Cyber Illuminate – Prism

gAtO lOcO-  I know conspiracy theory’s but this one stop me cold.  I was looking at a newscast and the NSA Prism illuminate_dollarlogo came on, OK pink Floyd – dark side of the moon rip-off but something caught my eye – the triangle on the dollar bill and the Prism logo triangle ummmm…. – an all seeing triangle -what every one tells about the Illuminate logo. If you apply a prism to data -it’s the same thing you grab all the light/data and filter it down to different data streams, categories -colors. I can see the meaning of the logo for prism now, wonder how much they paid a no-bid contractor for that logo.  prism-logo-61013

—a new world order – cyberspace —

Then I remember the CISPA fight we had a while back and on one of them it said. “Cyber Intelligence Sharing & Protection Act” that was pretty much the same thing we find now in what Prism does with phone and data collection. So my question is, if Prism has been going on since the Patriot Act and the NSA has been doing this legally.

Why CISPA? Why SOPA? Why PIPA? Come on Prism is legal so why all this data sharing when the government was doing it under our nose. I think what this kid Shoden did was stupid, but it’s his choice and he will live with this one way or another. What he showed us has opened a discussion that I think was needed in the cyber world. cispa

Cyber society is the new norm and we older-people must accept that these young men and women know this technology and how to use it better than we do. Cyberspace belongs to everyone today and I hope we together can change things for the better. But I don’t think the powers that be will give over so easily. Prsim is a perfect example of how the cold war mentality has change with the digital domain becoming more real. We will not recognize the Internet 10 years from now, but if the Illuminate have there way they will be watching us –  gAtO lOcO oUt…      Illuminate



Cyber Women and Hollywood

Cyber Women please stand Up

CSI creator launch a new Cybergeddon Yahoo Show GREAT –http://cybergeddon.yahoo.com

Pierluigi and gAtO met with Dare To Pass – CSI – Anthony e. Zuiker, Matthew Weinberg and Josh Cadwell to talk about the new Cyber sensation Cybergeddon in Yahoo. I never met any hollywood types but these guy’s were just dead set on making the show great, and real life. They met with Symantec/Norton folks but they were not prepared for Pierluigi’s charm and solid knowledge of what is in the deep dark web and a loco gAtO that has no rules or reason sometimes.

Let’s just say we where informative and entertaining and after the meeting Josh Cadwell CSI’s real geek -(producer, writer, director too) took the lead. I think this relationship will make the show more real, more believable and as they use real tools and how 2- of the black hackers they will be in a position to not just make a great entertainment show but also it may help other online people to become aware of the dangers of cyberspace. CSI broke new bounds and educated people to the cool science and how technology can be use for good things and help solve crimes. Cybergeddon is set to become another CSI but in cyber Space- About cyber Space— IMHO

gAtO does not even own a TV so I had no clue who CSI was- but these guy’s are really very smart, creative and played hardball when it comes to what they want. Anthony is solid TV Producer type, Matt is a cool genius and Josh has so much knowledge about Tor this that it made us feel comfortable, he is a techno class dude…he knows his technology.

This show is so different not just the content but by putting it on Yahoo they have over 50 million points as a distribution model. This is how smart movie executives are not fighting the Internet but they are embracing it and fixing it to make the model work. We all seen Kim DotCom and other pirate distribute content worldwide – movie guys saw this and said WOW we could keep the distribution cost down and get more views and that’s a big win, win for US the viewers and them the creators.

“I wanna be a Hackers” has become a new cool thing. The geek is becoming a superstar – where the football hero and the nerdy computer club president has similar status. This is new a turn for intelligence not just brute force – I’m one geek that got the beauty queen and so will others. Cybergeddon show’s that even the 4 eye nerd can become a person of power and respect – take the character “Rabbit” yeah I can say I know some hacker like him –

Give them a break guy::: I know you can’t hack everything in 15 keystrokes but they have a limited time – Viewer can have the concentration of a nat, so I will give them that and it has to be entertaining and Chloe the lady Hacker is so cool – I have a daughter that is a strong woman and can hack (a little ) but the role model this set’s up for women in technology is great –

I know of 3 cyber women (they are gonna kill me) C3nTuri0n ?@Centauri3  and ?? ?@7JGoldOrlando and Kandy- these are real live cyber queens that know their shit and are very intelligent, strong and vocal – they take no shit from anyone in cyberspace and sorry but that is cool. They dabble with SE, Bot-Nets and they know cyber security – I feel fortunate to know great ladies like this they teach me so much.. Thanks guy’s…

Cyber Women please stand Up

So my Gray hat goes out the CSI team in wanting to show such a good woman role model, this is a change and I seen it with Latino women shouting about TangoDown all over Latino countries – Women in cyberspace are gaining a lead – we men can sometimes communicate with grunts and get the message across (nOt)- I know this show can be great for equality in cyberspace.

I want to thank Lauren -Dare to Pass – Nicole – National Science Foundation for helping Pierluigi and gATO to have a chance to help in this project. el gAtO lOcO had fun talking about “The Deep Dark Web” (our Book) (available in Amazon) and security, Bitcoins market and the other fantastic cyber things we talked about.

Anthony called me up the next day and we talked about helping them on a new show about a cyber cop who dies and get’s re-born and goes out in the Dark Web to get the bad guys- I think the working title is “RESTART” it should be kinda cool. But hollywood types are all takers – pro bono- but they reap the rewards. I guess that gAtO will not be a famous star— gAtO OuT


What Are ToR Hidden Service?

gAtO tHiNkInG – anonymity serves different interest for different user groups; To a private citizen it’s privacy, to a business it’s a network security issue. A business needs to keep trade secrets or have IP (knowledge base data-centers), communicate with vendors securely and we all know that business need to keep an eye on there competition – the competition can check your stats

update -11-14-2012 -uscyberlabs.com Tor Hidden Servicehttp://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox / honeypot — cool logs stats -DOWN 4 upgrade – 06-11-2013

(http://www.alexa.com/siteinfo/uscyberlabs.com) and check on how your business is doing, what keywords your using, demographics of users hitting your site—— by the way in the Tor-.onion network a web site/service cannot be monitored unless you want it…

How would a government use a ToR-network I’m asked all the time —

// if I was an (agent/business-person)state actor doing business in China (and other countries too) well I would use a ToR-.onion connection to keep my

business private from a government that is know to snoop a bit on travelers to their country. The fact is governments need anonymity for their security -think about it “What does the CIA Google for?” Maybe they us ToR??? But this is about Hidden services right.


What is a hidden service in ToR-.onion network?

SImply put it’s a web site/service, a place in the ToR network were we have a service like:

  • Search Engine
  • Directories
  • web / pop3 email
  • PM Private Messages
  • Drop Box’s
  • Re-mailers
  • Bulletin Boards BBS
  • Image Boards
  • Currency exchange
  • Blog
  • E-Commercce
  • Social Networks
  • Micro-Blog –

Hidden Services are called hidden, because your website’s IP in ToR is hidden- they cannot see the IP of your server — they can’t track you- if they can’t find you how are they gonna hack you???? Sorry I had to say that -((more about that later)). Now how do I keep this secret (my IP) and let you the user use my services. In the normal web if your in uscyberlabs.com your on my site,— my server -you can do a whois and get my IP and geo-location— then you can attack my website with dDoS and other IP attack vectors, you also get my location so you can physically find me- my server/my website – maybe go dumpster diving in the trash and get my company secrets— mAyBe sI – nO,

Well in the ToR-.onion network you the client ask the business website if they can use the websites service / then decide and start a handshake to a rendezvous POINT to meet  —we meet at an OR ((onion relay))-a rendezvous POINT) not at my server/ my IP — so your never ever on the business site/server when your in onionLand, you can’t do a whois and get my IP because we meet at an OR, you cannot find my geo-location…..

We have heard of the killings of Iranians and Syrian rebels being killed in todays news, when an Iranian rebel is fighting for his and his families life if they(the government) finds his IP or the IP of the website he visited // they will hunt that person down and the Iranian police/government will kill the whole family sometimes. So keeping an IP from someone is not an evil act it is an act of privacy for safety on both sides the client and the business.

you need to look at Figure 2 to explains this better:

Now let’s focus on R2 OR the yellow key. That’s the spot were you(your company’s hidden website) and your client meet — I know it’s a sneaky way of doing business but once again if they can’t get to your IP at least that is one attack vector that can’t be used to hack you or ddos you. OK they can still hack you but it’s software then. How it’s all done – the magic —the technical thingy to this is below —/this is just an outline of events of the client /hidden web/service protocol:

I goes something like this —

  • INTRODUCE2 cell
  • INTRODUCE2 cell
  • RENDEZVOUS1 cell
  • sends a RENDEZVOUS2 cell Chat
  • sends a RENDEZVOUS2 cell Blog

1. Whenever the rendezvous point receives a RELAY_COMMAND_RENDEZVOUS1  with the same cookie as the OR sent in the RELAY_COMMAND_INTRODUCTION1 cell it logs the reception and the IP address of the immediate transmitter of the cell. At the same time, the OR middle node monitors the circuits passing through it. Whenever it receives a DESTROY  cell over a circuit it checks:

1) whether the cell was received just after the rendezvous point received the RELAY_COMMAND_RENDEZVOUS1 cell;

2) if the next node of the circuit at the middle node coincides with the previous node of the circuit at the rendezvous point;

3) whether the number of forwarded cells is exactly 2 cells up the circuit and 52 cells down the circuit.

More Geek network kinda stuff::

1. Jun 03 20:50:02.100 [notice] Tor (r14739) opening new log file.

2. Jun 03 20:50:11.151 [notice] We now have enough directory information to build circuits.

3. Jun 03 20:50:12.697 [info] rend_services_introduce(): Giving up on sabotage as intro point for stuptdu2qait65zm.

4. Jun 03 20:50:18.633 [info] rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 1560 for service stuptdu2qait65zm

5. Jun 03 20:51:18.997 [info] upload_service_descriptor(): Sending publish request for hidden service stuptdu2qait65zm

6. Jun 03 20:51:22.878 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 (“Service descriptor stored”))

People ask me how can these hidden services be attacked???

It’s all the same as in the surface web you find the software the hidden service is using /// let’s say Worpress (or flatPress) if they use an old version with vulnerabilities then, that site can be hacked by traditional hacking attack vectors— gAtO can’t wait till USCyberLabs.com will have a sandbox in the .onion were we can have a honeypot for people to hack and learn from.  (we need Funding for these project donate please – we will share) gAtO has not tried Backtrack 5 on ToR-.onion network – mAyBe sI -nO – uscyberlabs.com has been hacked a few times already and is consistently fighting bot’s and spammer, it goes on and on.everywhere-.-.-.-

Here are some technologies used in the ToR-.onion network:

update -11-14-2012 -uscyberlabs.com Tor Hidden Service = http://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox and it turned into a honeypot — cool logs stats

TorStatusNet – http://lotjbov3gzzf23hc.onion/   is a microblogging service. It runs the StatusNet microblogging software, version 0.9.9, available under the GNU Affero General Public License.

FlatPress is a blogging engine like -Wordpress blog http://flatpress.org/home/   – http://utup22qsb6ebeejs.onion/

Snapp BBS works fine in OnionLand – http://4eiruntyxxbgfv7o.onion/

PHP BBS – http://65bgvta7yos3sce5.onion/

Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.  – http://ay5kwknh6znfmcbb.onion/torbook/

Anyway I hope this open up the mystery of a hidden service in ToR – it’s just a website, you go to a rendezvous point and do your business — your IP and the business IP are totally secure. No digital breadcrumbs. Now a word to the wise in the ToR-.onion network you have some very tech savvy people and some are very stupid be a critical-cyber user always -gAtO oUt.


Protocol-Level Hidden Server Discovery -WRONG

sOrRy – AROGANT gAtO – Open letter to:zhenling – jluo -wkui – xinwenfu – at seu.edu.cn cs.uvic.ca cs.uml.edu  – I wrote to you and gave you a chace to reply so her it goes for everyone to see that you rigged your lab in real life it does not work like you claim — gATO OuT – may be wrong mAyBe Si -nO 


Protocol-Level Hidden Server Discovery

Since entry onion router is the only node that may know the real IP address of the hidden service— -note [3] The assumption was made in virtually all attacks towards the Tor network. This is reasonable because onion networks routers are set up by volunteers.

WRONG folks — So criminals work in these sterile structured surrounding – following rules and making assumptions that I’m stupid enough to not know how to control ENTRY and EXIT nodes into my Tor Website— COme on Dudes this is not school it’s the real world… otwxbdvje5ttplpv.onion here is my site now find my IP —

WHo am I – Richard Amores – @gAtOmAlO2 – I run http://uscyberlabs.com – I just finished a boot -“ The Deep Dark Web” Amazon New eBook -The Deep Dark Web – http://www.amazon.com/dp/B009VN40DU   Print Book – http://www.amazon.com/The-Deep-Dark-Web-hidden/dp/1480177598 :- I do a we bit of real life research and I disagree — I go thru a proxie and a VPN in EU… before I go into Tor so the chances that you will find my IP just went up a notch or too. But I’m a legit – Security Researcher – imagine if I run Silk Road — making a bunch of Bitcoins a DAY— how many layers do they have—

how about a basic BRIDGE RELAY — and there it goes – u can’t touch this — how about a simple modification of the torrc file with these
HiddenServiceAuthorizeClient AND – HidServAuth
with these few modification the Tor site is hidden unless you have the key (HiddenServiceAuthorizeClient) in your browser/- that was generated to match the HidServAuth)-of the server– I think that your chances of finding my mean ass hidden service ip address —are ZERO…

I like what you’ll did cool analyst and you explained it great – but this puts fear into people – dissidents will maybe not use Tor because of what you guy’s say and maybe they may get caught and killed… It’s not only CRIMINALS — I know that gets grants money — but Tor is used to communicate and it allows – Freedom of Speech in Cyberspace- I’m gonna write something about this and I want to be nice so please explain why — you can say from an educational place of knowledge and allow this – “in the box” thinking that is being hacked everyday because they say— we did everything they told us to do— this is wrong and not true —

If you could get the IP of Silk Road — or better yet – PEDO BEAR the largest PEDO directory in TOR — tell me the IP and I will take it down myself— but don’t come at me saying we are right and every hacker is wrong  — learn please our world is depending on your great minds —

RickA- @gAtOmAlO2 http://uscyberlabs.com

Here is the original paper —http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
A recent paper entitled Protocol Level Hidden Server Discovery, by Zhen Ling, Kui Wu, Xinwen Fu and Junzhou Luo.  Paper is starting to be discussed in the Tor community.  From my perspective, it is a nice attack to reveal the IP address of a hidden service.  It would require resources to actually implement effectively, but for Law enforcement trying to shutdown and arrest owners of illegal websites selling drugs, weapons, or child pornography and are hiding behind Tor, it is an option.  Of course that also means the capability to find anyone that might be doing something a government or large entity does not agree with. The paper is here.
This stuff reminds me of a statement a professor said to a class I was in once:  “Guns are not good or bad.  It depends on who is holding the gun and which end is pointed at you.”


CYber Investigation over General Patraeus

CYber Investigation over General Patraeus

gAtO rEaD – NO CRIME committed- that the investigation for the top CIA general was because someone sent an eMail that said” I saw you touching the Generals leg at Dinner -Stop It” Yeah so one lady said to another lady – STOP MESSING WITH MY MAN – Pow – ZAP they get a court order to go thru someones eMail.

So if we take this premise that Judges will sign -COURT ORDERS to search your emails and any other emails that link it because of a jealous lover. It looks to gAtO that they have to much POWER – or the FBI is gonna search everyones emails now – legally. Court Ordered

This should send shock waves thru our industry – everyone is now warned that anyone’s email can be open to LE anytime and just about for any reason. I trusted the system, I trusted the Judges but lack of a crime should of not happened. There was NO CRIME committed the investigation turned out. But it has now taken down the reputation of 2 generals. NO CRIME

Now these are 2 famous generals what chance do mere mortals have that our eMails are going to be court order to investigate why simply because they can now. This shows to me the lack of justice or the erosion of justice that is coming down the cyber pipelines. If this is now a wake up call for security professionals to wake up and smell the coffee. Your email will be next unless we support less government control of our digital rights.

Freedom of Speech in cyberspace is a right not a privilege -gAtO oUt




The deep Dark Web -Book Release

gATO hApPy – 

AVAILABLE @ AMAZON – http://www.amazon.com/dp/B009VN40DU

AVAILABLE @SmashWords website  @http://www.smashwords.com/books/view/247146

I learned that I hate WORD: – but it’s the general format for publishing  – text boxes- get imbedded and you can’t format to EPUB or .mobi or anything – solution after going lOcO gAtO – was copy and paste into txt editor – save as RTF then copy paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F as much fun as a hairball but if it get’s the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we done our job, anyway I hope you read it Thank you Pierluigi a best friend a security gAtO ever had – gATO oUt

This Book covers the main aspects of the fabulous and dangerous world of -“The Deep Dark Web” . We are just two cyber specialists Pierluigi Paganini & Richard -gAtO- Amores, with one passion and two souls we wanted to explain the inner working of the deep dark web. We have had a long collaboration in this efforts to document our findings we made infiltrations into the dark places inaccessible to many to give a you the reader a clear vision on the major mystery of the dark hidden web that exist today in the Tor Onion network..

The Web, the Internet, mobile cell devices and social networking has become commonly used words that identify technological components of daily Internet user’s experience in the cyberspace. But how much do we really know about cyberspace? Very, very little, Google / Yahoo / Bing only show us 20% of the Internet the other 80% is hidden to the average user unless you know were to look.

The other 80% of the Internet is what this book is about the “Deep Dark Web”, three words with millions of interpretations, mysterious place on the web, the representation of the hell in the cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporation try to discourage the use of this untapped space because they don’t control it. We the people of the free world control this network of Tor -Onion Routers by volunteer around the world.

The Deep Dark Web seems to be full of crooks and cyber criminals, it is the hacker’s paradise, where there are no rule, no law, no identity in what is considered the reign of anonymity, but this is also the reason why many persecuted find refuge and have the opportunity to shout to the world their inconvenient truths.

The Deep Dark Web is a crowded space with no references but in reality it is a mine of information unimaginable, a labyrinth of knowledge in the book we will try to take you by the hand to avoid the traps and pitfalls hopefully illuminating your path in the dark.

Cybercrime, hacktivism, intelligence, cyber warfare are all pieces of this complex puzzle in which we will try to make order, don’t forget that the Deep Dark Web has unbelievable opportunity for business and governments, it represents the largest on-line market where it is possible to sell and acquire everything, and dear reader where there is $money$  you will find also banking, financial speculators and many other sharks.

Do you believe that making  money in Deep Web is just a criminal prerogative? Wrong, the authors show you how things works in the hidden economy and which are the future perspectives of is digital currency, the Bitcoin.

This manuscript proposes both faces of the subject, it illustrates the risks but also legitimate use of anonymizing networks such as TOR adopted by journalist to send file reports before governments agents censored his work .

Here are some question we may answers to:

How many person know about the cyber criminals and their ecosystem in the deep web? 

How many have provided information on the financial systems behind the “dirty affairs”? 

How the law enforcement and governments use Dark Web?

Let’s hold your breath and start the trip in the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about – The Deep Dark Web.


Diary of a Professional Botmaster

gAtO –found this and had to share with you. If you want to know how a botMaster is created check this out. A simple software engineer becomes a botMaster sounds like “surreal Walter White in Breaking Bad”. First you will noticed that this was written in 2010 and it’s been a model of the botMaster persona. This is a fictional tale now add the Tor onion network to hide the c&c and mobile Android /iApple devices but it comes so close to the real edge, have fun reading -gAtO oUt

Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

 Diary of a Professional Botmaster 

June 20, 2009 

I’ve decided to restart the diary. I used to keep one many years ago, but stopped when I moved down to London and started my MSc in Computing & Security at King’s College – much use that degree ever turned out to be!

I found out yesterday that me and most of the team are going to be made redundant at the end of the month. It appears that the company doesn’t need so many developers after they decided to sell off the Private Banking division to some German brokerage and they ditched those annoying trader guys up on the 18th floor a couple of months back.

Anyhow, I’d better start looking for a new job. The markets pretty tight at the moment. It seems that all the banks are laying off folks and the developers are the first to go. Not surprising really. I’ve been thinking about setting up my own business for a while though. Perhaps it’s time to bite the bullet and just do it. Take that redundancy cheque and invest it in myself?

June 22, 2009 

Was down at the pub for most of the afternoon with Bill & Ted. We were tossing around ideas of businesses I could start – in particular, businesses that could make me a millionaire in a year’s time. Granted, most of the ideas were completely off the wall and would be destined to fail or end in my bankruptcy within weeks of starting them (or would likely land me in prison within short order) but some of the grey areas look like they could be pretty exciting.

Ted was going on about botnets and how they’re not really illegal. Sounds like rubbish to me, but I’ll check it out anyway.

Last year when we had that worm go around the office and the Ops guys spent a couple of weeks chasing it down and cleaning up systems – that was pretty cool, and I can see how the authors of that worm could make quite a bit of money from it with a little banking knowledge. I don’t think they ever got caught either. Ted told me that James – the lardy guy over in second-level helpdesk – said that they were still having outbreaks of that very same worm and uncovering other infected computers almost every day (after an entire year). How cool is that!

June 25, 2009

I’ve been reading up on botnets. The Internet is full of great information about them. YouTube even has tutorials on how to create the malware, deliver the bot agents, manage the Command and Control (CnC) and turn the stolen data into real money.

I did some digging on these hacker forums too. They’re pretty cool. Most are well organized and there are bundles of tutorials, guides and discussion threads on all aspects of the botnet business. There’s even entire forums dedicated to matching buyers with sellers – Craigslist style! Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

June 26, 2009

Had a great session with Demitri over IRC today. He’s been running a handful of botnets over the last couple of years and seems to know what he’s talking about. Came across his advertisement on one of the boards and was offering a free 2-hour test-drive of his botnet CnC console – so I got to play with a couple hundred computers. Some of the functionality was grayed out, but I got a chance to DDoS the companies’ website – from the comfort of my desk ?

I spoke with a couple of the company Internet ops guys afterwards – being careful in what I said of course – to see if they noticed. Apparently they did. It didn’t bring down the site, but they were alerted from their IPS. Supposedly this is a common enough occurrence and happens most weeks. I guess I’m a little disappointed with that. I wonder how many bots I’d need to take down the webserver?

Dimitri said that he normally uses about 5,000 bots to take down big websites – but 200 is more than enough to wipe out corporate VPN appliances. Handy to know!

June 27, 2009

Sat down with Jim the lawyer this afternoon. I wanted to go over the details of setting up my own contracting business. Since I haven’t had much luck on the replacement job front looking for permanent roles, I figured I’d just go down the contracting route – since there are more opportunities going for temporary software engineering positions.

There’s not much to creating your own business. Jim helped me with all the forms – so I just need to mail them off tomorrow, and I’ll be on the way to creating my first business. He also explained some of the nuances to setting up a company in some other countries and the possibilities of “offshore accounts” and tax havens. I took plenty of notes. You never know when that’ll come in useful.

June 28, 2009 

Spent all day harvesting hacker boards for tools and playing with them on a couple of old laptops. This stuff really is easy.

I even came across this guy(?) on one of the chat forums (who can’t have been more than 14 years old) who was selling a botnet of 2,000 computers for $400. The funny part though was when the flame war stated about how overpriced that was. Apparently you can pick up 2,000 computers for as low as a $50 Walmart giftcard.

June 29, 2009

I woke up this morning with an epiphany (or was it just a delayed hangover?). I’m going to start my own botnet – but not just any botnet, I’m going to do it properly and make a business from it! I’ll still pursue any legit consulting roles that crop up – still got to eat and pay the bills – but it’ll make a convenient front while I’m building botnets.

Why the botnet business? Because it’s cool! Well, actually, it’s more than that. I don’t want to work forever in a dull office job and, from what I can tell, botnet building seems to be pretty profitable – and not many people get caught. And, if they do get caught, they basically only get a slap on the wrist. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

Having read quite a few of the news articles about the folks that got caught, it looks to me that they got caught because they did something stupid and/or they clearly crossed the criminal line – and the police were forced to do something about them.

I’m pretty sure that I’m smarter than that. Didn’t any of these guys ever consider building a business plan first? Plan it all out – have a strategy and stick to it!

I’ve left the computer downloading a few tool collections I found on one of the Argentinean malware blog sites. 4Gb of tools, kits and exploits. Awesome! And it’s all free!!

June 30, 2009

Final pay date from the “old job”, and I’m now officially free of the company. Ended up with a little over £35k after taxes too – so that’ll tide me over the next few months as I pull together my new business(es).

Last night’s download worked out pretty good. There are hundreds of botnet kits in there – complete with CnC interfaces, exploit packs, phishing templates, malware creators and obfuscators. Supposedly there’s a high likelihood that many of them are backdoored, but who cares – it’s time to play! I’m going to try a couple of them out on the corporate laptop before I have to hand it back – preferably one with a good rootkit. I wonder if they’ll ever notice?

July 1, 2009

Woke up this morning having dreamed about what kind of botnet business I want to build. Also figured out a few “rules” that I want to work towards – maybe more of a “guiding principles” perspective really.

1. DON’T GET CAUGHT – which means I’m going to be damned careful in setting up everything and making sure that nothing can be traced back to me personally. Sure, there’ll be layers to the onion, but I’m not going to allow myself to be let down by poor tradecraft and bad habits. Those hackers in France and Spain got caught because they didn’t have enough layers of deniability and mixed the use of their personal systems and their botnet infrastructure.

2. DON’T DO CRIMINAL HARM – While I’m pretty far removed from planning on being a Robin Hood, I’m not going to get mixed in with the Mob or other organized crime. Similarly, I’m not going to get involved with any political or religious drivel. I also don’t want to cause any physical harm – as that’s a sure way of getting the interest of the police – and, besides, it’s not who I really am. The more legit I can make this business, the easier it’ll be to bow out after I’ve made my money.

3. RESILIENCE AND SCALABILITY ARE MY FRIENDS – Since this is going to be a business, based upon the lessons I learned from the Private Banking firm and all I’ve been reading over the last couple of weeks, it should be possible to build pretty big botnets really fast – if I plan it well.

Resilience will be even more important though. Getting back to the “don’t get caught” principle and the layers of deniability (and abstraction), if I plan for making the CnC and distribution systems robust, I’ll endeavor to split things over Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

several hosting providers and geographic regions.

Also spent some time on the hacker portals and responding to some of the threads. Some of the more interesting forums are currently closed to me because I haven’t developed a site reputation – which can be gained by posting 20, 50 and 100 messages. This’ll be pretty easy though. Lots of questions about coding problems which I can answer without too much thought.

July 3, 2009

I think I’ve managed to plan out a few more CnC infrastructure ideas. I found a few more tutorials online – and also some good message threads on domain registration tactics, Dynamic DNS operators and folks that’ll distribute malware for a few cents. It appears that a good rate at the moment is around $100 for 2,000 guaranteed installs. A little pricey if I was buying, but it sounds like good money if I was to become a seller ?

I also realized that I forgot a rather important principle for inclusion – my zero’th principle…

0. I WANT TO BE RICH – but, more to the point I want to retire rich, not be the richest bloke in jail.

Which all means that I need to do some more investigation on how to secure the money. I don’t want the money to be directly traceable to me – nor to the consulting company I’ve just created – but I’m going to need ways to pay for stuff and ways to accept payments. All deniable of course.

Made a few new connections on the hacker forums. Now that I’m posting to some threads I’m getting direct messages from some of the folks there. A couple of the guys that reached out were trying to pimp out their services – both of them malware dropper services. Someone else asked if I was with the FBI.

The USA perspective was interesting. I hadn’t realized that the guys on the forums can see/track my IP address and from there work out where I’m located. I’ll have to do some experimenting with anonymous proxies and TOR networks. I ran across a few video tutorials on the topic yesterday. That’ll be my homework for this evening – getting something setup and hiding my IP address forever more…

July 4, 2009 

Surprise in the snail mail – company papers just came back. I’m now the CEO of Thrull Networks! Cool company name huh! I wonder if anyone will ever figure it out – thought it was apt at the time. Maybe it’s a little too close to the mark. 5% on the dumbness scale I guess. Will have to be smarter in the future. I’m going to keep it though. Even saw that some related .com and .net domain names are available for registering.

Earlier this morning I went out and bought a couple of new laptops. Nothing special, just some small(ish) $800 laptops that I’m dedicating to my botnet business – and will never taint them with the Thrull Networks consulting business. Although I will be claiming them as tax deductable expenditures. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

Also spent most of today coming up with the rules I’m going to work under for achieving principles (1) and (3)… and maybe a little of (0) too.

So, the new rules…

A) Separate systems for work/pleasure/personal and botnets. The two new laptops are JUST for the botnet business. I’ve already installed a full disk encryption scheme and come up with a 44 character password. I doubt that anyone’ll be breaking that mother anytime soon.

B) Never connect to the botnet CnC or do any botnet-related business from my home network. Given the general availability of free WiFi at Starbucks and McDonald, etc., I’ll use those. A couple of additional rules there though – don’t frequent them in a regular pattern (sounds like a Tom Clancy spy novel), and don’t use stores that have CCTV setups. I was tempted to use some of the unsecured WiFi networks in the neighborhood – but that may be a little too close for comfort. Besides, the coffee will be better than what I have at home.

C) Change the MAC on the laptops regularly. I’ve already downloaded and installed a cool piece of software that does precisely that. I’ve also installed a bundle of different Web browsers – but have deliberately not installed any plug-ins etc. I was reading recently a couple of online projects that showed how they could query your Web browser through JavaScript and the DOM to build a signature of the browser – and how “unique” that became once you started installing plug-ins and how regularly you kept them patched. So I’m planning on keeping the laptops as simple and “dumb” as possible.

D) Never connect directly to the botnet infrastructure. Lesson learned yesterday. TOR and anonymous proxies are now default on all my computers – especially the two new laptops!

E) While encryption is my friend. Asymmetric crypto is going to be my live-in lover. Thanks Bruce for the tips!

July 9, 2009

Been playing around all week with the DIY kits I downloaded a couple of weeks back. The Zeus kit is pretty impressive with its polymorphic malware generator. I was running its output past some of the free online antivirus scanning portals and noting which (if any) antivirus tools detected the samples. On average, only a couple of the AV tools detected anything – and if they did, it was only some kind of generic signature such as w32.suspicious etc.

I was originally using www.virustotal.com, but when I tried to find other AV portals that might have more AV products in them I stumbled over a couple of cool threads that explained why I shouldn’t use that site (and a few others) because they share the malware samples with the AV vendors. Therefore the AV vendors will have detection signatures for the malware out within a few days. That sucks – because I probably just wasted a few dozen cool pieces of Zeus malware. Luckily there were plenty of alternative AV testing portals being recommended and (yet more) tutorials on how to set up your own malware QA testing regimes. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

I’ve settled on www.virtest.com now. They charge a few dollars for the privilege of testing the malware I submit, but they allow me to upload multiple malware samples simultaneously in bulk format. They also have some other services for checking out the malware delivery websites too – so you can check to see if the exploit packs used by the Zeus kit (and others) are correctly installed and whether the other AV components (e.g. HIPS) detect the infection. Their VIP account is $50 per month. I’ll have to figure out a good way to pay for the service. Something that can’t be traced back to me personally…

July 10, 2009 

I spent the entire morning down at the Starbucks down by the park using their “free” WiFi. Cost me about $26 in coffee for the 4 hours.

Anyway, I set up a handful of free webmail accounts. A couple of Gmail accounts, a couple of Hotmail accounts and a couple of Yahoo accounts. I entered in garbage “personal” information, but gave them all the same password – “Lucky4Me*Unlucky4U”. They’re disposable accounts for trialing out a few new concepts and learning what works.

Next, I created a couple of websites to host the Zeus CnC console pages. I had originally been worried about how I was going to have to pay for the web hosting – but a quick search for “free web hosting” revealed plenty of services – including portals that provide detailed reviews of all the providers. Woohoo.

It took me about an hour to create the sites on 0000free.com. It’s the first website I’ve ever built – and I had to learn some PHP while doing it all. On the job training if you like. The index page is just a copy/paste job from some car-parts website – and the Zeus CnC configuration and bot registration pages are off in a subfolder. They’re accessible if you know the URL, but they’re intentionally not linked to from anywhere. I don’t really want some search engine crawling the sites and flagging the Zeus CnC.

I’ll be spending some time later tonight generating some malware samples that’ll use the two new CnC URLs. That’ll be hard work – should take me all of 10 seconds ?

July 11, 2009 

A botnet is born. I’m a father!

So, this morning I headed off to the Starbucks over by the athletics center to play with my newly minted malware and the CnC services.

I originally set up a VMWare session on the laptop and infected it with the new malware bot agent and watched it reach out to the CnC server. Meanwhile I browsed to the website, logged in to the CnC console, and saw the test victim register itself – so I spent a good half hour testing out all the features of the bot agent. It’s pretty slick. Ugly, but slick. The toughest part of all this was setting up the TOR agent to provide the anonymous web access in reaching the CnC console.

To get the bot malware into play I decided to upload the samples to the Newsgroups – since they don’t require me to host the files directly and also provide anonymous Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

uploading. One file I named “Windows7KeygenCrack.exe” and the other “iTunesDRMRemover.exe”, and included some BS text about how good the tools are. They were both uploaded to a handful of different alt.binaries. groups using different email accounts and source IP addresses.

I hung around Starbuck for another hour, but didn’t see any victims appear on the Zeus console – so paid a visit to Bill & Ted and grabbed lunch with them in town. Ted’s already gotten a new job at some Scottish bank. Chose not to tell them about my botnet research. The ideas may have come from them originally, but I’m not about to share this secret.

Anyhow, I popped in to the McDonalds by the railway station at about 4pm and connected to the Internet to see how my “botnet” was coming along. Surprise, surprise, I had three new members to my botnet. How cool is that! I was well chuffed with that small success and subsequently spent an entire hour connecting to each computer and checking out what I could access on their systems. Just as I was about to pack things up and head off home a fourth computer joined my botnet.

I couldn’t stop smiling on my way home from McDonalds. I think I may have even said “I’ve just fathered my first botnet” somewhere on the walk up the hill. Haha.

Guess where I’ll be tomorrow morning…

July 12, 2009 

Got to Starbucks early this morning and was online with my baby botnet by at least 9:30am. It had swollen over night and the counter had reached 18 computers – but I could only contact 6 of them. The others must have been turned off or something.

For the next hour (and second cup of Java) I created a couple dozen new malware bot agents and configured them to point to the same two Zeus CnC servers I’d set up yesterday. I then went on to use the same Newsgroup tactics – but picking a few other juicy social engineering file names (and descriptions) – e.g. “AcrobatProfessionalKeygen.exe”, “RossettaStoneLanguagePackUnlocker.exe”, etc.

By the time I left the coffee shop the botnet had grown to 23 computers – mostly in the US and the Netherlands, but a couple from Australia and Taiwan.

Went home afterwards to do some more studying and recon, and found some good information on how to automatically pull back account and identity information from Zeus malware clients. There are a number of scripts that you could run automatically on each botnet computer to extract their webmail credentials, anything they’ve told their IE or Firefox web browsers to remember, etc.

I also found some plug-ins for the Zeus CnC console that help to manage the data that comes back from the keylogger and other info-stealer components – which I installed on the web servers later on my return trip to Starbucks – and left CnC commands for the botnet malware to automatically start collecting and uploading the identity information. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

By 7:30pm my botnet had reached 200 members. It’s no longer a “family unit”; it’s a small village and I’m Pastor of the flock.

July 14, 2009

Had a couple of contract interviews yesterday, and hadn’t managed to check on how my baby was coming along for a couple of days. So, it was with a rather pleasant surprise I noted that the botnet had reached 3,320 computers.

Actually, I’m not so sure about the number and whether it’s a good number to rely upon. The number of computers “active” were about 450 – and I tested that I could control them OK. As for the rest, well, they were “offline” – but I did have files from all 3,000+ computers sitting on the CnC server – so I guess they were successfully compromised with my botnet agent.

I moved all the files off the two CnC servers and copied them to the laptop. When I got home I started doing some analysis.

Brief stats (for posterity)…

942 Facebook accounts

766 Twitter accounts

322 Gmail accounts

318 Hotmail accounts

193 Yahoo accounts

76 Paypal accounts

… and lots of sub-50 accounts – many for services/websites I’ve never heard of before. All told, about 5,500 different accounts.

BTW I’m not sure I like using Starbucks – I’m spending too much money on coffee there ?

July 15, 2009

The botnet’s now reached 4,000 computers.

There was an email from 0000free.com waiting for me from yesterday. Apparently I should be upgrading to a paid account because of all the traffic/hits the site has been receiving. Just as well I moved off all the identity information and files – I was almost over the file quota too!

July 16, 2009

4,300. What’s the population have to be before a village can be called a town?

Created another couple of dozen malware for release on the Newsgroups since the botnet growth appeared to be slowing down.

July 17, 2009 

I think I’m the Mayor of a small town now. I visited the Starbucks down by the strip mall this afternoon and logged in to the botnet. 11,435 computers!

At first I thought it may have been a mistake since the size jump was so large. Introducing a couple new malware downloads didn’t get that much of a leap last time. But I figured it out after about 20 minutes of probing and searching. It would seem that the new file “MichaelJacksonDeath-OfficialAutopsyReport.exe” was more successful. It also managed to make its way on to some Torrent server and plenty of people are downloading it.

New lessons learnt from yesterday’s efforts: Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

1) Tying social engineering to media and entertainment current events results yields more additions to a botnet.

2) Torrent networks can make the botnet malware reach more people faster.

July 18, 2009

Just as well I downloaded all those new files yesterday, because the botnet is dead. I’m no longer the Mayor.

This morning I popped on over at the Library for a bit of their WiFi access and tried to connect to my CnC servers. Nothing – well, more than nothing, the Zeus CnC pages had been deleted and my webserver account had been disabled. There were instructions to phone the helpdesk to discuss reactivation.

Waiting in the inbox of the webmail account I used to register the free websites was an email telling me that my site may have been hacked and was being used for malicious purposes.

A quick Google revealed that both CnC URL’s and configuration files were listed up on ZeusTracker.abuse.ch.


July 19, 2009 

All is not lost. I’ve still got all those identity/account detail files from all my botnet computers. The total – adding the first batch with the batch from the 17th – comes to a little shy of 19,000 unique sets of credentials. I can still access any (if not all) of those stolen accounts anytime in the future.

Better yet – there’s absolutely nothing that can be tracked back to me. Sure, the botnet is now out of my control (and computers are still being compromised with the malware which is still in circulation in the Newsgroups and Torrents), but I’m safe and have learnt a few new lessons.

That said though, it’s about time I started to focus on bringing in the money from the botnets. I’m not going to get that Porsche building botnets for botnets sake. I could easily enough find buyers for the stolen information – the hacker forums are overflowing with buyers and agents. That’s not a problem. The problem lies in converting “Internet money” into cash – and laundering those transactions sufficiently.

With that in mind, I spent all afternoon researching offshore banking and the creation of anonymous accounts. Disappointingly those infamous Swiss Numbered Accounts don’t exist anymore – at least not like they do in the movies.

I managed to narrow it down to three banking accounts and, as my finances grow, I’ll start to bring them on line. I’ve found agents that will allow me to set up Swiss banking accounts online. They require proof of address, but they provide a level of guarantee that personal information will not be supplied to anyone outside of Switzerland. The Cayman Island accounts are easier to set up – and don’t require an agent – but require a higher deposit. They’re a little too rich for my tastes at the moment – but I’ll probably add an account once I break the $100k per month revenue stream (if ever?). Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

No, the account I created online this evening was for a Panama Bearer Share Corporation account. As of an hour ago I’m now CEO of a second company – “Net Wizards LLC.”. I deposited $5,000 into the account. Not only does it provide an anonymous business front and full international banking facilities, but it comes with 4% interest and the credit cards issued against the account should be arriving in 10 days time.

July 20, 2009

I’m back in the botnet business!

I was keeping a couple of my hacker forum accounts live by responding to a few message threads and I stumbled across a couple of reputable botmasters that were in the process of selling off sections of their botnets. They were offering batches of 100 bots with dedicated CnC hosted servers for $200 each.

Most significantly though – there were alternatives to the $200 in Webmoney or PayPal funds – they’d accept hacked webmail accounts, Facebook accounts and Twitter accounts.

After a little back and forth, we agreed on the trade and exchange mode (had to use an agent that was pre-vetted on the forum – one of the administrators – who charges 10% for his time/effort). From X4cker I picked up 600 bots and two CnC servers (in the Ukraine no less) for 3,000 Gmail accounts and 1,000 Hotmail accounts. From Dankar007 I managed to procure 500 bots for the princely sum of 500 PayPal accounts. The site administrator/agent didn’t do too badly out of the deal either. I’m sure that he (or she?) now has his own copies of all those accounts.

After some quick verification and having tested the access to the two botnets, I created a new Zeus botnet agent and pushed it down to all 1,100 bots – and changed the admin credentials on the CnC servers.

Not only am I back in “business” with a brand new botnet, but I’ve still got all those account details from the previous botnet that I can continue trading/reselling to other operators.

— I just realized that this diary is now precisely one month old. In that month I lost my job, founded two companies, become a CEO, built a botnet, lost a botnet, established a reputation in the hacker communities, opened an international banking account, and just purchased my second botnet.

Time to start pulling together the business plan for constructing a profitable money-making botnet! The “march to a million” sounds like a great idea, but I’d prefer to aim for Steve Austin’s The Six Million Dollar Man. I’m pretty confident that I can reach that target over the next 11 months! What would mom say?

Original BlackHat PDF file –


ZeuS Tracker Statistics – https://zeustracker.abuse.ch/statistic.php

Note: This is a fictitious (and subtly macabre, but hopefully humorous) diary account loosely based upon real investigations of professional botnet operators and the criminal enterprises they created to monetize the data and systems under their control. It does not represent a single botnet operator, rather it represents a concatenation of notable business models, decisions and discussions from a spectrum of criminal operators. Names and places have been deliberately altered. No animals were harmed in the making of this diary.



Tor hidden service secrets

Tor hidden service secrets

gAtO fRiDaY 10-18-2012 update hay you want to see a secret -hidden service –

Creative Hack – http://2kcreatydoneqybu.onion 

on top of this the name is custom – so that took extra time and efforts and the site is real when you have thier secret token — https://ahmia.fi/pagescreenshots/2kcreatydoneqybu.png

here you can take a look at this site anyway – try to extract any information from this secret Tor Website – you can’t see any source code – so you can’t make it error to extract information. I ask a friend that’s a Penn Tester to check this out – If anyone can extract any information please let me know –gAtOoUt

gAtO fRiDaY – sound off! – As i play with my new Tor hidden service – “Ok just apache website running https: a static site -right now” – What we know is that a Tor hidden service stays hidden until you send someone your .onion URL (example:- otwxbdvje5ttplpv.onion ) now once you know the URL your have access to the site. You may have to log in like on most bb sites but at least you reached the hidden service and now you can do stuff. 

While looking at the torrc file setting I found a little secret that with (server side) HiddenServiceAuthorizeClient-tag and the HidServAuth-tag on the (client) side -// your hidden service is now INVISIBLE to only the people that have a secret key installed in their “torrc” client file. In plain talk –

1. I put a special key on my hidden server – torrc file – HiddenServiceAuthorizeClient
2. generate a new key for client side – “what_ever_bcuuw46b3heyy”
3. send keys to the secret agents that can see or access the site HidServAuth
4. Only the people with my KEY can get to the front door of my hidden service – torrc file HidServAuth

This makes it hard to find the hidden service even if you have the URL ///./. it does nothing, no source code like a normal website. I ran into a few of these and had no clue why these sites behaved the way they did. I can pick apart most websites, at least, basics like html, asp, js, java directory you can gleam all kinds of information. But if you hit one of these site in Tor well it a big 0 -zero -///.

With my TDS project (Tor Directory Scan) I am generating an onion URL A-Za-z 2-7 URL and going out to scrape it and get some basic information about the site with a basic web crawler that grabs METADATA and not just links to other pages. If I hit these sites with my basic program I’ll get a dud -zero -///- but I will have a hit of sort. I hope to catch some of these sites – we all know the rcp command works well in Tor sometimes I found and httrack is another tool for sucking up site // be they hidden service or not – these secret hidden services will be very interesting in the scan -gATO oUt

— Tor Syntax

HiddenServiceAuthorizeClient auth-type client-name,client-name,…
If configured, the hidden service is accessible for authorized clients only. The auth-type can either be ‘basic’ for a general-purpose authorization protocol or ‘stealth’ for a less scalable protocol that also hides service activity from unauthorized clients. Only clients that are listed here are authorized to access the hidden service. Valid client names are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is not accessible for clients without authorization any more. Generated authorization data can be found in the hostname file. Clients need to put this authorization data in their configuration file using HidServAuth.

HidServAuth onion-address auth-cookie [service-name]
Client authorization for a hidden service. Valid onion addresses contain 16 characters in a-z2-7 plus “.onion”, and valid auth cookies contain 22 characters in A-Za-z0-9+/. The service name is only used for internal purposes, e.g., for Tor controllers. This option may be used multiple times for different hidden services. If a hidden service uses authorization and this option is not set, the hidden service is not accessible. Hidden services can be configured to require authorization using the HiddenServiceAuthorizeClient option


Pierluigi Paganini – Cyber Weapons – Cyber Threat Summit 2012

Excellent presentation from Pierluigi at the ICTTF Cyber Threat Summit 2012. Apologies for the microphone problems (some twat in the audience was using a frequency jammer).The rise of Cyber Weapons and relative impact on cyber space. Well worth a watch.

Pierluigi can be found at http://securityaffairs.co/wordpress/ He is the co-author of the new book

The Deep Dark Web – coming soon


Tor Command syntax

gAtO wAnT’s – just the simple command syntax -from the OG-OR Roger Dingledine -Nick Mathewson the Tor gods.




       tor - The second-generation onion router


       tor [OPTION value]...


       tor  is  a connection-oriented anonymizing communication service. Users
       choose a source-routed path through a set of  nodes,  and  negotiate  a
       "virtual  circuit"  through  the  network, in which each node knows its
       predecessor and successor, but no  others.  Traffic  flowing  down  the
       circuit is unwrapped by a symmetric key at each node, which reveals the
       downstream node.

       Basically  tor  provides  a  distributed  network  of  servers  ("onion
       routers"). Users bounce their TCP streams -- web traffic, ftp, ssh, etc
       -- around the routers, and recipients, observers, and even the  routers
       themselves have difficulty tracking the source of the stream.


       -h, -help Display a short help message and exit.

       -f FILE
              FILE   contains   further   "option   value"   pairs.  (Default:

              Generates a hashed password for control port access.

              Generate your keys and output your nickname and fingerprint.

              Verify the configuration file is valid.

              --service [install|remove|start|stop]  Manage  the  Tor  Windows
              NT/2000/XP  service.   Current  instructions  can  be  found  at

              List all valid options.

              Display Tor version.

       Other options can be specified either on the command-line (--option
              value),  or  in  the configuration file (option value).  Options
              are case-insensitive.

       BandwidthRate N bytes|KB|MB|GB|TB
              A token bucket limits the average incoming  bandwidth  usage  on
              this  node  to the specified number of bytes per second, and the
              average outgoing bandwidth usage to that same value. (Default: 3

       BandwidthBurst N bytes|KB|MB|GB|TB
              Limit the maximum token bucket size (also known as the burst) to
              the given number of bytes in each direction. This  value  should
              be at least twice your BandwidthRate. (Default: 6 MB)

       MaxAdvertisedBandwidth N bytes|KB|MB|GB|TB
              If set, we will not advertise more than this amount of bandwidth
              for our BandwidthRate. Server operators who want to  reduce  the
              number  of clients who ask to build circuits through them (since
              this is proportional to  advertised  bandwidth  rate)  can  thus
              reduce the CPU demands on their server without impacting network

       ConnLimit NUM
              The minimum number of file descriptors that must be available to
              the Tor process before it will start. Tor will ask the OS for as
              many file descriptors as the OS will allow (you can find this by
              "ulimit -H -n"). If this number is less than ConnLimit, then Tor
              will refuse to start.

              You probably don’t need to adjust this.  It  has  no  effect  on
              Windows since that platform lacks getrlimit(). (Default: 1000)

       ControlPort Port
              If set, Tor will accept connections on this port and allow those
              connections to control the Tor process  using  the  Tor  Control
              Protocol (described in control-spec.txt).  Note: unless you also
              specify one of  HashedControlPassword  or  CookieAuthentication,
              setting  this  option will cause Tor to allow any process on the
              local host to control it. This option is required for  many  Tor
              controllers; most use the value of 9051.

       ControlListenAddress IP[:PORT]
              Bind  the  controller listener to this address. If you specify a
              port, bind to  this  port  rather  than  the  one  specified  in
              ControlPort.  We  strongly  recommend  that you leave this alone
              unless you know what you’re doing, since giving attackers access
              to   your   control  listener  is  really  dangerous.  (Default:
     This directive can be  specified  multiple  times  to
              bind to multiple addresses/ports.

       HashedControlPassword hashed_password
              Don’t  allow any connections on the control port except when the
              other  process  knows  the  password  whose  one-way   hash   is
              hashed_password.   You  can  compute  the  hash of a password by
              running "tor --hash-password password".

       CookieAuthentication 0|1
              If this option is set to 1, don’t allow any connections  on  the
              control  port  except  when  the  connecting  process  knows the
              contents of a file named "control_auth_cookie", which  Tor  will
              create  in  its  data  directory.   This  authentication methods
              should only be used on systems with  good  filesystem  security.
              (Default: 0)

       DataDirectory DIR
              Store working data in DIR (Default: /var/lib/tor)

       DirServer [nickname] [flags] address:port fingerprint
              Use a nonstandard authoritative directory server at the provided
              address and port, with  the  specified  key  fingerprint.   This
              option  can  be  repeated many times, for multiple authoritative
              directory servers.  Flags are separated by spaces, and determine
              what  kind of an authority this directory is.  By default, every
              authority is authoritative for current ("v2")-style directories,
              unless  the  "no-v2"  flag  is  given.   If  the  "v1"  flags is
              provided, Tor will use this server as an authority for old-style
              (v1)  directories  as  well.  (Only directory mirrors care about
              this.)  Tor will use this server  as  an  authority  for  hidden
              service information if the "hs" flag is set, or if the "v1" flag
              is set and the "no-hs" flag is not set.  If a flag "orport=port"
              is  given,  Tor  will  use the given port when opening encrypted
              tunnels to the dirserver.  If no dirserver line  is  given,  Tor
              will  use  the  default directory servers.  NOTE: this option is
              intended for setting up a  private  Tor  network  with  its  own
              directory   authorities.    If   you   use   it,   you  will  be
              distinguishable from other users, because you won’t believe  the
              same authorities they do.

       FetchHidServDescriptors 0|1
              If set to 0, Tor will never fetch any hidden service descriptors
              from the rendezvous directories. This option is only  useful  if
              you’re  using  a Tor controller that handles hidserv fetches for
              you.  (Default: 1)

       FetchServerDescriptors 0|1
              If set to 0, Tor will never fetch any network  status  summaries
              or server descriptors from the directory servers. This option is
              only useful if  you’re  using  a  Tor  controller  that  handles
              directory fetches for you.  (Default: 1)

       FetchUselessDescriptors 0|1
              If  set  to 1, Tor will fetch every non-obsolete descriptor from
              the authorities that it hears about. Otherwise,  it  will  avoid
              fetching  useless  descriptors, for example for routers that are
              not  running.   This  option  is  useful  if  you’re  using  the
              contributed  "exitlist"  script to enumerate Tor nodes that exit
              to certain addresses.  (Default: 0)

       Group GID
              On startup, setgid to this group.

       HttpProxy host[:port]
              Tor will make all its directory requests through this  host:port
              (or  host:80  if  port is not specified), rather than connecting
              directly to any directory servers.

       HttpProxyAuthenticator username:password
              If defined, Tor will use this username:password for  Basic  Http
              proxy authentication, as in RFC 2617. This is currently the only
              form of Http proxy authentication that Tor supports;  feel  free
              to submit a patch if you want it to support others.

       HttpsProxy host[:port]
              Tor  will  make  all  its  OR  (SSL)  connections  through  this
              host:port (or host:443 if  port  is  not  specified),  via  HTTP
              CONNECT  rather  than  connecting  directly to servers.  You may
              want to set FascistFirewall to restrict the  set  of  ports  you
              might  try  to  connect  to,  if  your  Https  proxy only allows
              connecting to certain ports.

       HttpsProxyAuthenticator username:password
              If defined, Tor will use this username:password for Basic  Https
              proxy authentication, as in RFC 2617. This is currently the only
              form of Https proxy authentication that Tor supports; feel  free
              to submit a patch if you want it to support others.

       KeepalivePeriod NUM
              To  keep  firewalls  from  expiring  connections, send a padding
              keepalive cell every NUM seconds on open connections that are in
              use.  If the connection has no open circuits, it will instead be
              closed after NUM seconds of idleness. (Default: 5 minutes)

       Log minSeverity[-maxSeverity] stderr|stdout|syslog
              Send all messages between minSeverity  and  maxSeverity  to  the
              standard  output  stream,  the  standard error stream, or to the
              system log. (The "syslog" value  is  only  supported  on  Unix.)
              Recognized  severity  levels  are debug, info, notice, warn, and
              err.  We advise using "notice" in  most  cases,  since  anything
              more  verbose  may  provide sensitive information to an attacker
              who obtains the logs.  If only one severity level is given,  all
              messages  of  that  level  or  higher will be sent to the listed

       Log minSeverity[-maxSeverity] file FILENAME
              As above, but send log messages to  the  listed  filename.   The
              "Log"  option may appear more than once in a configuration file.
              Messages are sent to all the  logs  that  match  their  severity

       OutboundBindAddress IP
              Make  all  outbound  connections  originate  from the IP address
              specified.  This is only useful when you have  multiple  network
              interfaces,  and  you  want all of Tor’s outgoing connections to
              use a single one.

       PidFile FILE
              On startup, write our PID to FILE.  On  clean  shutdown,  remove

       ProtocolWarnings 0|1
              If  1,  Tor will log with severity ’warn’ various cases of other
              parties not following the Tor specification. Otherwise, they are
              logged with severity ’info’. (Default: 0)

       RunAsDaemon 0|1
              If  1,  Tor  forks and daemonizes to the background. This option
              has no effect on Windows; instead you should use  the  --service
              command-line option. (Default: 0)

       SafeLogging 0|1
              If  1,  Tor  replaces  potentially sensitive strings in the logs
              (e.g. addresses) with the string [scrubbed]. This way  logs  can
              still   be  useful,  but  they  don’t  leave  behind  personally
              identifying information about  what  sites  a  user  might  have
              visited. (Default: 1)

       User UID
              On startup, setuid to this user.

       HardwareAccel 0|1
              If  non-zero,  try  to  use  crypto  hardware  acceleration when
              available. This is untested and probably buggy. (Default: 0)

       AvoidDiskWrites 0|1
              If non-zero, try to write to disk less frequently than we  would
              otherwise.  This is useful when running on flash memory or other
              media that support only a limited number of  writes.   (Default:

       TunnelDirConns 0|1
              If  non-zero, when a directory server we contact supports it, we
              will build a one-hop circuit and make  an  encrypted  connection
              via its ORPort. (Default: 0)

       PreferTunneledDirConns 0|1
              If  non-zero, we will avoid directory servers that don’t support
              tunneled directory connections, when possible. (Default: 0)


       The following  options  are  useful  only  for  clients  (that  is,  if
       SocksPort is non-zero):

       AllowInvalidNodes entry|exit|middle|introduction|rendezvous|...
              If  some  Tor  servers  are  obviously  not  working  right, the
              directory authorities can manually mark them as invalid, meaning
              that  it’s  not  recommended  you  use  them  for  entry or exit
              positions in your circuits. You can opt  to  use  them  in  some
              circuit  positions,  though. The default is "middle,rendezvous",
              and other choices are not advised.

       CircuitBuildTimeout NUM
              Try for at most NUM  seconds  when  building  circuits.  If  the
              circuit  isn’t  open  in  that time, give up on it.  (Default: 1

       CircuitIdleTimeout NUM
              If we have keept a clean (never used)  circuit  around  for  NUM
              seconds, then close it. This way when the Tor client is entirely
              idle, it can expire all of its circuits, and then expire its TLS
              connections.  Also,  if  we  end up making a circuit that is not
              useful for exiting any of the requests we’re receiving, it won’t
              forever  take up a slot in the circuit list.  (Default: 1 hour.)

       ClientOnly 0|1
              If set to 1, Tor will under no circumstances run  as  a  server.
              The  default  is to run as a client unless ORPort is configured.
              (Usually, you don’t need to set this; Tor  is  pretty  smart  at
              figuring  out whether you are reliable and high-bandwidth enough
              to be a useful server.)  (Default: 0)

       ExcludeNodes nickname,nickname,...
              A list of nodes to never use when building a circuit.

       EntryNodes nickname,nickname,...
              A list of preferred nodes to  use  for  the  first  hop  in  the
              circuit.    These   are   treated  only  as  preferences  unless
              StrictEntryNodes (see below) is also set.

       ExitNodes nickname,nickname,...
              A list of preferred nodes  to  use  for  the  last  hop  in  the
              circuit.    These   are   treated  only  as  preferences  unless
              StrictExitNodes (see below) is also set.

       StrictEntryNodes 0|1
              If 1, Tor will never use  any  nodes  besides  those  listed  in
              "EntryNodes" for the first hop of a circuit.

       StrictExitNodes 0|1
              If  1,  Tor  will  never  use  any nodes besides those listed in
              "ExitNodes" for the last hop of a circuit.

       FascistFirewall 0|1
              If 1, Tor will only create outgoing connections to  ORs  running
              on  ports that your firewall allows (defaults to 80 and 443; see
              FirewallPorts).  This will allow you to  run  Tor  as  a  client
              behind  a firewall with restrictive policies, but will not allow
              you to run as a server behind such a firewall.  This  option  is
              deprecated; use ReachableAddresses instead.

       FirewallPorts PORTS
              A  list  of  ports  that your firewall allows you to connect to.
              Only  used  when  FascistFirewall  is  set.   This   option   is
              deprecated; use ReachableAddresses instead. (Default: 80, 443)

       ReachableAddresses ADDR[/MASK][:PORT]...
              A  comma-separated  list  of  IP  addresses  and ports that your
              firewall allows you to connect to. The  format  is  as  for  the
              addresses  in  ExitPolicy,  except  that  "accept" is understood
              unless  "reject"   is   explicitly   provided.    For   example,
              ’ReachableAddresses,  reject,  accept
              *:80’ means that your firewall allows connections to  everything
              inside  net  99,  rejects  port  80  connections  to net 18, and
              accepts connections to port  80  otherwise.   (Default:  ’accept

       ReachableDirAddresses ADDR[/MASK][:PORT]...
              Like  ReachableAddresses,  a  list  of addresses and ports.  Tor
              will   obey   these   restrictions   when   fetching   directory
              information,  using  standard  HTTP  GET  requests.  If  not set
              explicitly then the value of  ReachableAddresses  is  used.   If
              HttpProxy  is  set  then  these connections will go through that

       ReachableORAddresses ADDR[/MASK][:PORT]...
              Like ReachableAddresses, a list of  addresses  and  ports.   Tor
              will  obey  these restrictions when connecting to Onion Routers,
              using  TLS/SSL.   If  not  set  explicitly  then  the  value  of
              ReachableAddresses  is  used.  If  HttpsProxy  is set then these
              connections will go through that proxy.

              The     separation     between     ReachableORAddresses      and
              ReachableDirAddresses   is   only   interesting   when  you  are
              connecting through proxies (see HttpProxy and HttpsProxy).  Most
              proxies  limit  TLS  connections  (which  Tor uses to connect to
              Onion Routers) to port 443, and some  limit  HTTP  GET  requests
              (which  Tor uses for fetching directory information) to port 80.

       LongLivedPorts PORTS
              A list of ports for services  that  tend  to  have  long-running
              connections  (e.g.  chat  and  interactive shells). Circuits for
              streams that use  these  ports  will  contain  only  high-uptime
              nodes,  to reduce the chance that a node will go down before the
              stream is finished.  (Default: 21, 22, 706,  1863,  5050,  5190,
              5222, 5223, 6667, 6697, 8300)

       MapAddress address newaddress
              When a request for address arrives to Tor, it will rewrite it to
              newaddress before processing it. For example, if you always want
              connections  to  www.indymedia.org  to exit via torserver (where
              torserver is  the  nickname  of  the  server),  use  "MapAddress
              www.indymedia.org www.indymedia.org.torserver.exit".

       NewCircuitPeriod NUM
              Every  NUM  seconds  consider  whether  to  build a new circuit.
              (Default: 30 seconds)

       MaxCircuitDirtiness NUM
              Feel free to reuse a circuit that was first  used  at  most  NUM
              seconds  ago, but never attach a new stream to a circuit that is
              too old.  (Default: 10 minutes)

       EnforceDistinctSubnets 0|1
              If 1, Tor will not put two servers whose IP addresses  are  "too
              close"  on  the same circuit.  Currently, two addresses are "too
              close" if they lie in the same /16 range. (Default: 1)

       RendNodes nickname,nickname,...
              A list of preferred nodes to use for the  rendezvous  point,  if

       RendExcludeNodes nickname,nickname,...
              A list of nodes to never use when choosing a rendezvous point.

       SocksPort PORT
              Advertise  this  port  to  listen  for  connections  from Socks-
              speaking applications.  Set this to 0 if you don’t want to allow
              application connections. (Default: 9050)

       SocksListenAddress IP[:PORT]
              Bind  to  this  address  to  listen  for connections from Socks-
              speaking applications. (Default: You can also specify
              a port (e.g.  This directive can be specified
              multiple times to bind to multiple addresses/ports.

       SocksPolicy policy,policy,...
              Set an entrance policy for this server, to limit who can connect
              to  the  Socks  ports.   The policies have the same form as exit
              policies below.

       SocksTimeout NUM
              Let a socks connection wait NUM  seconds  handshaking,  and  NUM
              seconds unattached waiting for an appropriate circuit, before we
              fail it.  (Default: 2 minutes.)

       TestVia nickname,nickname,...
              A list of nodes to prefer for  your  middle  hop  when  building
              testing   circuits.   This   option   is  mainly  for  debugging
              reachability problems.

       TrackHostExits host,.domain,...
              For each value in the  comma  separated  list,  Tor  will  track
              recent connections to hosts that match this value and attempt to
              reuse the same exit node for each. If  the  value  is  prepended
              with  a  ’.’, it is treated as matching an entire domain. If one
              of the values is just a ’.’, it  means  match  everything.  This
              option  is  useful  if you frequently connect to sites that will
              expire all your authentication cookies (ie log you out) if  your
              IP  address  changes.  Note  that  this  option  does  have  the
              disadvantage of making it more clear that  a  given  history  is
              associated  with  a  single user. However, most people who would
              wish to observe this will observe it through  cookies  or  other
              protocol-specific means anyhow.

       TrackHostExitsExpire NUM
              Since exit servers go up and down, it is desirable to expire the
              association between host and exit server after NUM seconds.  The
              default is 1800 seconds (30 minutes).

       UseEntryGuards 0|1
              If  this  option  is  set  to  1,  we pick a few long-term entry
              servers, and try to stick with them.  This is desirable  because
              constantly changing servers increases the odds that an adversary
              who owns some servers will observe a  fraction  of  your  paths.
              (Defaults to 1.)

       NumEntryGuards NUM
              If  UseEntryGuards  is  set to 1, we will try to pick a total of
              NUM routers as long-term entries for our circuits.  (Defaults to

       SafeSocks 0|1
              When  this  option  is  enabled,  Tor  will  reject  application
              connections that use unsafe variants of the  socks  protocol  --
              ones that only provide an IP address, meaning the application is
              doing a DNS resolve first.  Specifically, these are  socks4  and
              socks5 when not doing remote DNS.  (Defaults to 0.)

       TestSocks 0|1
              When  this  option  is enabled, Tor will make a notice-level log
              entry for each connection to the Socks port  indicating  whether
              the  request  used  a  safe socks protocol or an unsafe one (see
              above entry on SafeSocks).  This helps to determine  whether  an
              application   using   Tor  is  possibly  leaking  DNS  requests.
              (Default: 0)

       VirtualAddrNetwork Address/bits
              When a controller asks for a virtual (unused) address  with  the
              MAPADDRESS  command,  Tor  picks an unassigned address from this
              range.  (Default:

              When providing proxy server service to a  network  of  computers
              using   a  tool  like  dns-proxy-tor,  change  this  address  to
              ""     or     "".      The     default
              VirtualAddrNetwork   address  range  on  a  properly  configured
              machine will route to the loopback interface.  For local use, no
              change to the default VirtualAddrNetwork setting is needed.

       AllowNonRFC953Hostnames 0|1
              When  this  option  is disabled, Tor blocks hostnames containing
              illegal characters (like @ and :) rather than sending them to an
              exit  node  to be resolved.  This helps trap accidental attempts
              to resolve URLs and so on.  (Default: 0)

       FastFirstHopPK 0|1
              When this option is enabled and we aren’t running as  a  server,
              Tor  skips  the  public  key  step for the first hop of creating
              circuits.  This is safe  since  we  have  already  used  TLS  to
              authenticate  the  server  and to establish forward-secure keys.
              Turning  this  option  off  makes   circuit   building   slower.
              (Default: 1)

       TransPort PORT
              If  non-zero,  enables  transparent  proxy  support  on PORT (by
              convention, 9040).  Requires OS support for transparent proxies,
              such as BSDs’ pf or Linux’s IPTables.  If you’re planning to use
              Tor as a transparent proxy for a network, you’ll want to examine
              and  change  VirtualAddrNetwork from the default setting. You’ll
              also want to set the TransListenAddress option for  the  network
              you’d like to proxy.  (Default: 0).

       TransListenAddress IP[:PORT]
              Bind   to   this   address   to  listen  for  transparent  proxy
              connections.   (Default:   This   is   useful   for
              exporting a transparent proxy server to an entire network.

       NATDPort PORT
              Allow  old  versions  of  ipfw  (as  included in old versions of
              FreeBSD, etc.) to send connections through Tor  using  the  NATD
              protocol.   This  option  is  only  for  people  who  cannot use

       NATDListenAddress IP[:PORT]
              Bind to this address to listen for NATD connections.   (Default:


       The  following  options are useful only for servers (that is, if ORPort
       is non-zero):

       Address address
              The IP or fqdn of this  server  (e.g.  moria.mit.edu).  You  can
              leave this unset, and Tor will guess your IP.

       AssumeReachable 0|1
              This option is used when bootstrapping a new Tor network. If set
              to 1, don’t  do  self-reachability  testing;  just  upload  your
              server descriptor immediately. If AuthoritativeDirectory is also
              set, this  option  instructs  the  dirserver  to  bypass  remote
              reachability  testing  too  and  list  all  connected servers as

       ContactInfo email_address
              Administrative contact information for server. This  line  might
              get picked up by spam harvesters, so you may want to obscure the
              fact that it’s an email address.

       ExitPolicy policy,policy,...
              Set an exit policy for this server. Each policy is of  the  form
              "accept|reject  ADDR[/MASK][:PORT]".   If  /MASK is omitted then
              this policy just applies to the host given.  Instead of giving a
              host  or  network  you  can  also use "*" to denote the universe
              (  PORT can be a single port number, an  interval  of
              ports  "FROM_PORT-TO_PORT",  or  "*".   If PORT is omitted, that
              means "*".

              For  example,  "accept*,reject*,accept
              *:*"  would  reject  any  traffic  destined  for  MIT except for
              web.mit.edu, and accept anything else.

              To specify  all  internal  and  link-local  networks  (including
    , and, you can use the "private"  alias
              instead  of an address.  These addresses are rejected by default
              (at the beginning of your exit policy), along with  your  public
              IP  address,  unless  you set the ExitPolicyRejectPrivate config
              option to 0. For example, once you’ve done that, you could allow
              HTTP  to  and block all other connections to internal
              networks with  "accept,reject  private:*",  though
              that  may  also  allow connections to your own computer that are
              addressed to its public (external) IP address. See RFC 1918  and
              RFC 3330 for more details about internal and reserved IP address

              This directive can be specified multiple times so you don’t have
              to put it all on one line.

              Policies are considered first to last, and the first match wins.
              If you want to _replace_ the default exit policy, end your  exit
              policy  with  either  a  reject *:* or an accept *:*. Otherwise,
              you’re _augmenting_ (prepending to) the default exit policy. The
              default exit policy is:
                   reject *:25
                   reject *:119
                   reject *:135-139
                   reject *:445
                   reject *:465
                   reject *:563
                   reject *:587
                   reject *:1214
                   reject *:4661-4666
                   reject *:6346-6429
                   reject *:6699
                   reject *:6881-6999
                   accept *:*

       ExitPolicyRejectPrivate 0|1
              Reject  all private (local) networks, along with your own public
              IP address, at the beginning of  your  exit  policy.  See  above
              entry on ExitPolicy. (Default: 1)

       MaxOnionsPending NUM
              If  you  have  more  than  this  number of onionskins queued for
              decrypt, reject new ones. (Default: 100)

       MyFamily nickname,nickname,...
              Declare that this Tor server is controlled or administered by  a
              group  or organization identical or similar to that of the other
              named servers.  When two servers both declare that they  are  in
              the  same  ’family’,  Tor  clients will not use them in the same
              circuit.  (Each server only needs to list the other  servers  in
              its  family; it doesn’t need to list itself, but it won’t hurt.)

       Nickname name
              Set the server’s nickname to ’name’. Nicknames must be between 1
              and   19   characters  inclusive,  and  must  contain  only  the
              characters [a-zA-Z0-9].

       NumCPUs num
              How many processes to use at  once  for  decrypting  onionskins.
              (Default: 1)

       ORPort PORT
              Advertise  this  port to listen for connections from Tor clients
              and servers.

       ORListenAddress IP[:PORT]
              Bind to this IP address  to  listen  for  connections  from  Tor
              clients  and  servers.  If you specify a port, bind to this port
              rather than the one specified in ORPort. (Default: This
              directive  can  be  specified multiple times to bind to multiple

       PublishServerDescriptor 0|1
              If set to 0, Tor will act as a server  if  you  have  an  ORPort
              defined,   but  it  will  not  publish  its  descriptor  to  the
              dirservers. This option is useful if  you’re  testing  out  your
              server,  or  if  you’re  using  a  Tor  controller  that handles
              directory publishing for you.  (Default: 1)

       RedirectExit pattern target
              Whenever an outgoing connection tries to connect  to  one  of  a
              given set of addresses, connect to target (an address:port pair)
              instead.  The address pattern is given in the same format as for
              an  exit  policy.   The  address  translation applies after exit
              policies are applied.   Multiple  RedirectExit  options  can  be
              used: once any one has matched successfully, no subsequent rules
              are considered.  You can specify that no redirection  is  to  be
              performed  on  a  given  set  of  addresses by using the special
              target string "pass", which prevents subsequent rules from being

       ShutdownWaitLength NUM
              When we get a SIGINT and we’re a server, we begin shutting down:
              we close listeners and start refusing new  circuits.  After  NUM
              seconds,   we   exit.  If  we  get  a  second  SIGINT,  we  exit
              immediately.  (Default: 30 seconds)

       AccountingMax N bytes|KB|MB|GB|TB
              Never send more than the specified number of bytes  in  a  given
              accounting  period,  or  receive  more  than  that number in the
              period.  For example, with AccountingMax set to 1 GB,  a  server
              could  send  900  MB and receive 800 MB and continue running. It
              will only hibernate once one of the two reaches 1 GB.  When  the
              number of bytes is exhausted, Tor will hibernate until some time
              in the next accounting period.   To  prevent  all  servers  from
              waking at the same time, Tor will also wait until a random point
              in each period before waking up.  If  you  have  bandwidth  cost
              issues,  enabling  hibernation  is  preferable  to setting a low
              bandwidth, since it provides users with  a  collection  of  fast
              servers  that are up some of the time, which is more useful than
              a set of slow servers that are always "available".

       AccountingStart day|week|month [day] HH:MM
              Specify how long accounting periods last.  If  month  is  given,
              each accounting period runs from the time HH:MM on the dayth day
              of one month to the same day and time of  the  next.   (The  day
              must  be  between  1 and 28.)  If week is given, each accounting
              period runs from the time HH:MM of the dayth day of one week  to
              the same day and time of the next week, with Monday as day 1 and
              Sunday as day 7.  If day is given, each accounting  period  runs
              from  the  time HH:MM each day to the same time on the next day.
              All times are local, and given in 24-hour  time.   (Defaults  to
              "month 1 0:00".)

       ServerDNSResolvConfFile filename
              Overrides  the  default DNS configuration with the configuration
              in filename.  The file format is the same as the  standard  Unix
              "resolv.conf"  file  (7).  This option, like all other ServerDNS
              options, only affects name  lookup  that  your  server  does  on
              behalf  of clients.  Also, it only takes effect if Tor was built
              with  eventdns  support.   (Defaults  to  use  the  system   DNS

       ServerDNSSearchDomains 0|1
              If  set  to  1,  then  we will search for addresses in the local
              search domain.  For example, if this  system  is  configured  to
              believe it is in "example.com", and a client tries to connect to
              "www", the client will be connected to "www.example.com".   This
              option  only affects name lookup that your server does on behalf
              of clients, and only takes effect if Tor was build with eventdns
              support.  (Defaults to "0".)

       ServerDNSDetectHijacking 0|1
              When  this  option  is  set  to  1, we will test periodically to
              determine whether our local nameservers have been configured  to
              hijack  failing  DNS  requests (usually to an advertising site).
              If they are, we will attempt to correct this.  This option  only
              affects  name lookup that your server does on behalf of clients,
              and only takes effect if Tor was build  with  eventdns  support.
              (Defaults to "1".)

       ServerDNSTestAddresses address,address,...
              When  we’re  detecting DNS hijacking, make sure that these valid
              addresses aren’t getting redirected.  If they are, then our  DNS
              is  completely  useless,  and  we’ll  reset  our  exit policy to
              "reject *:*".  This option only affects name  lookup  that  your
              server  does  on behalf of clients, and only takes effect if Tor
              was build with eventdns support.  (Defaults to  "www.google.com,
              www.mit.edu, www.yahoo.com, www.slashdot.org".)

       ServerDNSAllowNonRFC953Hostnames 0|1
              When  this  option  is  disabled,  Tor  does  not try to resolve
              hostnames containing illegal characters (like @  and  :)  rather
              than  sending  them  to an exit node to be resolved.  This helps
              trap accidental attempts to resolve URLs and so on.  This option
              only  affects  name  lookup  that  your server does on behalf of
              clients, and only takes effect if Tor was  build  with  eventdns
              support.  (Default: 0)


       The  following  options are useful only for directory servers (that is,
       if DirPort is non-zero):

       AuthoritativeDirectory 0|1
              When this option is set to 1, Tor operates as  an  authoritative
              directory   server.    Instead  of  caching  the  directory,  it
              generates its own list of good servers, signs it, and sends that
              to the clients.  Unless the clients already have you listed as a
              trusted directory, you probably do not want to set this  option.
              Please coordinate with the other admins at tor-ops@freehaven.net
              if you think you should be a directory.

       V1AuthoritativeDirectory 0|1
              When this option is set in addition  to  AuthoritativeDirectory,
              Tor  also generates a version 1 directory (for Tor clients up to
              0.1.0.x).   (As  of  Tor  every   (v2)   authoritative
              directory still provides most of the v1 directory functionality,
              even without this option set to 1.  This however is expected  to
              change in the future.)

       VersioningAuthoritativeDirectory 0|1
              When  this  option  is  set  to 1, Tor adds information on which
              versions of Tor are still believed safe for use to the published
              directory.    Each   version  1  authority  is  automatically  a
              versioning authority; version 2 authorities provide this service
              optionally.  See RecommendedVersions, RecommendedClientVersions,
              and RecommendedServerVersions.

       NamingAuthoritativeDirectory 0|1
              When this option is set to 1, then the server advertises that it
              has  opinions  about  nickname-to-fingerprint bindings.  It will
              include these opinions in its published network-status pages, by
              listing  servers  with  the  flag  "Named"  if a correct binding
              between that nickname and fingerprint has been  registered  with
              the  dirserver.   Naming  dirservers  will  refuse  to accept or
              publish descriptors that contradict a registered  binding.   See
              approved-routers in the FILES section below.

       HSAuthoritativeDir 0|1
              When  this  option is set in addition to AuthoritativeDirectory,
              Tor  also  accepts  and  serves  hidden   service   descriptors.
              (Default: 0)

       DirPort PORT
              Advertise the directory service on this port.

       DirListenAddress IP[:PORT]
              Bind  the  directory  service  to this address. If you specify a
              port, bind to  this  port  rather  than  the  one  specified  in
              DirPort.  (Default:  This  directive  can be specified
              multiple times to bind to multiple addresses/ports.

       DirPolicy policy,policy,...
              Set an entrance policy for this server, to limit who can connect
              to the directory ports.  The policies have the same form as exit
              policies above.

       RecommendedVersions STRING
              STRING is a  comma-separated  list  of  Tor  versions  currently
              believed to be safe. The list is included in each directory, and
              nodes which pull down the directory learn whether they  need  to
              upgrade.  This option can appear multiple times: the values from
              multiple lines are spliced together.   When  this  is  set  then
              VersioningAuthoritativeDirectory should be set too.

       RecommendedClientVersions STRING
              STRING  is  a  comma-separated  list  of  Tor versions currently
              believed to be safe for clients to  use.   This  information  is
              included  in version 2 directories.  If this is not set then the
              value of RecommendedVersions is used.  When  this  is  set  then
              VersioningAuthoritativeDirectory should be set too.

       RecommendedServerVersions STRING
              STRING  is  a  comma-separated  list  of  Tor versions currently
              believed to be safe for servers to  use.   This  information  is
              included  in version 2 directories.  If this is not set then the
              value of RecommendedVersions is used.  When  this  is  set  then
              VersioningAuthoritativeDirectory should be set too.

       DirAllowPrivateAddresses 0|1
              If  set  to 1, Tor will accept router descriptors with arbitrary
              "Address" elements. Otherwise, if the address is not an IP or is
              a  private IP, it will reject the router descriptor. Defaults to

       AuthDirBadExit AddressPattern...
              Authoritative directories only.  A set of address  patterns  for
              servers  that  will be listed as bad exits in any network status
              document this authority  publishes,  if  AuthDirListBadExits  is

       AuthDirInvalid AddressPattern...
              Authoritative  directories  only.  A set of address patterns for
              servers that will never be listed  as  "valid"  in  any  network
              status document that this authority publishes.

       AuthDirReject AddressPattern...
              Authoritative  directories  only.  A set of address patterns for
              servers that will never be listed at all in any  network  status
              document  that  this  authority  publishes, or accepted as an OR
              address in any descriptor  submitted  for  publication  by  this

       AuthDirListBadExits 0|1
              Authoritative directories only.  If set to 1, this directory has
              some opinion about which nodes are  unsuitable  as  exit  nodes.
              (Do  not  set  this  to 1 unless you plan to list nonfunctioning
              exits as bad; otherwise, you are effectively voting in favor  of
              every declared exit as an exit.)

       AuthDirRejectUnlisted 0|1
              Authoritative  directories  only.   If  set  to 1, the directory
              server rejects  all  uploaded  server  descriptors  that  aren’t
              explicitly  listed  in  the  fingerprints  file.  This acts as a
              "panic button" if we get Sybiled. (Default: 0)


       The following options are used to configure a hidden service.

       HiddenServiceDir DIRECTORY
              Store data files for  a  hidden  service  in  DIRECTORY.   Every
              hidden service must have a separate directory.  You may use this
              option multiple times to specify multiple services.

       HiddenServicePort VIRTPORT [TARGET]
              Configure a virtual port VIRTPORT for a hidden service.  You may
              use this option multiple times; each time applies to the service
              using the most recent hiddenservicedir.  By default, this option
              maps  the  virtual  port to the same port on  You may
              override the target port,  address,  or  both  by  specifying  a
              target of addr, port, or addr:port.

       HiddenServiceNodes nickname,nickname,...
              If  possible, use the specified nodes as introduction points for
              the hidden service. If this is left unset, Tor will be smart and
              pick some reasonable ones; most people can leave this unset.

       HiddenServiceExcludeNodes nickname,nickname,...
              Do  not  use  the specified nodes as introduction points for the
              hidden service. In normal use there is no reason to set this.

       PublishHidServDescriptors 0|1
              If set to 0, Tor will run any hidden services you configure, but
              it won’t advertise them to the rendezvous directory. This option
              is only useful if you’re using a  Tor  controller  that  handles
              hidserv publishing for you.  (Default: 1)

       RendPostPeriod N seconds|minutes|hours|days|weeks
              Every  time  the  specified  period  elapses,  Tor  uploads  any
              rendezvous service descriptors to the directory  servers.   This
              information  is also uploaded whenever it changes.  (Default: 20


       Tor catches the following signals:

              Tor will catch this, clean up and sync to disk if necessary, and

       SIGINT Tor  clients  behave  as with SIGTERM; but Tor servers will do a
              controlled slow  shutdown,  closing  listeners  and  waiting  30
              seconds  before  exiting.  (The delay can be configured with the
              ShutdownWaitLength config option.)

       SIGHUP The signal instructs Tor to reload its configuration  (including
              closing and reopening logs), fetch a new directory, and kill and
              restart its helper processes if applicable.

              Log statistics about current connections, past connections,  and

              Switch  all  logs  to loglevel debug. You can go back to the old
              loglevels by sending a SIGHUP.

              Tor receives this signal when one of its  helper  processes  has
              exited, so it can clean up.

              Tor catches this signal and ignores it.

              If  this signal exists on your platform, Tor catches and ignores


              The configuration file, which contains "option value" pairs.

              The tor process stores keys and other data here.

              The most recently downloaded network status  document  for  each
              authority.  Each file holds one such document; the filenames are
              the hexadecimal  identity  key  fingerprints  of  the  directory

       DataDirectory/cached-routers and cached-routers.new
              These  files  hold downloaded router statuses.  Some routers may
              appear more than  once;  if  so,  the  most  recently  published
              descriptor  is used.  The ".new" file is an append-only journal;
              when it gets too large,  all  entries  are  merged  into  a  new
              cached-routers file.

              A set of persistent key-value mappings.  These are documented in
              the file.  These include:
            - The current entry guards and their status.
            - The current bandwidth accounting  values  (unused  so  far;  see
            - When the file was last written
            - What version of Tor generated the state file
            - A short history of bandwidth usage, as produced  in  the  router

              Used to track bandwidth  accounting  values  (when  the  current
              period  starts  and  ends; how much has been read and written so
              far this period).  This file is obsolete, and the  data  is  now
              stored  in  the  ’state’ file as well.  Only used when bandwidth
              accounting is enabled.

              Used for cookie authentication with the controller.  Regenerated
              on  startup.   See control-spec.txt for details.  Only used when
              cookie authentication is enabled.

              Only used by servers.  Holds identity keys and onion keys.

              Only used by servers.  Holds the  fingerprint  of  the  server’s
              identity key.

              Only   for   naming   authoritative   directory   servers   (see
              NamingAuthoritativeDirectory).   This  file  lists  nickname  to
              identity bindings.  Each line lists a nickname and a fingerprint
              separated by whitespace.   See  your  fingerprint  file  in  the
              DataDirectory  for  an example line.  If the nickname is !reject
              then descriptors  from  the  given  identity  (fingerprint)  are
              rejected  by this server. If it is !invalid then descriptors are
              accepted but marked in the directory as not valid, that is,  not

              The  <base32-encoded-fingerprint>.onion  domain  name  for  this
              hidden service.

              The private key for this hidden service.


       privoxy(1), tsocks(1), torify(1)



       Plenty, probably. Tor is still in development. Please report them.


       Roger Dingledine <arma@mit.edu>, Nick Mathewson <nickm@alum.mit.edu>.