Playing with Parrot Security OS

Parrot Security OS, which recently celebrated its 4th birthday [1], comes from the Frozenbox Network, an Italian network dedicated to hacking, IT security, and programming [2]. It follows in the footsteps of already mighty security-focused OSs such as CAINE [3] and WeakerThan [4] both of which were also developed in Italy.

The OS doesn't follow an official release frequency but since 2014 has released versions on roughly a monthly basis.

Version 3.1, code-named Defcon, was released in July and is based on Debian jessie. It is available both for 32-bit and 64-bit architectures, as well as ARM and IoT images, including the Raspberry Pi and Cubieboard 4 (CC80). Visitors to the Parrot Security OS website can download either the Full or the Lite version of the ISO from a variety of mirrors. Alternatively, the ISO can be downloaded via BitTorrent.

As the names suggest, the Full version contains all the tools available via Parrot's repository and the full development environment out of the box. The Lite version is a lightweight 2GB version of the OS, allowing users to install their own penetration testing tools as needed [5].

Another very exciting version is the Parrot Cloud Edition (also known as Parrot Server Edition), which can be deployed quickly and easily for remote cloud pen tests. The system naturally doesn't come with a GUI, and most forensic tools are not present. The idea is to have a dedicated OS installed on your own VPS or remote server, complete with security tools to perform penetration tests without bringing confidential data with you. In case VPS providers don't allow installing a customized OS, a script on the Parrot Security website converts a VPS with a minimal Debian installation into a full Parrot Cloud environment [6].

For users with less specific needs, the full edition of the OS can be run in a Live environment or loaded into RAM for the sake of speed. Installation is also possible and requires a minimum of 8GB of space (16GB recommended).

The Parrot desktop has been well laid out, from the colorful eponymous bird in the centre, to the chirpy Computer Ready message when logging on. The vast array of tools has been neatly sorted into categories in the main menu (Figure 1).

Figure 1: Parrot OS categorizes the dozens of tools, making them much easier to navigate.

Parrot on the Fly

When booting from the ISO, users are given a choice to run in Live mode as well as a Forensic mode, which is non-invasive and will avoid automounts. In the interests of speed, the Advanced Options also allow the entire system to be loaded into RAM.

Despite the colorful wallpaper and slick menus, Parrot Security OS uses the LightDM display manager, so it has very minimal requirements. The website states that a minimum of 256MB of RAM is required, although it recommends twice that. Testing in a virtual machine caused kernel panic when only 256MB of RAM was assigned, but it ran perfectly on 512MB. Parrot requires no graphic acceleration at all and, at minimum, a 1GHz dual-core CPU [7].

Users for whom RAM isn't an issue may be impressed by the vast array of tweaks for the look and feel of Parrot Security OS, from Themes (Blue-Submarine is a personal favorite) to pop-up notifications. Icons and wallpapers can also be modified.

In addition to the funky interface, a number of non-security-related tools make this pen-testing distro a strong candidate for everyday use. Brasero and Rhythmbox allow for playing and burning CDs, respectively. Transmission and VLC Media Player allow downloading and playing of media files.

The full version of Parrot Security OS also boasts a large number of productivity apps; it contains the full LibreOffice suite as well as AbiWord and Gnumeric.

Persistent Parrot

Given the range of applications, serious penetration testers as well as interested users might want to install Parrot to retain their settings from one session to the next. It uses a custom hardened version of the Linux 4.5 Kernel. It's also possible to encrypt the installation drive using LUKS, as with any Debian install.

For the security conscious, installing Parrot to a drive doesn't have to undermine privacy because of the array of numerous anti-forensic tools. Of particular mention is tccf (Two Cents Cryptography Frontend), which simply serves as a more friendly GUI front end for cryptsetup and gpg to encrypt as well as delete data securely. It allows encrypting anything from a single file to an entire drive with AES/Serpent/Twofish without typing tricky commands into the terminal.

Another honorable mention goes to zuluCrypt, which not only can create encrypted volumes but open those created in TrueCrypt/VeraCrypt and support volumes using cascading encryption (e.g., Twofish-AES).

The built-in Pandora's Box module can also scrub the RAM to protect machines from a cold boot attack, as with Tails [8]. Like Kali Linux [9], it's possible to apply a nuke patch to Cryptsetup to have an alternative password that erases the headers (i.e., destroys the data). For sensitive data, version 1.10 of BleachBit is bundled with the full version of Parrot and not only shreds files and folders but automates the clearing of temporary files, caches, and so on.

Firefox 45.2, the default browser for the full installation, also comes with a Stealth RAM mode that leaves no trace on the OS, even if installed. It comes with some familiar extensions to protect private data like HTTPS Everywhere, NoScript, and WOT (Web of Trust).

Unlike many other pen-testing distros, it's possible to anonymize your connection by starting anonymous mode , which automatically runs all connections through the Tor network (Figure 2). The system also helpfully closes down any "dangerous" applications that can undermine the anonymity of the machine. Firefox also contains a link to the Hidden Wiki, which has lists of links on the dark web for those who want to delve further.

Figure 2: Anonymization mode Torifies your connection and uses FrozenDNS to prevent DNS spoofing.

Key Applications

The Swiss Army knife of pen testing tools is made easier partly by having a menu for the most used tools but also because a tool tip appears explaining what the tool does when mousing over the application.

Parrot Security OS has many old favorites. A GUI version 2.2 of John the Ripper password cracker is included, as is the more flexible command-line version 1.8.0.6; they are nicknamed Johnny and John, respectively, for easy navigation.

No suite of password-cracking tools would be complete without version 3 of Ophcrack, which comes without the rainbow tables for cracking Windows XP/Vista passwords, although these can be downloaded free of charge. For command-line lovers, the utility RainbowCrack can perform similar functions.

Of particular note are the range of Information Gathering tools offered by Parrot. Chief among these is v3.4.1 of Angry IP Scanner, which gathers interesting information about live hosts. This can be enormously useful when scanning a network to make sure, for instance, that users aren't running P2P file-sharing programs and using precious bandwidth [10].

Another wizard application is DMitry (Deepmagic Information Gathering Tool), which is a quick and easy way to run Whois lookups on the IP address or domain name of a host and even search for potential email addresses.

Users of Kali will be pleased to hear that version 2.1.1 of Lynis is included. Lynis performs a lightning array of security control checks on a Linux system to check for flaws like wrongly configured packages.

For those interested in testing the security of web applications, the latest version of Burp Suite is also bundled with the full version of Parrot Security OS. Unlike Kali, the full version also comes with the website cloning tool HTTrack preinstalled. Version 2.5.0 of OWASP ZAP is also bundled and is particularly recommended to developers who are coding web applications for the first time to search for common vulnerabilities. Needless to say this should only be used with the permission of the person who owns the ASP-based website in question.

Exploitation Tools also feature heavily in Parrot. One spectacular tool is version 2 of Penmode, which combines a number of tools for web scanning, information gathering, and analysis of CMS platform security into an easy-to-use GUI (Figure 3).

Figure 3: Penmode 2 combines a number of scanning and information gathering tools into a GUI that is very easy on the eye.

The almighty Metasploit Framework is also pre-installed and comes bundled with a couple of built-in tools. First there's a handy Update Metasploit application that ideally should be run weekly to stay up to date.

Anyone new to Metasploit can also now take advantage of Armitage, which visualizes targets, recommends exploits, and exposes advanced post-exploitation features in the framework.

Sadly, Parrot doesn't include the complimentary threat emulation toolset Cobalt Strike. Armitage can be used to fire Cobalt Strike's Beacon payload with a Metasploit exploit, saving the trouble of finding a real network to attack [11].

Another exploitation tool from the good people at TrustedSec is the Social-Engineer Toolkit (SET), which can also be found in Kali. This Python utility has an array of hacking tools so powerful in nature that, on startup, users must agree to the terms and conditions, stating that they will only use it for good.

Chief among these tools is the Mass Mailer Attack , which floods any email address with mail either through your own mail server or a googlemail (Gmail) address. Additionally, the Infectious Media Generator will create an autorun.inf file with either a Metasploit payload or the executable of your choice to place onto DVD/USB. Choosing from a numbered list gives you a choice of, for instance, spawning a command shell on the target device and sending back to the attacker, or even a VNC server.

Parrot includes a thoughtful selection of Wireless Testing and Sniffing & Snooping tools. Kali users will be happy to see that version 1.5.2 of Reaver is included, which allows for easy WPS attacks. The free version of Fern WiFi Cracker (Figure 4) is also available as a GUI front end for Reaver and aircrack-ng , allowing WPA/WPA2 cracking with dictionary or WPS-based attacks [12].

Figure 4: Fern WiFi Cracker provides an appealing interface to test the encryption of access points.

Digital forensics specialists will also be pleased to see that they have not been forgotten. Version 2.24 of the Autopsy Browser works out of the box and allows for easy setup and logging of any forensics investigation. Unfortunately, this is the latest version to support non-Windows versions, which might pose problems because it doesn't support all features in the latest Sleuth Kit versions, such as viewing timelines of cases [13].

Fortunately, Parrot also includes the command-line versions of all the tools in the Sleuth Kit suite, which can still be run individually if necessary.

Final Words

First impressions of Parrot Security OS are that it overlaps strongly with Kali Linux, which is hardly surprising because the developers initially based their new OS on Kali itself. Much of the tools are the same and because the OS is based on Debian, it's only a matter of running apt-get install to download more.

That said, what tips the balance in Parrot's favor is the consideration for newer developers and pen testers. Common tools are not only grouped together, but their purpose is explained in tool tips. By default, many tools offer to show a help guide first. GUI front ends for common apps like aircrack-ng are included where possible.

The system also lends itself well for day-to-day use, and robust anti-forensic tools mask your browsing activity and securely remove files that undermine anonymity. The most exciting and colorful part about Parrot Security OS is the sheer number of tools available. The only way to explore the full range and decide if it's the perfect pen-testing distro is to download the ISO for yourself.

The Author

Nate Drake is a Freelance Journalist specializing in CyberSecurity and Retro Tech.