The Most Vulnerable and Exploitable Operating System Ever? Damn Vulnerable Linux

DVL is a great teaching tool for security

OK, put your arrows, stones and guns away please. I am not saying every version of Linux is the most vulnerable and exploitable OS ever. But Damn Vulnerable Linux very well may be. And why not? That is exactly what its developers want it to be.

The brainchild of Dr. Thorsten Schneider of Bielefeld University, DVL was designed to build up a training system that he could use for his university lectures. His goal "was to design a Linux system that was as vulnerable as possible, to teach topics such as reverse code engineering, buffer overflows, shellcode development, Web exploitation, and SQL injection." 

DVL is made up of older and vulnerable packages, such as older versions of Apache, MySQL, PHP, and FTP and SSH daemons. It also includes tools like GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm and LIDa to help students decompile and reverse engineer some of the packages in the Linux distro.

DVL was made by people with significant security backgrounds from organizations including www.Reverse-Engineering.net and Crackmes.de. Dr. Schneider is also behind the TeutoHack group, which is the hacker lab at Bielefeld University.

You can download the 1.8GB distribution on ISO from here.

While DVL is a great security teaching tool, there is another lesson to be learned here. While we may argue until the cows come home about which OS is more or less secure, if you don't keep up with the latest versions and patches, whatever you use will be vulnerable. It is misplaced arrogance to assume any OS or application is above being vulnerable. Of course, any time human beings are involved, they can be the weakest link in the chain as well. But all software can become a security weak link over time if you don't keep up with the updates. So please update your applications and OS regularly.

Teaching security is very much a hands-on affair. Having a teaching aid like DVL around is a great resource for anyone teaching security or wanting to polish up their security chops. If you are interested in this, you should give it a whirl. Just make sure you don't use it in a real-life production environment by mistake.
