CyberLizard : One Click Hacking's Back!
Insinia recently came across a newly released Hacking / Pen Testing OS: Parrot OS 1.9 : CyberLizard This blog will go through this new OS, it's functionality and why, if you're an IT pro who deals with attacks, it's probably just about to ruin your day! For years Pen Testers, including us, have favoured Kali Linux and it's predecessor, BackTrack. The guys at Offensive Security did (and do) an amazing job in developing and maintaining Kali and offering training for PenTesters and Ethical Hackers. Developing a stable version of a Debian based Linux OS, as well as a full training programme, is no small task! For the Linux buffs; Kali offers a tonne of functionality. Most hackers and PenTesters I know are in awe of Kali, and probably wouldn't be where they are now without it. It offers great structure, and is a seemless combination of information, tools and resources. If you know your way around Linux and PenTesting then you can fire up Kali and be carrying out pretty serious staged attacks in no time. It's fair to say that you have to take the rough with the smooth. Where good guys use Kali and other similar tools; bad guys do too. But Kali's not specifically designed for nefarious hacking, it's designed for Pen Testing, so you won't find any in-built anonymizers or VPN's running as standard. If you want to be secure and stealthy with Kali then it takes a bit (but not loads) of configuring. This often put people off using it at a lower level, forcing hacking groups such as Anonymous to distribute simpler Windows .exe based tools such as LOIC, HOIC etc. Groups can distribute these small exe files to every actor, allowing them to quickly and simply collectively hack a target. Sending each user instructions on how to boot/virtualize Kali, anonymise themselves and carry out a CL based attack would be far, far more effort, and would result in less people following through to the execution of an attack. This, in my opinion, is a good thing. It weeds out the LOIC using script kiddies from Kali, whilst providing a relatively simple platform for professional testers who have the required knowledge to use it. This means that I can use the exact same tools I was using at the command line 10 years ago, but I don't have to be exclusively at the Terminal, and I can do things far more quickly than before.
But with progression comes change, and Parrot's just changed the game. Completely. Parrot OS 1.9 : CyberLizard, the newest Debian based Hacking OS, has made an easily accessible, highly comprehensive armoury of tools openly available to the next generation of hackers. And that can't be good news. Whether people want to be malicious, mischievous, active or other; CyberLizard has just given everyone with a computer the tools and equipment needed to carry out instant and easy attacks against any size target. Including you. We first heard about CyberLizard a few days ago, and we had it fired up and running within 5 minutes of visiting the ParrotSec site. At 1.8GB it's smaller than Kali, lightweight, fast and, thus far, pretty impressive! Using CyberLizard : What's Included? CyberLizard has a range of tools, documents and resources. From metasploit to dictionaries and scripts; it's all here and open for anyone to use as they so desire. The first thing that stood out is the integrated stats panel, which is automatically in the background on startup. For those of you who are fans of Ubersicht or other similar tools; CyberLizard displays on screen readouts of vital stats including RAM usage, net traffic in/out, CPU usage, HDD usage and much more.
The next thing to catch our attention pretty quickly was the in-built "AnonSurf" anonymiser control panel. One click and you're anonymous, routing through the powerful TOR network or anywhere else you so wish. A powerful tool for anyone looking to hide themselves. That includes most nefarious hackers / hacktivists!
As we continued to delve deeper we came across an interesting feature on offer by CyberLizard. By placing the OS in to "PenMode" you instantly have a range of powerful "Stress Testing" (DoS) tools at your fingertips. These are offered as GUI's, making it quick and easy for someone with almost no technical knowledge to carry out some seriously powerful attacks.
Stress Testing Tools
CyberLizard is also crammed full of hacking tools, including Information Gathering, Vulnerability Scanning, Stress Testing, Forensics and Reporting facilities. This is clearly inspired by Kali, and ParrotSec has added a range of new features to improve the user experience. These include a start-menu type button at the bottom left for a more intuitive Windows feel. It's a nice system to use, and ParrotSec have clearly put a lot of work in to the development and production of this powerful new OS.
Info Gathering Tools
Exploitation Tools (inc. Metasploit Framework)
So what does this actually mean to our clients, Net Admins or any business owner? Well, quite simply; it means things just got a whole lot harder for you! Arguably; a hacker can't achieve anything in CyberLizard that they couldn't achieve in Kali. But they can do it much more quickly and easily, and therein lies the problem. Gone are the days where you need to know coding, Linux, networks, OS's, infrastructure and more to carry out a successful attack. Now you just need CyberLizard and an internet connection. No prior knowledge required. If you own or manage a website, e-mail service or anything that can be ground to a halt by a DoS attack; CyberLizard, and the tools within it, have just created a big problem for you. Any hacker, wannabe hacker or kid can download CyberLizard and smash your services apart, usually within a matter of seconds. If they use CyberLizard's built-in anonymising tools then it's going to be extremely hard to detect, defend and differ. Probably not the news you wanted to hear... It's open to debate whether CyberLizard's a good or bad thing.
Yes; it has made hacking easier for "noobs", and that will, in turn, create a much higher volume of what was, until now, a somewhat intricate attack. But on the flipside...
No, it hasn't allowed anyone to achieve anything that a competent hacker couldn't do with Kali anyway. ParrotSec haven't re-invented the wheel. They've just made it far more accessible to the previously unseen masses. If you've got a skilled hacker after your business then CyberLizard won't make any difference to you whatsoever. Chances are that you'll still experience the same attacks that you would have done before. But if you've got a lot of hactivists or low level hackers probing away... You might want to consider new protection protocols. The tools to take down your business just became a lot easier to use, a lot more accessible, and a lot more dangerous. And that's never a good thing. But there is light at the end of the tunnel. The best way to force someone to improve something is to hack it. By hacking things we find exploits and vulnerabilities that are fixed to make the service better and more secure. Using professional methods, such as the ones deployed by Insinia; you can protect from these attacks. But it's not easy, and you can't do it alone. As hacking gets easier; defending gets harder. Insinia offer full Penetration Testing, Incident Response and Data Management services. Insinia emulate these types of attacks and work with you to protect from them, helping you to pre-emptively mitigate them before they happen.
Don't get caught out by being left behind in the industry. Insinia work with you to protect and maintain your sensitive information and data. We work tirelessly, 24/7, to ensure we stay one step ahead. Let us do the hard work for you.... It's what we're good at!
Don't let yourself or your company become a victim of cybercrime. There's no excuse.