Scraping Dark Web Sites with Python

00:00

hi I am out on travel so this is a hotel

00:04

room video please don't hate me I'm

00:06

sorry in a lot of other videos I've

00:09

showcased how you can automate

00:10

interactions with the website whether

00:12

you're on the command line using tools

00:14

like curl or in scripting languages like

00:17

python where you can use libraries and

00:19

packages modules like requests but I

00:22

haven't showcased how we might be able

00:24

to automate this or scrape different

00:26

websites that might be in the dark web

00:29

you using tour hidden services or do

00:32

onion addresses so in this video that's

00:34

what we're going to dive into thankfully

00:37

this is really easy to do so I am inside

00:39

of my Cali Linux virtual machine I'll

00:41

hit Control Alt t on my keyboard to open

00:44

up a terminal f11 to full screen zoom in

00:46

to make this text a little bit easier

00:48

for you to read and I will go ahead and

00:51

install tour just as a service that

00:54

might run in the background so that I

00:55

could tunnel through the onion router

00:58

and access some of those dark websites

01:00

like onion addresses moving through

01:03

different relays and nodes across that

01:05

network will pseudo appt install tacy to

01:07

automatically confirm enter my password

01:10

for Cali and then go ahead and install

01:12

tour now one command that is actually

01:14

bundled with the tour package is this

01:16

thing called torify and if I actually

01:18

wanted to take a look at the Man pages

01:20

for that we could see it is a wrapper

01:23

for tour Soxs and tour so like a socks

01:25

proxy how we might move through and have

01:28

some network communication through that

01:30

protocol think of this like proxy chains

01:32

on the command line you could basically

01:34

put it in front of other commands you'd

01:35

want to run and that tunnels your

01:37

traffic all through tour I'll hit Q to

01:39

get out of that so say I were to use

01:41

Curl on the command line and access just

01:44

if config doso and that will give me hey

01:48

my current public IP address I'm fine

01:51

with that but if I wanted to wrap that

01:53

through torify let's see if I could get

01:55

that to come through for me m not

01:57

working all that well turns out we

02:00

actually need to configure and enable

02:01

that inside of the tour configuration

02:03

file so I could pseudo Nano Etc tour and

02:08

T RC for that configuration file and

02:11

having this open in our text editor I

02:13

want to scroll through and try to find

02:15

the configuration settings that all

02:17

change in this case we want to enable

02:19

the control Port we want to ensure that

02:21

is uncommented and you could add a

02:23

little bit more security here as it

02:25

notes if you enable the control Port be

02:27

sure to enable one of these

02:29

Authentication methods to prevent

02:30

attackers from accessing it so you could

02:32

add your own hashed control password for

02:35

the sake of Simplicity just cruise into

02:37

this demo I won't do that but I will

02:39

actually uncomment and again maybe you

02:41

had an octo Thorp or hashtag present

02:43

there for cookie authentication and this

02:46

value was originally the number one I'll

02:48

toggle that just to zero inside Nano crl

02:51

o to save the file crl X to exit and

02:54

with that I will service I think tour

02:57

restart is all that we should need to go

03:00

ahead and restart that service now

03:02

fingers crossed I'll be able to do this

03:05

torfi curl command and finally get a new

03:08

IP address separate from what I would

03:10

have had originally just naturally going

03:13

through tour or without tour in this

03:15

case but through Tour on that end

03:17

toggling on that control port and

03:20

manipulating and changing some of the

03:21

authentication to actually interact with

03:24

the tour service and maybe authenticate

03:26

or change your IP address or manipulate

03:28

what routes or nodes that you move

03:30

through is kind of optional in sometimes

03:32

but honestly probably good to do for

03:34

this case however in some tools that you

03:37

might use it's not always necessary and

03:39

of course this was just a cutesy example

03:42

trying to see our current IP address to

03:44

validate that we're moving through tour

03:46

but we might be asking actually why

03:49

would we even do this why would you want

03:51

to scrape or interrogate or automate

03:53

interactions with like onion addresses

03:56

things that we haven't even dug into yet

03:58

but consider all of the thread

04:00

intelligence or just hey maybe tracking

04:03

cyber crime and threat actors and

04:05

adversaries that you might be able to do

04:07

with that if you build and create your

04:08

own thread intelligence feed or automate

04:11

what's out there on onion sites you

04:13

might like in this twoo some really

04:15

awesome tools like flare that awesome

04:18

cyber threat intelligence and attack

04:20

surface management solution where

04:22

attackers thread actors and aders series

04:24

no longer have the information Advantage

04:26

because you can get out in front of it

04:28

let me log in here super quick spinning

04:30

up our dashboard we can take a look at

04:33

our threat risk assessment our exposed

04:36

attack surface and maybe get a better

04:38

understanding of look how secure are we

04:41

and our business our organization and

04:43

our company are there any leaked

04:44

credentials are there any personal

04:46

identifiable information or pii that's

04:48

out across the dark web or even the

04:51

clear net in Shady cyber crime telegram

04:54

groups or for sale on marketplaces or

04:56

within data breaches all of that awesome

04:58

stuff we could dig into within flare and

05:01

even on top of that getting a better

05:03

idea as to what cyber criminals are up

05:05

to and what damage they're doing like I

05:08

tend to track ransomware thread actors

05:10

and adversaries that do damage

05:12

encrypting the devices and data of

05:14

companies and businesses we could see oh

05:16

play ransomware or 8base or lock bit 3.0

05:20

what they're up to and what data they

05:22

might be dumping for those victims that

05:24

could be really worthwhile information

05:26

to keep tabs on and honestly we could

05:28

just use this as basically a Google

05:30

Across the dark web and do just Global

05:34

searches for any severity of a threat or

05:37

information exposure or risk that we

05:38

want to track in any of these different

05:40

categories like the open internet leaky

05:42

S3 buckets GitHub repositories or pce

05:45

spin posts maybe just then the dark web

05:49

marketplaces where malware could be

05:50

bought and sold Forum posts where thread

05:53

actors are chatting with each other or

05:55

telegram the real social media for cyber

05:58

crime look I could just look for for oh

06:00

info stealer malware I'll put that in

06:03

quotes and then we'll see what's popping

06:05

up maybe hey I'll go ahead and change

06:07

the date just to say look I'll do a

06:09

custom range here so we aren't getting

06:11

anything super duper recent about

06:13

November 2023 up to just the start of

06:15

December 2023 and if I search for this

06:18

look at all of the crazy shenanigans

06:20

that we might be able to dig into and of

06:22

course you'll actually get all of the

06:24

links all of the references flare will

06:26

just outright give that to you alongside

06:28

the actor maybe some uh summary of the

06:30

content whether or not you want to take

06:32

down information that's pertinent to you

06:34

your company your business and then

06:36

maybe some artificial intelligence to

06:38

help translate Russian languages or

06:40

again vernacular that you're not

06:42

familiar with like I totally can't read

06:44

that I don't understand that language oh

06:46

here's a good example looks like AI was

06:48

able to offer a quick synopsis little

06:50

bit of a summary here the details it's

06:52

worth digging into and even some

06:54

remediation or mitigation guides you

06:56

could of course create your own

06:57

identifiers for things that you want to

06:59

track like your business your company

07:01

your name whatever you want and maybe

07:03

track down o the flow of threats as to

07:05

what might feed into the other as

07:07

Associated events and Trends across the

07:09

cyber crime or threat intelligence

07:11

industry and Supply chains just as well

07:14

if ransomware attacks actually have a

07:16

thirdparty maybe trickle down effect

07:19

onto your world anyway I'm driving down

07:22

that road to note how we might be able

07:24

to dig into those threat actors cyber

07:27

crime and stuff out on the dark web that

07:29

we might want to track so just as an

07:31

example this is an onion link that I'm

07:34

actually viewing through the tour

07:35

browser hey that graphical user

07:37

interface the web browser to just simply

07:39

go to any onion address that we want to

07:43

big long V3 URL with a onion TLD or top

07:47

level domain you can't naturally access

07:49

that with curl but if we funnel it

07:51

through tour or maybe scrape it in

07:53

Python we totally could let me get back

07:55

to C and I'll show you look if I were to

07:57

try to curl that big on ransomware URL

08:01

that was a page that had a listing of

08:03

those different ransomware groups and

08:04

maybe their own onion leak sites that we

08:07

might want to keep track of

08:08

unfortunately c will tell us hey we

08:10

don't know how to do that in this case

08:12

not going to resolve an onion address

08:14

but we might be able to tell curl look

08:16

we have tour set up and installed we

08:19

should actually still pull that info cuz

08:21

if I were to try and tfy this I think

08:24

it'll still whine at me but we could

08:26

tell Tor excuse me we could tell curl

08:29

look let's actually use a socks 5 host

08:32

name and we'll specify our current local

08:35

host

08:37

1271 with our Port

08:39

9050 which is that default Port that the

08:42

tour service we listening on not the

08:45

control port in this case because we're

08:46

not manipulating or tweaking and tuning

08:48

some tour settings but we just want that

08:51

socks proxy to funnel through if I add

08:54

these arguments in and then I paste my

08:56

URL fingers crossed will be able to pull

08:58

down this onion site across the dark web

09:02

in an automated way not using just a

09:04

tour browser let me hit enter on this

09:06

and hopefully I got that syntax right

09:08

takes a little bit cuz we're funneling

09:09

through all those noes but take a look

09:11

now we've got all of the HTML specific

09:14

to that exact web page and looks it's

09:16

listing out all of those different gangs

09:18

all those different sites all those

09:20

illicit underground cyber crime

09:22

syndicates and includes a couple other

09:23

links that we might be able to dig into

09:25

that's pretty cool at least for a

09:27

one-off on the command line curl we

09:30

could pull down onion sites now of

09:32

course the better question well okay how

09:35

do we automate that and maybe a

09:36

scripting language like python let me

09:39

show you how on the command line inside

09:41

of our Cali Linux or whatever virtual

09:43

machine you might like we could use pip

09:46

to install a new python Library I'll go

09:48

ahead and pip install requests uncore

09:52

tour and that will allow us to make

09:55

requests across tour we'll go ahead and

09:57

install that get it staged set up for us

10:00

and then I'll create a new script maybe

10:03

requests T testing. py and now inside my

10:06

text editor I'll add my usual shabang

10:09

line user bin environment Python 3 and

10:12

we'll go ahead and import requests

10:14

uncore tour but truthfully there is one

10:18

sort of subm module or piece of data in

10:20

this package that I'm most interested in

10:22

so actually change that from request

10:25

tour I want to go ahead and import

10:27

requests tour with with a capital r

10:30

capital T and no underscore in this case

10:33

now with that module imported we can go

10:35

ahead and create sort of a client or the

10:37

way we could interact with it and if you

10:39

wanted to get used to oh just how you

10:41

naturally type requests.get or request.

10:44

poost when you use some scripting

10:46

language stuff in Python like this we

10:48

can call that object just requests and

10:50

I'll create a new requests tour object

10:53

and I'll pass in some parameters here

10:55

we'll specify tour ports like the actual

10:58

proxy ports that Tor might be listening

11:00

on

11:01

9050 as we saw and I'll add a comma

11:04

there just to den note hey that's

11:06

usually a tuple we just got to make sure

11:08

that value is set and it'll actually

11:09

Supply another T C ports for our control

11:13

Port that 9051 that you saw set in the

11:17

tour configuration file that should be

11:19

9051 with that set and staged again this

11:22

is super duper simple all we need to do

11:25

is a usual requests.get and we can

11:28

supply any URL that could still be a

11:31

onion address across the dark web let me

11:34

Define a variable for that here we'll

11:36

just paste in the ransomware sites we

11:38

had been using previously and I'll

11:40

Define that as a variable let me capture

11:43

that and we'll print out the response or

11:45

the text of that request.get just like

11:48

we normally do in Python and actually

11:51

since that is usually just one port we

11:53

should toggle that variable name the

11:55

keyword argument to tour cport singular

11:58

no s at the very very end now again

12:00

super simple with all this set I can get

12:03

back to my command line and let's try to

12:05

run my Python 3 requests toward testing.

12:08

py script fingers crossed again it'll

12:11

take a little bit because we're

12:12

tunneling through all that traffic but

12:14

look we have all that output and we can

12:16

in an automated way within python

12:19

interact with those dark web URLs V3

12:22

onion addresses and tour hidden services

12:25

this is all the actual output the raw

12:28

HTML in the source of the web page

12:30

that's returned to us when we view this

12:32

in our tour browser in that graphical

12:35

user web browser interface here but let

12:38

me actually go pull this a little bit

12:39

further because again we're not doing

12:41

anything too crazy but we're just

12:42

demonstrating that we can access onion

12:44

sites let me see if I can pull down that

12:46

alv or black cat ransomware blog and

12:49

maybe we could track oh specific new

12:51

updates on leak sites or maybe get the

12:54

alerts when we're seeing new changes

12:56

across the dark web let's use this as an

12:58

example I'll go back to my script and of

13:00

course we can make this whatever we want

13:02

but let's just change that URL to now

13:04

get to alfv in their leak site back to

13:07

the command line super easy we'll just

13:09

run this one more time but take a look

13:11

at what we've got here obviously

13:12

requesting a new page and we'll get the

13:15

HTML that gives us some interesting

13:17

breadcrumbs scrolling up to the top here

13:20

this tells us oh the website has been

13:22

seized and this is actually kind of a

13:25

little gimmick a little bit of a trick

13:27

and exit scam that that thread actor

13:29

ransomware gang alv and black cat had

13:32

been up to recently where they're trying

13:34

to scam out a lot of their Affiliates

13:35

the whole cyber threat Intel community

13:37

and a lot of infos Pros were digging

13:39

into this previously but if we took a

13:40

look at the web page here I'll get back

13:42

to that ransomware leak site take a look

13:44

if we open the link that brings us to

13:46

the this website has been seized page

13:49

and it is looking like oh a formal

13:52

official law enforcement operation to

13:54

take down that ransomware gang and their

13:57

online presence in their leak site

13:59

however it's something that a lot of

14:01

folks have been tracking and saying look

14:02

it's not I even wanted to get my head

14:05

straight on this over on Twitter or X or

14:07

whatever and it was just validating hang

14:08

on was this an April Fool's joke or was

14:10

it still the exit scam whatever or is

14:13

this a real interdiction and some folks

14:15

chimed in look that is still the exit

14:17

scam I thank them and they linked this

14:18

really cool little thread and right up

14:20

from Fabian here I love the fact that

14:22

they end up changing the file path just

14:24

like we saw if we were digging into the

14:27

actual HTML source code of the

14:29

application just like we saw from our

14:31

python code output look if you actually

14:33

dig into this you can see maybe even the

14:35

stupid copy pasta clone mirroring any

14:38

open directory that would like save page

14:41

as for any regular actual law

14:43

enforcement interdiction and takedown I

14:45

think that's just a little cool bit and

14:47

worthwhile to mix in here now hey if you

14:49

wanted to dig into any of these

14:50

resources online there are a lot of

14:52

references articles blogs and write up

14:55

that showcase even Tori like we started

14:57

with some of the tricks that you got in

14:59

the mix and maybe some of the control

15:01

Port communication altering or tweaking

15:03

some of the settings maybe getting a new

15:05

IP address through all the nodes relays

15:07

and tunnels alongside the documentation

15:10

or at least the sort of public page

15:11

showcasing that requests tour package

15:14

and library in Python you could dig into

15:16

and actually see a little bit more of

15:18

what you might be able to do here I do

15:19

like the advance you should section

15:21

where they show you look you could very

15:22

easily just check your IP get a new

15:25

identity test some things or make any

15:27

other HTTP method request that you want

15:30

and look I'll be the first to admit

15:31

maybe you have another solution or a

15:34

better tool or a better trick some

15:35

techniques to actually accomplish this

15:38

script and automate some scraping of

15:40

tour hidden Services V un addresses or

15:43

the dark web there's torpy just as well

15:46

a pure python implementation of the tour

15:49

protocol so you don't even need to have

15:51

that tour client installed like we did

15:53

to begin with OR stem or other libraries

15:56

that we might be able to dig into they

15:57

showcase this with some command line

15:59

examples that are really kind of slick

16:01

and even a little bit of the Python

16:03

syntax itself if you wanted to import it

16:06

and use it within your own code and

16:07

scripts here's another simple one tour

16:09

requests you can find this online and

16:11

that's pretty basic pretty similar just

16:13

like we did with requests unor tour

16:16

import this thing hey you could have a

16:18

context manager if you wanted to

16:19

requests.get as usual and that is one

16:22

easy way to do it you could have maybe a

16:24

little bit more communication there and

16:25

actually stage and set up some of the

16:26

passwords like the client or control

16:29

Port authentication and let me actually

16:31

dive into that a little bit this

16:33

resource danan Madar is actually really

16:35

awesome because it talks a little bit

16:37

about all of this it actually offers

16:39

some more links lets you install tour

16:41

just as we did to begin with take a look

16:43

at the version go ahead and check out

16:45

the status of that service bounce

16:47

restart stop and start as you need to

16:49

and then maybe even interact with that

16:50

control Port super duper simple you can

16:53

just try to authenticate but once you

16:55

validate hey we actually have the

16:56

control Port running configured and set

16:58

in r RC file then maybe you could

17:00

authenticate and set up a new hashed

17:04

password just like we saw in that file

17:06

you could generate one with just a

17:07

simple command T tac tac hashen password

17:10

and whatever you want slap that into the

17:12

config file and you're good to go you

17:14

can do your authentication you can then

17:16

check your IP with torify you could then

17:18

manipulate and change your IP address or

17:21

you can even use stem one really awesome

17:24

library that lets you manipulate and do

17:26

a little bit more fine-tuning with a lot

17:28

of the really or nodes that you travel

17:30

and Traverse through while you move

17:32

through that tour onion router protocol

17:34

you can validate this with other tools

17:36

like privoxy you could go ahead and dig

17:38

into other libraries that might change

17:40

your own IP address so there is a lot

17:42

out there and it's just a matter of

17:43

Googling and playing with what you're

17:45

interested in I do want to give another

17:46

shout out to this medium article because

17:48

it digs into a really cool use case of

17:50

tour within Python and they dig into

17:53

that stem library that python module

17:56

that I just kind of alluded to with a

17:58

little bit more detail on how you could

18:00

dig into specific relays or nodes that

18:02

you move through they have some cool

18:04

visuals and they set up using stem and

18:07

this I think gives you a little bit more

18:08

of an idea for the syntax or code that

18:10

you might be able to use and get some

18:12

better fine tooth comb granularity and

18:15

what you're going to do as you move

18:17

through tool but at the end of the day

18:19

look it's still automating interaction

18:22

with onion websites cross the dark web

18:25

tour hidden services and if you want you

18:27

can scrape whatever data like oh

18:29

ransomware updates or potential breaches

18:32

or just changes or modifications to

18:34

forums that you might be tracking

18:36

marketplaces where you want to see

18:37

whether or not things are actually being

18:39

modified up down Sales reviews anything

18:42

that is worth your attention you could

18:44

put together with your own code if you'd

18:46

like to build out something custom but I

18:48

will acknowledge look there's a whole

18:50

lot out there and there's almost too

18:52

much of it it's a little overwhelming

18:54

and look if you just want a solution

18:55

that's quick and easy already done for

18:57

you and manages this with so much insane

18:59

Telemetry invisibility please do take a

19:02

look at flare big thanks to flare for

19:04

sponsoring this video they are seriously

19:06

incredible they have so much cool data

19:08

and I love just being able to look

19:10

around and see what threats are out

19:12

there and know and assess my own attack

19:14

service thank you so much for watching

19:16

hope you enjoyed this video please do

19:17

those YouTube algorithm things like

19:18

comment subscribe and I'll see you in

19:21

the next one in the hotel cuz I'm still

19:23

on Trav so this is it for a little

19:27

bit