{"id":19386809,"url":"https://github.com/unkaktus/grill","last_synced_at":"2026-05-01T03:33:50.012Z","repository":{"id":149437933,"uuid":"75864853","full_name":"unkaktus/grill","owner":"unkaktus","description":"global rate-limiting in Linux (CVE-2016-5696) scanner","archived":false,"fork":false,"pushed_at":"2017-04-27T10:51:33.000Z","size":15,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-06-10T19:16:31.310Z","etag":null,"topics":["flaws","linux-kernel","scanner","tcp","tcp-off-path"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unkaktus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-12-07T18:40:47.000Z","updated_at":"2021-12-25T11:33:09.000Z","dependencies_parsed_at":null,"dependency_job_id":"38bf0705-0df2-4d73-bcf7-59bd97fff00c","html_url":"https://github.com/unkaktus/grill","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/unkaktus/grill","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkaktus%2Fgrill","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkaktus%2Fgrill/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkaktus%2Fgrill/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkaktus%2Fgrill/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unkaktus",
"download_url":"https://codeload.github.com/unkaktus/grill/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unkaktus%2Fgrill/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32484352,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["flaws","linux-kernel","scanner","tcp","tcp-off-path"],"created_at":"2024-11-10T10:07:31.532Z","updated_at":"2026-05-01T03:33:49.999Z","avatar_url":"https://github.com/unkaktus.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"grill\n=====\n\n`grill`, aka global rate-limiting in Linux, is a scanner for\nCVE-2016-5696 (pure TCP off-path).\n\nInstall\n-------\n```\n$ go get github.com/nogoegst/grill\n```\n\nCaveats\n-------\n*Don't ever use wireless links* on the way to the hosts. Constant packet loss and retransmissions drastically reduce scan accuracy.\n\n*Use as few NATs as possible* (down to 0); they introduce delays and change packets.\n\nCurrently `grill` uses around avg. 400Kbit/s and max. 
500Kbit/s of output bandwidth (16 concurrent scans).\n\nKernel interference\n-------------------\nTo avoid kernel interference during a scan, add a rule to your firewall to drop outgoing RST packets.\n\nFor PF (`/etc/pf.conf`):\n```\nblock drop out quick proto tcp flags R/R\n```\nthen `# pfctl -f /etc/pf.conf`.\n\nFor NetFilter:\n```\n# iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP\n```\n\nUsage\n-----\n`grill` reads `stdin` and scans hosts from it (up to 16 concurrent scans). The input format is `host port\\n`.\n\n```\n# cat probe | grill -i interface -dll gateway-MAC [-sll src-MAC] [-sip src-IP] \u003e results \n```\n\nThe output format is `host:port,recievedChACKs,1stBurstSendingTime,2ndBurstSendingTime`.\n\nTo get human-readable results, run the results through the `verdict` utility (in the `verdict` directory):\n```\ncat results | verdict\n```\n\nSo it goes. Have fun and make love.\n\n\nScanning the Tor network\n------------------------\nTo scan relays of the Tor network, just fetch and format the latest consensus:\n```\ncurl https://collector.torproject.org/recent/relay-descriptors/consensuses/`date -u +'%Y-%m-%d-%H-00-00-consensus'` | grep '^r '| awk '{print $7\" \"$8}' \u003e probe-consensus\n```\n\nAnd then just pass the resulting file to `grill` as input.\nAs of now, scanning the whole Tor network should take less than 30m (16 concurrent scans).\n\nI managed to scan the whole net in 7m44s by using 127 concurrent scans and in 6m30s by reducing timeout to 1.7s further (this is probably not safe due to packet loss, congestion, etc).\n\nNote that 127 is the maximum (and reasonable) number of open BPFs in OpenBSD. In Linux this limit is higher but it will make your kernel almost stuck. 
Anyway, good luck.\n\nAcknowledgments\n---------------\n`grill` is hugely inspired by a similar Scapy scanner by David Stainton [https://github.com/david415/scan_for_rfc5961]\nand a PoC by violentshell [https://github.com/violentshell/rover].\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funkaktus%2Fgrill","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funkaktus%2Fgrill","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funkaktus%2Fgrill/lists"}