You may have heard of this awesome tool called OnionScan that is used to scan hidden services in the dark web looking for potential data leaks. Recently the project released some cool visualizations and a high level description of what their scanning results looked like. What they didn’t provide is how to actually go about scanning as much of the dark web as possible, and then how to produce those very cool visualizations that they show.
At a high level we need to do the following:
Setup a server somewhere to host our scanner 24/7 becauseit takes some time to do the scanning work. Get TOR running on the server. Get OnionScan setup. Write some python to handle the scanning and some of the other data management to deal with the scan results. Write some more Python to make some cool graphs. (Part Two of the series)Let’s get started!
Setting up a Digital Ocean DropletIf you already use Amazon, or have your own linux server somewhere you can skip this step. For the rest of you, you can use my referral link here to get a $10 credit with Digital Ocean that will get you a couple months free (full disclosure I make money in my Digital Ocean account if you start paying for your server, feel free to bypass that referral link and pay for your own server). I am assuming you are running Ubuntu 16.04 for the rest of the instructions.
The first thing you need to do is to create a new Droplet by clicking on the big Create Droplet button. Next select a Ubuntu 16.04 configuration, and select the $5.00/month option (unless you want something more powerful). You can pick a datacenter wherever you like, and then scroll to the bottom and click Create.It will begin creating your droplet, and soon you should receive an email with how to access your new Linux server. If you are on Mac OSX or Linux get your terminal open. If you are on windows then grab Putty from here .
On Mac OSX it is: Finder -> Applications -> Utilities -> Terminal On Linux: Click your start menu and search for TerminalNow you are going to SSH into your new server. Windows Putty users just punch the IP address in that you received in your email and hit Enter. You will be authenticating as the root user and then type in the password you were provided in your email.
For Mac OSX and Linux people you will type the following into your terminal:
sshroot@IPADDRESSYou will be forced enter your password a second time, and then you have to change your password. Once that is done you should now be logged into your server.
Installing PrerequisitesNow we need to install the prerequisites for our upcoming code and for OnionScan. Follow each of these steps carefully and the instructions are the same for Mac OSX, Linux or Windows because the commands are all being run on the server.
Feel free to copy and paste each command instead of typing it out. Hit Enter on your keyboard after each step and watch for any problems or errors.
screen apt-get update apt-get installtorgitbisonlibexif-dev apt-get installpython-pip pipinstallstemNow we need to install the Go requirements (OnionScan is written in Go). The following instructions are from Ryan Frankel’s post here .
bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/master/binscripts/gvm-installer) [[ -s "$HOME/.gvm/scripts/gvm" ]] && source "$HOME/.gvm/scripts/gvm" source /root/.gvm/scripts/gvm gvminstallgo1.4 gvmuse go1.4Ok beauty we have Go installed. Now let’s get OnionScan setup by entering the following:
goget github.com/s-rah/onionscan goinstallgithub.com/s-rah/onionscanNow if you just type:
onionscanAnd hit Enter you should get the onionscan command line usage information. If this all worked then you have successfully installed OnionScan. If you for some reason close your terminal and you can’t run the onionscan binary anymore just simply do a:
gvmuse go1.4and it will fix it for you.
Now we need to make a small modification to the TOR configuration to allow our Python script to request a new identity (a new IP address) which we will use when we run into scanning trouble later on. We have to enable this by doing the following:
tor --hash-passwordPythonRocksThis will give you output that will include the bottom line that looks like this:
16:3E73307B3E434914604C25C498FBE5F9B3A3AE2FB97DAF70616591AAF8
Copy this line and then type:
nano -w /etc/tor/torrcThis will open a simple text editor. Now go to the bottom of the file by hitting the following keystrokes (or endlessly scrolling down):
CTRL+W CTRL+VPaste in the following values at the bottom of the file:
ControlPort 9051 ControlListenAddress 127.0.0.1 HashedControlPassword 16:3E73307B3E434914604C25C498FBE5F9B3A3AE2FB97DAF70616591AAF8Now hit CTRL+O to write the file and CTRL+X to exit the file editor. Now type:
servicetorrestartThis will restart TOR and it should have our new settings in place. Note that if you want to use a password other than PythonRocks you will have to follow the steps above substituting your own password in place, and you will also have to later change the associated Python code.
We are almost ready to start writing some code. The last step is to grab my list of .onion addresses (at last count around 7182 addresses) so that your script has a starting point to start scanning hidden services.
wgethttps://raw.githubusercontent.com/automatingosint/osint_public/master/onionrunner/onion_master_list.txtWhew! We are all setup and ready to start punching out some code. At this point you can switch to your local machine or if you are comfortable writing code on a Linux server by all means go for it. I find it easier to use WingIDE on my local machine personally.
A Note About ScreenYou notice that both sets of instructions I have you run the screen command. This is a handy way to keep your session alive even if you get disconnected from your server. When you want to jump back into that session, you simply SSH back into the server and execute:
screen -rxThis will be handy later on when you start doing your scanning work, as it can take days for it to complete fully.
Writing an OnionScan Wrapper OnionScan is a great tool but we need to be able to systematically control it, and process the results. As well, TOR connections are notoriously unstable so we need a way to kill a stuck scan process and grab a fresh IP address from the TOR network.Let’s get coding! Crack open a new Python file, name it onionrunner.py and start punching out the following (you can do