OnionScan - Tool To Check the Anonymity Of Dark Web Sites

OnionScan is a free and open source tool for investigating the Dark Web.

It has two primary goals:
  • To help operators of hidden services find and fix operational security issues with their services.
  • To help researchers and investigators monitor and track Dark Web sites.

Here are some of the kinds of scans and correlations that OnionScan supports:
  • Web sites: When OnionScan detects a web server, it is scanned for the following issues.
    • Apache mod_status Leak
    • Open Directories
    • EXIF Tags
    • Server Fingerprint
    • Analytics IDs
    • PGP Identities
  • SSH: OnionScan collects information about SSH endpoints, including software versions and the SSH public key fingerprint. These can be correlated against other onion services or clearnet servers in order to try to identify the actual server location.
  • FTP & SMTP: OnionScan collects information from other non-web servers, most notably software banners. These banners are often misconfigured to reveal information about the target server - including OS version, and sometimes hostnames and IP addresses. The software version itself can also be a correlation vector.
  • Cryptocurrency Clients: OnionScan scans for common cryptocurrency clients including Bitcoin and Litecoin. From these, it extracts other connected onion services as well as the user agent.
  • Protocol Detection: OnionScan also detects the presence of many other protocols including IRC, XMPP, VNC & Ricochet.

Requirements

Installation

First, grab OnionScan:
go get github.com/s-rah/onionscan
Then compile and run from the cloned source:
Once you have cloned the repository into somewhere that Go can find it, you can run go install github.com/s-rah/onionscan and then run the binary in $GOPATH/bin/onionscan.

Alternatively, you can just do go run github.com/s-rah/onionscan.go to run without compiling.

Basic Usage

  • For a simple report detailing the high, medium and low-risk areas found with a hidden service:
onionscan notarealhiddenservice.onion
  • The most interesting output comes from the verbose option:
onionscan --verbose notarealhiddenservice.onion
  • There is also a JSON output if you want to integrate with another program or application:
onionscan --jsonReport notarealhiddenservice.onion
  • If you would like to use a proxy server listening on something other than 127.0.0.1:9050, then you can use the --torProxyAddress flag:
onionscan --torProxyAddress=127.0.0.1:9150 notarealhiddenservice.onion
  • If you want to configure the types of scanning that OnionScan does, you can use the "scans" parameter:
onionscan --scans web notarealhiddenservice.onion

OnionScan Correlation Lab

If you are a researcher monitoring multiple sites you will definitely want to use the OnionScan Correlation Lab - a web interface hosted by OnionScan that allows you to discover, search and tag different identity correlations.

The OnionScan Correlation Lab is a rather unique environment. The Lab provides you with a way of uncovering relationships between different onion sites.
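The correlation idea behind the SSH, banner and analytics-ID scans above and the Correlation Lab is easy to show in code. The following is an added example, not OnionScan's own code: the scan records, field names and weights are constructed for illustration and do not follow OnionScan's JSON report schema.

```python
# Added example (not OnionScan's code): link hosts that share identifiers, the
# way the Correlation Lab does. Records and field names are constructed.
from collections import defaultdict

# Constructed scan results, one record per host; none of these hosts is real.
SCANS = [
    {"host": "notarealhiddenservice.onion", "ssh_fingerprint": "SHA256:EXAMPLEkey0001",
     "server_banner": "Apache/2.4.18 (Ubuntu)", "analytics_ids": ["UA-000000-1"],
     "pgp_identities": ["alice@example.invalid"]},
    {"host": "anothernotrealservice.onion", "ssh_fingerprint": "SHA256:EXAMPLEkey0002",
     "server_banner": "Apache/2.4.18 (Ubuntu)", "analytics_ids": ["UA-000000-1"],
     "pgp_identities": []},
    {"host": "clearnet.example.invalid", "ssh_fingerprint": "SHA256:EXAMPLEkey0001",
     "server_banner": "nginx/1.10.3", "analytics_ids": [],
     "pgp_identities": ["alice@example.invalid"]},
]

# How strongly a shared identifier ties two hosts together: an SSH host key is
# unique to a machine, so a match is a strong link, while a shared software
# banner only narrows the field. The weights are assumptions for this example.
WEIGHTS = {"ssh_fingerprint": 3, "pgp_identities": 2, "analytics_ids": 2,
           "server_banner": 1}


def extract_identifiers(scan):
    """Yield (identifier_type, value) pairs present in one scan record."""
    for kind in WEIGHTS:
        value = scan.get(kind)
        if not value:
            continue
        for v in (value if isinstance(value, list) else [value]):
            yield kind, v


def correlate(scans):
    """Map each identifier shared by two or more hosts to the hosts sharing it."""
    seen = defaultdict(set)
    for scan in scans:
        for ident in extract_identifiers(scan):
            seen[ident].add(scan["host"])
    return {ident: sorted(hosts) for ident, hosts in seen.items() if len(hosts) > 1}


def linked_hosts(host, scans):
    """Score the other hosts correlated with `host`, strongest evidence first."""
    scores = defaultdict(int)
    for (kind, _value), hosts in correlate(scans).items():
        if host in hosts:
            for other in hosts:
                if other != host:
                    scores[other] += WEIGHTS[kind]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

For an operator, a non-empty result from linked_hosts for their own service is the list of identifiers to rotate or remove (a reused SSH host key, a shared analytics ID) before anyone else finds the link.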

Often the best way to start is to enter the name of an onion service you are interested in into the search bar:

If you have scanned the site with OnionScan then the search should result in a page displaying all kinds of correlations that OnionScan has detected:

You can look around this page and find identifiers and other information that may indicate potential deanonymization vectors.

OnionScan also attempts to highlight the most important information at the top of the page. For example, in the screenshot above OnionScan has added the page title along with two tags indicating that it found a mod_status leak on the service in question.

The Correlation Lab supports the tagging of search results: you can tag any given search result, including the results for other tags, in the left-hand column.

You can then search for all tagged pages using the search feature - or by clicking on the tag:
