Configuring onion services for the first time can be tricky. A surprising number of system administrators make seemingly trivial mistakes that ultimately lead to catastrophic cases of de-anonymizing supposedly anonymous sites on the dark web. OnionScan is a tool designed to identify common misconfigurations in onion services and to help us understand how to fix them.
As security researcher @x0rz demonstrated in an article on securing onion services, websites are often de-anonymized all too easily. He used software such as cURL, a command-line tool for transferring data over various protocols, to collect HTTP response headers for later Shodan queries.
All of the methods x0rz used to de-anonymize the onion services would have been ineffective if the site owners had taken basic safeguards. System administrators need to take better precautions to prevent their websites from being vulnerable to server fingerprinting and enumeration, and that's where OnionScan comes into play.
What Is OnionScan?
OnionScan is a free and open-source tool designed for investigating onion services. It's written in Go, a programming language created by Google in 2009. OnionScan's primary goal is to help operators of onion services identify and fix operational security (OPSEC) issues with their services. OnionScan can also be used to help researchers and investigators monitor and track sites on the dark web.
The developers of OnionScan aim to make finding vulnerabilities as simple as possible, not because they agree with the motives of every investigative force in the world, but because they believe that by making these kinds of audits easy, they will create a powerful incentive for new and better anonymity technologies.
Step 1: Installing OnionScan
Let's dive in and take a look at how to run OnionScan on a Kali box. You can run it in a virtual machine, on a laptop, or on a Raspberry Pi. Before starting, make sure your system is up to date by typing apt-get update into a terminal window.
Then, let's make sure we have Go installed. This dependency is required to install OnionScan, so open a terminal and type the following.
sudo apt-get install golang
When that's done installing, we'll need to clone the OnionScan repository from the developer's GitHub page. In the same terminal window, type the following.
go get github.com/s-rah/onionscan
Then compile it by running this command:
go install github.com/s-rah/onionscan
Change into the /root/go/bin directory by typing cd /root/go/bin into the terminal. Then list the directory contents with ls.
That's it for installing OnionScan. Simply executing ./onionscan from the /root/go/bin directory will invoke the help page and show all the available options.
Step 2: Using OnionScan
For this demo, I'll be anonymizing my Kali box with Whonix. Doing this will route all of my network traffic through the Tor network. To do this, you can refer to our tutorial linked below.
This is primarily for convenience, as OnionScan only works against onion sites. To use OnionScan, type the command below into a terminal window.
./onionscan --torProxyAddress=10.152.152.10:9050 youronionservice.onion
The --torProxyAddress flag tells OnionScan to use a proxy, and 10.152.152.10:9050 is the Tor SOCKS port on the Whonix gateway. This argument tells OnionScan to proxy its requests through the Whonix gateway.
For non-Whonix setups, use 127.0.0.1:9050 as the torProxyAddress.
./onionscan --torProxyAddress=127.0.0.1:9050 youronionservice.onion
To save the results as a JSON report instead of printing them to the terminal, add the --jsonReport flag and redirect the output to a file.
./onionscan --torProxyAddress=10.152.152.10:9050 --jsonReport youronionservice.onion > /path/to/save/destination/filename.json
Step 3: Protecting Yourself & Your Onion Services
Did OnionScan report a "High Risk" vulnerability with your onion service? Don't be alarmed. There are steps we can take to resolve these issues. Below, I'll cover how to fix and prevent some of the most common vulnerabilities discovered by OnionScan.
The Apache status module allows a server admin to actively monitor how well their server is performing. It presents an HTML page with the current server statistics in an easily readable form. With this information, attackers can:
- Build a fingerprint of your server, including version information for PHP and other software.
- Determine client IP addresses if you are co-hosting a clearnet site.
- Determine your IP address if your setup allows.
- Determine other sites you are co-hosting.
- Determine how active your site is.
- Find secret or hidden areas of your site.
By default, this module is enabled and accessed by appending /server-status to the website URL. This is still one of the biggest issues we find with dark web sites today.
Comment out or completely remove the <Location /server-status> block from the status.conf file. Open a terminal and open status.conf in a text editor to make the change.
After modifying status.conf and saving the configuration, restart Apache by typing the command below into a terminal.
sudo apachectl restart
You'll notice that visiting http://youronionservice.onion/server-status now returns HTTP status code 404. This means you've successfully disabled mod_status.
By default, requesting a URL with a trailing slash instructs Apache to return a listing of the given directory. For example, I added a /hidden_folder/ to my website. The image below shows the directory structure of my website.
In the /images directory, we can see hidden_folder, which would not normally be discovered by an attacker. With directory listings openly accessible, visiting http://youronionservice.onion/uploads/images/ will disclose the contents of the entire directory. The image below is an example of that.
OnionScan will list every directory it was able to access. The image below is an example of OnionScan reporting open directories.
We'll need to modify apache2.conf. Open a terminal and open the file in a text editor.
Find the <Directory /var/www/> block. Notice the Indexes between Options and FollowSymLinks. Here is how the block looks by default:
<Directory /var/www/>
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
Remove Indexes entirely, and the block should look like this when we're done:
<Directory /var/www/>
    Options FollowSymLinks
    Require all granted
</Directory>
Save and close the file, then restart Apache by typing the following command into a terminal.
sudo apachectl restart
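The two Apache fixes above (removing the <Location /server-status> block and dropping Indexes from Options) are easy to get wrong by hand, for instance by leaving a second <Directory> block with Indexes untouched. The following Python script is an added example, not part of the original tutorial or of OnionScan; it audits the contents of status.conf and apache2.conf for both problems and rewrites the Options lines the way the text does. The sample configuration text is constructed here to look like Debian's defaults and is not taken from any real server.

```python
import re

# Constructed sample of status.conf (mod_status still enabled).
STATUS_CONF = """\
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
    ExtendedStatus On
</IfModule>
"""

# Constructed sample of the relevant part of apache2.conf (Indexes still on).
APACHE2_CONF = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""


def _uncommented(text):
    """Yield (line_number, stripped_line), skipping blank lines and '#' comments."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#"):
            yield n, s


def server_status_enabled(status_conf):
    """True if an uncommented <Location /server-status> block is still present."""
    return any(re.match(r"<Location\s+/server-status\s*>", s, re.I)
               for _, s in _uncommented(status_conf))


def directories_with_indexes(apache_conf):
    """Return [(directory, line_no)] for every <Directory> whose Options line
    enables Indexes ('Indexes' or '+Indexes'); '-Indexes' disables it."""
    findings, current = [], None
    for n, s in _uncommented(apache_conf):
        m = re.match(r"<Directory\s+(\S+?)\s*>", s, re.I)
        if m:
            current = m.group(1).strip('"')
            continue
        if re.match(r"</Directory\s*>", s, re.I):
            current = None
            continue
        if current and s.lower().startswith("options"):
            opts = s.split()[1:]
            if any(o.lower() in ("indexes", "+indexes") for o in opts):
                findings.append((current, n))
    return findings


def disable_indexes(apache_conf):
    """Return the config with Indexes removed from every Options line (the edit
    the tutorial makes by hand). An Options line left empty becomes 'Options None'."""
    def fix(line):
        if line.strip().lower().startswith("options"):
            parts = [p for p in line.split() if p.lower() not in ("indexes", "+indexes")]
            if len(parts) == 1:
                parts.append("None")
            indent = line[:len(line) - len(line.lstrip())]
            return indent + " ".join(parts)
        return line
    return "\n".join(fix(l) for l in apache_conf.splitlines()) + "\n"


def audit(status_conf, apache_conf):
    """Human-readable findings for the two Apache issues discussed above."""
    issues = []
    if server_status_enabled(status_conf):
        issues.append("mod_status: <Location /server-status> is active in status.conf")
    for d, n in directories_with_indexes(apache_conf):
        issues.append("open directories: Indexes enabled for %s (line %d)" % (d, n))
    return issues


if __name__ == "__main__":
    for issue in audit(STATUS_CONF, APACHE2_CONF):
        print("FINDING:", issue)
    print(disable_indexes(APACHE2_CONF))
```

Run it against your own files by reading /etc/apache2/mods-enabled/status.conf and /etc/apache2/apache2.conf into the two variables; the audit only reads text, so it can be run before and after the restart to confirm the change took effect.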
EXIF stands for Exchangeable Image File Format and is stored in JPEG, PNG, and PDF file types. This embedded data can sometimes reveal interesting information, including timestamps, device information, and GPS coordinates. Most websites still do not properly sanitize EXIF data from images, leaving themselves or their users at risk of de-anonymization.
A perfect example of the dangers of EXIF data is the arrest of Higinio Ochoa. FBI agents extrapolated his girlfriend's geographic location using the GPS data found in a photo Higinio uploaded to Twitter.
OnionScan will list every photo that may contain sensitive EXIF metadata. The following screenshot is an example of OnionScan reporting harmful EXIF metadata discovered in JPGs found on an onion website.
How to Fix It
We need to manually remove EXIF metadata from our images. Below are several recommended metadata wiping tools.
- ExifTool, a Perl application for editing metadata in a wide variety of files.
- Exiv2, a C++ application to manage image metadata.
- Jhead, a JPEG header manipulation tool.
- Pdfparanoia, a tool to remove watermarks from academic papers.
I'll be using MAT (Metadata Anonymization Toolkit), a command-line tool for removing metadata from images, which can be found in most popular Linux distribution repositories. To install MAT, open a terminal and type the command below.
sudo apt-get install mat
After MAT is installed, we can display harmful EXIF metadata by typing the following command into a terminal.
mat -d image.jpg
The -d flag instructs MAT to list all harmful metadata in a file without removing it. This is useful for viewing EXIF metadata without wiping it. To completely remove all the EXIF metadata, run mat on the file without -d.
mat image.jpg
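To show what a tool like MAT or jhead actually does to a JPEG, here is an added Python example (not code from the tutorial or from MAT): it walks the JPEG marker segments, reports the metadata segments present (roughly what mat -d lists), and writes a copy with every APP1..APP15 and COM segment removed, which is where Exif, XMP, ICC and Photoshop data live. The sample image is a constructed byte string with a JFIF header, an empty Exif block and a comment, not a real photograph.

```python
import struct

SOI, APP0, SOS, EOI, COM = 0xFFD8, 0xFFE0, 0xFFDA, 0xFFD9, 0xFFFE


def _segments(data):
    """Yield (marker, raw_segment) for each marker segment; the SOS segment is
    yielded together with all the entropy-coded data that follows it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while data[pos + 1] == 0xFF:   # skip optional 0xFF fill bytes
            pos += 1
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == SOS:
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def list_metadata(data):
    """Names of metadata-carrying segments, in file order."""
    found = []
    for marker, seg in _segments(data):
        payload = seg[4:]
        if marker == APP0 + 1 and payload.startswith(b"Exif\x00\x00"):
            found.append("Exif")
        elif marker == APP0 + 1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            found.append("XMP")
        elif 0xFFE2 <= marker <= 0xFFEF:
            found.append("APP%d" % (marker - APP0))
        elif marker == COM:
            found.append("COM:" + payload.decode("latin-1"))
    return found


def strip_metadata(data):
    """Copy of the JPEG without APP1..APP15 and COM segments. APP0 (JFIF) is kept
    so the file still starts with a valid JFIF header; image data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in _segments(data):
        if (0xFFE1 <= marker <= 0xFFEF) or marker == COM:
            continue
        out += seg
    return bytes(out)


def _segment(marker, payload):
    """Build a marker segment; the length field counts itself plus the payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: JFIF header, a minimal Exif (TIFF header only), a comment,
# then a SOS marker with a few placeholder bytes and EOI. Not a real image.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP0 + 1, b"Exif\x00\x00" + b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 8)
    + _segment(COM, b"taken at home")
    + b"\xff\xda\x00\x02" + b"\x00" * 4 + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    clean = strip_metadata(SAMPLE_JPEG)
    print("after: ", list_metadata(clean), "(%d -> %d bytes)" % (len(SAMPLE_JPEG), len(clean)))
```

Because the function only drops whole segments and never touches the entropy-coded data after SOS, the output is still a valid JPEG with identical pixels; that is the same property jhead -purejpg relies on, and it is why the stripped file is always smaller.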
4. SSH, FTP & SMTP
OnionScan collects SSH public key fingerprints, SMTP banners, and other FTP, IRC, Ricochet, and MongoDB server information. These banners are often misconfigured to reveal information about the target server, including OS versions, hostnames, and IP addresses. This information can be compared to other onion and clearnet servers in order to try to identify the actual server location.
This image is an example of OnionScan revealing SSH and SMTP banners:
By default, SSH listens on 0.0.0.0. This means your SSH server accepts connections on every interface, making it reachable by search engines like Shodan. Open the SSH daemon configuration file, sshd_config, in a text editor.
Notice the "ListenAddress" line is set to 0.0.0.0.
We'll need to change that to 127.0.0.1 so the line reads ListenAddress 127.0.0.1.
Save and close the sshd_config file, then restart your SSH server by typing the following command into a terminal.
sudo systemctl restart ssh
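One detail the ListenAddress fix hides is that the stock sshd_config ships the line commented out, and a commented line means sshd's built-in default, which is to listen on every IPv4 and IPv6 address. The following Python script is an added example, not part of the tutorial or of OpenSSH; it works out which addresses a given sshd_config would bind to and flags the non-loopback ones. The two sample configurations are constructed here, and the parsing rules (last uncommented ListenAddress lines win, host:port and [ipv6]:port forms, no ListenAddress inside Match blocks) follow the sshd_config manual as I understand it.

```python
import ipaddress

# Constructed sample: Debian-style default where the listen lines are comments only.
SSHD_CONFIG_DEFAULT = """\
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
"""

# Constructed sample after the edit described in the text.
SSHD_CONFIG_HARDENED = """\
Port 22
ListenAddress 127.0.0.1
"""


def effective_listen_addresses(sshd_config):
    """Addresses sshd would bind to. With no uncommented ListenAddress line the
    daemon listens on all interfaces, reported here as ['0.0.0.0', '::']."""
    addrs = []
    for line in sshd_config.splitlines():
        s = line.strip()
        if s.lower().startswith("match "):
            break  # ListenAddress is not allowed inside Match blocks; stop at the first one
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "listenaddress":
            addr = parts[1].strip()
            if addr.startswith("["):            # [ipv6]:port
                addr = addr[1:addr.index("]")]
            elif addr.count(":") == 1:          # host:port (IPv4 or hostname)
                addr = addr.split(":")[0]
            addrs.append(addr)
    return addrs or ["0.0.0.0", "::"]


def is_exposed(addr):
    """True unless the address is a loopback address; hostnames count as exposed
    because we cannot tell where they resolve without a lookup."""
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def exposed_listen_addresses(sshd_config):
    """The subset of effective listen addresses reachable from outside the host."""
    return [a for a in effective_listen_addresses(sshd_config) if is_exposed(a)]


if __name__ == "__main__":
    for name, conf in (("default", SSHD_CONFIG_DEFAULT), ("hardened", SSHD_CONFIG_HARDENED)):
        print(name, "listens on", effective_listen_addresses(conf),
              "exposed:", exposed_listen_addresses(conf))
```

For an onion service the SSH daemon only needs to be reachable through Tor, which connects to it on the loopback interface, so an empty "exposed" list is the goal; feed the script the text of /etc/ssh/sshd_config before and after the restart to confirm the change.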
OnionScan scans for common cryptocurrency clients, including Bitcoin and Litecoin. From these, it extracts other connected onion services and the user agent.
If it's not absolutely necessary, don't publicly share cryptocurrency information on your websites. Unfortunately, there's not much we can do to stop website scanners and crawlers from collecting your cryptocurrency addresses.
OnionScan is a powerful tool. The image below is a graphical representation the developers created using OnionScan that depicts connections made between a vast majority of sites on the dark web. These connections were established using Bitcoin addresses, Apache mod_status leaks, SSH fingerprints, and other types of identifiers.
While many people may think dark web sites are anonymous by design, the reality is that they require attention like any other site to truly protect the identity of the administrator. Here, we've covered the common ways the owner of an onion service can improve their security, as well as the most useful methods for de-anonymizing a poorly configured onion service.
I hope you enjoyed this OnionScan tutorial. If you have any questions, feel free to leave a comment below.