Is Metasploit under Whonix anonymous?
If I run an exploit like EternalBlue with Metasploit on Whonix against a remote machine, do I remain anonymous? I think I do because it goes over Tor, but I am not sure. Am I right?
Demir
Whonix routes all of the network traffic via Tor, so theoretically speaking - yes. However, there are many other ways in which you can be de-anonymized. Just because you send your traffic over Tor, it doesn't necessarily mean you're 100% anonymous. For example, the actions you take on the hypothetical machine after the exploitation could de-anonymize you.
I would also advise against installing unnecessary things in Whonix since the process of downloading and installing the binaries could de-anonymize you in itself. This recommendation is also outlined in the Whonix documentation.
A better way of doing this would be to use Whonix for your host (so your traffic is networked via Tor), rent a server with XMR, SSH to that server over Tor, install Metasploit on that server and then use that server to launch your exploit. Then wipe the server entirely when you're done and burn any credentials, etc. Of course, this isn't 100% foolproof either, since the actions you take on the server you're running the exploit from could also de-anonymize you even if you're using Tor and paid for the server in XMR.
As forest mentioned in the comments, it is also important to ensure that if you're going to SSH to an anonymously purchased server, you need to configure your SSH client such that it does not send all of your public keys, as any other public keys you have configured will also be sent to the server, thus potentially leaking your identity.
In the case that you only need to perform this once, you could opt for using Tails (it also sends all of the traffic via Tor) over Whonix for the duration of the exploitation, since it's an amnesic OS. But always ensure you purchase a server to carry out the actual attacks!
There's a lot of useful information about using Whonix correctly and safely in the Whonix documentation; I would highly advise you to read it. There's also some advice on general opsec practices.