s-rah / onionscan

OnionScan is a free and open source tool for investigating the Dark Web.
https://twitter.com/OnionScan

Check private_key and raise an alarm if it is a hidden service key #71

Closed laanwj closed 8 years ago

laanwj commented 8 years ago

Checks retrieved files whose names end in /private_key and checks whether they are hidden service private keys (well, base64-encoded RSA keys).

Example:

```
./onionscan -scans web -verbose 4hwyik7xxwb6pbvb.onion
...
Critical Risk: Hidden service private key is accessible!
         Why this is bad: This can be used to impersonate the service at any point in the future.
         To fix, generate a new hidden service and make sure the private_key file is not reachable from
         the web root
...
```

Implements #52.

s-rah commented 8 years ago

Thanks, I updated the code to check the validity of the key too.
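
An added example, not OnionScan's code and not part of this thread: one way a scanner or a site audit could decide that a retrieved `private_key` body is a usable key for the service being checked. The names `onionFromKeyFile` and `keyExposesService` are hypothetical, and comparing against the v2 address derived from the key is an assumption about what a validity check could do, not a description of the merged change.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base32"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// onionFromKeyFile (hypothetical helper) parses the body of a retrieved
// private_key file and returns the v2 onion hostname that key controls.
func onionFromKeyFile(body []byte) (string, error) {
	block, _ := pem.Decode(body)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return "", errors.New("not a PEM RSA private key")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", err // right header, but the body is not a PKCS#1 key
	}
	if err := key.Validate(); err != nil {
		return "", err // parses, but the key material is inconsistent
	}
	// v2 address rule: base32 of the first 10 bytes of SHA-1 over the
	// DER-encoded (PKCS#1) public key.
	sum := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey))
	return strings.ToLower(base32.StdEncoding.EncodeToString(sum[:10])) + ".onion", nil
}

// keyExposesService reports whether body is a valid key for scannedHost.
func keyExposesService(body []byte, scannedHost string) bool {
	host, err := onionFromKeyFile(body)
	return err == nil && strings.EqualFold(host, scannedHost)
}

func main() {
	// Constructed sample: a throwaway key generated at run time.
	k, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	body := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
	host, _ := onionFromKeyFile(body)
	fmt.Println(host, keyExposesService(body, host), keyExposesService([]byte("<html>404</html>"), host))
}
```

Tying the finding to the derived hostname keeps an error page or an unrelated PEM file served at `/private_key` from raising the critical alert.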

laanwj commented 8 years ago

Your solution is awesome. I had thought about finding associated hostname files but this is much better.

With this level of specificity it could, at some point, make sense to scan other files for keys as well. In an extremely rare case someone may have left the key around in some other text file, or even posted one in a site or forum post. Not sure people are actually that careless.