PenTest, Forensics and Rescue Live CDs
Some pentesting live CDs have been updated recently or will be shortly. Time for an overview.
Disclaimer:
- This is only a link collection – I haven’t tried nor tested all the distros myself and I can’t be made responsible if they break something or if they are harmful to you or others in any way!
- Be sure to obey legal restrictions when using the distros. It’s your liability and responsibility! If in doubt ask a lawyer!
Pentesting Distros
- Samurai: http://sourceforge.net/projects/samurai/
- Kali: http://www.kali.org/downloads/
- OWASP Live CD: http://www.owasp.org/index.php/LiveCD
  new download site: http://AppSecLive.org
- S-T-D (security tools distribution): http://s-t-d.org/index.html
- PHLAK: http://sourceforge.net/projects/phlakproject/
- Heorot: http://forums.heorot.net/
- Network Security Toolkit (NST): http://www.networksecuritytoolkit.org/nst/index.html / http://sourceforge.net/projects/nst/
- VAST (VIPER Assessment Security Tools): http://vipervast.sourceforge.net/
- Katana (Kyuzo): http://www.hackfromacave.com/katana.html
- Matriux: http://www.matriux.com/
- NodeZero Linux (formerly known as Ubuntu Pentest Edition): http://www.netinfinity.org/
- NetSecL: http://netsecl.com/
- Backbox Linux: http://www.backbox.org/public/content/about-us
- PenTBox: http://www.pentbox.net
- SECmic: http://sourceforge.net/p/secmic/home/
- Mantra: http://www.getmantra.com/index.html
- Blackbuntu: http://sourceforge.net/projects/blackbuntu/
- Bugtraq: http://bugtraq-team.com/
- ESSPEE – Penetration Testing & Forensics: http://sourceforge.net/projects/esspee/
- Pentoo: http://www.pentoo.ch/
- VulnVoIP (Vulnerable VoIP) – The Fundamentals of VoIP Hacking: http://www.rebootuser.com/?p=1069
- RŌNIN: http://ronin-linux.org/
- Hacking Lab Live CDs: http://media.hacking-lab.com/largefiles/livecd/
- Weakerthan / WEAKERTHAN: http://hr.weaknetlabs.com/
- OWASP STeBB (Security Testing Browser Bundle): http://www.stebb.org
- BlackArch: http://www.blackarch.org/
- IronWASP: http://www.ironwasp.org/
- MobiSec: http://mobisec.professionallyevil.com/
- ArchAssault: https://archassault.org/
- Parrot Security OS: http://www.parrotsec.org/
- pwnOS: http://www.pwnos.com/
- Pentest Box: https://pentestbox.com/
- Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/
- Pentestly: https://github.com/praetorian-inc/pentestly
- new: RedHunt Linux Distribution: https://github.com/redhuntlabs/RedHunt-OS
Forensic / Analysis Distros:
- CAINE (Computer Aided INvestigative Environment, now includes Win-UFO): http://www.caine-live.net/
- Helix: http://www.filecluster.com/System-Utilities/Other-Utilities/Download-Helix.html
- Remnux: http://zeltser.com/remnux/
- Deft: http://www.deftlinux.net
- Santoku: https://santoku-linux.com/about-santoku
- PALADIN: http://sumuri.com/index.php/joomla/what-is-paladin-forensic-software
- Raptor: http://forwarddiscovery.com/Raptor
- Images for CERT exercises: http://www.enisa.europa.eu/activities/cert/support/exercise/images-for-CERT-exercises
- CERT Tapioca: http://www.cert.org/blogs/certcc/post.cfm?EntryID=203 / http://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm
- Digital Forensics Framework (DFF): http://www.digital-forensic.org/downloads/dff
- Dshell: https://github.com/USArmyResearchLab/Dshell
- OpenSOC: http://opensoc.github.io/
Rescue Distros
- SystemRescueCD: http://www.sysresccd.org/
- Parted Magic: http://partedmagic.com/
- Grml: http://grml.org/
- F-Secure Rescue CD: http://www.f-secure.com/en/web/labs_global/removal/rescue-cd
- Linklist: Comprehensive List of 26 Bootable Antivirus Rescue CDs for Offline Scanning: http://www.raymond.cc/blog/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/
- Rescatux: http://wiki.rescatux.org/
Tools Distros:
- Darik’s Boot and Nuke (DBAN): http://www.dban.org/
- Levinux: http://mikelev.in/ux/
- Tails: https://tails.boum.org/
- CrunchBang: http://crunchbang.org/
- Greenbone VM: https://isc.sans.edu/diary/Greenbone+and+OpenVAS+Scanner/16874
- ophcrack: http://ophcrack.sourceforge.net/
Victims
Vulnerable testing images are also available:
- DVL (Damn Vulnerable Linux): http://www.damnvulnerablelinux.org/
- WeakNet Linux: http://weaknetlabs.com/linux/
- DVWA (Damn Vulnerable Web App): http://sourceforge.net/projects/dvwa/
- owaspbwa (Open Web Application Security Project (OWASP) Broken Web Applications Project): http://code.google.com/p/owaspbwa/
- Dojo: http://www.mavensecurity.com/dojo.php
- Badstore.net: http://www.badstore.net/
- Metasploitable: http://blog.metasploit.com/2010/05/introducing-metasploitable.html
- Metasploitable 2: https://community.rapid7.com/docs/DOC-1875
- exploit.co.il Vulnerable Web App: http://sourceforge.net/projects/exploitcoilvuln/
- LAMPSecurity Training: http://sourceforge.net/projects/lampsecurity/
- pwnOS: http://www.pwnos.com/
- Virtual Hacking Lab: http://sourceforge.net/projects/virtualhacking/
- PuzzleMall: http://code.google.com/p/puzzlemall/
- OWASP Bricks: https://www.owasp.org/index.php/OWASP_Bricks
- OWASP Vulnerable Web Applications Directory (VWAD): https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
- Damn Vulnerable IOS application: http://damnvulnerableiosapp.com/
- CySCA2014-in-a-Box: http://cyberchallenge.com.au/inabox.html
- Vuln Hub (meta site): https://www.vulnhub.com/
- bWAPP (Buggy Web Application): http://users.telenet.be/mmeit/bwapp/index.htm
- DVIA (Damn Vulnerable iOS App): http://damnvulnerableiosapp.com/
- ExploitMe Mobile Android Labs: http://securitycompass.github.io/AndroidLabs/
- iGoat: https://code.google.com/p/owasp-igoat/
- InsecureWebApp: http://insecurewebapp.sourceforge.net/main/
- Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
- Xtreme Vulnerable Web Application (XVWA): https://github.com/s4n7h0/xvwa
Honey Pots
- HoneyDrive: http://bruteforce.gr/honeydrive
- Stratagem: http://sourceforge.net/projects/stratagem/
- ADHD: http://sourceforge.net/projects/adhd/
Testing Applications
Stand-alone vulnerable testing applications:
- Stanford SecuriBench: http://suif.stanford.edu/~livshits/securibench/
- Stanford SecuriBench Micro: http://suif.stanford.edu/~livshits/work/securibench-micro/
- WebGoat: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
- Mutillidae: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
- vicnum: http://sourceforge.net/projects/vicnum/
- The ButterFly – Security Project: http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/
- Hacme Casino: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
- Hacme Bank: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
- Updated version of HacmeBank: http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
- Hacme Books: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
- Hacme Travel: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
- Hacme Shipping: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
- Jarlsberg (Google): http://jarlsberg.appspot.com/
- Collection of vulnerable apps: http://sourceforge.net/projects/virtualhacking/files/
- WackoPicko: https://github.com/adamdoupe/WackoPicko
- BodgeIt Store: https://code.google.com/p/bodgeit/
- sqli-labs: https://github.com/Audi-1/sqli-labs
- FSExploitMe: https://github.com/OpenSecurityResearch/FSExploitMe
- Android-InsecureBankv2: https://github.com/dineshshetty/Android-InsecureBankv2
- Juice Shop: https://github.com/bkimminich/juice-shop
- Hack.me: https://hack.me/
- Hackademic: https://github.com/Hackademic/hackademic
- Hackxor: http://hackxor.sourceforge.net/cgi-bin/index.pl
- Peruggia: http://sourceforge.net/projects/peruggia/
Victim Sites
Vulnerable remote testing sites:
- Acunetix: http://testphp.acunetix.com/ , http://testasp.acunetix.com , http://testaspnet.acunetix.com
- SPI Dynamics: http://zero.webappsecurity.com/
- Cenzic: http://crackme.cenzic.com/
- Watchfire: http://demo.testfire.net/
- PCTechtips Challenge: http://pctechtips.org/hacker-challenge-pwn3d-the-login-form
- AltoroMutual: http://demo.testfire.net/
- OWASP Faux Bank: http://www.fauxbank.co.uk/
- Game of Hacks: http://www.gameofhacks.com/
- Google Gruyere: http://google-gruyere.appspot.com/
- Hack Yourself First: https://hackyourselffirst.troyhunt.com
- Hack This Site: http://hackthissite.org/
- Try2Hack: http://www.try2hack.nl/
- SlaveHack: http://www.slavehack.com/
- HackThis!!: https://www.hackthis.co.uk/levels/
- EnigmaGroup: http://www.enigmagroup.org/
Historic / Offline
- offline? Puck: http://h.ackerz.com/index.php?p=/projects#
- offline? GnackTrack: http://www.gnacktrack.co.uk/
- offline? nUbuntu: http://nubuntu.org/about.php
- offline? moth: http://www.bonsai-sec.com/en/research/moth.php
- historic (see Kali): Backtrack: http://www.backtrack-linux.org/