
Technical analysis of Hola

Posted by Vectra Threat Labs on Jun 1, 2015 7:19:00 AM

Updated June 3, 2015 11:00 AM (see details below)

Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.

Let’s start with the basics
Hola markets itself as providing anonymous browsing and an unblocker for accessing any content from any location. “Unblocking” comes in two forms. The first is that an Hola user can pretend to be in any country she wants, enabling access to content that would only be available within the target country. A common example is a Canadian citizen accessing the US version of Netflix. The second is that an employee in a company which blocks certain outbound traffic can use Hola to get past the block.

The software is available either as a browser extension or a stand-alone application with versions for every major operating system, and Hola claims 46 million users worldwide. Vectra researchers analyzed the Windows 32-bit version of Hola for Windows, and the Android ARM and Android x86 versions of Hola for mobile available prior to May 27, 2015. 

Once installed, the service acts as a giant peer-to-peer network, known internally as “Zon”, in which a user’s Internet traffic is bounced through other Hola users. In the Zon network, every unpaid user is used as an exit node, meaning that if you were to install the application, you would carry traffic from other anonymous users. Worse still, Hola caches content on user devices, meaning that not only would you carry someone else’s traffic without your knowledge, but you could be used to cache their content as well. These are all things that Hola publicly states on its website and in its license agreement. While users who have just realized this have expressed shock, the story doesn’t end there.

We decided to analyze this software because it triggered a type of detection we call “External Remote Access” in some of our customers’ networks. The algorithm behind this detection finds connections that are established from the inside of a customer’s network to the Internet, where the subsequent interaction is clearly driven by a human on the outside of the customer’s network. This pattern is consistent with how a peer-to-peer anonymity network works. The employee computer with Hola installed must use well-known techniques to make a firewall allow the peer’s connection to complete, and these techniques effectively make the connection appear – to the firewall and to Vectra – to be initiated from the employee’s machine to the peer who wishes to make use of it. Once the connection is up, the external human controlling the peer drives all the action.


Digging deeper
Things get a bit more interesting when you realize that Hola (the company) operates a second brand called Luminati that sells access to the Hola network to third parties. If this sounds to you like a recipe for a botnet, you’re not alone. In fact, moderators from the controversial site 8chan claim to have experienced a DDoS originating from the Hola/Zon network.

In addition, third-party researchers have uncovered a variety of vulnerabilities in the Hola software that allow users to not only be tracked, but also can be exploited to run arbitrary code on an Hola user’s machine. It should be noted that vulnerabilities in perfectly legitimate software aren’t unusual – most software publishers are judged by the competence of their programmers in preventing security vulnerabilities as well as the speed with which they react to reported vulnerabilities. The vulnerabilities were publicized on May 29. On June 1, Hola stated the vulnerabilities were patched, and their statement was rebutted by the third-party researchers in an update to their original post.

It also appears that the DDoS mentioned above is not the first time hackers have attempted to use Hola for malicious activity. While analyzing the protocol used by Hola, Vectra researchers found 5 different malware samples on VirusTotal that contain the Hola protocol. The SHA256 hashes for these samples are listed below: 

  • 83fd35d895c08b08d96666d2e40468f56317ff1d7460834eb7f96a9773fadd2d 
  • 2f54630804eeed4162618b1aff55a114714eeb9d3b83f2dd2082508948169401
  • 65687dacabd916a9811eeb139d2c2dada1cefa8c446d92f9a11c866be672280b
  • 43498f20431132cd28371b80aed58d357367f7fa836004266f30674802a0c59c
  • 59a9fedeb29552c93bb78fff72b1de95a3c7d1c4fc5ad1e22a3bbb8c8ddbfaba 

Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys.

Enabling a human attacker
While analyzing Hola, Vectra Threat Labs researchers found that in addition to reports of Hola enabling a botnet, it contains a variety of capabilities that can enable a targeted, human-driven cyber attack on the network in which an Hola user’s machine resides.

First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system. On Windows systems, the certificate is added to the Trusted Publishers Certificate Store. This modification to the system allows any additional code to be installed and run without the user being notified by the operating system or browser.

In addition, Hola contains a built-in console that remains active even when the user is not browsing via the Hola service – it is included in the process that acts as a forwarder for other peers’ traffic. The presence of this console – dubbed “zconsole” – is surprising on its own, as it enables direct human interaction with a Hola node even when the service is not actively in use by the system’s user. So if a human outside the system were to gain access to this console, what could they do?

  • List and kill any running process
  • Download any file with an option to bypass anti-virus (AV) checking
  • Execute a downloaded file and:
    • Run the file with the token of another process
    • Run it as a background process
  • Open a socket to any IP address, device, guid, alias or Windows name
  • Read and write content across the socket to the console or to a file

This represents just a small subset of the functionality available in the console. The developers of the console have been gracious enough to include a man page to help someone unfamiliar with the commands.

These capabilities can enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky anonymity network enabling a botnet, and instead forces us to acknowledge the possibility that an attacker could use Hola as a platform to launch a targeted attack within any network containing the Hola software.

As a result, we highly encourage organizations to determine if Hola is active in their network and decide whether the risks highlighted in this blog are acceptable. To help with this, we have crafted Yara rules to identify whether Hola is present on a system. For customers that have an intrusion prevention system (IPS) deployed, we have also created Snort signatures to help them identify Hola traffic in their network.

Additions and clarifications since first publication
  • Where there were statements about botnets in conjunction with Hola, clarifications were made that Hola was used to enable a botnet and is not itself a botnet.
  • Added information in paragraph three about the specific versions of Hola for Windows and Hola for mobile analyzed for this blog. This information was already present in the later section entitled SHA256 hashes of Windows and Android versions of Hola software analyzed.
  • Added information that became available after our blog was published about Hola patching their software.
  • Clarified that the samples on VirusTotal indicate malicious attempts to use Hola; evidence of these attacks succeeding is not available.
  • Updated our recommendation to organizations in the final paragraph.

Snort signatures to detect Hola or Luminati traffic

alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network Encrypted"; content:"|ac 2e bf 5c|"; offset:0; depth:4; classtype:trojan-activity; sid:500001; rev:2; )
alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network PCLR"; content:"PCLR"; offset:0; depth:4; classtype:trojan-activity; sid:500002; rev:2; )
alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network ZCLR"; content:"ZCLR"; offset:0; depth:4; classtype:trojan-activity; sid:500003; rev:2; )
alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network ZPNG"; content:"ZPNG"; offset:0; depth:4; classtype:trojan-activity; sid:500004; rev:2; )
 
Yara rules to detect Hola software on endpoint
rule Zon_Network {
    meta:
        description = "ZON Networks protocol"
        thread_level = 3
        in_the_wild = true
        authors = "Vectra"
        date = "5-10-15"

    strings:
        $s1 = "zconn_new"
        $s2 = "zmsg_znatconnect_handler"
        $s3 = "zmsg_upgrade"
        $s4 = "zmsg_snd_rcv_handler"
        $s5 = "zmsg_upgrade_peer"
        $s6 = "zmsg_ts_long_cb"
        $s7 = "zmsg_write"
        $s8 = "zmsg_http_write"
        $s9 = "zmsg_http_read"
        $s10 = "zmsg_write_handler"
        $s11 = "zmsg_read"
        $s12 = "zmsg_read received"
        $s13 = "zmsg_read_handler"
        $s14 = "zmsg_read_invalid"
        $s15 = "zmsg_magic_write_handler"
        $s16 = "zmsg_magic_read_handler"
        $s17 = "zmsg_http_send_handler"
        $s18 = "zmsg_zping_resp_handler"
        $s19 = "zmsg_route_req_handler"
        $s20 = "zmsg_route_get_next_hop_cb"
        $s21 = "zconn_son_free"
        $s22 = "zconn_write_handler"
        $s23 = "zconn_read_handler"
        $s24 = "zconn_write"
        $s25 = "zconn_read"
        $s26 = "zconn_dns_fail"
        $s27 = "zconn_http_handler"
        $s28 = "zconn_local_handler"
        $s29 = "zconn_handler"
        $s30 = "zmsg_release"
        $s31 = "zmsg_fail_connect"
        $s32 = "zmsg_accumulate"
        $s33 = "zconn_info"

    condition:
        10 of them
}
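As an added example (not Vectra's code), the following Python mirrors what the Snort signatures and the Yara rule above check, so that the logic can be exercised offline: the Snort part tests the first four bytes of a TCP payload (offset:0, depth:4) against the four Zon prefixes, and the Yara part counts the 33 symbol names and applies the rule's "10 of them" condition. All payloads and binary fragments below are constructed samples, not real captures.

```python
# Added example (not Vectra's code): Python equivalents of the Snort
# signatures and the Yara rule above, run over constructed sample data.

# Each Snort rule matches a fixed 4-byte prefix of the TCP payload
# (content at offset:0, depth:4). Map prefix -> (msg, sid) from the rules.
ZON_PAYLOAD_PREFIXES = {
    b"\xac\x2e\xbf\x5c": ("VECTRA TROJAN Zon Network Encrypted", 500001),
    b"PCLR": ("VECTRA TROJAN Zon Network PCLR", 500002),
    b"ZCLR": ("VECTRA TROJAN Zon Network ZCLR", 500003),
    b"ZPNG": ("VECTRA TROJAN Zon Network ZPNG", 500004),
}


def match_zon_payload(payload):
    """Return (msg, sid) when the first four payload bytes equal one of the
    Zon prefixes, else None. offset:0 depth:4 restricts the match to bytes
    0..3, so a payload shorter than four bytes can never match."""
    if len(payload) < 4:
        return None
    return ZON_PAYLOAD_PREFIXES.get(bytes(payload[:4]))


def scan_payloads(payloads):
    """Apply the Snort-equivalent check to every payload and return one
    (index, sid or None) pair per payload."""
    results = []
    for i, p in enumerate(payloads):
        hit = match_zon_payload(p)
        results.append((i, hit[1] if hit else None))
    return results


# The 33 symbol names from the Yara rule's strings section, in rule order.
ZON_STRINGS = [
    b"zconn_new", b"zmsg_znatconnect_handler", b"zmsg_upgrade",
    b"zmsg_snd_rcv_handler", b"zmsg_upgrade_peer", b"zmsg_ts_long_cb",
    b"zmsg_write", b"zmsg_http_write", b"zmsg_http_read",
    b"zmsg_write_handler", b"zmsg_read", b"zmsg_read received",
    b"zmsg_read_handler", b"zmsg_read_invalid", b"zmsg_magic_write_handler",
    b"zmsg_magic_read_handler", b"zmsg_http_send_handler",
    b"zmsg_zping_resp_handler", b"zmsg_route_req_handler",
    b"zmsg_route_get_next_hop_cb", b"zconn_son_free", b"zconn_write_handler",
    b"zconn_read_handler", b"zconn_write", b"zconn_read", b"zconn_dns_fail",
    b"zconn_http_handler", b"zconn_local_handler", b"zconn_handler",
    b"zmsg_release", b"zmsg_fail_connect", b"zmsg_accumulate", b"zconn_info",
]
ZON_MIN_MATCHES = 10  # the rule's condition: "10 of them"


def matched_zon_strings(data):
    """Names from ZON_STRINGS found anywhere in data, as plain substring
    hits. As in Yara, an overlapping pair such as "zmsg_write" and
    "zmsg_write_handler" both count when only the longer name is present."""
    return [s.decode() for s in ZON_STRINGS if s in data]


def matches_zon_yara(data):
    """Same verdict the Zon_Network rule would give: 10 or more hits."""
    return len(matched_zon_strings(data)) >= ZON_MIN_MATCHES


# Constructed sample payloads (not real captures): two Zon-style payloads,
# one ordinary HTTP request, and one packet too short to match.
SAMPLE_PAYLOADS = [
    b"PCLR" + b"\x00\x10" + b"\x00" * 16,
    b"\xac\x2e\xbf\x5c" + bytes(range(32)),
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"ZC",
]

# Constructed binary fragments: one carrying enough Zon symbol names to
# satisfy the rule (12 hits once overlaps are counted), one carrying two.
SAMPLE_ZON_BINARY = b"MZ\x90\x00" + b"\x00".join([
    b"zconn_new", b"zmsg_znatconnect_handler", b"zmsg_upgrade_peer",
    b"zmsg_write_handler", b"zmsg_http_read", b"zmsg_route_req_handler",
    b"zconn_dns_fail", b"zconn_info", b"zmsg_magic_read_handler",
    b"zmsg_release",
])
SAMPLE_CLEAN_BINARY = b"MZ\x90\x00zconn_new\x00zmsg_read\x00other_symbol"


if __name__ == "__main__":
    for i, sid in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {i}: {'sid ' + str(sid) if sid else 'no match'}")
    for name, blob in (("zon", SAMPLE_ZON_BINARY), ("clean", SAMPLE_CLEAN_BINARY)):
        hits = matched_zon_strings(blob)
        print(f"{name}: {len(hits)} strings, rule fires={matches_zon_yara(blob)}")
```

Note that the prefix check only sees the start of each TCP payload, which is why the Snort rules carry offset:0 and depth:4; a Zon magic appearing later in a stream is not what those signatures fire on.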
SHA256 hashes of Windows and Android versions of Hola software analyzed
 
Details of code-signing certificate installed by Hola
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:fa:bf:f7:0c:a4:c8:4f:d9:29:e6:d1:83:f1:48
    Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            C=US
            O=VeriSign, Inc.
            OU=VeriSign Trust Network
            OU=Terms of use at https://www.verisign.com/rpa (c)10
            CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Aug 25 00:00:00 2014 GMT
            Not After : Sep 19 23:59:59 2015 GMT
        Subject:
            C=IL
            ST=Netanya
            L=Netanya
            O=Hola Networks Ltd.
            CN=Hola Networks Ltd.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
               CA:FALSE
            X509v3 Key Usage: critical
               Digital Signature
            X509v3 CRL Distribution Points:
 
               Full Name:
                 URI:http://sf.symcb.com/sf.crl
 
            X509v3 Certificate Policies:
               Policy: 2.16.840.1.113733.1.7.23.3
                 CPS: https://d.symcb.com/cps
                 User Notice:
                   Explicit Text: https://d.symcb.com/rpa
 
            X509v3 Extended Key Usage:
                Code Signing
            Authority Information Access:
               OCSP - URI:http://sf.symcd.com
               CA Issuers - URI:http://sf.symcb.com/sf.crt
 
            X509v3 Authority Key Identifier:
               keyid:CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D
 
            X509v3 Subject Key Identifier:
               0F:C8:09:D0:EE:23:9A:F6:24:2A:65:52:0A:28:EA:72:DE:1F:CD:40
            Netscape Cert Type:
               Object Signing
            1.3.6.1.4.1.311.2.1.27:
               0.......
    Signature Algorithm: sha1WithRSAEncryption
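The Trusted Publishers point made earlier (a certificate in that store lets code it signs install without a publisher prompt) is something a defender can audit from a text dump like the one above. As an added example (not Vectra's or Hola's code), this Python parses the per-line "openssl x509 -text" layout shown above and checks the certificate against a hypothetical allowlist of approved publisher organisations; the sample text is constructed from the fields above with the modulus and signature bytes left out.

```python
# Added example (not Vectra's or Hola's code): parse a certificate dump in
# the layout shown above and audit it as a Trusted Publishers entry.
import re
from datetime import datetime

# Constructed from the certificate fields shown above; the modulus and
# signature bytes are omitted. Layout follows "openssl x509 -text".
HOLA_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:fa:bf:f7:0c:a4:c8:4f:d9:29:e6:d1:83:f1:48
    Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            C=US
            O=VeriSign, Inc.
            OU=VeriSign Trust Network
            CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Aug 25 00:00:00 2014 GMT
            Not After : Sep 19 23:59:59 2015 GMT
        Subject:
            C=IL
            O=Hola Networks Ltd.
            CN=Hola Networks Ltd.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's Not Before / Not After format


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _block(lines, i):
    """Stripped lines that follow lines[i] and are indented deeper than it."""
    out, j = [], i + 1
    while j < len(lines) and lines[j].strip() and _indent(lines[j]) > _indent(lines[i]):
        out.append(lines[j].strip())
        j += 1
    return out


def _name(parts):
    """['C=US', 'O=Hola Networks Ltd.'] -> {'C': ['US'], 'O': [...]}.
    Values are lists because a name may repeat an attribute such as OU."""
    name = {}
    for p in parts:
        if "=" in p:
            k, v = p.split("=", 1)
            name.setdefault(k.strip(), []).append(v.strip())
    return name


def parse_cert_text(text):
    """Extract serial, issuer, subject, validity, CA flag and EKU list from
    a dump whose Issuer/Subject attributes are one per line, as above."""
    lines = text.splitlines()
    cert = {"serial": None, "issuer": {}, "subject": {}, "not_before": None,
            "not_after": None, "ca": None, "eku": []}
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            cert["serial"] = s[len("Serial Number:"):].strip() or _block(lines, i)[0]
        elif s in ("Issuer:", "Subject:"):
            cert["issuer" if s == "Issuer:" else "subject"] = _name(_block(lines, i))
        elif (m := re.match(r"Not (Before|After)\s*:\s*(.+)", s)):
            key = "not_before" if m.group(1) == "Before" else "not_after"
            cert[key] = datetime.strptime(m.group(2).strip(), DATE_FMT)
        elif s.startswith("X509v3 Basic Constraints"):
            cert["ca"] = any(b.startswith("CA:TRUE") for b in _block(lines, i))
        elif s.startswith("X509v3 Extended Key Usage"):
            joined = ", ".join(_block(lines, i))
            cert["eku"] = [e.strip() for e in joined.split(",") if e.strip()]
    return cert


def audit_trusted_publisher(cert, approved_orgs, now):
    """Findings for a certificate present in the Trusted Publishers store.
    approved_orgs is a hypothetical allowlist of subject O= values the
    organisation has deliberately trusted; now is a datetime or ISO date."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    org = (cert["subject"].get("O") or ["<no O attribute>"])[0]
    if org not in approved_orgs:
        signs = "can sign code" if "Code Signing" in cert["eku"] else "is not a code-signing certificate"
        findings.append(f"unapproved publisher '{org}' in Trusted Publishers ({signs})")
    if cert["ca"]:
        findings.append("entry is a CA certificate, which does not belong in Trusted Publishers")
    if cert["not_before"] and cert["not_after"] and not (cert["not_before"] <= now <= cert["not_after"]):
        findings.append("certificate is outside its validity period")
    return findings


if __name__ == "__main__":
    parsed = parse_cert_text(HOLA_CERT_TEXT)
    for finding in audit_trusted_publisher(parsed, {"Example Corp"}, "2015-06-01"):
        print(finding)
```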
 
Man page for Hola zconsole
Usage: sha1sum [OPTIONS] FILE
OPTIONS:
  --temp: path to temp directory
Example: sha1sum --temp Hola-Setup-1.7.5.exe
calculate sha1 checksum
 
Usage: reg PATH ATTRIB
Options:
  PATH: registry path
  ATTRIB: attribute in the registry path
get a registry value
 
Usage: sh_kill [-f] [-w SEC] PID
Options:
  -f: forcefully
  -w SEC: wait SEC seconds for termination (default 1 sec)
  PID: the pid of the process
kill a process
 
Usage: sh_file_ver PATH
get file version (win32 metadata)
 
Usage: sh_ps
list currently running processes
 
Usage: svc_performance enabel|disable
set svc to performance mode
 
Usage: get_workdir
Returns client's workdir
 
Usage: idle [--peek]
OPTIONS:
  --peek: query idle on updaters on vista/7
Returns client's idle information
 
Usage: event_busy_time on/off/reset
set eventloop busy time logging
 
Usage: exec [OPTIONS] EXE ARG1 ARG2...
OPTIONS:
  --temp: will execute EXE from temp directory
  --bg: will run process in background
  --detach: will run process without inherting handles
  --token-pid PID: will use the access token from PID to run EXE
  --stdin STRING: string which will be used as stdin for EXE
Example: exec_spawn --temp --bg Hola_install.exe --silent
Example: exec_spawn --token-pid 1234 --bg c:/temp/Hola_install.exe --silent
 
Usage: exec [OPTIONS] EXE ARG1 ARG2...
OPTIONS:
  --temp: will execute EXE from temp directory
  --bg: will run process in background
  --detach: will run process without inherting handles
  --token-pid PID: will use the access token from PID to run EXE
  --stdin STRING: string which will be used as stdin for EXE
Example: exec --temp --bg Hola_install.exe --silent
Example: exec --token-pid 1234 --bg c:/temp/Hola_install.exe --silent
Executes an executable
 
Usage: dns [OPTIONS] SERVER_IP FQDN
OPTIONS:
  --no-rec: send non recursive request
  --timeout MS: put a timeout on the requst
  --port PORT: destination port
  --dev DEVID: send on the specified DEVID
send a dns request
 
Usage: wget [OPTIONS] URL
OPTIONS:
  --file FILE: destination where to copy downloaded file
  --temp: downloades to temp directory
  --hdrs "hdrs": use these request hdrs as is
  --discard: throw away obtained data
  --zprotocol: use protocol to speed download
Example: wget --file c:/temp/h_i.exe http://hola.org/hl.exe
Example: wget http://hola.org/Hola_install.exe
wget a url and save to FILE
 
Usage: idle_checks_update full_screen screen_saver
Example: idle_checks_update 0 1
 
Usage: force_user_away [idle|active|auto]
force user away status
 
Usage: test_lexit
test lexit handling
 
Usage: test_exception
test exception handling
test_exception
Display build information
build_info
 
Usage: tar [OPTIONS]
OPTIONS:
  -z : gzips the resulting tar
Mini tar create implementation
 
Usage: gzip [OPTIONS]
OPTIONS:
  --decrypt : decrypts the file before gzipping
Mini gzip implementation
 
Usage: ps [OPTIONS]
  -s: short format
  -v: verbose
  -v -v: very verbose
  -p: show pointers
  -l: allow output >512K
  -t: show time
Print etask tasks
 
Usage: quit [--install]
  --install: quit and install (upgrade) afterwards
  --restart: quit and restart (external source) afterwards
  --ui: send quit to ui
  --ui-logoff: quit
Quit application
 
Usage: echo_spawn [-e|--sleep MS] TEXT...
  -e: output TEXT to stderr instead of stdout
  --sleep: sleeps MS milliseconds
Echo command just using etask
 
Usage: echo [-e] TEXT...
  -e: output TEXT to stderr instead of stdout
Echo command
 
Usage: help [OPTIONS]
OPTIONS:
  all: show all available commands
  -s STRING: search for commands containing the string
Show help for all commands
help
result truncated: see log for full result
session logoff.
--ui-logoff
system/quit_ui
--ui
--
 
Usage: webserver_timeout ip
cause webserver timeout - works only in unittests!
 
Usage: ztget_resp_info cid conn
get tunnel ztget resp info - works only in unittests!
 
Usage: jtest_perr -t type [OPTIONS]
OPTIONS:
  -t : perr type
  -i : perr info
  -b : string that will be used as the context log
create a perr report. works only in unittests
 
Usage: unblocker_json_set STATUS JSON_FILE_CONTENT
set unblocker json rules
 
Usage: set_ext_tunnel
set external tunnel as default for unittests
 
Usage: unblocker_set STATUS WPAD_PAC_FILE_CONTENT
set wpad pac file and enable unblocker
 
Usage: unblocker_get_port
get port for unblocking a given country string
 
Usage: unblocker_tunnels_del [all|] OPTIONS
OPTIONS:
  --ip: src peer ip to erase specifically [default localhost]
delete tunnels associated with unblocker rules
 
Usage: test_unblocker CID
test unblocker functionality
 
Usage: znatconnect OPTIONS
OPTIONS:
  --dev: specify device for socket connect
use znatconnect logic to connect to another peer
 
Usage: get_cookie
return the current cookie from registry
 
Usage: set_cookie COOKIE
save the supplied cookie to registry
OPTIONS:
  empty : call 'pset_qa' with no options resets all settings
  -q : set qa type - performance/logic
       + any /svc/conf/protocol/debug/ boolean flag
  -a : set qa agents group - ofer/steve/ron/z1/z2/z3/internal/
  -p : set qa peers group
  -t : set qa tunnels group
Example: pset_qa -q "logic disable_cache" -g "11 12 126" -p 54
 
Usage: set_enc [--all] IS_ENABLE
set net enc mode
 
Usage: webserver_write [stop|start]
set whether the webserver should succeed in writing data - works
  only in unittests
 
Usage: delay_get_from_cache [stop |start]
delay read from local cache - works only in unittests
 
Usage: browser_serving [stop|start]
set whether the browser should process data for serving - works
  only in unittests
 
Usage: jtest_set_multizget <data_rate>
set multizget stats - data_rate, peer, tunnel chunk obtaining time   works only in in unittests!
 
Usage: jtest_get_wait [1 | 0]
new get requests will be blocked until next cli call -
  works only in unittests!
 
Usage: jtest_multizget_best_cp [cid | reset]
set multizget's best cp - works only in in unittests!
 
Usage: multizget_time_to_complete time
set multizget time to complete - works only in unittests
 
Usage: ztget_timeout cid conn
cause ztget timeout - works only in unittests
 
Usage: ztun_timeout cid conn
cause ztun timeout - works only in unittests
 
Usage: zget_resp_info cid conn
get agent zget resp info - works only in unittests
 
Usage: zget_info cid conn
get client zget info - works only in unittests
 
Usage: gid_info cid conn
get client gid info - works only in unittests
 
Usage: zg_closed cid conn
check agent zg context has closed - works only in unittests
 
Usage: zget_closed cid conn
check client zget context has closed - works only in unittests
 
Usage: chunk_timeout fid index cid
cause chunk timeout - works only in unittests
 
Usage: chunk_check_timeout fid index
check chunk timeout - works only in unittests
 
Usage: jtest_dnss_hook_cb HOST
simulates dnss network resolution hook callback
Dnss resolution hook callback
 
Usage: jtest_dnss_cb HOST IP1 [IP2 ...]
simulates dnss network resolution callback
Dnss resolution callback
 
Usage: jtest_new_conn PROCESS IP PORT [APK]
returns the newly redirect port on 127.0.0.1
Add new connection
 
Usage: jtest_max_space
set static max free space as times*dbc_file_size
jtest_max_space
Usage: jtest_torrent_stats
Example: jtest_torrent_stats num_peers=3;num_unchoked=1;
set torrent stats for unittests
 
Usage: perr [OPTIONS] ptr
Options:
  -c - dump client perr (ptr is browser_get_t), default option
  -a - dump agent perr (ptr is zget_resp_t)
  -t - dump tunnel perr (ptr is ztget_resp_t)
dump the perr information in ptr
 
Usage: ndfs_flush [--no-reset]
Options:
  --no-reset - flush only non active slabs that don't require reset
write all ndfs data to files and remap to volume
 
Usage: protocol_cache_mode MODE
Set caching mode for protocol
 
Usage: protocol_db_purge [conf]|[urls|peers|NDFS|bw|analyzer]
  - will purge all dbs
  conf = takes settings from /conf/protocol/debug/purge/.. urls = erases dbs urls, chksms, strs
  peers = erases dbs agents, caches, knownagents, url_peers
  ndfs = erases NDFS db
  bw = erases dbs bw, bw_peers
  analyzer = erases dbs get, zget, zgetchunk, action
  delete = delete db files if their size not reduced
Example: protocol_db_purge urls|peers
Purge protocol different data bases
 
 
Usage: zsipc OPTIONS CMD
OPTIONS:
  --cancel SCID ID: cancel zipc with ID on server SCID
Parameters:
  CMD: ipc command
Example: zsipc zcipc 5 protocol_db_purge
Example: zsipc --cancel -2 5
Send ipc command to server
 
 
Usage: zroute [add|del] -i --src [src_cids] --dst [dst_cids] --cmd [zmsg] [--reverse] --of_traffic [percent]
OPTIONS:
  no options-  dumps existing rules
  [add|del] - add remove the rule
  --src - cids that this rule will apply to ("1 4 5 28")
          if omitted works on all clients
  --dst - cids that this rule will route to ("-7 -11 -57")
          must exist - cannot be omitted
  --cmd - specific msg this rule applies to ("ZGETAGENTS")
          if omitted applies to all msgs
  --idx - index of rule to delete
  --metric - metric of rule to add - default 0
  --reverse - apply only to reverse version of this cmd
 
Usage: prot_restart
restart the protocol task
 
Usage: zc_timeout [dev]
simulate zc bio timeout - works only in in unittests!
 
Usage: tunnel_tcp_connect IP PORT
Parameters:
  IP: destination IP
  PORT: destination PORT
TCP connect and tunnel the ipc to tcp
 
tunnel_tcp_connect
Usage: tunnel_tcp_listen [--port LOCAL_PORT] ARGV
Parameters:
  LOCAL_PORT: local server port of the listen socket
  ARGV: argv of a command to execute on the spawned connection
Open tcp listener for zipc tcp tunnel
 
Usage: zping [--server|--cid ] OPTIONS
OPTIONS:
  --fd
  --dst-ip
  --sdev - source dev alias name
send zmsg zping to remote client
 
Usage: sock_list
See also: sock_write, sock_read, sock_connect, sock_close,
  sock_info
list all open sockets previously created with sock_connect
 
Usage: zmsg_release
See also: zmsg_accumulate
process all zmsgs accumulated since calling 'zmsg_accumulate' cmd
  works only in unittests!
 
Usage: zc_congestion -s -r
set or release congestion state from given sockets by cids
  works only in unittests
 
Usage: connect_delay ip is_resume
delay / resume tcp connect - works only in unittests!
 
Usage: zmsg_fail_connect [cid1 cid2 ...]
list of cids to fail esocket_connect_fast - works only in unittests!
 
Usage: zmsg_accumulate [cid1 cid2 ...]
See also: zmsg_release
when receiving zmsgs on sockets of the given ips dont process them
  - wait for zmsg_release call - works only in unittests!
 
Usage: sock_info FD
  returns tcp info if successful -1 if fails
See also: sock_write, sock_read, sock_connect, sock_close,
  sock_list
get tcp info of a given fd
 
Usage: sock_close [FD]
  returns 0 if successful -1 if fails. if no FD, then close all.
See also: sock_write, sock_read, sock_connect, sock_info,
  sock_list
close a given fd, previously created with sock_connect
 
Usage: sock_write [--str STR] [--file FILE] [--size SIZE] FD
  returns the number of written bytes or -1 if fails
Options:
  --str STR - writes STR content
  --file FILE - writes the contents of FILE
  --size SIZE - writes SIZE bytes of 'x's
See also: sock_connect, sock_read, sock_close, sock_info,
  sock_list
write to a given fd, previously created with sock_connect
 
Usage: sock_read [--size SIZE] [--file FILE] [--console] FD
  returns the read data to console output
Options:
  --file FILE - output is written to FILE
  --console - output is written to the console
  --size SIZE - exactly SIZE will be read
    remember that this is a blocking socket.
    if no SIZE is given all the data will be read up to 10K
See also: sock_write, sock_connect, sock_close, sock_info,
  sock_list
read from a given fd, previously created with sock_connect
 
 
Usage: sock_connect [--bind DEV] IP PORT
  returns the created fd or -1 if fails
  --bind can be used to bind to a specific device, guid, alias or
    windows name can be used
See also: sock_write, sock_read, sock_close, sock_info,
  sock_list
create a blocking tcp socket
 
Usage: jtest_zconn_resolve ip1 ip2 ...
set static resolve response for zconn_handler
 
Usage: jtest_cleanup_test
tests there are no open connections
 
Usage: jtest_set_next_port_read PORT
set the next socket that will be read - used to control internal
timings - works only in in unittests!
 
Usage: jtest_bio_flush IP
flush zconn according to destination ip - works only in in unittests!
 
Usage: jtest_zconn_write_fail IP
close zconn write handler according to destination ip - works only in in unittests!
 
Usage: jtest_sock_info CID STATS
  STATS: rtt:kb_sec_up:kb_sec_dn
set specific zconn sock bw info - works only in in unittests
 
Usage: zc_sock_info FD
print out specific zconn sock information
 
Usage: dev_clr_info DEV
  DEV - can be any one of cm alias, windows devid or connection table name
Example: dev_clr_info ethB1A1
reset all device level stats
 
Usage: dev_list
print out list of protocol recognized devices
 
Usage: set_wan_port DEV PORT
set wan tcp port
 
Usage: dev_info [--protocol] DEV
  DEV - can be any one of cm alias, windows devid
    or connection table name
  --protocol - print protocol info, device bw table and per zconn
    stats
 
Example: dev_info ethB1A1
print out dev bw information
 
Usage: pif_info cid ifname
get peer interface info - works only in unittests
 
Usage: zch_info cid
get zch info - works only in unittests
 
Usage: zconn_info cid
get zconn info - works only in unittests
 
Usage: protocol_disable IS_DISABLE
Disable protocol
 
Usage: protocol_network_change [OPTIONS]
OPTIONS:
  dev: development network
  release: release network
Change between development and release networks
 
 
Usage: internal_agent
  internal_agent set IS_ENABLE
  internal_agent get
returns the current state
enable/disable internal agent
 
Usage: pool_shrink [OPTIONS]
OPTIONS:
  --close [peer,br,web|all]: close connections
  --close-idle [peer,br,web|all]: close idle connections
  --ndfs-flush: flush ndfs cache (without protocol reset)
clear all in memory cache
 
Usage: log_collect OPTIONS (svc_live|svc_crash)
OPTIONS:
  --tgz : tar and gzip the log collect directory. file is created
          in the Hola parent dir
collect relevant files from crash or protocol error
 
Usage: log_flush
flush svc log to file
 
Usage: io_in_mem [all|db|ndfs|file] 0/1
set various system io components to work in memory
 
Usage: get_logged_in
returns: [ACTIVE_SID|-1] [[PID1] [SID1]] [[PID2] [SID2]] ...
get list of running ui's and there sessions
 
Usage: start_ui [PID]
returns 1 if ui already running
Start ui using PID to take access token from
 
 
Usage: is_ui_running
Checks if there is a ui up and running
 
 
OPTIONS:
  empty : call 'set_qa' with no options resets all settings
  -q : set qa type - performance/logic/cm/routing
  -c|--disable-cache : clear cache and dont write urls/chunks
Example: set_qa -q logic -g "ofer steve"
set_qa [OPTIONS]
set_qa
system/debug/file_in_mem
--
 
Usage: reg_change
Re-read registry settings, since they have have changed.
 
 
Usage: set_patch PATH PATCH
Set patch for a given layer
 
 
Usage: patch_get PATH [OPTIONS]
OPTIONS:
  --no-stats: do not update stats before generating patch
Get patch delta
 
 
Usage: patch_init
Allocates a layer for the patch commands
 
 
Usage: set_notify_multi PATH_1 PATH_2 ... PATH_N
Notifies on leaf changes to set (non leaf not implemented)
 
 
Usage: conf_restore_default
Restore default configuration
 
Usage: conf_save WRITE_DELAY
  write_delay - delayed priority - integer in the range of 1(=NOW) to 4(=LOW)
Save the configuration to disk
 
Usage: conf_get PATH
Get value of a path
 
Usage: mkdir PATH
make new dir
 
Usage: copy PATH PATH
copy subtree to different location
 
Usage: print PATH
Print configuration
 
Usage: del PATH
Delete subtree from configuration
 
Usage: get PATH
Get path value
 
Usage: set_raw PATH SET_STR
Creates/overwrites a complete set in string format from PATH
 
Usage: set PATH VALUE
Set path to value
 
Usage: dnss_purge_db
purge dnss db
 
Usage: dnss_stats_reset
reset dnss statistics
 
Usage: wget_result
wget result get
 
Usage: wget_test [OPTIONS] URL
Parameters:
  URL - url to get
OPTIONs:
  -i, --dev DEVID - bind to device
  -a, --av-bypass - do av bypass
  -l, --limit - limit output size to given limit
  -m, --out-mem - write output to 'content' ptr in result struct
  -f, --out-file - write output to given file name
    if empty filename (''), the filename is extracted from the url, or 'file.txt' is used if the url has no filename
  -p, --post-len - add post data in this size
-- 
Usage: tap_fd_pass
pass tap file descriptor using SCM_RIGHTS msg works only on pipe
Usage: tap_prepare
prepare for tap initialization
Usage: cm_connected
Internet connected or not
Usage: cm_focus
Refresh devices connectivity
 
 
