The idea of this Docker container came after reading Micah Hoffman's excellent blog post: Dark Web Report + TorGhost + EyeWitness == Goodness. Like Micah, I'm also receiving a daily file with new websites discovered on the dark (or deep) web, name it as you prefer. This service is provided by the @huncky Twitter account: once a day, you get an XLS sheet with newly discovered websites. Micah explained how to process these URLs automatically. He's using TorGhost with EyeWitness (written by Chris Truncer). It worked very well but it requires the installation of many libraries (EyeWitness has a lot of software dependencies) and I hate polluting my system with libraries used by only a few tools. That's why I'm using Docker to run everything in a container. Also, processing a new XLS file by hand every day is really a pain, so let's automate as much as possible. To process the XLS file, I wrote a small Python script, xlsxtract.py (see my previous blog post):
# ./xlsxtract.py -w 'New Today' -c A -r 2- -s /tmp/HiddenServices.xlsx
marketos2sttgxde.onion
s4usinb4eu7exiqj.onion
jt3wzqga4wrprwrf.onion
anonstni3rufuvab.onion
torhnpnu2vv5xtrh.onion
torl7e6yohnjtrn3.onion
anggactr2fturxop.onion
ntqb6tpjsdl4kpu7.onion
gfdbbv5mmprt3dor.onion
22222owjmamxwgv4.onion
cbehcy6letx6vnao.onion
2reich6dcr3dclrx.onion
36663z4ei2552lu6.onion
I built a Docker container (‘TorWitness’) that performs the following tasks:
- Set up TorGhost and connect to the Tor network
- Extract .onion URLs from XLS files
- Take screenshots of the URLs via EyeWitness
But sometimes it can be helpful to visit other websites (not only .onion sites) via the Tor network. That's why you can also pass your own list of URLs as an argument.
Here is an example of container execution. Note the two extra capabilities: TorGhost rewrites the container's resolv.conf and installs iptables rules to force all traffic through Tor (see the "Configuring DNS resolv.conf file" and "setting up iptables rules" lines below), which is not possible with the default capability set. The URL list and the results directory are exchanged through the /data volume:
$ cat $HOME/torwitness/urls.txt
https://blog.rootshell.be
https://isc.sans.edu
$ docker run \
    --rm \
    -it \
    -v $HOME/torwitness:/data \
    --cap-add=NET_ADMIN --cap-add=NET_RAW \
    torwitness \
    urls.txt
 _____           ____ _               _
|_   _|__  _ __ / ___| |__   ___  ___| |_
  | |/ _ \| '__| |  _| '_ \ / _ \/ __| __|
  | | (_) | |  | |_| | | | | (_) \__ \ |_
  |_|\___/|_|   \____|_| |_|\___/|___/\__|
    v2.0 - SusmithHCK | www.khromozome.com
[done]
[12:19:18] Configuring DNS resolv.conf file.. [done]
 * Starting tor daemon... [OK]
[12:19:18] Starting tor service.. [done]
[12:19:19] setting up iptables rules [done]
[12:19:19] Fetching current IP...
[12:19:19] CURRENT IP : 51.15.79.107
Using environment variables:
TIMEOUT=30
MAX_RETRIES=3
Found Onion URLs to process:
https://blog.rootshell.be
https://isc.sans.edu
################################################################################
#                                  EyeWitness                                  #
################################################################################
Starting Web Requests (2 Hosts)
Attempting to screenshot https://blog.rootshell.be
Attempting to screenshot https://isc.sans.edu
Finished in 22.2635469437 seconds
$ cd $HOME/torwitness
$ ls
results-20171025113745 urls.txt
$ cd results-20171025113745
$ firefox result.html
If you don't pass a file to the container, it parses the XLSX files found in the /data directory and extracts the .onion URLs from them. There are multiple cases where this container can be helpful:
- Browsing the dark web
- Performing the reconnaissance phase of an engagement
- Hunting
- Browsing attackers' resources without exposing your own IP address
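To make the two input modes concrete, here is an added example in plain Python. It is my own illustration for this post, not the entrypoint shipped in the TorWitness repository, and it uses only the standard library: an .xlsx file is a zip archive whose cell text lives in xl/sharedStrings.xml, so the .onion hostnames can be pulled out without openpyxl. It goes beyond the post in one respect, matching 56-character v3 onion addresses as well as the 16-character v2 ones shown above. The EyeWitness command it assembles assumes the -f, --web, --no-prompt, --timeout, --max-retries and -d flags of the Python version of EyeWitness; the sample workbook and URL list it builds are constructed test data, not the @huncky feed.

```python
"""Added example: replicate TorWitness' URL-collection step.
Mode 1: an explicit URL file under /data (one URL per line).
Mode 2: no file given -> scan /data for .xlsx and extract .onion hosts.
Standard library only; not the TorWitness project's own code."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# v2 onion = 16 base32 chars; v3 = 56 base32 chars (v3 support is an
# addition beyond the post, whose examples are all v2 addresses).
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)

# SpreadsheetML namespace used inside xl/sharedStrings.xml
SST_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def onions_from_text(text):
    """Return unique .onion hostnames (lower-cased) in first-seen order."""
    found = []
    for m in ONION_RE.finditer(text):
        host = m.group(0).lower()
        if host not in found:
            found.append(host)
    return found


def onions_from_xlsx(path):
    """Extract .onion hostnames from the shared-string table of an .xlsx."""
    with zipfile.ZipFile(path) as zf:
        try:
            xml = zf.read("xl/sharedStrings.xml")
        except KeyError:          # workbook without any text cells
            return []
    root = ET.fromstring(xml)
    # each <si> is one cell string, possibly split over several <t> runs
    strings = ["".join(t.text or "" for t in si.iter(SST_NS + "t"))
               for si in root.iter(SST_NS + "si")]
    return onions_from_text("\n".join(strings))


def collect_targets(data_dir, urls_file=None):
    """Mirror the container's two modes: explicit URL file, else .xlsx scan."""
    if urls_file:
        with open(os.path.join(data_dir, urls_file)) as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    targets = []
    for name in sorted(os.listdir(data_dir)):
        if name.lower().endswith(".xlsx"):
            for host in onions_from_xlsx(os.path.join(data_dir, name)):
                url = "http://" + host          # hidden services are plain HTTP here
                if url not in targets:
                    targets.append(url)
    return targets


def eyewitness_argv(urls_path, out_dir, timeout=30, max_retries=3):
    """Assumed EyeWitness (Python version) flags; TIMEOUT/MAX_RETRIES mirror
    the environment variables printed by the container."""
    return ["python", "EyeWitness.py", "-f", urls_path, "--web", "--no-prompt",
            "--timeout", str(timeout), "--max-retries", str(max_retries),
            "-d", out_dir]


def write_sample_xlsx(path):
    """Constructed minimal workbook: only the shared-string part, which is
    all this parser reads (not a complete Excel file, not real feed data)."""
    sst = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
           ' count="3" uniqueCount="3">'
           '<si><t>Hidden service</t></si>'
           '<si><t>marketos2sttgxde.onion</t></si>'
           '<si><r><t>http://s4usinb4eu7e</t></r><r><t>xiqj.onion/login</t></r></si>'
           '</sst>')
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", sst)


def demo():
    """Run both modes against constructed sample data in a temp directory."""
    data_dir = tempfile.mkdtemp()
    write_sample_xlsx(os.path.join(data_dir, "HiddenServices.xlsx"))
    with open(os.path.join(data_dir, "urls.txt"), "w") as fh:
        fh.write("https://blog.rootshell.be\nhttps://isc.sans.edu\n")
    return collect_targets(data_dir), collect_targets(data_dir, "urls.txt")


if __name__ == "__main__":
    from_xlsx, from_file = demo()
    print("xlsx mode:", from_xlsx)
    print("file mode:", from_file)
    print(" ".join(eyewitness_argv("/data/urls.txt", "/data/results")))
```

The rich-text cell in the sample (an address split over two `<t>` runs, as Excel does when part of a cell is formatted differently) is the case a naive grep of the XML would miss, which is why the runs are joined per cell before the regex is applied.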
To build the container, the instructions and the Dockerfile are available on my GitHub repository.
[The post “TorWitness” Docker Container: Automated (Tor) Websites Screenshots has been first published on /dev/random]
from Xavier