Custom Tor Hidden Services
Have you ever wondered how hidden services on Tor obtain their hostnames? This process is quite different from how websites are identified on the open web. If you’ve spent any time on the Tor network, you’ve probably noticed that the hostnames belonging to hidden services are somewhat unusual and difficult to remember (e.g: duskgytldkxiuqc6[.]onion). But if this is the standard, how do hidden services like facebookcorewwwi[.]onion obtain custom hostnames?
Taking a step back for some context, hidden services are akin to websites found on the open web, but instead of .com, .org, etc., the Top-Level Domain (TLD) for hidden services on Tor is .onion. Hidden services can only be accessed via a modified version of Firefox, which can be downloaded on the Tor Project’s website.
Spinning up a standard .onion hidden service is a pretty straightforward process: connect to Tor, set up a web server, add a couple lines of config (or uncomment/adjust them), and restart. Hostnames for these hidden services are automatically generated during this process, and are associated with the service’s private key. However, when the creator of a hidden service wants a custom hostname and/or key, the process is not as simple as heading over to GoDaddy.
There are a few tools available to aid in the creation of custom hidden service hostnames: Shallot, Eschalot, and Scallion being a few oniony examples. Shallot, originally named onionhash, was created in 2006. Its source was hosted by a few different Tor users before it ended up on GitHub in 2010. Shallot brute forces the SHA-1 hash in order to generate partial custom hostnames. It’s important to clarify that partial, not full, custom hostnames are generated because this process can take a very long time.
For example, on a 1.5Ghz processor, it will take less than a minute to generate a hostname with five or less custom characters. It takes approximately 30 minutes for six, one day for seven, 25 days for eight, all the way up to 2.6 million years for a 14-character custom hostname. This means that if Shallot was used to create Facebook’s hidden service, it potentially took 25 days to obtain the hostname facebookcorewwwi[.]onion—presuming the “core” and “wwwi” were incidental.
Eschalot, a fork of Shallot, also uses brute force and wordlists to generate partially custom hostnames. Eschalot compiles on Linux and Unix systems and is a bit faster than Shallot. Scallion, on the other hand, is much faster than Shallot, but requires a GPU for hashing.
The creation of custom hostnames can help ensure visitors are not misled. One fear associated with complicated hidden service names is that users can unknowingly be directed to spoofed sites. Partially custom hostnames however, are easier for humans to remember and help to discourage this. Either way, it’s important to pay attention to the sites you visit. Exercising caution is key on both the open and (especially) the dark web.
Learn More:
https://www.torproject.org/docs/tor-hidden-service.html.en
https://github.com/katmagic/shallot
https://github.com/reclaimyourprivacy/eschalot
https://github.com/lachesis/scallion
