference in 2018.
Tsurugi Linux is focused on ease of use: pre-installed programs in the menu are grouped by stage of investigation, and built-in profiles allow you to switch between sets of utilities for forensics and OSINT. It is distributed under the GNU license, but some of the tools included in it are not open source.
CSI LINUX is a cross between Tsurugi and SIFT Workstation. This distribution incorporates more than 175 tools for cyber investigations, forensics, and the collection and recording of evidence. It is based on the Ubuntu 22.04 LTS server edition and passes all traffic through Tor, much as Tails does, but at the same time CSI LINUX can be connected to the Whonix gateway.
One feature of this distribution that similar builds lack is how it helps structure information. Using the CSI Case Management utility, the operating system automatically collects the results of running tools and sorts them into the appropriate folders, sparing the researcher a lot of routine work.
A platform for network security monitoring, log management and threat hunting in corporate networks. It lets you quickly deploy monitoring, collect alerts from hundreds of network nodes and analyze the received data. It includes tools such as Elasticsearch, Logstash, Kibana, Stenographer, CyberChef, NetworkMiner, Suricata, Zeek, Wazuh, the Elastic Stack and many more.
Bonus: Operating Systems for Personal Cybersecurity
Most of the operating systems in this category have already been written about repeatedly on Habr, but privacy and anonymity are becoming ever more relevant, so these solutions deserve one more mention.
Linux Kodachi is a pre-configured Ubuntu-based distribution that forces all system-generated traffic through a VPN and then Tor in series, ships a suite of privacy protection tools (VeraCrypt, zuluCrypt, KeePassXC, metadata anonymization utilities, etc.), and offers an emergency wipe of data from the computer.
Septor is similar to Kodachi in concept, but appeared relatively recently and relies more heavily on the Tor network.
Tails OS is a distribution secured by booting from removable media and discarding data after each reboot. It is poorly suited to everyday work, but it allows you to work on untrusted computers and leaves no traces on their hard drives. An old but still relevant review of it was published on Habr.
Whonix is a pair of Debian-based virtual machines with advanced protection against network attacks aimed at deanonymizing the user.
Qubes OS is a hypervisor-based operating system that promotes the concept of security through isolating absolutely everything in dedicated containers. It has a complex and interesting architecture. This operating system has a competitor, Subgraph OS; however, that OS is being reworked and is not currently available for download from the official website.
GrapheneOS is an Android-based mobile operating system designed for Google Pixel smartphones. Its important difference from the numerous custom builds and AOSP derivatives is working verified boot of the operating system with the user's own signing keys. This feature allows you to re-lock the bootloader after installing the OS and thus closes many attack vectors that require physical access to the smartphone. In addition, GrapheneOS pays a lot of attention to fixing known vulnerabilities and improving privacy: for example, it uses a hardened libc and a hardened malloc memory allocator, and its SELinux and seccomp-bpf policies are tightened.
Kali Linux is not the only option. As you can see, there are many specialized distributions designed for information security specialists, and it is unlikely that anyone thoroughly knows the features of every one of them. Write in the comments if you would like to read a professional review of one of these projects, and maybe I can persuade our pentesters to work with it.