Tor hidden service secrets
gAtO fRiDaY 10-18-2012 update hay you want to see a secret -hidden service –
Creative Hack – http://2kcreatydoneqybu.onion
on top of this the name is custom – so that took extra time and efforts and the site is real when you have thier secret token — https://ahmia.fi/pagescreenshots/2kcreatydoneqybu.png
here you can take a look at this site anyway – try to extract any information from this secret Tor Website – you can’t see any source code – so you can’t make it error to extract information. I ask a friend that’s a Penn Tester to check this out – If anyone can extract any information please let me know –gAtOoUt
gAtO fRiDaY – sound off! – As i play with my new Tor hidden service – “Ok just apache website running https: a static site -right now” – What we know is that a Tor hidden service stays hidden until you send someone your .onion URL (example:- otwxbdvje5ttplpv.onion ) now once you know the URL your have access to the site. You may have to log in like on most bb sites but at least you reached the hidden service and now you can do stuff.
While looking at the torrc file setting I found a little secret that with (server side) HiddenServiceAuthorizeClient-tag and the HidServAuth-tag on the (client) side -// your hidden service is now INVISIBLE to only the people that have a secret key installed in their “torrc” client file. In plain talk –
1. I put a special key on my hidden server – torrc file – HiddenServiceAuthorizeClient
2. generate a new key for client side – “what_ever_bcuuw46b3heyy”
3. send keys to the secret agents that can see or access the site HidServAuth
4. Only the people with my KEY can get to the front door of my hidden service – torrc file HidServAuth
This makes it hard to find the hidden service even if you have the URL ///./. it does nothing, no source code like a normal website. I ran into a few of these and had no clue why these sites behaved the way they did. I can pick apart most websites, at least, basics like html, asp, js, java directory you can gleam all kinds of information. But if you hit one of these site in Tor well it a big 0 -zero -///.
With my TDS project (Tor Directory Scan) I am generating an onion URL A-Za-z 2-7 URL and going out to scrape it and get some basic information about the site with a basic web crawler that grabs METADATA and not just links to other pages. If I hit these sites with my basic program I’ll get a dud -zero -///- but I will have a hit of sort. I hope to catch some of these sites – we all know the rcp command works well in Tor sometimes I found and httrack is another tool for sucking up site // be they hidden service or not – these secret hidden services will be very interesting in the scan -gATO oUt
— Tor Syntax
HiddenServiceAuthorizeClient auth-type client-name,client-name,…
If configured, the hidden service is accessible for authorized clients only. The auth-type can either be ‘basic’ for a general-purpose authorization protocol or ‘stealth’ for a less scalable protocol that also hides service activity from unauthorized clients. Only clients that are listed here are authorized to access the hidden service. Valid client names are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is not accessible for clients without authorization any more. Generated authorization data can be found in the hostname file. Clients need to put this authorization data in their configuration file using HidServAuth.
HidServAuth onion-address auth-cookie [service-name]
Client authorization for a hidden service. Valid onion addresses contain 16 characters in a-z2-7 plus “.onion”, and valid auth cookies contain 22 characters in A-Za-z0-9+/. The service name is only used for internal purposes, e.g., for Tor controllers. This option may be used multiple times for different hidden services. If a hidden service uses authorization and this option is not set, the hidden service is not accessible. Hidden services can be configured to require authorization using the HiddenServiceAuthorizeClient option