Playing with Parrot Security OS


Key Applications

The Swiss Army knife of pen testing tools is made easier to use partly by a menu for the most-used tools and partly by tool tips that explain what each tool does when you mouse over the application.

Parrot Security OS has many old favorites. A GUI version 2.2 of John the Ripper password cracker is included, as is the more flexible command-line version; they are nicknamed Johnny and John, respectively, for easy navigation.

No suite of password-cracking tools would be complete without version 3 of Ophcrack, which comes without the rainbow tables for cracking Windows XP/Vista passwords, although these can be downloaded free of charge. For command-line lovers, the utility RainbowCrack can perform similar functions.

Of particular note is the range of Information Gathering tools offered by Parrot. Chief among these is v3.4.1 of Angry IP Scanner, which gathers interesting information about live hosts. This can be enormously useful when scanning a network to make sure, for instance, that users aren't running P2P file-sharing programs and using precious bandwidth [10].

Another wizard application is DMitry (Deepmagic Information Gathering Tool), which is a quick and easy way to run Whois lookups on the IP address or domain name of a host and even search for potential email addresses.

Users of Kali will be pleased to hear that version 2.1.1 of Lynis is included. Lynis performs a lightning array of security control checks on a Linux system to check for flaws like wrongly configured packages.

For those interested in testing the security of web applications, the latest version of Burp Suite is also bundled with the full version of Parrot Security OS. Unlike Kali, the full version also comes with the website cloning tool HTTrack preinstalled. Version 2.5.0 of OWASP ZAP is also bundled and is particularly recommended to developers who are coding web applications for the first time to search for common vulnerabilities. Needless to say, this should only be used with the permission of the person who owns the ASP-based website in question.

Exploitation Tools also feature heavily in Parrot. One spectacular tool is version 2 of Penmode, which combines a number of tools for web scanning, information gathering, and analysis of CMS platform security into an easy-to-use GUI (Figure 3).

Figure 3: Penmode 2 combines a number of scanning and information gathering tools into a GUI that is very easy on the eye.

The almighty Metasploit Framework is also pre-installed and comes bundled with a couple of built-in tools. First there's a handy Update Metasploit application that ideally should be run weekly to stay up to date.

Anyone new to Metasploit can also now take advantage of Armitage, which visualizes targets, recommends exploits, and exposes advanced post-exploitation features in the framework.

Sadly, Parrot doesn't include the complementary threat emulation toolset Cobalt Strike. Armitage can be used to fire Cobalt Strike's Beacon payload with a Metasploit exploit, saving the trouble of finding a real network to attack [11].

Another exploitation tool from the good people at TrustedSec is the Social-Engineer Toolkit (SET), which can also be found in Kali. This Python utility has an array of hacking tools so powerful in nature that, on startup, users must agree to the terms and conditions, stating that they will only use it for good.

Chief among these tools is the Mass Mailer Attack, which floods any email address with mail either through your own mail server or a googlemail (Gmail) address. Additionally, the Infectious Media Generator will create an autorun.inf file with either a Metasploit payload or the executable of your choice to place onto DVD/USB. Choosing from a numbered list gives you a choice of, for instance, spawning a command shell on the target device and sending it back to the attacker, or even a VNC server.

Parrot includes a thoughtful selection of Wireless Testing and Sniffing & Snooping tools. Kali users will be happy to see that version 1.5.2 of Reaver is included, which allows for easy WPS attacks. The free version of Fern WiFi Cracker (Figure 4) is also available as a GUI front end for Reaver and aircrack-ng, allowing WPA/WPA2 cracking with dictionary or WPS-based attacks [12].

Figure 4: Fern WiFi Cracker provides an appealing interface to test the encryption of access points.

Digital forensics specialists will also be pleased to see that they have not been forgotten. Version 2.24 of the Autopsy Browser works out of the box and allows for easy setup and logging of any forensics investigation. Unfortunately, this is the last version to support non-Windows platforms, which might pose problems because it doesn't support all features in the latest Sleuth Kit versions, such as viewing timelines of cases [13].

Fortunately, Parrot also includes the command-line versions of all the tools in the Sleuth Kit suite, which can still be run individually if necessary.

Final Words

First impressions of Parrot Security OS are that it overlaps strongly with Kali Linux, which is hardly surprising because the developers initially based their new OS on Kali itself. Many of the tools are the same, and because the OS is based on Debian, it's only a matter of running apt-get install to download more.

That said, what tips the balance in Parrot's favor is the consideration for newer developers and pen testers. Common tools are not only grouped together, but their purpose is explained in tool tips. By default, many tools offer to show a help guide first. GUI front ends for common apps like aircrack-ng are included where possible.

The system also lends itself well to day-to-day use, and robust anti-forensic tools mask your browsing activity and securely remove files that undermine anonymity. The most exciting and colorful part about Parrot Security OS is the sheer number of tools available. The only way to explore the full range and decide if it's the perfect pen-testing distro is to download the ISO for yourself.

The Author

Nate Drake is a Freelance Journalist specializing in CyberSecurity and Retro Tech.
