Nowadays, cyber threats are coming from everywhere, from both the surface and the dark web. For instance, many enterprises rely on information collected from dark web communities to predict future attacks against their IT infrastructure and information systems.
The World Wide Web is composed of three layers: the surface, deep, and dark webs. The surface (or normal) web is what most people refer to when talking about the internet (although the internet and the web are two different terms). The surface web makes up less than 4% of the entire web content and includes web pages that are indexed by typical search engines, such as Google and Yahoo.
The second layer is the deep web. The content within this layer is hidden behind a paywall (i.e. requires paid access) or login pages, or requires the user to enter search queries in HTML forms to retrieve information from deep web databases. The deep web makes up the greatest volume of the web’s content. Many researchers estimate the deep web’s size to be 400 to 550 times the size of the surface web. Typical search engines cannot index its contents.
Both the surface and deep web can be accessed using typical web browsers; however, things are different when talking about the deepest layer of the web (the dark web), which requires special software to access. The dark web is a tiny portion of the deep web (it makes up less than 1% of the entire web’s size). The dark web is not one network; rather, it is a term for any closed network that requires specific software, configurations, or authorization to access and that masks the identity of its visitors (e.g. by concealing their IP address). The collection of these networks (e.g. TOR, I2P, Freenet) forms the dark web.
Dark web sites are accessed by thousands of people every day; however, there is no central repository for these sites that simplifies finding content within them. Knowing how to find your way within this jungle becomes an essential skill for any cybersecurity professional.
The dark web can be the source of very important information when looking for threat intelligence. However, finding information on the dark web is very difficult, especially when searching for criminal communities involved in trading illegal products and services.
In this article, we will shed some light on popular dark web services (both search engines and directories) used to search for and locate information on the dark web, focusing on the TOR anonymity network because of its size and popularity.
Tor2web (see Figure 1) is the first free online service that can be used to access the TOR darknet from the normal (surface) internet with your current web browser, without the TOR Browser.
TOR websites (also known as TOR Onion Services) have the extension .onion. To use Tor2web, all you have to do is replace the onion website extension with either .onion.to, .onion.city, .onion.cab, or .onion.direct to access the TOR service on the darknet. Tor2web connects you with onion services hosted on the TOR network and relays messages back to you via the TOR network.
If you are using the TOR network for anonymity, then it is not advisable to use this service. However, if you aim to browse TOR hidden services using your standard web browser without using the TOR Browser, then Tor2web is your option.
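A Tor2web request is ordinary web traffic to a gateway hostname that embeds the onion address, so it is visible in proxy logs, which is one reason the service offers no anonymity. The following Python is an added example (not part of the original article) that flags such requests using the gateway suffixes listed above; the log layout, the sample lines, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Gateway suffixes named in the article above.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.city", ".onion.cab", ".onion.direct")

# Onion labels are base32: 16 characters (v2) or 56 characters (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Constructed sample lines; assumed layout: "<timestamp> <client_ip> <method> <url>".
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://www.example.com/index.html",
    "2024-01-01T10:00:03Z 10.0.0.7 GET http://abcdefghijklmnop.onion.to/search?q=x",
    "2024-01-01T10:00:09Z 10.0.0.9 CONNECT abcdefghijklmnop.onion.cab:443",
    "2024-01-01T10:00:12Z 10.0.0.5 GET http://notanonion.to/",
    "2024-01-01T10:00:15Z 10.0.0.5 GET http://short.onion.city/",
]


def tor2web_onion(host):
    """Return the .onion hostname behind a Tor2web-style host, else None."""
    host = host.lower().rstrip(".")
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith(suffix):
            # The onion label is the right-most label before the gateway suffix.
            label = host[: -len(suffix)].rsplit(".", 1)[-1]
            if ONION_LABEL.match(label):
                return label + ".onion"
    return None


def scan_proxy_log(lines):
    """Return (client_ip, onion_host) for each request sent through a gateway."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip it
        client, url = parts[1], parts[3]
        # CONNECT requests carry "host:port" rather than a full URL.
        target = url if "://" in url else "//" + url
        onion = tor2web_onion(urlsplit(target).hostname or "")
        if onion:
            hits.append((client, onion))
    return hits


if __name__ == "__main__":
    for client, onion in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} reached {onion} through a Tor2web gateway")
```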
DarkSearch (see Figure 2) claims it can index a large percentage of the TOR network content. Currently, it has indexed more than one million pages from about 20,000 sites. We can use this service from the surface web to search for keywords within TOR hidden services. DarkSearch uses the Tor2web service to access content on the TOR darknet using typical web browsers.
DarkSearch differentiates its service from other dark web search engines by offering a free API to automate searches, in addition to crawling TOR darknet hidden services weekly to update its index. Finally, DarkSearch does not store user search queries when it is used from the surface web, although users can stay anonymous by accessing the service from within the TOR anonymity network (using the TOR Browser).
Ahmia (see Figure 3) is an old search engine for finding hidden services on the TOR anonymity network. Ahmia is a free and open-source project, so one can set up a working version of Ahmia on a local computer with its crawlers and index. Ahmia offers some forms of privacy for its users by not recording user search queries; however, unlike the previous two services, you need to use the TOR Browser to access results returned by the Ahmia search engine.
Ahmia has a dedicated search facility for the I2P anonymity network that can be accessed at http://msydqstlz2kzerdg.onion/i2p.
Finally, Ahmia allows TOR hidden service owners to register their sites on its index, so other searchers can locate the website and its contents more easily.
TORCH (see Figure 4) is another search engine for searching the TOR network; it claims to index around 1.1 million pages.
TorLinks (see Figure 5) is a directory of TOR hidden services. Sites are categorized into groups (both commercial and non-commercial sites).
not Evil (see Figure 6) is another search engine for finding information on the TOR anonymity network. not Evil does not index sites promoting illegal products and services.
DeepLink Onion Directory
DeepLink (see Figure 8) is the richest directory of TOR hidden services on the TOR anonymity network. It lists both legal and illegal services and some of them link to different marketplaces for buying and selling illicit goods, including stolen personal information that can be used for identity theft.
In today’s information age, to manage risks against your organization, you need to have access to a vast amount of digital data that may exist on the dark web. There are no centralized search engines for locating information on dark web anonymity networks; however, there are a few search engines and some web directories that list major dark web sites. They can serve as your introduction point to begin your journey of discovering resources on the dark web. Keep in mind that the dark web is where most cybercriminal activities take place; use a reliable VPN service and a security-hardened operating system (e.g. Tails) before accessing this place.