Parrot OS – Linux Hint https://linuxhint.com Mon, 14 Dec 2020 04:01:17 +0000

Prattling a Distro; Parrot OS
https://linuxhint.com/parrotos_interview_nong_hoang_tu_gmknght/
Thu, 15 Oct 2020 19:20:34 +0000

Parrot OS was initially released on 10th April 2013. It has now grown to become one of the most popular penetration testing distros in the arena.

So, we asked the Parrot Dev Team some interesting questions and got some interesting answers. Here’s what NONG HOANG Tu, aka @dmknght, one of the developers, had to say:

How would you respond to “Kali vs Parrot” debate? How is Parrot better?

“Kali is Debian testing based distro + pentest tools are maintained by their developers. It was not designed for daily OS.

Parrot is Debian testing based distro + custom tools are developed by us + default configurations for environments + pentest tools are forked from Kali repo. So:

In the pentesting section:

Both distros are the same. (have the same toolkit)

Parrot has a home edition which is focused on privacy. We have pre-installed toolkit like anonsurf, mat2 (a tool that removes metadata from files), …

Parrot never wanted users to run the system as root. Kali has changed their login method from 2020.

Parrot has default configurations for a friendly environment: a default Firefox profile with add-ons that protect users’ privacy, very useful and friendly to panels, customized bashrc, … Kali just added their default zshrc (2020.3?) and well it looks… you know…

Performance:

This is a “myth”: some articles on the internet say Parrot has better runtime performance than Kali. well… This depends on Desktop Environment that the system is using. If you compare Gnome3 vs Mate, ofc mate is the winner *smile*. Since 2020, Kali provides their default customized XFCE DE so the comparison is not true anymore. I would like to see if there is any comparison of Kali XFCE and Parrot XFCE.

Undercover mode:

Our team agreed that was a theme changing only. Ofc Kali did a good job by creating a script for the XFCE environment. If you want something like that from Parrot in future. I’m sure we don’t do that. Try finding some Easter Eggs in our system. *Mona Lisa smile*

Team:

The core team of Parrot now is having only 5 members. And we have to manage everything: servers, mirrors (there are many mirrors are maintained by volunteers, not our team. Big thanks to them), community, development.

More about tools:

We want to have a complete new pentesting / forensic toolkit and it has been a year but we couldn’t complete it because of human resource problem. A little secret: I’ve completed a solution for maintaining so many pentest tools for such a small team like Parrot so we can have a big update for the security section in the next few months.

We are researching a newer solution based on docker and sandbox. The scope is to protect users in both security edition and home edition.

We are researching our application firewall and malware scanner to provide users from known malicious activities (Well don’t expect it too much. A small team with some contributors is like dreamers. But I’m sure it can be better than chkrootkit or rootkit hunter for checking real malware in your system and it can solve some critical problems of ClamAV).

So is Parrot better?

“There is nothing “wrong” or “worse”. But life can be a lot easier”

(A member in Nim programming language channel.) It is true. Well, in life, sometimes you have to hear the blame when bugs are made by a different team. *smile*

PS: Oh does Kali still use Perl script to do the “launcher update” after install/uninstall any applications using apt?

Well, if yes then we have a better thing *smile*: we have used a launcher updater that was written in Nim lang which has a rocket speed. We had a golang version before but nim version has a smaller binary size and faster runtime performance. Maybe many users didn’t notice it. Try it (4.10 vs 4.5 for example)”

Some people view ParrotOS as a distro for ScriptKiddies and Noobs, What would you say about it?

“Myth:

  • This error is on Parrot ONLYYYYYY… Parrot suxxxx
  • Kali is for Pro, Parrot is for noobs
  • Parrot is more friendly so it is for noob ( ?? 😀 ?? )
  • Parrot is a modded version of Kali (Lmao)

Answer:

  • Any error on Debian affects Parrot AND Debian testing based distros.
  • Any error on Kali (about pentesting tools only) could be on Parrot.
  • Are you (to everybody) sure any answer like “parrot is for noob” is not from a noob??
  • “Both have the same toolkit, so what is the problem?” – Egg82. He is a very good guy with good security knowledge.”

(More and more people seem to convert to Parrot nowadays. Ippsec also uses Parrot for his videos.)

“1 more thing: if you watch DEFCON, Hacktivity, you can see many security experts use Ubuntu, Windows (We call it winblows *laugh*), MacOS. Does anybody dare apply “For noob” on them?”

“Is Parrot OS Bloatware”?

“Yes and no. Parrot is made for a ready to use OS. Do you want to use the office suite? No? Well, but other users might use it. It is the same for everything else. And that means we have to deal with the size-limit of iso file and so many problems. I personally use keepassxc a lot but it was removed from default pre-installed list.

My tip: I’m using an encrypted USB that saves keepassxc data and I bring it with me. Try to secure your passwords by using strong random passwords; always change and secure them. Having a good backup is also needed.

Security tools: It is forked from Kali and I’m sure the point is having enough tools for most common pentesting scenarios.”

Despite so much hype of privacy around the world, many people don’t know or use software like Anonsurf. What do you think could be the reason?

“Marketing problem? Herd behaviour (Well I’m using a translator for this word 😀 )? For example, if you are talking about being anonymous, ofc many people think about Whonix and Tails. Well, I’m no expert in this section but I’m sure AnonSurf can cover the network connection problem. Many users still think AnonSurf can’t do that as good as Tails or Whonix. The job: redirects everything to the Tor network. So…?”

According to you, is 100% anonymity possible?

“Nothing is 100% but stop using Facebook and p*rnhub might be a good solution. *laugh*

My story: I live in a different city and I’m visiting home. A strange phone number called me “I’m sim provider from THIS city. Do you want to upgrade your sim?”. Well, it is a simple example of how I was being tracked by GSM and a sim card. Maybe your laptop’s privacy protection is good but are you sure it is the same for your other devices?”

I’d like to sincerely thank Parrot Dev Team and Nong Hoang Tu for the time he spared us. I hope this enables people to understand the depths of a distro and not promote hysterical myths. (Parrot is a modded version of Kali).

Happy Reading 🙂

Top 20 Parrot OS Tools
https://linuxhint.com/parrot_os_tools_top_20/
Mon, 18 Feb 2019 11:42:58 +0000

Parrot Security OS is an open source, lightweight distro based on Debian Testing. It doesn’t have only pentesting tools; it contains everything that security researchers, security developers or privacy-aware people might need. Unlike Kali Linux, it also has anonymity, cryptography and development tools with a lot of cool features. Here we’ll review some famous tools of Parrot Security OS which make it a preferable distribution among others.

TOR (The Onion Router)

Tor (The Onion Router) is a distributed network used for anonymity and privacy by activists, hacktivists, ethical hackers, black hat hackers and other people who want to hide their activities online. It is designed so that the IP address of the client using TOR is hidden from the server the client is visiting, and the data and other details are hidden from the client’s Internet Service Provider (ISP). The TOR network encrypts the data and relays it through multiple hops between client and server, and that’s why it provides better anonymity than a VPN. The TOR network and TOR browser are pre-installed and configured in Parrot OS.

OnionShare

OnionShare is an open source utility used to share files of any size over the TOR network securely and anonymously. It is simple to use: just drag your file and drop it onto OnionShare. It will then generate a long random URL which the recipient can use to download the file over the TOR network using TOR browser.

AnonSurf

AnonSurf is a utility that makes the whole operating system’s communication go over TOR, I2P or other anonymizing networks. You don’t need an extra browser or anything else for it. It doesn’t only make your browser communication secure; it also anonymizes your P2P communication and a lot of other communication protocols. You can start or restart the anonsurf service from the Parrot Sec menu; the CLI options are:

$ anonsurf {start|stop|restart|change|status}

start - Start system-wide TOR tunnel
stop - Stop anonsurf and return to clearnet
restart - Combines "stop" and "start" options
changeid - Restart TOR to change identity
changemac - Change mac address
status - Check if AnonSurf is working properly
myip - Check your ip and verify your tor connection
mymac - Check your mac and verify your change mac address
changemac - Change your MAC ADDRESS (-r to restore)
Dance like no one's watching. Encrypt like everyone is.

I2P

I2P is another anonymizing network like TOR but it works in a little different way. It provides good anonymity & privacy on the internet and it can also be used to access darknet services.

Commands:
console      Launch in the current console.
start        Start in the background as a daemon process.
stop         Stop if running as a daemon or in another console.
graceful     Stop gracefully, may take up to 11 minutes.
restart      Stop if running and then start.
condrestart  Restart only if already running.
status       Query the current status.
install      Install to start automatically when system boots.
remove       Uninstall.
dump         Request a Java thread dump if running.

Electrum Bitcoin Wallet

Electrum Bitcoin Wallet is a wallet to keep and transfer your Bitcoin currency securely. It can sign transactions offline, and these transactions can then be broadcast online from another computer. It has distributed servers to keep your transactions anonymous.

Kayak – The Car Hacking Tool

Parrot Security OS has a whole menu devoted to automotive pentesting tools, and Kayak is one of these amazing tools. It is a Java-based GUI tool for analyzing CAN traffic. It has some cool modern features, such as GPS tracking, recording and playback capabilities.

EtherApe

EtherApe is a GTK GUI based open source network sniffer and network analyzer. It displays the IP layer, link layer and protocol layer and uses different colors to differentiate the protocols.

GPA – GNU Privacy Assistant

GPA is a GUI encryption tool that uses OpenPGP, a public key cryptography protocol, to encrypt and decrypt files, documents and emails. It is also used to generate key pairs, store them and export the public keys.

Ricochet

Ricochet is an anonymous and secure chat powered by TOR Network. Instead of usernames, it provides you with a long random string which looks something like ricochet:qs7ch34jsj24ogdf which is the address of the user. Messages sent using Ricochet are end to end encrypted and fully anonymous.

Nmap

Nmap (Network Mapper) is the most flexible and comprehensive tool used for port scanning and network security auditing. It is available in Parrot Security OS with both a command-line interface and a graphical interface called Zenmap. Usage example:

$ nmap --help
$ nmap hackme.org
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-15 09:32 EST
Nmap scan report for hackme.org (217.78.1.155)
Host is up (0.34s latency).
rDNS record for 217.78.1.155: cpanel55.fastsecurehost.com
Not shown: 963 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp closed ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
...snip...
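
A defensive use of a scan report like the one above, as an added example that is not part of the original article: the script reads saved nmap output and lists open ports that are not on an allowlist of services the host is expected to expose. The function names and the allowlist are assumptions; the sample report is the port table shown above.

```shell
#!/bin/sh
# Added example: audit a saved nmap report against an allowlist of ports
# that are supposed to be reachable. Function names and the allowlist are
# assumptions made for this illustration.

# Read nmap "normal" output on stdin and print "port/proto service"
# for every line of the port table whose state is exactly "open".
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_open_ports "<space-separated allowlist>"
# Read nmap output on stdin and print only the open ports that are
# missing from the allowlist, one "port/proto service" pair per line.
unexpected_open_ports() {
    allow=" $1 "
    open_ports | while read -r port service; do
        case "$allow" in
            *" $port "*) ;;                          # expected, stay quiet
            *) printf '%s %s\n' "$port" "$service" ;;
        esac
    done
}

# The port table from the sample scan in this article, embedded so the
# script runs offline.
sample_report() {
    cat <<'EOF'
Nmap scan report for hackme.org (217.78.1.155)
Host is up (0.34s latency).
Not shown: 963 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp closed ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
EOF
}

# Assumed policy: only mail relay, DNS and web should be reachable.
sample_report | unexpected_open_ports "25/tcp 53/tcp 80/tcp"
```

On a real host, replace `sample_report` with the file produced by `nmap -oN` and keep the allowlist under version control so changes in exposure show up as a diff.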

Nikto

Nikto is a powerful, free and Open Source Scanner which is used to identify common security loopholes in web servers. It scans Web Server’s version to check for version related problems. It also scans Web Server’s configurations such as HTTP allowed methods, default directories and files. Usage examples are

$ nikto -h www.vulnerableserver.com # For scanning
$ nikto -H # For help menu

SQLMap

SQLMap is a powerful yet free penetration testing tool that is used to analyze vulnerabilities related to databases. It can automatically detect and exploit database vulnerabilities, and it can extract or manipulate the data from various types of databases. It automates the whole process of database pentesting and can gather user information, passwords and other details from the databases on its own.

$ sqlmap -u http://canyouhack.us/ --dbs  # Usage example
$ sqlmap --help

Usage: python sqlmap [options]

Options:
-h, --help            Show basic help message and exit
-hh                   Show advanced help message and exit
--version             Show program's version number and exit
-v VERBOSE            Verbosity level: 0-6 (default 1)

Target:

At least one of these options has to be provided to define the
target(s)

-u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK       Process Google dork results as target URLs

...snip...

Crunch

Crunch is a dictionary maker for password attacks. It can generate wordlists according to your specifications and it will generate a dictionary with all permutations and combinations of letters, numbers and special characters.

$ crunch --help | tee help.html
crunch version 3.6

Crunch can create a wordlist based on criteria you specify.  The output from crunch can be sent to the screen, file, or to another program.

Usage: crunch <min> <max> [options]
where min and max are numbers
...snip...

CUPP

Custom User Password Profiler (CUPP) is an advanced dictionary generator for custom password profiling. It is better than crunch in a lot of ways, because it will prompt for some user data like username, birthdays, pet names and it’ll generate a wordlist automatically based on these specifications, so you won’t have to remember long syntaxes.

$ cupp -h

[ Options ]

-h   You are looking at it baby! 🙂
For more help take a look in docs/README
Global configuration file is cupp.cfg

-i   Interactive questions for user password profiling

-w   Use this option to improve existing dictionary,
or WyD.pl output to make some pwnsauce

-l   Download huge wordlists from repository

-a   Parse default usernames and passwords directly from Alecto DB.
Project Alecto uses purified databases of Phenoelit and CIRT
which where merged and enhanced.

-v   Version of the program

Metasploit Framework

Metasploit is a famous penetration testing and exploitation framework which is used to test for security vulnerabilities. It is built in the Ruby language and supports a PostgreSQL database for data management. It has msfvenom, which is used for exploit code generation, and encoders to help payloads evade antivirus solutions. To try Metasploit, type

$ sudo msfconsole

Bleachbit

Bleachbit is a free disk space cleaner which is used to delete useless log files, internet history, cookies and temporary files. It has some advanced features like shredding files to prevent forensics and other data recovery techniques. It’s a complete all-in-one tool for permanently deleting your junk with no chance of forensics or recovery.

Macchanger

Macchanger is an awesome tool used to change an interface’s MAC address. It is used mostly to evade MAC filtering on routers and also to stay anonymous. Your device’s MAC address is its identity; it can be used to locate you or to detect you on the internet, so it’d better be changed. To change your MAC address, type

$ sudo ifconfig wlan0 down # wlan0 -> your interface
$ sudo macchanger -r wlan0
$ sudo ifconfig wlan0 up

Aircrack-ng

Aircrack-ng is a suite of tools used for Wireless Security Auditing or say WiFi cracking. It can be used to analyze, test, crack and attack Wireless Security Protocols like WEP, WPA, WPA2. Aircrack-ng is command line based tool and also has some third party GUI interfaces. Aircrack-ng has a lot of tools used for different purposes to attack the wireless network. It can be used to recover forgotten passwords.

OpenVAS

OpenVAS is a free vulnerability scanner, forked from the last free Nessus code on github after Nessus was closed-sourced in 2005. For its plugins, it still uses the same NASL language as Nessus. It’s a free, open source and powerful network vulnerability scanner.

If you are using OpenVAS for the first time then you need to auto-configure it using the following command. It’ll configure openvas service and generate a user and its password.

$ sudo openvas-setup

Netcat

Netcat is a raw TCP and UDP port writer and it can also be used as a port scanner. It’s an amazing tool which can be used to interact with any protocol like HTTP, SMTP, FTP, POP3 without using an application level software. It can connect to both TCP and UDP ports and also allows binding of an application.

To check for an open port, write

ubuntu@ubuntu:~$ nc -z -v hackme.org 80
...snip...
hackme.org [217.78.1.155] 80 (http) open

To scan for a range of ports, type

ubuntu@ubuntu:~$ nc -z -nv 127.0.0.1 20-80
(UNKNOWN) [127.0.0.1] 80 (http) open
(UNKNOWN) [127.0.0.1] 22 (ssh) open

CONCLUSION

With all these great tools, I am sure you will enjoy Parrot Security OS.

Parrot Security OS: Product Review
https://linuxhint.com/parrot_security_os_review/
Fri, 08 Feb 2019 13:23:34 +0000

Parrot Security OS is an open source and free GNU/Linux distribution that is made for developers, penetration testers, security researchers, forensic investigators and privacy-aware people. It is based on Debian Testing and ships with MATE as its default desktop environment.

It is a customised version of Debian which doesn’t only come with security tools; it also has pre-installed development, security and anonymity tools like Tor, Tor chat, I2P, Anonsurf and ZuluCrypt that are commonly used by developers, security researchers and privacy-concerned people. It can be dual-booted with other operating systems or can be used in virtual environments or docker.

It has a separate “Forensics Mode”, in which it doesn’t mount any of the system hard drives or partitions and leaves no effect on the host system, making it stealthier than its ordinary mode. This mode is used to perform forensics operations on the host system.

System Requirements

CPU: x86 architecture with minimum 700 MHz

RAM: Minimum 256MB for i386 and 320MB for amd64

HDD: almost 16GB for installation

Architecture: supports i386, amd64, 486 (legacy x86), armel, armhf (ARM)

Boot Mode: Legacy preferred

In its category, it can be compared to BackTrack or Kali Linux. Kali Linux is awesome, but there are some things it lacks, such as anonymity or advanced cryptography tools. Parrot also mostly comes with wireless drivers installed that are compatible with most systems, so you won’t have to install them manually. Here are some cool features of Parrot Security OS which make it preferable among other Linux distros.

Anonymity & Security

A lot of Linux distros, even Kali Linux, don’t have anonymity tools like Tor Browser, Anonsurf, Tor chat and I2P pre-installed. Parrot Security OS has a lot of tools to hide your identity on the local network and on the internet. For example, Macchanger is used to change the MAC address of your PC, and it can change it on a regular basis. The Tor network or Anonsurf is used to hide your IP address on the internet. Firefox in Parrot OS also has the “NoScript” extension installed, which prevents JavaScript from running on your computer; it keeps you safe from cryptojacking attacks or malicious scripts that monitor your activities.

Cryptography

Parrot Security has pre-installed tools which can be used to encrypt files, folders and drives with passwords or private keys to keep them safe and away from hackers. These tools include TrueCrypt, Zulu Mount and GPA, which support both symmetric and asymmetric encryption algorithms. You can send someone an encrypted message or file so no one in the middle can read the communication.

Programming & Development

Parrot Security OS doesn’t only have tools for ethical hacking and penetration testing; it also comes with compilers and interpreters for a lot of powerful languages, as well as IDEs. So in Parrot Security OS, you can even program an Arduino or write code in your favorite language.

Lightweight

Parrot Security OS is lightweight compared to Kali Linux because it has MATE as its default desktop environment and Kali Linux has GNOME. Parrot Security OS with its MATE environment needs just 256-320 MB of RAM, which is way less than GNOME. It runs faster and smoother even on old hardware with limited resources. This makes it favorable for use in virtual environments where low resource consumption is preferred.

Sandboxed

Parrot OS offers a restricted and secured environment for its users’ better security. That makes it more secure than Kali Linux which is root by default.

Hardware hacking

Parrot Security OS also ships with hardware programming and hacking tools installed. These tools include Arduino IDE, GNU Radio, Kayak and other radio sniffing tools. One of the interesting tools you’ll see here is “Kayak – The car hacking tool”, which can be used to test cars for vulnerabilities. Besides WiFi tools, it also has Bluetooth, RFID and NFC communication hacking tools.

User friendly

Parrot OS is more user friendly than Black Arch Linux or Kali Linux, according to reviews. It comes pre-installed with LibreOffice packages and a lot of other general purpose tools that make it really easy to use.

Conclusion

Generally, Parrot OS is a pretty great, user-friendly and lightweight distro. While using it, you’ll find it nearly equal to Kali Linux except for some minor differences. It may not offer a lot of tools that are present in Kali Linux, but the overall collection of tools is amazing. It also offers some tools that are not present in Kali and other similar distros. Parrot Security OS isn’t just for ethical hacking and pentesting; it is also for development, anonymity and privacy.

How to install Parrot Sec OS
https://linuxhint.com/install_parrot_sec_os/
Mon, 04 Feb 2019 15:31:32 +0000

Parrot Security OS is an open source and free GNU/Linux distribution that is made for developers, security researchers, forensic investigators and privacy-aware people. It is based on Debian and uses MATE as default desktop environment.

It comes with pre-installed development and security tools that are commonly used by developers, security researchers and privacy-concerned people.

Requirements

RAM: Minimum 256MB for i386 and 320MB for amd64
HDD: almost 16GB for installation
Architecture: supports i386, amd64, 486 (legacy x86), armel, armhf (ARM)

Installation

Parrot OS supports a range of platforms. It can be installed in Virtualbox, VMware, docker and Raspberry pi, also it can be dual booted with Windows.

If you want an Open Virtualization Format (OVF) image of Parrot Sec OS for virtualization platforms, you can download it here https://www.parrotsec.org/download-security.php with no need to install it manually; just import the OVF file and you’re all set to go. For a hardware install, download the hybrid ISO of Parrot OS from its official website.

Making a bootable USB Drive

For dual-boot or single-boot installation of Parrot Sec OS, you need a USB drive with minimum 4GB of space. Download the ISO and burn it to USB drive. If you are on Linux, you can use either dd or Etcher utility (https://www.balena.io/etcher/). On Windows, you should use Win32DiskImager utility to burn ISO to the USB drive.
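
Before writing the image with dd, it is worth checking both the download and the target device. The script below is an added example, not part of the original article: it compares the ISO's SHA-256 with a value you supply and refuses to write to anything other than an unmounted, removable whole disk. The ISO file name, the hash placeholder and `/dev/sdX` are assumptions.

```shell
#!/bin/sh
# Added example: guarded version of "burn the ISO with dd".
# Function names, the ISO file name and /dev/sdX are assumptions.

# verify_iso FILE EXPECTED_SHA256
# Returns 0 only when the file's SHA-256 equals the expected value
# (case-insensitive), 1 on mismatch, 2 when the file is missing.
verify_iso() {
    iso=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$iso" ] || { echo "no such file: $iso" >&2; return 2; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $iso" >&2
    return 1
}

# is_removable_disk DEVICE
# Returns 0 only for a block device that is a whole disk (it has an entry
# under /sys/block, which partitions do not) and that the kernel flags as
# removable. Some USB enclosures report 0 here and will be refused.
is_removable_disk() {
    [ -b "$1" ] || return 1
    name=$(basename "$1")
    [ -r "/sys/block/$name/removable" ] || return 1
    [ "$(cat "/sys/block/$name/removable")" = "1" ]
}

# write_iso FILE EXPECTED_SHA256 DEVICE
# Runs dd only after every check has passed.
write_iso() {
    verify_iso "$1" "$2" || return 1
    if ! is_removable_disk "$3"; then
        echo "refusing: $3 is not a removable whole disk" >&2
        return 1
    fi
    # Any mounted partition of the target (sdX1, sdX2, ...) blocks the write.
    if grep -q "^$3" /proc/mounts; then
        echo "refusing: $3 has mounted partitions, unmount them first" >&2
        return 1
    fi
    sudo dd if="$1" of="$3" bs=4M conv=fsync status=progress
}

# Usage (hypothetical values):
#   sh write_iso.sh Parrot-security.iso "<sha256 published for the image>" /dev/sdX
if [ "$#" -eq 3 ]; then
    write_iso "$@"
fi
```

Take the expected hash from the download page over HTTPS rather than from the same mirror that served the ISO.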

Hardware Install

If you want to dual-boot Parrot OS with Windows, you’ll need an extra step to free up some space for Parrot. Go to the partition manager.

Right click on any partition you want to shrink to free up some space.

Now choose how much space you want to leave for Parrot OS and then click shrink. You’ll see an unallocated space at the right.

If you want to single boot your PC with Parrot Sec OS, you can skip above step.

Installation Procedure

Restart your PC and, from the boot menu, choose your bootable USB drive. The Parrot OS boot screen will be shown.

Go to install and, from there, choose Graphical install.

Select your language from the menu.

Now choose your time zone.

Now select the keyboard map based on your preferred language.

You’ll be prompted to setup your account details including your Name, username and password.

Enter the username for your account.

Then enter and verify your password. Make sure that you choose a strong password that includes special characters and numbers.

After that, Installer will start disk partitioning. If you are doing single boot install, you can choose “Guided – use entire disk” and go to the next step. If you are an expert and can do advanced partitioning then you can select “Manual” option.

But if you are dual booting it with Windows, you’ll see the option “Guided – use the largest continuous free space”.

Based on your needs, you can make separate partitions for “/home” and “/var” but if you are not sure what it is, then you can go with “All files in one partition”.

You’ll be shown with all partitioning of your disk. Now select “Finish partitioning and write changes to disk”.

Confirm the dialog “Write the changes to disks”.

Now installation begins. It will take some time, wait for it to finish off.

After this, you’ll be asked to install GRUB boot loader to the master boot record. Click “Yes”.

Specify the drive where you want to install the GRUB boot loader. Normally it’s “/dev/sda”.

After some time, it’ll finish the installation procedure and will ask you to remove USB drive and reboot to the newly installed OS.

Now that you’ve installed Parrot Security OS, you can configure it according to your needs. If you have any issues or questions related to it, you can ask in the Parrot Sec community forum https://community.parrotsec.org/ .

Conclusion

Parrot Security OS can be installed alone or alongside the Windows operating system; it can also be run inside a docker container or a virtual system like Virtualbox and VMware. How you use it depends entirely on your requirements. If you have high-end system specifications and you want to use it for testing purposes, then you might want to install it in a virtual environment instead of dual booting. If you have low system specs, then you should dual boot it with Windows or any other OS you are using, because if you install it in a virtual environment your PC might end up running slowly.

Kali Linux Versus Parrot Security OS: Pentest Linux Distribution Comparison
https://linuxhint.com/kali_vs_parrot/
Tue, 22 Jan 2019 07:36:38 +0000

Today, there are Linux distributions for all kinds of applications. While most people are familiar with general-purpose distributions like Debian, Fedora, or Arch Linux, pentest (short for penetration testing) Linux distributions are typically used only by security professionals, researchers, and hackers.

If you don’t fit into any of those categories, it doesn’t mean that you have no use for pentest Linux distributions. Regardless of whether you want to pursue a career in information security, become a Linux administrator, or just learn more about computers and networks, pentest Linux distributions let you get hands-on experience with technologies most people only read about.

In this article, we compare what are currently the two most popular pentest Linux distributions, Kali Linux and Parrot Security OS, to help you get started on your pentest journey. While you can use both Kali Linux and Parrot Security OS as your main operating system, most pentesters run them from a USB drive instead to increase their privacy and security.

Penetration Testing Explained

The Chinese general, military strategist, philosopher, and reputed author of The Art of War, Sun Tzu, said, “If ignorant of your enemy and yourself, you are certain to be in peril.”

This nugget of wisdom is especially applicable when it comes to cybersecurity because it explains why organizations and individuals alike must use the same tools as attackers to evaluate the security of their cyber defenses, which is what penetration testing boils down to.

Penetration testing makes it possible to find security weaknesses, evaluate organization’s security policy and its adherence to compliance requirements, and raise employee awareness by simulating cyber-attacks using a wide variety of security assessment tools that are available for this exact purpose.

Pentest Linux distributions are one very important category of penetration testing tools. They bring together hundreds of professional tools for security testing, software development, and privacy defense, and present them in the form of a convenient live distribution.

Kali Linux

First released by Offensive Security in March 2013, Kali Linux is arguably the most widely known pentest Linux distribution in the world. It’s derived from Debian, but large chunks of it come from BackTrack, which was the previous Linux distribution of Offensive Security.

Kali Linux has three core developers—Mati Aharoni (muts), Devon Kearns (dookie), and Raphaël Hertzog (buxy)—but they are by far not the only people who contribute to it. The distribution has thousands of supporters around the world, so bug fixes never take too long to be released, and support questions never take too long to be answered.

Bundled with Kali Linux is a massive collection of over 600 penetration testing software applications, including Nmap (a port scanner), Wireshark (a packet analyzer), Aircrack-ng (a software suite for penetration-testing wireless LANs), and many others.

Most software applications are imported from the Debian repositories, and Kali Linux itself is based on Debian Testing. Because Debian Testing is not exactly a bleeding-edge Linux distribution, it shouldn’t come as a surprise to you that software in Kali Linux is often a few versions old. The obvious benefit of including older, more tested software is stability, and Kali Linux truly excels in this regard.

To run Kali Linux, you need a minimum of 1 GB hard disk space for installation and at least 512 MB of RAM for i386 and AMD64 architectures. Both 32-bit and 64-bit images are available, and Kali Linux even supports ARM devices like Raspberry Pi, BeagleBone Black, or Odroid U2.

Parrot Security OS

Developed by Frozenbox Network, the first version of Parrot Security OS saw the light of day in 2013. Just like Kali Linux, Parrot Security OS is based on Debian’s testing branch, and it follows a rolling release development model.

The people behind Parrot Security OS include Lorenzo Faletra (palinuro), Lisetta Ferrero (sheireen), Francesco Bonanno (mibofra), Nicolas North (nikksno), and Federica Marasà (marafed). It’s true that Parrot Security OS doesn’t have such a large community of users behind it as Kali Linux, but the distribution has been gaining a lot of momentum in recent months, so things could be very different just a year or two from now.

Parrot Security OS goes beyond pentesting software applications and includes a whole host of privacy-oriented tools, as well as a full development stack with the best editors, languages, and technologies. One incredibly useful privacy-oriented tool included in Parrot Security OS is Anonsurf, which is a network anonymizer that forces all connections through Tor and/or the i2p network. Also supported are popular cryptocurrencies, including Bitcoin, making the distribution a great choice for all blockchain enthusiasts who care about their privacy.

Unlike Kali Linux, which uses GNOME 3, Parrot Security OS uses MATE as its default desktop environment. Because MATE started as a fork of GNOME 2, its system requirements are very modest, and you can feel it by how well Parrot Security OS runs on older and low-end computers. Only 256 MB of RAM for i386 and 320 MB of RAM for amd64 is required, but it definitely doesn’t hurt to have more.

There are several editions of Parrot Security OS you can choose from. Parrot Security is a complete suite of tools intended for penetration testing, digital forensics, reverse engineering, and software development. Parrot Home is a special version of Parrot Security OS designed for daily use. Last but not least, there are also special builds of Parrot Security OS, which let you run this pentest Linux distribution on various ARM devices, including Raspberry Pi, Orange Pi, and Pine64.

Conclusion

Both Kali Linux and Parrot OS are excellent pentesting Linux distributions that can help all aspiring and seasoned penetration testers uncover hidden vulnerabilities to prevent hackers with bad intentions from exploiting them. Kali Linux has a broad community of users, who are always willing to help newbies solve any problems they might have. Parrot Security OS, on the other hand, stands out with its strong technical team and recent popularity surge.
