Sunday, 26 November 2017

AnanAS or AnonOS? Let's catch this FRUIT!

In this post, I will show you how we can build an ANANAS to make an OS based on pineapple. Let's


If you are at home, go out to the GREENGROCER and buy an Ananas. Your result should look like this

BUT if your result looks like this


to solve this problem, go back home, take your PC/Mac/SomeAnyDeviceYouUse, go upstairs if you have an upstairs, open a window and finally throw your device out of it. If you don't have an upstairs, simply smash your device and start confessing your sins.

After this step, we can build an

anonOS (not ananAS), an anonymous OS

Most of this guide is based on: https://anonguide.cyberguerrilla.org/.

ONE IMPORTANT NOTE: it is assumed you live in a country where using TOR does not carry any legal consequences. This note is important because that is not true in every jurisdiction in the world! If you do not know, use Google to look up information about TOR and your jurisdiction.

First of all, I advise you to follow the previous post on this blog, at this address: http://anthonyvoza.blogspot.it/2017/11/3ncrypt3d-0p3r4t1ng-sy2t3m.html, to build an encrypted OS based on Debian. It is a good base on which to build an anonymous system.

When you get the 3ncr1pt3d 0S, we can START!

First of all, log in to the Debian OS and choose GNOME Classic as the desktop environment, to consume fewer resources. Be sure you are connected to the Internet. For security reasons, it is better to use a wired network connection. Whether you use a wired or a WiFi connection, go to Settings-->Network, select your active connection (wired or WiFi) on the left of the window, then click the gear icon in the bottom-right part of the window. Another window appears. At this point, if you are on a WiFi network, click the Identity tab and deselect the Connect Automatically option. After this, whether you are on a wired or a WiFi network, go to the IPv6 tab and switch the IPv6 entry to OFF. Click Apply and close the Network Manager.

Now open the Terminal and type:
  • sudo -i
It will ask you for the password. Use the password you set for user in the previous post when you installed the Debian OS. If the password is correct, you now have full root access, so be careful with the commands you run in this mode. Still in the Terminal, as root, type:
  • dpkg-reconfigure tzdata
A window appears: choose the option None of the above and press Enter. On the next screen scroll down with the mouse, choose UTC and press Enter again.
The next step is to install a firewall to improve protection against possible intrusions. Still in the same Terminal window, type:
  • apt-get install ufw
At this point we must block several kinds of ICMP traffic, to reduce the attack surface. So type:
  • nano /etc/ufw/before.rules
The before.rules file opens. Search for the line containing "# ok icmp codes"; after this line you can see five rows about ICMP input. Comment out those five rows by placing the # character at the beginning of each row, like this:


Now press LEFT_CTRL+O, press Y to save the changes and close nano by pressing LEFT_CTRL+X.

Now enable the firewall by typing on the Terminal:
  • ufw enable
The next step is to install THE ONION (we must go back to the greengrocer... really!... I'm joking). We configure the Debian OS so that all OS updates and software installations come from the Debian Organization's Tor hidden services. This helps you hide which OS you are using from possible snoopers. Then, in the same Terminal, type:
  • apt-get install tor apt-transport-tor
Now we are ready to configure sources.list so that software is installed and updated through the Tor hidden services. In the Terminal, type:
  • nano /etc/apt/sources.list
The content of sources.list appears. Delete all rows (use LEFT_CTRL+K to delete one row). When you have cleared the content of the file, add these rows:
  • deb tor+http://vwakviie2ienjx6t.onion/debian jessie main contrib
  • deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main contrib 
  • deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main contrib
jessie is the codename of Debian 8.

If you have a recent version of Debian, just refer to https://wiki.debian.org/SourcesList#Using_Tor_with_Apt

Save the file (LEFT_CTRL+O) and exit (LEFT_CTRL+X).

At this point, to deny attackers a possible mechanism to identify you, especially if on the next OS (we will see it later) you use software that needs an onion service on your machine (like several chat programs), we must disable TCP timestamps. So type in the Terminal:
  • echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
Now we must load the file we just created to apply the TCP timestamps setting on the Debian host. Type:
  • sysctl -p /etc/sysctl.d/tcp_timestamps.conf
If you do not use IPv6, we can disable it to avoid leaks over the IPv6 protocol. For this purpose, open the grub file by typing:
  • nano /etc/default/grub
and inside this file, find the line GRUB_CMDLINE_LINUX_DEFAULT. After the = character, add the string ipv6.disable=1. The result must look like this


Then save the changes and exit.
Next, update the grub by typing:
  • update-grub
After this operation, type:
  • exit
In this way we leave the root environment.
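The three host edits above (commenting the ICMP accept rules in before.rules, the TCP timestamps drop-in in sysctl.d, and ipv6.disable=1 in GRUB) as re-runnable shell functions with a check, added here as an example and not taken from the original post or the anonguide. The functions take file paths and the sample files are constructed, so they can be tried without root before being pointed at the real files under /etc.

```shell
#!/bin/sh
# Added example, not from the original post: the three host edits the post
# does by hand (commenting the ICMP accept rules in /etc/ufw/before.rules,
# turning TCP timestamps off through sysctl.d, adding ipv6.disable=1 to
# GRUB_CMDLINE_LINUX_DEFAULT) as re-runnable sed edits plus a check.
# Every function takes a file path, so try them on copies before /etc.

# Comment out each active "-A ufw-before-input -p icmp ... -j ACCEPT" rule.
# Lines already starting with # are left alone, so it is safe to re-run.
comment_icmp_accepts() {
    sed -i 's/^\(-A ufw-before-input -p icmp .*-j ACCEPT\)$/#\1/' "$1"
}

# Count the ICMP accept rules still active; 0 means all five are commented.
active_icmp_accepts() {
    grep -c '^-A ufw-before-input -p icmp .*-j ACCEPT' "$1" || true
}

# Write the sysctl drop-in (overwriting, so idempotent) and print the value
# it holds, for a quick check before "sysctl -p" loads it.
disable_tcp_timestamps() {
    printf 'net.ipv4.tcp_timestamps = 0\n' > "$1"
    sed -n 's/^net\.ipv4\.tcp_timestamps *= *//p' "$1"
}

# Add ipv6.disable=1 inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT unless
# it is already present; handles an empty value as well as "quiet".
add_grub_ipv6_disable() {
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=1' "$1" && return 0
    sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/GRUB_CMDLINE_LINUX_DEFAULT="\1 ipv6.disable=1"/' "$1"
    sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=" /GRUB_CMDLINE_LINUX_DEFAULT="/' "$1"
}

# Constructed sample files (not the real /etc contents): the ICMP section of
# a stock before.rules and a typical grub line, written into directory $1.
make_sample_files() {
    cat > "$1/before.rules" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' > "$1/grub"
}

# On the real host (as root), the calls are:
#   comment_icmp_accepts /etc/ufw/before.rules
#   disable_tcp_timestamps /etc/sysctl.d/tcp_timestamps.conf
#   sysctl -p /etc/sysctl.d/tcp_timestamps.conf
#   add_grub_ipv6_disable /etc/default/grub && update-grub
```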
Now we need to download the Whonix Gateway .ova file. We use Whonix to surf over the TOR network. In the Terminal, type:
  • cd Downloads
  • torsocks wget -c https://download.whonix.org/linux/13.0.0.1.4/Whonix-Gateway13.0.0.1.4.ova
  • torsocks wget -c https://download.whonix.org/ova/15.0.0.6.6/Whonix-CLI-15.0.0.6.6.ova

After the download, we disable TOR so that it does not run automatically at startup. To do this, type:
  • cd
  • sudo systemctl disable tor.service
Now we make an alias command to update and upgrade our Debian OS over the TOR network. For this purpose, type:
  • echo "alias dist-upgrade='sudo systemctl start tor.service && sleep 10 && sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get clean && sudo systemctl stop tor.service'" >> .bashrc 
Then, to install packages over the TOR network, we create a shell function called apt-install. In the Terminal type:
  • echo 'function apt-install() { sudo systemctl start tor.service; sleep 10; sudo apt-get update; sudo apt-get install "$@"; sudo apt-get clean; sudo systemctl stop tor.service; }' >> .bashrc
Now, to load these new commands, type:
  • source .bashrc
The next step is to install VirtualBox. We will use VirtualBox to run Whonix Gateway and the OS that we want to anonymize. Type:
  • apt-install virtualbox
NOTE: it is IMPORTANT that you use Debian only for hosting Whonix. We will not work on Debian; it is just the host of Whonix and of the OS we use to surf anonymously. So, DO NOT USE DEBIAN FOR GENERAL USAGE!

Then, after the installation of VirtualBox, on the Terminal type:
  • dist-upgrade
NOTE: it is IMPORTANT to keep in mind that you must keep the Debian OS updated, so run dist-upgrade frequently.

At the end, type exit to close the Terminal. Now open VirtualBox, click File->Import Appliance and a window appears. Browse to the downloaded Whonix .ova file and choose it, then keep clicking Next and finally (I do not know whether checking Reinitialize the MAC address is a good choice or does not matter) click the Import button and click Agree.

When the import is complete, click the Snapshots button in the main VirtualBox window. Then click Current State, click the camera icon to take a snapshot of the virtual machine, give it a name and click OK. Snapshots are used to restore a virtual machine to the state it was in when the snapshot was taken.

Use these commands to manage the Whonix CLI: https://www.whonix.org/wiki/Common_Whonix_CLI_Commands

Now we must download the OS we want to anonymize through Whonix. You can choose whatever distro you want; I assume you use this OS


It is easy to understand! COME ON! Download it from: https://www.kali.org/downloads/
I assume you download the .iso file. You can download it with wget the same way you downloaded Whonix, by opening the Terminal and typing, for example:
  • sudo systemctl start tor.service
  • cd Downloads
  • torsocks wget -c https://cdimage.kali.org/kali-2020.1/kali-linux-2020.1-installer-amd64.iso
At the end of the download, type:
  • sudo systemctl stop tor.service
Now we need to install DNSCrypt, which is used to encrypt the data going to the DNS server to resolve website names. If these data are encrypted, a sniffer cannot know which name we want to resolve. To install DNSCrypt, download it from here: https://github.com/dnscrypt/dnscrypt-proxy/releases/latest, choosing the right file for your version: Linux/x86_64 if you are using 64-bit Debian or Linux/x86 if you are using 32-bit Debian. To install it, unpack the downloaded file and run the installer.sh file, by typing in a Terminal in the same folder as installer.sh:
  • source installer.sh
  • sudo apt-get install dnscrypt-proxy
After the installation, if dnsmasq is already running, you can choose to remove it. dnsmasq performs caching, as does dnscrypt-proxy v2, so the redundant caching is unnecessary and dnsmasq can effectively be disabled. To disable dnsmasq for NetworkManager, make the /etc/NetworkManager/NetworkManager.conf file look like this:

[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq
[ifupdown]
managed=false

Then, configure dnscrypt-proxy.toml by:
  • cd /etc/dnscrypt-proxy
  • sudo cp dnscrypt-proxy.toml dnscrypt-proxy.toml.original  # non-idempotent
In dnscrypt-proxy.toml, replace listen_addresses = ['127.0.0.1:53'] with listen_addresses = []. For some reason, the package installs systemd sockets instead of standard sockets.
Further configuration changes can be made later as needed, but in order to help with troubleshooting, keep the changes to a minimum for now.

Next, modify the name servers in your /etc/resolv.conf so that it contains only nameserver 127.0.0.1. All queries going to localhost will be forwarded through DNSCrypt.

Now go to the network configuration applet. Click Wired Connection 1 (if you use wired) or the WiFi name you currently use, and click the gear icon. In the window, click IPv4 Settings and choose Automatic (DHCP) addresses only as the method. Finally add 127.0.0.1 in the DNS servers.


At this point, look for a provider you would like to use. You can look here: https://github.com/DNSCrypt/dnscrypt-resolvers.
Now we need to create the systemd service file: create /etc/systemd/system/dnscrypt.service by typing:
  • sudo nano /etc/systemd/system/dnscrypt.service
Before adding content, you must choose the DNS resolver you would like to use, by looking at the link I showed before (more specifically: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md, but you can choose others). When you have chosen it, look up the name of the resolver in the Name column. Let's say we choose cisco. At this point add this content to the dnscrypt.service file you just created

[Unit]
Description=dnscrypt daemon
After=network.target
[Service]
ExecStart=/usr/local/sbin/dnscrypt-proxy --resolver-name=cisco
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target

where --resolver-name= specifies which resolver we chose. In this case it is cisco, but you can change it by writing the resolver name you prefer. Then save the file and close it.
Now in the Terminal, type:
  • sudo systemctl restart NetworkManager
  • sudo systemctl restart dnscrypt-proxy
  • sudo systemctl enable dnscrypt.service (in this way dnscrypt will run at startup)
  • sudo systemctl start dnscrypt.service
If you do not get errors, you should see output like

Dec 09 02:51:55 dnscrypt-proxy[23836]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Generating a new session key pair
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Done
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Server certificate with serial '0001' received
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] This certificate is valid
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Chosen certificate #808464433 is valid from [2016-11-03] to [2026-11-01]
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Server key fingerprint is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236
Dec 09 02:51:55 dnscrypt-proxy[23836]: [NOTICE] Proxying from 127.0.0.1:53 to 70.32.38.67:443

To prevent DHCP from overwriting resolv.conf, create or open /etc/dhcpcd by typing in the Terminal:
  • sudo nano /etc/dhcpcd
and write nohook resolv.conf on a new line. It should find the resolv.conf file because it is in the same directory as dhcpcd, that is /etc.
Note that DNSCrypt works well with Unbound, but I did not try it.


Another piece of advice: to prevent your ISP from spoofing your DNS (DNS leaks), you can change the primary and secondary DNS servers on your router/modem (if possible, that is much better) and/or in the Network Settings of your OS. As the new DNS servers you can use the two DNS servers shown here: https://blog.uncensoreddns.org/.
To do a DNS leak test, refer to these two websites:
If all is fine, you should not see your ISP.
Anyway, we have now changed the DNS server to which we send queries, and we have also encrypted them.
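An added example (not from the original post): offline checks that the pieces configured above are actually in place, namely a loopback-only /etc/resolv.conf, a commented dns=dnsmasq line in NetworkManager.conf, and the tor+http apt sources set up earlier, so that a leak shows up as a failed check on the host rather than on a leak-test website. The file paths and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks that the DNS
# and apt plumbing built above does not leak around Tor and dnscrypt-proxy.
# Functions take file paths so they can be run against copies; the real
# files are /etc/resolv.conf, /etc/NetworkManager/NetworkManager.conf and
# /etc/apt/sources.list.

# Print every nameserver that is not loopback; any output means some DNS
# traffic would bypass the local dnscrypt-proxy listener.
leaking_nameservers() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$1"
}

# Succeed only if there is at least one nameserver and all are loopback.
resolv_conf_is_local() {
    [ "$(grep -c '^nameserver' "$1")" -gt 0 ] && [ -z "$(leaking_nameservers "$1")" ]
}

# NetworkManager's dns=dnsmasq must be commented out, otherwise its own
# dnsmasq answers queries instead of dnscrypt-proxy.
nm_dnsmasq_disabled() {
    ! grep -q '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq' "$1"
}

# Print every apt source that does not use apt-transport-tor (deb tor+http://
# ...); a clearnet mirror reveals the distribution to anyone on the path.
non_tor_apt_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" | grep -v 'tor+' || true
}

# All three checks on the real files; exit status 0 only when all pass, so
# it can run from a script or cron job after every dist-upgrade.
audit_host() {
    resolv_conf_is_local "$1" && nm_dnsmasq_disabled "$2" \
        && [ -z "$(non_tor_apt_sources "$3")" ]
}

# Constructed sample files (not real system files) with a good and a leaking
# variant of each, written into directory $1.
make_samples() {
    printf 'nameserver 127.0.0.1\n' > "$1/resolv.good"
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$1/resolv.bad"
    printf '[main]\nplugins=ifupdown,keyfile,ofono\n#dns=dnsmasq\n[ifupdown]\nmanaged=false\n' > "$1/nm.good"
    printf '[main]\nplugins=ifupdown,keyfile,ofono\ndns=dnsmasq\n' > "$1/nm.bad"
    printf 'deb tor+http://vwakviie2ienjx6t.onion/debian jessie main contrib\n' > "$1/sources.good"
    { cat "$1/sources.good"; printf 'deb http://deb.debian.org/debian jessie main\n'; } > "$1/sources.bad"
}

# On the real host: audit_host /etc/resolv.conf \
#   /etc/NetworkManager/NetworkManager.conf /etc/apt/sources.list
```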

At this point you need to install Kali Linux in VirtualBox. First of all, start Whonix. Now create a new virtual machine for Kali. When you have created the new virtual machine, after the setup, do not start the Kali virtual machine; go to Settings instead. Now move to the System-->Processor tab, check the Enable PAE/NX box and click OK to apply the changes. Now go to Settings again, click Network and click Adapter 1. In the Attached to box you must choose Internal Network and in the Name box you must choose Whonix. Then click OK to apply the changes. To be sure, recheck these settings again. At this point you can START the Kali Linux virtual machine and begin installing it. To increase your security, I advise you to install Kali Linux encrypted, by following my previous post: https://anthonyvoza.blogspot.com/2017/11/3ncrypt3d-0p3r4t1ng-sy2t3m.html.

JUST AN IMPORTANT NOTE DURING THE KALI LINUX INSTALLATION: during the installation, when it asks you to configure the network, the DHCP check should give you an error. You must click Continue and then choose the Configure network manually option. It will ask you for an IP address. You should base it on the IP address you see on Whonix (to see it on Whonix, switch on the Whonix virtual machine and click Reload Tor; a terminal window appears with various information, including the IP address). Usually the IP address on Whonix is 10.152.152.10, so for the IP address asked by the Kali installer you should insert 10.152.152.11 or 10.152.152.13 or whatever you prefer in the Whonix network. Click Continue. Then, as Netmask, 255.255.255.0 and click Continue; as Gateway, 10.152.152.10 and click Continue. As Hostname type what you prefer, and as Domain you can leave it empty. As the username of your account, feel free to choose a fun username (and not a silly username like user, as we used on Debian). Now continue to follow "the encrypted guide" for the installation.

After the installation, in the main VirtualBox window, take a snapshot of Kali Linux too, as you did for Whonix Gateway. Now feel free to delete the .ova and .iso files you downloaded before.
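The VirtualBox settings set through the GUI above (PAE/NX on, Adapter 1 on the internal network Whonix), the "recheck these settings" step, the choice of a guest address on the Whonix network and the post-install snapshot, done with VBoxManage so they can be re-applied and verified. This is an added example, not code from the original post or from Whonix; the VM name "Kali", the snapshot name and the sample VBoxManage dumps are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the VirtualBox wiring the post
# does in the GUI (PAE/NX on, Adapter 1 on the internal network "Whonix"),
# its recheck, and the snapshot, via VBoxManage. The VM name "Kali" and the
# snapshot name are assumptions; the address check follows the post's
# 10.152.152.0/24 Whonix network with the Gateway at 10.152.152.10.

# Accept only a static address Kali can use on the Whonix internal network:
# four octets, inside 10.152.152.0/24, host part 1..254, not the Gateway.
valid_whonix_guest_ip() {
    case "$1" in
        10.152.152.10) return 1 ;;      # the Gateway's own address
        10.152.152.*.*) return 1 ;;     # too many octets
        10.152.152.*) ;;
        *) return 1 ;;                  # not on the Whonix network
    esac
    host=${1##*.}
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ]
}

# Apply the post's settings: PAE/NX and adapter 1 attached to the internal
# network "Whonix" (the one Whonix-Gateway's second adapter uses).
attach_vm_to_whonix() {
    VBoxManage modifyvm "$1" --pae on --nic1 intnet --intnet1 Whonix
}

# Check a "VBoxManage showvminfo --machinereadable" dump (file $1) for the
# three settings above; this is the "recheck these settings" step.
vminfo_wired_to_whonix() {
    grep -qx 'pae="on"' "$1" && grep -qx 'nic1="intnet"' "$1" \
        && grep -qx 'intnet1="Whonix"' "$1"
}

# Dump the live VM settings and run the check on them.
vm_is_wired_to_whonix() {
    info=$(mktemp)
    VBoxManage showvminfo "$1" --machinereadable > "$info"
    if vminfo_wired_to_whonix "$info"; then rc=0; else rc=1; fi
    rm -f "$info"
    return $rc
}

# Take the post-install snapshot, as the post does for Whonix Gateway.
snapshot_vm() {
    VBoxManage snapshot "$1" take "$2"
}

# Constructed sample dumps (not real VBoxManage output) into directory $1:
# one wired correctly and one still on NAT, as a freshly created VM is.
make_sample_vminfo() {
    printf 'name="Kali"\npae="on"\nnic1="intnet"\nintnet1="Whonix"\n' > "$1/vminfo.good"
    printf 'name="Kali"\npae="off"\nnic1="nat"\n' > "$1/vminfo.bad"
}

# Typical use after installing Kali:
#   attach_vm_to_whonix Kali && vm_is_wired_to_whonix Kali \
#     && snapshot_vm Kali "fresh install"
```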

Now on the Debian OS, go to Settings-->Sound, go to the Input tab, choose the microphone(s) you have connected, then switch the option to the right of Input Volume to OFF. Do this for all the sound input devices you have.
Then go back to Settings and go to Privacy, click Usage & History, switch Recently Used to OFF, click Clear Recent History and finally close the window to go back to the Privacy settings. Now click Purge Trash & Temporary Files, switch ON the Automatically empty Trash and Automatically purge Temporary Files options and set Purge After to 1 day. Then close the window and close Settings.

Now go back to VirtualBox and start Whonix Gateway. It will start the Whonix Setup Wizard and ask you to accept some conditions, so click Understood and click Next. As you go on, it will ask you for other choices, so choose these options:
  1. I am ready to enable Tor and click Next always until you reach the next choice
  2. Yes. Automatically install updates from the Whonix team and click Next
  3. Whonix Stable Repository and click Next until you reach to click Finish
Now Whonix must check the status of the TOR connection and check for updates. Wait for them. At the end you will get a whonixcheck window with information about the procedure; just click OK.

Now that you are on Whonix Gateway, you need to change the default password. Open the Konsole and type:
  • sudo -i
When it asks for the password of user, insert changeme. Now you must change this default password. Type:
  • passwd
and press Enter. It asks you to insert a new password. Choose what you prefer. Then, if it is successful, we need to change the password of the user account as well. Type:
  • passwd user
and press Enter. It asks you to insert a new password. Choose what you prefer. Then, if it is successful, go on.

Now we need to configure Whonix Gateway to use the Debian Organization's and the Whonix Organization's Tor hidden services, as we did for the Debian OS. Type:
  • echo deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free > /etc/apt/sources.list.d/debian.list
  • echo deb http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main contrib non-free >> /etc/apt/sources.list.d/debian.list
  • whonix_repository --baseuri http://deb.kkkkkkkkkk63ava6.onion --enable --repository stable
Then update the Whonix Gateway by typing:
  • apt-get update && apt-get dist-upgrade
During the upgrade, if it asks you for some options, choose the defaults. If it asks you to overwrite a file, choose the option that keeps the original local version, unless the new file has the .whonix extension.
When the upgrade process has ended, close the Konsole.

Now we must check that the KALI LINUX OS is connected to the Whonix Gateway. Be sure Whonix is already running, then start the Kali Linux virtual machine. Log in as root because we must give SUDO POWER to our username. Once inside Kali, open a Terminal and type:
  • sudo adduser <username> sudo
  • sudo apt-get update
writing your username instead of <username>.
At this point reboot Kali and log in with your user account. We need to edit the sources.list file. Open a terminal and type:
  • sudo nano /etc/apt/sources.list
Delete everything and add this row: deb http://http.kali.org/kali kali-rolling main non-free contrib
Save the file and close it. At this point type:
  • sudo apt-get update
If your PC is slow because running Whonix concurrently with Kali consumes a lot of resources, you can install a lighter environment on Kali Linux. From the Terminal, try to install the LXDE package, one of the lightest desktop environments available on Linux. Once it is installed, reboot Kali and, at login, after entering the username and before typing your password, click the gear icon and choose LXDE.

To verify that you are connected through Whonix Gateway, open a Terminal and type:
  • curl ifconfig.me
and check that the resulting IP address is the one Whonix Gateway reports.
On Kali too, disable IPv6, the microphone inputs and ICMP, set the privacy settings and all the other options as we did for Debian above.

A last setup I would like to show you concerns the settings of your browser on Kali Linux. To avoid filling this post with another 100000 rows, read and follow carefully all the suggestions at the following link: https://www.privacytools.io.
I strongly recommend you follow it and implement its solutions.

A LAST IMPORTANT NOTE: remember that you should use only Kali. Do not use Debian or Whonix Gateway for general usage; just update them periodically.
Each time you want to use Kali, remember to start Whonix Gateway first and THEN start Kali.
When you want to turn off, shut down Kali first and THEN shut down Whonix Gateway.

At this point we get an improved

ANONYMOUS SURFING

