Review: Linux Security Distributions

Where once Linux was relegated to long-bearded gurus sitting atop servers bathed in the dull glow of fluorescent lighting, today it's much more hip and found in one form or another in most enterprises, even on the desktop, not to mention that it underpins the net as we know it today.

It's kinda useful. But it's also inherently flexible, versatile and extensible and you can now download Linux distributions tailored for everything from office desktops and embedded computing to education and science. And, of course, security.

In fact, there are a surprisingly large number of security-oriented distributions that can form part of any CSO or staff toolkit, depending on what you want to accomplish.

Here's our take on some of the more well-known options.

NST - Network Security Toolkit

Based on: Fedora
Current version: 18 SVN:4509

Based on the Fedora Core distribution, the Network Security Toolkit is a bootable live-CD that rolls the most popular open-source security applications into one neat package. Its list of tools is extensive and includes Wireshark (the popular protocol analyser), Etherape (graphical network browser), Ettercap (packet sniffer for man-in-the-middle attacks), AirSnort (WEP key cracker, though you should note this has been superseded by others like Aircrack-ng), and Angry IP scanner (find live hosts and determine basic data about them) among many others. It also sports a nifty geolocation plotting tool to map IP data, trace-route results, and even active connections.

Unfortunately the interface isn't terribly intuitive, and although based on the slick Gnome 3.0 graphical desktop, doesn't make it easy to find and launch the plethora of programs on offer—the Search field will let you filter for programs, but if you haven't used them before and don't know what to look for, this isn't all that helpful. You can, however, browse all programs by clicking on Activities followed by Show Applications; it's not pretty but it works.

NST is flexible in that it can be set up as a network monitor, network scanner and traffic analyser, virtual system service server, wireless network monitor or intrusion detection system. And while the live-CD can be used stand-alone and booted from a USB key on any machine, the distribution can also be installed to a hard drive and updated for more permanent duties.

NetSecL OS

Based on: OpenSUSE
Current version: 4.0

NetSecL is interesting for a number of reasons: beyond its focus on security, it's been built using SUSE's appliance studio—a brilliant web-based interface to literally roll your own customised distribution. You can even launch distributions live in the browser for testing before downloading a custom ISO.

As a result NetSecL OS can be obtained from the NetSecL OS homepage, or directly from SUSE Studio. It is, however, not quite as polished as other distributions covered here, dumping a lot of the penetration testing tools into a folder structure for you to explore and figure out. It does, though, include a good selection of programs including those designed to be used against Oracle and CISCO products.

Apart from these, other staples seen in other distributions covered here include Wireshark, Metasploit, Zenmap, and Etherape.

Unique to NetSecL OS among our selection here is that it also includes DOSBox, for running DOS programs, as well as Wine (Wine Is Not an Emulator) for running Windows programs natively. These could certainly prove useful for older DOS tools or more familiar Windows ones that you regularly use, though it's worth noting Wine isn't bullet-proof and not every program is guaranteed to run (but considering it's a collection of reverse-engineered Windows .dlls that run natively on Linux, it's nonetheless impressive).

On first glance NetSecL OS isn't as easy to use as other products we've looked at here nor is it as extensive, but it has its own unique toolsets and you may find it apt to your cause. Incidentally, since it's not immediately obvious from the homepage, the password for the default login is 'linux'.


WiFiSlax

Based on: Slackware
Current version: 4.4.3

WiFiSlax is, not surprisingly given its name, based on the Slackware distribution and bundles a range of security and forensic tools optimised not just for WiFi penetration and testing but general network security as well.

Some of the wide range of tools include WireShark (previously mentioned), WiFi Radar (find nearby devices), Hydra (network password cracker), Zenmap (GUI for the popular NMap port scanner), the bmon signal analyser, the aptly named MACchanger MAC address changer, and a host of utilities for WPA and WPS password cracking and protocol attacking.

The desktop interface is based on KDE, making it familiar for both Windows and Linux users alike, and includes more traditional desktop software such as browsers (Firefox and Konqueror), multimedia playback tools, torrent clients, and text editors. It also includes updating scripts to keep the less traditional penetration and cracking utilities not usually found in Slackware's repositories up-to-date.

WiFiSlax is a Spanish distribution so if you intend to browse the homepage, Chromium and its auto-translate function will be useful—the download ISO and software itself however still sport English menus. Aside from a live-CD, a pre-installed Virtualbox image can also be downloaded.

WiFiSlax is unique in that—beyond the inclusion of wifi-based security testing and penetration tools—its kernel is also updated with various unofficial drivers to ensure it supports the widest array of wifi hardware out of the box. It doesn't get better than this when it comes to testing and debugging the security of your wireless networks.


Backbox

Based on: Ubuntu
Current version: 3.05

Compared to some of the other distributions covered here Backbox looks and feels slick. Based off Ubuntu, the world's most popular desktop Linux distribution, it inherits an Xfce-based (lightweight, low-resource usage) desktop and Ubuntu's package management and auto-update system.

Billed as the ultimate penetration testing, incident response, and forensic analysis tool it certainly goes a long way to fulfilling this with a veritable playground of security-focused apps. These include Aircrack-ng (wireless WPA/WPA2 cracking), ophcrack Windows password cracker, ZAP (the Zed Attack Proxy for web app penetration testing), W3AF application attack and audit framework, Skipfish site vulnerability probing, and protocol tools like tcpdump, Ettercap and Wireshark. It also bundles a range of forensic apps, stress testing tools, and social and reverse engineering programs such as the widely-popular Websploit.

In addition to these, standard desktop apps are included, with everything from Firefox and LibreOffice to XChat IRC and VLC, making it quite flexible as a workbench when testing. By far Backbox's key advantage is its great interface and clearly organised toolsets (13 categories in all that cover vulnerability assessment, privilege escalation, exploits, social engineering, forensic analysis and documentation and reporting among others).

We've covered version 3.01 of Backbox previously; this latest version sports faster performance, improved WiFi drivers, support for the latest 3.8 kernel, and updated hacking tools.

Kali Linux

Based on: Debian
Current version: 1.02

Kali Linux is described as an 'offensive security project', as well as 'the most advanced penetration testing distribution, ever'. Bold words, so does it deliver?

On first glance it's certainly got the image: Kali boots into a clean Gnome 3.0-based desktop and neatly separates its penetration testing tools from the stock Debian distribution programs. These include its 'Top 10' security tools which encompass Aircrack-ng, Hydra, Wireshark and Metasploit among others as well as a veritable shopping mall of other security and testing programs categorised under Information Gathering, Vulnerability Analysis, Password Attacks, Wireless Attacks, Sniffing and spoofing, Exploits, Reverse engineering and Hardware hacking to name a few. Notables in here include the pyrit GPGPU (that is, graphics-card accelerated) password cracker, sets of tools for both Android and Arduino, and forensic programs for networks and RAM.

It also bundles a selection of programming tools including an IDE for Arduino, as well as the standard apps like VLC for media playback, the IceWeasel browser (essentially, re-branded Firefox), and TrueCrypt for encryption.

Kali can be downloaded as a live-CD ISO, a VMware appliance, and for a range of embedded solutions including Samsung's Galaxy Note 10.1 tablet and the Raspberry Pi. Alternatively, though you need more extensive experience with Linux, you can edit Kali's build scripts to create your own customised version of Kali with just the specific tools and services you need.

With its own regularly-updated repositories, a simple yet effective interface, vast range of tools and platform flexibility it's easily one of the better security-focused distributions covered here.


Pentoo

Based on: Gentoo
Current version: 2013 RC 1.1

Pentoo is a penetration-focused distribution based off Gentoo (hence the name), a flexible source-based distribution that compiles programs from source-code to your specific requirements.

In much the same vein as its Gentoo base, Pentoo actually drops you to the command-line on first boot enabling you to start work sans GUI, which can be especially helpful on memory-constrained machines. Launching the GUI is just a matter of typing 'startx' to run the X Window Manager and load the default desktop environment: in this case the lean and fast Xfce.

Also bundled is a MacOS-X-like dock for the essentials of launching a terminal, file manager or the web browser. And, like the other distributions covered here, it combines a large number of tools to test and gauge the security of your network, covering everything from wireless cracking and data forensics to Bluetooth vulnerabilities and even VoIP exploits. It also bundles CUDA/OpenCL (aka GPGPU) enhanced cracking software for accelerated vulnerability analysis.

Like other live-CDs, Pentoo can also optionally be installed to a hard drive and, if required, basic desktop tools are included for office, email and instant messaging. On the whole it isn't quite as slick as something like Backbox, though its default desktop background is more amusing, but it is security hardened, fast (something Gentoo is known for), and easily challenges Backbox and Matriux for the huge range of tools on offer.

Matriux Linux

Based on: Debian
Current version: 2.49 Beta

The Ec-centric release of Matriux boasts over 300 tools you can use for penetration testing, security auditing, system and network management, vulnerability analysis, forensic investigation, and 'ethical' hacking.

Much like Kali Linux, Matriux is built upon Debian and sports a Gnome-classic desktop with a cliché dark theme replete with its own icon sets. Tools are broken down under an appropriately named 'Arsenal' sub-menu and include popular stalwarts like Etherape, Wireshark, Zenmap, WiFi Radar and Aircrack-ng along with some lesser known entries such as Bluetooth and VoIP tools, website exploits, smartphone penetration tests, a selection of debuggers and even a steganography program to hide and share data.

It also makes the interesting choice in the bundling of Mantra, a security-focused fork of Firefox that includes dozens of security-minded plugins covering everything from geolocation and code inspection through to proxies and penetration testing. It's actually quite impressive, and you should certainly go through your public-facing website pages utilising its range of analysis and exploit plugins to see just how your site stacks up.

The distribution itself is also security-hardened and includes its own custom kernel, while updates can be had through Debian's package management system.

Matriux is certainly one of the more comprehensive distributions out there, with its breadth of tools reflected in the download of the live-CD -- in fact, calling it such is a bit of a misnomer when it weighs in as a 3G ISO image!

Another one for which the password is not immediately evident: to log in to the live-CD as the Matriux user, enter the password 'toor', and have fun exploring.


REMnux

Based on: Ubuntu
Current version: 4.0

REMnux is included here as security focused but with a slightly different mandate: its goal is to assist in the reverse-engineering of malware. It does however still include security-focused tools such as Wireshark while its version of Firefox is automatically configured for website analysis.

Unlike the other distributions here, it comes with an excellent cheat-sheet for new and experienced Linux users alike in making use of all the tools included, explaining how to start analysing network malware, examining malicious websites, and scanning suspicious executable and document files. In fact it has everything you need to analyse Microsoft Word doc and PDF infections, perhaps helping you track down the source of an exploit that's entered your network.

Wine is also bundled to allow for running Windows programs and, naturally, assist in determining the nature of any Windows-borne intrusions.

REMnux's focus means it bundles fewer security-focused tools than some of the other products covered here, but it's also a smaller download and comes pre-configured as a virtual appliance in both the OVF/OVA and VMware formats, in addition to providing a live-CD ISO. Using REMnux combined with one of the other distributions we've looked at here, all your bases will be covered.

Distribution primer

If you're unfamiliar with the wide and diverse ecosystem of Linux distributions, here's a quick primer on the core ones that the security distributions we covered here are based on. Put another way, all of these security-focused versions of Linux are derivatives in one form or another of the following well-known Linux distributions.

Building task-specific distributions this way is one of the key advantages of Linux and open source—taking an appliance and changing it to suit a particular need. Doing so not only provides a stable platform on which to build, but often provides access to the wealth of software packages for that base distribution as well. For example Kali Linux is based on Debian, so any packages from the Debian repositories can be installed in addition to those provided by Kali Linux.


Debian is one of the earliest and oldest Linux distributions. Its focus has always been consistency and stability, and as a result many other distributions are based on it, including a good chunk of the more popular server-based appliances. However, this same focus often sees it as slow to adopt new versions of packages (in order to ensure stability through thorough testing) and so other distributions often build on it with more up-to-date programs. This is ostensibly how Ubuntu began, which is also based on Debian and is now the world's most popular desktop distribution.


Fedora is an official fork of the Red Hat distribution, also one of the oldest Linux distributions. While initially community-driven, Red Hat has since evolved into one of the world's most well-known enterprise Linux platforms, and remains so today. Fedora is somewhat of a return to the community-driven model and is both a playground for new software and officially endorsed and supported by Red Hat. While Red Hat is enterprise-focused, many desktop-focused distributions use Fedora as a base.


Gentoo popularised the source-based distribution many years ago, a system by which software is packaged not as binaries but as source-code that is compiled real-time when a package is installed. On the one hand this makes installing software slower, but on the other it gives full control over how a program is configured, while also allowing the compiler to use optimisations like platform-specific code, which frequently provides a performance boost (as opposed to generic binaries designed to run on the widest range of hardware).


SUSE Linux is the most popular Linux distribution in Europe, and with good reason. Its excellent package management tools and pioneering projects like SUSE Studio have seen it not only dominate the other side of the globe but also spawn a great many distributions that use it as a base. As with Red Hat and its community-driven Fedora fork, OpenSUSE is the community-managed version of SUSE Linux, the primary competitor to Red Hat in the enterprise for Linux and open-source software.


Slackware is often spoken about in hushed tones of reverence, for it was essentially the first mainstream Linux distribution, bundling a wide range of programs beyond just the kernel and basic utilities, and was first released almost 20 years ago. And while it's a niche distribution today, it's unique in that the project is still led and maintained by its original author.


If you haven't heard of Ubuntu then you're probably in the wrong industry. Built by Canonical, a company founded by South African billionaire Mark Shuttleworth, Ubuntu first popularised Linux for the average user with its desktop-focused ease-of-use distribution. However, it has since expanded into the enterprise space, built its own cloud-storage and iTunes-competing music store, and is soon to release a phone operating system to go up against Android and iOS. Literally, Ubuntu means 'humanity to others'.