How To Access The Dark Web (Guide)
- Biohazard

- 5 days ago
- 7 min read

How To Access The Dark Web
The term "dark web" in pentesting usually means Tor onion services, plus sometimes I2P and other overlay networks. This is how to actually find and navigate .onion services safely during an engagement. This is a guide on how to access the dark web.
The Architecture Underneath
When you access a .onion, you're not on some separate internet. You're still using TCP/IP. The difference is the routing:
You → Tor Guard → Tor Middle → Tor Rendezvous ← Tor Middle ← Tor Guard ← Onion Server
Neither you nor the onion server know each other's IP. The rendezvous point connects two independent Tor circuits. No exit nodes are involved — your traffic never touches the clearnet.
This matters because it means:
No ISP can see what .onion you're visiting
No .onion you visit can see your IP
The rendezvous point can't read the traffic (end-to-end encrypted)
Latency is high (6 hops minimum)
The Essential Tool Stack
Tool | Purpose |
Tails OS | Amnesic bootable environment — no forensic trace on the host machine |
Tor Browser | Sends everything through Tor, pre-configured for .onion access |
Whonix | VM-based isolation — browser exploit can't leak real IP |
OnionScan | Scans .onion services for misconfigurations, exposed services, IP leaks |
Ahmia / Torch | .onion search engines |
Recon[ng] / theHarvester | OSINT frameworks with Tor integration |
Custom Python + stem | Automated .onion monitoring and scraping |
For sustained monitoring, Whonix wins. For one-shot recon, boot Tails.
Step 1: Establish Your Baseline Connection
bash
# Boot Tails, connect Tor, verify:
# Visit https://check.torproject.org
# Should show: "Congratulations. This browser is configured to use Tor."
# Test a known .onion to confirm the circuit works:
# DuckDuckGo's onion: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
# If it loads, your circuit is solid.
# From the terminal (CLI access through Tor):
curl --socks5-hostname 127.0.0.1:9050 http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
# Or with torsocks:
torsocks curl http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onionStep 2: Finding .Onion Services
There's no Google for onion land. Discovery is fragmented by design.
Directory Sites & Wikis
The closest thing to an index are community-maintained link lists:
The Hidden Wiki — multiple instances, varying quality. The original is long dead; what exists now are mirrors and forks. Useful for getting your bearings but never trust links blindly. Verify every .onion you visit.
Tor.Taxi — fairly well-maintained directory of marketplaces, forums, and services. Has a clearnet mirror for easy reference.
dark.fail — journalist and researcher-maintained, focuses on verifying authentic URLs vs phishing clones.
Key practice: Cross-reference every address across at least two independent directories. Phishing .onion sites that mirror real markets are extremely common and are often the first result in any search.
Search Engines
Engine | .onion Address | Notes |
Ahmia | juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion | Filters abuse, has public API |
Torch | torchdeedp3i2jigzjdmfpn5ttjhthxqhpyrnqrkl372eo6jwexqd.onion (approximate — verify) | Oldest, claims largest index |
Haystack | Various mirrors | Large index, mixed quality |
Kilos | Market-focused search | Searches across multiple marketplaces |
Recon | Vendor/supplier focused | Searches vendor listings across markets |
None of these are comprehensive. Most .onion services are never indexed. Discovery relies on:
Following links from known services
Monitoring forums (Dread, Endchan)
Word of mouth on encrypted messaging (Session, SimpleX)
Dread
Dread is the Reddit of .onion — the primary coordination forum:
dreadytofatroptsdj6io7l3xptbet32lj7b32d3n4au7j2d7rmvnkzqbad.onion
This is where you find:
Market outage announcements
Vendor reputation threads
Security alerts about compromised services
New market launches and verified URLs
It's the single most important site to bookmark for threat intel research.
Step 3: Navigating Safely
URL Verification
.onion addresses are deliberately unmemorable. This makes phishing trivial — a single character changed and you're on a clone that steals your credentials or serves browser exploits.
bash
# Compare the address character by character against a trusted source
# v3 onion addresses are 56 characters: [a-z2-7]{56}.onion
# Common phishing tricks:
# - Substituting 'o' for '0' (though v3 doesn't use 0 or o, scammers use
# similar-looking characters from the allowed set)
# - Replacing 'i' with 'j' or 'l'
# - Using 'vv' for 'w'
# - Swapping adjacent characters
# Verify with at least TWO independent directory sources
# Dread + dark.fail + Tor.Taxi — if all three agree, it's probably real
The TLS Question
Most .onion sites use plain HTTP. This is confusing at first but makes sense:
The circuit is already end-to-end encrypted
HTTPS on top of Tor is redundant for encryption
Certificate Authorities can't validate .onion domains (except DigiCert for EV certs)
That said, some .onion services DO use HTTPS. When they do:
bash
# Check the certificate
# Click padlock → Connection → More Information → View Certificate
# If it's a DigiCert EV cert with a registered organization name,
# that's a strong signal the site operator has been vetted
# If it's a self-signed cert, it adds no security — just confirms
# the site is the same one you visited last time (TOFU model)
The JavaScript Decision
We covered this in the hardening guide. For darknet research:
Tor Browser → Shield → Safest mode
This disables JavaScript everywhere.
Most .onion sites are designed to work without JS.
Sites that break are probably not worth the exploit risk.
Step 4: Programmatic Access (Scraping & Monitoring)
For automated threat intel gathering during an engagement.
Python with Requests + SOCKS
python
#!/usr/bin/env python3
"""
Fetch a .onion page through Tor SOCKS proxy.
Install: pip3 install requests[socks] pysocks
"""
import requests
def fetch_onion(url, timeout=30):
"""Fetch a .onion URL through local Tor SOCKS5 proxy"""
session = requests.Session()
session.proxies = {
'http': 'socks5h://127.0.0.1:9050',
'https': 'socks5h://127.0.0.1:9050'
}
try:
resp = session.get(url, timeout=timeout)
resp.raise_for_status()
return resp.text
except requests.exceptions.RequestException as e:
print(f"[-] Failed to fetch {url}: {e}")
return None
# Usage
html = fetch_onion("http://exampleonion1234567890abcdefghijklmnopqrstuvwxyz.onion")
if html:
print(html[:500])
The socks5h scheme (note the 'h') means DNS resolution happens through Tor, not locally. This prevents DNS leaks.
Stem — Python Tor Controller
For more advanced control over Tor circuits:
bash
pip3 install stem
python
#!/usr/bin/env python3
"""
Tor circuit control with Stem.
Create fresh circuits per request, monitor circuit status.
"""
from stem import Signal
from stem.control import Controller
import requests
import time
class TorClient:
def __init__(self, control_port=9051, socks_port=9050, password=None):
self.control_port = control_port
self.socks_port = socks_port
self.password = password
self.session = requests.Session()
self.session.proxies = {
'http': f'socks5h://127.0.0.1:{socks_port}',
'https': f'socks5h://127.0.0.1:{socks_port}'
}
def new_circuit(self):
"""Request a new Tor circuit (new identity)"""
with Controller.from_port(port=self.control_port) as controller:
if self.password:
controller.authenticate(password=self.password)
else:
controller.authenticate()
controller.signal(Signal.NEWNYM)
time.sleep(1) # Let the new circuit establish
def get(self, url, timeout=30):
"""Fetch URL through current Tor circuit"""
try:
return self.session.get(url, timeout=timeout)
except Exception as e:
print(f"[-] {e}")
return None
def circuit_status(self):
"""Display current circuit info"""
with Controller.from_port(port=self.control_port) as controller:
controller.authenticate()
for circ in controller.get_circuits():
print(f"Circuit {circ.id}: {circ.status} — {circ.path}")
# Usage
tc = TorClient()
tc.circuit_status()
# Fetch with one circuit
resp = tc.get("http://someonion.onion")
# Rotate circuit for next request
tc.new_circuit()
resp2 = tc.get("http://anotheronion.onion")
OnionScan — Reconnaissance on Onion Services
OnionScan scans .onion services for operational security failures:
bash
git clone https://github.com/s-rah/onionscan
cd onionscan
go build
sudo ./onionscan --webport=8080
# Web interface at http://127.0.0.1:8080
# Or CLI:
./onionscan targetonionaddress.onion
# Checks for:
# - SSH keys exposed
# - Apache/Nginx server-status pages
# - Exposed .git directories
# - EXIF data in images
# - Open ports on the onion server
# - Bitcoin addresses in page source
# - Email addresses
# - Server IP leaks through misconfiguration
# - Linked .onion services
This is invaluable for mapping out a target's darknet infrastructure during OSINT.
Step 5: Other Darknets Worth Knowing
Tor isn't the only game in town, and for a comprehensive pentest you should know what else exists.
I2P (Invisible Internet Project)
# I2P uses "garlic routing" (messages bundled like garlic cloves)
# vs Tor's "onion routing" (layers of encryption)
# Install I2P router:
sudo apt install i2p
i2prouter start
# Access via: http://127.0.0.1:7657
# I2P sites use .i2p domains (called "eepsites")
# I2P is fully distributed — no directory authorities
# Every I2P router also relays traffic for others
# Lower latency than Tor for some use cases
# Popular for forums, file sharing, some marketplaces
I2P has its own ecosystem of forums, marketplaces, and services. It's less well-known than Tor, which means less attention from adversaries — but also less scrutiny from the security research community.
ZeroNet (Mostly Dead, But Know It)
# Decentralized — sites are served via BitTorrent
# .bit domains via Namecoin
# Each visitor seeds the site to others
# Near-impossible to take down (no central server)
# Largely abandoned after 2020, but some services remain
IPFS (InterPlanetary File System)
Not "dark" per se, but used alongside darknet services for hosting:
bash
# Content-addressed, decentralized file hosting
# Used by some markets for product images, documentation
# ipfs.io gateway or run your own node
# Can be accessed through Tor for anonymityStep 6: Pentest Use Cases
OSINT & Threat Intelligence
bash
# 1. Monitor for client credentials in market listings
# 2. Search for client's brand in forum discussions
# 3. Check if client's customer data appears in dumps
# 4. Monitor ransomware leak sites for client mentions
# 5. Track threat actor discussions mentioning client's tech stack
Red Team Infrastructure
bash
# 1. Host C2 panels as onion services (no IP exposed)
# 2. Phishing pages as onion services (harder to takedown)
# 3. Data exfiltration endpoints via onion + curl --socks5
# 4. Anonymous research on target employees' darknet activity
Attack Surface Discovery
bash
# Find your client's .onion services they may have forgotten:
# - OnionScan your client's known onion addresses
# - Check for linked services (onionscan finds these)
# - Check DNS TXT records for onion addresses (some orgs publish them)
# - Search Ahmia/Torch for your client's brand nameOperational Security Checklist
☐ Booted into Tails (bare metal, not VM) or Whonix
☐ Tor Browser set to Safest mode
☐ No personal accounts logged in anywhere on this machine
☐ MAC address spoofing enabled (Tails default)
☐ Bridges configured if ISP/country blocks Tor
☐ URL verified against 2+ independent directories
☐ No downloads opened while online
☐ Screenshots sanitized (no EXIF, no desktop background, no taskbar)
☐ New Identity (padlock → New Identity) between research topics
☐ Session notes written in generic language (no real names, orgs)
☐ Proper shutdown (Tails wipes RAM)
☐ USB stored securely or destroyed after engagement
☐ All findings transferred to secure client report system via
air-gapped method (not emailed through Tor)What To NEVER Do
Never access .onion services from your work laptop, personal machine, or any device tied to your identity
Never log into a .onion forum with a username you've used anywhere else
Never download and execute binaries from .onion sites (even on Tails — it's not magic)
Never use the same Tails session for different research topics (reboot between)
Never access a .onion and a clearnet site in the same browser window
Never upload files created outside Tor (EXIF, metadata, fonts, software signatures all leak identity)
Never assume a .onion site is what it claims to be — every site could be law enforcement, a competitor, or a honeypot




Comments