a more secure way to force programs to exclusively use tor network
orjail/orjail
Security isn’t just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.
orjail is a tool that lets you create a jail around a program to force its network traffic through Tor. It creates a hostile environment for anything trying to discover your real IP address.
git clone https://github.com/orjail/orjail.git
cd orjail
sudo make install
We provide a .deb package you can download from here and install with a simple:
sudo dpkg -i orjail*.deb
We've tried to de-anonymize a program executed in a torsocks environment and that was not so difficult as torsocks uses LD_PRELOAD, so you only need to statically compile your stuff. As Whonix is sometimes too much, the idea is to experiment with Linux namespaces and learn by doing something useful (at least for us).
- Linux kernel supporting namespaces (you have it since 2008)
- Tor installed
- firejail (optional, but really suggested)
It creates a separate network namespace (using ip netns) with its own network interface and a link to the host interface, with some iptables rules (on the host) that force traffic generated from inside orjail to exit only via Tor (including DNS).
Inside orjail you'll be in another pid namespace (try sudo orjail ps aux) and another mount namespace (we use this to show a different /etc/resolv.conf).
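The namespace, veth link and host-side rules described above, written out as an added example; this is not orjail's own script. The 10.200.1.2 address and the out-<name> interface follow the ifconfig output on this page; the namespace name, the in-<name> host interface, the 10.200.1.1 host address and both Tor ports are assumptions.

```sh
#!/bin/sh
# Added example, not orjail's own script. Everything below is an assumption
# except 10.200.1.2 and the out-<name> interface, which appear on the page.
NS=${NS:-demojail}     # hypothetical namespace name
HOST_IF="in-$NS"       # host end of the veth pair (assumed naming)
JAIL_IF="out-$NS"      # jail end of the veth pair
HOST_IP=10.200.1.1     # assumed host-side address; the Tor instance listens here
JAIL_IP=10.200.1.2
TRANS_PORT=9040        # assumed Tor TransPort on HOST_IP
DNS_PORT=5354          # assumed Tor DNSPort on HOST_IP

# Print the setup commands; review them, then apply with: jail_plan | sudo sh
jail_plan() {
  cat <<EOF
# 1. namespace plus a veth pair: one end on the host, one end in the jail
ip netns add $NS
ip link add $HOST_IF type veth peer name $JAIL_IF
ip link set $JAIL_IF netns $NS
ip addr add $HOST_IP/24 dev $HOST_IF
ip link set $HOST_IF up
ip netns exec $NS ip link set lo up
ip netns exec $NS ip addr add $JAIL_IP/24 dev $JAIL_IF
ip netns exec $NS ip link set $JAIL_IF up
ip netns exec $NS ip route add default via $HOST_IP
# 2. host side: DNS and new TCP connections are rewritten to the Tor listeners
iptables -t nat -A PREROUTING -i $HOST_IF -p udp --dport 53 -j DNAT --to-destination $HOST_IP:$DNS_PORT
iptables -t nat -A PREROUTING -i $HOST_IF -p tcp --syn -j DNAT --to-destination $HOST_IP:$TRANS_PORT
iptables -A INPUT -i $HOST_IF -p udp -d $HOST_IP --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $HOST_IF -p tcp -d $HOST_IP --dport $TRANS_PORT -j ACCEPT
# 3. fail closed: anything else from the jail (other UDP, ICMP, IPv6) is dropped
iptables -A INPUT -i $HOST_IF -j DROP
iptables -A FORWARD -i $HOST_IF -j DROP
ip6tables -A INPUT -i $HOST_IF -j DROP
ip6tables -A FORWARD -i $HOST_IF -j DROP
EOF
}

# Print the matching cleanup: every -A rule becomes -D, then the namespace goes.
jail_teardown_plan() {
  jail_plan | sed -n '/^ip6\{0,1\}tables /s/ -A / -D /p'
  echo "ip netns delete $NS"
}
```

The -A rules are appended after whatever is already in the host's chains, so on a host with existing ACCEPT rules the DROP lines have to be placed ahead of them.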
If you find a way to de-anonymize a program running inside orjail (also a shell with root privileges), it would be nice to share it with us.
- orjail needs root permissions to run
- orjail runs your command as your user
- orjail will launch a Tor instance bound to orjail interface
orjail [options] [command]

-u, --user <user>
    Run command as <user> (default $USER)
-f, --firejail
    Use firejail as a security container
--firejail-args "<args>"
    Set arguments to pass to firejail surrounded by quotes.
    eg. "--hostname=host --env=PS1=[orjail]"
--host-torrc
    Include your torrc host
-t, --tor-exec <torpath>
    Select a Tor executable to use. The path can be full, relative or be in $PATH (default tor)
-s, --shell
    Execute a shell (default $SHELL)
-k, --keep
    Don't delete namespace and don't kill tor after the execution.
-n, --name
    Set a custom namespace name (default orjail)
$ sudo orjail ifconfig
out-orjail: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.200.1.2 netmask 255.255.255.0 broadcast 0.0.0.0
        inet6 fe80::6439:afff:febc:c9b5 prefixlen 64 scopeid 0x20<link>
        ether 66:39:af:bc:c9:b5 txqueuelen 1000 (Ethernet)
        RX packets 6847 bytes 7488116 (7.1 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 6809 bytes 915088 (893.6 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
sudo orjail curl autistici.org > autistici.org
sudo orjail -u another_user curl autistici.org
sudo orjail dig wi7qkxyrdpu5cmvr.onion
sudo orjail -v -H 8080 -d examples "python -m SimpleHTTPServer 8080"
sudo orjail curl wi7qkxyrdpu5cmvr.onion
sudo orjail firefox -P /tmp/tmpprofile
Firefox has a flag that blocks .onion resolution by default; change it in about:config/network.dns.blockDotOnion.
Running a browser inside orjail is not safe, please use Tor Browser instead.
sudo orjail -s
sudo orjail -v pidgin
sudo orjail -k ls
sudo orjail -f thunderbird
- dbus
- X
Made with ❤️ by _to hacklab