OnionScan: What's New and What's Next ?
It has been 4 months since I released the first version of OnionScan and the response has been amazing.
Work in Progress. Who would like an automated way to see how bad at anonymity your onion service is? pic.twitter.com/qCDs3laoiV
— Sarah Jamie Lewis (@SarahJamieLewis) April 5, 2016
Given that I thought I would take some to talk about some of the new features that have been added to OnionScan since April.
What's New
- New Protocols: The original OnionScan only had support for HTTP endpoints. We quickly added support for many more and today OnionScan supports detecting and scanning a whole array of protocols including:
- SSH
- FTP
- SMTP
- XMPP
- VNC
- TLS
- IRC
- Bitcoin
- New Identifier Extractions: To start OnionScan only looked for major issues with a site like exposed mod_status or EXIF data. Since Februrary we've added a number of new identity extractions that can be used to deanonymize a site from Protocol Banners (SMTP, SSH, FTP), to HTTPS certificates and PGP Keys.
- Support for batch scanning: you can now provide OnionScan with a file containing a list of onion services to scan. OnionScan will handle the queuing and processing of these sites.
- Fingerprinting Scans - The original OnionScan was very noisy and gave little care to pulling down entire directories - since then we've added different configurations to control the breadth and depth of scans.
Has OnionScan Made a Difference?
There are still sadly far too many onion sites that expose /server-status endpoints and EXIF data. There are many more than can be identified through a multitude of correlations.
However, everyday I get new messages or discover new conversation threads about OnionScan, about people and groups using OnionScan when they setup new onion services and about privacy groups recommending and incorporating the lessons from OnionScan into the design of their products so that the next generation of onion web services are immune by design.
I hope that this trend continues with the ultimate goal being that OnionScan becomes obsolete. Opsec being opec, I think that might take a while!
What's Next?
There is still so much to do - there are many different protocols out there which have identifiers we do not capture. In the next few months I am aiming to add:
- Bitcoin address extraction and analysis
- Deeper XMPP and IRC fingerprinting
- Better image fingerprinting
- A more friendly interface including better reporting of identity correlation issues
- More core identifier extraction from website pages e.g. email addresses, phone numbers, google analytics etc.
If you would like to help with any of these (or have other ideas about how OnionScan should be extended) - please start a conversation on the GitHub issues, or see my profile for contact information.
Keep Fixing & Happy Hacking.