1 month ago

How to Detect Misconfigurations in ‘Anonymous’ Dark Web Sites with OnionScan « Null Byte :: WonderHowTo

Configuring onion services for once can be tricky. A surprising number of system administrators make seemingly trivial mistakes which ultimately lead to catastrophic cases of de-anonymizing supposedly anonymous sites on the dark web. OnionScan can be a tool designed to identify common misconfigurations in onion services as well as aid us in understanding how to fix them.

As security researcher @x0rz demonstrated in an article on securing onion services, websites are often de-anonymized all too easily. He utilized software such as cURL, a command-line tool used for transferring data using various protocols, to collect HTTP response headers for later Shodan queries.

Don’t Miss: How to Find Vulnerable Targets Using Shodan

All of the methods x0rz used to de-anonymize the onion services should have been ineffective if basic safeguards were taken by the site owners. System administrators need to take better precautions to prevent their websites coming from being vulnerable to server fingerprinting as well as enumeration. as well as which’s where OnionScan comes into play.

What can be OnionScan?

OnionScan can be a free as well as open-source tool designed for investigating onion services. Its written in Go, a programming language created by Google in 2009. OnionScan’s primary goal can be to help operators of onion services identify as well as fix operational security (OPSEC) issues with their services. OnionScan can also be used to help researchers as well as investigators monitor as well as track sites on the dark web.

The developers of OnionScan aim to make finding vulnerabilities as simple as possible. Not because they agree with the motives of every investigation force from the entire world, however because they believe which by creating these kinds of audits easy, they will create a powerful incentive for fresh as well as much better anonymity technologies.

Step 1: Installing OnionScan

Let’s dive in as well as take a look at how to run OnionScan on a Kali box. You can run This particular in a virtual machine, on a laptop, or on a Raspberry Pi. Before starting, make sure your system can be up to date by typing apt-get update into a terminal window.

Don’t Miss: How to Install Kali Linux as a Virtual Machine on a Mac

Then, let’s make sure we have Go installed. This particular dependency can be required to install OnionScan, so open a terminal as well as type the following.

sudo apt-get install golang

When which’s done installing, we’ll need to clone the OnionScan repository coming from the developer’s GitHub page. from the same terminal window, type the following.

go get github.com/s-rah/onionscan

Then compile This particular by running This particular command:

go install github.com/s-rah/onionscan

Change into the /root/go/bin directory to by typing cd /root/go/bin into the terminal. Then list the directory contents with ls.

which’s This particular for installing OnionScan. Simply executing ./onionscan coming from the /root/go/bin directory will invoke the help page as well as provide all the available options.

Step 2: Using OnionScan

due to This particular demo, I’ll be anonymizing my Kali box with Whonix. Doing This particular will route all of my network traffic through the Tor network. To do This particular, you can refer to our tutorial linked below.

Don’t Miss: How to Fully Anonymize Kali with Tor, Whonix & PIA VPN

This particular can be primarily for convenience, as OnionScan only works against onion sites. To use OnionScan, type the command below into a terminal window.

./onionscan –torProxyAddress= youronionservice.onion

The –torProxyAddress part tells OnionScan to use a proxy, while can be a Tor proxy port from the Whonix gateway. This particular argument will tell OnionScan to proxy requests through the Whonix gateway.

For non-Whonix setups, we might use as our torProxyAddress.

./onionscan –torProxyAddress= youronionservice.onion

OnionScan also offers an alternate JSON output format for integration with some other applications like Censys as well as programming languages such as Python as well as JavaScript.

./onionscan –torProxyAddress= –jsonReport youronionservice.onion > /path/to/save/destination/filename.json

Step 3: Protecting Yourself & Your Onion Services

Did OnionScan report a “High Risk” vulnerability with your onion service? Don’t be alarmed. There are steps we can take to resolve these issues. Below, I’ll cover how to fix as well as prevent some of the most common vulnerabilities discovered by OnionScan.

1. Apache mod_status Leak

The Apache status module allows a server admin to actively monitor how well their server can be performing. An HTML page can be presented which provides the current server statistics in an easily readable form. With This particular information, attackers can:

  • Build a fingerprint of your server, including type information for PHP as well as some other software.
  • Determine client IP addresses if you are co-hosting a clearnet site.
  • Determine your IP address if your setup allows.
  • Determine some other sites you are co-hosting.
  • Determine how active your site can be.
  • Find secret or hidden areas of your site.

By default, This particular module can be enabled as well as accessed by appending /server-status to the website URL. This particular can be still one of the biggest issues we find with dark web sites today.

How to Fix This particular

Comment out or completely remove the <Location /server-status> brackets from the status.conf file. Open a terminal as well as type the command below to access This particular.

nano /etc/apache2/mods-enabled/status.conf

After modifying the status.conf as well as saving the configuration, restart Apache by typing the command below into a terminal.

sudo apachectl restart

You’ll notice visiting http://youronionservice.onion/server-status right now returns HTTP status code 404. This particular means you’ve successfully disabled mod_status.

2. Open Directories

By default, appending a trailing slash to a URL will instruct Apache to return the contents of a given directory. For example, I added a /hidden_folder/ to my website. The image below shows the directory structure of my website.

from the /images directory, we can see the hidden_folder, which might not normally be discovered by an attacker. With directories openly accessible, visiting http://youronionservice.onion/uploads/images/ will disclose the contents of the entire directory. The image below can be an example of which.

OnionScan will list every directory This particular was able to access. The image below can be an example of OnionScan reporting open directories.

How to Fix This particular

We’ll need to modify the apache2.conf. Open a terminal as well as type the following command.

nano /etc/apache2/apache2.conf

Find the <Directory /var/www/> brackets. Notice the Indexes between Options as well as FollowSymLinks. Here can be how the brackets look by default:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted

Remove Indexes entirely, as well as This particular should look like This particular when we’re done:

<Directory /var/www/>
Options FollowSymLinks
AllowOverride None
Require all granted

Save as well as close the file, then restart Apache by typing the following command into a terminal.

sudo apachectl restart

3. EXIF Tags

EXIF stands for Exchangeable Image File as well as can be stored in JPEG, PNG, as well as PDF file types. This particular embedded data can sometimes reveal interesting information, including timestamps, device information, as well as GPS coordinates. Most websites still do not properly sanitize EXIF data coming from images, leaving themselves or their users at risk of de-anonymization.

A perfect example of the dangers of EXIF data can be the arrest of Higinio Ochoa. FBI agents extrapolated his girlfriend’s geographic location using the GPS data found in a photo Higinio uploaded to Twitter.

OnionScan will list every photo which may contain sensitive EXIF metadata. The following screenshot can be an example of OnionScan reporting harmful EXIF metadata discovered in JPGs found on an onion website.

How to Fix This particular

We need to manually remove EXIF metadata coming from our images. Below are several recommended metadata wiping tools.

I’ll be using MAT (Metadata Anonymization Toolkit), a command-line tool used to remove metadata coming from images, which can be found in most favorite Linux distribution repositories. To install MAT, open a terminal as well as type the command below.

sudo apt-get install mat

After MAT can be installed, we can display harmful EXIF metadata by typing the following command into a terminal.

mat -d image.jpg

The -d will instruct MAT to list all harmful metadata of a file without removing This particular. This particular can be useful for viewing EXIF metadata without wiping This particular. To completely remove all the EXIF metadata, type the following command.

mat image.jpg


OnionScan collects SSH public key fingerprints, SMTP banners, as well as some other FTP, IRC, Ricochet, as well as MongoDB server information. These banners are often misconfigured to reveal information about the target server, including OS versions, hostnames, as well as IP addresses. This particular information can be compared to some other onion as well as clearnet servers in order to try as well as identify the actual server location.

This particular image can be an example of OnionScan revealing SSH as well as SMTP banners:

How to Fix This particular

By default, SSH will try to listen on This particular means your SSH server will attempt to broadcast on every interface, creating your SSH server accessible to search engines like Shodan. Modify the SSH config file by typing the following command into a terminal.

nano /etc/ssh/sshd_config

Notice the “ListenAddress” line can be set to

ListenAddress ::

We’ll need to modify which to so This particular looks like the following text.

#ListenAddress ::

Save as well as close the sshd_config file, then restart your SSH server by typing the following command into a terminal.

sudo systemctl restart ssh

5. Cryptocurrency Clients

OnionScan scans for common cryptocurrency clients including Bitcoin as well as Litecoin. coming from these, This particular extracts some other connected onion services as well as the user agent.

How to Fix This particular

If This particular’s not absolutely necessary, don’t publicly share currency information on your websites. Unfortunately, there’s not much we can do to “fix” website scanners as well as crawlers coming from collecting your cryptocurrency addresses.

Looking Deeper into the Dark Web

OnionScan can be a powerful tool. The image below can be a graphical representation the developers created using OnionScan which depicts connections made between a vast majority of sites on the dark web. These connections were established using Bitcoin addresses, Apache mod_status leaks, SSH fingerprints, as well as some other types of identifiers.

Image by OnionScan/Mascherari Press

While many people may think dark web sites are anonymous by design, the reality can be which they require attention like any some other site to truly protect the identity of the administrator. Here, we’ve covered the common ways the owner of an onion service can improve their security, as the most useful methods for de-anonymizing a poorly configured onion service.

I desire which you enjoyed This particular OnionScan tutorial. If you have any questions, feel free to leave a comment below.

Don’t Miss: Host Your Own Tor Hidden Service that has a Custom Onion Address

Cover image via Wallup.net; Screenshots by tokyoneon/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

5 × four =