A practical guide to de-anonymizing hidden services.

A practical guide to de-anonymizing hidden services.

In this article I will share two concepts you can use to deanonymize hidden services and share a flowchart that will guide through the available methods and options.


The concepts.

Hidden services are anonymous network services that are most often exposed over the Tor network. In contrast to conventional Internet services, hidden services are private and generally not indexed by search engines.

There are several ways to discover the server responsible for hosting a hidden service. In this article we will discuss two concepts: application & service misconfigurations and metadata correlation.

Application & service misconfigurations.

Operators of hidden services often forget to properly configure their services to restrict outbound communication without going over a Tor connection, prevent management and status pages from being accessed or use the correct URLs and hostnames in HTTP responses.

For example if the application is being served using Apache and you are accessing it over a loopback connection you can potentially access the server-info page which exposes information about:

  • Server uptime.
  • Individual request-response statistics and CPU usage of the working processes.
  • Current HTTP requests, client IP addresses, requested paths, and processed virtual hosts.

Here we can see that the server is running Apache 2.4.25 on Debian, it was last restarted on Monday the 1st of March and it's vhost is set to a certain .com domain.

Other common misconfigurations occur when the application or service makes requests to the internet. For example wordpress pingbacks or external MyBB avatar uploads can leak the IP address of the server.

Metadata correlation.

We can use some of the data we found by looking at application and service misconfigurations to correlate these with data we have from internet-wide scans by using search engines such as shodan.io, censys.io and binaryedge.io

For example operators of hidden services can open additional ports on their hidden service by specifying them in the Tor configuration.

HiddenServicePort 22 127.0.0.1:22
This configuration entry would let you access SSH via your hidden service address

When SSH is opened on both to the hidden service and the internet you can correlate the SSH public keys to keys found on search engines.

Misconfigurations are common.

Misconfigured hidden services are more common than you think. Several high-profile hidden services have been taken down because their operator made critical mistakes.

The operator responsible for AlphaBay was discovered after he misconfigured his server to send e-mails from his own hotmail address.

Welcome To Video was located after the forum software was misconfigured to load content from the IP address the server was hosted on.

The flowchart.

I put the following flowchart together to guide you through various methods to discover more information about a hidden service.

It is recommended that you download this SVG locally. You will need to zoom around as it contains a lot of information.

A flowchart detailing the various ways you can identify the server responsible for a onion address
Show Comments