Top 5 Linux Penetration Testing Distributions

June 11, 2017

Linux penetration testing distributions are useful and versatile tools that can help you to get the most out of your Linux system while simultaneously avoiding the malicious threats of the internet. Of course, the reason for using a Linux pen testing distribution may seem obvious to anyone who understands what penetration testing is or performs security auditing professionally, it’s often less clear to people outside of the security industry that a wealth of open source tools exist to help them perform there own security testing.

As usual with Linux there is plenty of choice! With plenty of penetration testing distributions out there to choose from, this can prove challenging for beginners or people who are from outside the security industry. Overall the standard of Linux distros has increased over the years, in the beginning these distros were essentially Linux live cd’s with scripts / precompiled binaries dropped in a directory. Today distros like Kali are setting the standard, all scripts and tools are packaged and updated using the Debian distributions package manager.

However, with great choice, comes a great level of… indecisiveness 🙂

Narrowing down your decision and uncovering the best distro for the job can present some real difficulties.

Fortunately, we’re here to help. In this list, we’ve compiled what we believe to be some of the best options available today to help you get the most out of your security auditing.

Kali Linux (Authors Choice)

Kali Linux Penetration Testing Tools

Developed by Offensive Security, Kali Linux is the rewrite of BackTrack and has certainly earned its place at the top of our list for its incredible capabilities as an operating system to aid in hacking purposes. This OS is a Debian-based system that features over 500

Pen testing applications and tools already installed. This gives you an impressive start on your security toolbox and leaves little room for you to want more. The flexible tools it comes with are updated on a regular basis, metasploit framework is a packaged install and kept up to date by Rapid7 directly. Kali supports many different platforms, including VMware and ARM. Additionally, Kali Linux is also a workable solution for computer forensics, as it includes a live boot feature that offers the ideal environment to detect vulnerabilities and take care of them appropriately.

In addition, Kali Linux has also just released a new version—of which we’re thoroughly impressed, and think you will be too. Kali Linux 2017.1 brings new exciting features and updates in comparison to older versions and other options. Updated packages, better and increased hardware support, and countless updated tools. If you want to be completely up-to-date and have the best of the best in terms of your Linux penetration testing distro, then you might like Kali Linux’s new release as much as we do.

Parrot Security OS

Parrot Linux Penetration Testing Tools

Parrot Security OS is another one of our top choices when it comes to selecting the right Linux penetration testing distribution for your needs. Like Kali Linux, it’s another Debian-based OS option that packs a lot into its programming. Developed by the team at Frozenbox’s, Parrot Security is an option that’s cloud-friendly. The operating system is designed to specialize in ethical hacking, computer forensics, pen testing, cryptography, and more. Compared to other OS options on the market for these purposes, Parrot Security OS is a lightweight operating system that offers the utmost efficiency to users.

Parrot Security OS is the ideal blend of the best of Frozenbox OS and Kali Linux. Moreover, this incredibly customizable operating system is ideal for hacking and comes with a strong support community. If you run into trouble, this is one of the most user-friendly options when it comes to finding a right solution to get the OS to help you accomplish your goals.

Backbox

Backbox Linux Penetration Testing Tools

Backbox is our favorite Linux operating system for penetration testing that is not Debian-based. This is an Ubuntu-based operating system ideal for assessing the security of your computer and conducting penetration testing. Backbox Linux comes with a wide array of options in the way of security analysis tools, which can be applied for analysis of web applications, networks, and more. As a fast, easy to use, and efficient operating system, Backbox Linux is famous in the hacker’s community. The OS includes a complete desktop environment with software applications that are updated on a regular basis, always keeping you up to date and supplied with the most stable versions of all your most important programs.

If you are big on penetration testing and security assessment, then you will be happy to hear that these are exactly the things that Backbox’s OS specializes in. As one of the best distro in its field, Backbox always has its sights set on the best known ethical hacking tools and is always providing users with the latest stable versions available of an impressive array of tools for network analysis. The interface is designed with the goal of minimalism, and utilizes a XFCE environment for its desktop. The result is an effective, fast, customizable, comprehensive user experience with a helpful support community to back it.

BlackArch

If you are an ethical hacker or a researcher looking for a complete Linux distribution to cater to all your needs, then BlackArch Linux just might be the penetration testing distribution you want to set your sights on. The design was originally derived from Arch Linux, and users also have the option and capability to install the BlackArch Linux components over the top of it.

BlackArch, as an operating system, offers users over 1400 tools to use that are thoroughly tested prior to being added to the OS’s arsenal of tools and codebase. In addition, the developers are in a constant process of increasing the system’s capabilities, which is giving it a reputation that allows it to sit at the cool kid’s table of operating systems for hacking purposes. Even more good news about this distro? The list of tools groups, and tools contained within those groups, is constantly growing. Not only that, but if you are already a user of Arch Linux, you can set up the BlackArch tools collection on top of it to get the most out of your OS.

Fedora Security Spin

Fedora Security Spin - Pen Testing Tools

Fedora Security Spin was designed to be a variation of Fedora that is designed specifically for security testing and auditing. In addition, it can also be used for the purposes of teaching. This distro is designed to provide students and teachers alike with the support they need during learning or practicing security methodologies involving web application security, information security, forensics analysis, and more.

This just goes to show that not all Linux penetration testing distributions are made equal and there’s no one-size-fits-all answer when it comes to determining the best one on the market. If you’re more into the ethical hacking side of things, then you may find that Kali Linux or Parrot Security OS is more your style. However, if you are teaching others or still in the process of learning, or if you are more interested in forensics analysis than hacking, then you can’t go wrong with Fedora Security Spin.

The Verdict

We know there are plenty of options for you to choose from when it comes to choosing the best Linux penetration testing distributions. While this is by no means a comprehensive list and there are plenty of other admirable programs out there worthy of a shout out—Pentoo, Weakerth4n, and Matriux, to name a few—these are our favorites distros available today. After thorough trial and testing, although the list of operating systems worth their salt goes on and on, they are certainly not all made equal.

If you’re looking for the best of the best in terms of your penetration testing distro for your Linux system, you can’t go wrong with any of the top 5 we’ve included on our list. To narrow down your choice to the one and only match made in heaven that’s right for you, we recommend asking yourself the following questions:

What do I want to accomplish with a penetration testing distro?
What features do I need from a penetration testing distro to help me accomplish my goals?

Whether you are an aspiring information security expert, have already earned that title, or if you’re just looking to delve into the field to see what it can do, finding a decent Linux operating system that complements your goals is a necessity. Depending on your purposes, there are countless options for you to choose from, which is why it’s important to keep your goals in mind and narrow your options to those that will be able to help you accomplish your purposes.

The list we’ve compiled here, however, has something for everyone. Regardless of what you’re looking for, we’re confident that you will be able to find one that suits your needs. After a bit of research on each, you should find that one is standing out from the crowd in no time—and that will likely be your ideal Linux penetration testing distribution.

Internet of Things – The Next Gen Tech

Kelvin Smith

June 10, 2017

Ready for the next gen tech? The next gen tech is going to surprise us with new innovations. With it flourishing globally, the Internet and its peripherals have come to a long way since last 20 years. Starting from the modem dial-up on demand to broadband, then to Web 2.0 and a 4G mobile internet of today. It has continued to drive in new trends for all. BUT, since change is the only thing that’s constant, we wonder what’s next?

You accept or reject it, but the world is evolving speedily towards a perfect world where everything will be connected to the Internet. Every one of us is eagerly waiting for the next big thing that will change our life to a great extent – ‘Internet of Things’ (IoT). Yes, it’s the one that has already been quite familiar to us but it’s going to comfort our living further.

Let’s try to understand what exactly the ‘Internet of Things’ is. In simple terms, it’s the networking of devices and objects used daily, connected via the internet and managed in clusters, with a software. The objects allocated with unique identifiers that can communicate over the network. It’s a belief that networking of daily objects and devices to allow then to receive and send data is not only the next big thing but the biggest enhancement in the world of Internet since its start.

The next question that strikes our mind is what things or devices would be based on IoT? Currently, we all are using some various objects wirelessly – such as the wireless printer, laptop, desktop, tablet, household lights and lamps which can be controlled via the Internet, is nothing but an IoT device. Work is been put into connecting almost everything like the cars, household appliances, city infrastructure (traffic management systems, industry sending data about power usage and waste output a city, etc.), personal electronic devices (personal finance management, nutrition and fitness management, etc.) and industrial machinery, AND controlled via the Internet. Sounds strange! But you will soon see all these things working on automatic networks where no human efforts would be required.

Internet of things will connect an infinite variety of devices and sensors to develop new and innovative future applications. These applications will need support based on elastic, reliable and agile platforms. The Internet of things just can’t be imagined without the cloud computing platforms. It is expected that in the next few years, everything right from clothes to locks and door mats will find their way onto the internet as manufacturers expand their products through Internet connecting them to form IoT. It means there will be loads of data flying around that needs to be processed rapidly for everyone to enjoy the supply of the particular service without running out of stock.

Cloud computing is one of the best platforms to support Internet of things as one will need to serve the users who can be anywhere and at any time, day or night. There are various data centers managed by cloud hosting providers at different locations that make it perfect for increased analysis. Some cloud providers offer pay-as-you-go service which means that you can expand for peaks and then decrease paying only for the period you used the service. In addition to this, these providers can serve millions of users with their great infrastructure along with providing different products for shared load balancing security and so on.

The collaboration of both, cloud as well as IoT, will also help in lifting the startups from the ground-zero without inputting upfront capital in the resources toward infrastructure. Also, companies will be able to research on accurate data that will predict consumer preferences and behavior. With these insights, manufacturers or retailers will be able to define customized special solutions for the particular audience and deliver it to their smartphone during shopping. We can expect nothing less that miracles from cloud computing in order to promote real-time data access.

Are you thinking that you aren’t into IoT yet? Then look around and you will be surprised to find there are many devices – from gas pumps to washing machines that can access and transmit data over the Internet. The ATM is the perfect example of IoT. Even our smartphones make a part of an IoT. So, let’s prepare ourselves to embrace the Internet of Things that will take off your life to luxury and happiness.

This Week in Open Source News: Toyota Picks AGL for 2018 Camry, Raspberry Pi Vulnerability & More

The Linux Foundation

June 9, 2017

This week in open source and Linux news, Toyota’s 2018 Camry to feature Automotive Grade Linux (AGL) infotainment system, older Raspberry Pis risk vulnerability without updating, and more. Read on!

1) Toyota has adopted the Automotive Grade Linux (AGL) platform for its infotainment systems. The 2018 Toyota Camry will be their first vehicle to have it preinstalled.

Toyota Moves to Automotive Grade Linux for Infotainment – BlackBerry Hits Back– IoTNews

2) Older Raspberry Pi devices may be more vulnerable to the malware if they haven’t been updated in a while.

Linux Malware Enslaves Raspberry Pi to Mine Cryptocurrency– ZDNet

3) Toyota’s decision not to offer Apple CarPlay or Andriod Auto, favoring a Linux system. What will this mean for proprietary software fans?

Toyota owners to get Linux system instead of Apple CarPlay, Android Auto. Hooray?– The Car Connection

4) “[Red Hat Summit & OpenStack Summit] brought unique open source perspectives as a business and as a community.”

Red Hat Summit And OpenStack Summit: Two Weeks Of Open Source Software In Boston– Forbes

5) Eric S Raymond has brought back Colossal Cave Adventure as an open source program.

One of the First Computer Games Is Born Again in Open Source– ZDNet

Understanding Linux Links

Jack Wallen

June 9, 2017

Linux is, without a doubt, one of the single most flexible operating system platforms on the planet. With the flagship open source ecosystem, there is almost nothing you cannot do. What makes Linux so flexible? The answer to that question will depend on your needs. Suffice it to say, the list of answers is significant and starts from the kernel and works it way out to the desktop environment. This flexibility was built into the operating system from the beginning, borrowing quite a lot of features from UNIX. One such feature is links.

What are links? I’m glad you asked.

Links are a very handy way to create a shortcut to an original directory. Links are used in many instances: Sometimes to create a convenient path to a directory buried deep within the file hierarchy; other uses for links include:

Linking libraries
Making sure files are in constant locations (without having to move the original)
Keeping a “copy” of a single file in multiple locations

But aren’t these just “shortcuts”?

In a way, yes…but not exactly. Within the realm of Linux, there’s more to links than just creating a shortcut to another location. Consider this: A shortcut is simply a pseudo-file that points to the original location of the file. For instance, create a shortcut on the Windows desktop to a particular folder and, when you click that icon, it will automatically open your file manager in the original location. On Linux, when you create a link in Linux, you click on that link and it will open the link in the exact location in which it was created.

Let me explain. Say, for instance, you have an external drive, attached to your Windows machine. On that drive is a folder called Music. If you create a shortcut to the directory on your desktop, when you click to open the shortcut, your file manager will open to the Music directory on your external drive.

Now, say you have that drive attached to a Linux machine. That drive is mounted to, say, /data and on that drive is the folder Music. You create a link to that location in your home directory—so you how have a link from ~/Music that points to /data/Music. If you open the shortcut in your home directory, it opens the file manager in ~/Music, instead of /data/Music. Any changes you make in ~/Music will automatically be reflected in /data/Music. And that is the big difference.

Types of links

In Linux there are two different types of links:

Hard links
Symbolic links

The difference between the two are significant. With hard links, you can only link to files (and not directories); you cannot reference a file on a different disk or volume, and they reference the same inode as the original source. A hard link will continue to remain usable, even if the original file is removed.

Symbolic links, on the other hand, can link to directories, reference a file/folder on a different disk or volume, will exist as a broken (unusable) link if the original location is deleted, reference abstract filenames and directories (as opposed to physical locations), and are given their own, unique inode.

Now comes the fun part. How do you work with links? Let’s find out how to create both hard and symbolic links.

Working with hard links

We’re going to make this very simple. The basic command structure for creating a hard link is:

ln SOURCE LINK

Where SOURCE is the original file and LINK is the new file you will create that will point to the original source. So let’s say we want to create a link pointing to /data/file1 and we want to create the link in the ~/ directory. The command for this would be:

ln /data/file1 ~/file1

The above command will create the file ~/file1 as a hard link to /data/file1. If you open up both files, you will see they have the exact same contents. If you alter the contents in one, the changes will reflect in both. One of the benefits of using hard links is that if you were to delete /data/file1, ~/file1 would still remain. If you want to simply remove the link, you can use the rm command like so:

rm ~/file1

Working with symbolic links

The command structure for symbolic links works in the same manner as do hard links:

ln -s SOURCE LINK

The primary difference between hard and symbolic link creation, is that you use the -s option. Let’s create a symbolic link from ~/file2 to /data/file2 in similar fashion as we did above, only we’ll create a symbolic link, instead of a hard link. Here’s how that would be accomplished:

ln -s /data/file2 ~/file2

The above command will create a symbolic link from ~/file2 to the original location /data/file2. If you update the file in either location, it will update in both.

It is also important to note that you can use symbolic links for directories. Say, for instance, you have /data/directory1 and you want to create a symbolic link to that directory in ~/. This is done in the same way as creating a link to a file:

ln -s /data/directory1 ~/directory1

The above command will create the link ~/directory1 which points to /data/directory1. You can then add to that directory from either location and the change will reflect in both.

To see the difference between how each type of link looks from a terminal window, issue the command ls -li. You will see how each is represented with slight variation from one another (Figure 1).

Figure 1: Both hard links and symbolic links represented in the terminal window.

One interesting thing of note is how inodes are treated by way of the different types of links. In Figure 1, you can see that the inode (string of characters in the first column) for the hard links are the same, whereas the inodes for the symbolic links are different. This can be further illustrated by removing the original location of the symbolic link. When you do that, the soft link goes away (although the broken referral link file remains behind). Why? The reference inode the symbolic link pointed to no longer exists.

Unlike with hard links, if you delete the original file or directory, the symbolic link will remain, however it will now be considered a broken link and will be unusable. Remember, with hard links, you can remove the original and the link will remain and still be usable.

Learn more

Of course, you’re going to want to know more about using links. If you issue the command man ln, you can read the manual page for the ln command and gain an even more in-depth understanding as to how links work.

Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.

Opening Up the Way to Industry Transformation

Global Telecoms Business

June 9, 2017

Heather Kirksey leads the OPNFV community that is changing the way the telecoms industry innovates and the way it works. She talks to Alan Burkitt-Gray.

There’s a deep cultural change rolling through the industry. The way things have been done for the past century and a half – with vendors and operators doing their own R&D and competing vigorously – is being replaced by a new spirit of collaboration. At the heart of this is the move to software-defined networks (SDN) and network functions virtualisation (NFV) – two abbreviations that mean, in short, using IT industry-standard hardware in the network with software to define and run the services.

And leading the move is an organisation called Open Platform for NFV (OPNFV), whose director for the past two years has been Heather Kirksey.

Five Tips on Building Serverless Teams in an Enterprise

The New Stack

June 9, 2017

Streaming video provider Toons.TV — owned by Finnish enterprise Rovio Entertainment and most famous for its Angry Birds cartoon series — has amassed some 8.5 billion streaming views in the past four years. Marcia Villalba, Full Stack Developer at Rovio Entertainment spoke at the recent Serverlessconf conference in Austin to discuss how her team reoriented towards a serverless approach to meet these challenges and to speed up their backend systems.

And much like a game of Angry Birds itself, the challenge of implementing serverless in the enterprise can be seen as a source of frustration or as a challenge to reach the next level. Here are some of the lessons she picked up on the way:

You Are Not Google

Bradfield

June 9, 2017

Software engineers go crazy for the most ridiculous things. We like to think that we’re hyper-rational, but when we have to choose a technology, we end up in a kind of frenzy — bouncing from one person’s Hacker News comment to another’s blog post until, in a stupor, we float helplessly toward the brightest light and lay prone in front of it, oblivious to what we were looking for in the first place.

This is not how rational people make decisions, but it is how software engineers decide to use MapReduce.

As Joe Hellerstein sideranted to his undergrad databases class (54 min in):

The thing is there’s like 5 companies in the world that run jobs that big. For everybody else… you’re doing all this I/O for fault tolerance that you didn’t really need. People got kinda Google mania in the 2000s: “we’ll do everything the way Google does because we also run the world’s largest internet data service” [tilts head sideways and waits for laughter]

10 Critical Skills That Every DevOps Engineer Needs for Success

Tech Republic

June 9, 2017

Enterprises including Adobe, Amazon, and Target are increasingly turning to DevOps as a way to deliver software and security updates more rapidly, both internally and to customers. And the spread of the workflow means there are more DevOps engineer positions available than ever.

DevOps engineer came in at no. 3 on Indeed’s list of best jobs in America for 2017, in terms of salary, number of job postings, and opportunities for growth. These positions grew by 106% in the past few years, Indeed found, and boast an average base salary of $123,165.

Container Technologies Overview

D Zone

June 9, 2017

Containers are lightweight OS-level virtualizations that allow us to run an application and its dependencies in a resource-isolated process. All the necessary components that are required to run an application are packaged as a single image and can be re-used. While an image is executed, it runs in an isolated environment and does not share memory, CPU, or the disk of the host OS. This guarantees that processes inside the container cannot watch any processes outside the container.

The Economics of Software Security: What Car Makers Can Teach Enterprises

Dark Reading

June 9, 2017

Now back to software security. When it comes to embedding software security controls in the software development lifecycle, we may have to stop the car assembly line and incur some up-front cost in terms of changing the way we build software, but over time this cost will be properly amortized into the total cost of development.

Consider that there are two types of security controls available: controls that prevent defects before release and controls that detect defects after release. A good example of a preventive control is secure code review with an automated tool that helps to identify bugs in the source code well before software ships or is put into production. Detective controls identify defects as well, but only after release.