Parrot OS Security

Prattling a Distro; Parrot OS

Parrot OS was initially released on 10th April 2013. It has now grown to become one of the most popular penetration testing distros in the arena.

So, we asked the Parrot Dev Team some interesting questions and got some interesting answers. Here’s what NONG HOANG Tu, aka @dmknght, one of the developers, had to say:

How would you respond to the “Kali vs Parrot” debate? How is Parrot better?

“Kali is Debian testing based distro + pentest tools are maintained by their developers. It was not designed for daily OS.

Parrot is Debian testing based distro + custom tools are developed by us + default configurations for environments + pentest tools are forked from Kali repo. So:

In the pentesting section:

Both distros are the same. (have the same toolkit)

Parrot has a home edition which is focused on privacy. We have pre-installed toolkit like anonsurf, mat2 (a tool that removes metadata from files), …

Parrot never wanted users to run the system as root. Kali has changed their login method from 2020.

Parrot has default configurations for a friendly environment: a default firefox profile with add-ons that protect users’ privacy, very useful and friendly to panels, customized bashrc, … Kali just added their default zshrc (2020.3?) and well it looks… you know…

Performance:

This is a “myth”: some articles on the internet say Parrot has better runtime performance than Kali. well… This depends on Desktop Environment that the system is using. If you compare Gnome3 vs Mate, ofc mate is the winner *smile*. Since 2020, Kali provides their default customized XFCE DE so the comparison is not true anymore. I would like to see if there is any comparison of Kali XFCE and Parrot XFCE.

Undercover mode:

Our team agreed that was a theme changing only. Ofc Kali did a good job by creating a script for the XFCE environment. If you want something like that from Parrot in future. I’m sure we don’t do that. Try finding some Easter Eggs in our system. *Mona Lisa smile*

Team:

The core team of Parrot now has only 5 members. And we have to manage everything: servers, mirrors (many mirrors are maintained by volunteers, not our team. Big thanks to them), community, development.

More about tools:

We want to have a complete new pentesting / forensic toolkit and it has been a year but we couldn’t complete it because of human resource problem. A little secret: I’ve completed a solution for maintaining so many pentest tools for such a small team like Parrot so we can have a big update for the security section in the next few months.

We are researching a newer solution based on docker and sandbox. The scope is to protect users in both security edition and home edition.

We are researching our application firewall and malware scanner to provide users from known malicious activities (Well don’t expect it too much. A small team with some contributors is like dreamers. But I’m sure it can be better than chkrootkit or rootkit hunter for checking real malware in your system and it can solve some critical problems of ClamAV).

So is Parrot better?

“There is nothing “wrong” or “worse”. But life can be a lot easier”

(A member in Nim programming language channel.) It is true. Well, in life, sometimes you have to hear the blame when bugs are made by a different team. *smile*

PS: Oh does Kali still use Perl script to do the “launcher update” after install/uninstall any applications using apt?

Well, if yes then we have a better thing *smile*: we have used a launcher updater that was written in Nim lang which has a rocket speed. We had a golang version before but nim version has a smaller binary size and faster runtime performance. Maybe many users didn’t notice it. Try it (4.10 vs 4.5 for example)”

Some people view ParrotOS as a distro for script kiddies and noobs. What would you say about it?

“Myth:

  • This error is on Parrot ONLYYYYYY… Parrot suxxxx
  • Kali is for Pro, Parrot is for noobs
  • Parrot is more friendly so it is for noob ( ?? 😀 ?? )
  • Parrot is a modded version of Kali (Lmao)

Answer:

  • Any error on Debian affects Parrot AND Debian testing based distros.
  • Any error on Kali (about pentesting tools only) could be on Parrot.
  • Are you (to everybody) sure any answer like “parrot is for noob” is not from a noob??
  • “Both have the same toolkit, so what is the problem?” – Egg82. He is a very good guy with good security knowledge.”

(More and more people seem to convert to Parrot nowadays. Ippsec also uses Parrot for his videos.)

“1 more thing: if you watch DEFCON, Hacktivity, you can see many security experts use Ubuntu, Windows (We call it winblows *laugh*), MacOS. Does anybody dare apply “For noob” on them?”

Is Parrot OS bloatware?

“Yes and no. Parrot is made for a ready to use OS. Do you want to use the office suite? No? Well, but other users might use it. It is the same for everything else. And that means we have to deal with the size-limit of iso file and so many problems. I personally use keepassxc a lot but it was removed from default pre-installed list.

My tip: I’m using an encrypted USB that saves keepassxc data and I bring it with me. Try to secure your passwords by using strong random passwords; always change and secure them. Having a good backup is also needed.

Security tools: It is forked from Kali and I’m sure the point is having enough tools for most common pentesting scenarios.”

Despite so much hype of privacy around the world, many people don’t know or use software like Anonsurf. What do you think could be the reason?

“Marketing problem? Herd behaviour (Well I’m using a translator for this word 😀 )? For example, if you are talking about being anonymous, ofc many people think about Whonix and Tails. Well, I’m no expert in this section but I’m sure AnonSurf can cover the network connection problem. Many users still think AnonSurf can’t do that as good as Tails or Whonix. The job: redirects everything to the Tor network. So…?”

According to you, is 100% anonymity possible?

“Nothing is 100% but stop using Facebook and p*rnhub might be a good solution. *laugh*

My story: I live in a different city and I’m visiting home. A strange phone number called me “I’m sim provider from THIS city. Do you want to upgrade your sim?”. Well, it is a simple example of how I was being tracked by GSM and a sim card. Maybe your laptop’s privacy protection is good but are you sure it is the same for your other devices?”

I’d like to sincerely thank Parrot Dev Team and Nong Hoang Tu for the time he spared us. I hope this enables people to understand the depths of a distro and not promote hysterical myths. (Parrot is a modded version of Kali).

Happy Reading 🙂

About the author

Arslan Aslam

A security enthusiast who aspires to learn more about computers with every passing byte. From Pakistan. Tweets at @Arslanoob.