Parrot security and Ubuntu Focal templates

enmus · April 21, 2022, 2:09pm

My bad

mantis999 · April 21, 2022, 2:53pm

I think this could be to do with the signing of the .rpm

When following these instructions:

You will need to copy the key in to dom0:
qvm-run -p qube 'cat PATH_TO_KEY ' > unman.pub
and then import it: sudo rpm --import unman.pub

I get error: unman.pub: import read failed(0)
and
error: unman-public.pgp: import read failed(0)

B_ryr · April 23, 2022, 6:37pm

Thanks unman for your hard work, enjoy everything you and the others do…New parrot template unman did installed just fine. With the new parrot template the apps are not launching right. If I click like “run terminal” and parrot template will start but it will not launch “run terminal”. I have to go back in and click it again then it will populate.
Also I can’t install like “terminator” or even update/upgrade…
I am getting…
Ign:1 http://HTTPS///deb.parrot.sh/
500 Unable to connect [IP: 127.0.01 8082]
Err:1 Failed to fetch http://HTTPS//

How do I fix this?
Do I have to edit or remove

B_ryr · April 23, 2022, 10:19pm

Parrot will not update from qubes manager as well. I right click on parrot template and click on update and nothing happens. Thought I would just add that.

enmus · April 23, 2022, 11:33pm

Rolling distros - Parrot, Arch, Kali
Templates like Parrot or Kali are based on Debian testing.
To avoid breakage when updating, the core Qubes packages are on hold.
This means that they will not be updated.
You can confirm this by running apt-mark showhold in the template.
apt-mark unhold will remove the hold, and allow you to update the Qubes packages.
I suggest you restore the hold apt-mark hold to make sure that the Qubes packages are not removed when updating other packages.
So, while updating a template you will see that some packages cannot be upgraded because they will conflict with the Qubes packages.
Periodically, in the template, remove the hold on the Qubes packages. Update the package list with apt update and then update the Qubes packages - either manually with apt install... , or using a manager like aptitude, and selecting Qubes packages for upgrade.
Once the upgrade has been completed, put the Qubes packages back on hold, and upgrade again.
Undoubtedly a pain, but less than the pain of breaking your qubes, and having to crawl backwards to get them working again.
Then again, if you use aptitude you would be able to see what changes would be made, opt to retain the Qubes packages - always keep the Qubes packages , and avoid breakage that way. This depends on you looking to see what changes will be made and acting accordingly. Using apt-mark hold will take some pressure off.

https://qubes.3isec.org/Templates_4.1/README.html

blatchard · May 6, 2022, 12:14am

I have to admit, i’m totally confused by what this is and what it does, I changed my sources to just https, but i’m fairly sure that isn’t the idea? searched the forum and the net for “https://HTTPS///” and didn’t come up with anything.

Scrolled further back on this post and saw about apt-cacher-ng. Am sticking with changing to https as I don’t really need this.

unman · May 23, 2022, 12:39pm

I’ve been away.

The repos are configured to use a caching proxy.
Any proxy has to find a way to deal with encrypted requests -
https://…

Some solutions are:
MITM - the proxy intercepts the request, sends it own https request, and
returns cached
Don’t cache https request
Rewrite the client request: http://HTTPS/// means that the request is
sent to the proxy as http, and the proxy then rewrites it to https://
This means that outbound traffic still uses https, but the proxy can see
all requests and cached the packages.

Rewriting the repository definitions is fine:
sed -i s^http://HTTPS///^https://^ REPO_DEFINITION will do it.

B_ryr · May 23, 2022, 5:44pm

Thank you uman for all your help!
Glad you are back

B_ryr · May 24, 2022, 10:43am

Could someone explain how or where I would do this?

Is there a path to a file where I would enter this?
Example…sudo nano /etc/?/?

tzwcfq · May 24, 2022, 10:52am

I guess it’s for /etc/apt/source.list and /etc/apt/source.list.d/* but you can search for the files with this:

sudo grep -lr "http://HTTPS///" /etc

And if it’s source.list files then you can replace strings like this:

sudo sed -i s^http://HTTPS///^https://^ /etc/apt/source.list /etc/apt/source.list.d/*

B_ryr · May 24, 2022, 6:01pm

@tzwcfq thank you, I will try that later

unman · May 25, 2022, 3:44pm

sed is a Stream EDitor - it allows you to make changes to files.
Breaking it down:

REPO_DEFINITION - the file (or files) you want to change.
-i - edits files in place. Without this the edited file will be
shown in the terminal, but the original file will not be changed.
s ^TEXT^REPLACEMENT^ - Substitutes TEXT with REPLACEMENT - you can
use other delimiters

So the whole line will change the text http://HTTPS/// to https://
everywhere in the files you specify.

sed is a great tool for mass editing, and has many features.
Useful tip - If you use sed -ibk then the file will be edited in place but a backup
will be stored with suffix you specify - in this case bk

Joost · October 24, 2022, 6:29pm

Thanks @unman, and thank you to the qubes team for creating/maintaining this great project. I used it 4 years ago, however, due to school i had to switch back to Windows. Now, 4 years later, i can use Qubes for work, school, pentesting etc. etc.!

CanIGetHelp · December 4, 2022, 11:53pm

I have captured wifi handshakes using Parrot OS in Qubes.
I need to extract these handshakes from my Parrot VM and send them to a different VM.

I don’t see any file system application available within my Parot OS VM.

What commands can be ran in the CLI to extract my handshakes to a different VM?

enmus · December 5, 2022, 7:20pm

This post is duplicate of

and completely offtopic.

ConoRZ · March 9, 2023, 11:18am

any updates on here? i also installed unmans cacher now because i thought this would be the problem.
if i try sudo apt update i would get this back:

┌─[✗]─[user@parrot-hacking]─[~]
└──╼ $sudo apt update
Ign:1 https://deb.parrot.sh/parrot parrot InRelease
Ign:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease                                  
Ign:3 https://deb.parrot.sh/parrot rolling-security InRelease                              
Ign:1 https://deb.parrot.sh/parrot parrot InRelease  
Ign:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
Ign:3 https://deb.parrot.sh/parrot rolling-security InRelease
Ign:1 https://deb.parrot.sh/parrot parrot InRelease  
Ign:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
Ign:3 https://deb.parrot.sh/parrot rolling-security InRelease
Err:1 https://deb.parrot.sh/parrot parrot InRelease  
  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 8082]
Err:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease
  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 8082]
Err:3 https://deb.parrot.sh/parrot rolling-security InRelease
  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 8082]
Reading package lists... Done                        
E: Failed to fetch https://deb.parrot.sh/parrot/dists/parrot/InRelease  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 8082]
E: Failed to fetch https://deb.parrot.sh/parrot/dists/rolling-security/InRelease  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 8082]
E: Failed to fetch https://deb.qubes-os.org/r4.2/vm/dists/bookworm/InRelease  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 8082]
E: Some index files failed to download. They have been ignored, or old ones used instead.
┌─[✗]─[user@parrot-hacking]─[~]
└──╼ $

i also tried kali (but not the one from unman, the community one from the template-gui) and if i would fully update it, i would get a qrexec error, so it cant start.
im using the parrot-full btw.
and cacher should be fine, because if i want to update, i can see the cacher is starting

unman · March 9, 2023, 3:24pm

You are using the apt-cacher-ng proxy, but are still using https
requests in the repository definitions.
You need to change these - sed -i s^https://^http://HTTPS///^ applied
to repo defs will do it.
Alternatively run sudo qubesctl --skip-dom0 --targets=TARGET state.apply cacher.change_templates
This is explained in the README

Make sure that you have marked the qubes packages on hold - if you use
aptitude you are able to do this in a GUI - check the menus.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

ConoRZ · March 9, 2023, 3:38pm

oh yeah i run the sed command because i read above this should fix the issue, but it didnt, run again this sed command which would set it back to http, but also didnt helped.
anyhow, i deleted this parrot installation and cloned it again

the sudo qubesctl command is meant to run in dom0?

the hold should be here per default?

┌─[user@parrot-hacking]─[~]
└──╼ $apt-mark showhold
grub-pc
linux-image-amd64
qubes-core-agent
qubes-core-agent-networking
qubes-gui-agent

everytime if i want to install protonvpn (installing the .deb package) the parrot and kali os would break

ConoRZ · March 11, 2023, 4:43pm

ok i fixed everything now and would explain what ive done so, if anyone got the same issues, he could fix it, but anyhow i still got some issues, would explain them later, heres the write up:
first, i disabled cacher again in the dom0 terminal:

cat /etc/qubes/policy.d/30-user.policy

this should put out a line like:

qubes.UpdatesProxy * @type:TemplateVM @default allow target=cacher

so i vim`d into it:
sudo vim
and commented the line out

sudo apt update got still errors so i run the command:

sudo sed -i s^http://HTTPS///^https://^ /etc/apt/sources.list.d/*

then i run in parrot sudo apt update and got an error message like:

key is stored in legacy trusted gpg keyring

what i have done were:

sudo cp -r /etc/apt/trusted.gpg ~
mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/

now almost everything worked, to install quassel i had to run sudo aptitude install quassel

but now my issue here:
i also installed the proton deb and run a sudo apt update.
if i want to install with apt it doesnt work
with aptitude it would work but it wants to remove these packages:

      Remove the following packages:                                  
1)      python3-qubesdb [4.2.1-1+deb12u1 (<NULL>, now)]               
2)      qubes-core-agent [4.2.1-1+deb12u1 (now)]                      
3)      qubes-core-agent-network-manager [4.2.1-1+deb12u1 (now)]      
4)      qubes-core-agent-networking [4.2.1-1+deb12u1 (now)]           
5)      qubes-gui-agent [4.1.27-1+deb12u1 (now)]                      
6)      qubes-vm-dependencies [4.2.2-1+deb12u1 (<NULL>, now)]

same behavior if i want to install terminator.

is there a way to install terminator and / or protonvpn without installed gui agent etc.?
guess these are dependencies which i have to keep, if i would uninstall them, this qube wouldnt work anymore?

unman · March 12, 2023, 2:00pm

I should say that I have no issue updating Parrot using apt-cacher-ng.

If you install a new template when cacher is installed you can use
sudo qubesctl --skip-dom0 --targets=NEW_TEMPLATE state.apply cacher.change_templates

To restore the original repo definitions you can use:
sudo qubesctl --skip-dom0 --targets=NEW_TEMPLATE state.apply cacher.restore_templates.

This is covered in the README

This is a warning, not an error.
If you use the latest Parrot build the key is stored on disk.

I find this strange since the kali template has terminator installed
alongside those packages.
As far as I can see the terminator package in Parrot requires
downgrading various python packages, which would break some qubes
packages.
You need to wait until the terminator package is updated.

This is one of the issue you find when using anything based off a
testing release - things will break if you are not careful.