If I suspect a public IP may be hosting an onion site, is there a way to verify this? Shodan doesn’t have any info on the IP, torproject says it’s not a node/bridge.
Compare the HTTP headers.
Run an nmap scan on common alternative HTTP ports to see if the onion is public.
Done - no differences between the target and the known “good” IPs. All tests were on the same ISP as the target.
Known ‘Good’ #1
Not shown: 997 filtered ports
PORT    STATE SERVICE    VERSION
21/tcp  open  ftp?
80/tcp  open  http?
443/tcp open  https?

Known ‘Good’ #2
Not shown: 997 filtered ports
PORT    STATE SERVICE    VERSION
21/tcp  open  tcpwrapped
80/tcp  open  tcpwrapped
443/tcp open  tcpwrapped

Target
Not shown: 997 filtered ports
PORT    STATE SERVICE    VERSION
21/tcp  open  tcpwrapped
80/tcp  open  tcpwrapped
443/tcp open  tcpwrapped
Edit: Additional scan data added and formatting
Visit the site on the public IP to see if it is the same (pass the onion Host header also).
Just tested by standing up a hidden server and scanning the public IP, with the same results as known “good” #1. Bleh.
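The Host-header check suggested above only links a public IP to an onion site when the web server is misconfigured: the hidden-service vhost is reachable on the public interface, so any request carrying the onion name as Host (or, with no default_server set, even a plain request) gets the onion content. Below is an added example, not from this thread or any poster, of that weak nginx layout beside the corrected one; it assumes nginx, a torrc line `HiddenServicePort 80 127.0.0.1:8080`, and placeholder names for the onion address, clearnet hostname and document roots.

```nginx
# --- Weak layout (what the check above detects) ---
# The onion vhost is an ordinary server block bound to every interface.
# A request to the public IP with "Host: placeholderonionaddress.onion"
# is routed here. Worse, because no block is marked default_server,
# nginx treats the first block on port 80 as the default, so requests
# with no matching Host may also receive the hidden-service content.
server {
    listen 80;
    server_name placeholderonionaddress.onion;   # placeholder onion name
    root /var/www/onion;                         # placeholder path
}

server {
    listen 80;
    server_name example.com;                     # placeholder clearnet name
    root /var/www/clearnet;                      # placeholder path
}

# --- Corrected layout ---
# The hidden-service vhost listens on loopback only. tor forwards onion
# traffic there (HiddenServicePort 80 127.0.0.1:8080 in torrc), so the
# block is unreachable from the public IP regardless of Host header.
server {
    listen 127.0.0.1:8080;
    server_name placeholderonionaddress.onion;   # placeholder onion name
    root /var/www/onion;                         # placeholder path
}

# Explicit catch-all on the public interface: any Host that matches no
# vhost (including the onion name) gets the connection closed (444)
# rather than a site's content, so nothing leaks via the default vhost.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# The clearnet site keeps its own explicit vhost on the public interface.
server {
    listen 80;
    server_name example.com;                     # placeholder clearnet name
    root /var/www/clearnet;                      # placeholder path
}
```

After reloading nginx, an operator can repeat the thread's own check against their public IP (request with and without the onion Host header) and should see the connection closed in both cases rather than onion content; keep the same separation for port 443 and any alternative HTTP ports the nmap step enumerates.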