De-onion: How Administrators of Tor Websites Are Tracked
Contents:
- How Tor Network Works
- "Onion" DNS
- Website Structure
- The Shadow Economy
- Search Engines
- Traps
- Fingerprinting
- Text Analysis
- Crawlers, Spiders, Scrapers
- Forensics
- Conclusion
How Tor Network Works
In ordinary IP routing a client sends a request to the server's address and the server answers the client's address, so each side sees the other's IP directly. Tor's onion routing instead builds a circuit through three relays (the entry or guard relay, a middle relay and the exit relay). The client encrypts each request in three layers and every relay strips exactly one: the guard learns the client's IP address but not the destination, the exit learns the destination but not the client, and the middle relay only ever sees its two neighbours.
That anonymity is not absolute. A relay operator sees whatever its position exposes: a malicious exit can read or tamper with traffic to a clearnet site that is not protected by TLS, and an operator who controls both the guard and the exit of one circuit can correlate traffic timing at both ends. The best-documented case is the KAX17 actor, which by late 2021 ran more than 900 relays; by one estimate a Tor client then had about a 16% chance of choosing one of them as its guard.
Tools for Investigating Tor Nodes:
- Tor Node List – A plain list of currently known relays with their IP addresses.
- ExoneraTor – Answers whether a given IP address was a Tor relay (and whether it allowed exits) on a given date; the first check to run on any address that shows up in logs.
- Onionite – Shows the details of an individual relay (flags, bandwidth, contact information).
- Tor Metrics – Aggregate statistics on relays, bandwidth and users.
- CollecTor – The Tor Project's archive of relay descriptors and network-status consensuses; these documents record every relay's IP address, ports and flags over time and are the raw data behind the tools above.
Hiding the IP address does not stop a site from fingerprinting the browser itself (screen resolution, number of CPU cores, fonts, rendering quirks). Tor Browser counters this by making every user look alike: a fixed user agent, letterboxed window sizes and a "Safest" security level that disables JavaScript. Users should keep those defaults, leave JavaScript off where possible, avoid full-screen mode (which reveals the real screen size) and install no add-ons.
"Onion" DNS
Unlike conventional DNS, .onion names are neither registered nor resolved by any resolver: a current (v3) address is the base32 encoding of the service's Ed25519 public key, a checksum and a version byte, 56 characters in all, so the name is self-authenticating and there is no registrar, TLD/SLD hierarchy or zone file behind it. Whois lookups and DNS reconnaissance tools such as DNSdumpster therefore return nothing for onion sites; what can be examined is the service itself and any clearnet infrastructure it leaks.
Tools for Investigating Tor Domains:
- TorWhois – Gathers what can be observed about an onion service directly: open ports, TLS certificates and web server configuration.
- Research on DNS traffic analysis – Studies have shown that an observer of the DNS queries issued by Tor exit relays (or by the resolvers they use) can combine them with traffic correlation to infer which clearnet sites a user visited. This applies only to clearnet destinations reached through exits; connections to .onion services never generate DNS queries.
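Because a v3 onion name is derived from the service's key rather than looked up anywhere, the one check an investigator can run offline is whether an address is structurally valid: the right length, a version byte of 3 and a checksum that matches the embedded public key. The following is an added example (not from the original article or any listed tool) that derives and validates addresses using the rendezvous v3 construction, where the address is base32(PUBKEY | CHECKSUM | VERSION) and CHECKSUM is the first two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION). The key bytes in the demo are constructed, not a real service's key.

```python
"""Parse and validate v3 .onion addresses offline (added example)."""
import base64
import hashlib

VERSION_V3 = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that ties the address to the public key."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION_V3).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Derive the 56-character v3 address from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION_V3   # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion(address: str) -> dict:
    """Classify an address as v2 (retired), v3 (valid or not) or not an onion name.

    Returns version, valid, reason and, for a valid v3 name, the embedded public key.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    host = host.split(".")[-1]          # drop subdomain labels such as www.
    result = {"version": None, "valid": False, "pubkey": None, "reason": ""}
    if len(host) == 16:                 # v2: truncated SHA-1 of an RSA key
        result.update(version=2, reason="v2 address: retired by the Tor network in 2021")
        return result
    if len(host) != 56:
        result["reason"] = "not an onion address (expected 56 base32 characters)"
        return result
    try:
        raw = base64.b32decode(host, casefold=True)
    except Exception:
        result["reason"] = "invalid base32"
        return result
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    result["version"] = 3
    if version != VERSION_V3:
        result["reason"] = f"unknown version byte {version.hex()}"
    elif checksum != onion_checksum(pubkey):
        result["reason"] = "checksum mismatch: typo, truncation or a look-alike address"
    else:
        result.update(valid=True, pubkey=pubkey, reason="ok")
    return result


if __name__ == "__main__":
    demo_key = bytes(range(32))         # constructed key bytes, not a real service key
    addr = encode_onion_v3(demo_key)
    print(addr, "->", parse_onion(addr)["reason"])
    print("b" + addr[1:], "->", parse_onion("b" + addr[1:])["reason"])
    print("a" * 16 + ".onion", "->", parse_onion("a" * 16 + ".onion")["reason"])
```

A checksum failure on an address taken from a forum post or a phishing page usually means a typo or a deliberately altered look-alike, and a 16-character name tells you the listing predates the v2 shutdown; neither can be resolved, so the check saves a crawler round trip and dates the evidence.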
Website Structure
Onion sites are usually ordinary web stacks: a common CMS such as WordPress or Drupal behind Apache or nginx, with the same default files, version banners and misconfigurations as their clearnet counterparts. They are therefore just as exposed to automated reconnaissance, and a leak that is harmless on the clearnet, such as an Apache server-status page, a directory listing, EXIF metadata in uploaded images or a clearnet hostname in a certificate or error page, can point straight at the operator's real infrastructure.
Tools for Tor Site Analysis:
- OnionScan – Audits onion services for exactly these operational-security leaks (status pages, EXIF data, reused SSH keys and certificates, correlations between sites).
- Onion Nmap – Runs Nmap against onion services through Tor; Nmap on its own can neither resolve nor reach a .onion host.
- OWASP ZAP, Nikto, WPScan, Burp Suite, Wapiti – Web vulnerability scanners; each must be configured to use the Tor SOCKS proxy, and WPScan's version fingerprinting is useful precisely because so many sites run WordPress.
- CVE list on cve.mitre.org – Database of publicly known vulnerabilities (not exploits) to check against the software versions the scanners identify.
The Shadow Economy
Much of Tor's commerce is illegal trade paid for in cryptocurrency, so the money trail lives on a public blockchain. Proceeds are typically passed through tumblers or mixers, which pool many users' coins and pay them out in fresh transactions to obscure their origin. Mixing weakens but does not remove the links that address-clustering heuristics and exchange KYC records provide, which is what blockchain analysis tools exploit.
Tools for Cryptocurrency Tracking:
- Breadcrumbs
- OXT.ME
- Blockpath
Search Engines
Clearweb search engines that index onion sites:
- Onion Search Engine, Torry, OnionLand Search, Tor Search, OnionSearch (DuckDuckGo itself does not index .onion content; it appears in such lists because it is Tor Browser's default engine)
Search engines reachable as onion services inside Tor:
- DuckDuckGo (Onion), Not Evil, Ahmia, Haystak, Torch, Demon
Ordinary search operators also work for pivoting: a query such as
site:example.com intext:moon
restricts results to one domain and requires the string "moon" in the page body, so running it across several forums with a vendor's handle, PGP key fragment or signature line can tie accounts on different sites to one person.
Traps
Traps are baits that make the target contact infrastructure the investigator controls. IP loggers (shortened links that record the visitor's address) are easily spotted and, when opened inside Tor Browser, only ever record an exit relay, so they are ineffective against experienced users. Canary Tokens are more robust: a token is embedded in a document, image, link or configuration and reports back when it is opened. A token only yields a real address when it fires from something whose traffic does not go through Tor, for example a Word document that fetches a remote image when opened on the desktop, so every hit should be checked against the list of Tor exit relays before it is trusted.
Tools for Traps:
- Canary Tokens – Free service from Thinkst (canarytokens.org) that can also be self-hosted from its Docker images; generates tokenised URLs, documents, DNS names and more, and alerts when they are triggered.
- IP Logger – Records basic visitor IP data; easily detected and not recommended for serious work.
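The relay archives listed under "Tools for Investigating Tor Nodes" and the canary hits described here meet in one routine check: was the address that triggered the bait a Tor exit at the time, in which case nothing was learned, or a non-relay address that is a candidate for the target's real network? The following added example (not from the original article, Thinkst or the Tor Project) parses the "r" and "s" lines of a Tor network-status consensus, the document type CollecTor archives and ExoneraTor queries, and uses it to triage canary hits from an Apache-style access log. The consensus excerpt, relay fingerprints, IP addresses, token names and log lines are all constructed.

```python
"""Triage canary-token hits against Tor consensus data (added example)."""
import re
from dataclasses import dataclass, field

# Constructed consensus excerpt. Real format:
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
#   s <flag> <flag> ...
SAMPLE_CONSENSUS = """\
r ExitRelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-03-02 09:00:00 203.0.113.10 9001 0
s Exit Fast Running Stable Valid
r GuardRelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-03-02 08:30:00 198.51.100.7 443 9030
s Fast Guard Running Stable Valid
"""

# Constructed token register: token id -> which bait it went into and to whom.
TOKENS = {"t0k3n1": "invoice.docx sent to vendor 'moon'",
          "t0k3n2": "invoice.docx sent to forum moderator"}

# Constructed Apache combined-format log of the web server that hosts the token images.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Mar/2024:11:02:13 +0000] "GET /img/t0k3n1.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
192.0.2.55 - - [02/Mar/2024:11:05:40 +0000] "GET /img/t0k3n2.png HTTP/1.1" 200 68 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.17126; Pro)"
192.0.2.88 - - [02/Mar/2024:11:06:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?:GET|HEAD|POST) (?P<path>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
TOKEN_PATH_RE = re.compile(r"^/img/(?P<token>[A-Za-z0-9]+)\.png$")


@dataclass
class Relay:
    nickname: str
    ip: str
    or_port: int
    flags: set = field(default_factory=set)


def parse_consensus(text: str) -> dict:
    """Index relays by IP; the 's' line after each 'r' line carries that relay's flags."""
    relays, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0] == "r":
            current = Relay(parts[1], parts[6], int(parts[7]))
            relays[current.ip] = current
        elif parts and parts[0] == "s" and current is not None:
            current.flags = set(parts[1:])
    return relays


@dataclass
class Hit:
    token: str
    bait: str
    ip: str
    time: str
    user_agent: str
    verdict: str


def triage_hits(log_text: str, tokens: dict, relays: dict) -> list:
    """Find token requests in the log and classify where each came from."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_PATH_RE.match(m["path"])
        if not t or t["token"] not in tokens:
            continue
        relay = relays.get(m["ip"])
        if relay and "Exit" in relay.flags:
            verdict = "tor-exit"     # opened through Tor: the IP is the exit's, not the target's
        elif relay:
            verdict = "tor-relay"    # a relay but not an exit: unusual, inspect by hand
        else:
            verdict = "direct"       # not a relay: candidate real address (e.g. Word fetching the image)
        hits.append(Hit(t["token"], tokens[t["token"]], m["ip"], m["time"], m["ua"], verdict))
    return hits


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for hit in triage_hits(SAMPLE_LOG, TOKENS, relays):
        print(f"{hit.time}  {hit.ip:<15} {hit.verdict:<9} {hit.bait}  [{hit.user_agent[:32]}]")
```

The verdict depends on the consensus that was valid at the time of the hit, not on the current one: relay addresses change, so in practice fetch the consensus for the hit's hour from CollecTor (or query ExoneraTor with the date) before calling an address "direct".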
Fingerprinting
Tor sites can still fingerprint visitors by collecting browser attributes, fonts, plugins and behavioural traits such as typing and mouse patterns. Tor Browser narrows that surface (uniform configuration, letterboxing, canvas access gated behind a prompt), so a successful fingerprint usually means the user relaxed the defaults: enabled JavaScript, added fonts or extensions, or resized the window.
Tools for Fingerprinting Analysis:
- AmIUnique.org – Shows how unique a browser's fingerprint is and which attributes make it so; useful for checking what a hardened Tor Browser still reveals.
- Canvas Fingerprinting – Uses HTML5 canvas rendering differences to identify a machine; Tor Browser returns blank canvas data unless the user explicitly allows the site to read it.
Text Analysis
Every writer has habits: punctuation choices, capitalisation, characteristic misspellings, favourite abbreviations and sentence length. Comparing these across a vendor's market posts, forum accounts and clearnet profiles can link identities even when each account was created carefully.
The best-known case is Ross Ulbricht, the administrator of Silk Road. Investigators found the earliest advertisements for the site posted under the handle "altoid" on a clearnet forum and a later post by the same handle that included his personal e-mail address; reused handles and writing habits across posts are what turned an anonymous forum presence into a name.
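A minimal, reproducible version of the comparison described above is to turn punctuation and capitalisation habits into numbers and ask which known author an unknown post is closest to. The following is an added example, not from the original article and not the method used in the Ulbricht investigation or any other specific case: it measures a few habits per sentence (sentences started in lower case, ellipses, a space before punctuation, double spaces, exclamation marks) and attributes a post by Euclidean distance. The vendor posts are constructed; a real run would use many posts per candidate and far more features.

```python
"""Punctuation and capitalisation stylometry across posts (added example)."""
import math
import re

# Constructed reference posts, one per known author.
KNOWN = {
    "vendor_A": "honestly idk why ppl keep asking... shipping is slow because the mail is slow... not my problem tbh",
    "vendor_B": "Orders ship within two days , as stated on the listing.  Please read the FAQ before messaging me.  Thank you !",
}

FEATURES = ("lowercase_start", "ellipsis", "space_before_punct", "double_space", "exclamation")


def sentences(text: str) -> list:
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def features(text: str) -> dict:
    """Per-sentence rates, so posts of different length stay comparable."""
    sents = sentences(text)
    n = max(len(sents), 1)
    return {
        "lowercase_start": sum(s[0].islower() for s in sents) / n,
        "ellipsis": text.count("...") / n,
        "space_before_punct": len(re.findall(r" [,.!?]", text)) / n,
        "double_space": text.count("  ") / n,
        "exclamation": text.count("!") / n,
    }


def distance(a: dict, b: dict) -> float:
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in FEATURES))


def attribute(unknown: str, known: dict = KNOWN) -> tuple:
    """Return (nearest_author, {author: distance}) for an unknown post."""
    target = features(unknown)
    scores = {author: distance(target, features(sample)) for author, sample in known.items()}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    # Constructed unknown posts; the first mimics vendor_A's habits, the second vendor_B's.
    for post in ("lol no refunds... i told u already... read the rules",
                 "Payment received , thanks.  Shipping tomorrow !"):
        best, scores = attribute(post)
        print(f"{best:<9} {post!r}  " + ", ".join(f"{a}={d:.2f}" for a, d in scores.items()))
```

Distances this small only separate authors whose habits differ sharply; the value of the approach is in the features that survive a deliberate change of handle, such as a space before a comma or a preference for "..." over a full stop, which writers rarely notice in themselves.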
Crawlers, Spiders, Scrapers
Automated tools crawl onion services to collect structured data: page text, link graphs, vendor listings, PGP keys, images and their EXIF metadata. Every such tool must be routed through a Tor SOCKS proxy and must let Tor resolve hostnames; a crawler that resolves names locally, follows a clearnet link outside Tor or sends a distinctive user agent identifies the investigator instead of the target.
Crawlers:
- TorBot, OnionBot, OnionScan, VigilantOnion, OnionIngestor – Crawlers built for the Tor network, with the proxying built in.
- Scrapy, BeautifulSoup, Selenium, Puppeteer, Frontera – General-purpose scraping and browser-automation frameworks, usable against onion sites once pointed at the Tor proxy.
- Onioff, Onion Spider – Lighter tools for checking and harvesting .onion links.
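What "route it through Tor and let Tor resolve the name" means at the protocol level is shown by the following added example, which is not from the original article or any of the tools above. It speaks SOCKS5 (RFC 1928) to the local Tor daemon and sends the destination as a domain name (address type 0x03), so the lookup happens inside the circuit; a client that used the IPv4 address type would have to resolve the host first, leaking the query to the local resolver, and could not reach a .onion name at all. This is the same distinction as `socks5h://` versus `socks5://` in curl and Python requests. The proxy address is an assumption (Tor's default is 127.0.0.1:9050; Tor Browser listens on 9150), and the fetch itself needs a running Tor daemon; the request builders and reply parser run offline.

```python
"""Reach an onion service through Tor's SOCKS5 port with remote DNS (added example)."""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)      # assumed: Tor's default SocksPort
SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS failure", 0x02: "not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}


def build_greeting() -> bytes:
    """Version 5, one offered method: no authentication."""
    return bytes([SOCKS5, 0x01, 0x00])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT with the destination as a domain name, leaving resolution to Tor."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    return bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def read_reply(recv_exact) -> int:
    """Consume one SOCKS5 reply via recv_exact(n) and return its REP code."""
    ver, rep, _rsv, atyp = recv_exact(4)
    if ver != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        recv_exact(4 + 2)                       # BND.ADDR + BND.PORT
    elif atyp == ATYP_IPV6:
        recv_exact(16 + 2)
    elif atyp == ATYP_DOMAIN:
        recv_exact(recv_exact(1)[0] + 2)        # length-prefixed name + port
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    return rep


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def tor_connect(host: str, port: int, timeout: float = 90.0) -> socket.socket:
    """Open a TCP stream to host:port through Tor; building an onion circuit can take a while."""
    sock = socket.create_connection(TOR_SOCKS, timeout=timeout)
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS5 or method != 0x00:
        sock.close()
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(build_connect_request(host, port))
    rep = read_reply(lambda n: _recv_exact(sock, n))
    if rep != 0x00:
        sock.close()
        raise ConnectionError(f"SOCKS connect failed: {REPLY_TEXT.get(rep, rep)}")
    return sock


def fetch_via_tor(host: str, path: str = "/", port: int = 80) -> bytes:
    """Plain HTTP GET over the Tor stream (wrap the socket with ssl for HTTPS)."""
    sock = tor_connect(host, port)
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    chunks = []
    while True:
        data = sock.recv(65536)
        if not data:
            break
        chunks.append(data)
    sock.close()
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.onion"   # placeholder, not a real service
    try:
        print(fetch_via_tor(target)[:300].decode("latin-1"))
    except (OSError, ConnectionError) as exc:
        print("fetch failed:", exc)
```

Run it with a real onion hostname as the first argument while Tor is running; a "host unreachable" reply is what Tor returns when the descriptor cannot be fetched, which is also the cheapest way to tell a dead market from a live one.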
Forensics
Investigating Tor usage on a seized computer means reconstructing what the operating system and the browser left behind: execution traces, the Tor Browser directory itself, memory and swap, and any captured network traffic. Tor Browser is a portable application that runs in permanent private-browsing mode, so expect traces of execution and of the Tor client's state rather than a classic browsing history.
Key Forensic Artifacts:
- C:\Windows\Prefetch – Prefetch entries for tor.exe and for Tor Browser's own firefox.exe record that the browser ran, when, and how often.
- Thumbnail Cache – Previews of images that were viewed or saved, which survive deletion of the files themselves.
- Pagefile/SWAP – Can retain fragments of page content, URLs and onion addresses that were in memory.
- Windows Registry – Execution traces (UserAssist, ShimCache, MUICache) and recently opened files; Tor Browser, being portable, keeps its own settings in its directory rather than in the registry.
- Tor Browser Data Directory – Bookmarks, the Tor client's state file (last run time, chosen guard relays) and cached consensus data; history and cookies are discarded at exit unless the user changed the defaults.
Tools for Forensics:
- Belkasoft RAM Capturer – Captures memory dumps.
- Regshot – Compares registry snapshots to show what changed.
- Wireshark & NetworkMiner – Examine network traffic; connections to known relay addresses and Tor's TLS handshake patterns identify Tor usage even though the content is encrypted.
- Internet Evidence Finder – Parses browser and application artefacts, including traces of Bitcoin wallets and transactions.
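The Tor data directory is the one place on disk where the client itself writes plain text, and its "state" file answers two questions the Prefetch entry cannot: when Tor last ran (LastWritten, in UTC) and which guard relays the client had sampled, each identified by an rsa_id fingerprint that can be looked up in CollecTor's archives. The following is an added example, not from the original article or any forensic product: it parses a state file, filters a Prefetch listing for Tor Browser's executables and walks a mounted image for directories that look like Tor data directories. The state content, fingerprints, Prefetch names and the directory tree built in main() are constructed.

```python
"""Triage Tor Browser traces on a seized Windows disk (added example)."""
import os
import re
from datetime import datetime

# Constructed state file; real ones live under Browser\TorBrowser\Data\Tor\state
# in a Tor Browser install and use these same key names.
SAMPLE_STATE = """\
# Tor state file last generated on 2024-03-02 11:02:13 local time
# Other times below are in UTC
# You *do not* need to edit this file.

TorVersion Tor 0.4.8.10
LastWritten 2024-03-02 10:02:13
Guard in=default rsa_id=0123456789ABCDEF0123456789ABCDEF01234567 nickname=GuardRelayB sampled_on=2024-02-20T09:15:00 sampled_by=0.4.8.10 listed=1
Guard in=default rsa_id=89ABCDEF0123456789ABCDEF0123456789ABCDEF nickname=GuardRelayC sampled_on=2024-01-05T21:40:00 sampled_by=0.4.8.9 listed=1
"""

# Prefetch names are <EXE NAME>-<8 hex digits derived from the executable's path>.pf.
# A TOR.EXE entry, or a FIREFOX.EXE entry whose hash differs from the system Firefox,
# points at Tor Browser; confirm by parsing the path stored inside the .pf file.
PREFETCH_RE = re.compile(r"^(TOR|FIREFOX)\.EXE-[0-9A-F]{8}\.pf$", re.IGNORECASE)

# Files the Tor client keeps in its data directory.
DATA_DIR_MARKERS = {"torrc", "state", "cached-microdesc-consensus", "cached-microdescs", "cached-certs"}


def parse_tor_state(text: str) -> dict:
    """Extract the Tor version, last write time (UTC) and sampled guard relays."""
    info = {"version": None, "last_written": None, "guards": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0]
        if key == "TorVersion" and len(parts) >= 3:
            info["version"] = parts[2]
        elif key == "LastWritten" and len(parts) >= 3:
            info["last_written"] = datetime.strptime(parts[1] + " " + parts[2], "%Y-%m-%d %H:%M:%S")
        elif key == "Guard":
            kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            info["guards"].append({"rsa_id": kv.get("rsa_id"), "nickname": kv.get("nickname"),
                                   "sampled_on": kv.get("sampled_on")})
    return info


def tor_prefetch_entries(names) -> list:
    """Filter a Prefetch directory listing down to Tor Browser executables."""
    return sorted(n for n in names if PREFETCH_RE.match(n))


def find_tor_data_dirs(root: str) -> list:
    """Walk a mounted image and return directories that contain Tor client files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if len(DATA_DIR_MARKERS & set(files)) >= 2:
            found.append(dirpath)
    return found


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()                       # stand-in for a mounted image
    data_dir = os.path.join(root, "Tor Browser", "Browser", "TorBrowser", "Data", "Tor")
    os.makedirs(data_dir)
    for name in ("torrc", "state", "cached-microdesc-consensus"):
        with open(os.path.join(data_dir, name), "w") as fh:
            fh.write(SAMPLE_STATE if name == "state" else "")
    for d in find_tor_data_dirs(root):
        with open(os.path.join(d, "state")) as fh:
            st = parse_tor_state(fh.read())
        print(d, st["version"], st["last_written"], [g["nickname"] for g in st["guards"]])
    print(tor_prefetch_entries(["TOR.EXE-3A2B1C0D.pf", "FIREFOX.EXE-9F8E7D6C.pf", "NOTEPAD.EXE-11111111.pf"]))
```

The guard fingerprints are the most useful output: a guard is kept for months, so the same rsa_id appearing in the state file of a seized laptop and in the guard line of a market server's state file (or in a consensus alongside an address seen in server logs) is a link between machines that no browser history would provide.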
Conclusion
Tor hides the network path, not the operator. Operational mistakes, technical leaks from the web stack and the tools described above are how law enforcement and OSINT practitioners identify the people behind illicit marketplaces. Anyone investigating Tor-based activity should combine standard reconnaissance with methods adapted to the dark web, and should route every step of that work through Tor with the same care they expect from their targets.