I had a request to review Parrot OS. I haven’t looked at it in quite some time, so I downloaded the latest from: https://www.parrotsec.org/
What is it?
In short, Parrot Security OS is a security/anonymity/pentesting distribution of Linux, similar to Kali. It is Debian-based, and they too have gone to a “rolling” release of the operating system and tools. This is a security project from https://www.frozenbox.org/, which has several other security-oriented products and services, such as public DNS, encrypted XMPP/IRC chat, certificate authority, etc.
In short, Parrot OS is basically a customized version of Debian Linux which has all of the industry-standard pentesting tools like Kali has, but this also has anonymity features such as i2p, tor, bleachbit, AnonSurf, etc. – and also has regular Linux-y stuff like LibreOffice, IceDove, Hexchat, etc. This also uses the Mate window manager instead of regular Gnome or KDE too.
Here’s a quick look at the login greeter, and some of the menus:
I played around with it for a while, and everything seems to work like it should. Really, in a custom distro, it just comes down to whether you like what was assembled. And generally, yeah – this is pretty cool, and best of all, everything works like it should.
If there is any negative, it’s just around the concept. Whether you are pentesting or being a black hat, you REALLY need to have clean opsec. That means ZERO chance of your contaminating your machine with your live/personal data. So, if you have a pentesting rig, it really shouldn’t have e-mail on it for example. You should have one environment for security stuff, and a different, discrete environment for your personal stuff – not even on the same hard drive.
This distribution seems like it’s trying to be everything to everyone: you have your pentest tools, but you also have your creature comforts of e-mail and IM. Although that is great, that (to me) seems like it’s just a matter of time before some people might slip-up. For example, when you open fb link in Firefox, you correlate your Facebook cookie with that anonymized connection where you just performed your hack, tying you, potentially criminally, to an event! It’s super easy to have your personally-identifiable data leak into your other work.
So I guess the conclusion I come to is that I want a pentesting rig to be specialized and ONLY have what I need for those sorts of activities. If I also feel “comfortable” enough to use my personal stuff on that setup, that’s a recipe for disaster (for me, at least)!
With that said, there isn’t anything about the distribution that forces you to be sloppy, it’s just something to consider. Arguably too, the target audience could be someone who LIVES in their pseudonym. In which case, e-mail, IM, facebook, etc of their “hacker identity” is not as dangerous to potentially leak. For example, a reporter, whistleblower, or dissident might use all of these features effectively, and safely.
In the end, it looks like a totally comparable alternative to Kali (plus a bunch more), if you are looking for a new distribution!