Merging KALI LINUX WITH TAILS: Improving a Kali Linux system for anonymity (Tor, RAM wipe, secure-delete, and LUKS+NUKE)
Hello everyone. This post is the result of a lot of work on different ways to improve your security while hacking.
Let's go! If you want direct instructions, skip the next part. If you want a better in-depth understanding, read the whole article.
0 - Our goal
- Make Kali Linux get features similar to TAILS
- Set up an encrypted LUKS partition with a NUKE feature
What is TAILS ?
https://tails.boum.org/
TAILS, also well known as the OS Edward Snowden used when he leaked NSA documents, is a Tor-based secure Linux.
This OS is based on Debian and offers three major features:
- Runs only in RAM, so it leaves no traces on the hard drive, uses no swap, and wipes RAM at halt
- Routes all outgoing/incoming connections through Tor and uses OpenDNS
- Persistence only if asked for at boot, sudo ability only if asked for at boot
Why don't we simply use TAILS and import Kali's tools into it?
Believe me, I tried... I started from the idea of these two articles (yeah, I like this guy):
http://leaksource.info/2014/08/09/hack-back-a-diy-guide-for-those-without-the-patience-to-wait-for-whistleblowers/
http://leaksource.info/2014/11/09/recommendations-for-the-hacktivist-community/
I wanted to configure an encrypted persistence and get the sources/binaries of some of the most-used hacking tools, but:
1) It's a pain in the ass
2) TAILS is damn slow
3) DNS!!! DNS in TAILS is done in a weird way which uses Tor and OpenDNS to make DNS queries, and each time I tried to run a tool I got a "Couldn't resolve hostname".
I tried digging, got discouraged, and gave up.
So how will we get TAILS features in Kali?
- Running in RAM only -> use Kali Linux Live forensic mode
- Leave no trace on the computer we use nor on the USB key we use -> Kali Linux forensic mode plus a few scripts to wipe RAM and securely delete all traces
- Use a script to route everything through Tor
What are LUKS and NUKE?
- LUKS is the Linux standard for disk encryption
https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
Your main passphrase is run through a key derivation function, and the result is used to encrypt the master key; the master key is what actually encrypts your data.
- NUKE is an added feature which lets you set up a "self-destruct" passphrase: when you enter it, the master key stored in the LUKS header is overwritten, making decryption impossible. It's as if you wanted to crack a hashed password, but the hash itself had been overwritten.
1 - Introduction to Paranoia: Why "rm" and "halt" are not enough
Do you know about cold boot attacks? https://en.wikipedia.org/wiki/Cold_boot_attack
To keep it simple: even if your hard drive is encrypted, your system doesn't encrypt the RAM. Moreover, RAM is somewhat persistent: once you have halted your system, the bits (which are basically just stored electrical charge) can keep their state for around 5 minutes (though the information degrades over time).
The attack cools the computer/RAM down and boots it in a special way that does not overwrite the RAM, so its state is kept and can be saved.
In this way an attacker or law enforcement can get sensitive data from your computer, which may compromise you.
Is it realistic? No. We haven't yet seen law enforcement / SWAT / special agents break into places with liquid nitrogen or things like that.
BUT that is no reason to say it can't happen.
What will we do to prevent it? Wipe the RAM at shutdown: overwrite the memory with zeros, random data, special patterns, etc.
Why don't we want it to happen? Maybe it would leak proof of the illegal hack you were doing, maybe it would leak part of your LUKS encryption key.
We'll use the same idea when deleting our files:
A simple "rm" only tells the filesystem that the space allocated to the file is available again. The data is still there, just not visible; it stays somewhere on the hard drive.
But aren't we already running in RAM? What's the point in wiping data?
We'll make sure that no traces stay in RAM nor on the USB stick. The idea stays the same: even if there's no persistence, the USB stick is used to run the system, so it WILL leave traces. Just WIPE EVERYTHING.
Moreover, this will let us wipe potentially sensitive data from our LUKS encrypted partition (it's encrypted, right? Yes, but be paranoid).
Oh, and obviously, boot the live USB in KALI FORENSIC MODE.
2 - The tools we'll use: secure-delete and cryptsetup
secure-delete: this package contains several useful utilities for the secure removal of files, folders, RAM and swap.
Tools we'll use from this package: srm and sdmem.
They work on the same principle: overwrite with zeros, then overwrite with random and special data.
Advantage over 'shred': srm is recursive, shred is not.
cryptsetup:
The standard utility for setting up LUKS encrypted partitions.
Tor:
Seems obvious. If you're new to this -> https://www.torproject.org
3 - Setting up the USB stick
a) Global idea: the USB key will have three partitions:
Partition 1) Kali system
Partition 2) LUKS encrypted
Partition 3) A little unencrypted space
The cryptsetup and secure-delete packages aren't included by default in Kali's installation. We want to install them when we boot up, without having to apt-get them each time. So we need a place to store the Debian packages and our setup scripts; that's why we need a little unencrypted space (partition 3).
b) Partitioning:
Just run GParted and make sure there are three partitions.
- Leave the first partition alone (Kali system)
- Make the second one large enough; it will hold the LUKS container
- Make the last one small; we'll store packages and scripts there, a few MB are enough (~50)
c) Downloading the cryptsetup, tor and secure-delete packages:
https://packages.debian.org/fr/squeeze/cryptsetup
https://packages.debian.org/sid/utils/secure-delete
https://packages.debian.org/squeeze/tor
Move them to your little unencrypted partition.
Installing them:
dpkg -i [package name]
SCRIPT THAT!!
d) Setting up LUKS on partition 2
Check this blog:
http://martiensk.blogspot.fr
Here's the sequence of commands; for more details check the link above:
(I copied/pasted the commands and some text, thanks for your cool write-up man)
Set up the partition and passphrase:
cryptsetup --verbose --verify-passphrase -h sha512 luksFormat /dev/sdXX
(note the -h sha512 for more security) (type your passphrase twice; honestly, make it long, hard, complicated...)
Open it with cryptsetup:
cryptsetup luksOpen /dev/sdXX my_usb
To double-check that it is indeed opened, run ls /dev/mapper | grep usb. If your terminal returns my_usb, the container is successfully opened.
Format and label it:
mkfs.ext4 -L persistence /dev/mapper/my_usb
e2label /dev/mapper/my_usb persistence
Mount it (for real this time ;) ):
mkdir -p /mnt/my_usb
mount /dev/mapper/my_usb /mnt/my_usb
Unmount it once done and close it:
umount /dev/mapper/my_usb
cryptsetup luksClose /dev/mapper/my_usb
Set up the NUKE feature:
cryptsetup luksAddNuke /dev/sdXX
You might want to set up a backup to reverse the nuke; I don't want one.
(Oh, and by the way, type LUKS in Google Images, you should also find a sexy model)
Oh, and I'll save you the time of typing it on your keyboard:
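As an added example (not the author's script, nor code from the blog linked above), here is the whole sequence wrapped in a script with the guards a practitioner wants before pointing luksFormat at a device: it refuses whole disks, non-block-devices and anything currently mounted. It assumes root, a cryptsetup that carries the luksAddNuke patch, and a partition node given on the command line (/dev/sdb2 in the comments is hypothetical).

```shell
#!/bin/sh
# Added example, not the script from the original post: automates the
# cryptsetup sequence above, with guards so it cannot be pointed at a whole
# disk or at a device that is currently mounted.
# Assumes a cryptsetup with the luksAddNuke patch, root privileges, and a
# partition node such as /dev/sdb2 (hypothetical; pass your own).
set -eu

# Accept only partition nodes (/dev/sdb2, /dev/nvme0n1p3, /dev/mmcblk0p2),
# never whole disks (/dev/sdb). Pure string check, so it is testable offline.
is_partition_node() {
    case "$1" in
        /dev/sd[a-z][0-9]*|/dev/sd[a-z][a-z][0-9]*) return 0 ;;
        /dev/nvme[0-9]*n[0-9]*p[0-9]*|/dev/mmcblk[0-9]*p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when DEV appears as a mounted source in MOUNTS (a /proc/mounts-style
# file; defaults to the real one).
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { if (found) exit 0; exit 1 }' "${2:-/proc/mounts}"
}

# setup_luks DEV [MAPPER_NAME]: luksFormat, open, mkfs, test-mount, close,
# then add the nuke passphrase. Any failing step aborts the script (set -e).
setup_luks() {
    dev=$1
    name=${2:-my_usb}

    is_partition_node "$dev" || { echo "refusing: $dev is not a partition node" >&2; return 1; }
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 1; }
    is_mounted "$dev" && { echo "refusing: $dev is mounted" >&2; return 1; }
    [ -e "/dev/mapper/$name" ] && { echo "refusing: /dev/mapper/$name already exists" >&2; return 1; }

    # sha512 as the key-slot hash, as in the post; the passphrase is asked twice.
    cryptsetup --verbose --verify-passphrase -h sha512 luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    [ -e "/dev/mapper/$name" ] || { echo "luksOpen did not create /dev/mapper/$name" >&2; return 1; }

    mkfs.ext4 -L persistence "/dev/mapper/$name"
    mkdir -p "/mnt/$name"
    mount "/dev/mapper/$name" "/mnt/$name"      # test-mount only
    df -h "/mnt/$name"
    umount "/mnt/$name"
    cryptsetup luksClose "$name"

    # Nuke passphrase: entering it at unlock time wipes the key slots.
    cryptsetup luksAddNuke "$dev"
    echo "done: $dev is a LUKS container with a nuke passphrase"
}

# Only act when a device was given; with no arguments just define the functions.
[ $# -eq 0 ] || setup_luks "$@"
```

Run it as ./setup-luks.sh /dev/sdXX (the hypothetical partition node) from the live system. The two guard functions are deliberately pure so they can be exercised without a real device; the string check on the device name is what prevents the classic mistake of formatting /dev/sdb when /dev/sdb2 was meant.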
4 - Automatic secure-delete and secure RAM wipe on halt
Before I begin, a little note: I did my research to make Kali look like TAILS. TAILS actually does not use secure-delete (sdmem) to wipe RAM, as they found a minor flaw in it. They use kexec to boot into a memtest86+ image that was patched to run and rewrite RAM securely.
https://tails.boum.org/blueprint/more_efficient_memory_wipe/memtest86plus/
Though I tried to patch memtest86's sources and kexec it, I failed multiple times; if you want to try, everything is described at the link above.
That's why I'll only use secure-delete's sdmem.
a) Our goal:
Execute some instructions on halt:
1) Wipe all RAM using sdmem
2) Delete the root home directory and some /usr/share and /etc directories, to make sure no traces of the execution of our tools are left.
b) How to do it?
Here's a simple explanation; if you want more info, search for '/etc/init.d', '/etc/rc0.d', 'update-rc.d' and Linux runlevels.
If you look closely when you halt your computer, you'll see Linux executing some commands, stopping services, etc. These instructions are executed from scripts present in '/etc/init.d/', which are symlinked into '/etc/rcX.d/'.
The 'X' is the number of one of the rc directories (rc0.d, rc1.d, rc2.d, ...), each of which corresponds to a Linux runlevel: for example rc0.d is for halt, rc6.d for reboot...
To execute a script at halt, you have to put it in /etc/init.d/ and then symlink it into the right rcX.d directory (or use update-rc.d).
The order of execution is alphabetical. But we don't want to end up somewhere in the middle of that order: we want to execute the RAM and file wipe just before the system cuts the power.
We don't have to write a brand new script; we can just modify the halt script located at /etc/init.d/halt and symlinked as /etc/rc0.d/K13halt (K13 is the last to execute).
Or better, we can just remove the /etc/init.d/halt script, replace it with ours, and chmod it 755.
That's what we'll do. Here's my halt script; maybe you'll modify it. It was originally designed to be an emergency script, so it trades some wipe thoroughness for (much) more speed:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          halt
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:      0
# Short-Description: Execute the halt command.
# Description:
### END INIT INFO

NETDOWN=yes

PATH=/sbin:/usr/sbin:/bin:/usr/bin
[ -f /etc/default/halt ] && . /etc/default/halt

. /lib/lsb/init-functions

do_stop () {
    if [ "$INIT_HALT" = "" ]
    then
        case "$HALT" in
          [Pp]*)
            INIT_HALT=POWEROFF
            ;;
          [Hh]*)
            INIT_HALT=HALT
            ;;
          *)
            INIT_HALT=POWEROFF
            ;;
        esac
    fi

    # See if we need to cut the power.
    if [ "$INIT_HALT" = "POWEROFF" ] && [ -x /etc/init.d/ups-monitor ]
    then
        /etc/init.d/ups-monitor poweroff
    fi

    # Don't shut down drives if we're using RAID.
    hddown="-h"
    if grep -qs '^md.*active' /proc/mdstat
    then
        hddown=""
    fi

    # If INIT_HALT=HALT don't poweroff.
    poweroff="-p"
    if [ "$INIT_HALT" = "HALT" ]
    then
        poweroff=""
    fi

    # Make it possible to not shut down network interfaces,
    # needed to use wake-on-lan
    netdown="-i"
    if [ "$NETDOWN" = "no" ]; then
        netdown=""
    fi

    # Wipe RAM first (-f fast, -ll one pass only: speed over thoroughness),
    # then securely delete the directories our tools may have written to.
    log_action_msg "Wiping RAM"
    sdmem -fllv
    srm -llrvz /root \
        /usr/share/apache2 /usr/share/armitage /usr/share/arp-scan /usr/share/arpwatch \
        /usr/share/beef-xss /usr/share/dirbuster /usr/share/dns* /usr/share/dsniff \
        /usr/share/fierce /usr/share/gcc /usr/share/gdb /usr/share/hashcat* /usr/share/hydra \
        /usr/share/iceweasel /usr/share/isr-evilgrade /usr/share/java* /usr/share/joomscan \
        /usr/share/macchanger /usr/share/metasploit-framework /usr/share/mozilla \
        /usr/share/mysql /usr/share/nano /usr/share/ncap* /usr/share/ncat-w32 /usr/share/nikto \
        /usr/share/ollydbg /usr/share/openvas /usr/share/openvpn /usr/share/p0f \
        /usr/share/perl* /usr/share/php5 /usr/share/postgresql /usr/share/postgresql-common \
        /usr/share/power* /usr/share/python* /usr/share/samba /usr/share/sqlmap \
        /usr/share/ssl* /usr/share/w3m /usr/share/w3af /usr/share/vlc /etc

    log_action_msg "Will now halt"
    halt -d -f $netdown $poweroff $hddown
}

case "$1" in
  start)
    # No-op
    ;;
  restart|reload|force-reload)
    echo "Error: argument '$1' not supported" >&2
    exit 3
    ;;
  stop)
    do_stop
    ;;
  *)
    echo "Usage: $0 start|stop" >&2
    exit 3
    ;;
esac

:
Notice the "srm" line and all the directories listed. Modify it according to your needs and to the tools you use most.
Also adjust the srm and sdmem options if you want a more thorough (slower) wipe.
Commands to install it:
rm /etc/init.d/halt
cp myhaltscript /etc/init.d/halt
chmod 755 /etc/init.d/halt
Let's recap this with a little script:
#!/bin/sh
set -e
echo "Installing cryptsetup and secure-delete"
dpkg -i cryptsetup_1.1.3-4squeeze2_i386.deb
dpkg -i secure-delete_3.1-6_i386.deb
echo "Removing original /etc/init.d/halt"
rm /etc/init.d/halt
echo "Copying improved halt"
cp K13halt_emergency2 /etc/init.d/halt
chmod 755 /etc/init.d/halt
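A check to run after the recap script, as an added example that is not from the post: it verifies the three things the explanation in b) relies on, namely that /etc/init.d/halt calls sdmem, then srm, then halt in that order; that the halt entry is the last K* entry in /etc/rc0.d (so the wipe really is the final step); and that this entry is a symlink to /etc/init.d/halt rather than a stale copy. The directory arguments exist so the check can be pointed at a test tree; the tree built in the usage example is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the halt hook was
# installed as described above. The directory arguments let the checks run
# against a copy or a test tree instead of the live /etc.
set -eu

# The replacement halt script must run sdmem, then srm, then halt, in that order.
halt_script_has_wipe() {
    f=$1
    [ -f "$f" ] && [ -x "$f" ] || return 1
    s=$(grep -n '^[[:space:]]*sdmem ' "$f" | head -n 1 | cut -d: -f1)
    r=$(grep -n '^[[:space:]]*srm ' "$f" | head -n 1 | cut -d: -f1)
    h=$(grep -n '^[[:space:]]*halt ' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$s" ] && [ -n "$r" ] && [ -n "$h" ] || return 1
    [ "$s" -lt "$r" ] && [ "$r" -lt "$h" ]
}

# sysv-rc runs /etc/rc0.d/K* in glob (byte) order, so the lexically last K
# entry is the one that runs last; the post relies on that being K13halt.
last_kill_script() {
    ls -1 "$1" 2>/dev/null | grep '^K' | LC_ALL=C sort | tail -n 1
}

# verify_halt_hook [INIT_D_DIR] [RC0_D_DIR]: 0 when the hook is correctly installed.
verify_halt_hook() {
    initd=${1:-/etc/init.d}
    rc0=${2:-/etc/rc0.d}
    halt_script_has_wipe "$initd/halt" \
        || { echo "FAIL: $initd/halt does not run sdmem, srm and halt in that order" >&2; return 1; }
    last=$(last_kill_script "$rc0")
    case "$last" in
        K*halt) ;;
        *) echo "FAIL: '$last' runs last in $rc0, not the halt script" >&2; return 1 ;;
    esac
    [ "$(readlink -f "$rc0/$last")" = "$(readlink -f "$initd/halt")" ] \
        || { echo "FAIL: $rc0/$last does not point at $initd/halt" >&2; return 1; }
    echo "OK: $rc0/$last -> $initd/halt wipes RAM and files as the last step of halt"
}

# Usage: ./check-halt-hook.sh /etc/init.d /etc/rc0.d
# With no arguments the functions are only defined (so the file can be sourced).
[ $# -eq 0 ] || verify_halt_hook "$@"
```

Run it as ./check-halt-hook.sh /etc/init.d /etc/rc0.d on the live stick. If some other entry sorts after K13halt, the wipe would run before that entry instead of right before the power is cut, which is exactly the ordering problem the section above cares about; if the halt entry is a plain file instead of a symlink, a later edit of /etc/init.d/halt would silently not be picked up.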
5 - Routing ALL traffic through Tor
Seems like we've secured our local system. What now? Route everything through Tor, and use some proxies/VPN for a bit higher security.
Lots of tutorials on the web explain "how to use nmap through Tor" (or any other tool) using privoxy. Here I'm showing you a better way, to be sure to route EVERYTHING through Tor and avoid DNS leaks.
The script below is taken from the Parrot OS scripts. Parrot OS is another nice security-focused distro.
Source: https://github.com/EclipseSpark/anonsurf/blob/master/anonsurf.sh
This script is a modification of the original BackBox anonymous script:
https://github.com/raffaele-forte/backbox-anonymous
#!/bin/bash
### BEGIN INIT INFO
# Provides:          anonsurf
# Required-Start:
# Required-Stop:
# Should-Start:
# Default-Start:
# Default-Stop:
# Short-Description: Transparent Proxy through TOR.
### END INIT INFO
#
# AnonSurf is inspired by the homonimous module of PenMode, developed by the "Pirates' Crew" in
# order to make it fully compatible with
# Parrot OS and other debian-based systems, and it is part of
# parrot-anon package.
#
#
# Devs:
# Lorenzo 'EclipseSpark' Faletra <eclipse@frozenbox.org>
# Lisetta 'Sheireen' Ferrero <sheireen@frozenbox.org>
# Francesco 'mibofra'/'Eli Aran'/'SimpleSmibs' Bonanno <mibofra@ircforce.tk> <mibofra@frozenbox.org>
#
#
# anonsurf is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# You can get a copy of the license at www.gnu.org/licenses
#
# anonsurf is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Parrot Security OS. If not, see <http://www.gnu.org/licenses/>.

export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'
# CYAN and YELLOW are used by messages below but were never defined in the
# original script; defined here so the escape codes expand (editor's fix)
export CYAN='\033[1;96m'
export YELLOW='\033[1;93m'

# Destinations you don't want routed through Tor
TOR_EXCLUDE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

# The UID Tor runs as
# change it if, starting tor, the command 'ps -e | grep tor' returns a different UID
TOR_UID="debian-tor"

# Tor's TransPort
TOR_PORT="9040"

function notify {
    if [ -e /usr/bin/notify-send ]; then
        /usr/bin/notify-send "AnonSurf" "$1"
    fi
}
export notify

function init {
    echo -e -n " $GREEN*$BLUE killing dangerous applications"
    killall -q chrome dropbox iceweasel skype icedove thunderbird firefox chromium xchat transmission
    notify "dangerous applications killed"
    echo -e -n " $GREEN*$BLUE cleaning some dangerous cache elements"
    bleachbit -c adobe_reader.cache chromium.cache chromium.current_session chromium.history elinks.history emesene.cache epiphany.cache firefox.url_history flash.cache flash.cookies google_chrome.cache google_chrome.history links2.history opera.cache opera.search_history opera.url_history &> /dev/null
    notify "cache cleaned"
}

function starti2p {
    echo -e -n " $GREEN*$BLUE starting I2P services"
    service tor stop
    cp /etc/resolv.conf /etc/resolv.conf.bak
    touch /etc/resolv.conf
    echo -e 'nameserver 127.0.0.1\nnameserver 199.175.54.136\nnameserver 23.94.123.134' > /etc/resolv.conf
    echo -e " $GREEN*$BLUE Modified resolv.conf to use localhost and FrozenDNS"
    sudo -u i2psvc i2prouter start
    iceweasel http://127.0.0.1:7657/home &
    notify "I2P daemon started"
}

function stopi2p {
    echo -e -n " $GREEN*$BLUE stopping I2P services"
    sudo -u i2psvc i2prouter stop
    if [ -e /etc/resolv.conf.bak ]; then
        rm /etc/resolv.conf
        cp /etc/resolv.conf.bak /etc/resolv.conf
    fi
    notify "I2P daemon stopped"
}

function ip {
    echo -e "\nMy ip is:\n"
    sleep 1
    wget -qO- http://frozenbox.org/ip
    echo -e "\n\n----------------------------------------------------------------------"
}

function iceweasel_tor {
    directory="/dev/shm/.mozilla/firefox/profile/a6mpn2rf.default"
    profile="profile_for_tor.tar.gz"
    if [ -d "$directory" ] ; then
        echo -e "\n[$CYAN nfo$RESETCOLOR ]$GREEN Please wait ...$RESETCOLOR\n"
        notify "Please wait ..."
        sleep 0.7
        echo -e "\n[$CYAN nfo$RESETCOLOR ]$GREEN The profile was loaded in the ram.$RESETCOLOR\n"
        notify "The profile was loaded in the ram."
        sleep 0.4
        killall -q iceweasel firefox
        iceweasel -profile /dev/shm/.mozilla/firefox/profile/a6mpn2rf.default &
        exit
    else
        echo -e "\n[$CYAN nfo$RESETCOLOR ]$GREEN Please wait ...$RESETCOLOR\n"
        notify "Please wait ..."
        sleep 0.3
        cd /opt/anonsurf/
        cp $profile /dev/shm/ #> /dev/null
        sleep 0.3
        cd /dev/shm/
        tar xzvf $profile #> /dev/null
        sleep 0.3
        echo -e "\n[$CYAN nfo$RESETCOLOR ]$GREEN The profile was loaded in the ram.$RESETCOLOR\n"
        notify "Starting browser in RAM-only mode"
        sleep 0.4
        killall -q iceweasel firefox
        iceweasel -profile /dev/shm/.mozilla/firefox/profile/a6mpn2rf.default &
        exit
    fi
}

function start {
    # Make sure only root can run this script
    if [ $(id -u) -ne 0 ]; then
        echo -e "\n$GREEN[$RED!$GREEN] $RED R U DRUNK?? This script must be run as root$RESETCOLOR\n" >&2
        exit 1
    fi

    # Check defaults for Tor
    grep -q -x 'RUN_DAEMON="yes"' /etc/default/tor
    if [ $? -ne 0 ]; then
        echo -e "\n$GREEN[$RED!$GREEN]$RED Please add the following to your /etc/default/tor and restart service:$RESETCOLOR\n" >&2
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR"
        echo -e 'RUN_DAEMON="yes"'
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR\n"
        exit 1
    fi

    # Check torrc config file
    grep -q -x 'VirtualAddrNetwork 10.192.0.0/10' /etc/tor/torrc
    if [ $? -ne 0 ]; then
        echo -e "\n$RED[!] Please add the following to your /etc/tor/torrc and restart service:$RESETCOLOR\n" >&2
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR"
        echo -e 'VirtualAddrNetwork 10.192.0.0/10'
        echo -e 'AutomapHostsOnResolve 1'
        echo -e 'TransPort 9040'
        echo -e 'SocksPort 9050'
        echo -e 'DNSPort 53'
        echo -e 'RunAsDaemon 1'
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR\n"
        exit 1
    fi

    grep -q -x 'AutomapHostsOnResolve 1' /etc/tor/torrc
    if [ $? -ne 0 ]; then
        echo -e "\n$RED[!] Please add the following to your /etc/tor/torrc and restart service:$RESETCOLOR\n" >&2
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR"
        echo -e 'VirtualAddrNetwork 10.192.0.0/10'
        echo -e 'AutomapHostsOnResolve 1'
        echo -e 'TransPort 9040'
        echo -e 'SocksPort 9050'
        echo -e 'DNSPort 53'
        echo -e 'RunAsDaemon 1'
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR\n"
        exit 1
    fi

    grep -q -x 'TransPort 9040' /etc/tor/torrc
    if [ $? -ne 0 ]; then
        echo -e "\n$RED[!] Please add the following to your /etc/tor/torrc and restart service:$RESETCOLOR\n" >&2
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR"
        echo -e 'VirtualAddrNetwork 10.192.0.0/10'
        echo -e 'AutomapHostsOnResolve 1'
        echo -e 'TransPort 9040'
        echo -e 'SocksPort 9050'
        echo -e 'DNSPort 53'
        echo -e 'RunAsDaemon 1'
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR\n"
        exit 1
    fi

    grep -q -x 'SocksPort 9050' /etc/tor/torrc
    if [ $? -ne 0 ]; then
        echo -e "\n$RED[!] Please add the following to your /etc/tor/torrc and restart service:$RESETCOLOR\n" >&2
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR"
        echo -e 'VirtualAddrNetwork 10.192.0.0/10'
        echo -e 'AutomapHostsOnResolve 1'
        echo -e 'TransPort 9040'
        echo -e 'SocksPort 9050'
        echo -e 'DNSPort 53'
        echo -e 'RunAsDaemon 1'
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR\n"
        #exit 1
    fi

    grep -q -x 'DNSPort 53' /etc/tor/torrc
    if [ $? -ne 0 ]; then
        echo -e "\n$RED[!] Please add the following to your /etc/tor/torrc and restart service:$RESETCOLOR\n" >&2
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR"
        echo -e 'VirtualAddrNetwork 10.192.0.0/10'
        echo -e 'AutomapHostsOnResolve 1'
        echo -e 'TransPort 9040'
        echo -e 'SocksPort 9050'
        echo -e 'DNSPort 53'
        echo -e 'RunAsDaemon 1'
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR\n"
        exit 1
    fi

    grep -q -x 'RunAsDaemon 1' /etc/tor/torrc
    if [ $? -ne 0 ]; then
        echo -e "\n$RED[!] Please add the following to your /etc/tor/torrc and restart service:$RESETCOLOR\n" >&2
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR"
        echo -e 'VirtualAddrNetwork 10.192.0.0/10'
        echo -e 'AutomapHostsOnResolve 1'
        echo -e 'TransPort 9040'
        echo -e 'SocksPort 9050'
        echo -e 'DNSPort 53'
        echo -e 'RunAsDaemon 1'
        echo -e "$BLUE#----------------------------------------------------------------------#$RESETCOLOR\n"
        #exit 1
    fi

    echo -e "\n$GREEN[$BLUE i$GREEN ]$BLUE Starting anonymous mode:$RESETCOLOR\n"

    if [ ! -e /var/run/tor/tor.pid ]; then
        echo -e " $RED*$BLUE Tor is not running! $GREEN starting it $BLUE for you\n" >&2
        echo -e -n " $GREEN*$BLUE Service "
        service resolvconf stop
        service dnsmasq stop
        service nscd stop
        sleep 4
        service tor start
        sleep 6
    fi

    if ! [ -f /etc/network/iptables.rules ]; then
        iptables-save > /etc/network/iptables.rules
        echo -e " $GREEN*$BLUE Saved iptables rules"
    fi

    iptables -F
    iptables -t nat -F

    cp /etc/resolv.conf /etc/resolv.conf.bak
    touch /etc/resolv.conf
    echo -e 'nameserver 127.0.0.1\nnameserver 199.175.54.136\nnameserver 23.94.123.134' > /etc/resolv.conf
    echo -e " $GREEN*$BLUE Modified resolv.conf to use Tor and FrozenDNS"

    # set iptables nat
    iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
    iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 53
    iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 53

    #resolve .onion domains mapping 10.192.0.0/10 address space
    iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
    iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040

    #exclude local addresses
    for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
        iptables -t nat -A OUTPUT -d $NET -j RETURN
    done

    #redirect all other output through TOR
    iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
    iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
    iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT

    #accept already established connections
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #exclude local addresses
    for NET in $TOR_EXCLUDE 127.0.0.0/8; do
        iptables -A OUTPUT -d $NET -j ACCEPT
    done

    #allow only tor output
    iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
    iptables -A OUTPUT -j REJECT

    echo -e "$GREEN *$BLUE All traffic was redirected through Tor\n"
    echo -e "$GREEN[$BLUE i$GREEN ]$BLUE You are under AnonSurf tunnel$RESETCOLOR\n"
    notify "Global Anonymous Proxy Activated"
    sleep 4
}

function stop {
    # Make sure only root can run our script
    if [ $(id -u) -ne 0 ]; then
        echo -e "\n$GREEN[$RED!$GREEN] $RED R U DRUNK?? This script must be run as root$RESETCOLOR\n" >&2
        exit 1
    fi

    echo -e "\n$GREEN[$BLUE i$GREEN ]$BLUE Stopping anonymous mode:$RESETCOLOR\n"

    iptables -F
    iptables -t nat -F
    echo -e " $GREEN*$BLUE Deleted all iptables rules"

    if [ -f /etc/network/iptables.rules ]; then
        iptables-restore < /etc/network/iptables.rules
        rm /etc/network/iptables.rules
        echo -e " $GREEN*$BLUE Iptables rules restored"
    fi

    echo -e -n " $GREEN*$BLUE Service "
    if [ -e /etc/resolv.conf.bak ]; then
        rm /etc/resolv.conf
        cp /etc/resolv.conf.bak /etc/resolv.conf
    fi
    service tor stop
    sleep 4
    service resolvconf start
    service nscd start
    service dnsmasq start
    sleep 1
    echo -e " $GREEN*$BLUE Anonymous mode stopped\n"
    notify "Global Anonymous Proxy Stopped"
    sleep 4
}

function change {
    service tor reload
    sleep 4
    echo -e " $GREEN*$BLUE Tor daemon reloaded and forced to change nodes\n"
    notify "Identity changed"
    sleep 1
}

function status {
    service tor status
}

case "$1" in
    start)
        init
        start
    ;;
    stop)
        init
        stop
    ;;
    change)
        change
    ;;
    status)
        status
    ;;
    myip)
        ip
    ;;
    iceweasel_tor)
        iceweasel_tor
    ;;
    starti2p)
        starti2p
    ;;
    stopi2p)
        stopi2p
    ;;
    restart)
        $0 stop
        sleep 1
        $0 start
    ;;
    *)
        echo -e " Parrot AnonSurf Module (v 1.3.1)
    Usage:
    $RED┌──[$GREEN$USER$YELLOW@$BLUE`hostname`$RED]─[$GREEN$PWD$RED]
    $RED└──╼ \$$GREEN"" anonsurf $RED{$GREEN""start$RED|$GREEN""stop$RED|$GREEN""restart$RED|$GREEN""change$RED""$RED|$GREEN""status$RED""}

    $RED start$BLUE -$GREEN Start system-wide anonymous tunneling under TOR proxy through iptables
    $RED stop$BLUE -$GREEN Reset original iptables settings and return to clear navigation
    $RED restart$BLUE -$GREEN Combines \"stop\" and \"start\" options
    $RED change$BLUE -$GREEN Changes identity restarting TOR
    $RED status$BLUE -$GREEN Check if AnonSurf is working properly

    ----[ I2P related features ]----
    $RED starti2p$BLUE -$GREEN Start i2p services
    $RED stopi2p$BLUE -$GREEN Stop i2p services
    $RESETCOLOR" >&2
        exit 1
    ;;
esac

echo -e $RESETCOLOR
exit 0
Just start it with ./parrotscript start (or stop, restart, status...)
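Before trusting the tunnel, a practitioner would verify that the rules "start" installed are actually in place, since a missing final REJECT or a missing DNS redirect is exactly how traffic leaks around Tor. The check below is an added example, not part of anonsurf or of this post: it reads an iptables-save dump and tests the five rules that matter. The built-in dump is constructed (uid 109 stands in for debian-tor, TransPort 9040, DNSPort 53), not captured from a host.

```shell
#!/bin/sh
# Added example (not part of anonsurf or of this post): verify, from an
# iptables-save dump, that the rules 'anonsurf start' installs are in place.
# The dump in sample_rules() is constructed, not captured: uid 109 stands
# for the debian-tor user, TransPort is 9040 and DNSPort is 53.
set -eu

# has_rule TEXT REGEX: true when some line of TEXT matches REGEX (case-insensitive).
has_rule() { printf '%s\n' "$1" | grep -Eiq -- "$2"; }

report() { echo "MISSING: $1" >&2; missing=1; }

# check_tor_rules DUMP [TRANSPORT]: returns 0 only if every required rule is present.
check_tor_rules() {
    rules=$1
    tor_port=${2:-9040}
    missing=0
    # OUTPUT rules of the nat and filter tables, in the order iptables applies them
    nat=$(awk '/^\*nat/{t=1;next} /^COMMIT/{t=0} t && /^-A OUTPUT/' "$rules")
    filter=$(awk '/^\*filter/{t=1;next} /^COMMIT/{t=0} t && /^-A OUTPUT/' "$rules")

    # 1. Tor's own packets must leave the nat chain first, or Tor would be
    #    redirected into itself and never reach the network.
    printf '%s\n' "$nat" | head -n 1 | grep -Eq -- '--uid-owner [^ ]+ -j RETURN' \
        || report "nat OUTPUT: first rule must RETURN for Tor's own uid"
    # 2. Every DNS query (udp/53, whatever resolver is configured) is redirected
    #    to Tor's DNSPort. This is the rule that stops DNS leaks.
    has_rule "$nat" "^-A OUTPUT -p udp .*--dport 53 -j REDIRECT --to-ports 53\$" \
        || report "nat OUTPUT: udp/53 -> REDIRECT --to-ports 53"
    # 3. New TCP connections (SYN) are redirected to the TransPort.
    has_rule "$nat" "^-A OUTPUT -p tcp .*syn.* -j REDIRECT --to-ports ${tor_port}\$" \
        || report "nat OUTPUT: tcp SYN -> REDIRECT --to-ports $tor_port"
    # 4. The filter table lets Tor's uid out ...
    has_rule "$filter" "^-A OUTPUT -m owner --uid-owner [^ ]+ -j ACCEPT\$" \
        || report "filter OUTPUT: ACCEPT for Tor's uid"
    # 5. ... and its final rule rejects everything else, so whatever the nat
    #    rules do not catch is dropped instead of leaving in clear.
    printf '%s\n' "$filter" | tail -n 1 | grep -Eq -- '-j (REJECT|DROP)' \
        || report "filter OUTPUT: last rule must REJECT or DROP"

    [ "$missing" -eq 0 ] && echo "OK: $rules forces all traffic through Tor"
    return "$missing"
}

# Constructed iptables-save output, as left by 'anonsurf start' (not captured from a host).
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 109 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -d 10.192.0.0/10 -p tcp -j REDIRECT --to-ports 9040
-A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 127.0.0.0/9 -j RETURN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Usage:  ./check-tor-rules.sh --demo
#         iptables-save > /tmp/rules.txt && ./check-tor-rules.sh /tmp/rules.txt
if [ $# -gt 0 ]; then
    if [ "$1" = "--demo" ]; then
        tmp=$(mktemp)
        sample_rules > "$tmp"
        rc=0
        check_tor_rules "$tmp" || rc=$?
        rm -f "$tmp"
        exit "$rc"
    fi
    check_tor_rules "$1"
fi
```

The check parses the dump rather than calling iptables itself so it can be run on a saved copy and reviewed offline. Note that iptables-save prints --syn as --tcp-flags FIN,SYN,RST,ACK SYN and the owner match as a numeric uid, which is why the patterns are loose on those two points; the order checks (uid RETURN first in nat, REJECT last in filter) matter as much as the presence of the rules.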
BUT remember: Tor is funded (80%) by the US government... (and VPNs collaborate too...)
6 - Conclusion
Goals reached?
- System running in RAM only
- RAM wiped at halt
- Files securely deleted
- LUKS encryption and NUKE feature
- All traffic through Tor
Script it!
And don't forget macchanger.
Nice try, but lots of missing info and broken links...
As I have no Linux knowledge but would like to use this system as described, I'd like to know if someone has a completed version.
Thanks for your hard work
How to update Kali Linux