What are Tor Hidden Services?
Tor hidden services are websites located inside the Tor network, and they can be accessed only through Tor. Tor hidden services provide server anonymity: a Tor hidden service is a distinct type of site that can be visited only with Tor, concealing both the visitor's digital trail and the location of the server hosting the service.
A Tor hidden service is sometimes called an onion site or an onion service. It has a unique domain name ending in .onion (for example http://3g2upl4pq6kufc4m.onion, DuckDuckGo's search engine onion URL) that can be reached only through Tor.
How to Investigate & Deanonymize Tor Hidden Services
Frequently a Tor hidden service discloses indirect indications that an investigator can use to trace where the service is actually hosted on the internet. This is usually the result of a server being misconfigured by an inexperienced system administrator.
Finding IP Addresses Associated with an Onion SSL Certificate
There are many instances where an onion hidden service has an SSL certificate configured on its server. Since traffic within Tor is already strongly encrypted, a certificate is unnecessary, and there will be cases where an operator has set one up by mistake.
Using Censys.io, it is possible to locate every website whose SSL certificate contains an onion name:
443.https.tls.certificate.parsed.names: onion
This method gives you a historical list of IP addresses on which SSL certificates containing onion hidden service addresses have been observed.
Checking if an IP Address was Used as a Tor Relay
There will be times where you have an IP address and would like to confirm whether it was part of the Tor network. The Tor Project provides a tool that lets an investigator establish whether an IP address was operating as a Tor relay on a specific date.
Finding Server Information of Onion Hidden Services
Another technique available to an investigator is to use the Censys service to search for running services. Entering the complete onion domain address as the search term can return an IP address if the server has been misconfigured by the system administrator.
In addition, another method can disclose information about an onion site running Apache: visiting domainexample.onion/server-status.
This may disclose the IP addresses accessing the server, additional domains hosted on the same server, the server's operating system, creation date, uptime, and the type of resources (for example, pages and images) being accessed.
Using Shodan to Search for Tor Onion Hidden Services
We can also use Shodan to search for onion domains with a general query or an SSL certificate search:
ssl:".onion"
It is possible to replace the .onion domain with the complete address of the Tor hidden service you would like to investigate.
You may also locate any websites that are potentially misconfigured, which may reveal where they are located:
".onion"
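The Censys and Shodan certificate searches above both work because a certificate's names tie an onion address to a publicly reachable host. The following self-audit, an added example that is not part of the original article, lets an operator check a certificate's names the same way before an indexer does. It assumes the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate dicts are constructed for this example and are not real certificates.

```python
import ssl  # imported for the reader: getpeercert() on a validated connection returns this dict shape

# Constructed sample in getpeercert() form: a clearnet site whose certificate also lists
# an onion name. This is the misconfiguration the certificate searches find.
LINKED_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (
        ("DNS", "shop.example.com"),
        ("DNS", "3g2upl4pq6kufc4m.onion"),   # onion address quoted in the article
        ("IP Address", "203.0.113.10"),      # documentation range, constructed
    ),
}

# Constructed sample with only an onion name: still indexable by an ".onion" search,
# but it does not by itself tie the service to a clearnet identity.
ONION_ONLY_CERT = {
    "subject": ((("commonName", "3g2upl4pq6kufc4m.onion"),),),
    "subjectAltName": (("DNS", "3g2upl4pq6kufc4m.onion"),),
}


def cert_names(cert):
    """Collect every host identity in a getpeercert() dict: SAN entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def is_onion(name):
    """True for any name under the .onion TLD (case-insensitive, trailing dot tolerated)."""
    return name.lower().rstrip(".").endswith(".onion")


def audit_cert(cert):
    """Split the certificate's names into onion and clearnet sets.

    'indexable' means an indexer's ".onion" certificate search would match this certificate;
    'linked' means the certificate also carries a clearnet name or IP, which is the
    deanonymizing case described in the article.
    """
    names = set(cert_names(cert))
    onion = sorted(n for n in names if is_onion(n))
    clearnet = sorted(n for n in names if not is_onion(n))
    return {"onion": onion, "clearnet": clearnet, "indexable": bool(onion), "linked": bool(onion and clearnet)}
```

Run audit_cert() over the certificates of every host you administer; any result with linked set to True is exactly what the Censys query 443.https.tls.certificate.parsed.names: onion would surface.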