RULE 01

Passive only.

Sloth never injects packets, never sends probes, never deauthenticates, never beacons, never ARP-poisons, never port-scans, never performs a DNS lookup of its own (every name it shows was seen in a captured query or answer), and never modifies kernel state: no iw set, no ip link set, no iptables, no monitor-mode toggling. It reads. It never writes to the wire.

Monitor-mode interfaces must be set up externally by the operator before sloth starts (using iw, airmon-ng, or the tool of your choice). Sloth attaches to whatever interface is already in monitor mode and starts watching. It never asks the kernel to change link state on its behalf.

RULE 02

No active key recovery.

Sloth never runs a passphrase against a captured handshake. It never calls hashcat, aircrack-ng, John, or any cracking library. It never decrypts a frame it captured.

It does capture EAPOL / PMKID material and export it in hashcat mode 22000 (.hc22000) format, so the operator can run the crack themselves: offline, on hardware they own, against a target they are authorised to test. That step is the operator's responsibility, on the operator's clock, with the operator's legal cover, not sloth's.

RULE 03

Vulnerabilities flagged, not exploited.

Sloth detects a wide vocabulary of weak / hostile patterns, emits an alert, and (optionally) writes a per-flow pcap snippet. It never follows up with an active step — no MITM, no session hijack, no replay, no credential harvesting.

  • Weak link-layer crypto: WEP, WPA/TKIP, management-frame protection (802.11w) off
  • Weak TLS (SSLv3, TLS 1.0/1.1)
  • Attack-tool User-Agents
  • Evil twins (a second BSSID announcing the same SSID, typically an OPEN sibling of a protected network)
  • Rogue DHCP servers
  • DGA-style DNS qnames
  • Deauth floods
  • KARMA / Pineapple-style behaviour (an AP answering every probed SSID)
  • dnscat / iodine DNS tunnels
  • ARP spoofing
  • Probe-request floods

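Three of the detectors above (evil twin, deauth flood, DGA-style qname), written as an added illustration for this page rather than taken from sloth's own source. Each consumes a list of already-captured frame summaries and returns alerts; nothing in the code opens a socket or touches an interface, so it cannot transmit. The record layout (`kind`, `ts`, `bssid`, `ssid`, `rsn`, `qname`), the thresholds and the sample capture are all constructed assumptions.

```python
"""RULE 03 in code: read captured frame summaries, flag, never act.
Added example for this page, not sloth's source. Record format is assumed."""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample capture. Assumed shape: one dict per frame from the
# monitor-mode loop, kind in {"beacon", "deauth", "dns"}. Metadata only.
CAPTURE = [
    {"kind": "beacon", "ts": 0.0, "bssid": "aa:bb:cc:00:00:01", "ssid": "CafeWifi", "rsn": True},
    {"kind": "beacon", "ts": 0.1, "bssid": "de:ad:be:ef:00:02", "ssid": "CafeWifi", "rsn": False},
    {"kind": "beacon", "ts": 0.2, "bssid": "aa:bb:cc:00:00:03", "ssid": "Guest", "rsn": False},
    {"kind": "dns", "ts": 1.0, "src": "10.0.0.7", "qname": "www.example.com."},
    {"kind": "dns", "ts": 1.1, "src": "10.0.0.9", "qname": "x7q2kd9v1mzp3b8w.biz."},
    {"kind": "dns", "ts": 1.2, "src": "10.0.0.9", "qname": "ajf03k2m1xq9z8ub.biz."},
] + [
    # 60 broadcast deauths from one BSSID inside 0.6 s: a flood.
    {"kind": "deauth", "ts": 2.0 + i * 0.01, "bssid": "aa:bb:cc:00:00:01", "dst": "ff:ff:ff:ff:ff:ff"}
    for i in range(60)
]


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; 16 distinct chars give exactly 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_evil_twins(frames) -> list[Alert]:
    """Same SSID from more than one BSSID where at least one beacon carries an
    RSN IE and at least one does not (an OPEN sibling of a protected network)."""
    by_ssid: dict[str, dict[str, bool]] = defaultdict(dict)
    for f in frames:
        if f["kind"] == "beacon":
            by_ssid[f["ssid"]][f["bssid"]] = f["rsn"]
    alerts = []
    for ssid, bssids in by_ssid.items():
        if len(bssids) > 1 and any(bssids.values()) and not all(bssids.values()):
            open_ones = sorted(b for b, rsn in bssids.items() if not rsn)
            alerts.append(Alert("evil-twin", ssid, "OPEN sibling(s): " + ", ".join(open_ones)))
    return alerts


def detect_deauth_flood(frames, window=1.0, threshold=20) -> list[Alert]:
    """Sliding window over deauth timestamps per BSSID; more than `threshold`
    frames inside `window` seconds is flagged once. Thresholds are illustrative."""
    per_bssid: dict[str, list[float]] = defaultdict(list)
    for f in frames:
        if f["kind"] == "deauth":
            per_bssid[f["bssid"]].append(f["ts"])
    alerts = []
    for bssid, stamps in per_bssid.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                alerts.append(Alert("deauth-flood", bssid, f"{hi - lo + 1} deauths in {window}s"))
                break
    return alerts


def detect_dga_qnames(frames, min_len=12, min_entropy=3.5, min_digits=3) -> list[Alert]:
    """Long, high-entropy, digit-heavy first labels look machine-generated.
    A heuristic, not a classifier: CDN hostnames will produce false positives,
    which is one reason the output is an alert and not an action."""
    alerts, seen = [], set()
    for f in frames:
        if f["kind"] != "dns":
            continue
        label = f["qname"].rstrip(".").split(".")[0]
        digits = sum(ch.isdigit() for ch in label)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy and digits >= min_digits:
            key = (f["src"], f["qname"])
            if key not in seen:
                seen.add(key)
                alerts.append(Alert("dga-qname", f["src"], f["qname"]))
    return alerts


def run_all(frames) -> list[Alert]:
    """Every detector is a pure function of the capture; the only side effect
    anywhere is the print below."""
    return detect_evil_twins(frames) + detect_deauth_flood(frames) + detect_dga_qnames(frames)


if __name__ == "__main__":
    for a in run_all(CAPTURE):
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

Run against the constructed capture it reports one evil twin (CafeWifi, OPEN sibling de:ad:be:ef:00:02), one deauth flood and two DGA-style qnames from 10.0.0.9. The thresholds are starting points to tune per site; the point of the structure is that every detector takes frames in and gives alerts out, with no path back to the radio.
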
RULE 04

White hat only.

Sloth is built for:

  • Defenders monitoring their own networks
  • Blue teams running authorised SIGINT in a SOC
  • Incident responders triaging a compromised host
  • Researchers in a lab they own
  • CTF and training environments
  • Security-aware travellers who want to know what the café Wi-Fi is doing

It is not built for surveillance of third parties, harassment, stalking, or any operation against a network the operator does not have explicit written authority to observe.

RULE 05

Operator owns the consequences.

Sloth surfaces information. What the operator does with that information — file an incident, reconfigure an AP, brief a client, walk away — is outside sloth's scope.

The tool is honest about what it sees and silent about what to do.

OUT OF SCOPE

What sloth deliberately won't do.

If you're tempted to add a feature because it would be useful — port scanning the LAN, sending a deauth to test detection, auto-cracking the captured handshake — stop. That feature belongs in a different tool. Sloth's value is being trusted to be passive: an operator can run sloth on a sensitive segment without changing the segment.

  • Active reconnaissance (port scan, host sweep, OS fingerprint via probes).
  • Frame injection of any kind.
  • Online cracking, dictionary attacks, password-spray, credential validation.
  • Network configuration (DHCP server, DNS resolver, firewall rules).
  • Any "honeypot" mode that responds to inbound traffic.
  • Remote-control surfaces of any kind. No command channel, no "do X" RPC, no inbound-configuration endpoint, no plugin loader, no shell-out. Sloth refuses to act on instructions it receives over the wire.

“Sloth is a passive, white-hat SIGINT console: it watches, it flags, it never attacks.”