OnionScan is a tool for scanning hidden services for opsec leaks and software misconfiguration that could enable an attacker to determine the service operator. It will run on any operating system with Golang.
On a Mac it's simple:
brew install go
On Linux, it may be available similarly via your package manager (probably as
go get github.com/HouzuoGuo/tiedot go get golang.org/x/crypto/openpgp go get golang.org/x/net/proxy go get golang.org/x/net/html go get github.com/rwcarlsen/goexif/exif go get github.com/rwcarlsen/goexif/tiff go get github.com/s-rah/onionscan go install github.com/s-rah/onionscan.go
Make it scan
OnionScan should now be installed in your GOPATH. On Mac, this should be
~/go (if not, find it by running
go env GOPATH).
cd ~/go ./onionscan --verbose yourhiddenservice.onion
What it's doing
OnionScan crawls to look for things that might give away identity like images with EXIF tags and PGP identities. It also checks SSH endpoints, analytics IDs, and server fingerprinting that can be used to determine if two sites are hosted on the same infrastructure. And Apache's mod_status. And more.
OnionScan's output (in verbose mode) should give you a good idea of what it's checking. When it's finished it should show a report something like this:
--------------- OnionScan Report --------------- Generating Report for: yourhiddenservice.onion Info: Found Identities Items Identified: onion-munch.jpg
There are a number of reports from aggregated OnionScans of thousands of hidden services, with great visualisations available on onionscan.org.
That's all folks
Some further reading:
- The OnionScan reports
- Building a Tor Hidden Service From Scratch
- Dark Web OSINT with Python and OnionScan
- Why we need Tor now more than ever