
By having your own darknet website you will be able to decide whether you should protect your organization from any Tor traffic or not. In this blog post I will tell you why and how to apply the best Tor strategy for your environment.

Based on my last article explaining how to create your own darknet ransomware, I was asked how to actually create such a darknet website. Well, I can tell you in advance that it’s completely free and there are only two requirements:

  1. A device to run your website on (e.g., a Raspberry Pi)
  2. Don’t be afraid of a handful of Linux commands

The main objective of the Tor project (The Onion Router) is to increase an individual’s privacy. It aims to hide the identity of its users and their online activities from surveillance and traffic analysis by separating identification and routing. As you can imagine, this can be very important for journalists, human rights activists, or just people who are living in countries where freedom of expression is restricted.

As with all good ideas, and despite the project’s good intentions, there is a flip side to the coin. The Tor network is also used for malicious purposes, such as botnets, data exfiltration and C&C traffic, not to mention a good number of darknet marketplaces stuffed with illegal “goods”. Thankfully, not all of them survive very long. For this reason, you should consider monitoring or blocking Tor traffic within your organization. Later in this article, I will explain how to apply the right strategy regarding Tor traffic for your organization.

Ok, before we start off, it’s important to understand the terminology.

1. Surface Web, Deep Web and Darknet, …whaaat?!

Let’s begin with the most obvious one: The Surface Web or the Clearnet. It is the publicly accessible Internet you all know. The results of standard search engines like Google, which are provided to you after a search, are basically a good example of Surface Web content. It’s also called the “indexed” web content.

The second one is the Deep Web. It’s any content you can’t directly access. It’s usually protected by passwords and/or encryption. A few examples are online banking, paid subscription-based media sites like Netflix, databases, or Companies’ internal platforms. So, any “non-indexed” content is part of the deep web.

Lastly, there is the Darknet or Dark Web. The contents of this network are also non-indexed but can only be accessed by using a Tor-compatible browser, like the Tor Browser. Due to the high level of anonymity, it is often misused for criminal intentions.

The best way to think of the different web types is probably an iceberg:

The entire network is like an iceberg, in which the smallest part we visit regularly is on the top, but the biggest part is unseen. It is worth noting that the Surface Web contains only 4% of all content, while the remaining 96% of information can be found on the Deep Web.

Now that we understand the terminology of the different web types, let’s move on and create our own Darknet website.

2. Your own Darknet website

In this how-to section, I will walk you through the necessary steps to create a Darknet website using a Raspberry Pi.

By the way, the more technical term for Darknet website is Onion Hidden Service or just Hidden Service.

At mindsetters, we have our own Hidden Service available (just for demonstration purposes, of course 😉). Don’t be scared, download the Tor-Browser, and visit the address below. You won’t regret it!

http://mindsets3awysyuugfcnltwni7txxtxp7hcd2f2w5usgimubprdmp7ad.onion/

If you have survived the above-mentioned website and you’re still willing to create your own Hidden Service, you’re really made of steel, I can tell you. You’re almost there.

First, you need a web server. If you want to go for Apache, then install it by typing the following:

sudo apt update
sudo apt install apache2

Once the web server installation is finished, you are ready to install the Tor service with all its dependencies by firing off the following:

sudo apt install tor

It may take some seconds to finish this step depending on your network connection. After that, you need to modify the Tor config file under /etc/tor/torrc. Add or uncomment the following three lines here:

The path for the variable named HiddenServiceDir is important. Once you restart the Tor service (next step) a new folder will be created. It contains information and cryptographic keys for your Onion Service:

Now all that’s left to do is to restart the Tor service by entering the command below:

sudo systemctl restart tor

And that’s it! It’s time to verify if everything is working as expected. Go to the HiddenServiceDir directory and check the contents of the hostname file:

Copy the .onion address and paste it to your Tor Browser and you should see the Apache default landing page. In our case it’s the one you should already know:

If you want to change Apache’s default page, just go to the /var/www/html/ directory and create a new index.html file containing whatever HTML suits your needs.
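The configuration steps above, written as a script. This is an added example and not code from the original post; it assumes Debian-style paths (/etc/tor/torrc and /var/lib/tor/hidden_service/), that apt and systemctl are available, and root privileges when run with --apply. The helper functions operate on plain text and paths, so the torrc logic can be checked without touching a live system, and the hostname check enforces the shape of a v3 address (56 base32 characters plus .onion).

```python
"""Added example, not code from the original post: the configuration part of
the how-to as a script. Assumptions: Debian-style paths (/etc/tor/torrc and
/var/lib/tor/hidden_service/), apt and systemctl available, and root
privileges when run with --apply."""
import subprocess
import sys
import time
from pathlib import Path

TORRC = Path("/etc/tor/torrc")                   # assumed Debian torrc location
HS_DIR = Path("/var/lib/tor/hidden_service")     # value used for HiddenServiceDir

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def ensure_hidden_service_config(torrc_text: str, hs_dir: str,
                                 virtual_port: int = 80,
                                 target: str = "127.0.0.1:80") -> str:
    """Return torrc_text with HiddenServiceDir/HiddenServicePort appended,
    unless that HiddenServiceDir is already configured (idempotent).

    The target is bound to 127.0.0.1 on purpose: the web server is then only
    reachable through Tor and is not exposed on the Pi's LAN interface."""
    for line in torrc_text.splitlines():
        parts = line.split()
        if (len(parts) >= 2 and parts[0] == "HiddenServiceDir"
                and parts[1].rstrip("/") == hs_dir.rstrip("/")):
            return torrc_text
    if torrc_text and not torrc_text.endswith("\n"):
        torrc_text += "\n"
    return (torrc_text
            + "\n# Onion service (added by setup script)\n"
            + f"HiddenServiceDir {hs_dir}\n"
            + f"HiddenServicePort {virtual_port} {target}\n")


def is_v3_onion(address: str) -> bool:
    """A v3 onion address is exactly 56 base32 characters (a-z, 2-7) + '.onion'."""
    label, _, tld = address.strip().lower().rpartition(".")
    return (tld == "onion" and len(label) == 56
            and all(c in BASE32_ALPHABET for c in label))


def read_onion_hostname(hs_dir: Path) -> str:
    """Read the address Tor wrote to <HiddenServiceDir>/hostname after restart."""
    hostfile = Path(hs_dir) / "hostname"
    if not hostfile.exists():
        raise FileNotFoundError(
            f"{hostfile} does not exist yet; restart Tor and check its log")
    address = hostfile.read_text().strip()
    if not is_v3_onion(address):
        raise ValueError(f"unexpected hostname contents: {address!r}")
    return address


def apply_on_host() -> None:
    """The steps from the post, run for real (requires root)."""
    def run(*cmd: str) -> None:
        subprocess.run(cmd, check=True)

    run("apt", "update")
    run("apt", "install", "-y", "apache2", "tor")
    TORRC.write_text(ensure_hidden_service_config(TORRC.read_text(),
                                                  str(HS_DIR) + "/"))
    run("systemctl", "restart", "tor")
    time.sleep(5)  # Tor creates HS_DIR, the key pair and hostname on startup
    address = read_onion_hostname(HS_DIR)
    print(f"Onion service is up: http://{address}/")


if __name__ == "__main__" and "--apply" in sys.argv:
    apply_on_host()
```

Run it as `sudo python3 setup_onion.py --apply` on the Pi; without `--apply` nothing is changed, which is handy for dry-running the torrc merge against a copy of your config first.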

Give me a cool custom domain name right away

You might have noticed that the beginning of our .onion address includes the word “mindset”. This can be chosen up to a certain degree. The more characters you want to include, the harder it is to calculate. By calculating I mean creating a pair of asymmetric keys (a public and a corresponding private key). This is required because .onion addresses are derived from this public key. More on this later in the Q&A section.

There is a command-line tool available on GitHub called mkp224o to calculate these key pairs.

To get a feeling for the calculation times depending on how many characters you choose, here is some indication:

If you want the full list, just get it by clicking here. I was quite lucky because my chosen string “mindset” only took about 1 day to generate. Below is a list of the domain names I got within 2 days:

Anyway, here is how to use this tool. Once pulled from GitHub, you can start the generation process by typing the following command, for example:

./mkp224o -S 60 -d onions mindset

This command will display a status message every 60 seconds (-S 60). And it will save all .onion addresses starting with “mindset” under the onions directory (-d onions):

From this point I wish you good luck and a little patience.
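To make the “hashes based on this public key” point concrete, here is an added example (not code from the original post and not part of mkp224o) that builds a v3 .onion address from an onion service's 32-byte ed25519 public key, following the layout in Tor's rend-spec-v3: the address is base32(PUBKEY || CHECKSUM || VERSION) plus “.onion”, where CHECKSUM is the first two bytes of SHA3-256(“.onion checksum” || PUBKEY || VERSION) and VERSION is 0x03. Because the address is just the key plus a checksum, it can be parsed back and validated, and the cost of a vanity prefix follows directly: each base32 character fixes 5 bits of the key, so a prefix of n characters needs roughly 32^n key generations. The search loop at the end uses random bytes as a stand-in for freshly generated ed25519 public keys (a real generator derives a key pair per attempt); the encoding step is identical.

```python
"""Added example, not from the original post or from mkp224o: v3 .onion
address encoding/decoding per Tor's rend-spec-v3, plus the expected work
for a vanity prefix. Random bytes stand in for ed25519 public keys in the
search loop (the encoding is the same; only the key generation differs)."""
import base64
import hashlib
import os
from typing import Optional

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a 56-character v3 address."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION   # 35 bytes = 280 bits
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Return the public key embedded in a v3 address, or raise ValueError if
    the address is malformed or its checksum does not match (typo, truncation)."""
    host = address.strip().lower()
    if "://" in host:                       # accept a full URL as well
        host = host.split("://", 1)[1].split("/", 1)[0]
    if not host.endswith(".onion"):
        raise ValueError("not a .onion address")
    label = host[: -len(".onion")]
    if len(label) != 56 or any(c not in BASE32_ALPHABET for c in label):
        raise ValueError("v3 addresses are 56 base32 characters (a-z, 2-7)")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported address version {version!r}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address mistyped or tampered with")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Convenience wrapper for allow-lists and input validation."""
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


def expected_keys_for_prefix(prefix: str) -> int:
    """Expected number of random keys before an address starts with `prefix`.
    Each base32 character carries 5 bits, so the search costs about 32**len(prefix);
    every extra character makes a tool like mkp224o take roughly 32 times longer."""
    if any(c not in BASE32_ALPHABET for c in prefix.lower()):
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    return 32 ** len(prefix)


def vanity_search_stand_in(prefix: str, max_tries: int) -> Optional[str]:
    """Brute-force search for a prefix, with os.urandom(32) standing in for
    freshly generated public keys. Returns the first match or None."""
    prefix = prefix.lower()
    for _ in range(max_tries):
        candidate = onion_address_from_pubkey(os.urandom(32))
        if candidate.startswith(prefix):
            return candidate
    return None


if __name__ == "__main__":
    page_address = "mindsets3awysyuugfcnltwni7txxtxp7hcd2f2w5usgimubprdmp7ad.onion"
    print("checksum valid:", is_valid_onion_address(page_address))
    print("expected keys for 'mindset':", f"{expected_keys_for_prefix('mindset'):,}")
    print("one-character vanity hit:", vanity_search_stand_in("m", 2000))
```

Two things worth noticing when you run it: the post's own address decodes cleanly and its checksum verifies, and every v3 address ends in “d” because the last base32 character encodes the low bits of the version byte 0x03. The 32^n estimate is also why the indication table above grows so steeply per character.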

3. The right Tor strategy for your organization

Unfortunately, as in most cases, there is no black or white when it comes to Tor and its use.

You basically can distinguish between two communication types:

  1. People who are looking for more privacy and anonymity or are just tech-savvy. They simply use a Tor-compatible browser (hopefully) without any bad intentions.
  2. Sometimes even the best cybersecurity measures fail. In this case you’re facing Tor traffic which is used to exfiltrate data or belong to malware (C&C traffic).

While it’s good to know the difference between these two types, ultimately it depends on your business strategy as to what actions you take:

  a) When legitimate access to services from the Tor network is low, you can adopt a blocking strategy with minimal impact.
  b) If the legitimate access of internet-exposed services from the Tor network is significant, organizations may need to seek a policy decision to allow traffic from the Tor network to access specific internet-exposed services where it is believed that the use of Tor is a specific business requirement.

In case a), for legitimate users who may be affected by a blocking strategy, it may be worth letting them know that if their intent is to avoid identification and attention:

  • That the use of the Tor network will subject their communications to greater rather than lesser scrutiny
  • If they are using authenticated access they have already been identified

Regardless of whether you’re facing communication type 1) or 2) and have chosen strategy a) or b) it is always recommended to monitor and to log all Tor traffic (yes, there’s a difference).

Assuming most of the readers are interested in a blocking strategy (a) — otherwise you probably wouldn’t be here — below you can find a list of best practices to prevent Tor traffic.

A brief disclaimer: Blocking Tor traffic without any negative side effects might be harder than you think. Remember, even the Great Firewall of China has not managed to block Tor completely.

  • Apply Application White-/Blacklisting (for any Tor browser)
  • Prohibit users from making changes in the advanced settings of your corporate browser (basically any browser can be configured to access the Tor network)
  • Use category-based domain blocking (user might use Online Proxies like this one)
  • Block/Monitor traffic from https://www.torproject.org/ (malware like my ransomware downloads a small Tor executable at runtime)
  • Enable network monitoring for TCP/UDP ports 9001, 9030, 9040, 9050, 9051, and 9150 (blocking not recommended, because there might be other purposes for these ports)
  • Block/Monitor traffic to Tor Exit Nodes based on this dynamic list

Applying these measures may not effectively mitigate all hazards but may protect against less sophisticated actors.
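The two monitoring items from the list above (the Tor-associated ports and the dynamic exit-node list) as detection logic over flow records. This is an added example, not code from the original post: both the flow log and the relay set are constructed here with documentation-range addresses, and in a real deployment the relay set would be refreshed from the dynamic list the post refers to and the records would come from your firewall or NetFlow collector. A destination on the relay list is a high-confidence hit regardless of port, since relays commonly listen on 80 and 443 as well; a Tor port alone is only a weak signal, which is why the post says to monitor rather than block on ports.

```python
"""Added example, not code from the original post: Tor-related flow detection
over constructed flow records. TOR_RELAY_IPS stands in for the dynamic
exit-node list; TOR_PORTS is the port set from the post."""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Ports from the post's list. Port alone is a weak signal (other software
# may use them), so such hits are reported with low confidence.
TOR_PORTS = {9001, 9030, 9040, 9050, 9051, 9150}

# Constructed stand-in for the dynamic Tor exit/relay list.
TOR_RELAY_IPS = {"192.0.2.10", "198.51.100.7", "203.0.113.99"}

# Constructed flow log: time,src,dst,dst_port,proto,bytes_out
FLOW_LOG = """\
2021-03-01T08:00:01Z,10.0.0.12,93.184.216.34,443,tcp,1200
2021-03-01T08:00:05Z,10.0.0.12,192.0.2.10,443,tcp,540000
2021-03-01T08:01:10Z,10.0.0.31,203.0.113.99,9001,tcp,88000
2021-03-01T08:02:00Z,10.0.0.44,10.0.0.5,9050,tcp,300
2021-03-01T08:02:30Z,10.0.0.44,198.51.100.7,80,tcp,2100
not,a,valid,line
"""


@dataclass
class Finding:
    time: str
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    confidence: str   # "high": destination on the relay list, "low": port only
    reason: str


def classify_flow(dst: str, dst_port: int) -> Optional[Tuple[str, str]]:
    """Map one flow to (confidence, reason), or None if it is not Tor-related."""
    if dst in TOR_RELAY_IPS:
        if dst_port in TOR_PORTS:
            return "high", "known Tor relay on a Tor port"
        return "high", "known Tor relay (relays often listen on 80/443 too)"
    if dst_port in TOR_PORTS:
        return "low", "Tor-associated port only; verify before acting"
    return None


def detect_tor_flows(log_text: str) -> List[Finding]:
    """Parse CSV flow records, skip malformed lines, and return findings with
    the most confident and largest outbound transfers first (exfil triage)."""
    findings: List[Finding] = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue                                  # malformed record
        time, src, dst, port, _proto, bytes_out = row
        try:
            ip_address(src)
            ip_address(dst)
            dst_port, out = int(port), int(bytes_out)
        except ValueError:
            continue
        verdict = classify_flow(dst, dst_port)
        if verdict is not None:
            confidence, reason = verdict
            findings.append(Finding(time, src, dst, dst_port, out, confidence, reason))
    findings.sort(key=lambda f: (f.confidence != "high", -f.bytes_out))
    return findings


def count_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Internal hosts with the most Tor-related flows are the ones to talk to first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    results = detect_tor_flows(FLOW_LOG)
    for f in results:
        print(f"{f.time} {f.src} -> {f.dst}:{f.dst_port} [{f.confidence}] "
              f"{f.reason} ({f.bytes_out} bytes out)")
    print(count_by_source(results))
```

On the constructed log this yields three high-confidence findings (relay-list hits, the 540 kB transfer ranked first) and one low-confidence port-only hit to an internal host, which is exactly the case where you want a conversation with the user rather than an automatic block.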

4. Q&A — The Onion Router

Before I started writing this blog post, I felt like I was pretty well versed in this topic. But the more I wrote, the more questions were raised. For this reason, I decided to add a small Q&A section including a couple of topics that were causing headaches, at least for me. I tried to keep it as simple as possible.

Will I smell like onions after using the Tor technology?

Maybe. But certainly not because of using Tor! The name The Onion Router (TOR) comes from the Onion Routing concept, where messages are encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is transmitted through a series of network nodes called onion routers, each of which “peels” away a single layer, uncovering the data’s next destination. When the final layer is decrypted, the message arrives at its destination.

What makes the Tor network so slow?

When you visit a web service via Tor, your connection request needs to pass through multiple nodes with multiple encryption layers. Depending on how busy each node is, your connection may be slower or faster. By the way, nodes are not operated by big companies but by volunteers.

Why is there such a high degree of anonymization?

No-one in the network knows anything about the full connection. If I am the owner of a particular node, I only know that an encrypted message comes from one node and needs to be sent to another node.

Why these weird long .onion addresses?

This concept is part of the end-to-end encryption model. It looks weird and random because it’s the identity public key of the specific Onion Service. Onion service traffic is encrypted from the client to the onion host. This is like getting strong SSL/HTTPS for free.

Why do Hidden Services not have HTTPS addresses?

The initial idea behind .onion addresses not using TLS is that TLS and its certificate-based approach rely on Certificate Authorities (CAs) and trust in them, and browsers by default warn about self-signed certificates. Anyway, connections to Hidden Services are end-to-end encrypted by default, so TLS wasn’t deemed necessary.

What are the Top-10 countries by daily Tor users?

https://metrics.torproject.org/userstats-relay-table.html

Here you can check out the other interesting statistics, such as censorship events per country.

Conclusion

The sophisticated technical implementation of the Tor project and its good intentions really help people to ensure a high level of privacy and preserve their freedom of expression. Unfortunately, this also raises some opportunities for bad entities, but the project isn’t bad per se.

From an enterprise’s perspective, the best way to “live” with the Tor network is probably monitoring AND logging all Tor-related traffic. One of the most important things I learned from my co-founder Stefan Winkler is communication. If some users insist on using Tor on a regular basis, it is probably best to talk to them and clarify their intentions. Most of the time it is just a misunderstanding, and it turns out that good alternatives can be used instead.

If you were successful in deploying your Hidden Service website, I’d be more than happy if you shared it with me. Consider using it as a test website for monitoring Tor traffic, because it’s (probably) safer than all the other Onion websites. 😉

If you enjoyed this article and want more, please let me know by simply clapping or sending me a message.

Stay safe and secure!

Cheers, David

Sources:
https://www.ijser.org/researchpaper/The-Deep-Web-03-2017.pdf
https://www.cyber.gov.au/acsc/view-all-content/publications/defending-against-malicious-use-tor-network
https://us-cert.cisa.gov/sites/default/files/publications/AA20-183A_Defending_Against_Malicious_Cyber_Activity_Originating_from_Tor_S508C.pdf
https://support.torproject.org/
https://en.wikipedia.org/wiki/Onion_routing