Tor is free software that is widely used by people to protect their identity and avoid network surveillance. The Onion Router (Tor) stops the tracking of your internet activity by directing your traffic through a free, volunteer-run network of more than 6000 relays spread across the world. Recently, a post was published on a website that detailed how to set up a Tor honeypot and reveal the true identity of a user without using any malware.

This analysis of the Dark Web honeypot was published on, where the author describes the experiences and steps taken to honeypot a Tor user. Well, let me tell you the geeky definition of honeypot: “It’s a trap that is set to detect or counteract the attempts made to breach a computer system or a network that looks like a part of the network, but it’s monitored and isolated.”

The author goes on to describe that the project started out to secretly track the activities of three types of Tor users: those interested in counterfeiting services, those interested in illegal drugs, and pedophiles (those interested in child pornography). To the author’s surprise, the Tor hidden service for the pedophile website attracted 100 times more traffic than the other two combined. So, this project became a “dark web pedophile honeypot project” that ran its own hidden websites and captured information about the users who visited them.

How was the Tor hidden service honeypot set up?

Here I will explain, in simpler terms, how the author built the Tor honeypot. Those interested in a more detailed discussion will find a link to the original “dark web tor honeypot project” further ahead in the article.

The Dark Web spider and Tor:

You can use a Dark Web spider, a software application (PHP web crawler) that crawls Dark Web websites using the Tor protocol to categorize the discovered content. It runs for hours and generates a report with the revealed information.

Just as each user gets anonymity through Tor circuits, anonymous websites too can be configured to provide the same Tor anonymity to their users. These websites are the infamous “hidden services.”

More about Tor hidden services honeypot:

Hidden services using Linux on a VMware virtual machine: The server used to run the honeypot and penetration testing was a secure Debian machine that had multiple hacking and penetration tools. The author writes that even though the server was hardened, it was made to allow some hacking attempts in order to capture and report malicious traffic.

Bro, OSSEC, and Snort IDS systems: Three different Intrusion Detection Systems (IDS) were used. All Bro alerts were passed to the Elasticsearch database. Snort was used to capture low-level details from the network packets. Then, using Barnyard, Snort’s results were parsed and inserted into the Elasticsearch database.

Proxies everywhere: A Squid proxy was placed before Tor, which allowed packets to be monitored and manipulated before entering Tor.

Web server and ElasticSearch: Using a single web service, four virtual web servers were run. The other two servers – Apache and nginx, aka Engine X – were installed and used for various services like Elasticsearch, Kibana, and Graylog2 for web reporting.

Custom code framework: All three hidden services used a common code framework, and each site’s appearance could easily be changed to make it look unique. Each record inserted was given the unique identifier of a particular hidden service to record the activity.

To record each user, a custom IDS log was used. The login information was captured too, and a report was generated for monitoring purposes. The author’s hidden websites emphasized that no communication would be done via email. So, the messages passed through the “contact me” channel were tagged with the above-mentioned user info. The link traps captured information whenever a user clicked somewhere. That link pointed to a Clearnet site that recorded all traffic in another MySQL database. This data was again coupled with the unique identifier, and then the report was generated for easy understanding.
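An added example (not from the article or the original project) of the logging pattern described above: Snort alerts are parsed, tagged with the identifier of the hidden service they hit, and shaped into an Elasticsearch bulk request. It assumes Snort's text "fast" alert format in place of Barnyard's input, and the port-to-service mapping, the index name and the sample alerts are all constructed for illustration.

```python
import json
import re
from collections import Counter

# Hypothetical mapping: local port of each virtual web server -> service identifier.
SERVICE_BY_PORT = {8081: "hs-1", 8082: "hs-2", 8083: "hs-3"}

# Snort "fast" alert line; the Classification field is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not taken from the article), including one bad line.
SAMPLE_ALERTS = """\
08/28-12:34:56.789012  [**] [1:1000001:1] Constructed: SQL keyword in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 127.0.0.1:51234 -> 127.0.0.1:8081
08/28-12:35:02.100200  [**] [1:1000002:3] Constructed: directory traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 127.0.0.1:51240 -> 127.0.0.1:8083
08/28-12:35:09.000001  [**] [1:1000001:1] Constructed: SQL keyword in URI [**] [Priority: 2] {TCP} 127.0.0.1:51300 -> 127.0.0.1:8081
this line is truncated and must be skipped
"""

def parse_alert(line):
    """Return one alert as a dict tagged with its service id, or None if malformed."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    doc = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        doc[key] = int(doc[key])
    doc["service_id"] = SERVICE_BY_PORT.get(doc["dport"], "unknown")
    return doc

def to_bulk(text, index="honeypot-snort"):
    """Build an Elasticsearch _bulk body (NDJSON) plus per-service counts."""
    lines, counts, skipped = [], Counter(), 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        doc = parse_alert(raw)
        if doc is None:
            skipped += 1  # count malformed lines instead of failing the batch
            continue
        counts[doc["service_id"]] += 1
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n", counts, skipped

if __name__ == "__main__":
    body, counts, skipped = to_bulk(SAMPLE_ALERTS)
    print(body, dict(counts), "skipped:", skipped)
```

Counting skipped lines rather than raising keeps a single truncated alert from silently dropping the rest of a batch, and the count itself is worth alerting on.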

The Security Scanner: Finally, the hacker decided to hit the final nail in the coffin by writing a small Windows program that displayed “scan progress and results”. A report was created using the exit node IP address and the pedophile’s true IP address. Here’s a result:


So, here I have tried to explain how a Tor honeypot was used by a hacker to reveal the secrets of the Dark Web. If you want to know more, go to the site using this link:

To know more about Tor honeypot, mail the author here: [email protected]

Adarsh Verma
Fossbytes co-founder and an aspiring entrepreneur who keeps a close eye on open source, tech giants, and security. Get in touch with him by sending an email — [email protected]