Meet Parrot Security OS (a Linux Distro) – Pentesting in the cloud!


Henry Dalziel | Pentesting Distros | November 5, 2013

Many of our regular readers and the Hacker Hotshot community know by now that we enjoy covering news on Linux pentesting distros, and whilst heavy hitters such as Kali Linux and BackBox tend to get most of the limelight, we particularly like exposing upcoming distros. Here is one certainly worth blogging about: Parrot Security OS.

Linux penetration testing distros (call them hacking distros if you want) basically revolve around the same premise, i.e. storing ‘best of breed’ pentesting tools, kept efficiently updated, within an easy-to-use operating system. Now, the interesting thing about Parrot Security OS is that the team behind it has a novel way of using the cloud to manage the OS. We have to be honest: we are not entirely sure how the Cloud Pentesting Distro concept works – and for that reason we’d be grateful if any readers could chime in and drop a comment below to help improve this post.

Here’s what we do know about this distro, which does feel like it is packing a punch:

First off, it is based on Debian GNU/Linux mixed with Frozenbox OS and Kali Linux to, in their own words, ‘provide the best penetration and security testing experience.’ Certainly, taking the Debian/Kali Linux route is a smart move, since it is a tried and tested platform that offers reliability.

Another thing we do know is that the design of the distro, as you would expect from a bunch of Italian pentesters, looks very slick and easy on the eye – and let’s be honest, that is important, because if you are anything like us you are spending too much time in front of your monitors. Of interest, and on the subject of Italy, we note that several IT security distros hail from Italy, namely BackBox and CAINE (which is actually more of a forensics distro).

Pentesting in the cloud
This does intrigue us, as does the question of how it can be applied to a penetration tester’s operating system. Does the OS fit into a particular cloud service model? As per the National Institute of Standards and Technology (NIST SP 800-145) definition, there are three cloud service models. They are:

  • Infrastructure as a Service (IaaS): the provider supplies hardware and network connectivity. The tenant, on the other hand, is responsible for the virtual machine and the software stack that operates within it.
  • Platform as a Service (PaaS): this is when the tenant supplies the web or database application (for example) that they would like to deploy, and the provider supplies all the necessary components required to run the app.
  • Software as a Service (SaaS): this is the last category, whereby the provider supplies the app and all the components necessary for its operation. SaaS is meant to be a ‘quick-fix’ for the tenant.

In Summary
We might be way off the mark here – and if we are – please let us know by dropping a comment below. We will be keeping an eye on the Parrot Security OS so please consider this as your first introduction to what looks like a promising project, and don’t forget where you heard it first!

On the subject of penetration testing distros, we had an interesting Hacker Hotshot presentation from Andrew Hoog in which he discussed ‘How To Turn BYOD Risk Into Mobile Security Strength’. The reason we are bringing that up is that Andrew is the co-founder of viaForensics and co-developer of Santoku, a distro that focuses on mobile forensics – another niche and interesting area of IT security.

We wish the Parrot (Frozen Box) team all the best and look forward to hearing how the project develops.

  • and thanks for this article 🙂 i’ll add this website to our sponsor lists 🙂

  • of course, as you’ve said, it’s not simple to imagine the concept of cloud seen in a pentesting environment, our first idea is to develop a “server edition” of parrot with no GUI tools and only the tools that could be used on a remote environment, for example: who cares about airodump-ng on a server? probably we could use aircrack, john and so on in order to perform a remote bruteforcing/cracking operation with the material captured by our client, we can perform a stress testing attack using the internet upload speed of the servers even if our local connection is not one of the best, and in the end we can store remotely all our material in the cloud, having it with us all the time even if we use a live device or different pentesting devices or even a different OS

    so we have to follow another way to choose the tools, but we have to think about an intuitive way to manage one or more Parrot servers.
    Probably it is science fiction but we are trying to develop a client that could start services such as metasploit community or other services usable via http, mount the remote storage as a local one via sftp as every remote gnu/linux connection client does, open a shell on the server, create a socket tunnel and so on

    but it is only an idea we are still building, now we have to realize it!

    p.s. sorry for my english

  • we released a new version (0.7) now available here
