
Pentesting Distros


sud0nick


I've been using Kali for a long time and I'm comfortable with it but I feel it's time to move on. From what I understand, since it is an OS strictly for pentesting it doesn't take into account the user's own security. In the past I've used Kali for brief periods of time without worrying about the security of the system I was on. However, if I am to become better at pentesting then I must upgrade the tools I use. I also want to practice on the same system I would use for actual pentests. Which OS can you recommend that provides the power and tool selection that Kali does but also provides security similar to Tails? I know there won't be a perfect cross-over but I'm looking for the closest one available.

I have found a list of pentesting distros including BlackArch (which I've used briefly), BackBox, and ArchAssault. I'll continue researching but would appreciate your opinions and experiences with these various distros.

Edited by sud0nick
Link to comment
Share on other sites

Any distro can be made secure, you just have to put some effort in. I wouldn't go for a single OS and certainly don't practice on the same machine as you test with, if you do then you risk going onto site with vulnerabilities open and a messed up machine.

I'd suggest picking an OS that you are comfortable with, be it Windows, OSX or a Linux distro and then using one of the virtualisation systems (VMWare, VBox etc) to create new machines to use to test with and to practice on. You can't use a single OS to do everything, you might use a Windows box to work on Windows networks, a Linux distro to run most tools and then a few other machines to use tools that need special dependencies. You can also create vulnerable machines to test on but make sure they are turned off when you do testing.

Link to comment
Share on other sites

Maybe I should have been more clear and not made it sound like I'm looking for "one box to rule them all". I understand different networks require different tools but it seems the primary tool today is Kali which can make an attacker vulnerable if it is not secured. I know it can become secure but I also don't know what I don't know. I don't know all of Kali's weaknesses but I have heard many people claim they exist and that is enough for me to pose the question above. If I can find an OS that starts off more secure than Kali and has the same potential it would save a lot of time.

When I said "I also want to practice on the same system I would use for actual pentests" I meant I want to become familiar enough with the only OS I should be using for pentests. I didn't mean I would use the same physical machine. I just want to know your experiences with different pentesting distros to see which you prefer so I can add that to my list of distros I'm researching. Having references will make a distro stand out for me and will help with my decision.

Link to comment
Share on other sites

I wouldn't worry about what is more secure out of the box, learn to secure the one you choose to use. Kali can be fully locked down or could be opened completely depending on what you do to it, what you install and how you configure things. For example if you take the most locked down OS and install Apache, Samba and NFS and have them all start on boot then you've just opened a load of ports and so increased your attack surface. If you accidentally configure NFS to share the root of your drive then you are even more open. On the other hand, if you take XP and lock it down well then it can be made to be pretty much secure.

In learning how to secure your own box you learn about weaknesses, which will then help with your testing.

I meant I want to become familiar enough with the only OS I should be using for pentests.

You shouldn't be using just one OS for tests, you should be using whatever is appropriate for the test, I can use 4-5 in some tests depending on the tools required.

If you want to know my favourite then I use Windows 8.1 with a Debian box for most of my tools on one laptop and Debian with Windows VMs on my second.

Link to comment
Share on other sites

If you want to know my favourite then I use Windows 8.1 with a Debian box for most of my tools on one laptop and Debian with Windows VMs on my second.

Thanks.

In learning how to secure your own box you learn about weaknesses, which will then help with your testing.

I understand this but like I said, I don't know what I don't know. I could apply the security concepts I understand to the box but I'm always paranoid there is more that I will miss. If I'm concerned with security in code that I write it is easy to post it to the forums and have people review it to tell me what I missed whereas I can't easily do that with an OS. Hence the reason I'm asking for the experiences of others.

Link to comment
Share on other sites

Nothing to do with security or anything like that. I have a really nice high end Lenovo that started acting up and freezing so became unusable. It was about 2.5 years old so bought myself a new one to replace it. I then found out that the Lenovo was still under warranty so got it fixed and now I have a spare. The Lenovo is now mostly a desktop machine, the Dell an actual laptop.

I could have returned or sold the Dell but as I'm a freelancer and I have to have a working machine I kept it.

Link to comment
Share on other sites

I think the problem is not Kali, as much as it is, learn how to set up users and sudo, and change all the default passwords on your own. Kali can be used with sudo, just like BackTrack and any other distro. You have to set it up yourself though. As for security or being insecure, I think it's more that people don't take into account CHANGE THE DEFAULT PASSWORD ON BOOT since it's well documented. If you use it in a VM, and installed, change the default password for root (no matter what way you decide to go), and/or add a new user with lower privileges and use sudo. You can still boot and run as root when needed, but most things will still work with sudo, or just sudo su a specific terminal to run it as root for the session. I've never had any issues with things not working from sudoers in my older BackTrack laptop, and haven't had the need really for Kali since I use it in a VM and am only testing things on my local network. If I was going out in the wild live booting or native install to my laptop, I'd change the default password every boot or set up sudo on the thing.

edit:

I should add, if you're relying on the security of your OS as a matter of "security" preference alone, you're in the wrong field. No matter what the OS, Windows, OSX, etc, you own the machine, it's your responsibility to check what's not locked down, running, and needs to be disabled for your own safety. This applies to all operating systems and machines you own, from desktops, VMs, laptops and mobile devices.

Edited by digip
Link to comment
Share on other sites

Do you think the only problem that people reference is the default setup of accounts and permissions? If so then I would probably continue to use Kali. Some of the things I've heard make it sound as if the OS is inherently insecure aside from root being the only user by default. As I stated before I wouldn't have any idea what is actually wrong with the OS unless someone told me. So if the general consensus is that Kali is only insecure at first because you need to create an unpriv account and lock down root then I can deal with that. That's easy stuff.

Link to comment
Share on other sites

Do you think the only problem that people reference is the default setup of accounts and permissions? If so then I would probably continue to use Kali. Some of the things I've heard make it sound as if the OS is inherently insecure aside from root being the only user by default. As I stated before I wouldn't have any idea what is actually wrong with the OS unless someone told me. So if the general consensus is that Kali is only insecure at first because you need to create an unpriv account and lock down root then I can deal with that. That's easy stuff.

This would kind of be the same with any Linux distro (or OS). Know what services are running and on at boot, what you can start manually vs not needed at all times, which services will cause more ports to be open and such, default user password for root being the biggest issue with Kali (or any OS/devices), but that's kind of a no brainer, change the default password everywhere across all your hardware and software, from home routers and firewalls to software you run.

If live, every time you boot, you have to change it, which is a good start. Native installs or VMs, set up new users, but STILL change the default root password.

Problem with it being as "insecure" is that most pentesters are using these as boot and nuke boxes, where sometimes all they are allowed to bring into a company's premises for a pentest might be a CD/DVD or USB stick (and have to leave them when done). Some places if you bring a phone or laptop, will not let you leave with it, so having throw away hardware (or charged to the company for the job) or portable media you can say, break the CD in half when leaving the job or leave them the USB stick on end of the job, is cheaper than carrying native installed devices that you may not even be allowed to bring onto the premises. This is also where security folk can get in trouble too, as you can find online stories of pentesters not changing the default passwords and getting owned in the field, or even at places like conferences. I recall not too long ago this happened to a bunch of new pineapple users who didn't lock down their new toys at Defcon or BlackHat.

Link to comment
Share on other sites
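
Added example, not part of any post in this thread: a shell check for the two things the replies above describe, namely services that open ports beyond loopback (the Apache, Samba and NFS case) and an NFS export that shares the root of the drive. The `ss -tlnp`-style lines, the `/etc/exports` content and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample data is constructed, not taken from the thread.

# Constructed `ss -tlnp`-style lines: State Recv-Q Send-Q Local Peer Process
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=812,fd=4))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=901,fd=30))
LISTEN 0 64 [::]:2049 [::]:*
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=950,fd=5))'

# Constructed /etc/exports content, including the accidental root share.
SAMPLE_EXPORTS='# /etc/exports
/srv/share 192.168.56.0/24(ro,sync)
/ *(rw,no_root_squash)'

# Print "port address" for every TCP listener not bound to loopback.
exposed_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        addr = $4; port = addr
        sub(/.*:/, "", port)        # keep the text after the last colon
        sub(/:[^:]*$/, "", addr)    # keep the text before the last colon
        if (addr !~ /^127\./ && addr != "[::1]") print port, addr
    }'
}

# Print "path: reasons" for exports that share / or are open to any client.
risky_exports() {
    printf '%s\n' "$1" | awk '$1 ~ /^#/ || NF == 0 { next } {
        why = ""
        if ($1 == "/") why = why " root-of-filesystem"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\*/) why = why " any-client"
            if ($i ~ /no_root_squash/) why = why " no_root_squash"
        }
        if (why != "") print $1 ":" why
    }'
}

echo "Listeners reachable from the network (port address):"
exposed_listeners "$SAMPLE_SS"
echo "Risky NFS exports:"
risky_exports "$SAMPLE_EXPORTS"
```

On a real box, pass the output of `ss -tln` and the contents of `/etc/exports` to the two functions instead of the samples.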

This is the link to IHuntPineapples at Defcon.

http://www.networkworld.com/article/2462478/microsoft-subnet/hacker-hunts-and-pwns-wifi-pineapples-with-0-day-at-def-con.html

As Digip says, if you know how to lock things down, you can lock down anything, if you don't know or understand what you are working with you can mess anything up.

The most out-of-the-box secure OS is OpenBSD, but I challenge you to actually use it as a day-to-day OS; it is just too awkward.

Link to comment
Share on other sites

Well this definitely makes me feel better about using Kali. I misunderstood the "flaws" that were spoken of by others. I was under the impression they were inherent system flaws rather than conveniences. I'm starting to play around with BackBox to see how I like it but now I'll keep Kali on my list too.

Link to comment
Share on other sites

  • 4 weeks later...

My preference is to install Kali via the custom image "XFCE-light". At that point, you can lock it down, add users for whatever tasks you may need, tune it, harden it, remove any other crap you don't want on it then add the packages you want and know you need. I couldn't begin to guess how many distros & various *nix's I have adminned or used since I started by installing Slak from about 14 floppy disks back in the early 90's. This particular method and config has become my favorite by far.

That said, if you are set on trying something other than Kali, both Arch and Pentoo are very decent.

Link to comment
Share on other sites
