The deep web has been gaining mainstream attention, and a multitude of blogs have been floating around about the things that can be found on the dark web. There is a lot of confusion over deep web vs. dark web; the terms are often used interchangeably, which is wrong. In essence, the term “deep web” simply means anything that a search engine cannot find or has not indexed, while the term “dark web” goes a little deeper under the surface and refers to a small portion of the deep web that is intentionally hidden and inaccessible through standard web browsers. Naturally this sparks curiosity, given the abundance of research information available beneath the surface web, and in most cases people begin their own adventures by downloading the Tor browser bundle. The Tor browser connects you to the Tor network, a set of volunteer-operated servers that route your connection through a series of virtual tunnels rather than over a direct connection, allowing information to be shared over public networks without compromising privacy. The majority of this content is not malicious or even illegal; it is simply hidden membership pages, private servers, and other secret websites. This guide aims to serve as a proper and educated way to start using the dark web platform by guiding the user through three foundational objectives: staying anonymous, finding content on the dark web, and accessing content on the dark web.
Staying Anonymous on the Dark Web
There is a popular perception that using the Tor browser by itself (especially in its default state) is enough for anonymity when surfing the web. This perception is in fact wrong. Tor has some weak points which authorities and threat actors alike use to exploit its users. Tor, by default, does not wipe cookies (until the browser is closed or the identity is refreshed) and allows JavaScript, Java, and all types of other plugins to be enabled, which may compromise anonymity. The other prominent weakness is that Tor does not add its own encryption layer to the last hop: data travels in clear text between the Tor exit node and the destination (unless the traffic itself is encrypted, e.g. with HTTPS, in which case it stays encrypted between the nodes as well), giving opportunities for Man-in-the-Middle (MitM) attacks at the exit node.
I will walk you through how to harden your Tor browser and ensure link encryption (encryption of all communication path data, including network packet payloads, headers, and trailers) to circumvent these main Tor weaknesses, so that you can browse with significantly improved anonymity. Keep in mind that nothing will guarantee perfect anonymity, even if you follow all the steps mentioned, but you can improve it.
Once you have downloaded the Tor browser (and its accompanying digital signature, the “.asc” file), we need to verify that the Tor software is authentic. Navigate to the verifying signatures page for instructions for your specific operating system. Once verified, the output should say “Good signature” as follows:
gpg: Signature made Mon 26 Mar 2018 05:46:09 AM EDT
gpg: using RSA key D1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
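Note the WARNING in that output: “Good signature” only means the file was signed by some key in your keyring; the line that actually authenticates the download is the primary key fingerprint, which you must compare against the one published by the Tor Project. The following is an added example (not part of the original post or of Tor Browser) that evaluates gpg’s machine-readable status output and accepts a download only when the signature is good and the signing key’s primary fingerprint matches the pinned value; the status samples are constructed, with a placeholder subkey fingerprint.

```python
import re

# Primary key fingerprint of the Tor Browser Developers signing key as shown on this
# page; confirm it against torproject.org before pinning it. gpg itself only tells you
# that the signature matches *some* key, hence the "not certified" warning.
TOR_BROWSER_SIGNING_KEY_FPR = "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"

FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY"}

def signature_verdict(status_output: str, pinned_fpr: str) -> tuple:
    """Evaluate output of `gpg --status-fd 1 --verify tor-browser.tar.xz.asc tor-browser.tar.xz`.
    Accept only GOODSIG plus a VALIDSIG whose primary key fingerprint equals the pinned
    one, so a "Good signature" from an unknown or look-alike key is rejected."""
    pinned = re.sub(r"\s+", "", pinned_fpr).upper()
    goodsig = False
    primary_fpr = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable lines are ignored; only status lines are parsed
        fields = line.split()
        if len(fields) < 2:
            continue
        tag = fields[1]
        if tag in FATAL_TAGS:
            return (False, tag)
        if tag == "GOODSIG":
            goodsig = True
        elif tag == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <rsv> <pk-algo> <hash-algo> <class> [<primary-fpr>]
            primary_fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if not goodsig or primary_fpr is None:
        return (False, "no valid signature found")
    if primary_fpr != pinned:
        return (False, "fingerprint mismatch: signed by " + primary_fpr)
    return (True, "signature made by the pinned Tor Browser signing key")

# Constructed sample status output modelled on the run shown on the page; the subkey
# fingerprint is a placeholder ending in the key ID from the page, not the real one.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D1483FA6C3C07136 Tor Browser Developers (signing key) <torbrowser@torproject.org>
[GNUPG:] VALIDSIG 000000000000000000000000D1483FA6C3C07136 2018-03-26 1522057569 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same shape, but signed by a constructed look-alike key: gpg would still print "Good signature".
LOOKALIKE_STATUS = GOOD_STATUS.replace("EF6E286DDA85EA2A4BA7DE684E2C6E8793298290",
                                       "1111111111111111111111111111111111111111")
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG D1483FA6C3C07136 Tor Browser Developers (signing key) <torbrowser@torproject.org>\n"
```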
Next we can launch and harden our Tor browser (or the underlying Firefox browser) by disabling functionality that may compromise our identity. This can be achieved by setting the right browser preferences. Ensure the following in your Tor browser:
1. Ensure Tor is up to date by checking for updates (always stay up to date!)
2. In “Privacy settings”, make sure the “Tracking” box is left UNCHECKED. This may seem counterintuitive, but telling sites that you do not want to be tracked is worse than not saying anything. More information on the Tracking option can be found here.
3. In “Security Settings”, make sure all 4 ticks are enabled: Warn when sites try to install add-ons, block dangerous and deceptive content, block dangerous downloads and warn about unwanted software.
4. In “Advanced”, navigate to “Data Choices” and make sure “Browser Health Report” is disabled (if available).
5. Scripts are globally enabled by default. Disable them by selecting the “Forbid Scripts Globally” option in NoScript. (Note, disabling JavaScript may break certain non-malicious sites that use it.)
6. Enable HTTPS Everywhere by ticking the check box in the plugin interface (this forces sites that offer HTTPS to load over HTTPS; if HTTPS is not available, the extension does not affect the site).
7. Click on the onion icon, navigate to security settings, and ensure security is set to either Safer or Safest. The differences between the two security levels are pictured below:
8. When browsing, don’t maximize your Tor browser window or change its size as that could be used to track your browser’s fingerprint.
Now we need to ensure our data is encrypted in a link encryption fashion, meaning all data along the communication path is encrypted, including network packet payloads, headers and trailers. To achieve this, we need a VPN service. While Tor emphasizes anonymity, a VPN emphasizes privacy from your ISP (Internet Service Provider): while the ISP may not be able to view your activity on Tor, it knows that you are on Tor, which may be enough to raise eyebrows. While there are free VPN service providers, I would discourage the use of such services, as free does not necessarily mean safe. Some good VPN providers that will not break the bank are IPVanish, NordVPN and Private Internet Access VPN, all reputable choices for around $5 a month. It is also important to note that there are two ways of combining a VPN with Tor, Tor over VPN or VPN over Tor, and your choice of VPN may be limited by which approach you take. The two approaches differ as follows:
Tor over VPN: in this configuration you first connect to the VPN to mask your identity from the ISP, then load up the Tor browser. The benefits of this approach are that the ISP cannot see your Tor browsing and that the Tor entry node cannot track you via your real IP address. The drawback is that the VPN provider receives your actual IP address, and malicious Tor exit nodes still constitute a threat. If you choose this approach, the aforementioned VPN services would be solid choices.
VPN over Tor: in this configuration the VPN settings need to be adjusted to work with Tor. Once adjusted, you connect directly to Tor first; once connected, you turn on the VPN to mask your IP address. This way you are anonymized before you get online and your identity is protected from the VPN provider, only disclosing your IP to the Tor exit nodes. It is important to note that this approach is significantly more secure and provides better anonymity, but it restricts the user to as few as two VPN service providers known to allow connecting in this manner: AirVPN and BolehVPN.
It is also important to note that there are alternatives to the Tor browser, such as Tails OS and Whonix OS, which I will not cover in depth in this post, but each offers additional and unique anonymity and persistence options. The underlying difference between them is that Tails OS is best used as a live DVD/live USB to ensure data does not survive a reboot, whereas Whonix has two components: a workstation OS that contains personal files (user data is persistent) and a Whonix gateway component, which routes internet traffic through Tor. Both Tails and Whonix can be deployed as virtual machines.
Finding Content on the Dark Web
Now that we can safely browse the dark web, we need to know where to look. Onion addresses are generally 16-character hashes that are automatically generated from a public key when a hidden service is configured. Such addresses are not actually DNS names: .onion is not in the Internet DNS root, and these sites can only be reached with the appropriate proxy software (sending requests through the network of Tor servers). Finding these .onion websites is the first challenge, as they will not show up in an everyday search engine such as Google.
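As an added worked example (not code from the original post or from the Tor Project), the derivation the paragraph describes, carried out on constructed sample keys: the legacy 16-character (v2) address is the base32 encoding of the first 80 bits of SHA-1 over the DER-encoded RSA public key. Going beyond the page, the block also derives and validates the current 56-character v3 format, which embeds a SHA3-256 checksum that lets a client reject a mistyped or tampered address before any connection is made.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"

def v2_onion_address(rsa_pubkey_der: bytes) -> str:
    """Legacy (v2) address described in the text: first 80 bits of SHA-1 over the
    DER-encoded RSA public key, base32-encoded (16 characters)."""
    digest = hashlib.sha1(rsa_pubkey_der).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"

def _v3_checksum(ed25519_pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + ed25519_pubkey + ONION_V3_VERSION).digest()[:2]

def v3_onion_address(ed25519_pubkey: bytes) -> str:
    """Current (v3) address: base32(PUBKEY || CHECKSUM || VERSION), 56 characters."""
    raw = ed25519_pubkey + _v3_checksum(ed25519_pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify_onion_address(address: str) -> str:
    """Return 'v2', 'v3' or 'invalid'. A v3 address is accepted only when its
    embedded checksum and version byte are consistent with the public key."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    try:
        raw = base64.b32decode(host.upper())  # rejects non-base32 characters and bad lengths
    except ValueError:  # binascii.Error is a ValueError
        return "invalid"
    if len(host) == 16 and len(raw) == 10:
        return "v2"
    if len(host) == 56 and len(raw) == 35 and raw[34:] == ONION_V3_VERSION:
        return "v3" if raw[32:34] == _v3_checksum(raw[:32]) else "invalid"
    return "invalid"

# Constructed sample inputs (not real Tor keys): a fake PKCS#1 RSAPublicKey DER blob
# (SEQUENCE { INTEGER n, INTEGER e }) and 32 arbitrary bytes standing in for an ed25519 key.
FAKE_RSA_PUBKEY_DER = (b"\x30\x81\x89\x02\x81\x80" + bytes(range(1, 129))
                       + b"\x02\x03\x01\x00\x01")
FAKE_ED25519_PUBKEY = bytes(range(32))
```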
To find content on the dark web, we will use specialized search engines, directories, and wikis to help us locate the data we are looking for. To get you started, some popular search engines that do index .onion sites are NotEvil, Onion.city, Onion.to, Torch, and Grams. The other option is to use one of these search engines to find link repositories or wikis such as the Hidden Wiki, Matrix Directory, Daniel, or OnionDir. From there, you are able to find .onion links that are broken up into categories, which can be useful in narrowing your search.
Figure 1: HiddenWiki link repository.
These specialized search engines and wikis are two good options for searching for sites and content, but perhaps the most valuable resource for finding .onion links is Reddit. There are a number of subreddits to check out; these are more reliable, as users post the most up-to-date, active .onion links and repositories there:
Accessing Content on the Dark Web
There is a good selection of interesting content one can access effortlessly and without restriction on the dark web, such as an assortment of financial services, commercial services, whistleblowing sites such as WikiLeaks, forums/chans, P2P, and more. Sometimes, however, you encounter content behind some sort of authentication or access control (such as exploit repositories and hacking forums).
Figure 2: “Exodus” hacking/exploit community requires “deep web compatible” email or XMPP client (more on that later) in order to register.
If you are attempting to access content that requires authentication, you may need one or all of the following services in order to access it:
An encrypted Tor-compatible email address – you may need one to register. The top providers in this domain are Protonmail, Bitmessage, and Tor2Mail. Each has its respective pros and cons, so the choice comes down to personal preference.
An XMPP (Jabber) instant messaging client such as Pidgin – first you need to obtain XMPP account details from a public XMPP server listed at https://list.jabber.at/ . Due to XMPP’s decentralized nature, there are thousands of XMPP servers available from which to choose; you may choose any of the listed servers. A thorough walkthrough of this whole process can be found here. Once registered, you can input your account details into the messaging client as in the following example:
Figure 3: Pidgin client interface for use with XMPP
Some sites on the other hand will have extremely strict registration rules in order to access their community. These may ask that you either receive multiple vouches from its existing user base or shell out some Bitcoin to gain entry. Such registration rules can be seen in this 0day community:
Figure 4: “0day” community strict membership rules, two vouches from existing users or pay for membership.
If you are really determined to access these communities, a Bitcoin wallet will be needed. Luckily, generating a Bitcoin wallet is extremely simple: navigate to Bitaddress.org and generate your own wallet. Save or print the generated value, laminate it, and store it on your person like a real wallet. I am not going to touch on how to obtain or buy Bitcoin in this post, but once obtained, you would be able to use your Bitcoin wallet to access or buy into exclusive membership communities.
Closing Remarks
With what we know as the surface web, or our everyday web, making up a minuscule 10%[1] of the Internet, the abundance of information available on the deep web is overwhelming to say the least and is open to exploration. This guide aimed to help the user fast-track the learning curve of diving into the dark/deep web platform by showcasing the foundational knowledge one would need to start their own exploration of the abundance of information available on the remaining 90% of the Internet we do not use on a daily basis. Challenge yourself to dive deeper, but surf responsibly.
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
Phone: 571-969-7039
E-mail: info@politoinc.com
Website: politoinc.com