• Mon. Jun 17th, 2024

ETag Unveils Hidden Darknet Tor Servers

Avatar photo


Jul 11, 2023
ETag Unveils Hidden Darknet Tor Servers

Etag is a special identification code generated by the server in response to a client request for a resource. The client utilizes it to check the resource version’s current status. The client switches to the cached version if the Etag stays the same, reducing traffic and accelerating the download.

But Etag also functions as a tracking device. It may provide details about the server, such as the IP address, time, or hash. As a result, a client may obtain the same Etag, which discloses the server’s true IP address, when requesting the same resource from other disguised Tor services that belong to the same server.

In a Medium post, the author described how he discovered the IP address of a ransomware service controlled by the RagnarLocker ransomware using the curl and torsocks tools, an Etag comparison, and other methods. Since each Etag carried a hash of the server’s IP address, we were able to identify the server’s genuine address and location.

Etag Vulnerability: Unveiling Tor Server IP Addresses

According to the study, the notorious Ragnar Locker ransomware group attacked video game company Capcom, claiming to have stolen one terabyte of data. Capcom denied Ragnar Locker’s claims, and 67 GB of the stolen files were published on the Dark Web.

The leaked site contained only a link, not the files themselves. Instead, a special Onion address was provided for storing files such as the leaked data, which was apparently prepared by the Ragnar Locker operator. The files were split up into several parts and placed on an Onion address starting with t2w….

Typically, a Dark Web search for a site’s source IP address checks the site’s source code, SSL certificate, response headers, etc. to get unique strings and fingerprint information, and then uses scanning services such as Shodan, Censys, and others to search for the IP address. In this study, response headers were checked. If the response header contains a unique string, it is possible to obtain the original IP address.

After checking the response headers and finding the same ETag, the researcher tried to download a file with the same name on the Onion address and on the IP address, and confirmed that the file with the same name was located as shown in the image below. Thus, we can say that the original IP address of the Onion address t2w5by….onion is

Later, the IP address was mentioned in the FBI operational report. The report said that the address was used as a server to host compromised Capcom data.

This method can be used both by attackers to de-anonymize users and providers of hidden Tor services, and by law enforcement in the fight against illegal activity. However, there are ways to protect yourself, such as disabling Etag on the server or using a proxy to modify Etag during transmission.