OnionScan

OnionScan is a tool for scanning hidden services for opsec leaks and software misconfiguration that could enable an attacker to determine the service operator. It will run on any operating system with Golang.

Install Go(lang)

On a Mac it's simple:

brew install go

On Linux, it may be available similarly via your package manager (probably as golang).

On other systems, follow the instructions to download and install from the Go website (or ask for a USB stick for Windows/Mac installers).

Install OnionScan

go get github.com/HouzuoGuo/tiedot
go get golang.org/x/crypto/openpgp
go get golang.org/x/net/proxy
go get golang.org/x/net/html
go get github.com/rwcarlsen/goexif/exif
go get github.com/rwcarlsen/goexif/tiff
go get github.com/s-rah/onionscan
go install github.com/s-rah/onionscan

Make it scan

OnionScan should now be installed in the bin directory of your GOPATH. On Mac, the GOPATH should be ~/go (if not, find it by running go env GOPATH).

cd ~/go/bin
./onionscan --verbose yourhiddenservice.onion

What it's doing

OnionScan crawls the service looking for things that might give away identity, like images with EXIF tags and PGP identities. It also checks SSH endpoints, analytics IDs, and server fingerprints that can be used to determine whether two sites are hosted on the same infrastructure. And Apache's mod_status. And more.

OnionScan's output (in verbose mode) should give you a good idea of what it's checking. When it's finished it should show a report something like this:

--------------- OnionScan Report ---------------
Generating Report for: yourhiddenservice.onion

Info: Found Identities
         Items Identified:

         onion-munch.jpg
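Since images with EXIF tags are among the things OnionScan flags, here is one way to clean a JPEG before publishing it, as an added example (not code from OnionScan or from the original post). It uses only the Go standard library; StripExif and sampleJPEG are names made up here, and the sample bytes are a constructed segment skeleton, not a real image.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// StripExif returns a copy of a JPEG without its APP1/Exif segments, and how many were dropped.
func StripExif(jpeg []byte) ([]byte, int, error) {
	if len(jpeg) < 2 || jpeg[0] != 0xFF || jpeg[1] != 0xD8 {
		return nil, 0, fmt.Errorf("not a JPEG: missing SOI marker")
	}
	out, removed := []byte{0xFF, 0xD8}, 0
	for i := 2; i+4 <= len(jpeg); {
		if jpeg[i] != 0xFF {
			return nil, 0, fmt.Errorf("expected a marker at offset %d", i)
		}
		if jpeg[i+1] == 0xDA { // SOS: image data follows, copy the rest untouched
			return append(out, jpeg[i:]...), removed, nil
		}
		end := i + 2 + int(binary.BigEndian.Uint16(jpeg[i+2:])) // length counts its own 2 bytes
		if end < i+4 || end > len(jpeg) {
			return nil, 0, fmt.Errorf("bad segment length at offset %d", i)
		}
		if jpeg[i+1] == 0xE1 && bytes.HasPrefix(jpeg[i+4:end], []byte("Exif\x00\x00")) {
			removed++ // drop it: camera model, timestamps and GPS tags live here
		} else {
			out = append(out, jpeg[i:end]...)
		}
		i = end
	}
	return nil, 0, fmt.Errorf("truncated JPEG: no SOS marker found")
}

// sampleJPEG builds a constructed segment skeleton (SOI, APP0, APP1/Exif, SOS, EOI).
func sampleJPEG() []byte {
	seg := func(m byte, p string) []byte {
		return append([]byte{0xFF, m, byte((len(p) + 2) >> 8), byte(len(p) + 2)}, p...)
	}
	j := append([]byte{0xFF, 0xD8}, seg(0xE0, "JFIF\x00")...)
	j = append(j, seg(0xE1, "Exif\x00\x00constructed-camera-and-gps-tags")...)
	return append(j, 0xFF, 0xDA, 0x00, 0x02, 0x11, 0x22, 0xFF, 0xD9)
}

func main() {
	clean, n, err := StripExif(sampleJPEG())
	fmt.Printf("removed %d Exif segment(s), %d bytes left, err=%v\n", n, len(clean), err)
}
```

This removes only Exif; XMP, IPTC and JPEG comment segments are stored separately and are left in place.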

There are a number of reports from aggregated OnionScans of thousands of hidden services, with great visualisations available on onionscan.org.

That's all folks

Some further reading:




Anonoblog | Robin Doherty | robindoherty.com | @rdoh | rdoherty@gmail.com | PGP