Penetration testing

Pentesting distributions and installer kits for your Raspberry Pi

Jay Turla
May 13, 2013 by
Jay Turla

Raspberry Pi for pwning and penetration testing? Of course! Why not? As an introduction, Raspberry Pi is an ARM GNU / Linux box or a credit card size mini computer that can be plugged in to your TV using an HDMI cable then to your USB type of keyboard and mouse.

Aside from office work, programming, personal usage, and gaming, it is also used by enthusiasts out there as a penetration testing box by installing Ubuntu or Debian Linux and a couple of tools for information gathering, vulnerability assessment, exploitation, maintaining access, reverse engineering, social engineering, forensic analysis and VOIP analysis.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

In this article, I will introduce some penetration testing distributions and kits that are available for your Raspberry Pi:


PwnPi is a Linux-based penetration testing drop box distribution that has over 200 network security tools pre-installed and uses Xfce as its window manager. Below are some of the tools of PwnPi as described by the lead developer:

  • 6tunnel - TCP proxy for non-IPv6 applications
  • aircrack-ng - WEP/WPA cracking program
  • amap - a powerful application mapper
  • arp-scan - arp scanning and fingerprinting tool
  • bfbtester - Brute Force Binary Tester
  • bing-ip2hosts - Enumerate hostnames for an IP using bing
  • bsqlbf - Blind SQL injection brute forcer tool
  • btscanner - ncurses-based scanner for Bluetooth devices
  • chaosreader - trace network sessions and export it to html format
  • chkrootkit - rootkit detector
  • cryptcat - A lightweight version netcat extended with twofish encryption
  • darkstat - network traffic analyzer
  • dhcpdump - Parse DHCP packets from tcpdump
  • dissy - graphical frontend for objdump
  • dmitry - Deepmagic Information Gathering Tool
  • dns2tcp - TCP over DNS tunnel client and server
  • dnswalk - Checks dns zone information using nameserver lookups
  • dsniff - Various tools to sniff network traffic for cleartext insecurities
  • enum4linux - a tool for enumerating information from Windows and Samba systems
  • etherape - graphical network monitor
  • fcrackzip - password cracker for zip archives
  • fimap - local and remote file inclusion tool
  • flasm - assembler and disassembler for Flash (SWF) bytecode
  • foremost - forensic program to recover lost files
  • fping - sends ICMP ECHO_REQUEST packets to network hosts
  • ftp-proxy - application level proxy for the FTP protocol
  • galleta - An Internet Explorer cookie forensic analysis tool
  • ghettotooth - a simple but effective blue driving tool
  • hostmap - hostnames and virtual hosts discovery tool
  • hping3 - Active Network Smashing Tool
  • httptunnel - Tunnels a data stream in HTTP requests
  • httrack - Copy websites to your computer (Offline browser)
  • hydra - Very fast network logon cracker
  • ike-scan - discover and fingerprint IKE hosts (IPsec VPN Servers)
  • inguma - Open source penetration testing toolkit
  • iodine - tool for tunneling IPv4 data through a DNS server
  • ipcalc - parameter calculator for IPv4 addresses
  • isr-evilgrade - take advantage of poor upgrade implementations by injecting fake updates
  • ipgrab - tcpdump-like utility that prints detailed header information
  • john - active password cracking tool
  • kismet - Wireless 802.11b monitoring tool
  • knocker - Simple and easy to use TCP security port scanner
  • lcrack - A generic password cracker
  • lynis - security auditing tool for Unix based systems
  • macchanger - utility for manipulating the MAC address of network interfaces
  • mboxgrep - Grep through mailboxes
  • mdk3 - bruteforce SSID's, bruteforce MAC filters, SSID beacon flood
  • medusa - fast, parallel, modular, login brute-forcer for network services
  • metagoofil - an information gathering tool designed for extracting metadata
  • metasploit - security project which provides information about security vulnerabilities
  • mysqloit - SQL Injection takeover tool focused on LAMP
  • mz - versatile packet creation and network traffic generation tool
  • nbtscan - A program for scanning networks for NetBIOS name information
  • netcat-traditional - TCP/IP swiss army knife
  • netdiscover - active/passive network address scanner using arp requests
  • netrw - netcat like tool with nice features to transport files over network
  • netsed - network packet-altering stream editor
  • netwag - graphical frontend for netwox
  • netwox - networking utilities
  • nikto - web server security scanner
  • nmapsi4 - graphical interface to nmap, the network scanner
  • nmap - The Network Mapper
  • nstreams - a tcpdump output analyzer
  • obexftp - file transfer utility for devices that use the OBEX protocol
  • onesixtyone - fast and simple SNMP scanner
  • openvas-client - Remote network security auditor, the client
  • openvas-server - remote network security auditor - server
  • ophcrack-cli - Microsoft Windows password cracker using rainbow tables (cmdline)
  • ophcrack - Microsoft Windows password cracker using rainbow tables (gui)
  • otp - Generator for One Time Pads or Passwords
  • p0f - Passive OS fingerprinting tool
  • packeth - Ethernet packet generator
  • packit - Network Injection and Capture
  • pbnj - a suite of tools to monitor changes on a network
  • pentbox - Suite that packs security and stability testing oriented tools
  • pdfcrack - PDF files password cracker
  • pnscan - Multi threaded port scanner
  • proxychains - redirect connections through proxy servers
  • pscan - Format string security checker for C files
  • ptunnel - Tunnel TCP connections over ICMP packets
  • ratproxy - passive web application security assessment tool
  • reaver - brute force attack tool against Wifi Protected Setup PIN number
  • s.e.t - social engineering toolkit
  • scrub - writes patterns on magnetic media to thwart data recovery
  • secure-delete - tools to wipe files, free disk space, swap and memory
  • sendemail - lightweight, command line SMTP email client
  • siege - HTTP regression testing and benchmarking utility
  • sipcrack - SIP login dumper/cracker
  • sipvicious - suite is a set of tools that can be used to audit SIP based VoIP systems
  • skipfish - fully automated, active web application security reconnaissance tool
  • socat - multipurpose relay for bidirectional data transfer
  • splint - tool for statically checking C programs for bugs
  • sqlbrute - a tool for brute forcing data out of databases using blind SQL injection
  • sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws
  • sqlninja - SQL Server injection and takeover tool
  • ssldump - An SSLv3/TLS network protocol analyzer
  • sslscan - Fast SSL scanner
  • sslsniff - SSL/TLS man-in-the-middle attack tool
  • sslstrip - SSL/TLS man-in-the-middle attack tool
  • stunnel4 - Universal SSL tunnel for network daemons
  • swaks - SMTP command-line test tool
  • tcpdump - command-line network traffic analyzer
  • tcpflow - TCP flow recorder
  • tcpick - TCP stream sniffer and connection tracker
  • tcpreplay - Tool to replay saved tcpdump files at arbitrary speeds
  • tcpslice - extract pieces of and/or glue together tcpdump files
  • tcpspy - Incoming and Outgoing TCP/IP connections logger
  • tcptrace - Tool for analyzing tcpdump output
  • tcpxtract - extracts files from network traffic based on file signatures
  • theHarvester - gather emails, subdomains, hosts, employee names, open ports and banners
  • tinyproxy - A lightweight, non-caching, optionally anonymizing HTTP proxy
  • tor - anonymizing overlay network for TCP
  • u3-tool - tool for controlling the special features of a U3 USB flash disk
  • udptunnel - tunnel UDP packets over a TCP connection
  • ussp-push - Client for OBEX PUSH
  • vidalia - controller GUI for Tor
  • vinetto - A forensics tool to examine Thumbs.db files
  • voiphopper - VoIP infrastructure security testing tool
  • voipong - VoIP sniffer and call detector
  • w3af-console - framework to find and exploit web application vulnerabilities (CLI only)
  • w3af - framework to find and exploit web application vulnerabilities
  • wapiti - Web application vulnerability scanner
  • wash - scan for vunerable WPS access points
  • wavemon - Wireless Device Monitoring Application
  • wbox - HTTP testing tool and configuration-less HTTP server
  • webhttrack - Copy websites to your computer, httrack with a Web interface
  • weplab - tool designed to break WEP keys
  • wfuzz - a tool designed for bruteforcing Web Applications
  • wipe - Secure file deletion
  • wireshark - network traffic analyzer - GTK+ version
  • xprobe - Remote OS identification
  • yersinia - Network vulnerabilities check software
  • zenmap - The Network Mapper Front End
  • zzuf - transparent application fuzzer

The default username for this distro is root and the default password is toor, which reminds me of BackTrack Linux.

Download Link:

Kali Linux

BackTrack Linux's successor "Kali Linux" is also available for Raspberry Pi and for other ARM architectures. It has XFCE as its desktop manager for sleek performance, but it still rides like your new favorite penetration testing distro "Kali Linux." Unlike BackTrack Linux, Kali is based on Debian GNU / Linux distribution but it is still aimed at computer forensics, reverse engineering, wireless penetration testing, web hacking, and many more.

There are more than 300 penetration testing tools and security auditing programs pre-installed for this distro, which includes theMetasploit Framework, Nmap, SQLmap, Openvas, Aircrack-ng, John, Hydra, Maltego, zaproxy, Wireshark, sslsniff, webmitm, hexinject, dex2jar, etc.

The tools for Kali Linux are also categorized as Top 10 Security Tools: Information Gathering, Vulnerability Analysis, Web Applications, Password Attacks, Wireless Attacks, Exploitation Tools, Sniffing/Spoofing, Maintaining Access, Reverse Engineering, Stress Testing, Hardware Hacking, Forensics, and Reporting Tools.

Download Link:

Raspberry Pwn

Raspberry Pwn is an installer from Pwnie Express for transforming your Debian distribution that is running on Raspberry Pi into a penetration testing kit which is loaded with a suite of security and auditing tools like SET, Fasttrack, kismet, aircrack-ng, nmap, dsniff, netcat, nikto, xprobe, scapy, wireshark, tcpdump, ettercap, hping3, medusa, macchanger, nbtscan, john, ptunnel, p0f, ngrep, tcpflow, openvpn, iodine, httptunnel, cryptcat, sipsak, yersinia, smbclient, sslsniff, tcptraceroute, pbnj, netdiscover, netmask, udptunnel, dnstracer, sslscan, medusa, ipcalc, dnswalk, socat, onesixtyone, tinyproxy, dmitry, fcrackzip, ssldump, fping, ike-scan, gpsd, darkstat, swaks, arping, tcpreplay, sipcrack, proxychains, proxytunnel, siege, sqlmap, wapiti, skipfish, and w3af.

It is just easy to install Raspberry Pwn, but make sure that you have already booted up Debian or Soft-float Debian "wheezy" which can be downloaded here.


  1. Resize the root partition and use the whole SD card.
  2. Start the SSH service and SSH into your Raspberry Pi so that you can have access into the terminal or console of your Debian box. You may also grab your terminal right away if your Raspberry Pi is already connected to your TV or monitor.
  3. Change to the root user:

    # sudo -s

  4. Install git (Make sure you are connected to the Internet):

    # apt-get install git

  5. Download or clone the Raspberry Pwn installer from the Pwnie Express Github repository:

    # git clone

  6. Move into the Raspberry-Pwn directory and run the installer script: cd Raspberry-Pwn ; ./
  7. And then, wait for the installation to finish!


PwnBerryPi is another pentesting suite for the Raspberry Pi and is based from Pwnie Express's Raspberry Pwn, so basically you can expect the same tools from Raspberry Pwn. You can download or clone the PwnBerryPi installer from the g13net Github repository from here:

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.





Jay Turla
Jay Turla

Jay Turla is a security consultant. He is interested in Linux, OpenVMS, penetration testing, tools development and vulnerability assessment. He is one of the goons of ROOTCON (Philippine Hackers Conference). You can follow his tweets @shipcod3.