Darknet applications & domain name extensions?

A list of self-contained networks can be found here.

https://www.privacytools.io/software/networks/

Finding darknet websites?

Open source intelligence against TOR hidden services?

If a TOR hidden service is not set up correctly, there are several ways the server can leak information about itself. Apache2 web servers ship with a module called mod_status enabled by default, which reports information about the server at the URL http://127.0.0.1/server-status. That page is intended to be readable only from the local machine, but the TOR daemon forwards hidden-service connections to the web server from 127.0.0.1, so visiting /server-status on a hidden service with mod_status enabled returns the same page and leaks information about the server.

There is a tool called OnionScan which does the hard work for you: it scans the hidden service and checks for information leakage such as the server version, the server's IP address, etc.

Usage of OnionScan.

onionscan notarealhiddenservice.onion

Attacking TOR hidden services with pentesting tools?

Due to the nature of TOR, most pentesting applications do not support the SOCKS5 proxy that is required to connect to a TOR hidden service. There is a workaround: launch a tunnel from your local machine to the hidden service using socat, a package that is installed by default on most Linux distros.

Start TOR via the terminal on your system.

tor

Create a tunnel to the TOR hidden service you want to attack; the TOR client's default SOCKS port is 9050. If you want to attack other services such as SSH, RDP, etc., change the hidden service port from 80 to 22, 3309, 5900, etc.

socat TCP4-LISTEN:5555,reuseaddr,fork SOCKS4A:127.0.0.1:yourhiddenserviceyouwanttoattack.onion:80,socksport=9050

You have now created a tunnel towards the hidden service, reachable at the following URL.

http://127.0.0.1:5555/

You can now feed that URL into any pentesting application such as sqlmap, nmap, hydra etc.

sqlmap -u "http://127.0.0.1:5555/" # Scanning for SQLi's
nmap -sV -p 5555 127.0.0.1 # Service detection through the tunnel (nmap takes a host, not a URL; only the forwarded port is reachable)

Locating admin pages on Darknet web apps?

If you find a hidden service that has Apache mod_status enabled, either by using OnionScan or by checking the /server-status path, you can locate potential admin pages and hidden directories.

An example of a hidden service /server-status.

As you can see above, if you carefully monitor the POST and GET requests, when the admin logs in you'll be able to extract a lot of information from the requests, such as admin panel locations, passwords sent via POST, etc.
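As an added example (not from the original post), here is why the /server-status check described in the two sections above works against a hidden service, shown as the weak stock Apache configuration beside a hardened virtual host for the onion. The port 8080, the DocumentRoot and the torrc mapping are assumptions.

```apache
# --- Weak: Debian's stock mods-enabled/status.conf (abridged) ---
# "Require local" only admits loopback clients. The tor daemon delivers
# every onion visitor to Apache FROM 127.0.0.1, so all of them pass this
# check and can read the request log that ExtendedStatus exposes.
<IfModule mod_status.c>
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
    ExtendedStatus On
</IfModule>

# --- Hardened: dedicated vhost for the hidden service ---
# Assumed torrc line:  HiddenServicePort 80 127.0.0.1:8080
Listen 127.0.0.1:8080

# Do not advertise the Apache version/OS in headers or error pages.
ServerTokens Prod
ServerSignature Off

<VirtualHost 127.0.0.1:8080>
    ServerName onion-site.local
    DocumentRoot /var/www/onion

    # A <Location> inside the vhost overrides the global mod_status
    # mapping for this vhost only: unmap the handler and deny everyone.
    <Location "/server-status">
        SetHandler None
        Require all denied
    </Location>
</VirtualHost>

# If nothing on the host needs mod_status at all, remove it instead:
#   a2dismod status && systemctl reload apache2
```

After reloading, fetch /server-status through the onion address and through 127.0.0.1:8080 and confirm both return 403, not the status page.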

Thanks for reading. 😋😊
