Weaponize the Dark Web for OSINT

Argonyte, published in RIXED_LABS
4 min read, Jan 26, 2021

(Image: Different Layers of the Web)

The Dark Web or Dark Net is among the most challenging environments for OSINT researchers to work in. It is used more and more for illegitimate activity by nefarious actors. Researchers who want to investigate the dark web need to operate safely, and need to be aware that results vary between different search engines and that different actors are active on different types of darknets. As OSINT researchers, we need to be well versed in the dark web and be able to navigate it efficiently.

What is the Dark Web?

The dark web is a subset of the internet that is not indexed by ordinary search engines and is accessed by special means, such as the Tor Browser. It is important to note that there are several dark nets; four common ones are:

  • Tor
  • I2P
  • Freenet
  • Zeronet

In this blog we will focus only on Tor. The Tor Browser can be downloaded here.

Note that accessing Tor from your daily-driver PC or laptop running Windows 10 is a huge security and privacy risk. For that reason it is recommended to configure a cloud-based VM using a provider such as Amazon Workspaces or Google Cloud. If that is not an option, you can use a platform such as VMware to host a local VM and set up the Tor Browser in it. It is advisable to run a different OS in your VM: for example, if your daily driver is Windows 10, it is best to use a Linux-based OS for research purposes. If you have spare hardware, you can also set up a standalone research laptop or computer.

Using OSINT Tools for Dark Web

As a beginner, these few tools will get you familiar and comfortable when combing through the dark web for information:

  • Hunchly Dark Web: Hunchly's daily dark web reports help with discovering sites. The links they list may lead to markets, malware, or sensitive content.
  • DarkSearch: a reliable search engine designed for crawling the dark web. It also supports advanced search operators.
  • TorBot: what I would consider the Swiss Army knife of dark web OSINT. TorBot has multiple features for investigations, such as a complete onion crawler, saving links to a database, saving crawl information to a JSON file, and crawling custom domains; more features are planned for the future.

(Image: Using DarkSearch to search for Tor66)

Dark Web Searching

The dark web is crawled and indexed by non-standard providers. Search engines like Google or Bing do not crawl .onion sites on the Tor network. However, proxied Tor sites, i.e. those reachable through Tor2web services, are indexed by Google.

We can find .onion addresses through https://onion.live/. It is a great site that lets you search for a URL and check whether the site is up or down. Other sites provide a catalog of resources instead. Do note that results vary significantly from search engine to search engine; ideally, as researchers, we should look across multiple engines and compare results.

Some Examples of Search Engines:

  • Darksearch.io (darkschn4iw2hxvpv2vy2uoxwkvs2padb56t3h4wqztre6upoc5qwgid.onion)
  • Lighter (lighterhrphu4lpb.onion)
  • Tor66 (tor66sezptuu2nta.onion)
  • notEvil (hss3uro2hsxfogfq.onion)
  • Phobos (phobosxilamwcg75xt22id7aywkzol6q6rfl2flipcqoc4e4ahima5id.onion)
  • Quo (quosl6t6c64mnn7d.onion/)
  • OnionLand (3bbad7fauom4d6sgppalyqddsqbf5u5p56b5k5uk2zxsy3d6ey2jobad.onion/)
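When comparing listings across engines it helps to know which address form you are looking at. The following is an added example, not code from the post, that classifies an address as the 16-character v2 form or the 56-character v3 form and verifies the v3 checksum as Tor's rend-spec-v3 defines it (SHA3-256 over ".onion checksum" || pubkey || version); encode_v3 exists only to build a constructed test address from a made-up key.

```python
import base64
import hashlib

# v3 address layout (Tor rend-spec-v3): base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Derive the v3 address for a 32-byte ed25519 public key (used here only to build a constructed test address)."""
    if len(pubkey) != 32:
        raise ValueError("v3 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(entry: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for an address as it appears in a search-engine listing."""
    host = entry.strip().lower()
    for scheme in ("http://", "https://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    host = host.split("/")[0]          # drop any path, e.g. "quosl6t6c64mnn7d.onion/"
    if not host.endswith(".onion"):
        return "invalid"
    label = host[:-len(".onion")]
    try:
        raw = base64.b32decode(label.upper())
    except Exception:                  # non-base32 characters or a length base32 cannot decode
        return "invalid"
    if len(label) == 16:
        return "v2"                    # legacy v2: truncated SHA-1 of the RSA key, no checksum to verify
    if len(label) == 56:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version == V3_VERSION and checksum == _v3_checksum(pubkey):
            return "v3"
    return "invalid"
```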

Investigations on the dark web usually come down to attribution between the surface web and the dark web. When trying to attribute targets participating in transactions or activity on the dark web, information slippage is most often tied to poor habits: the same attributable markers, e.g. usernames, PGP keys and cryptocurrency addresses, are reused by actors on both the surface web and the dark web.
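The marker reuse described above can be checked mechanically. This added example (not from the post) extracts the three marker types the paragraph names from two constructed text snippets, normalises them (fingerprint spacing, handle case) and reports which ones appear in both; the regexes are loose shape checks, not checksum validation of the addresses.

```python
import re

# Loose patterns for the attributable markers named in the post (shape checks only, no checksum validation)
MARKER_PATTERNS = {
    "pgp_fingerprint": re.compile(r"\b(?:[0-9A-F]{4}\s?){10}\b", re.I),              # 40 hex digits, optionally grouped
    "btc_address": re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "username": re.compile(r"(?<![\w.])@([A-Za-z0-9_]{3,32})\b"),                    # @handle, not an e-mail
}

# Constructed samples: a surface-web forum post and a dark-web listing by the same (fictional) actor
SURFACE_POST = """Forum post (constructed): Contact me on Telegram @shadowtrader_7 or at
alt@example.org. PGP: ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01.
Tips welcome: 1CstructedExampLeAddr4TestUse9qW"""

DARK_LISTING = """Listing (constructed): vendor @ShadowTrader_7. Verify key
ABCDEF0123456789ABCDEF0123456789ABCDEF01 before ordering.
Pay to 1CstructedExampLeAddr4TestUse9qW or bc1qexampleaddressusedhere000"""


def extract_markers(text: str) -> dict:
    """Map each marker type to the set of normalised values found in the text."""
    found = {name: set() for name in MARKER_PATTERNS}
    for name, pattern in MARKER_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            if name == "pgp_fingerprint":
                value = re.sub(r"\s", "", value).upper()   # "ABCD EF01 ..." and "ABCDEF01..." compare equal
            elif name == "username":
                value = value.lower()                      # handles are case-insensitive on most platforms
            found[name].add(value)
    return found


def shared_markers(surface_text: str, dark_text: str) -> dict:
    """Return only the marker types with at least one value present in both texts."""
    surface, dark = extract_markers(surface_text), extract_markers(dark_text)
    return {name: surface[name] & dark[name]
            for name in MARKER_PATTERNS if surface[name] & dark[name]}


if __name__ == "__main__":
    for marker_type, values in shared_markers(SURFACE_POST, DARK_LISTING).items():
        print(marker_type, sorted(values))
```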

De-Anonymizing and Identifying Hosts of Sites

We can search Shodan for .onion links either through an SSL certificate search or a general query. You can also replace the generic ".onion" term with the full address of the service you are interested in. This may reveal the location of the host.

(Image: Using Shodan.io to find information related to .onion links)

If we have an IP address, we can check it against https://metrics.torproject.org/exonerator.html, which tells us whether that IP was operating as a Tor relay on a given date.

If there is an associated SSL certificate deployed on their server, we can search Censys.io for it. This should give you a list of IPs whose SSL certificates contained the hidden service address.

We can also use DNS records to find more information. Historical DNS data may still contain old A records pointing to the web server's IP address. SecurityTrails offers exactly that: the "Historical Data" view can be found in the sidebar on the left.

(Image: Using Censys.io to find information related to onion links using SSL certificates)

Further Reads

This was just an introductory blog on how to leverage the dark web for OSINT. As always, if you have any improvements or feedback, feel free to hop into the Discord server.

Blog by Nerd of AX1AL; join us on our Discord server.

Argonyte (RIXED_LABS): OSINT | Red Team | Threat Hunter | Malware Analyst. Member of AX1AL. Website: https://argonyte.github.io