top of page

How To Access The Dark Web (Guide)

How To Access The Dark Web (Guide) | Black Hat HQ

How To Access The Dark Web


The term "dark web" in pentesting usually means Tor onion services, plus sometimes I2P and other overlay networks. This is how to actually find and navigate .onion services safely during an engagement. This is a guide on how to access the dark web.


The Architecture Underneath


When you access a .onion, you're not on some separate internet. You're still using TCP/IP. The difference is the routing:


You → Tor Guard → Tor Middle → Tor Rendezvous ← Tor Middle ← Tor Guard ← Onion Server

Neither you nor the onion server know each other's IP. The rendezvous point connects two independent Tor circuits. No exit nodes are involved — your traffic never touches the clearnet.

This matters because it means:


  • No ISP can see what .onion you're visiting

  • No .onion you visit can see your IP

  • The rendezvous point can't read the traffic (end-to-end encrypted)

  • Latency is high (6 hops minimum)


The Essential Tool Stack


Tool

Purpose

Tails OS

Amnesic bootable environment — no forensic trace on the host machine

Tor Browser

Sends everything through Tor, pre-configured for .onion access

Whonix

VM-based isolation — browser exploit can't leak real IP

OnionScan

Scans .onion services for misconfigurations, exposed services, IP leaks

Ahmia / Torch

.onion search engines

Recon[ng] / theHarvester

OSINT frameworks with Tor integration

Custom Python + stem

Automated .onion monitoring and scraping


For sustained monitoring, Whonix wins. For one-shot recon, boot Tails.


Step 1: Establish Your Baseline Connection


bash

# Boot Tails, connect Tor, verify:
# Visit https://check.torproject.org
# Should show: "Congratulations. This browser is configured to use Tor."

# Test a known .onion to confirm the circuit works:
# DuckDuckGo's onion: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
# If it loads, your circuit is solid.

# From the terminal (CLI access through Tor):
curl --socks5-hostname 127.0.0.1:9050 http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion

# Or with torsocks:
torsocks curl http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion

Step 2: Finding .Onion Services


There's no Google for onion land. Discovery is fragmented by design.


Directory Sites & Wikis


The closest thing to an index are community-maintained link lists:


  • The Hidden Wiki — multiple instances, varying quality. The original is long dead; what exists now are mirrors and forks. Useful for getting your bearings but never trust links blindly. Verify every .onion you visit.

  • Tor.Taxi — fairly well-maintained directory of marketplaces, forums, and services. Has a clearnet mirror for easy reference.

  • dark.fail — journalist and researcher-maintained, focuses on verifying authentic URLs vs phishing clones.


Key practice: Cross-reference every address across at least two independent directories. Phishing .onion sites that mirror real markets are extremely common and are often the first result in any search.


Search Engines


Engine

.onion Address

Notes

Ahmia

juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion

Filters abuse, has public API

Torch

torchdeedp3i2jigzjdmfpn5ttjhthxqhpyrnqrkl372eo6jwexqd.onion (approximate — verify)

Oldest, claims largest index

Haystack

Various mirrors

Large index, mixed quality

Kilos

Market-focused search

Searches across multiple marketplaces

Recon

Vendor/supplier focused

Searches vendor listings across markets


None of these are comprehensive. Most .onion services are never indexed. Discovery relies on:


  • Following links from known services

  • Monitoring forums (Dread, Endchan)

  • Word of mouth on encrypted messaging (Session, SimpleX)


Dread


Dread is the Reddit of .onion — the primary coordination forum:


dreadytofatroptsdj6io7l3xptbet32lj7b32d3n4au7j2d7rmvnkzqbad.onion

This is where you find:


  • Market outage announcements

  • Vendor reputation threads

  • Security alerts about compromised services

  • New market launches and verified URLs


It's the single most important site to bookmark for threat intel research.


Step 3: Navigating Safely


URL Verification


.onion addresses are deliberately unmemorable. This makes phishing trivial — a single character changed and you're on a clone that steals your credentials or serves browser exploits.


bash

# Compare the address character by character against a trusted source
# v3 onion addresses are 56 characters: [a-z2-7]{56}.onion

# Common phishing tricks:
# - Substituting 'o' for '0' (though v3 doesn't use 0 or o, scammers use
#   similar-looking characters from the allowed set)
# - Replacing 'i' with 'j' or 'l'
# - Using 'vv' for 'w'
# - Swapping adjacent characters

# Verify with at least TWO independent directory sources
# Dread + dark.fail + Tor.Taxi — if all three agree, it's probably real

The TLS Question


Most .onion sites use plain HTTP. This is confusing at first but makes sense:


  • The circuit is already end-to-end encrypted

  • HTTPS on top of Tor is redundant for encryption

  • Certificate Authorities can't validate .onion domains (except DigiCert for EV certs)


That said, some .onion services DO use HTTPS. When they do:


bash

# Check the certificate
# Click padlock → Connection → More Information → View Certificate
# If it's a DigiCert EV cert with a registered organization name,
# that's a strong signal the site operator has been vetted

# If it's a self-signed cert, it adds no security — just confirms
# the site is the same one you visited last time (TOFU model)

The JavaScript Decision


We covered this in the hardening guide. For darknet research:


Tor Browser → Shield → Safest mode

This disables JavaScript everywhere.
Most .onion sites are designed to work without JS.
Sites that break are probably not worth the exploit risk.

Step 4: Programmatic Access (Scraping & Monitoring)


For automated threat intel gathering during an engagement.


Python with Requests + SOCKS


python

#!/usr/bin/env python3
"""
Fetch a .onion page through Tor SOCKS proxy.
Install: pip3 install requests[socks] pysocks
"""
import requests

def fetch_onion(url, timeout=30):
    """Fetch a .onion URL through local Tor SOCKS5 proxy"""
    session = requests.Session()
    session.proxies = {
        'http': 'socks5h://127.0.0.1:9050',
        'https': 'socks5h://127.0.0.1:9050'
    }
    
    try:
        resp = session.get(url, timeout=timeout)
        resp.raise_for_status()
        return resp.text
    except requests.exceptions.RequestException as e:
        print(f"[-] Failed to fetch {url}: {e}")
        return None

# Usage
html = fetch_onion("http://exampleonion1234567890abcdefghijklmnopqrstuvwxyz.onion")
if html:
    print(html[:500])

The socks5h scheme (note the 'h') means DNS resolution happens through Tor, not locally. This prevents DNS leaks.


Stem — Python Tor Controller


For more advanced control over Tor circuits:


bash

pip3 install stem

python

#!/usr/bin/env python3
"""
Tor circuit control with Stem.
Create fresh circuits per request, monitor circuit status.
"""
from stem import Signal
from stem.control import Controller
import requests
import time

class TorClient:
    def __init__(self, control_port=9051, socks_port=9050, password=None):
        self.control_port = control_port
        self.socks_port = socks_port
        self.password = password
        self.session = requests.Session()
        self.session.proxies = {
            'http': f'socks5h://127.0.0.1:{socks_port}',
            'https': f'socks5h://127.0.0.1:{socks_port}'
        }

    def new_circuit(self):
        """Request a new Tor circuit (new identity)"""
        with Controller.from_port(port=self.control_port) as controller:
            if self.password:
                controller.authenticate(password=self.password)
            else:
                controller.authenticate()
            controller.signal(Signal.NEWNYM)
        time.sleep(1)  # Let the new circuit establish

    def get(self, url, timeout=30):
        """Fetch URL through current Tor circuit"""
        try:
            return self.session.get(url, timeout=timeout)
        except Exception as e:
            print(f"[-] {e}")
            return None

    def circuit_status(self):
        """Display current circuit info"""
        with Controller.from_port(port=self.control_port) as controller:
            controller.authenticate()
            for circ in controller.get_circuits():
                print(f"Circuit {circ.id}: {circ.status} — {circ.path}")

# Usage
tc = TorClient()
tc.circuit_status()

# Fetch with one circuit
resp = tc.get("http://someonion.onion")

# Rotate circuit for next request
tc.new_circuit()
resp2 = tc.get("http://anotheronion.onion")

OnionScan — Reconnaissance on Onion Services


OnionScan scans .onion services for operational security failures:


bash

git clone https://github.com/s-rah/onionscan
cd onionscan
go build
sudo ./onionscan --webport=8080

# Web interface at http://127.0.0.1:8080
# Or CLI:
./onionscan targetonionaddress.onion

# Checks for:
# - SSH keys exposed
# - Apache/Nginx server-status pages
# - Exposed .git directories
# - EXIF data in images
# - Open ports on the onion server
# - Bitcoin addresses in page source
# - Email addresses
# - Server IP leaks through misconfiguration
# - Linked .onion services

This is invaluable for mapping out a target's darknet infrastructure during OSINT.


Step 5: Other Darknets Worth Knowing


Tor isn't the only game in town, and for a comprehensive pentest you should know what else exists.


I2P (Invisible Internet Project)


# I2P uses "garlic routing" (messages bundled like garlic cloves)
# vs Tor's "onion routing" (layers of encryption)

# Install I2P router:
sudo apt install i2p
i2prouter start

# Access via: http://127.0.0.1:7657
# I2P sites use .i2p domains (called "eepsites")
# I2P is fully distributed — no directory authorities
# Every I2P router also relays traffic for others
# Lower latency than Tor for some use cases
# Popular for forums, file sharing, some marketplaces

I2P has its own ecosystem of forums, marketplaces, and services. It's less well-known than Tor, which means less attention from adversaries — but also less scrutiny from the security research community.


ZeroNet (Mostly Dead, But Know It)


# Decentralized — sites are served via BitTorrent
# .bit domains via Namecoin
# Each visitor seeds the site to others
# Near-impossible to take down (no central server)
# Largely abandoned after 2020, but some services remain

IPFS (InterPlanetary File System)


Not "dark" per se, but used alongside darknet services for hosting:


bash

# Content-addressed, decentralized file hosting
# Used by some markets for product images, documentation
# ipfs.io gateway or run your own node
# Can be accessed through Tor for anonymity

Step 6: Pentest Use Cases


OSINT & Threat Intelligence


bash

# 1. Monitor for client credentials in market listings
# 2. Search for client's brand in forum discussions
# 3. Check if client's customer data appears in dumps
# 4. Monitor ransomware leak sites for client mentions
# 5. Track threat actor discussions mentioning client's tech stack

Red Team Infrastructure


bash

# 1. Host C2 panels as onion services (no IP exposed)
# 2. Phishing pages as onion services (harder to takedown)
# 3. Data exfiltration endpoints via onion + curl --socks5
# 4. Anonymous research on target employees' darknet activity

Attack Surface Discovery


bash

# Find your client's .onion services they may have forgotten:
# - OnionScan your client's known onion addresses
# - Check for linked services (onionscan finds these)
# - Check DNS TXT records for onion addresses (some orgs publish them)
# - Search Ahmia/Torch for your client's brand name

Operational Security Checklist


☐ Booted into Tails (bare metal, not VM) or Whonix
☐ Tor Browser set to Safest mode
☐ No personal accounts logged in anywhere on this machine
☐ MAC address spoofing enabled (Tails default)
☐ Bridges configured if ISP/country blocks Tor
☐ URL verified against 2+ independent directories
☐ No downloads opened while online
☐ Screenshots sanitized (no EXIF, no desktop background, no taskbar)
☐ New Identity (padlock → New Identity) between research topics
☐ Session notes written in generic language (no real names, orgs)
☐ Proper shutdown (Tails wipes RAM)
☐ USB stored securely or destroyed after engagement
☐ All findings transferred to secure client report system via
   air-gapped method (not emailed through Tor)

What To NEVER Do


  • Never access .onion services from your work laptop, personal machine, or any device tied to your identity

  • Never log into a .onion forum with a username you've used anywhere else

  • Never download and execute binaries from .onion sites (even on Tails — it's not magic)

  • Never use the same Tails session for different research topics (reboot between)

  • Never access a .onion and a clearnet site in the same browser window

  • Never upload files created outside Tor (EXIF, metadata, fonts, software signatures all leak identity)

  • Never assume a .onion site is what it claims to be — every site could be law enforcement, a competitor, or a honeypot


Enroll In Online Cybersecurity & Hacking Classes/Courses

Comments


bottom of page