Dark Web Scanning

- Basic Tor config

torrc:

Restrict entry and exit nodes by country code with EntryNodes and ExitNodes, combined with StrictNodes:
EntryNodes {se},{ch},{is}
ExitNodes {is},{no},{ch}
StrictNodes 1

ExcludeExitNodes {us} and ExcludeNodes {us} exclude nodes by country. Combine them with StrictNodes to ensure that Tor uses the nodes we indicate:

ExcludeNodes {us},{cn},{ru}
StrictNodes 1

Log notice file /var/log/tor/notices.log

HTTPProxy and HTTPProxyAuthenticator: configuring Tor as an HTTP proxy

NewCircuitPeriod 60. Build a circuit every N seconds.

Accept DNS requests as if Tor were a normal DNS server (names can also be resolved with the tor-resolve domain command):

DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit, .onion

Creating hidden service:

HiddenServiceDir /var/lib/tor/apache/
HiddenServicePort 80 127.0.0.1:80
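
An added example, not part of the original notes: a small Python linter for the torrc options shown above. It catches directives run together on one line, malformed HiddenServicePort targets, and targets that are not loopback. The sample torrc is constructed, and the checker assumes only the {cc} country-code and ADDR:PORT forms used on this page; running tor --verify-config -f on the file remains the authoritative check.

```python
import ipaddress
import re

# Constructed sample torrc (not from a real host); lines 4, 7 and 8 are deliberately wrong.
SAMPLE_TORRC = """\
EntryNodes {se},{ch},{is}
ExitNodes {is},{no},{ch}
StrictNodes 1
ExcludeNodes {us},{cn},{ru} StrictNodes 1
DNSPort 9053
HiddenServiceDir /var/lib/tor/apache/
HiddenServicePort 80 127.0.0.1.1:80
HiddenServicePort 22 0.0.0.0:22
"""

NODE_OPTS = {"EntryNodes", "ExitNodes", "ExcludeNodes", "ExcludeExitNodes"}
COUNTRY = re.compile(r"^\{[a-z]{2}\}$")  # assumption: only the {cc} form is checked


def lint_torrc(text):
    """Return (line_number, message) findings for the options used on this page."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        opt, value = (line.split(None, 1) + [""])[:2]
        if opt in NODE_OPTS:
            for item in value.split(","):
                if not COUNTRY.match(item.strip()):
                    findings.append((n, f"{opt}: '{item.strip()}' is not a {{cc}} code"))
        elif opt == "StrictNodes" and value.strip() not in ("0", "1"):
            findings.append((n, "StrictNodes must be 0 or 1"))
        elif opt == "HiddenServicePort" and len(value.split()) > 1:
            host, _, port = value.split()[1].rpartition(":")
            try:
                addr = ipaddress.ip_address(host.strip("[]"))
            except ValueError:
                findings.append((n, f"HiddenServicePort: '{host}' is not an IP address"))
                continue
            if not port.isdigit() or not 0 < int(port) < 65536:
                findings.append((n, f"HiddenServicePort: bad target port '{port}'"))
            if not addr.is_loopback:  # backend would have to listen off-loopback
                findings.append((n, f"HiddenServicePort: target {addr} is not loopback"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_torrc(SAMPLE_TORRC):
        print(f"line {lineno}: {msg}")
```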

- Search engines in the Dark Web

Ahmia

https://ahmia.fi/

http://juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion/

DeepSearch

http://search7tdrcvri22rieiwgi5g46qnwsesvnubqav2xakhezv4hjzkkad.onion/

OnionLand

http://3bbad7fauom4d6sgppalyqddsqbf5u5p56b5k5uk2zxsy3d6ey2jobad.onion/

Phobos

http://phobosxilamwcg75xt22id7aywkzol6q6rfl2flipcqoc4e4ahima5id.onion/

Torsearch

http://wapabp2pnqczbxq4dqdo7txexhkqjzazmvrljxijtd5s2cohvejf4nqd.onion/

Python program OnionSearch, the mega search engine:

pip3 install onionsearch

git clone https://github.com/megadose/OnionSearch.git

cd OnionSearch/

python3 setup.py install

Onionscan (deprecated):

onionscan -mode analysis -webport 8888

onionscan -jsonReport -jsonSimpleReport -reportFile json -verbose hidden_service.onion

- Torsocks and proxychains

The common tools used for surface web pentesting have to be run through torsocks or proxychains:

With proxychains, set the Tor proxy in the config file: socks5 127.0.0.1 9050

Examples with torsocks:

torsocks dig +tcp @1.1.1.1 google.es

torsocks curl -I http://kx6hftcujl3se23u3kjsjgdto72mtbykertyvjcnawyn4aspwko3c6yd.onion/

torsocks -q nmap -sT -Pn -n cfv5uye3kk7arw45ieve3tmpymohf6w3ztc4ggutnrfjvdwhc3t27lad.onion

torsocks -q nmap -sT -sV -Pn -n -p 22,2022,2222 hidden_service.onion

torsocks nmap -sT -sV -Pn -n -p 80 --script=http-enum hidden_service.onion

torsocks nikto -h http://hidden_service.onion

torsocks -q ./dirsearch.py -x 403,404,501 -i 200,301,302 -o hidden.json --format=json -u hidden_service.onion

torsocks -q wpscan --url hidden_service.onion

- SSH

If the hidden service has SSH open, we can try getting the host key and searching for it in Shodan or Censys:

torsocks -q nmap -sV -sT -Pn -n -p 22 --script=ssh-hostkey --script-args ssh_hostkey=all hidden_service.onion
